Verifying application security vulnerabilities

US 9,160,762 B2
Filed: 12/18/2014
Issued: 10/13/2015
Est. Priority Date: 05/18/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented process for verifying application security vulnerabilities of a source code, comprising:

generating, responsive to all static analysis results not being validated, mock objects using a vulnerability call trace for the source code;

creating a unit test using the generated mock objects;

executing the unit test using the generated mock objects to determine whether an identified vulnerability was validated; and

selecting, responsive to a determination that the identified vulnerability was validated, a next static analysis result.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Verifying application security vulnerabilities includes receiving a source code to analyze, performing a static analysis using the received source code and generating a vulnerability call trace for the received source code. Responsive to a determination that all static analysis results are not validated, mock objects are generated using the vulnerability call trace and a unit test is created using the generated mock objects. The unit test is executed using the generated mock objects and responsive to a determination that an identified vulnerability was validated; a next static analysis result is selected. Responsive to a determination that all static analysis results are validated, results and computed unit tests are reported.

Citations

20 Claims

1. A computer-implemented process for verifying application security vulnerabilities of a source code, comprising:
- generating, responsive to all static analysis results not being validated, mock objects using a vulnerability call trace for the source code;
  
  creating a unit test using the generated mock objects;
  
  executing the unit test using the generated mock objects to determine whether an identified vulnerability was validated; and
  
  selecting, responsive to a determination that the identified vulnerability was validated, a next static analysis result.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The process of claim 1, further comprising:
    - identifying, in the source code, an entry point and a corresponding sensitive location for potentially malicious user input in a path suspected to have vulnerabilities.
  - 3. The process of claim 1, whereinthe vulnerability call trace is generated by identifying a path, suspected to have vulnerabilities, defining a sequence comprising a set of function calls and operations from an entry point associated with a user input to a corresponding sensitive location for potentially malicious user input.
  - 4. The process of claim 1, whereinthe creating the unit test includes:
    - converting the vulnerability call trace into a test method,creating a mock request object representing a mutated request object for a specified parameter of a request object identified in the vulnerability call trace, andcreating a mock response object representing a mutated response object for a corresponding request object identified in the vulnerability call trace, andthe mock response object contains validation logic for a specified vulnerability.
  - 5. The process of claim 4, whereinthe creating the mock response object includes selectively replacing the request object identified in the vulnerability call trace with one of:
    - a mock database access mechanism,a file system access, anda specified type of sink.
  - 6. The process of claim 1, whereinthe executing the unit test includes modifying the generated mock objects to incorporate changes caused by filters in a processing path,the processing path processes:
    - a request object by a filter before being passed to an application code, anda response object by a filter before being sent back to an HTTP client, to recreate effects of an environment on a mock request object and a mock response object used in the unit test.

7. A computer program product for verifying application security vulnerabilities of a source code, comprising:
- a computer recordable storage medium having stored therein computer executable program code, which when executed by a computer hardware system, causes the computer hardware system to perform;
  
  generating, responsive to all static analysis results not being validated, mock objects using a vulnerability call trace for the source code;
  
  creating a unit test using the generated mock objects;
  
  executing the unit test using the generated mock objects to determine whether an identified vulnerability was validated; and
  
  selecting, responsive to a determination that the identified vulnerability was validated, a next static analysis result.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computer program product of claim 7, wherein the computer executable program code further causes the computer hardware system to perform:
    - identifying, in the source code, an entry point and a corresponding sensitive location for potentially malicious user input in a path suspected to have vulnerabilities.
  - 9. The computer program product of claim 7, whereinthe vulnerability call trace is generated by identifying a path, suspected to have vulnerabilities, defining a sequence comprising a set of function calls and operations from an entry point associated with a user input to a corresponding sensitive location for potentially malicious user input.
  - 10. The computer program product of claim 7, whereinthe creating the unit test includes:
    - converting the vulnerability call trace into a test method,creating a mock request object representing a mutated request object for a specified parameter of a request object identified in the vulnerability call trace, andcreating a mock response object representing a mutated response object for a corresponding request object identified in the vulnerability call trace, and the mock response object contains validation logic for a specified vulnerability.
  - 11. The computer program product of claim 10, whereinthe creating the mock response object includes selectively replacing the request object identified in the vulnerability call trace with one of:
    - a mock database access mechanism,a file system access, anda specified type of sink.
  - 12. The computer program product of claim 7, wherein the computer executable program code further causes the computer hardware system to perform:
    - marking, responsive to a determination that an identified vulnerability was not validated, a current static analysis as a false positive.
  - 13. The computer program product of claim 7, whereinthe executing the unit test includes modifying the generated mock objects to incorporate changes caused by filters in a processing path,the processing path processes:
    - a request object by a filter before being passed to an application code, anda response object by a filter before being sent back to an HTTP client, to recreate effects of an environment on a mock request object and a mock response object used in the unit test.

14. An apparatus for verifying application security vulnerabilities of a source code:
- at least one hardware processor, wherein the at least one hardware processor is configured to initiate and/or perform;
  
  generating, responsive to all static analysis results not being validated, mock objects using a vulnerability call trace for the source code;
  
  creating a unit test using the generated mock objects;
  
  executing the unit test using the generated mock objects to determine whether an identified vulnerability was validated; and
  
  selecting, responsive to a determination that the identified vulnerability was validated, a next static analysis result.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The apparatus of claim 14, wherein the at least one hardware processor is further configured to initiate and/or perform:
    - identifying, in the source code, an entry point and a corresponding sensitive location for potentially malicious user input in a path suspected to have vulnerabilities.
  - 16. The apparatus of claim 14, whereinthe vulnerability call trace is generated by identifying a path, suspected to have vulnerabilities, defining a sequence comprising a set of function calls and operations from an entry point associated with a user input to a corresponding sensitive location for potentially malicious user input.
  - 17. The apparatus of claim 14, whereinthe creating the unit test includes:
    - converting the vulnerability call trace into a test method,creating a mock request object representing a mutated request object for a specified parameter of a request object identified in the vulnerability call trace, andcreating a mock response object representing a mutated response object for a corresponding request object identified in the vulnerability call trace, and the mock response object contains validation logic for a specified vulnerability.
  - 18. The apparatus of claim 17, whereinthe creating the mock response object includes selectively replacing the request object identified in the vulnerability call trace with one of:
    - a mock database access mechanism,a file system access, anda specified type of sink.
  - 19. The apparatus of claim 14, wherein the at least one hardware processor is further configured to initiate and/or perform:
    - marking, responsive to a determination that an identified vulnerability was not validated, a current static analysis as a false positive.
  - 20. The apparatus of claim 14, whereinthe executing the unit test includes modifying the generated mock objects to incorporate changes caused by filters in a processing path,the processing path processes:
    - a request object by a filter before being passed to an application code, anda response object by a filter before being sent back to an HTTP client, to recreate effects of an environment on a mock request object and a mock response object used in the unit test.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Blue, Inc. (FIG LLC (d/b/a Fortress Investment Group LLC))
Original Assignee
International Business Machines Corporation
Inventors
Brake, Nevon C., Ionescu, Paul, Onut, Iosif Viorel, Peyton, John T. Jr., Smith, Wayne Duncan
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US14/574,790
Publication Number

US 20150156216A1
Time in Patent Office

299 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

Verifying application security vulnerabilities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Verifying application security vulnerabilities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links