37 results about "Dynamic program analysis" patented technology

A virtual machine system decouples dynamic program analysis from program execution. Program analysis is decoupled from program execution through the use of a virtual machine to record program execution and an analysis platform to replay and analyze the program execution. Optimization techniques are applied to prevent the analysis platform from falling too far behind the program execution platform during replay.

In systems and methods of detecting malicious software, a software agent comprising at least one scan module is assembled by a source system and is transferred by the source system to a target system. In response to a connection request from the software agent a connection is established to the software agent and a file is received from the target system. At the source system, a static analysis is performed on the transferred file to generate a static threat score, and a dynamic analysis is performed to generate a dynamic threat score. Based on the static threat score and the dynamic threat score an aggregate threat score is generated for the transferred file.

The invention relates to a system for detecting a software bug triggered during practical running of a computer program in the technical field of computers. The system comprises a binary code dynamic inserting module, a program basic block recognizing module, a function call graph constructing module, a control flow graph constructing module, a function recognizing module and a static analysis module. By combining two technologies of dynamic program analysis and static analysis path complementation, the invention not only can detect the bugs which can be triggered during the practical running of the program but also can reach higher program path coverage rate, carry out bug detects on the path which is not covered in the dynamic analysis process, improve the success rate of bug detection and reduce the false rate of the bugs. Meanwhile, the static analysis path complementation technology only analyzes a path which is not executed in dynamic analysis instead of all program paths, thereby greatly reducing the cost on time and system resources.

An on-device security vulnerability detection method performs dynamic analysis of application programs on a mobile device. In one aspect, an operating system of a mobile device is configured to include instrumentations and an analysis application program package is configured for installation on the mobile device to interact with the instrumentations. When an application program executes on the mobile device, the instrumentations enables recording of information related to execution of the application program. The analysis application interfaces with the instrumented operating system to analyze the behaviors of the application program using the recorded information. The application program is categorized (e.g., as benign or malicious) based on its behaviors, for example by using machine learning models.

Dynamic program analysis is decoupled from execution in virtual computer environments so that program analysis can be performed on a running computer program without affecting or perturbing the workload of the system on which the program is executing. Decoupled dynamic program analysis is enabled by separating execution and analysis into two tasks: (1) recording, where system execution is recorded with minimal interference, and (2) analysis, where the execution is replayed and analyzed. Recording and analysis are carried out on heterogeneous systems so that they can be separately optimized.

Dynamic program analysis is decoupled from execution in virtual computer environments so that program analysis can be performed on a running computer program without affecting or perturbing the workload of the system on which the program is executing. Decoupled dynamic program analysis is enabled by separating execution and analysis into two tasks: (1) recording, where system execution is recorded with minimal interference, and (2) analysis, where the execution is replayed and analyzed.

A system and method for efficient bounded hash table sorting during dynamic whole program profiling of software applications. A computing system comprises a dynamic binary instrumentation (DBI) tool coupled to a virtual machine configured to translate and execute binary code of a software application. The binary code is augmented with instrumentation and analysis code during translation and execution. A dynamic binary analysis (DBA) tool identifies hierarchical layers of cycles within the application that describe the dynamic behavior of the application. Correpsonding characterization information is stored in a hash table. Periodic sorting of entries of the hash table occur for highly accessed entries in deep buckets within the hash table. Repositioning the entries within the hash table may reduce pointer chasing problems and identify program phase changes within the dynamic behavior of the application.

The invention provides an automated evaluation method for binary code coverage of a testing case set for an executable program. The automated evaluation method includes step 1, executing static analysis on the executable program with a binary code expression form, converting the binary code expression form into an assembly instruction expression form through disassembly during static analysis, and performing basic block division on the executable program with the assembly instruction expression form; step 2, utilizing a testing case to execute dynamic analysis on program process, executing instrumentation processing during dynamic analysis to capture executing track, executing filtering operation during instrumentation processing for basic block filtering to remove an external instruction of the executable program; step 3, utilizing a virtual memory address of the executable program to evaluate binary code coverage of the testing case set by matching static analysis result of the step 1 and dynamic analysis result of the step 2.

A program analysis system that analyzes a program while adjusting time elapse velocity in program execution environment sets analysis conditions such as time elapse velocity in the execution environment, program execution start time and execution termination time, adjusts the time elapse velocity and the program execution start time according to the determination of an analysis manager, executes the program till the execution termination time, monitors the execution environment, acquires an action record of the program, analyzes the action record, and clarifies the behavior of the program. Further, the program analysis system resets the analysis conditions based upon a result of analysis, re-analyzes, monitors communication between a sample and an external terminal, and varies the time elapse velocity set by the analysis manager to prevent time-out from occurring in communication.

The invention discloses a visualization method and system for program analysis processes. The method includes a program switch module, a standardized processing module, a meta-level operation module and a graphical display module, wherein the program switch module generates intermediate representation of a computer program; the standardized processing module normalizes and simplifies the intermediate representation of the program; the meta-level operation module provides the intermediate representation with a primary program modification mode; the graphical display module extracts information of data flows and control flows of the program, and displays an abstract syntax tree, a control flow diagram and a program dependence graph in a graphical mode. The visualization method and system for program analysis processes have the advantages of visually showing the whole processes of a program analysis, using a graph to demonstrate the result of the program analysis, and helping students better understand analysis processes and analysis methods of programs.

The invention provides a shaping vulnerability detection method based on dynamic and static analysis. Static and dynamic program analysis technologies are combined. Points to be protected include thefollowing contents that in a static analysis stage, the tool decompiles the binary program and creates a suspicious instruction set; in a dynamic analysis stage, the tool dynamically scans instructions in the suspicious instruction set, and whether the instructions are vulnerabilities or not is judged in combination with input capable of triggering the vulnerabilities. At present, vulnerability mining is either static analysis or dynamic analysis. The vulnerability detection technology can well overcome the defects of existing vulnerability mining, accurate and sufficient type information is provided, and through static analysis based on the decompiler, the number of instructions needing to be detected during dynamic operation is reduced.

The invention discloses a parallel acceleration method for dynamic analysis of a program behavior. The method comprises the following steps of: acquiring an analyzed program, and generating fragments of all threads of the analyzed program on the basis of resource and load states; performing analysis code pile pitching on all the fragments; allocating the fragments subjected to the pile pitching to a specific processor core and performing concurrent execution on the fragments and the analyzed threads; performing reduction processing on execution results of the fragments after the concurrent execution is finished; and acquiring program behavior information on the basis of reduction processing results. Due to the adoption of behavior information of an idle computer resource collection program, the dynamic analysis process of the program is accelerated.

A computer implemented method for maintaining a program's calling context correct even when a monitoring of the program goes out of a scope of a program analysis by validating function call transitions and recovering partial paths before and after the violation of the program's control flow. The method includes detecting a violation of control flow invariants in the software system including validating a source and destination of a function call in the software system, interpreting a pre-violation partial path responsive to a failure of the validating, and interpreting a post violation path after a violation of program flow.

The invention discloses a malicious code behavior feature extraction method. The method comprises the following steps of 1, performing disassembling analysis on a malicious code sample by using a disassembling tool through adopting a static analysis method to obtain a function call graph and a control flow graph; 2, performing optimization processing on the function call graph and the control flowgraph, generating an executable path set, and allocating a dynamic analysis node to each path; 3, through a dynamic analysis tool, performing dynamic analysis by using an automatic single-step debugging method, enabling a program to be executed according to a control flow sequence of executable paths obtained by static analysis, and obtaining an API call correlation of a malicious code; and 4, according to API call correlation analysis, obtaining a behavior feature value of the malicious code. A behavior feature of the code can be represented more accurately, so that the analysis and detection of the malicious code are more accurate.

A hybrid program analysis method includes initiating a static program analysis of an application, generating, by a static program analyzer, a query to a dynamic program analyzer upon determining a code construct of the application requiring dynamic analysis, resolving, by the dynamic program analyzer, the query into a set of arguments with which to invoke the code construct of the application, generating, by the dynamic program analyzer, the set of arguments, invoking, by the dynamic program analyzer, the code construct of the application using set of arguments, answering, by the dynamic program analyzer, the query, and continuing the static program analysis of the application.

An exemplary apparatus and computer program product are disclosed which employ a method that includes performing a first static analysis to locate elements within a program and instrumenting the program to enable a subsequent dynamic analysis based on the located elements. The method includes executing the instrumented program and performing during execution analysis to determine individual sets of statements in the program affected by a corresponding element. The method includes partitioning the sets of statements into partitions based on one or more considerations, each partition including one or more of the elements. The method includes performing a second static analysis on the partitions of the program to produce results and outputting the results. The method may be performed for, e.g., security (e.g., taint) analysis, buffer overflow analysis, and typestate analysis.

The invention discloses a static program analysis system for a target code. The system comprises a decompilation module, an intermediate expression refinement module, a program analysis module and a visual module. The decompilation module adopts a to-be-analyzed target code file as input, performs packaging format removal and decompilation operations on an input file, generates an assembly code, a control flowchart and process boundary and other information and adopts the same as the output of the model; the intermediate expression refinement module generates a corresponding data structure and performs a refinement operation according to the information generated by the decompilation module; the program analysis module generates several expression forms of the to-be-analyzed program according to the information output by the decompilation module and the intermediate expression refinement module; and the visual module is applied to visible display of various patterns and other information in an analysis process. The system analyzes the program behaviors according to actually executed binary codes and has higher fidelity compared with an analysis tool for source codes.

The invention discloses a program analysis and variation input-based cross-site script attack detection method. The method comprises the steps of firstly, analyzing a crawled webpage by using htmlparser2 to obtain a DOM structure of the webpage; secondly, finding all possible input points in a website by traversing the DOM structure, and recording IDs of the input points; thirdly, generating possible user inputs in combination with a variation operator; and finally, automatically running a test script by using a tool Selenium, and mining possibly existent XSS vulnerabilities in the website.