Systems and methods for combining static and dynamic code analysis

US 8,726,392 B1
Filed: 03/29/2012
Issued: 05/13/2014
Est. Priority Date: 03/29/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for combining static and dynamic code analysis, at least a portion of the method being performed by a computing system comprising at least one computer processor, the method comprising:

identifying executable code that is to be analyzed to determine whether the executable code is capable of leaking sensitive data;

performing a static analysis of the executable code to identify one or more objects which the executable code may use to transfer sensitive data by;

identifying one or more application programming interfaces capable of accessing sensitive data, andidentifying one or more code paths capable of leaking sensitive data, the static analysis being performed by analyzing the executable code without executing the executable code;

using a result of the static analysis to tune a dynamic analysis by instrumenting the executable code to track access to the one or more objects identified during the static analysis, wherein instrumenting the executable code comprises hooking the one or more application programming interfaces;

performing the dynamic analysis by, while the executable code is being executed, activating analysis within the one or more application programming interface hooks to analyze the one or more code paths capable of leaking sensitive data to determine whether the executable code leaks sensitive data via the one or more objects.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for combining static and dynamic code analysis may include 1) identifying executable code that is to be analyzed to determine whether the executable code is capable of leaking sensitive data, 2) performing a static analysis of the executable code to identify one or more objects which the executable code may use to transfer sensitive data, the static analysis being performed by analyzing the executable code without executing the executable code, 3) using a result of the static analysis to tune a dynamic analysis to track the one or more objects identified during the static analysis, and 4) performing the dynamic analysis by, while the executable code is being executed, tracking the one or more objects identified during the static analysis to determine whether the executable code leaks sensitive data via the one or more objects. Various other methods, systems, and computer-readable media are also disclosed.

259 Citations

20 Claims

1. A computer-implemented method for combining static and dynamic code analysis, at least a portion of the method being performed by a computing system comprising at least one computer processor, the method comprising:
- identifying executable code that is to be analyzed to determine whether the executable code is capable of leaking sensitive data;
  
  performing a static analysis of the executable code to identify one or more objects which the executable code may use to transfer sensitive data by;
  
  identifying one or more application programming interfaces capable of accessing sensitive data, andidentifying one or more code paths capable of leaking sensitive data, the static analysis being performed by analyzing the executable code without executing the executable code;
  
  using a result of the static analysis to tune a dynamic analysis by instrumenting the executable code to track access to the one or more objects identified during the static analysis, wherein instrumenting the executable code comprises hooking the one or more application programming interfaces;
  
  performing the dynamic analysis by, while the executable code is being executed, activating analysis within the one or more application programming interface hooks to analyze the one or more code paths capable of leaking sensitive data to determine whether the executable code leaks sensitive data via the one or more objects.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein:
    - the executable code comprises a single software application;
      
      the one or more objects which the executable code may use to transfer data comprise one or more storage locations that the single software application may write to and read from.
  - 3. The computer-implemented method of claim 1, wherein:
    - the executable code comprises a plurality of software applications;
      
      the one or more objects into which the executable code may transfer data comprise one or more inter-process communication channels used to communicate between applications in the plurality of software applications.
  - 4. The computer-implemented method of claim 1, wherein performing the static analysis further comprises at least one of:
    - performing a data-flow analysis to gather information relating to the executable code;
      
      using a control flow graph of the executable code to determine parts of the executable code to which a particular value assigned to a variable potentially propagates.
  - 5. The computer-implemented method of claim 1, wherein instrumenting the executable code further comprises at least one of:
    - instrumenting the executable code to watch data written to and read from a storage location identified during the static analysis;
      
      instrumenting the executable code to track sensitive data passed between programs using additional inter-process communication channels.
  - 6. The computer-implemented method of claim 1, wherein the executable code comprises at least one of:
    - JAVA bytecode;
      
      DALVIK bytecode.
  - 7. The computer-implemented method of claim 1, wherein identifying the executable code comprises:
    - identifying a first software program that is capable of accessing sensitive data;
      
      identifying a second software program that is capable of transferring sensitive data outside the computing system, wherein the executable code comprises the first and second software programs.

8. A system for combining static and dynamic code analysis, the system comprising:
- an identification module programmed to identify executable code that is to be analyzed to determine whether the executable code is capable of leaking sensitive data;
  
  a static analyzer programmed to perform a static analysis of the executable code to identify one or more objects which the executable code may use to transfer sensitive data by;
  
  identifying one or more application programming interfaces capable of accessing sensitive data, andidentifying one or more code paths capable of leaking sensitive data, the static analysis being performed by analyzing the executable code without executing the executable code;
  
  a tuning module programmed to use a result of the static analysis to tune a dynamic analysis by instrumenting the executable code to track access to the one or more objects identified during the static analysis, wherein instrumenting the executable code comprises hooking the one or more application programming interfaces;
  
  a dynamic analyzer programmed to perform the dynamic analysis by, while the executable code is being executed, activating analysis within the one or more application programming interface hooks to analyze the one or more code paths capable of leaking sensitive data to determine whether the executable code leaks sensitive data via the one or more objects;
  
  at least one computer processor configured to execute the identification module, the static analyzer, the tuning module, and the dynamic analyzer.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein:
    - the executable code comprises a single software application;
      
      the one or more objects which the executable code may use to transfer data comprise one or more storage locations that the single software application may write to and read from.
  - 10. The system of claim 8, wherein:
    - the executable code comprises a plurality of software applications;
      
      the one or more objects into which the executable code may transfer data comprise one or more inter-process communication channels used to communicate between applications in the plurality of software applications.
  - 11. The system of claim 8, wherein the static analyzer further performs the static analysis by at least one of:
    - performing a data-flow analysis to gather information relating to the executable code;
      
      using a control flow graph of the executable code to determine parts of the executable code to which a particular value assigned to a variable potentially propagates.
  - 12. The system of claim 8, wherein the tuning module further instruments the executable code by at least one of:
    - instrumenting the executable code to watch data written to and read from a storage location identified during the static analysis;
      
      instrumenting the executable code to track sensitive data passed between programs using additional inter-process communication channels.
  - 13. The system of claim 8, wherein the executable code comprises at least one of:
    - JAVA bytecode;
      
      DALVIK bytecode.
  - 14. The system of claim 8, wherein the identification module identifies the executable code by:
    - identifying a first software program that is capable of accessing sensitive data;
      
      identifying a second software program that is capable of transferring sensitive data outside a computing system, wherein the executable code comprises the first and second software programs.

15. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify executable code that is to be analyzed to determine whether the executable code is capable of leaking sensitive data;
  
  perform a static analysis of the executable code to identify one or more objects which the executable code may use to transfer sensitive data by;
  
  identifying one or more application programming interfaces capable of accessing sensitive data, andidentifying one or more code paths capable of leaking sensitive data, the static analysis being performed by analyzing the executable code without executing the executable code;
  
  use a result of the static analysis to tune a dynamic analysis by instrumenting the executable code to track access to the one or more objects identified during the static analysis, wherein instrumenting the executable code comprises hooking the one or more application programming interfaces;
  
  perform the dynamic analysis by, while the executable code is being executed, activating analysis within the one or more application programming interface hooks to analyze the one or more code paths capable of leaking sensitive data to determine whether the executable code leaks sensitive data via the one or more objects.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable medium of claim 15, wherein:
    - the executable code comprises a single software application;
      
      the one or more objects which the executable code may use to transfer data comprise one or more storage locations that the single software application may write to and read from.
  - 17. The non-transitory computer-readable medium of claim 15, wherein:
    - the executable code comprises a plurality of software applications;
      
      the one or more objects into which the executable code may transfer data comprise one or more inter-process communication channels used to communicate between applications in the plurality of software applications.
  - 18. The non-transitory computer-readable medium of claim 15, wherein the one or more computer-executable instructions further perform the static analysis by at least one of:
    - performing a data-flow analysis to gather information relating to the executable code;
      
      using a control flow graph of the executable code to determine parts of the executable code to which a particular value assigned to a variable potentially propagates.
  - 19. The non-transitory computer-readable medium of claim 15, wherein the one or more computer-executable instructions further instrument the executable code by at least one of:
    - instrumenting the executable code to watch data written to and read from a storage location identified during the static analysis;
      
      instrumenting the executable code to track sensitive data passed between programs using additional inter-process communication channels.
  - 20. The non-transitory computer-readable medium of claim 15, wherein the executable code comprises at least one of:
    - JAVA bytecode;
      
      DALVIK bytecode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
McCorkendale, Bruce, Tian, Xue Feng, Gong, Sheng, Zhu, Xiaole, Mao, Jun, Meng, Qingchun, Huang, Ge Hua, Hu, Wei Guo Eric
Primary Examiner(s)
Chen, Shin-Hon

Application Number

US13/434,416
Time in Patent Office

775 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 11/3604   Software analysis for verif...

G06F 21/52   during program execution, e...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 21/60   Protecting data

Systems and methods for combining static and dynamic code analysis

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

259 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for combining static and dynamic code analysis

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

259 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others