Identifying implicit assumptions associated with a software product

摘要

A framework is described herein for identifying implicit assumptions associated with an SDK and its accompanying documentation (e.g., dev guide). An implicit assumption is information that is not expressly stated in the documentation, but which would be useful in assisting an application developer in building an application. The framework also describes a systematic approach for identifying one or more vulnerability patterns based on the identified implicit assumptions. An application developer may run a test on an application that is being developed to ensure that it does not have any deficiency which matches a vulnerability pattern.

主权项

1. A method performed by at least one computing device, the method comprising: obtaining natural language documentation relating to a software development kit (SDK), wherein the natural language documentation relating to the SDK describes a recommended use of the SDK by an application in order to achieve a stated objective;
obtaining a model which represents at least: the SDK, the natural language documentation relating to the SDK, system environment in which the SDK is expected to be used by the application, and assertions pertaining to the stated objective that are expressed as properties expected to be met by the application; analyzing the model to provide a result, the analyzing including non-deterministically invoking functions provided by the SDK in accordance with the natural language documentation relating to the SDK; and outputting the result, the result indicating whether there is at least one assumption that is not explicitly stated in the natural language documentation relating to the SDK, but where satisfaction of the stated objective depends on knowledge of said at least one assumption.