Systems and methods for detecting software security vulnerabilities

US 7,392,545 B1
Filed: 01/15/2003
Issued: 06/24/2008
Est. Priority Date: 01/18/2002
Status: Active Grant

First Claim

Patent Images

1. A method of detecting buffer vulnerabilities in software, comprising:

receiving a software artifact for analysis;

receiving a set of buffer vulnerabilities that may exist in the software artifact, wherein a buffer vulnerability is defined as a software feature capable of facilitating attacks against a user of the software;

at least one of creating and receiving a system dependency graph, the system dependency graph being a representation of (i) possible sequences of instructions that may be encountered if the software artifact were executed, and (ii) possible ways in which variables in the software artifact could have their values defined and used if the software artifact were executed;

defining constraints for a plurality of program statements of which the software artifact is a component, wherein each of the constraints comprises one or more mathematical assertions describing how a given statement, function or procedure affects the software artifact if the software artifact were executed;

for each potential buffer vulnerability, tracing through the system dependency graph by visiting statements in the plurality of program statements in a predetermined order determined by the system dependency graph, starting at a location of the potential buffer vulnerability, and collecting the constraints associated with each statement, function or procedure of the software artifact so visited determining a maximum value length that has been assigned to a buffer corresponding to a potential buffer vulnerability and comparing the determined maximum value length to an amount of memory that has been allocated to the buffer to detect a buffer vulnerability; and

displaying a list of buffer vulnerabilities that are not marked as being safe,wherein at least some of the constraints are linking constraints that link values of one variable between two consecutive program statements.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention relate to systems and methods for static analysis of a software application. According to an embodiment, a system includes a program scanner coupled to an analysis engine. The program scanner is configured to identify one or more vulnerability patterns in a software program and to output an initial potential vulnerability list. The analysis engine is configured to apply one or more rules to a potential vulnerability to determine whether the potential vulnerability is a vulnerability.

79 Citations

View as Search Results

10 Claims

1. A method of detecting buffer vulnerabilities in software, comprising:
- receiving a software artifact for analysis;
  
  receiving a set of buffer vulnerabilities that may exist in the software artifact, wherein a buffer vulnerability is defined as a software feature capable of facilitating attacks against a user of the software;
  
  at least one of creating and receiving a system dependency graph, the system dependency graph being a representation of (i) possible sequences of instructions that may be encountered if the software artifact were executed, and (ii) possible ways in which variables in the software artifact could have their values defined and used if the software artifact were executed;
  
  defining constraints for a plurality of program statements of which the software artifact is a component, wherein each of the constraints comprises one or more mathematical assertions describing how a given statement, function or procedure affects the software artifact if the software artifact were executed;
  
  for each potential buffer vulnerability, tracing through the system dependency graph by visiting statements in the plurality of program statements in a predetermined order determined by the system dependency graph, starting at a location of the potential buffer vulnerability, and collecting the constraints associated with each statement, function or procedure of the software artifact so visited determining a maximum value length that has been assigned to a buffer corresponding to a potential buffer vulnerability and comparing the determined maximum value length to an amount of memory that has been allocated to the buffer to detect a buffer vulnerability; and
  
  displaying a list of buffer vulnerabilities that are not marked as being safe,wherein at least some of the constraints are linking constraints that link values of one variable between two consecutive program statements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising generating sets of summary constrains for predetermined statement-sequences, functions or procedures of the software being analyzed, wherein a summary constraint describes where in a given statement, function, or procedure a particular variable is first used and where in the given statement, function or procedure the variable is last defined, wherein a use of a variable is defined as a program statement whose outcome may be affected by the variable'"'"'s value if the program statement were executed, and wherein a defined variable is defined as a program statement where the variable'"'"'s value might be modified if the software were executed.
  - 3. The method of claim 2, wherein the constraints are flow-insensitive in that software variables mentioned by the constraints do not include information about where the variable appears in the software artifact source code.
  - 4. The method of claim 3, wherein the software artifact being analyzed is in the form of source code.
  - 5. The method of claim 2, wherein the constraints are not flow insensitive, in that at least some software variables mentioned do include information about where the variable appears in the software artifact source code.
  - 6. The method of claim 5, wherein the software artifact being analyzed is in the form of source code.
  - 7. The method of claim 2, wherein the software artifact being analyzed is in the form of source code.
  - 8. The method of claim 1, wherein the constraints are not flow-insensitive due to the addition of linking constraints, where a linking constraint is a constraint that connects the location where a variable'"'"'s value is used to the location where the variable is defined.
  - 9. The method of claim 1, wherein the generation of constraints is repeated twice, first using flow-insensitive constraints to rule out a first number of potential buffer vulnerabilities, and then using flow-sensitive constraints to rule out a second number of vulnerabilities, where ruling out a vulnerability comprises determining, based on information in the constraints, that a feature of the software artifact cannot be used in a malicious manner.
  - 10. The method of claim 1, wherein the software artifact being analyzed is in the form of source code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Software Integrity Group Incorporated
Original Assignee
Cigital, Incorporated (Synopsys Incorporated)
Inventors
Weber, Michael D., Shah, Viren R., Ren, Chuangang
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Shiferaw; Eleni A

Application Number

US10/342,310
Time in Patent Office

1,987 Days
Field of Search

726/22, 726/25, 726/23, 726/24, 713/188, 713/189, 713/190, 705/51, 717/174
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

Systems and methods for detecting software security vulnerabilities

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting software security vulnerabilities

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links