News Column

Patent Issued for Eliminating False-Positive Reports Resulting from Static Analysis of Computer Software

June 19, 2014

By a News Reporter-Staff News Editor at Computer Weekly News -- A patent by the inventors Pistoia, Marco (Amawalk, NY); Tripp, Omer (Har-Adar, IL), filed on December 4, 2011, was published online on June 3, 2014, according to news reporting originating from Alexandria, Virginia, by VerticalNews correspondents.

Patent number 8745578 is assigned to International Business Machines Corporation (Armonk, NY).

The following quote was obtained by the news editors from the background information supplied by the inventors: "The present invention relates to computer code analysis and more particularly, to eliminating false positive reports in such an analysis.

"While being instrumental in detecting elusive and complex problems, bugs, and vulnerabilities in computer software, static program analysis often errs on the conservative side by neglecting to represent important correlations between the artifacts it tracks. For example, a security analysis attempts to identify vulnerable information flows in an application. A report produced by such an analysis would comprise a flow starting at a 'source' statement (i.e., a statement reading untrusted user input into the context of the application) and ending at a 'sink' statement (i.e., a statement performing a security-sensitive operation). While such a flow may be viewed as viable in isolation, it may be infeasible in the broader context of the entire application. Following is an example of two such flows that potentially exhibit a security issue:

    String src = source();                         // SOURCE #1
    String safeAgainstXSS = sanitizeForXss(src);
    session.set("someSrc", src);                   // SINK #1    -- Flow (1)
    .....
    String str = session.get("someSrc");           // SOURCE #2
    xssSink(str);                                  // SINK #2    -- Flow (2)

"As illustrated by the above two flows, both of the flows are valid and may stand on their own. However, as the session object is global across requests, injecting vulnerable content into it may invoke a security problem, so that content read from it might be considered untrusted. On the other hand, if both flows are taken together, they may cancel out each other so that the security problem is actually a non-issue.

"The aforementioned example points out an important source of false-positive reports. An existing static analyzer would report an issue on the code including flows 1 and 2 explained above. This would ignore, however, the fact that these two statements, when combined, may cancel each other, thus eliminating the security problem.

"As another example, an entire flow may be enclosed inside a DEBUG flag, which is turned off automatically when the system is deployed. Finally, a flow may be viable only if another flow (or set of flows) is also present in the report. Using the example of security analysis again, consider an application that owns a database (i.e., the database is used only by this particular application, which is fairly common), and consider the following sequence of statements inside the application:

    String userName = readUntrustedInfoFromDb("userName");
    sensitiveOperation.perform(userName);

"Clearly, these two statements pose as a vulnerable flow when viewed in isolation. However, if there is no corresponding flow showing that untrusted information has ever been written to the database, then no security attack can result from executing the two lines above.

"To conclude, a large number of false-positive reports produced by the static analyzer is not the result of overapproximation in the report itself (when viewed in isolation), but rather, the problem is that in the wider context in which the flow is embedded, it loses its viability. To our knowledge, this observation has not been addressed to date by static-analysis tools. In fact, our experience with existing tools suggests that in some cases, the same block of code is reported both as dead code and as containing a security vulnerability."

In addition to the background information obtained for this patent, VerticalNews journalists also obtained the inventors' summary information for this patent: "One aspect of the present invention provides a system for eliminating false-positive reports resulting from static analysis of computer software. The system includes the following components executed by a processor: a modeler configured to model a computer code into a model that defines sources, sinks, and flows; a static analyzer configured to apply static analysis to the code or the model, to yield reports indicative of at least one issue relating to one or more of the flows; a preconditions generator configured to generate preconditions for eliminating false-positive issues in the reports, based on the model and user-provided input; and a preconditions checker configured to apply the generated preconditions to the reports for eliminating false-positive issues in the reports.

"Other aspects of the invention may include a method arranged to execute the aforementioned system and a computer readable program configured to execute the aforementioned system. These, additional, and/or other aspects and/or advantages of the embodiments of the present invention are set forth in the detailed description which follows; possibly inferable from the detailed description; and/or learnable by practice of the embodiments of the present invention.

"Embodiments of the present invention address the challenge of enforcing correlation constraints (as exemplified above) by adding preconditions to issues reported by the static-analysis tool. For example, one precondition governing an SQL-injection report is that the value returned by the input function may contain problematic characters, such as `-`. Another precondition is that this flow must not reside in dead code. By exposing the preconditions associated with each of the issues and the postconditions it guarantees, the analysis can perform a post-processing step where issues whose preconditions are not fully satisfied are eliminated."
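As an added illustration of the preconditions idea described in the quoted background and summary (this is not code from the patent, from IBM, or from the news service): a toy preconditions checker that models the session, database and DEBUG scenarios above. The Flow fields, the store labels such as `session.set`, and the sample reports are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Flow:
    name: str
    source: str                 # statement label (constructed, e.g. "session.get")
    sink: str                   # statement label (constructed, e.g. "xssSink")
    sanitized: bool = False     # data passed through a sanitizer before the sink
    in_dead_code: bool = False  # e.g. guarded by a DEBUG flag that is off when deployed
    preconditions: list = field(default_factory=list)  # callables (flow, all_flows) -> bool

def not_dead_code(flow, flows):
    return not flow.in_dead_code

def not_sanitized(flow, flows):
    return not flow.sanitized

def tainted_writer_exists(store):
    """A read from a shared store (session, database) is viable only if some other
    live, unsanitized flow in the report set writes untrusted data into that store."""
    def check(flow, flows):
        return any(f is not flow and f.sink == f"{store}.set"
                   and not f.sanitized and not f.in_dead_code for f in flows)
    return check

def apply_preconditions(flows):
    """Preconditions checker: keep the names of flows whose preconditions all hold."""
    return [f.name for f in flows if all(p(f, flows) for p in f.preconditions)]

def build_reports(session_write_sanitized=True):
    """Constructed sample reports modelled on the quoted examples."""
    base = [not_dead_code, not_sanitized]
    return [
        # Flow (1): untrusted input written into the session
        Flow("flow1", "source()", "session.set",
             sanitized=session_write_sanitized, preconditions=base),
        # Flow (2): session value reaches an XSS sink; viable only given a tainted write
        Flow("flow2", "session.get", "xssSink",
             preconditions=base + [tainted_writer_exists("session")]),
        # DB read into a sensitive operation; no flow ever writes untrusted data to the DB
        Flow("flow3", "readUntrustedInfoFromDb", "sensitiveOperation.perform",
             preconditions=base + [tainted_writer_exists("db")]),
        # Flow lying entirely inside a DEBUG block
        Flow("flow4", "source()", "xssSink", in_dead_code=True, preconditions=base),
        # Direct untrusted input to a sink: a true positive that must survive
        Flow("flow5", "source()", "xssSink", preconditions=base),
    ]

if __name__ == "__main__":
    # ['flow5'] when the session write is sanitized; ['flow1', 'flow2', 'flow5'] otherwise
    print(apply_preconditions(build_reports(True)), apply_preconditions(build_reports(False)))
```

Changing only whether Flow (1) is sanitized flips the verdict on Flow (2), which is the correlation between reports that an isolated source-to-sink check cannot see.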

For the URL and more information on this patent, see: Pistoia, Marco; Tripp, Omer. Eliminating False-Positive Reports Resulting from Static Analysis of Computer Software. U.S. Patent Number 8745578, filed December 4, 2011, and published online on June 3, 2014. Patent URL:

Keywords for this news article include: Software, International Business Machines Corporation.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC


Source: Computer Weekly News
