Browse Prior Art Database

Scalable & Distributed Vulnerability Scanning Solution for Mixed Language Applications Disclosure Number: IPCOM000244722D
Publication Date: 2016-Jan-06
Document File: 5 page(s) / 58K

Publishing Venue

The Prior Art Database


Disclosed is a method for doing effective vulnerability scanning in mixed language enviornments.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 23% of the total text.

Page 01 of 5

Scalable & Distributed Vulnerability Scanning Solution for Mixed Language Applications The term Security Vulnerability refers to a flaw or weakness in a system that can leave it open to security attacks. There are tools and techniques available in the industry today to examine a given set of code and determine or highlight potential vulnerabilities in the code. Two major ways of security testing/scanning application code are:

1) Dynamic application security testing: Tests the run time functionality and behavior of an application. Referred to as black box testing.

2) Static application security testing: Examines the internal structures and logic of an application. Referred to as white box testing.

Static Application Security Testing (SAST) involves statically scanning code for security vulnerabilities and generate a vulnerability assessment report . This report usually includes various different types of security vulnerability which may cause a security risk to the application. There are various pre-defined types of scan configuration and policies available in most of the standard tools. These policies are typical rule engines that are updated based on knowledge of Common Vulnerabilities and Exposures (CVEs). The vulnerability assessment report can be published for each application scan on a shared server.

The application scanning tools generally support the security testing of numerous languages - Android, Java, client-side JavaScript, JSP, ColdFusion, C, C++, .NET (C#, ASP.NET, and VB.NET), Classic ASP, (JavaScript/VBScript), PHP, Perl, Visual Basic 6, PL/SQL, T-SQL, and COBOL. However, these tools scan one language at a time and cross-project analysis only works between projects of the same language.

Most of the existing vulnerability scanning tools do not support multi-language or distributed application scanning. That is, they are unable to support any language runtime with a mixed language stack, for example Java Native Interface (JNI) which is a standard interface between C and Java code. Let's see this in a bit more detail with an example:

Java is a widely used language for developing applications. While a lot of code (ex: core classes) in Java is written using Java itself, it also has good amount of native code written using C/C++ languages. Java supports native code via the Java Native Interface (JNI). JNI allows Java code that runs inside a Java Virtual Machine (VM) to interoperate with applications and libraries written in other programming languages, such as C, C++, and assembly.

Thus, a non-trivial Java application consists of multiple languages namely - Java, C and C++. If we want to scan and detect vulnerabilities in the Java source code, the tool should be capable of scanning the call stacks involving multi language code (Java/C/C++). However, the existing tools/solutions don't have this capability and once they hit the native method in the call stack, the scanning stops. This requires the users to scan the native...