Verifying application security vulnerabilities

US 8,935,794 B2
Filed: 05/07/2013
Issued: 01/13/2015
Est. Priority Date: 05/18/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented process for verifying application security vulnerabilities, the computer-implemented process comprising:

receiving a source code to analyze;

performing a static analysis using the received source code;

generating a vulnerability call trace for the received source code;

determining whether all static analysis results are validated;

responsive to a determination that all static analysis results are not validated, generating mock objects using the vulnerability call trace;

creating a unit test using the generated mock objects;

executing, using a processor, the unit test using the generated mock objects;

determining, using the processor, whether an identified vulnerability was validated;

responsive to a determination that an identified vulnerability was validated, selecting a next static analysis result; and

responsive to a determination that all static analysis results are validated, reporting results and computed unit tests.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Verifying application security vulnerabilities includes receiving a source code to analyze, performing a static analysis using the received source code and generating a vulnerability call trace for the received source code. Responsive to a determination that all static analysis results are not validated, mock objects are generated using the vulnerability call trace and a unit test is created using the generated mock objects. The unit test is executed using the generated mock objects and responsive to a determination that an identified vulnerability was validated; a next static analysis result is selected. Responsive to a determination that all static analysis results are validated, results and computed unit tests are reported.

Citations

20 Claims

1. A computer-implemented process for verifying application security vulnerabilities, the computer-implemented process comprising:
- receiving a source code to analyze;
  
  performing a static analysis using the received source code;
  
  generating a vulnerability call trace for the received source code;
  
  determining whether all static analysis results are validated;
  
  responsive to a determination that all static analysis results are not validated, generating mock objects using the vulnerability call trace;
  
  creating a unit test using the generated mock objects;
  
  executing, using a processor, the unit test using the generated mock objects;
  
  determining, using the processor, whether an identified vulnerability was validated;
  
  responsive to a determination that an identified vulnerability was validated, selecting a next static analysis result; and
  
  responsive to a determination that all static analysis results are validated, reporting results and computed unit tests.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented process of claim 1, wherein performing a static analysis using the received source code further comprises:
    - identifying an entry point and a corresponding sensitive location for potentially malicious user input in a path suspected to have vulnerabilities of the source code received.
  - 3. The computer-implemented process of claim 1, wherein generating a vulnerability call trace for the received source code further comprises:
    - identifying a path suspected to have vulnerabilities defining a sequence comprising a set of function calls and operations from an entry point associated with a user input to a corresponding sensitive location for potentially malicious user input.
  - 4. The computer-implemented process of claim 1, wherein creating a unit test using the generated mock objects further comprises:
    - converting the vulnerability call trace into a test method;
      
      creating a mock request object representing a mutated request object for a specified parameter of a request object identified in the vulnerability call trace; and
      
      creating a mock response object representing a mutated response object for a corresponding request object identified in the vulnerability call trace, wherein the mock response object contains validation logic for a specified vulnerability.
  - 5. The computer-implemented process of claim 4, wherein creating a mock response object further comprises:
    - selectively replacing the request object identified in the vulnerability call trace with one of a mock database access mechanism, a file system access and a specified type of sink.
  - 6. The computer-implemented process of claim 1, further comprising:
    - responsive to a determination that an identified vulnerability was not validated, marking a current static analysis as a false positive; and
      
      selecting a next static analysis result.
  - 7. The computer-implemented process of claim 1, wherein executing the unit test using the generated mock objects further comprises:
    - modifying the generated mock objects to incorporate changes caused by filters in a processing path, which processes a request object by a filter before being passed to an application code, and which processes a response object by a filter before being sent back to an HTTP client, to recreate effects of an environment on a mock request object and a mock response object used in the unit test.

8. A computer program product for verifying application security vulnerabilities, the computer program product comprising:
- a computer recordable storage medium containing computer executable program code stored thereon, the computer executable program code comprising;
  
  computer executable program code for receiving a source code to analyze;
  
  computer executable program code for performing a static analysis using the received source code;
  
  computer executable program code for generating a vulnerability call trace for the received source code;
  
  computer executable program code for determining whether all static analysis results are validated;
  
  computer executable program code responsive to a determination that all static analysis results are not validated, for generating mock objects using the vulnerability call trace;
  
  computer executable program code for creating a unit test using the generated mock objects;
  
  computer executable program code for executing the unit test using the generated mock objects;
  
  computer executable program code for determining whether an identified vulnerability was validated;
  
  computer executable program code responsive to a determination that an identified vulnerability was validated, for selecting a next static analysis result; and
  
  computer executable program code responsive to a determination that all static analysis results are validated, for reporting results and computed unit tests.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, wherein computer executable program code for performing a static analysis using the received source code further comprises:
    - computer executable program code for identifying an entry point and a corresponding sensitive location for potentially malicious user input in a path suspected to have vulnerabilities of the source code received.
  - 10. The computer program product of claim 8, wherein computer executable program code for generating a vulnerability call trace for the received source code further comprises:
    - computer executable program code for identifying a path suspected to have vulnerabilities defining a sequence comprising a set of function calls and operations from an entry point associated with a user input to a corresponding sensitive location for potentially malicious user input.
  - 11. The computer program product of claim 8, wherein computer executable program code for creating a unit test using the generated mock objects further comprises:
    - computer executable program code for converting the vulnerability call trace into a test method;
      
      computer executable program code for creating a mock request object representing a mutated request object for a specified parameter of a request object identified in the vulnerability call trace; and
      
      computer executable program code for creating a mock response object representing a mutated response object for a corresponding request object identified in the vulnerability call trace, wherein the mock response object contains validation logic for a specified vulnerability.
  - 12. The computer program product of claim 11, wherein computer executable program code for creating a mock response object further comprises:
    - computer executable program code for selectively replacing the request object identified in the vulnerability call trace with one of a mock database access mechanism, a file system access and a specified type of sink.
  - 13. The computer program product of claim 8, further comprising:
    - computer executable program code responsive to a determination that an identified vulnerability was not validated, for marking a current static analysis as a false positive; and
      
      computer executable program code for selecting a next static analysis result.
  - 14. The computer program product of claim 8, wherein computer executable program code for executing the unit test using the generated mock objects further comprises:
    - computer executable program code for modifying the generated mock objects to incorporate changes caused by filters in a processing path, which processes a request object by a filter before being passed to an application code, and which processes a response object by a filter before being sent back to an HTTP client, to recreate effects of an environment on a mock request object and a mock response object used in the unit test.

15. An apparatus for verifying application security vulnerabilities, the apparatus comprising:
- a communications fabric;
  
  a memory connected to the communications fabric, wherein the memory contains computer executable program code;
  
  a communications unit connected to the communications fabric;
  
  an input/output unit connected to the communications fabric; and
  
  a processor unit connected to the communications fabric, wherein the processor unit executes the computer executable program code to direct the apparatus to;
  
  receive a source code to analyze;
  
  perform a static analysis using the received source code;
  
  generate a vulnerability call trace for the received source code;
  
  determine whether all static analysis results are validated;
  
  responsive to a determination that all static analysis results are not validated, generate mock objects using the vulnerability call trace;
  
  create a unit test using the generated mock objects;
  
  execute the unit test using the generated mock objects;
  
  determine whether an identified vulnerability was validated;
  
  responsive to a determination that an identified vulnerability was validated, select a next static analysis result; and
  
  responsive to a determination that all static analysis results are validated, report results and computed unit tests.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein the processor unit executes the computer executable program code to perform a static analysis using the received source code further directs the apparatus to:
    - identify an entry point and a corresponding sensitive location for potentially malicious user input in a path suspected to have vulnerabilities of the source code received.
  - 17. The apparatus of claim 15, wherein the processor unit executes the computer executable program code to generate a vulnerability call trace for the received source code further directs the apparatus to:
    - identify a path suspected to have vulnerabilities defining a sequence comprising a set of function calls and operations from an entry point associated with a user input to a corresponding sensitive location for potentially malicious user input.
  - 18. The apparatus of claim 15, wherein the processor unit executes the computer executable program code to creating a unit test using the generated mock objects further directs the apparatus to:
    - convert the vulnerability call trace into a test method;
      
      create a mock request object representing a mutated request object for a specified parameter of a request object identified in the vulnerability call trace; and
      
      create a mock response object representing a mutated response object for a corresponding request object identified in the vulnerability call trace, wherein the mock response object contains validation logic for a specified vulnerability.
  - 19. The apparatus of claim 18, wherein the processor unit executes the computer executable program code to creating a mock response object further directs the apparatus to:
    - selectively replace the request object identified in the vulnerability call trace with one of a mock database access mechanism, a file system access and a specified type of sink.
  - 20. The apparatus of claim 15, wherein the processor unit executes the computer executable program code to execute the unit test using the generated mock objects further directs the apparatus to:
    - modify the generated mock objects to incorporate changes caused by filters in a processing path, which processes a request object by a filter before being passed to an application code, and which processes a response object by a filter before being sent back to an HTTP client, to recreate effects of an environment on a mock request object and a mock response object used in the unit test.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Blue, Inc. (FIG LLC (d/b/a Fortress Investment Group LLC))
Original Assignee
International Business Machines Corporation
Inventors
Brake, Nevon C., Ionescu, Paul, Onut, Iosif Viorel, Peyton, John T. Jr., Smith, Wayne Duncan
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US13/888,827
Publication Number

US 20130312102A1
Time in Patent Office

616 Days
Field of Search

726/22, 726/23, 726/25, 713/164, 713/193
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

Verifying application security vulnerabilities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Verifying application security vulnerabilities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links