Remediation of security vulnerabilities in computer software
Abstract
Processing a downgrader specification by constructing a set of candidate downgrader placement locations found within a computer software application, where each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and where each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application, applying a downgrader specification to the set of candidate downgrader placement locations, and determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations.
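The coverage check described in the abstract, as an added Python example that is not taken from the patent. It assumes each data flow is an ordered tuple of instruction names and that the downgrader specification can be modeled as a predicate over transitions; the instruction names and both sample specifications are hypothetical.

```python
from typing import Callable, Iterable

Transition = tuple[str, str]   # (instruction, next instruction)
Flow = tuple[str, ...]         # ordered instructions from source to sink


def transitions(flow: Flow) -> list[Transition]:
    """Transitions between consecutive instruction pairs of one flow."""
    return list(zip(flow, flow[1:]))


def candidate_locations(flows: Iterable[Flow]) -> set[Transition]:
    """Initial candidates: every transition that participates in some flow."""
    return {t for flow in flows for t in transitions(flow)}


def check_coverage(flows: list[Flow], spec: Callable[[Transition], bool]):
    """Reduce the candidates with the spec, then list flows left uncovered."""
    reduced = {t for t in candidate_locations(flows) if spec(t)}
    uncovered = [f for f in flows if not reduced.intersection(transitions(f))]
    return reduced, uncovered


# Constructed sample: three security-sensitive flows (hypothetical names).
FLOWS: list[Flow] = [
    ("Servlet.getParameter", "Util.trim", "Dao.buildQuery", "Statement.execute"),
    ("Servlet.getParameter", "Util.trim", "View.render", "Writer.print"),
    ("Cookie.getValue", "Session.store", "Writer.print"),
]


def spec_dao_only(t: Transition) -> bool:
    """Assumed spec: downgraders may only sit on transitions entering Dao.*"""
    return t[1].startswith("Dao.")


def spec_layered(t: Transition) -> bool:
    """Assumed spec: placement allowed on entry to Dao.*, View.* or Session.*"""
    return t[1].startswith(("Dao.", "View.", "Session."))


if __name__ == "__main__":
    for name, spec in (("dao_only", spec_dao_only), ("layered", spec_layered)):
        reduced, uncovered = check_coverage(FLOWS, spec)
        status = "full coverage" if not uncovered else f"{len(uncovered)} uncovered"
        print(f"{name}: {len(reduced)} locations kept, {status}")
```

A specification provides full coverage only when the uncovered list is empty; any flow returned there reaches its sink without passing a permitted downgrader location.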
15 Claims
1. A computer hardware system, comprising:
- a hardware processor configured to initiate the following executable operations:
constructing, for a computer software application, an initial set of candidate downgrader placement locations;
identifying, for the computer software application, a set of security-sensitive data flows;
generating, by reducing the initial set of candidate downgrader placement locations using a downgrader specification, a reduced set of candidate downgrader placement locations; and
determining, based upon each of the data flows in the security of security-sensitive data flows including at least one candidate downgrader placement location in the reduced set of candidate downgrader placement locations, that the downgrader specification provides full coverage of the set of security-sensitive data flows, wherein
each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and
each of the transitions participates in at least one of the data flows in the set of security-sensitive data flows.
Dependent claims: 2, 3, 4, 5, 6
7. A computer hardware system, comprising:
- a hardware processor configured to initiate the following executable operations:
identifying, for a computer software application, a set of security-sensitive data flows;
constructing, for the computer software application, an initial set of candidate downgraders for processing the set of security-sensitive data flows;
generating, by reducing the initial set of candidate downgraders using a downgrader specification, a reduced set of candidate downgraders; and
determining, based upon each of the data flows in the security of security-sensitive data flows being processable by at least one candidate downgrader in the reduced set of candidate downgraders, that the downgrader specification provides full coverage of the set of security-sensitive data flows.
Dependent claims: 8, 9
10. A computer program product, comprising:
- a computer-readable storage medium having stored therein computer-readable program code, the computer-readable program code, which when executed by a computer hardware system, causes the computer hardware system to perform:
constructing, for a computer software application, an initial set of candidate downgrader placement locations;
identifying, for the computer software application, a set of security-sensitive data flows;
generating, by reducing the initial set of candidate downgrader placement locations using a downgrader specification, a reduced set of candidate downgrader placement locations; and
determining, based upon each of the data flows in the security of security-sensitive data flows including at least one candidate downgrader placement location in the reduced set of candidate downgrader placement locations, that the downgrader specification provides full coverage of the set of security-sensitive data flows, wherein
each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and
each of the transitions participates in at least one of the data flows in the set of security-sensitive data flows.
Dependent claims: 11, 12, 13, 14, 15
Specification