
Method and System for Automatic Validation of Static Security Reports in Form of Dynamic Scripts

IP.com Disclosure Number: IPCOM000239555D
Publication Date: 2014-Nov-14
Document File: 2 page(s) / 35K

Publishing Venue

The IP.com Prior Art Database

Abstract

A method and system is disclosed for automatic validation of static security reports in form of dynamic scripts.

This is the abbreviated version, containing approximately 52% of the total text.

Page 01 of 2


Disclosed is a method and system for the automatic validation of static security reports in the form of dynamic scripts.

The method and system improve the overall precision and usability of a static analysis tool.

Rather than trying to make the baseline static analysis itself more precise when it generates reports, a post-processing analysis is introduced that takes the results of the baseline static analysis as its input. The post-processing analysis attempts to translate each result into an executable dynamic script that demonstrates the reported problem against the running target.

The method and system translate a static witness (the source-to-sink path reported by the analysis) into a dynamic script that interacts with the target system to expose the reported problem. Because the underlying question is undecidable in general, the translation fails at times; the following algorithm is therefore followed:

For each reported static vulnerability, while the analysis budget permits:

  1. Try to translate the finding into a dynamic script.

  2. If the translation succeeds, stop and report the script to the user as confirmation of the finding.

  3. Otherwise, derive feedback from the failure (for example, which step of the script the target refused), and

  4. Refine the translation step accordingly and retry.

A finding whose budget is exhausted without a successful translation remains an unconfirmed static report.
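The loop above, as an added worked example (not code from the disclosure): a static finding names a tainted source and a sink statement; the translator plans a path through the target's UI state machine to the page where that statement runs, emits a script carrying a payload, executes it, and on refusal learns which transition was blocked and replans, until the budget runs out. The target application, its transitions, the statement-to-UI-state map (standing in for the profiling or static-approximation correlation the disclosure describes), and the finding are all constructed toy data.

```python
"""Translate static taint witnesses into dynamic scripts with failure feedback.
Added example; the target app, UI state machine and findings are constructed."""
from collections import deque
from dataclasses import dataclass

# Constructed UI state machine of the target: (from_state, action, to_state).
# One transition is guarded by a server-side check the translator does not know
# about up front; it must learn that from a failed run.
TRANSITIONS = [
    ("home", "click_login", "login"),
    ("login", "submit_creds", "dashboard"),
    ("home", "click_search", "search"),        # refused unless logged in
    ("dashboard", "click_search", "search"),
]

# Correlation between reported code statements and the UI state in which they
# execute (constructed; profiling or a static UI approximation would supply it).
STMT_TO_STATE = {
    "search_handler:echo": "search",        # echoes q unescaped: true positive
    "dashboard_handler:render": "dashboard",  # echoes nothing: static false positive
}


@dataclass
class StaticFinding:
    kind: str          # e.g. "reflected-xss"
    source: str        # tainted request parameter name
    sink_stmt: str     # statement id reported by the static analysis
    payload: str = "<script>x</script>"


def run_script(script):
    """Simulated target application (constructed). Executes a dynamic script,
    a list of (action, params), and returns (body, failure), where failure is
    None or the (state, action) pair the application refused."""
    state, session, body = "home", False, ""
    for action, params in script:
        nxt = [t for f, a, t in TRANSITIONS if f == state and a == action]
        if not nxt:
            return body, (state, action)
        if action == "click_search" and not session:   # the hidden guard
            return "403 login required", (state, action)
        if action == "submit_creds":
            session = True
        state = nxt[0]
        if state == "search":                            # unescaped reflection
            body = "<p>Results for " + params.get("q", "") + "</p>"
    return body, None


def plan_path(start, goal, blocked):
    """BFS over the UI state machine, skipping transitions learned to be blocked.
    Returns the list of actions to reach goal, or None."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, actions = queue.popleft()
        if state == goal:
            return actions
        for f, a, t in TRANSITIONS:
            if f == state and (f, a) not in blocked and t not in seen:
                seen.add(t)
                queue.append((t, actions + [a]))
    return None


def translate(finding, blocked):
    """Turn a static witness into a dynamic script; None on translation failure
    (no UI correlation for the statement, or no known path to its state)."""
    goal = STMT_TO_STATE.get(finding.sink_stmt)
    path = plan_path("home", goal, blocked) if goal else None
    if not path:
        return None
    script = [(action, {}) for action in path]
    # The tainted input travels with the request that reaches the sink's page.
    script[-1] = (path[-1], {finding.source: finding.payload})
    return script


def validate(finding, budget=5):
    """The disclosure's loop. Returns (script, attempts) when a dynamic script
    demonstrates the report, or (None, attempts) otherwise."""
    blocked = set()
    for attempt in range(1, budget + 1):
        script = translate(finding, blocked)
        if script is None:
            return None, attempt                # nothing left to try
        body, failure = run_script(script)
        if failure is None:
            # Reached the sink: confirmed if the payload is reflected, else the
            # static report is not reproducible and stays unconfirmed.
            return (script if finding.payload in body else None), attempt
        blocked.add(failure)                    # feedback: avoid this edge next time
    return None, budget


if __name__ == "__main__":
    print(validate(StaticFinding("reflected-xss", "q", "search_handler:echo")))
```

The first attempt takes the shortest UI path (home to search) and is refused by the login guard; the refusal becomes feedback that blocks that edge, and the second attempt reaches the sink through the login flow and reflects the payload. A finding mapped to a page that does not echo input reaches its state but produces no reflection and is reported back as unconfirmed rather than as a proven vulnerability.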

To translate a static report into a dynamic script, there are at least two possibilities. One possibility is to use dynamic profiling information: an instrumented version of the application is executed to correlate User Interface (UI) states with code statements. Another possibility is to build a static approximation of the UI states and the state machine...