Computer system vulnerability analysis apparatus and method

US 9,858,139 B1
Filed: 09/06/2016
Issued: 01/02/2018
Est. Priority Date: 06/06/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method of determining vulnerability of a computing system, the method comprising:

identifying a component, the component being included in the computing system, the component characterized by first addresses, controlling at least one of control and configuration of the component;

selecting second addresses, the second addresses being a subset of the first addresses; and

sequentially, for each address of the second addresses, performing the following stepsselecting, the each address as a target address;

accessing the target address;

determining that the accessing the target address causes a system failure; and

documenting consequences of the accessing of the target address.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods to evaluate computing systems'"'"' vulnerability implement a series of steps wherein a system may be selected, and a specific component identified. Obtaining component information may include methods for accessing its configuration address space. Creation of a list of control or configuration addresses is followed by filtering to identify documented, reserved addresses, documented reserved test addresses, and undocumented addresses. A filtered subset is tested by accessing each address contained in the subset, and verifying continuity of operation of the tested component, then accesses by reading, writing, or both to subset addresses to classify as benign to component and system. Failure may constitute data damage, component damage, system damage, component failure, or system failure.

9 Citations

View as Search Results

20 Claims

1. A computerized method of determining vulnerability of a computing system, the method comprising:
- identifying a component, the component being included in the computing system, the component characterized by first addresses, controlling at least one of control and configuration of the component;
  
  selecting second addresses, the second addresses being a subset of the first addresses; and
  
  sequentially, for each address of the second addresses, performing the following stepsselecting, the each address as a target address;
  
  accessing the target address;
  
  determining that the accessing the target address causes a system failure; and
  
  documenting consequences of the accessing of the target address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1,wherein:
3. The method of claim 1, wherein:
- the documenting consequences further comprises identifying the consequences as including the system failure;
  
  associating the system failure with the target address; and
  
  removing the access to the target address.
4. The method of claim 1, wherein at least one of the conditions exists, selected from:
- the address corresponds to one of a register address, a memory address, and an input/output address; and
  
  the component is one of a physical component, a virtual component, a simulated component, and an emulated component.
5. The method of claim 1, wherein access is selected from:
- reading from the target address;
  
  writing to the target address;
  
  writing to, followed by reading from, the target address;
  
  reading from, followed by writing to, the target address; and
  
  both reading from and writing to the target address, with each of the reading and writing performed at least once.
6. The method of claim 1, further comprising programming into a processor, the processor being a hardware processor:
- an address population module to define the first addresses;
  
  an address selection module to select the second addresses; and
  
  an access module to access the target address.
7. The method of claim 6, further comprising programming into the processor a verification module to test the operability of at least one of the computing system and the component.
8. The method of claim 6, further comprising at least one of:
- selecting the target address from a first group consisting of a register address, a memory address, and an input/output address;
  
  selecting the component from a second group consisting of a physical component, a virtual component, a simulated component, and an emulated component.
9. The method of claim 8, wherein the access is selected fromreading from the target address;
- writing to the target address;
  
  writing to, followed by reading from, the target address;
  
  reading from, followed by writing to, the target address; and
  
  both reading from and writing to the target address, with each of the reading and writing performed at least once.

10. An article comprising a computer readable, non-transitory medium storing data structures comprising executables operable on a hardware processor and operational data processable by the executables, the data structures comprising:
- an address selection module effective to select addresses from a configuration address space of a component in a computing system, the addresses corresponding to at least one of internal memory, internal registers, and input/output ports of the component, based on each address of said addresses being at least one of a reserved address, a reserved test address, and an undocumented address;
  
  an access module effective to access addresses in the configuration address space via component access methods specific to the component by executing at least one of a read command or a write command to each address of at least a portion of the configuration address space;
  
  a control module effective to programmatically identify the component, direct the access module in address accesses, and document whether at least one of the component and the computing system has caused a system failure in response to the access.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The article of claim 10, wherein the executables further comprise:
    - a component specification module obtaining at least one of a specification and a datasheet defining operation of the component;
      
      an address populating module populating first addresses including all addresses in the configuration address space; and
      
      a filtering module filtering the first addresses.
  - 12. The article of claim 10, wherein the data structures further comprise:
    - a resident set of modules including the control module and the access module;
      
      second addresses stored in the resident set; and
      
      the component access methods.
  - 13. The article of claim 12, wherein the data structures within the resident set further comprise an access module containing:
    - an access methods module containing the access methods;
      
      a read module effective to read from the second addresses; and
      
      a write module effective to write to the second addresses.
  - 14. The article of claim 13, wherein the data structures further comprise outside the resident set at least one of:
    - an address processing module containing the address populating module and the address selection module;
      
      a methods module effective to extract the component access methods corresponding to the component and provide them to the resident set;
      
      a programming interface module effective to implement the resident set.
  - 15. The article of claim 14, wherein the resident set further comprises a verification module effective to verify whether at least one of the component, the computing system, and both of the component and the computing system has caused a system failure in response to the access module accessing the second addresses and do at least one of remove access to the second addresses and classify the target address in accordance therewith.
  - 16. The article of claim 15, further comprising a hardware processor external to the component and operably connected to the computer readable, non-transitory medium and effective to load and execute the resident set.

17. A system comprising:
- a processor operably connected in a computing system, the processor being a hardware processor;
  
  a configuration address space corresponding to a component in the computing system, the component including at least one computer chip physically mounted within the computer system, the configuration address space referencing at least one of internal registers within the component, internal memory within the component, and ports of the component;
  
  a computer-readable, non-transitory medium operably connected to the processor;
  
  a set of modules effective to be executed by the processor to access the configuration address space;
  
  the set further comprising component access methods unique to the component and effective for accessing, by the processor, second addresses selected from at least one of reserved addresses, reserved test addresses, and undocumented addresses in the configuration address space;
  
  the processor, further programmed to determine that at least one of the component and the computing system has caused a system failure in consequence of accessing the second addresses; and
  
  the processor, further programmed to document the second addresses that caused the system failure.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the processor is programmed to classify consequences resulting from the accessing and correspond the consequences to the second addresses, and the accessing further comprises:
    - reading from the configuration address space;
      
      writing to the configuration address space;
      
      writing to, followed by reading from, the configuration address space;
      
      reading from, followed by writing to, the configuration address space; and
      
      both reading from and writing to the configuration address space, with each of the reading and writing performed at least once.
  - 19. The system of claim 18, wherein at least one of the structural connections exists that:
    - the processor is external to the component;
      
      the processor is embedded in the component; and
      
      the component is selected froma Super I/O,a bridge, anda device connected to the processor through at least one bridge.
  - 20. The system of claim 17, further comprising:
    - a north bridge operably connected to the processor;
      
      a south bridge operably connected to the north bridge;
      
      a Super I/O operably connected to the south bridge;
      
      individual devices operably connected to at least one of the north bridge, the south bridge, and the Super I/O; and
      
      the component being selected from the north bridge, the south bridge, the Super I/O, and the individual devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Phillip M. Adams
Original Assignee
Phillip M. Adams
Inventors
Adams, Phillip M.
Primary Examiner(s)
LEE, JASON T

Application Number

US15/256,902
Time in Patent Office

483 Days
Field of Search

726 25
US Class Current
CPC Class Codes

G06F 11/0706   the processing taking place...

G06F 11/0751   Error or fault detection no...

G06F 11/079   Root cause analysis, i.e. e...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

Computer system vulnerability analysis apparatus and method

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computer system vulnerability analysis apparatus and method

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links