Search Images Maps Play YouTube News Gmail Drive More »
Advanced Patent Search | Web History | Sign in

Patents

A system and method for static detection and categorization of information-flow downgraders includes transforming a program stored in a memory device by statically analyzing program variables to yield a single assignment to each variable in an instruction set. The instruction set is translated to production rules with string operations. A context-free grammar is generated from the production rules to identify a finite set of strings. An information-flow downgrader function is identified by checking the finite set of strings against one or more function specifications.

InventorsYINNON HAVIV, Roee Hay, Marco Pistoia, Guy Podjarny, Adi Sharabani, Takaaki Tateishi, Omer Tripp, Omri Weisman
Original AssigneeINTERNATIONAL BUSINESS MACHINES CORPORATION
Current U.S. Classification717/155

View patent at USPTO
Search USPTO Assignment Database
Download USPTO Public PAIR data

Claims

1. A method for static detection and categorization of information-flow downgraders, comprising:

transforming a program stored in a memory device by statically analyzing program variables to yield a single assignment for each variable in an instruction set;

translating the instruction set to production rules with string operations to identify a finite set of strings;

generating a context-free grammar from the production rules; and

identifying an information-flow downgrader function by checking the finite set of strings against one or more function specifications.

2. The method as recited in claim 1, wherein identifying includes detecting and categorizing the downgrader functions based upon a purpose the downgrader function.

3. The method as recited in claim 1, wherein the one or more functions include a security-sensitive function in the program.

4. The method as recited in claim 1, further comprising comparing the context free grammar with a specification of the security-sensitive function such that if the grammar satisfies the specification, the input is considered properly downgraded.

5. The method as recited in claim 4, further comprising labeling a string to locate string-manipulating functions that modified the input and made the input specification-compliant.

6. The method as recited in claim 1, wherein the one or more function specifications are employed to categorize the downgrader function.

7. The method as recited in claim 1, wherein transforming the program includes transforming the program by employing pseudo notations for program variable assignments.

8. The method as recited in claim 1, wherein the downgrader function is generated by a Web application.

9. A computer readable storage medium comprising a computer readable program for static detection and categorization of information-flow downgraders, wherein the computer readable program when executed on a computer causes the computer to perform the steps of:

transforming a program stored in a memory device by statically analyzing program variables to yield a single assignment to each variable in an instruction set;

translating the instruction set to production rules with string operations;

generating a context-free grammar from the production rules to identify a finite set of strings; and

identifying an information-flow downgrader function by checking the finite set of strings against one or more function specifications.

10. The computer readable storage medium as recited in claim 9, wherein identifying includes detecting and categorizing the downgrader functions based upon a purpose the downgrader function.

11. The computer readable storage medium as recited in claim 9, wherein the one or more functions include a security-sensitive function in the program.

12. The computer readable storage medium as recited in claim 9, further comprising comparing the context free grammar with a specification of the security-sensitive function such that if the grammar satisfies the specification the input is considered properly downgraded.

13. The computer readable storage medium as recited in claim 12, further comprising labeling a string to locate string-manipulating functions that modified the input and made the input specification-compliant.

14. The computer readable storage medium as recited in claim 9, wherein the one or more function specifications are employed to categorize the downgrader.

15. The computer readable storage medium as recited in claim 9, wherein transforming the program includes transforming the program by employing pseudo notations for program variable assignments.

16. A method for static detection and categorization of information-flow downgraders, comprising:

transforming a program stored in a memory device by statically analyzing program variables to yield a single assignment to each variable in an instruction set;

translating the instruction set to production rules with string operations;

performing a pointer analysis on the production rules with string operations to improve precision;

generating a context-free grammar from the production rules to identify a finite set of strings;
comparing the context free grammar with a specification of a security-sensitive function such that if the grammar satisfies the specification the input is considered properly downgraded; and
labeling a string to locate string-manipulating functions that modified an input and made the input specification-compliant to identify and categorize an information-flow downgrader function.

17. The method as recited in claim 16, wherein transforming the program includes transforming the program by employing pseudo notations for program variable assignments.

18. The method as recited in claim 17, wherein the downgrader function is generated by a Web application.

19. A system for static detection and categorization of information-flow downgraders, comprising:

a program storage device configured to store a program, the program storage device further configured to work in conjunction with a processor to execute program instructions to detect and categorize information-flow downgraders in the program;

a static analysis framework configured to analyze an application program and to perform a static string assignment on the application program to transform program variables to yield a single assignment for each variable in an instruction set, the framework configured to translate the instruction set to production rules with string operations and generate a context-free grammar from the production rules to identify a finite set of strings; and

a comparison module configured to detect and categorize the finite set of strings by comparing the finite set of strings against one or more function specifications to identify an information-flow downgrader function.

20. The system as recited in claim 19, wherein downgrader functions are categorized based upon a purpose of the downgrader function.

22. The system as recited in claim 19, wherein the one or more functions include a security-sensitive function in the program.

23. The system as recited in claim 19, wherein the comparison module compares the context free grammar with a specification of a security-sensitive function such that if the grammar satisfies the specification the input is considered properly downgraded.

24. The system as recited in claim 23, a labeler configured to label a string to locate string-manipulating functions that modified the input and made the input specification-compliant.

25. The system as recited in claim 19, wherein the downgrader function is generated by a Web application.

Drawings