Policy-driven detection and verification of methods such as sanitizers and validators
US8572747B2 · kind B2 · utility
Key dates
| Event | Date |
| --- | --- |
| Filing date | Nov 19, 2010 |
| Grant date | Oct 29, 2013 |
| Priority date | — |
| Expiry date | Sep 16, 2031 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06F21/577
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
A method includes performing a static analysis on a program having sources and sinks to track string flow from the sources to the sinks. For string variables in the program that begin at sources, the static analysis computes the grammar of all possible string values each variable may hold; for methods in the program operating on any of those string variables, it computes the grammar of the string values the methods return. When one of the string variables reaches a sink that performs a security-sensitive operation, the static analysis compares the current grammar of that variable with a policy corresponding to the security-sensitive operation, and performs a reporting operation based on the comparison. Apparatus and computer program products are also disclosed.
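The following is an added worked example of the analysis the abstract describes; it is not code from the patent or its assignee. It simplifies the "grammar of all possible string values" to the set of characters a value may contain, which is a sound over-approximation for sink policies that forbid particular characters (HTML metacharacters, SQL quote and statement separators). The statement forms of the tiny intermediate representation, the method names (`html_escape`, `keep_digits`, `upper`, `trim`), the validator names, the sink names and their policies, and the three sample programs are all constructed for the example. Two things the abstract does not spell out are shown explicitly: how a validator narrows the grammar on the branch where its check passed, and how a method is verified as a sanitizer for a given sink by running its transfer function on the unconstrained source grammar.

```python
"""Toy policy-driven string analysis (added example, not the patent's code).
Grammars are abstracted to character sets; IR, methods, sinks and policies
are assumed for illustration."""
import string

# Assumed: printable ASCII stands in for an unconstrained (source) string.
ALPHABET = frozenset(string.printable)


class Grammar:
    """Over-approximation of every string a variable may hold: its character set."""

    def __init__(self, chars):
        self.chars = frozenset(chars)

    def __repr__(self):
        return f"Grammar({''.join(sorted(self.chars))!r})"


ANY = Grammar(ALPHABET)  # grammar of a value that begins at a source

# Transfer functions (assumed): the grammar a method returns given its argument's grammar.
SANITIZERS = {
    "html_escape": lambda g: Grammar(g.chars - set('<>&"\'')),
    "keep_digits": lambda g: Grammar(g.chars & set(string.digits)),
    "upper": lambda g: Grammar(c.upper() for c in g.chars),
    "trim": lambda g: g,  # trimming whitespace removes no character class
}
# Validators (assumed) narrow the grammar on the branch where the check passed.
VALIDATORS = {
    "isdigit": frozenset(string.digits),
    "isalnum": frozenset(string.ascii_letters + string.digits),
}
# Policies (assumed): characters that must not be producible at each sink.
POLICIES = {
    "html_sink": frozenset('<>&"\''),
    "sql_sink": frozenset("';"),
}


def violations(g, sink):
    """Characters the grammar can produce that the sink's policy forbids."""
    return "".join(sorted(g.chars & POLICIES[sink]))


def analyze(program):
    """Track grammars from sources to sinks over a straight-line IR (assumed):
      ("source", var)               var comes from untrusted input
      ("lit", var, text)            var is a string literal
      ("call", var, method, arg)    var = method(arg), method in SANITIZERS
      ("validate", var, check, arg) var = arg on the branch where check(arg) held
      ("concat", var, a, b)         var = a + b
      ("sink", sink, var)           var reaches a security-sensitive operation
    Returns (sink, var, forbidden_chars) findings, i.e. the reporting step."""
    env, findings = {}, []
    for stmt in program:
        op = stmt[0]
        if op == "source":
            env[stmt[1]] = ANY
        elif op == "lit":
            env[stmt[1]] = Grammar(stmt[2])
        elif op == "call":
            _, dst, method, arg = stmt
            env[dst] = SANITIZERS[method](env[arg])
        elif op == "validate":
            _, dst, check, arg = stmt
            env[dst] = Grammar(env[arg].chars & VALIDATORS[check])
        elif op == "concat":
            _, dst, a, b = stmt
            env[dst] = Grammar(env[a].chars | env[b].chars)
        elif op == "sink":
            _, sink, var = stmt
            bad = violations(env[var], sink)
            if bad:
                findings.append((sink, var, bad))
    return findings


def verified_sanitizers(sink):
    """Methods whose output satisfies the sink's policy for ANY input."""
    return sorted(m for m, t in SANITIZERS.items() if not violations(t(ANY), sink))


# Constructed sample programs.
UNSANITIZED = [("source", "name"), ("lit", "greet", "Hello, "),
               ("concat", "page", "greet", "name"), ("sink", "html_sink", "page")]
SANITIZED = [("source", "name"), ("call", "clean", "html_escape", "name"),
             ("lit", "greet", "Hello, "), ("concat", "page", "greet", "clean"),
             ("sink", "html_sink", "page"),
             ("sink", "sql_sink", "clean")]  # html_escape does not strip ';'
VALIDATED = [("source", "id"), ("validate", "num", "isdigit", "id"),
             ("lit", "q", "SELECT * FROM t WHERE id = "),
             ("concat", "query", "q", "num"), ("sink", "sql_sink", "query")]

if __name__ == "__main__":
    for name, prog in [("UNSANITIZED", UNSANITIZED), ("SANITIZED", SANITIZED),
                       ("VALIDATED", VALIDATED)]:
        print(name, analyze(prog))
    print("html sanitizers:", verified_sanitizers("html_sink"))
    print("sql sanitizers:", verified_sanitizers("sql_sink"))
```

Running the module reports the unsanitized page (the source's full character set, including `<`, `>`, `&` and quotes, reaches the HTML sink), flags `html_escape` output reaching the SQL sink because `;` survives escaping, and accepts the validated query because `isdigit` has narrowed the grammar to digits. `verified_sanitizers` performs the method-level check the title refers to: a method counts as a sanitizer for a sink only if its output grammar satisfies that sink's policy for unconstrained input, so `html_escape` is verified for the HTML sink but not for the SQL sink. A character-set abstraction cannot express ordering or context (for example that a quote is only dangerous outside an already-quoted literal), which is why the patent works with full grammars; the control flow of the analysis is the same.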
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.