This patent application is assigned to The Government of
The following quote was obtained by the news editors from the background information supplied by the inventors: "Many serious vulnerabilities in cyber systems arise from security flaws in software. To detect these flaws, organizations can invest enormous sums and significant human effort in testing and in certifying and accrediting the security of software. However, a serious limitation of testing, the most widely used method for obtaining evidence for certification and accreditation, is that by itself testing provides low confidence that the software is secure. Although code verification and analysis of abstract program models could significantly increase confidence in the security of software, this approach is currently viewed by those of ordinary skill in the art as too technically difficult, too expensive, and too time consuming. Therefore, obtaining high confidence that software code satisfies critical security properties remains a very difficult problem.
"Recently, some commercial tools have been introduced that can be used, in addition to testing, to increase assurance in the security of software. Based on research in static analysis and similar techniques, these tools (e.g., PREfast,
"Despite the success of these tools, both the research community and commercial tool vendors have paid far less attention to detecting a second important class of security flaws in software, application-specific errors. Application-specific errors are typically design errors that are violations of security properties specific to the application. Examples include violations of the allowed data flows and failure of a program to sanitize data areas after processing sensitive data in those areas. Some security experts estimate that, of the large number of security vulnerabilities that exist in current programs, approximately 50% belong to this second class of errors. However, detecting application-specific errors can be extremely difficult. Unlike the case of application-independent errors, where the developer can run a pushbutton tool to detect many code vulnerabilities automatically, the developer whose goal is to detect application-specific errors must define the specific security properties of interest. Specifying these properties can be a challenge, especially if the developer must express the properties in an unfamiliar language or logic.
"Accordingly, a need remains in the art to develop an environment and a set of user-friendly, pushbutton tools that a developer can apply interactively to build a robust software program that satisfies developer-specified application-specific security properties."
In addition to the background information obtained for this patent application, VerticalNews journalists also obtained the inventors' summary information for this patent application: "According to one aspect of the invention, a computer implemented tool is described that includes an assertion generator module that can automatically generate assertions, which are usable to verify application-specific security properties, for a computer software program. An assertion checker module can automatically analyze the computer software program to ensure that it satisfies the application-specific security properties. A graphical user interface module can display feedback to diagnose security flaws detected in the computer software program based on the analysis by the assertion checker module. In support of these modules are a code preprocessor module that can translate source code of the computer software program into an intermediate abstract representation, and a database module that can store the generated assertions and associated data in a database. Each of the modules can provide functionality at any time during code construction of the computer software program.
"According to another aspect of the invention, a method for diagnosing security flaws detected in a computer software program is provided by translating source code of the computer software program into an intermediate abstract representation. Next assertions are automatically generated, wherein the assertions are usable to verify application-specific security properties, for the computer software program, and the assertions are stored in a database. The computer software program is then automatically analyzed to ensure that it satisfies the application-specific security properties. Finally, feedback is generated to diagnose security flaws detected in the computer software program based on the analysis.
"These and other aspects, objects, and features of the present invention will become apparent from the following detailed description of the exemplary embodiments, read in conjunction with, and reference to, the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
"The following description and drawings set forth certain illustrative implementations of the disclosure in detail, which are indicative of several exemplary ways in which the various principles of the disclosure may be carried out. The illustrated examples, however, are not exhaustive of the many possible embodiments of the disclosure. Other objects, advantages and novel features of the disclosure will be set forth in the following detailed description of the disclosure when considered in conjunction with the drawings, in which:
"FIG. 1 is a block diagram representing a computer implemented tool in accordance with an exemplary embodiment of the invention.
"FIG. 2 is an example of a GUI in accordance with an exemplary embodiment of the invention.
"FIG. 3 is an example GUI in accordance with an exemplary embodiment of the invention."
URL and more information on this patent application, see: Archer, Myla M.; Heitmeyer,
Keywords for this news article include: Software, The Government of
Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC
Most Popular Stories
- Larry Ellison Steps Down as Oracle CEO
- Apple Locks Itself Out of Devices
- Alibaba: Today China, Tomorrow the World
- John Cantlie Delivers ISIS Message to Save Life
- U.S. Families 'Extraordinarily Vulnerable': Yellen
- Hillary Clinton to Address CHCI Conference
- Veterans to Get Training as Solar Panel Installers
- Hispanics Doubt Marco Rubio's Chances
- Wildfires Rage in California
- Alibaba Prices IPO at $68 a Share