Progressive static security analysis
Abstract
A disclosed method includes determining modifications have been made to a program and deriving data flow seeds that are affected by the modifications. The method includes selecting one of the data flow seeds that are affected by the modifications or data flow seeds that are not affected by the modifications but that are part of flows that are affected by the modifications and performing a security analysis on the program. The security analysis includes tracking flows emanating from the selected data flow seeds to sinks terminating the flows. The method includes outputting results of the security analysis. The results comprise one or more indications of security status for one or more of the flows emanating from the selected data flow seeds. At least the deriving, selecting, and performing are performed using a static analysis of the program. Apparatus and program products are also disclosed.
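The abstract describes the technique only in prose. The following Python program is an added illustration, not code from the patent or its assignee, of how the claimed steps fit together on a small data-flow graph: it derives the seeds whose own statement was modified, adds unmodified seeds whose flows pass through modified code, tracks only those flows to their sinks, and reports a security status per flow. The graph, seed, sink and sanitizer sets and the modification set are constructed sample data; reusing prior verdicts for seeds whose flows were not selected is my reading of "progressive" and is not spelled out in the abstract.

```python
"""Progressive (incremental) static taint analysis over a small data-flow
graph. Added example for the technique the abstract describes; not code
from the patent or its assignee. All names below are constructed."""
from collections import deque

# Constructed sample program: nodes are statements, edges show data
# propagation. Seeds are untrusted inputs, sinks are security-sensitive
# operations, sanitizers neutralise tainted data that passes through them.
EDGES = {
    "read_user_id":   ["build_query"],      # seed -> sink, no sanitizer
    "read_comment":   ["escape_html"],      # seed -> sanitizer -> sink
    "escape_html":    ["render_page"],
    "read_filename":  ["normalize_path"],   # unmodified seed, flow crosses a change
    "normalize_path": ["open_file"],
    "read_cookie":    ["log_cookie"],       # seed whose flow the change never touches
    "build_query": [], "render_page": [], "open_file": [], "log_cookie": [],
}
SEEDS = {"read_user_id", "read_comment", "read_filename", "read_cookie"}
SINKS = {"build_query": "sql-injection", "render_page": "xss",
         "open_file": "path-traversal", "log_cookie": "log-injection"}
SANITIZERS = {"escape_html"}


def reachable(graph, start):
    """Forward reachability: every node a flow starting at `start` can touch."""
    seen, work = set(), deque([start])
    while work:
        node = work.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return seen


def affected_seeds(graph, seeds, modified):
    """Seeds that are themselves affected: their statement is in the change set."""
    return {s for s in seeds if s in modified}


def flow_affected_seeds(graph, seeds, modified):
    """Seeds not modified themselves but part of a flow that crosses modified code."""
    return {s for s in seeds if s not in modified and reachable(graph, s) & modified}


def select_seeds(graph, seeds, modified):
    """The selection step of the claim: union of both seed categories."""
    return affected_seeds(graph, seeds, modified) | flow_affected_seeds(graph, seeds, modified)


def track_flows(graph, seed, sinks, sanitizers):
    """Enumerate acyclic flows from `seed` to sinks; a flow is safe only if it
    passes through a sanitizer before reaching the sink."""
    results = []
    stack = [(seed, [seed], seed in sanitizers)]
    while stack:
        node, path, sanitized = stack.pop()
        if node in sinks:
            results.append({"seed": seed, "sink": node, "path": path,
                            "category": sinks[node],
                            "status": "safe" if sanitized else "vulnerable"})
        for nxt in graph.get(node, []):
            if nxt not in path:  # ignore cycles
                stack.append((nxt, path + [nxt], sanitized or nxt in sanitizers))
    return results


def progressive_analysis(graph, seeds, sinks, sanitizers, modified, previous=None):
    """Analyse only flows the modification can have changed; for the other
    seeds reuse the verdicts of the previous run (assumption, see lead-in)."""
    previous = previous or {}
    selected = select_seeds(graph, seeds, modified)
    results = {s: track_flows(graph, s, sinks, sanitizers) for s in selected}
    for s in seeds - selected:
        if s in previous:
            results[s] = previous[s]
    return selected, results


if __name__ == "__main__":
    # Baseline: treat every statement as new, so every seed is analysed.
    _, baseline = progressive_analysis(EDGES, SEEDS, SINKS, SANITIZERS, set(EDGES))
    # Constructed change set: the user-id read and path normalisation were edited.
    selected, report = progressive_analysis(
        EDGES, SEEDS, SINKS, SANITIZERS, {"read_user_id", "normalize_path"}, baseline)
    print("re-analysed seeds:", sorted(selected))
    for seed, flows in sorted(report.items()):
        for f in flows:
            print(f"{seed:15} -> {f['sink']:15} {f['category']:15} {f['status']}")
```

In the incremental run only `read_user_id` (modified itself) and `read_filename` (unmodified, but its flow passes through the rewritten `normalize_path`) are re-analysed; the `read_comment` and `read_cookie` flows are untouched by the change and keep their previous verdicts.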
12 Citations
20 Claims
1. An apparatus, comprising:
one or more memories comprising computer-readable code;
one or more processors, wherein the one or more processors are configured, in response to execution of the computer-readable code, to cause the apparatus to perform the following:
determining modifications have been made to a program;
deriving data flow seeds that are affected by the modifications;
selecting one of the data flow seeds that are affected by the modifications or data flow seeds that are not affected by the modifications but that are part of flows that are affected by the modifications;
performing a security analysis on the program, wherein the security analysis comprises tracking flows emanating from the selected data flow seeds to sinks terminating the flows; and
outputting results of the security analysis, wherein the results comprise one or more indications of security status for one or more of the flows emanating from the selected data flow seeds, wherein at least the deriving, selecting, and performing are performed using a static analysis of the program.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A computer program product comprising a computer readable storage medium having program code embodied therewith, the program code executable by a computing system causing the computing system to perform:
determining modifications have been made to a program;
deriving data flow seeds that are affected by the modifications;
selecting one of the data flow seeds that are affected by the modifications or data flow seeds that are not affected by the modifications but that are part of flows that are affected by the modifications;
performing a security analysis on the program, wherein the security analysis comprises tracking flows emanating from the selected data flow seeds to sinks terminating the flows; and
outputting results of the security analysis, wherein the results comprise one or more indications of security status for one or more of the flows emanating from the selected data flow seeds, wherein at least the deriving, selecting, and performing are performed using a static analysis of the program.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
Specification