System and method for improving coverage for web code

US 8,914,879 B2
Filed: 06/07/2011
Issued: 12/16/2014
Est. Priority Date: 06/11/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, the method comprising:

locating conditional statements in the web code received in web content;

identifying an if-then-else construct in a first conditional statement of the conditional statements;

rewriting the first conditional statement into a corresponding first unconditional statement by rewriting a then-block of the if-then-else construct into a first context-recovery block and rewriting an else-block of the if-then-else construct into a second context-recovery block to generate a modified version of the web code; and

performing dynamic analysis on the modified version of the web code by executing the first unconditional statement to analyze a corresponding branch of the first conditional statement to detect malicious code in the web code.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for improving code coverage for web code that is analyzed for security purposes by dynamic code execution are described. A controller receives information, routes the information to the appropriate engine, analyzer or module and provides the functionality for improving code coverage for code analyzed for security purposes. A code rewrite engine rewrites code in such a way that all branches and stray functions will be executed. A dynamic analyzer performs dynamic analysis on web content to detect malicious code. Additionally, a static analyzer performs static analysis on web content. The static analyzer scans web content and detects a style of coding, a style of obfuscation of the code or patterns in the code.

Citations

19 Claims

1. A computer-implemented method, the method comprising:
- locating conditional statements in the web code received in web content;
  
  identifying an if-then-else construct in a first conditional statement of the conditional statements;
  
  rewriting the first conditional statement into a corresponding first unconditional statement by rewriting a then-block of the if-then-else construct into a first context-recovery block and rewriting an else-block of the if-then-else construct into a second context-recovery block to generate a modified version of the web code; and
  
  performing dynamic analysis on the modified version of the web code by executing the first unconditional statement to analyze a corresponding branch of the first conditional statement to detect malicious code in the web code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 17)
- - 2. The computer-implemented method of claim 1, futher comprising adding markers to each branch of the conditional statements.
  - 3. The computer-implemented method of claim 2, further comprising gathering statistics related to code coverage based on a triggering of the markers in the dynamic analysis.
  - 4. The computer-implemented method of claim 2, further comprising performing static analysis on each branch not executed in the dynamic analysis.
  - 5. The computer-implemented method of claim 1, wherein performing the dynamic analysis includes deobfuscating the web code to identify the malicious code.
  - 6. The computer-implemented method of claim 5, further comprising performing static analysis on dynamically created code generated during the dynamic analysis.
  - 7. The computer-implemented method of claim 1, further comprising:
    - detecting a query of a value of an environment parameter during a first pass scan; and
      
      detecting a branch based on the value of the environmental parameter.
  - 8. The computer-implemented method of claim 7, further comprising:
    - queuing a second pass scan with a different value for the environmental parameter; and
      
      making the second pass scan after completion of the first pass scan.
  - 9. The computer-implemented method of claim 1, further comprising remediating the malicious code.
  - 17. The method according to claim 1, further comprising:
    - executing the first unconditional statement by performing a first try-catch routine on the first context-recovery block to detect malicious code in the first context-recovery block;
      
      performing a second try-catch routine on the second context-recovery block to detect malicious code in the second context-recovery block; and
      
      reporting that malicious code is present in the web code via a user interface when malicious code is detected in at least one of the first context-recovery block or the second context-recovery block.

10. A system comprising:
- a scan engine to locate conditional statements in web code received in web content and to identify a first conditional statement in the conditional statements in the web code by identifying a corresponding if-then-else construct in the web code;
  
  a code rewrite engine to generate a modified version of the web code by rewriting the first conditional statement into a corresponding first unconditional statement by rewriting a then-block of the if-then-else construct into a first context-recovery block and rewriting an else-block of the if-then else construct into a second context-recovery block; and
  
  a dynamic analyzer to perform dynamic analysis on the modified vesion of the web code by executing the first unconditional statement to analyze a respective branch of the first conditional statement to detect malicious code in the web code.
- View Dependent Claims (11, 12, 13, 18)
- - 11. The system of claim 10, wherein the code analyzer is further to generate the modified version of the web code by adding markers to each branch related to the conditional statements.
  - 12. The system of claim 11, further comprising a statistics module to gather statistics related to code coverage based on a triggering of the markers in the dynamic analysis.
  - 13. The system of claim 10, further comprising a static analyzer to perform static analysis on a branch not executed in the dynamic analysis.
  - 18. The system according to claim 10, wherein the dynamic analyzer is to:
    - perform a first try-catch routine on the first context-recovery block to detect malicious code in the first context-recovery block;
      
      perform a second try-catch routine on the second context-recovery block to detect malicious code in the second context-recovery block; and
      
      report that malicious code is present in the web code via a user interface when malicious code is detected in at least one of the first context-recovery block or the second context-recovery block.

14. A tangible computer readable storage disc or storage device comprising instructions that, when executed, cause a machine to at least:
- locate a conditional statements in the web code received in web content;
  
  identify an if-then-else construct in a first conditional statement of the conditional statement;
  
  rewrite (1) a then-block of the if-then-else construct into a first context-recovery block and (2) an else-block of the if-then else construct into a second context-recovery block to generate a modified version of the web code; and
  
  perform dynamic analysis on the modified version of the web code by executing the first unconditional statement to analyze a corresponding branch of the first conditional statement to detect malicious code in the web code.
- View Dependent Claims (15, 16, 19)
- - 15. The tangible computer readable storage disc or storage device of claim 14, wherein the instructions cause the machine to perform the dynamic analysis by detecting a query of a value of an environmental parameter during a first pass scan;
    - and detecting a branch based on the value of the environmental parameter.
  - 16. The tangible computer readable storage disc or storage device of claim 15, wherein the instructions further cause the machine to:
    - queue a second pass scan with a different value for the environmental parameter; and
      
      make the second pass scan after completion of the first pass scan.
  - 19. The tangible computer readable storage disc or storage device according to claim 14, wherein the instructions, when executed, cause the machine to:
    - perform a first try-catch routine on the first context-recovery block to detect malicious code in the first context-recovery block;
      
      perform a second try-catch routine on the second context-recovery block to detect malicious code in the second context-recovery block; and
      
      report that malicious code is present in the web code via a user interface when malicious code is detected in at least one of the first context-recovery block or the second context-recovery block.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Melnik, Artem, Kaplan, Mark
Primary Examiner(s)
Abrishamkar, Kaveh
Assistant Examiner(s)
Alata, Ayoub

Application Number

US13/155,179
Publication Number

US 20110307954A1
Time in Patent Office

1,288 Days
Field of Search

726/22, 726/23, 726/24
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 40/154   Tree transformation for tre...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/168   above the transport layer

System and method for improving coverage for web code

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for improving coverage for web code

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links