Method and system for filtering communications to prevent exploitation of a software vulnerability
Abstract
A method and system for protecting an application that implements a communication protocol against exploitation of a communication-based vulnerability is provided. A protection system provides a protection policy that specifies how to recognize messages that expose a specific vulnerability and specifies actions to take when the vulnerability is exposed. A protection policy specifies the sequence of messages and their payload characteristics that expose a vulnerability. The protection system may specify the sequences of messages using a message protocol state machine. A message protocol state machine of an application represents the states that the application transitions through as it receives various messages. The message protocol state machine of the protection policy may be a portion of the message protocol state machine of the application relating to the vulnerability. The protection system uses the message protocol state machine to track the states that lead up to the exposing of the vulnerability.
16 Claims
1. A method in a computer system with a processor and a memory for identifying when communications with a component expose a vulnerability of the component, the component having a communication protocol with communication protocol states that the component transitions through as it receives communications, the method comprising:
- providing a specification that specifies at least a portion of the communication protocol states of the component along with characteristics of communications associated with transitioning from one communication protocol state to another communication protocol state and indicates a communication protocol state when the vulnerability is exposed, the specification being independent of any exploitation of the vulnerability, an exploitation being a particular sequence of communications;
- receiving a plurality of communications for the component; and
- before each received communication is processed by the component:
  - determining a current communication protocol state of the component;
  - determining a next communication protocol state of the component based on the provided specification and the received message;
  - when the next communication protocol state is the indicated communication protocol state in which the vulnerability is exposed, not providing the received communication to the component; and
  - when the next communication protocol state is not the indicated communication protocol state, providing the received communication to the component; and
  - setting the current protocol state to the next protocol state.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A system for detecting when a vulnerability of an application would be exposed as a result of messages being sent to the application, comprising:
- a memory storing:
  - a specification for the application that defines a state machine that indicates when a message would expose the vulnerability of the application and defines actions to take to prevent exposing the vulnerability of the application, the state machine specifying communication protocol states that the application transitions through as it processes messages of a communication protocol used by the application, the specification being independent of any exploitation of the vulnerability, an exploitation being a particular series of messages;
  - a state store that stores a current communication protocol state of the application as represented by the state machine; and
  - an engine with computer-executable instructions that receives messages for the application, retrieves the current communication protocol state of the state machine for the application, and identifies from the specification for the application actions to perform when in the retrieved current communication protocol state and that message is received; and
- a processor for executing the computer-executable instructions stored in the memory.

Dependent claims: 10, 11, 12, 13, 14, 15.
16. A computer-readable storage medium for controlling a computer system to identify when messages expose a vulnerability of an application, the application having a message protocol with message protocol states that the application transitions through as it receives messages, by a method comprising:
- providing a specification that specifies at least a portion of the message protocol states of the application and indicates when, within the specified portion of the message protocol states, the vulnerability of the application is exposed, the provided specification defining a state machine for controlling processing of messages, the state machine defining message protocol states of the message protocol and events to transition between message protocol states, the specification being independent of any exploitation of the vulnerability, an exploitation being a particular sequence of messages;
- receiving messages for the application;
- determining whether a received message would expose the vulnerability of the application based on the specified portion of the message protocol states of the application, a current message protocol state, and the received message;
- when it is determined that the vulnerability would be exposed, not providing the received message to the application; and
- when it is determined that the vulnerability would not be exposed, providing the received message to the application.
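The state-machine filter described in the abstract and in claims 1, 9 and 16, as an added Python example that is not part of the patent. The protocol (HELLO, AUTH, DATA frames), the state names and the 64-byte threshold are constructed for illustration; the policy matches a message characteristic in a given state rather than any particular exploit sequence, which is the independence from exploitation the claims describe.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A message is (type, payload). The message types, state names and the 64-byte
# limit used below are constructed for this example; no real protocol is meant.
Message = Tuple[str, bytes]
Transitions = Dict[Tuple[str, str], List[Tuple[Callable[[bytes], bool], str]]]


@dataclass
class ProtectionPolicy:
    # The covered portion of the component's protocol state machine plus the
    # state in which the vulnerability is exposed (the "indicated" state).
    initial: str
    exposed: str
    transitions: Transitions  # (state, msg type) -> [(payload guard, next state)]


class ProtectionEngine:
    # Sits in front of the component and decides, per message, forward or drop.
    def __init__(self, policy: ProtectionPolicy) -> None:
        self.policy = policy
        self.state = policy.initial

    def next_state(self, msg: Message) -> str:
        mtype, payload = msg
        for guard, nxt in self.policy.transitions.get((self.state, mtype), []):
            if guard(payload):
                return nxt
        return self.state  # message irrelevant to the policy: no transition

    def admit(self, msg: Message) -> bool:
        nxt = self.next_state(msg)
        if nxt == self.policy.exposed:
            # Drop: the component never sees the message, so its real state is
            # unchanged and the tracked state is deliberately left as it is.
            return False
        self.state = nxt
        return True


def build_demo_policy() -> ProtectionPolicy:
    # Hypothetical protocol: HELLO, then AUTH, then DATA frames. A DATA payload
    # over 64 bytes is harmful only once AUTHENTICATED; elsewhere it is ignored.
    return ProtectionPolicy("INIT", "EXPOSED", {
        ("INIT", "HELLO"): [(lambda _: True, "GREETED")],
        ("GREETED", "AUTH"): [(lambda _: True, "AUTHENTICATED")],
        ("AUTHENTICATED", "DATA"): [(lambda b: len(b) > 64, "EXPOSED"),
                                    (lambda _: True, "AUTHENTICATED")],
    })


def filter_session(messages: List[Message]) -> List[bool]:
    # Per message: True if forwarded to the component, False if dropped.
    engine = ProtectionEngine(build_demo_policy())
    return [engine.admit(m) for m in messages]
```

An oversized DATA frame that arrives before authentication is forwarded because the policy names no transition for it in that state; the same frame after AUTH is dropped, which is what makes the filter state-aware rather than a byte-pattern signature.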