Remediation of security vulnerabilities in computer software

US 9,292,693 B2
Filed: 10/09/2012
Issued: 03/22/2016
Est. Priority Date: 10/09/2012
Status: Active Grant

First Claim

Patent Images

1. A system for processing a downgrader specification, the system comprising:

a processor programmed to implement executable operations comprising;

constructing a set of candidate downgrader placement locations found within a computer software application, wherein each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and wherein each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application;

applying a downgrader specification to the set of candidate downgrader placement locations, wherein applying the downgrader specification comprises eliminating from the set of candidate downgrader placement locations any of the candidate downgrader placement locations whose elimination is indicated by the downgrader specification; and

determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Processing a downgrader specification by constructing a set of candidate downgrader placement locations found within a computer software application, where each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and where each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application, applying a downgrader specification to the set of candidate downgrader placement locations, and determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations.

Citations

16 Claims

1. A system for processing a downgrader specification, the system comprising:
- a processor programmed to implement executable operations comprising;
  
  constructing a set of candidate downgrader placement locations found within a computer software application, wherein each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and wherein each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application;
  
  applying a downgrader specification to the set of candidate downgrader placement locations, wherein applying the downgrader specification comprises eliminating from the set of candidate downgrader placement locations any of the candidate downgrader placement locations whose elimination is indicated by the downgrader specification; and
  
  determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system according to claim 1 wherein the processor is configured to construct the set of candidate downgrader placement locations wherein membership of each of the candidate downgrader placement locations in the set of candidate downgrader placement locations is indicated by the downgrader specification.
  - 3. The system according to claim 1 wherein the downgrader specification is defined by a computer user.
  - 4. The system according to claim 1 wherein the downgrader specification indicates areas of the computer software application where downgraders are not to be placed.
  - 5. The system according to claim 1 wherein the downgrader specification indicates that downgraders be placed within a predefined number of instructions steps from a code location within the computer software application where untrusted data is read.
  - 6. The system according to claim 1 wherein the downgrader specification indicates that downgraders be placed within a predefined number of instruction steps from a security-sensitive operation within the computer software application.

7. A system for processing a downgrader specification, the system comprising:
- a processor programmed to implement executable operations comprising;
  
  constructing a set of candidate downgraders for processing a set of security-sensitive data flows within a computer software application, wherein each of the security-sensitive data flows is processable by at least one of the candidate downgraders;
  
  applying a downgrader specification to the set of candidate downgraders, wherein applying the downgrader specification comprises eliminating from the set of candidate downgraders any of the candidate downgraders whose elimination is indicated by the downgrader specification; and
  
  determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if each of the security-sensitive data flows is processable by at least one of the candidate downgraders remaining in the set of candidate downgraders.
- View Dependent Claims (8)
- - 8. The system according to claim 7 wherein the processor is configured to construct the set of candidate downgraders wherein membership of each of the candidate downgraders in the set of candidate downgraders is indicated by the downgrader specification.

9. A computer program product for processing a downgrader specification, the computer program product comprising a computer-readable storage medium storing computer-readable program code, wherein the computer-readable program code is executable by a processor to perform a method comprising:
- constructing, using the processor, a set of candidate downgrader placement locations found within a computer software application, wherein each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and wherein each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application;
  
  applying, using the processor, a downgrader specification to the set of candidate downgrader placement locations, wherein applying the downgrader specification comprises eliminating from the set of candidate downgrader placement locations any of the candidate downgrader placement locations whose elimination is indicated by the downgrader specification; and
  
  determining, using the processor, that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer program product according to claim 9 wherein the method further comprises constructing the set of candidate downgrader placement locations wherein membership of each of the candidate downgrader placement locations in the set of candidate downgrader placement locations is indicated by the downgrader specification.
  - 11. The computer program product according to claim 9 wherein the downgrader specification is defined by a computer user.
  - 12. The computer program product according to claim 9 wherein the downgrader specification indicates areas of the computer software application where downgraders are not to be placed.
  - 13. The computer program product according to claim 9 wherein the downgrader specification indicates that downgraders be placed within a predefined number of instructions steps from a code location within the computer software application where untrusted data is read.
  - 14. The computer program product according to claim 9 wherein the downgrader specification indicates that downgraders be placed within a predefined number of instruction steps from a security-sensitive operation within the computer software application.

15. A computer program product for processing a downgrader specification, the computer program product comprising a computer-readable storage medium storing computer-readable program code, wherein the computer-readable program code is executable by a processor to perform a method comprising:
- constructing, using the processor, a set of candidate downgraders for processing a set of security-sensitive data flows within a computer software application, wherein each of the security-sensitive data flows is processable by at least one of the candidate downgraders;
  
  applying, using the processor, a downgrader specification to the set of candidate downgraders, wherein applying the downgrader specification comprises eliminating from the set of candidate downgraders any of the candidate downgraders whose elimination is indicated by the downgrader specification; and
  
  determining, using the processor, that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if each of the security-sensitive data flows is processable by at least one of the candidate downgraders remaining in the set of candidate downgraders.
- View Dependent Claims (16)
- - 16. The computer program product according to claim 15 wherein the method further comprises constructing the set of candidate downgraders wherein membership of each of the candidate downgraders in the set of candidate downgraders is indicated by the downgrader specification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Tripp, Omer
Primary Examiner(s)
Mehrmanesh, Amir
Assistant Examiner(s)
RUPRECHT, CHRISTOPHER S

Application Number

US13/647,711
Publication Number

US 20140101756A1
Time in Patent Office

1,260 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 21/12   Protecting executable software

G06F 21/52   during program execution, e...

G06F 21/54   by adding security routines...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 2221/033   Test or assess software

Remediation of security vulnerabilities in computer software

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Remediation of security vulnerabilities in computer software

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links