Hacks, phishing, and other malicious cyberattacks all
happen due
to bugs in a software program’s code. Because no one can manually check the
millions of lines of code behind a mobile app or a website, developers use
verification software to check their work. And even then, sometimes the analysis that traditionally
trusts that defenses installed by the developer were implemented correctly, misses
vulnerabilities.
The
patent process
What I see most often is someone with a great idea, but who doesn't think of it in terms of a patentable idea. As a Master Inventor, I want to help my colleagues move those ideas to patents. – Marco Pistoia It’s also about point of view. Many file patents that describe what they have done. But what’s more valuable is the abstract, creative use of the idea. – Omer Tripp |
“I would say the patent is more valuable today (it was issued in 2014) because of the explosion in cloud and mobile technologies, which necessitate defenses that are more challenging to implement correctly than ever before. We’re all accessing websites that require sensitive information about ourselves, and sometimes the software asking for that information is vulnerable,” said Omer, who has filed 174 patent applications and been issued 64. In 2012, Omer earned more than 1 percent of IBM’s entire patent total of 6,478.
Omer and Marco set out four years ago to verify what
software applications claimed to be secure “downgrader” code (the part of a
software program that sanitizes or validates untrusted input to a website,
or obfuscates and declassifies confidential data before its release). By
developing a way to check a website’s information flow downgrader, they found
that live, implemented code still had security holes. “Our tool simulates what
developers have a hard time testing for, such as ‘double encoded’ input, or
other odd combinations of validation routines,” said Marco, who has 148 patent
filings and 72 patent issuances to his name.
Their
ISSTA 2011 paper, Path-and index-sensitive string analysis
based on monadic second-order logic demonstrated vulnerabilities on
several open source websites, earning ACM SIGSOFT’s Distinguished Paper Award.
Downgraders take input that’s not trusted, like
erroneous details entered into a website login form, and help make it trusted.
They sanitize the information by getting rid of certain unintended, and potentially
malicious, characters and substrings. But they can be tricked by recursive nesting
of the payload, and other clever tricks. The invention detects when a
downgrader incorrectly allows (or rejects) accurate input – and can be
integrated into standard analysis tools.
"Developers do validate that their software works as it
should. But what’s often left unchecked are the inputs to the software – how
the average person checks Twitter, or applies for a bank account,” Marco said.
“We can now analyze those inputs to make sure the defenses a developer puts in
place work, or alternatively, have errors.”
“Now, we want to connect this invention with others we’re working on in this area, namely tools that automatically fix broken defenses. This would help developers check their code, and their downgraders,” Omer said.
“Now, we want to connect this invention with others we’re working on in this area, namely tools that automatically fix broken defenses. This would help developers check their code, and their downgraders,” Omer said.
More about IBM's 2014 patent leadership