Title of invention: Characterizing, detecting and healing vulnerabilities in computer code
Abstract: An example process includes identifying, by one or more processing devices, a location in computer code that is subject to vulnerability, where the location corresponds to a memory access that is repeatable and that operates on a particular type of variable; and performing processes, by one or more processing devices, to heal the vulnerability. The memory access may be part of a system-to-system or a user-to-system interaction that is repeatable.
Publication number: US9411964(B1) Publication date: 2016.08.09
Application number: US201414551508 Filing date: 2014.11.24
Applicant: BlueRISC, Inc. Inventors: Moritz Csaba Andras; Carver Kristopher; Gummeson Jeffry
Classification: G06F12/14;G06F21/57 Main classification: G06F12/14
Agency: Choate, Hall & Stewart LLP Agent: Choate, Hall & Stewart LLP; Pysher Paul A.
Principal claim: 1. A method comprising: using one or more particular processing devices: inserting support code into computer code on a non-transitory machine-readable medium, the support code performing operations comprising: identifying a location in the computer code that is subject to vulnerability, the location corresponding to a memory access instruction that is repeatable and that operates on a particular type of variable, the vulnerability enabling access to the computer code, leakage of information from the computer code, exploitation of the computer code, or attack of the computer code; and performing a process to heal the vulnerability, the process comprising: identifying a point in the computer code at which a boundary for the memory access instruction is established; establishing a link between the point and the memory access instruction, the point being on an execution path containing the memory access instruction; determining a range accessed by the memory access instruction, the support code being inserted prior to, and executing before, the memory access instruction; and at runtime, invoking a handler routine to thwart, based on the boundary and the range, an attempt to leverage the vulnerability, the handler routine being configured to selectively prevent the memory access instruction from executing when the boundary is violated, the handler routine being invoked after the attempt to leverage the vulnerability.
Address: Amherst MA US