Security scan based on dynamic taint

US 9,558,355 B2
Filed: 08/29/2012
Issued: 01/31/2017
Est. Priority Date: 08/29/2012
Status: Active Grant

First Claim

Patent Images

1. A computing system comprising:

an application security scanner including at least one hardware processor and a machine-readable storage medium storing instructions that, when executed by the at least one hardware processor, cause the at least one hardware processor to;

cause a dynamic taint module associated with the application security scanner to initiate a crawl phase of a security test for an application under test to execute at a server separate from the scanner,wherein the dynamic taint module is executed at the server,wherein the dynamic taint module is to;

intercept program execution of the application under test during the crawl phase to determine a plurality of security vulnerability candidates, wherein the dynamic taint module is to mark a plurality of untrusted user inputs as taint sources and trace the respective untrusted user inputs to determine whether the respective untrusted user input lead to a function call associated with vulnerability;

wherein the security test includes the crawl phase and an attack;

perform a dynamic taint analysis by the dynamic taint module as part of the crawl phase of the security test;

receive a report including the security vulnerability candidates from the dynamic taint module;

cause restriction of the dynamic taint module; and

generate a scanning strategy based on the security vulnerability candidates from the report received from the dynamic taint module to use in the attack.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example embodiments disclosed herein relate to generating a scanning strategy based on a dynamic taint module. A dynamic taint module associated with an application is caused to be initiated for a crawling phase of a security test. A report is received from the dynamic taint module. The dynamic taint module is restricted. The scanning strategy is based on the report.

44 Citations

View as Search Results

16 Claims

1. A computing system comprising:
- an application security scanner including at least one hardware processor and a machine-readable storage medium storing instructions that, when executed by the at least one hardware processor, cause the at least one hardware processor to;
  
  cause a dynamic taint module associated with the application security scanner to initiate a crawl phase of a security test for an application under test to execute at a server separate from the scanner,wherein the dynamic taint module is executed at the server,wherein the dynamic taint module is to;
  
  intercept program execution of the application under test during the crawl phase to determine a plurality of security vulnerability candidates, wherein the dynamic taint module is to mark a plurality of untrusted user inputs as taint sources and trace the respective untrusted user inputs to determine whether the respective untrusted user input lead to a function call associated with vulnerability;
  
  wherein the security test includes the crawl phase and an attack;
  
  perform a dynamic taint analysis by the dynamic taint module as part of the crawl phase of the security test;
  
  receive a report including the security vulnerability candidates from the dynamic taint module;
  
  cause restriction of the dynamic taint module; and
  
  generate a scanning strategy based on the security vulnerability candidates from the report received from the dynamic taint module to use in the attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing system of claim 1, further comprising:
    - the dynamic taint module to;
      
      receive a first message from the application security scanner to initiate the dynamic taint module;
      
      initiate the dynamic taint module in response to the first message;
      
      generate the report during the crawl phase;
      
      cause sending of the report to the application security scanner;
      
      receive a second message to disable the dynamic taint module; and
      
      disable at least part of the dynamic taint module based on the second message for the attack.
  - 3. The computing system of claim 1, wherein the function call includes at least one of:
    - a direct database query, a file open, a file delete, and a write function to a HyperText Markup Language response stream.
  - 4. The computing system of claim 1, wherein the dynamic taint module is to initiate activation of a functionality of the dynamic taint module to assist the application security scanner, and wherein the dynamic taint module is to restrict the dynamic taint module by disabling the functionality.
  - 5. The computing system of claim 1, wherein the application security scanner further comprising a crawler to:
    - obtain attack entry points of the application under test during the crawl phase, wherein the application security scanner is further to;
      
      receive a vulnerability candidate list of the security vulnerability candidates of the application under test, wherein the vulnerability candidate list is determined by the dynamic taint module.
  - 6. The computing system of claim 5, wherein the application security scanner further comprising:
    - an adjustment module to determine the scanning strategy by prioritizing the vulnerability candidate list in an attack; and
      
      an attack module to conduct the attack on the application under test based on the scanning strategy in the attack phase.
  - 7. The computing system of claim 5, further comprising:
    - an adjustment module to determine the scanning strategy by determining attacks for the respective attack entry points focused on the security vulnerability candidates associated with the respective attack entry points; and
      
      an attack module to attack the application under test based on the scanning strategy during the attack.

8. A non-transitory machine-readable storage medium storing instructions that, when executed by at least one hardware processor of an application security scanner, cause the application security scanner to:
- cause a dynamic taint module associated with the application security scanner to initiate during a crawl phase of a security test of an application under test,wherein the security test includes the crawl phase and an attack,wherein the dynamic taint module is located on a server that is used to execute the application under test and that is separate from the application security scanner, wherein the dynamic taint module is to perform a dynamic taint analysis as part of the crawl phase of the security test that includes interception of program execution of the application under test during the crawl phase to determine a plurality of security vulnerability candidates by marking a plurality of untrusted inputs as taint sources and tracing the respective untrusted user inputs to determine whether the respective untrusted user inputs lead to a function call associated with vulnerability;
  
  receive a report from the dynamic taint module that includes a vulnerability candidate list that includes the security vulnerability candidates;
  
  cause restriction of the dynamic taint module; and
  
  generate a scanning strategy based on the vulnerability candidate list received from the dynamic taint module to use in the attack.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The non-transitory machine-readable storage medium of claim 8, further comprising instructions that, when executed by the at least one hardware processor, cause the application security scanner to:
    - obtain attack entry points of the application under test during the crawl phase;
      
      determine the scanning strategy by prioritizing the vulnerability candidate list to use for an attack on the application under test; and
      
      attack the application under test based on the scanning strategy.
  - 10. The non-transitory machine-readable storage medium of claim 8, further comprising instructions that, when executed by the at least one hardware processor, cause the application security scanner to:
    - obtain attack entry points of the application under test during the crawl phase;
      
      determine the scanning strategy by determining attacks for the respective attack entry points based on the vulnerability candidate list; and
      
      attack the application under test based on the scanning strategy.
  - 11. The non-transitory machine-readable storage medium of claim 9, further comprising instructions that, when executed by the at least one hardware processor, cause the application security scanner to obtain the attack entry points of the application under test by performing a crawl via a website interface of the application under test during the crawl phase.
  - 12. The non-transitory machine-readable storage medium of claim 11, wherein each of the security vulnerability candidates are associated with a particular attack entry point determined during the crawl phase.

13. A method implemented by at least one hardware processor of an application security scanner, the method comprising:
- causing, by the at least one hardware processor, a dynamic taint module associated with the application security scanner, the dynamic taint module executing at a server separate from the application security scanner, to initiate during a crawl phase of a security test for an application under test also executing at the server, wherein the security test includes the crawl phase and an attack,wherein the dynamic taint module performs a dynamic taint analysis during the crawl phase of the security test to yield a plurality of security vulnerability candidates by intercepting program execution of the application under test to determine the security vulnerability candidates by marking a plurality of untrusted user inputs of the crawling of the application under test as taint sources and tracing the respective untrusted user input to determine whether the respective untrusted user input leads to a function call associated with vulnerability;
  
  receiving a report from the dynamic taint module that includes the vulnerability candidate list;
  
  causing, by the at least one hardware processor, restriction of the dynamic taint module;
  
  generating, by the at least one hardware processor, a scanning strategy based on the vulnerability candidate list received from the dynamic taint module to use in the attack; and
  
  attacking, by the at least one hardware processor, the application under test based on the scanning strategy.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, further comprising prioritizing the attack in the scanning strategy based on the vulnerability candidate list.
  - 15. The method of claim 13, further comprising attacking the application under test based on the security vulnerability candidates on the vulnerability candidate list, wherein each of the security vulnerability candidates are associated with a particular attack entry point determined during the crawl phase.
  - 16. The method of claim 13, further comprising crawling the application under test during the crawl phase, by the at least one hardware processor, via a website interface of the application under test, to determine an attack surface of the application under test.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Madou, Matias, Sum, Sam Ng Ming
Primary Examiner(s)
LEE, JASON T

Application Number

US14/424,401
Publication Number

US 20150248559A1
Time in Patent Office

1,616 Days
Field of Search

726/25
US Class Current

1/1
CPC Class Codes

G06F 16/24   Querying

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 2221/034   Test or assess a computer o...

H04L 63/1433   Vulnerability analysis

Security scan based on dynamic taint

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Security scan based on dynamic taint

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links