SYSTEM, METHOD AND APPARATUS TO VISUALLY CONFIGURE AN ANALYSIS OF A PROGRAM

US 20150288705A1
Filed: 04/04/2014
Published: 10/08/2015
Est. Priority Date: 04/04/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

extracting views from an application program, where at least some extracted views comprise at least one view component;

presenting the extracted views to a user;

in response to the user selecting a view component in a presented extracted view, presenting a form to the user having a plurality of vulnerability types indicated for the selected view component and, for each vulnerability type, providing an ability for the user to set an indicator in the form to indicate whether the view component is at least one of a source or a sink;

saving the form containing the user'"'"'s input in conjunction with a user-provided label for the selected view component and a unique identification of the selected view component; and

deriving an analysis policy configuration from the saved form that is formatted for use by a program security analyzer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method extracts views from an application program, where at least some extracted views include at least one view component, and presenting the extracted views to a user. In response to the user selecting a view component in a presented extracted view, the method presents a form to the user having a plurality of vulnerability types indicated for the selected view component and, for each vulnerability type, provides an ability for the user to set an indicator in the form as to indicate whether the view component is at least one of a source or a sink. The method further includes saving the form containing the user'"'"'s input in conjunction with a user-provided label for the selected view component and a unique identification of the selected view component, and deriving an analysis policy configuration from the saved form that is formatted for use by a program security analyzer.

15 Citations

View as Search Results

20 Claims

1. A method, comprising:
- extracting views from an application program, where at least some extracted views comprise at least one view component;
  
  presenting the extracted views to a user;
  
  in response to the user selecting a view component in a presented extracted view, presenting a form to the user having a plurality of vulnerability types indicated for the selected view component and, for each vulnerability type, providing an ability for the user to set an indicator in the form to indicate whether the view component is at least one of a source or a sink;
  
  saving the form containing the user'"'"'s input in conjunction with a user-provided label for the selected view component and a unique identification of the selected view component; and
  
  deriving an analysis policy configuration from the saved form that is formatted for use by a program security analyzer.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, where the unique identification comprises at least geometric coordinates of the selected view component in the view containing the selected view component.
  - 3. The method of claim 1, where extracting views is performed statically by an analysis of the application program source code.
  - 4. The method of claim 1, where extracting views is performed dynamically by emulating the execution of the application program and recording in chronological order the views as they are generated by the application program.
  - 5. The method of claim 1, where the vulnerability types comprise at least Cross-site scripting (XSS), Structured Query Language (SQL) injection, Command injection, and confidentiality.
  - 6. The method as in claim 1, where saving the form containing the user'"'"'s input further comprises saving at least one of non-visual activities and resources associated with the selected view component.
  - 7. The method of claim 1, where providing the ability for the user to set an indicator in the form further enables the user to designate whether the selected view component is associated with an entry point or with a downgrader.

8. A system, comprised of at least one data processor connected with at least one memory that stores software instructions, where execution of the software instructions by the at least one data processor causes the system to:
- extract views from an application program, where at least some extracted views comprise at least one view component;
  
  present the extracted views to a user;
  
  in response to the user selecting a view component in a presented extracted view, present a form to the user having a plurality of vulnerability types indicated for the selected view component and, for each vulnerability type, provide an ability for the user to set an indicator in the form as to whether the view component is at least one of a source or a sink;
  
  save the form containing the user'"'"'s input in conjunction with a user-provided label for the selected view component and a unique identification of the selected view component; and
  
  derive an analysis policy configuration from the saved form that is formatted for use by a program security analyzer.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, where the unique identification comprises at least geometric coordinates of the selected view component in the view containing the selected view component.
  - 10. The system of claim 8, where the system extracts the views statically by an analysis of the application program source code, or where the system extracts the views dynamically by emulating the execution of the application program and recording in chronological order the views as they are generated by the application program.
  - 11. The system of claim 8, where the vulnerability types comprise at least Cross-site scripting (XSS), Structured Query Language (SQL) injection, Command injection, and confidentiality, and where the saved form containing the user'"'"'s input further comprises an indication of at least one of non-visual activities and resources associated with the selected view component.
  - 12. The system of claim 8, where the provided ability for the user to set an indicator in the form further enables the user to designate whether the selected view component is associated with an entry point or with a downgrader.

13. A computer program product comprised of software instructions on a computer-readable medium, where execution of the software instructions using a computer results in performing operations comprising:
- extracting views from an application program, where at least some extracted views comprise at least one view component;
  
  presenting the extracted views to a user;
  
  in response to the user selecting a view component in a presented extracted view, presenting a form to the user having a plurality of vulnerability types indicated for the selected view component and, for each vulnerability type, providing an ability for the user to set an indicator in the form to indicate whether the view component is at least one of a source or a sink;
  
  saving the form containing the user'"'"'s input in conjunction with a user-provided label for the selected view component and a unique identification of the selected view component; and
  
  deriving an analysis policy configuration from the saved form that is formatted for use by a program security analyzer.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The computer program product of claim 13, where the unique identification comprises at least geometric coordinates of the selected view component in the view containing the selected view component.
  - 15. The computer program product of claim 13, where extracting views is performed statically by an analysis of the application program source code.
  - 16. The computer program product of claim 13, where extracting views is performed dynamically by emulating the execution of the application program and recording in chronological order the views as they are generated by the application program.
  - 17. The computer program product of claim 13, where the vulnerability types comprise at least Cross-site scripting (XSS), Structured Query Language (SQL) injection, Command injection, and confidentiality.
  - 18. The computer program product of claim 13, where saving the form containing the user'"'"'s input further comprises saving at least one of non-visual activities and resources associated with the selected view component.
  - 19. The computer program product of claim 13, where providing the ability for the user to set an indicator in the form further enables the user to designate whether the selected view component is associated with an entry point or with a downgrader.
  - 20. The computer program product of claim 13, where the computer program product and the program security analyzer are embodied on the same platform, or where the computer program product and the program security analyzer are embodied on different platforms, and where the platform or platforms comprise a hardware instantiation or a virtual, cloud-based instantiation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Ligman, Joseph W., Pistoia, Marco, Tripp, Omer

Granted Patent

US 9,485,268 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

SYSTEM, METHOD AND APPARATUS TO VISUALLY CONFIGURE AN ANALYSIS OF A PROGRAM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM, METHOD AND APPARATUS TO VISUALLY CONFIGURE AN ANALYSIS OF A PROGRAM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links