News Column

"Automated Tools for Building Secure Software Programs" in Patent Application Approval Process

August 14, 2014

By a News Reporter-Staff News Editor at Computer Weekly News -- A patent application by the inventors Archer, Myla M. (Alexandria, VA); Heitmeyer, Constance L. (Washington, DC); Leonard, Elizabeth I. (Silver Spring, MD); Gasarch, Carolyn B. (Silver Spring, MD); Ding, Wei (Boston, MA), filed on January 24, 2014, was made available online on July 31, 2014, according to news reporting originating from Washington, D.C., by VerticalNews correspondents.

This patent application is assigned to The Government of the United States of America, as represented by the Secretary of the Navy.

The following quote was obtained by the news editors from the background information supplied by the inventors: "Many serious vulnerabilities in cyber systems arise from security flaws in software. To detect these flaws, organizations can invest enormous sums and significant human effort in testing and in certifying and accrediting the security of software. However, a serious limitation of testing, the most widely used method for obtaining evidence for certification and accreditation, is that by itself testing provides low confidence that the software is secure. Although code verification and analysis of abstract program models could significantly increase confidence in the security of software, this approach is currently viewed by those of ordinary skill in the art as too technically difficult, too expensive, and too time consuming. Therefore, obtaining high confidence that software code satisfies critical security properties remains a very difficult problem.

"Recently, some commercial tools have been introduced that can be used, in addition to testing, to increase assurance in the security of software. Based on research in static analysis and similar techniques, these tools (e.g., PREfast, Coverity, Klocwork, CodeSonar, and Fortify) can detect code vulnerabilities automatically. Specifically, the class of security flaws which these tools uncover is application-independent, that is, errors and code vulnerabilities which do not depend on the application. Examples of the types of errors these tools can detect include null pointer dereferences, format string problems, integer range errors, and buffer overflows. These tools have been effective in exposing and weeding out security errors in programs written in many languages, including C, Java, C++, and C#. An estimate is that the tools have exposed and led to the repair of tens of thousands of bugs, most of which traditional software testing would not have detected. One reason for the tools' success is their 'pushbutton' nature, and another is user ease of understanding of the feedback they provide. To apply the tools, developers require neither significant skills nor special training.

"Despite the success of these tools, both the research community and commercial tool vendors have paid far less attention to detecting a second important class of security flaws in software, application-specific errors. Application-specific errors are typically design errors that are violations of security properties specific to the application. Examples include violations of the allowed data flows and failure of a program to sanitize data areas after processing sensitive data in those areas. Some security experts estimate that, of the large number of security vulnerabilities that exist in current programs, approximately 50% belong to this second class of errors. However, detecting application-specific errors can be extremely difficult. Unlike the case of application-independent errors, where the developer can run a pushbutton tool to detect many code vulnerabilities automatically, the developer whose goal is to detect application-specific errors must define the specific security properties of interest. Specifying these properties can be a challenge, especially if the developer must express the properties in an unfamiliar language or logic.

"Accordingly, a need remains in the art to develop an environment and a set of user-friendly, pushbutton tools that a developer can apply interactively to build a robust software program that satisfies developer-specified application-specific security properties."

In addition to the background information obtained for this patent application, VerticalNews journalists also obtained the inventors' summary information for this patent application: "According to one aspect of the invention, a computer implemented tool is described that includes an assertion generator module that can automatically generate assertions, which are usable to verify application-specific security properties, for a computer software program. An assertion checker module can automatically analyze the computer software program to ensure that it satisfies the application-specific security properties. A graphical user interface module can display feedback to diagnose security flaws detected in the computer software program based on the analysis by the assertion checker module. In support of these modules are a code preprocessor module that can translate source code of the computer software program into an intermediate abstract representation, and a database module that can store the generated assertions and associated data in a database. Each of the modules can provide functionality at any time during code construction of the computer software program.

"According to another aspect of the invention, a method for diagnosing security flaws detected in a computer software program is provided by translating source code of the computer software program into an intermediate abstract representation. Next assertions are automatically generated, wherein the assertions are usable to verify application-specific security properties, for the computer software program, and the assertions are stored in a database. The computer software program is then automatically analyzed to ensure that it satisfies the application-specific security properties. Finally, feedback is generated to diagnose security flaws detected in the computer software program based on the analysis.

"These and other aspects, objects, and features of the present invention will become apparent from the following detailed description of the exemplary embodiments, read in conjunction with, and reference to, the accompanying drawings.


"The following description and drawings set forth certain illustrative implementations of the disclosure in detail, which are indicative of several exemplary ways in which the various principles of the disclosure may be carried out. The illustrated examples, however, are not exhaustive of the many possible embodiments of the disclosure. Other objects, advantages and novel features of the disclosure will be set forth in the following detailed description of the disclosure when considered in conjunction with the drawings, in which:

"FIG. 1 is a block diagram representing a computer implemented tool in accordance with an exemplary embodiment of the invention.

"FIG. 2 is an example of a GUI in accordance with an exemplary embodiment of the invention.

"FIG. 3 is an example GUI in accordance with an exemplary embodiment of the invention."
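The four-step method in the summary (translate to an intermediate representation, generate assertions, check them, report feedback) applied to the two property types the background names, allowed data flows and sanitising buffers after sensitive use. This is an added toy illustration, not code from the patent or its inventors; the IR format, the property schema, the sample program and the function names are all assumptions.

```python
# Added example (not the patent's code): toy pipeline IR -> assertion
# generation -> checking -> feedback. IR, property schema, program: assumed.

# Constructed IR: one function as (op, operands) in execution order.
PROGRAM_IR = [
    ("read", {"dst": "buf", "label": "secret"}),   # key loaded into buf
    ("copy", {"src": "buf", "dst": "line"}),       # line now derives from buf
    ("write", {"src": "line", "sink": "log"}),     # line emitted to a log
    ("ret", {}),                                   # buf/line never cleared
]

# Developer-specified application-specific properties (the hard part per the text).
PROPERTIES = {
    "allowed_sinks": {"secret": {"cipher"}},  # where secret-labelled data may go
    "sanitize_labels": {"secret"},            # labels that must be wiped before ret
}

def generate_assertions(ir, props):
    """Place a check at every statement where a property could be violated."""
    checks = []
    for i, (op, a) in enumerate(ir):
        if op == "write":
            checks.append({"at": i, "kind": "flow", "src": a["src"], "sink": a["sink"]})
        elif op == "ret":
            checks += [{"at": i, "kind": "wiped", "label": l} for l in props["sanitize_labels"]]
    return checks

def check_assertions(ir, checks, props):
    """Walk the IR tracking a label per variable; evaluate each check in place."""
    label, findings = {}, []
    for i, (op, a) in enumerate(ir):
        if op == "read":
            label[a["dst"]] = a["label"]
        elif op == "copy" and a["src"] in label:
            label[a["dst"]] = label[a["src"]]
        elif op == "clear":
            label.pop(a["dst"], None)  # sanitising a buffer drops its label
        for c in [c for c in checks if c["at"] == i]:
            if c["kind"] == "flow" and c["src"] in label:
                lab = label[c["src"]]
                if c["sink"] not in props["allowed_sinks"].get(lab, set()):
                    findings.append(f"stmt {i}: {lab} data in {c['src']} flows to {c['sink']}")
            elif c["kind"] == "wiped":
                left = sorted(v for v, l in label.items() if l == c["label"])
                if left:
                    findings.append(f"stmt {i}: {c['label']} data not sanitised in {left}")
    return findings

def diagnose(ir, props):
    """Whole pipeline; returns feedback lines a GUI would show per statement."""
    return check_assertions(ir, generate_assertions(ir, props), props)
```

Running `diagnose(PROGRAM_IR, PROPERTIES)` flags both the disallowed flow to the log and the two unsanitised buffers at return; a version that writes only to `cipher` and emits a `clear` before `ret` yields no findings.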

For the URL and more information on this patent application, see: Archer, Myla M.; Heitmeyer, Constance L.; Leonard, Elizabeth I.; Gasarch, Carolyn B.; Ding, Wei. Automated Tools for Building Secure Software Programs. Filed January 24, 2014 and posted July 31, 2014. Patent URL:

Keywords for this news article include: Software, The Government of the United States of America as represented by the Secretary of the Navy.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC

Source: Computer Weekly News