Invention Grant
US09384354B2 Rule matching in the presence of languages with no types or as an adjunct to current analyses for security vulnerability analysis
Status: in force (granted)
Rule matching in the absence of typed languages, or as an adjunct to current security vulnerability analyses
- Patent Title: Rule matching in the presence of languages with no types or as an adjunct to current analyses for security vulnerability analysis
- Patent Title (Chinese, translated): Rule matching in the absence of typed languages, or as an adjunct to current security vulnerability analyses
- Application No.: US13771917
- Application Date: 2013-02-20
- Publication No.: US09384354B2
- Publication Date: 2016-07-05
- Inventor: Salvatore Angelo Guarnieri , Marco Pistoia , Stephen Darwin Teilhet , Omer Tripp
- Applicant: International Business Machines Corporation
- Applicant Address: US NY Armonk
- Assignee: International Business Machines Corporation
- Current Assignee: International Business Machines Corporation
- Current Assignee Address: US NY Armonk
- Agency: Harrington & Smith
- Main IPC: G06F21/00
- IPC: G06F21/00 ; G06F21/57 ; G06F11/36

Abstract:
A method includes a computing system reading a rule file that includes one or more rules having specified paths to methods, such that each method corresponds to one of a sink, source, or sanitizer. The method includes the computing system matching the methods to corresponding ones of sinks, sources, or sanitizers determined through a static analysis of an application. The static analysis determines at least flows from sources of information to sinks that use the information. The method includes the computing system, using the sinks, sources, and sanitizers found by the matching, performing a taint analysis to determine at least tainted flows from sources to sinks, the tainted flows being flows that pass information to sinks without the information being endorsed by a sanitizer. Apparatus and program products are also shown.
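The abstract describes three steps: read a rule file naming method paths as sources, sinks or sanitizers; match those paths against the call sites a static analysis found (in a language without declared types there is no receiver class to match on, only the textual path); then run a taint analysis that reports source-to-sink flows not passing through a sanitizer. The following Python is an added illustration of that pipeline, not code from the patent or from IBM. The JSON rule layout, the whole-segment suffix matching, the call-site table and the data-flow edges are all constructed assumptions standing in for a real static analysis.

```python
import json
from collections import deque

# Constructed rule file. The patent describes rules naming method paths as
# source, sink or sanitizer; this JSON layout is an assumption for the example.
RULE_FILE = json.dumps({"rules": [
    {"kind": "source", "path": "location.search"},
    {"kind": "source", "path": "location.hash"},
    {"kind": "sink", "path": "document.write"},
    {"kind": "sink", "path": "eval"},
    {"kind": "sanitizer", "path": "escapeHtml"},
]})

# Constructed output of a hypothetical static analysis over an untyped,
# JavaScript-like program: each call site carries only the textual callee
# path (no receiver type), and FLOWS lists data-flow edges between sites.
CALL_SITES = {
    "s1": "window.location.search",
    "s2": "escapeHtml",
    "s3": "document.write",
    "s4": "window.location.hash",
    "s5": "eval",
    "s6": "window.document.write",
    "s7": "console.log",
}
FLOWS = [("s1", "s2"), ("s2", "s3"), ("s4", "s5"), ("s4", "s7"), ("s7", "s6")]


def load_rules(text):
    """Parse the rule file into (kind, path) tuples."""
    return [(r["kind"], r["path"]) for r in json.loads(text)["rules"]]


def path_matches(rule_path, call_path):
    """Without types, match on the textual path: exact equality or a
    whole-segment suffix, so 'document.write' matches
    'window.document.write' but not 'mydocument.write'."""
    return call_path == rule_path or call_path.endswith("." + rule_path)


def match_rules(rules, call_sites):
    """Label each call site as source, sink or sanitizer where a rule matches;
    unmatched sites are plain pass-through nodes."""
    labels = {}
    for site, call_path in call_sites.items():
        for kind, rule_path in rules:
            if path_matches(rule_path, call_path):
                labels[site] = kind
                break
    return labels


def find_tainted_flows(labels, flows):
    """Breadth-first search from every source. Reaching a sanitizer endorses
    the information and stops propagation; reaching a sink without one is a
    tainted flow, reported as a (source, sink) pair."""
    succ = {}
    for a, b in flows:
        succ.setdefault(a, []).append(b)
    tainted = []
    for src in sorted(s for s, k in labels.items() if k == "source"):
        seen, queue = {src}, deque([src])
        while queue:
            node = queue.popleft()
            for nxt in succ.get(node, []):
                if nxt in seen:
                    continue
                seen.add(nxt)
                kind = labels.get(nxt)
                if kind == "sanitizer":
                    continue  # endorsed: do not propagate taint further
                if kind == "sink":
                    tainted.append((src, nxt))
                queue.append(nxt)  # pass-through or sink: keep following
    return sorted(tainted)


if __name__ == "__main__":
    labels = match_rules(load_rules(RULE_FILE), CALL_SITES)
    for src, sink in find_tainted_flows(labels, FLOWS):
        print(f"tainted flow: {CALL_SITES[src]} -> {CALL_SITES[sink]}")
```

On the constructed input, the flow from `window.location.search` through `escapeHtml` to `document.write` is endorsed and not reported, while `window.location.hash` reaches both `eval` and `window.document.write` with no sanitizer in between and is reported twice. Suffix matching is what lets a rule written as `document.write` hit the call through `window.`; in a typed language the same rule could be pinned to a declaring class instead, which is the "adjunct" case the title refers to.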