Assessment and analysis of software security flaws in virtual machines
IPC classification information
Country / type: United States (US) Patent, registered
International Patent Classification (IPC 7th edition): H04L-029/06
Application number: US-0154576 (2011-06-07)
Registration number: US-8613080 (2013-12-17)
Inventors / address: Wysopal, Christopher J.; Moynahan, Matthew P.; Stevenson, Jon R.
Applicant / address: Veracode, Inc.
Agent / address: Goodwin Procter LLP
Citation information
Cited by: 28
Cited patents: 99
Abstract
Security analysis and vulnerability testing results are "packaged" or "bound to" the actual software they describe. By linking the results to the software itself, downstream users of the software can access information about the software, make informed decisions about implementation of the software, and analyze the security risk across an entire system by accessing all (or most) of the reports associated with the executables running on the system and summarizing the risks identified in the reports.
Representative claims
1. A computer-implemented method of identifying vulnerabilities of a collection of software programs compiled into a virtual machine image, the method comprising the steps of: receiving an image file representing a computer system as a virtual machine, wherein the image file comprises at least one of operating system information, an application, an application server, application data, and configuration information; loading the image file into a computer memory; executing the loaded image file to implement the virtual machine on a processor; and analyzing the executing image file to obtain a listing of potential vulnerabilities, the analysis comprising: extracting files of the virtual machine from the image file; identifying at least one installed application within the virtual machine; identifying and separating one or more files related to the installed application; building a control flow model of at least one of the separated files; building a data flow model of at least one of the separated files; detecting one or more potential vulnerabilities of each separated file by scanning one or more of the models and using a vulnerability database; and combining the detected potential vulnerabilities with the listing of potential vulnerabilities.
2. The method of claim 1, wherein the analyzing step further comprises inspecting an operating system configuration to detect one or more potential vulnerabilities.
3. The method of claim 1, wherein the analyzing step further comprises inspecting registry files to detect one or more potential vulnerabilities.
4. The method of claim 1, wherein the analyzing step further comprises determining if a plurality of applications are included in the virtual machine, and if so, analyzing interactions among the plurality of installed applications comprising the steps of: building an interaction control flow model among the plurality of installed applications; building an interaction data flow model among the plurality of installed applications; and detecting one or more potential vulnerabilities by scanning each interaction model.
5. The method of claim 1, wherein the analyzing step comprises scanning the executing image file using one or more of a network vulnerability scanner and a host vulnerability scanner.
6. The method of claim 1, further comprising the steps of: detecting an executing application within the virtual machine; detecting potential vulnerabilities of the executing application using a scanner; and combining the detected potential vulnerabilities with the listing of potential vulnerabilities.
7. The method of claim 6, wherein the detecting the potential vulnerabilities of the executing application comprises: connecting to the executing application within the virtual machine; providing at least one test input to the executing application; and inspecting a response from the executing application to the at least one test input to detect one or more potential vulnerabilities.
8. The method of claim 7, further comprising providing login credentials of the executing application.
9. The method of claim 7, further comprising providing predetermined user interface navigation information associated with the executing application to the scanner for use in detecting the potential vulnerabilities of the executing application.
10. The method of claim 7, further comprising providing sample user input data associated with the executing application to the scanner for use in detecting the potential vulnerabilities of the executing application.
11. The method of claim 6, further comprising performing fuzz testing on the executing application comprising the steps of: sending test data to the executing application through a network port; and inspecting a response of the executing application to the test data to detect one or more potential vulnerabilities.
12. The method of claim 11, further comprising re-executing the loaded image file if the executing application does not respond to the test data.
13. The method of claim 1, further comprising: creating a security report from the listing of potential vulnerabilities; computing a security score from the security report; and comparing the security score with at least one security score associated with an implementation of the computer system.
14. The method of claim 13, further comprising the steps of: receiving a validation policy; comparing the security report with the validation policy to derive a set of security data; and associating the security data with the image file.
15. The method of claim 14, wherein the associating step comprises creating a unique hash of the image file.
16. The method of claim 14, wherein the associating step comprises creating a signature.
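The following is an added illustration (not code from the patent or from Veracode) of the binding step in claims 13 to 16: a security score is computed from a findings report, compared against a validation policy, and the resulting security data is tied to the image by a SHA-256 hash and a signature, so a downstream consumer can confirm that the report belongs to the exact image it received. The scoring rule, the policy fields, the sample findings and the use of a shared HMAC key in place of an asymmetric signature are all assumptions of this example.

```python
import hashlib
import hmac
import json

# Constructed sample inputs (not from the patent): a stand-in "image" and a
# report listing potential vulnerabilities found in it.
SAMPLE_IMAGE = b"constructed-vm-image-bytes-v1"
SAMPLE_REPORT = [
    {"file": "app/login.so", "cwe": "CWE-89", "severity": 5},
    {"file": "app/upload.so", "cwe": "CWE-22", "severity": 3},
    {"file": "app/ui.so", "cwe": "CWE-79", "severity": 2},
]
# Assumed validation policy: at most one high-severity finding, score >= 60.
SAMPLE_POLICY = {"max_high": 1, "min_score": 60}
SIGNING_KEY = b"constructed-demo-key"  # assumption: shared key for HMAC signing


def security_score(report):
    """Assumed scoring rule: start at 100, subtract 5 points per severity unit."""
    return max(0, 100 - 5 * sum(f["severity"] for f in report))


def validate(report, policy):
    """Compare the report with the policy and derive the security data set."""
    high = sum(1 for f in report if f["severity"] >= 4)
    score = security_score(report)
    return {"score": score, "high_findings": high,
            "policy_ok": high <= policy["max_high"] and score >= policy["min_score"]}


def bind(image, report, policy, key):
    """Associate the security data with the image: hash it, then sign the bundle."""
    data = validate(report, policy)
    data["image_sha256"] = hashlib.sha256(image).hexdigest()
    body = json.dumps(data, sort_keys=True).encode()  # canonical form for signing
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"data": data, "sig": sig}


def verify(image, bundle, key):
    """Downstream check: signature is valid and the bundle matches this exact image."""
    body = json.dumps(bundle["data"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["sig"]):
        return False  # report or score was altered after signing
    return bundle["data"]["image_sha256"] == hashlib.sha256(image).hexdigest()
```

With the sample report the score is 50 and the policy check fails; a modified image, a modified bundle, or a wrong key all make `verify` return False.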