Detection of vulnerabilities in computer systems

US 8,844,043 B2
Filed: 05/08/2012
Issued: 09/23/2014
Est. Priority Date: 03/19/2010
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a presence of at least one vulnerability in a software application, the method comprising:

modifying instructions of the software application to instrument a method by;

parsing binary instructions of the software application associated with the method as the binary instructions are being loaded from a storage device; and

installing, by one or more processors, at least one monitor to the parsed binary instructions of the software application associated with the method before the parsed binary instructions of the software application are executed by the same one or more processors, wherein the at least one monitor is inserted at non-random locations within the binary instructions, and wherein the at least one monitor is adapted to generate an action snapshot of data or control flow pattern of the instrumented method whenever the instrumented method is invoked;

storing the action snapshot of with other stored action snapshots generated by the at least one monitor during execution of the software application whenever the instrument method is invoked;

analyzing, from within the same software application, the stored action snapshots;

based on the analysis, detecting the presence of at least one vulnerability in the software application, each of the at least one vulnerability defined by a particular security rule to identify a vulnerable data or control flow pattern of the unparsed binary instructions, the vulnerable data or control flow pattern rendering the software application more likely to perform actions unintended by the software application when executed by the same one or more processors; and

reporting the presence of the at least one vulnerability in the software application as detected based on the analysis of the stored action snapshots.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatus, including computer program products, for detecting a presence of at least one vulnerability in an application. The method is provided that includes modifying instructions of the application to include at least one sensor that is configurable to generate an event indicator, wherein the event indicator includes at least some data associated with the event; storing the event indicator with other stored event indicators generated by the at least one sensor during the execution of the application; analyzing the stored event indicators; detecting a presence of at least one vulnerability in the application based on the analysis of the stored event indicators; and reporting the presence of at least one vulnerability.

Citations

22 Claims

1. A method for detecting a presence of at least one vulnerability in a software application, the method comprising:
- modifying instructions of the software application to instrument a method by;
  
  parsing binary instructions of the software application associated with the method as the binary instructions are being loaded from a storage device; and
  
  installing, by one or more processors, at least one monitor to the parsed binary instructions of the software application associated with the method before the parsed binary instructions of the software application are executed by the same one or more processors, wherein the at least one monitor is inserted at non-random locations within the binary instructions, and wherein the at least one monitor is adapted to generate an action snapshot of data or control flow pattern of the instrumented method whenever the instrumented method is invoked;
  
  storing the action snapshot of with other stored action snapshots generated by the at least one monitor during execution of the software application whenever the instrument method is invoked;
  
  analyzing, from within the same software application, the stored action snapshots;
  
  based on the analysis, detecting the presence of at least one vulnerability in the software application, each of the at least one vulnerability defined by a particular security rule to identify a vulnerable data or control flow pattern of the unparsed binary instructions, the vulnerable data or control flow pattern rendering the software application more likely to perform actions unintended by the software application when executed by the same one or more processors; and
  
  reporting the presence of the at least one vulnerability in the software application as detected based on the analysis of the stored action snapshots.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the instructions of the software application are modified at a run time during the execution of the application.
  - 3. The method of claim 1, wherein the instructions of the software application are modified before the execution of the software application.
  - 4. The method of claim 1, wherein the modifying instructions of the software application to include at least one monitor further includes modifying instructions of the software application to include at least one monitor based on at least one security rule.
  - 5. The method of claim 4, further comprising:
    - projecting the at least one security rule up to a super class of the at least one method.
  - 6. The method of claim 5, further comprising:
    - projecting the at least one security rule down to override an instrumented method.
  - 7. The method of claim 1, further comprising:
    - configuring the at least one monitor to track data objects of the application.
  - 8. The method of claim 7, wherein the data objects represent HTTP requests or responses.
  - 9. The method of claim 7, further comprising:
    - correlating the action snapshots to generate a trace of events.
  - 10. The method of claim 9, wherein each event is associated with a set of tagranges, and wherein each tagrange is configured to apply a tag associating a descriptive attribute to a portion of a particular data object being tracked.
  - 11. The method of claim 1, further comprising:
    - configuring the monitors to generate the action snapshot that includes information uniquely identifying the associated action.
  - 12. The method of claim 11, further comprising:
    - identifying duplicate traces based on the information uniquely identifying the associated action.
  - 13. The method of claim 12, further comprising:
    - removing the identified duplicate traces prior to reporting the at least one vulnerability.
  - 14. The method of claim 1, further comprising:
    - applying patches to the at least one vulnerability.
  - 15. The method of claim 14, further comprising:
    - applying patches during a run-time when the application is being executed.
  - 16. The method of claim 14, further comprising:
    - applying patches from within the application that affect multiple methods to be instrumented and thus benefit multiple applications.

17. A system for detecting vulnerabilities in a software application, the system comprising:
- an instrumentation module structured and arranged to modify instructions of the software application to instrument a method by;
  
  parsing binary instructions of the software application associated with the method as the binary instructions are being loaded from a storage device; and
  
  installing, by one or more processors, at least one monitor to the parsed binary instructions of the software application before the parsed binary instructions of the software application are executed by the same one or more processors, wherein the at least one monitor is inserted at non-random locations within the binary instructions, and wherein the at least one monitor is adapted to generate an action snapshot of data or control flow pattern of the instrumented method whenever the instrumented method is invoked;
  
  a tracking module structured and arranged to;
  
  store the action snapshot with other stored action snapshots generated by the at least one monitor during execution of the software application whenever the instrument method is invoked;
  
  analyze, from within the same software application, the stored action snapshots, andbased on the analysis, detect a presence of at least one vulnerability in the software application, each of the at least one vulnerability defined by a particular security rule to identity a vulnerable data or control flow pattern of the unparsed binary instructions, the vulnerable data or control flow pattern rendering the software application more likely to perform actions unintended by the software application when executed on the same one or more processors; and
  
  a reporting module structured and arranged to report the presence of at least one vulnerability in the software application as detected based on the analysis of the stored action snapshots.
- View Dependent Claims (18, 19)
- - 18. The system of claim 17, wherein the tracking module further includes a correlation module structured and arranged to correlate the stored action snapshots.
  - 19. The system of claim 17 further including a security rule editor module structured and arranged to edit or add a security rule for causing the monitor to generate an the action snapshot based on at least one security rule.

20. A non-transitory computer readable medium including stored executable instructions for detecting at least one vulnerability in an software application executing on at least one processor, the medium comprising instructions for causing the processor to:
- modify instructions of the software application to instrument a method by;
  
  parsing binary instructions of the software application associated with the method as the binary instructions of the software application are being loaded from a storage device; and
  
  installing, by one or more processors, at least one monitor to the parsed binary instructions of the software application associated with the method before the parsed binary instructions of the software application are executed by the same one or more processors, wherein the at least one monitor is inserted at non-random locations within the binary instructions, and wherein the at least one monitor is adapted to generate an action snapshot of data or control flow pattern of the instrumented method whenever the instrumented method is invoked an action performed by the software application, wherein the action snapshot includes at least some data associated with the action;
  
  store the action snapshot with other stored action snapshots generated by the at least one monitor during the execution of the software application whenever the instrument method is invoked;
  
  analyze, from within the same software application, the stored action snapshots;
  
  based on the analysis, detecting the presence of at least one vulnerability in the software application, each of the at least one vulnerability defined by a particular security rule to identify a vulnerable data or control flow pattern of the unparsed binary instructions, the vulnerable data or control flow pattern rendering the software application more likely to perform actions unintended by the software application when executed by the same one or more processors; and
  
  report the presence of at least one vulnerability in the software application as detected based on the analysis of the stored action snapshots.
- View Dependent Claims (21, 22)
- - 21. The medium of claim 20 further including instructions that cause the processor to generate an execution sequence associated with the at least one vulnerability.
  - 22. The medium of claim 20 further including instructions that cause the processor to report the presence of the at least one vulnerability based on the generated execution sequence associated with the vulnerability.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Contrast Security, LLC
Original Assignee
Contrast Security, LLC
Inventors
Williams, Jeffrey, Dabirsiaghi, Arshan, Sheridan, Eric
Primary Examiner(s)
Revak, Christopher
Assistant Examiner(s)
Su, Sarah

Application Number

US13/466,527
Publication Number

US 20120222123A1
Time in Patent Office

868 Days
Field of Search

726/22, 726/25, 713/189
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

Detection of vulnerabilities in computer systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of vulnerabilities in computer systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links