Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Mitigating security risks via code movement

a security risk and code movement technology, applied in the field of application code analysis, can solve the problems of web applications, web services, and web applications continuously exposed to security threats, and are too complex to reason about statically, and are vulnerable to a sophisticated remote code execution attack

Inactive Publication Date: 2014-07-24
IBM CORP
View PDF2 Cites 3 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Benefits of technology

The patent describes a method and apparatus for analyzing the code of an application to determine the flows of information from sources to sinks that use that information. This analysis is performed using a static analysis of the code and identifies security-sensitive operations, which are then further analyzed to determine the scope of each operation. The method also includes determining which parts of the code should be moved to a separate section of code to improve security. The technical effects of this patent include improved security analysis and vulnerability reduction in applications, as well as improved efficiency and ease of use for security-sensitive operation analysis.

Problems solved by technology

Web applications, as well as web services, are continuously exposed to security threats.
These include (i) injection attacks, where a malicious user injects malicious code into the application through web parameters, database hijacking, and the like, (ii) information leakage, where the application leaks confidential data, and (iii) denial-of-service and other attacks.
However, a wide range of security threats typically lie outside the scope of static security analysis, being too complex to reason about statically.
In rare situations, usually due to application errors, session data intended for one client might be seen by another client.
As another example, IIS (a web server application and set of feature extension modules) was also found to be vulnerable to a sophisticated remote-code-execution attack that is hard to uncover using static analysis.
The growing need to protect web applications against threats like the above, which lie outside the scope of existing static security-scanning solutions—where the focus is on unchecked data flows from “sources” (statements reading (untrusted) user-provided input) to “sinks” (security-sensitive operations)—has not yet been addressed by commercial security tools.

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Mitigating security risks via code movement
  • Mitigating security risks via code movement
  • Mitigating security risks via code movement

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0025]As stated above, there is a growing need to protect web applications against threats that lie outside the scope of existing static security-scanning solutions. Exemplary embodiments herein take steps toward enhancing security analysis tools, such that the enhanced tools mitigate security threats that lie beyond insecure data-flow vulnerabilities. An exemplary technique is (i) to identify security-sensitive areas within an application, and (ii) to reduce the computations performed within these areas, so as to minimize the exposure of the application to security threats. The exemplary embodiments move code from the security-sensitive areas within the computations to areas outside the security-sensitive areas. Examples of JAVA (a programming language and computing platform first released by Sun Microsystems in 1995) code and movement are provided below after an overview of an exemplary computing system suitable for use with the exemplary embodiments.

[0026]Referring to FIG. 1, thi...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

A method includes performing on a computing system a source-to-sink reachability analysis of code of an application. The reachability analysis is performed using a static analysis of the code and determines flows from sources of information to sinks that use the information. The method includes determining scopes for corresponding security sensitive operations using the determined flows, each of the security sensitive operations corresponding to statements in the code and one or more flows. A scope for a security sensitive operation includes a block of statements in the code that correspond to a set of one or more flows ending at a sink. The method includes, for each of one or more selected scopes, moving statements in a corresponding block of statements that are independent of a security sensitive operation in the block to code before or after the block. Apparatus and program products are also disclosed.

Description

BACKGROUND[0001]This invention relates generally to analysis of application code and, more specifically, relates to mitigating security risks via code movement.[0002]This section is intended to provide a background or context to the invention disclosed below. The description herein may include concepts that could be pursued, but are not necessarily ones that have been previously conceived, implemented or described. Therefore, unless otherwise explicitly indicated herein, what is described in this section is not prior art to the description in this application and is not admitted to be prior art by inclusion in this section. Acronyms that appear in the text or drawings are defined below, prior to the claims.[0003]Web applications, as well as web services, are continuously exposed to security threats. These include (i) injection attacks, where a malicious user injects malicious code into the application through web parameters, database hijacking, and the like, (ii) information leakage...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(United States)
IPC IPC(8): G06F21/57
CPCG06F21/577G06F8/72G06F21/52
Inventor GUARNIERI, SALVATORE A.PISTOIA, MARCOTRIPP, OMER
Owner IBM CORP
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com