Detection of security vulnerabilities in computer programs
US7849509B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Oct 7, 2005 |
| Grant date | Dec 7, 2010 |
| Priority date | — |
| Expiry date | Aug 10, 2028 |
Classification
- Technology area (CPC G)Physics
- CPC primaryG06F21/577
- WIPO fieldComputer technology
- WIPO sectorElectrical engineering
Abstract
Methods and systems for analyzing a computer program use static and interprocedural analysis techniques and engines. A data processing operation, such as a function, is automatically identified within the computer program. It is determined whether the function represents a potential source for entry of untrusted data into the computer program. A course of the untrusted data is modeled through the identified function to produce a validation result, such as a call stack. Based on an attribute of the untrusted data (for example, whether the untrusted data is an unbounded integer or a string), it is determined whether the validation result identifies a security vulnerability of the computer program. A security vulnerability may exist, for example, when the modeled course of an unbounded integer through the function produces a buffer overrun in a call stack. The validation result is provided, via an API, software development tool, or user interface, for example.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.