Patent · US Active

Detecting and localizing security vulnerabilities in client-server application

US8516449B2 · kind B2 · utility

11 Cited by
25 References
25 Claims
0 Family size

Assignee

Inventors

Key dates

Filing date: Oct 12, 2010
Grant date: Aug 20, 2013
Priority date
Expiry date: Feb 11, 2032

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F11/3604
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

The present invention provides a system, computer program product, and a computer-implemented method for analyzing a set of two or more communicating applications. The method includes executing a first application, such as a client application, and executing a second application, such as a server application. The applications communicate with each other. A correlation is recorded between the applications and an execution characteristic exhibited on execution. An oracle is used to determine an analysis of the first application that has been executed. The execution of the first application causes a change of state in the second application and/or a change of control flow in the second application. Code fragments in the first application and/or the second application are prioritized based on an evaluation produced by the oracle, and based on the correlation between the code fragments that have been executed and the execution characteristic exhibited by the code fragments.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.