Simulating black box test results using information from white box testing

US 9,747,187 B2
Filed: 10/27/2010
Issued: 08/29/2017
Est. Priority Date: 10/27/2010
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a white box tester that statically analyzes computer software to identify a plurality of milestones, including a first milestone, associated with a potential vulnerability within the computer software, wherein each of the milestones indicates a location of a method call of a source code statement within the computer software at which a data item can be accessed and modified and wherein the first milestone indicates a first source code location within the computer software at which the data item can be accessed and modified without validation, resulting in the potential vulnerability;

an entry point tracer that identifies one or more entry points into the computer software associated with the potential vulnerability by tracing paths from the source code statement of the first milestone, wherein each entry point provides a method location where an interface of the computer software is exposed to receive input external to the computer software;

an input analyzer that identifies one or more HTTP request parameter inputs to at least a first one of the one or more entry points that results in a control flow from the first entry point to the first milestone; and

a black box simulator that;

automatically identifies, from a consultation of an Extensible Markup Language (XML) configuration file for a web server executing the computer software, a uniform resource locator (URL) of a class representing the computer software having the potential vulnerability based on the first entry point and the one or more identified HTTP request parameter inputs; and

presents a simulated black box test result for the computer software by generating a description of the potential vulnerability indicating the identified URL exposing the potential vulnerability, and one or more of the identified HTTP request parameter inputs that have not been validated.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods are program products for simulating black box test results using information obtained from white box testing, including analyzing computer software (e.g., an application) to identify a potential vulnerability within the computer software application and a plurality of milestones associated with the potential vulnerability, where each of the milestones indicates a location within the computer software application, tracing a path from a first one of the milestones to an entry point into the computer software application, identifying an input to the entry point that would result in a control flow from the entry point and through each of the milestones, describing the potential vulnerability in a description indicating the entry point and the input, and presenting the description via a computer-controlled output medium.

Citations

8 Claims

1. A system, comprising:
- a white box tester that statically analyzes computer software to identify a plurality of milestones, including a first milestone, associated with a potential vulnerability within the computer software, wherein each of the milestones indicates a location of a method call of a source code statement within the computer software at which a data item can be accessed and modified and wherein the first milestone indicates a first source code location within the computer software at which the data item can be accessed and modified without validation, resulting in the potential vulnerability;
  
  an entry point tracer that identifies one or more entry points into the computer software associated with the potential vulnerability by tracing paths from the source code statement of the first milestone, wherein each entry point provides a method location where an interface of the computer software is exposed to receive input external to the computer software;
  
  an input analyzer that identifies one or more HTTP request parameter inputs to at least a first one of the one or more entry points that results in a control flow from the first entry point to the first milestone; and
  
  a black box simulator that;
  
  automatically identifies, from a consultation of an Extensible Markup Language (XML) configuration file for a web server executing the computer software, a uniform resource locator (URL) of a class representing the computer software having the potential vulnerability based on the first entry point and the one or more identified HTTP request parameter inputs; and
  
  presents a simulated black box test result for the computer software by generating a description of the potential vulnerability indicating the identified URL exposing the potential vulnerability, and one or more of the identified HTTP request parameter inputs that have not been validated.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1 wherein the entry point tracer is configured to construct a call graph of method invocations within the computer software and utilize the call graph to trace the path.
  - 3. The system of claim 1 wherein the input analyzer is configured to analyze each of the milestones to identify any constraints the milestone places on the input in order to allow the control flow to reach first the milestone given the input.
  - 4. The system of claim 1 wherein the computer software is an application.

5. A computer program product, comprising:
- a non-transitory computer-readable storage medium; and
  
  computer-readable program code embodied in the computer-readable storage medium, wherein the computer-readable program code;
  
  statically analyzes computer software to identify a plurality of milestones, including a first milestone, associated with a potential vulnerability within the computer software, wherein each of the milestones indicates a respective location of a method call within a respective source code statement of the computer software which accesses a data variable associated with the potential vulnerability and the first milestone indicates a first source code location of the method call within the computer software which allows the data variable to be accessed and modified without validation, resulting in the potential vulnerability,identifies one or more entry points into the computer software associated with the potential vulnerability by tracing paths from the source code statement associated with the first milestone, wherein each entry point is a location where an interface of the computer software is exposed to receive input to the computer software from a source that is external to the computer software,identifies one or more HTTP request parameter inputs to at least a first one of the one or more entry points that results in a control flow from the first entry point to the first milestone,automatically identifies, from a consultation of an Extensible Markup Language (XML) configuration file for a web server executing the computer software, a uniform resource locator (URL) of a class representing the computer software having the potential vulnerability based on the first entry point and the one or more HTTP request parameter inputs, andpresents a simulated black box test result detailing, for the computer software, a description of the potential vulnerability, the identified URL exposing the potential vulnerability, and one or more of the identified HTTP request parameter inputs that have not been validated.
- View Dependent Claims (6, 7, 8)
- - 6. The computer program product of claim 5, wherein the computer-readable program code is configured to construct a call graph of method invocations within the computer software and utilizing the call graph to trace the path.
  - 7. The computer program product of claim 5, wherein the computer-readable program code is configured to analyze each of the milestones to identify any constraints the milestone places on the input in order to allow the control flow to reach the first milestone given the input.
  - 8. The computer program product of claim 5 wherein the computer software is an application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
HCL Technologies Limited
Original Assignee
International Business Machines Corporation
Inventors
Fink, Stephen, Haviv, Yinnon A., Hay, Roee, Pistoia, Marco, Segal, Ory, Sharabani, Adi, Sridharan, Manu, Tip, Frank, Tripp, Omer, Weisman, Omri
Primary Examiner(s)
Bullock, Jr., Lewis A
Assistant Examiner(s)
Dascomb, Jacob

Application Number

US12/913,314
Publication Number

US 20120110551A1
Time in Patent Office

2,498 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/36   Preventing errors by testin...

G06F 11/3604   Software analysis for verif...

G06F 11/362   Software debugging

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 9/44589   Program code verification, ...

G06F 9/455   Emulation; Interpretation; ...

Simulating black box test results using information from white box testing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Simulating black box test results using information from white box testing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links