Title: Method, system, and computer program product for automatically mitigating vulnerabilities in source code
Abstract: A method for automatically mitigating vulnerabilities in the source code of an application is provided in the present invention. The method includes the following steps. First, the source code is compiled, and a path graph is built according to the compiled source code. The path graph includes a plurality of paths traversing from sources to sinks, and each of the paths includes a plurality of nodes. Then, at least one tainted path is identified by enabling a plurality of vulnerability rules. Each of the at least one tainted path corresponds to a vulnerability, and each of the at least one vulnerability corresponds to a sanitization method. Then, it is determined whether the at least one vulnerability is mitigable. If the at least one vulnerability is mitigable, the at least one vulnerability is mitigated automatically. Furthermore, the method may be implemented as a system and a computer program product.
Publication number: US9639703(B2) Publication date: 2017.05.02
Application number: US201514845281 Filing date: 2015.09.04
Applicant: Lucent Sky Corporation Inventor: Liu Jim
Classification: G06F21/57;G06F9/45;G06F21/53 Main classification: G06F21/57
Agency: Jianq Chyun IP Office Agent: Jianq Chyun IP Office
Main claim: 1. A method for automatically mitigating vulnerabilities in a source code of an application via static analysis comprising: building a path graph according to the source code, wherein the path graph comprises a plurality of paths traversing from sources to sinks, and wherein each of the paths comprises a plurality of nodes; identifying at least one tainted path from the path graph, wherein each of the at least one tainted path corresponds to a vulnerability; locating a target node in each of the at least one tainted path based on an existence of a tainted object and a result of syntax analysis comprising: obtaining a list of candidate nodes from each of the at least one tainted path based on the existence of the tainted object; performing syntax analysis on each of the candidate nodes and accordingly evaluating a priority order for each of the candidate nodes; and selecting the target node from the candidate nodes based on the priority orders comprising: identifying and setting the candidate node with the highest priority order in each of the at least one tainted path as the target node, wherein when there exists more than one candidate node with the same highest priority order in each of the at least one tainted path, setting the node with the same highest priority order and closest to the sink in each of the at least one tainted path as the target node; and mitigating at least one vulnerability in the target node in each of the at least one tainted path automatically.
Address: Pasadena CA US
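The target-node selection and sanitizer insertion described in the abstract and the main claim, as an added illustrative model that is not the patent's or Lucent Sky's code: the node kinds, the priority table standing in for the "syntax analysis" step, the vulnerability-to-sanitizer mapping and the sample tainted path are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Node:
    nid: int
    kind: str        # constructed node kinds: source / assign / concat / call / sink
    tainted: bool    # whether the tainted object exists at this node
    var: str         # variable written at this node ("" for source/sink)
    rhs: str         # expression evaluated at this node (placeholder text)


# Constructed priority table standing in for the claim's syntax analysis:
# a higher value marks a node that is a better place to insert a sanitizer.
PRIORITY = {"assign": 3, "call": 2, "concat": 1}

# Constructed mapping from vulnerability to its sanitization method.
SANITIZERS = {"XSS": "html_encode", "SQLi": "sql_param"}


def candidate_nodes(path):
    """Intermediate nodes of a source->sink path where the tainted object exists."""
    return [n for n in path[1:-1] if n.tainted]


def select_target(path):
    """Highest-priority candidate; on a tie, the candidate closest to the sink."""
    cands = candidate_nodes(path)
    if not cands:
        return None
    best = max(PRIORITY.get(n.kind, 0) for n in cands)
    # The path is ordered source -> sink, so the last tied node is nearest the sink.
    return [n for n in cands if PRIORITY.get(n.kind, 0) == best][-1]


def mitigate(path, vuln):
    """Apply the sanitizer at the target node; None when the vulnerability is not mitigable."""
    sanitizer = SANITIZERS.get(vuln)
    target = select_target(path)
    if sanitizer is None or target is None:
        return None      # no known sanitizer, or no node to apply it at
    target.rhs = f"{sanitizer}({target.rhs})"
    return target.nid, f"{target.var} = {target.rhs}"


def sample_path():
    """Constructed tainted path: a request parameter flowing into an HTML writer."""
    return [
        Node(0, "source", True, "", "request.getParameter('q')"),
        Node(1, "assign", True, "x", "request.getParameter('q')"),
        Node(2, "concat", True, "y", "'<b>' + x"),
        Node(3, "assign", True, "z", "y"),
        Node(4, "sink", True, "", "out.write(z)"),
    ]
```

Nodes 1 and 3 tie on priority, so the claim's tie-break picks node 3 (closest to the sink) and the sanitizer wraps the value just before it reaches `out.write`.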