Invention Grant
US08627465B2 Automatic inference of whitelist-based validation as part of static analysis for security
Expired
- Patent Title: Automatic inference of whitelist-based validation as part of static analysis for security
- Application No.: US13088711
- Application Date: 2011-04-18
- Publication No.: US08627465B2
- Publication Date: 2014-01-07
- Inventor: Lotem Guy, Marco Pistoia, Takaaki Tateishi, Omer Tripp
- Applicant: Lotem Guy, Marco Pistoia, Takaaki Tateishi, Omer Tripp
- Applicant Address: US NY Armonk
- Assignee: International Business Machines Corporation
- Current Assignee: International Business Machines Corporation
- Current Assignee Address: US NY Armonk
- Agency: Harrington & Smith
- Agent: Louis J. Percello
- Main IPC: G06F21/00
- IPC: G06F21/00

Abstract:
A method includes performing taint analysis of a computer program and determining an original set of paths from sources to sinks. Each path corresponds to a vulnerability. The method includes determining for each variable whose type is a collection and is accessed in one of the paths in the original set of paths whether the variable points to a concrete value whose internal state is not tainted according to the taint analysis. The method further includes, for each of the variables whose type is a collection found not to be tainted according to the taint analysis, determining all points in the computer program where a membership check against the collection is performed. The method also includes, for each of the points, determining corresponding paths and removing those paths from the original set of paths to create a reduced set of paths. Apparatus and computer readable program products are also disclosed.
Public/Granted literature
- US20120266247A1 Automatic Inference Of Whitelist-Based Validation As Part Of Static Analysis For Security (Public/Granted day: 2012-10-18)