Remediation of security vulnerabilities in computer software

US 9,589,134 B2
Filed: 03/17/2016
Issued: 03/07/2017
Est. Priority Date: 10/09/2012
Status: Active Grant

First Claim

Patent Images

1. A computer hardware system, comprising:

a hardware processor configured to initiate the following executable operations;

constructing, for a computer software application, an initial set of candidate downgrader placement locations;

identifying, for the computer software application, a set of security-sensitive data flows;

generating, by reducing the initial set of candidate downgrader placement locations using a downgrader specification, a reduced set of candidate downgrader placement locations; and

determining, based upon each of the data flows in the security of security-sensitive data flows including at least one candidate downgrader placement location in the reduced set of candidate downgrader placement locations, that the downgrader specification provides full coverage of the set of security-sensitive data flows, whereineach of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, andeach of the transitions participates in at least one of the data flows in the set of security-sensitive data flows.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Processing a downgrader specification by constructing a set of candidate downgrader placement locations found within a computer software application, where each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and where each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application, applying a downgrader specification to the set of candidate downgrader placement locations, and determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations.

46 Citations

View as Search Results

15 Claims

1. A computer hardware system, comprising:
- a hardware processor configured to initiate the following executable operations;
  
  constructing, for a computer software application, an initial set of candidate downgrader placement locations;
  
  identifying, for the computer software application, a set of security-sensitive data flows;
  
  generating, by reducing the initial set of candidate downgrader placement locations using a downgrader specification, a reduced set of candidate downgrader placement locations; and
  
  determining, based upon each of the data flows in the security of security-sensitive data flows including at least one candidate downgrader placement location in the reduced set of candidate downgrader placement locations, that the downgrader specification provides full coverage of the set of security-sensitive data flows, whereineach of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, andeach of the transitions participates in at least one of the data flows in the set of security-sensitive data flows.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, whereinthe downgrader specification indicates downgrader placement locations to eliminate.
  - 3. The system of claim 1, whereinthe downgrader specification is defined by a computer user.
  - 4. The system of claim 1, whereinthe downgrader specification indicates areas of the computer software application in which downgraders are not to be placed.
  - 5. The system of claim 1, whereinthe downgrader specification indicates that downgraders be placed within a predefined number of instruction steps from a code location within the computer software application where untrusted data is read.
  - 6. The system of claim 1, whereinthe downgrader specification indicates that downgraders be placed within a predefined number of instruction steps from a security-sensitive operation within the computer software application.

7. A computer hardware system, comprising:
- a hardware processor configured to initiate the following executable operations;
  
  identifying, for a computer software application, a set of security-sensitive data flows;
  
  constructing, for the computer software application, an initial set of candidate downgraders for processing the set of security-sensitive data flows;
  
  generating, by reducing the initial set of candidate downgraders using a downgrader specification, a reduced set of candidate downgraders; and
  
  determining, based upon each of the data flows in the security of security-sensitive data flows being processable by at least one candidate downgrader in the reduced set of candidate downgraders, that the downgrader specification provides full coverage of the set of security-sensitive data flows.
- View Dependent Claims (8, 9)
- - 8. The system of claim 7, whereinthe downgrader specification indicates downgraders to eliminate.
  - 9. The system of claim 7, whereinthe downgrader specification indicates areas of the computer software application in which downgraders are not to be placed.

10. A computer program product, comprising:
- a computer-readable storage medium having stored therein computer-readable program code,the computer-readable program code, which when executed by a computer hardware system, causes the computer hardware system to perform;
  
  constructing, for a computer software application, an initial set of candidate downgrader placement locations;
  
  identifying, for the computer software application, a set of security-sensitive data flows;
  
  generating, by reducing the initial set of candidate downgrader placement locations using a downgrader specification, a reduced set of candidate downgrader placement locations; and
  
  determining, based upon each of the data flows in the security of security-sensitive data flows including at least one candidate downgrader placement location in the reduced set of candidate downgrader placement locations, that the downgrader specification provides full coverage of the set of security-sensitive data flows, whereineach of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, andeach of the transitions participates in at least one of the data flows in the set of security-sensitive data flows.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer program product of claim 10, whereinthe downgrader specification indicates downgrader placement locations to eliminate.
  - 12. The computer program product of claim 10, whereinthe downgrader specification is defined by a computer user.
  - 13. The computer program product of claim 10, whereinthe downgrader specification indicates areas of the computer software application in which downgraders are not to be placed.
  - 14. The computer program product of claim 10, whereinthe downgrader specification indicates that downgraders be placed within a predefined number of instruction steps from a code location within the computer software application where untrusted data is read.
  - 15. The computer program product of claim 10, whereinthe downgrader specification indicates that downgraders be placed within a predefined number of instruction steps from a security-sensitive operation within the computer software application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Tripp, Omer
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
RUPRECHT, CHRISTOPHER S

Application Number

US15/073,208
Publication Number

US 20160196429A1
Time in Patent Office

355 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 16/9024   Graphs; Linked lists G06F16...

G06F 21/12   Protecting executable software

G06F 21/52   during program execution, e...

G06F 21/54   by adding security routines...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 2221/033   Test or assess software

Remediation of security vulnerabilities in computer software

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

46 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Remediation of security vulnerabilities in computer software

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links