Remediation of security vulnerabilities in computer software
First Claim
1. A system for processing a downgrader specification, the system comprising:
- a processor programmed to implement executable operations comprising;
constructing a set of candidate downgrader placement locations found within a computer software application, wherein each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and wherein each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application;
applying a downgrader specification to the set of candidate downgrader placement locations, wherein applying the downgrader specification comprises eliminating from the set of candidate downgrader placement locations any of the candidate downgrader placement locations whose elimination is indicated by the downgrader specification; and
determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations.
1 Assignment
0 Petitions
Accused Products
Abstract
Processing a downgrader specification by constructing a set of candidate downgrader placement locations found within a computer software application, where each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and where each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application, applying a downgrader specification to the set of candidate downgrader placement locations, and determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations.
-
Citations
16 Claims
-
1. A system for processing a downgrader specification, the system comprising:
-
a processor programmed to implement executable operations comprising; constructing a set of candidate downgrader placement locations found within a computer software application, wherein each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and wherein each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application; applying a downgrader specification to the set of candidate downgrader placement locations, wherein applying the downgrader specification comprises eliminating from the set of candidate downgrader placement locations any of the candidate downgrader placement locations whose elimination is indicated by the downgrader specification; and determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A system for processing a downgrader specification, the system comprising:
-
a processor programmed to implement executable operations comprising; constructing a set of candidate downgraders for processing a set of security-sensitive data flows within a computer software application, wherein each of the security-sensitive data flows is processable by at least one of the candidate downgraders; applying a downgrader specification to the set of candidate downgraders, wherein applying the downgrader specification comprises eliminating from the set of candidate downgraders any of the candidate downgraders whose elimination is indicated by the downgrader specification; and determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if each of the security-sensitive data flows is processable by at least one of the candidate downgraders remaining in the set of candidate downgraders. - View Dependent Claims (8)
-
-
9. A computer program product for processing a downgrader specification, the computer program product comprising a computer-readable storage medium storing computer-readable program code, wherein the computer-readable program code is executable by a processor to perform a method comprising:
-
constructing, using the processor, a set of candidate downgrader placement locations found within a computer software application, wherein each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and wherein each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application; applying, using the processor, a downgrader specification to the set of candidate downgrader placement locations, wherein applying the downgrader specification comprises eliminating from the set of candidate downgrader placement locations any of the candidate downgrader placement locations whose elimination is indicated by the downgrader specification; and determining, using the processor, that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations. - View Dependent Claims (10, 11, 12, 13, 14)
-
-
15. A computer program product for processing a downgrader specification, the computer program product comprising a computer-readable storage medium storing computer-readable program code, wherein the computer-readable program code is executable by a processor to perform a method comprising:
-
constructing, using the processor, a set of candidate downgraders for processing a set of security-sensitive data flows within a computer software application, wherein each of the security-sensitive data flows is processable by at least one of the candidate downgraders; applying, using the processor, a downgrader specification to the set of candidate downgraders, wherein applying the downgrader specification comprises eliminating from the set of candidate downgraders any of the candidate downgraders whose elimination is indicated by the downgrader specification; and determining, using the processor, that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if each of the security-sensitive data flows is processable by at least one of the candidate downgraders remaining in the set of candidate downgraders. - View Dependent Claims (16)
-
Specification