Detection of vulnerabilities in computer systems

US 8,458,798 B2
Filed: 08/27/2010
Issued: 06/04/2013
Est. Priority Date: 03/19/2010
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a presence of at least one vulnerability in an application, the method comprising:

modifying instructions of the application to create an instrumented method while the application is running, wherein the instrumented method includes at least one software sensor adapted to generate an event indicator in response to the instrumented method of the application being invoked, and wherein the event indicator includes at least some data associated with the method instrumented for a particular event;

storing the event indicator with other stored event indicators generated by the at least one sensor during the execution of the application, wherein other stored event indicators were generated in response to corresponding instrumented methods being invoked;

analyzing the stored event indicators;

detecting a presence of at least one vulnerability in the application based on the analysis of the stored event indicators; and

reporting the presence of at least one vulnerability in the application as detected based on the analysis of the stored event indicators.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatus, including computer program products, for detecting a presence of at least one vulnerability in an application. The method is provided that includes modifying instructions of the application to include at least one sensor that is configurable to generate an event indicator, wherein the event indicator includes at least some data associated with the event; storing the event indicator with other stored event indicators generated by the at least one sensor during the execution of the application; analyzing the stored event indicators; detecting a presence of at least one vulnerability in the application based on the analysis of the stored event indicators; and reporting the presence of at least one vulnerability.

Citations

22 Claims

1. A method for detecting a presence of at least one vulnerability in an application, the method comprising:
- modifying instructions of the application to create an instrumented method while the application is running, wherein the instrumented method includes at least one software sensor adapted to generate an event indicator in response to the instrumented method of the application being invoked, and wherein the event indicator includes at least some data associated with the method instrumented for a particular event;
  
  storing the event indicator with other stored event indicators generated by the at least one sensor during the execution of the application, wherein other stored event indicators were generated in response to corresponding instrumented methods being invoked;
  
  analyzing the stored event indicators;
  
  detecting a presence of at least one vulnerability in the application based on the analysis of the stored event indicators; and
  
  reporting the presence of at least one vulnerability in the application as detected based on the analysis of the stored event indicators.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the instructions of the application are modified at a run time during the execution of the application.
  - 3. The method of claim 1, wherein analyzing the stored event indicators further includes correlating the stored action snapshots.
  - 4. The method of claim 1, wherein the detecting the presence of the at least one vulnerability in the application based on the analysis of the stored action snapshots further includes generating an execution sequence associated with the vulnerability.
  - 5. The method of claim 4, wherein the reporting the presence of the at least one vulnerability further includes reporting the presence of at least one vulnerability based on the generated execution sequence associated with the vulnerability.
  - 6. The method of claim 1 wherein the reported presence of the at least one vulnerability includes at least one of the following vulnerabilities:
    - SQL injection, command injection, cross-site scripting, weak cryptography, cross-site request forgery, insecure transport, insecure redirect, parameter tampering, session hijacking, security misconfiguration, weak authentication, broken access control, and weak input validation.
  - 7. The method of claim 1, wherein the modifying instructions of the application to include at least one monitor further includes modifying instructions of the application to include at least one monitor based on at least one security rule.
  - 8. The method of claim 7, wherein the security rule verifies that the application has a code segment that prevents a vulnerability risk.
  - 9. The method of claim 7, wherein the security rule verifies that the application does not have a code segment that creates a vulnerability risk.
  - 10. The method of claim 7, wherein the security rule includes description of a terminal action that, when satisfied, causes the monitor to generate an indicator of an action.
  - 11. The method of claim 10, wherein the terminal action is satisfied when the application fails to securely authenticate a request or a response.
  - 12. The method of claim 10, wherein the terminal action is satisfied when the application fails to securely authorize a request.
  - 13. The method of claim 10, wherein the terminal action is satisfied when the application does not securely validate or encode data.
  - 14. The method of claim 10, wherein the terminal action is satisfied when the application fails to use secure communications during its execution.
  - 15. The method of claim 10, wherein the terminal action is satisfied when the application fails to use secure encryption during its execution.
  - 16. The method of claim 10, wherein the terminal action is satisfied when the application fails to prevent caching of its data.

17. A system for detecting vulnerabilities in an application, the system comprising:
- an instrumentation module structured and arranged to modify instructions of the application to create an instrumented method while the application is running, wherein the instrumented method includes at least one software sensor adapted to generate an event indicator in response to the instrumented method of the application being invoked, and wherein the event indicator includes at least some data associated with the method instrumented for a particular event;
  
  a tracking module structured and arranged to;
  
  store the event indicator with the other stored event indicators generated by the at least one sensor during the execution of the application, wherein other stored event indicators were generated in response to corresponding instrumented methods being invoked;
  
  analyze the stored event indicators, anddetect a presence of at least one vulnerability in the application based on the analysis of the stored event indicators; and
  
  a reporting module structured and arranged to report the presence of at least one vulnerability in the application as detected based on the analysis of the stored event indicator.
- View Dependent Claims (18, 19)
- - 18. The system of claim 17, wherein the tracking module further includes a correlation module structured and arranged to correlate the stored action snapshots.
  - 19. The system of claim 17 further including a security rule editor module structured and arranged to edit or add a security rule for causing the monitor to generate an the action snapshot based on at least one security rule.

20. A non-transitory computer readable medium including stored executable instructions for detecting at least one vulnerability in an application executing on at least one processor, the medium comprising instructions for causing the processor to:
- modify instructions of the application to create an instrumented method while the application is running, wherein the instrumented method includes at least one software sensor adapted to generate an event indicator in response to the instrumented method of the application being invoked, and wherein the event indicator includes at least some data associated with the method instrumented for a particular event;
  
  store the event indicator with other stored event indicators generated by the at least one sensor during the execution of the application, wherein other stored event indicators were generated in response to corresponding instrumented methods being invoked;
  
  analyze the stored event indicators;
  
  detect a presence of at least one vulnerability in the application based on the analysis of the stored event indicators; and
  
  report the presence of at least one vulnerability in the application as detected based on the analysis of the stored event indicators.
- View Dependent Claims (21, 22)
- - 21. The medium of claim 20 further including instructions that cause the processor to generate an execution sequence associated with the at least one vulnerability.
  - 22. The medium of claim 20 further including instructions that cause the processor to report the presence of the at least one vulnerability based on the generated execution sequence associated with the vulnerability.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Contrast Security, LLC
Original Assignee
Aspect Security Inc. (Ernst & Young LLP)
Inventors
Williams, Jeffrey, Dabirsiaghi, Arshan, Sheridan, Eric
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Su, Sarah

Application Number

US12/870,367
Publication Number

US 20110231936A1
Time in Patent Office

1,012 Days
Field of Search

726/22, 726/25, 713/189
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

Detection of vulnerabilities in computer systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of vulnerabilities in computer systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links