verifies information flow downgraders
Hacks, phishing, and other malicious cyberattacks all
to bugs in a software program’s code. Because no one can manually check the
millions of lines of code behind a mobile app or a website, developers use
verification software to check their work. And even then, sometimes the analysis that traditionally
trusts that defenses installed by the developer were implemented correctly, misses
This is where IBM Master Inventors Omer Tripp, PhD and
Marco Pistoia, PhD focused patent #8,635,602: Verification
of information-flow downgraders. Filed in 2010, the invention aims
to close the loop on code that – because of poorly implemented defenses – compromises
sensitive data, such as bank account numbers, and passwords.
“I would say the patent is more valuable today (it was
issued in 2014) because of the explosion in cloud and mobile technologies,
defenses that are more challenging to implement correctly than ever before.
We’re all accessing websites that require sensitive information about
ourselves, and sometimes the software asking for that information is
vulnerable,” said Omer, who has filed 174 patent applications and been issued
64. In 2012, Omer earned more than 1 percent of IBM’s entire patent total of
What I see most often is someone with a great idea, but who
doesn't think of it in terms of a patentable idea. As a Master Inventor, I
want to help my colleagues move those ideas to patents. – Marco Pistoia
It’s also about point of view. Many file patents that describe
what they have done. But what’s more valuable is the abstract, creative use
of the idea. – Omer Tripp
Omer and Marco set out four years ago to verify what
software applications claimed to be secure “downgrader” code (the part of a
software program that sanitizes or validates untrusted input to a website,
or obfuscates and declassifies confidential data before its release). By
developing a way to check a website’s information flow downgrader, they found
that live, implemented code still had security holes. “Our tool simulates what
developers have a hard time testing for, such as ‘double encoded’ input, or
other odd combinations of validation routines,” said Marco, who has 148 patent
filings and 72 patent issuances to his name.
Trust and verify
Downgraders take input that’s not trusted, like
erroneous details entered into a website login form, and help make it trusted.
They sanitize the information by getting rid of certain unintended, and potentially
malicious, characters and substrings. But they can be tricked by recursive nesting
of the payload, and other clever tricks. The invention detects when a
downgrader incorrectly allows (or rejects) accurate input – and can be
integrated into standard analysis tools.
"Developers do validate that their software works as it
should. But what’s often left unchecked are the inputs to the software – how
the average person checks Twitter, or applies for a bank account,” Marco said.
“We can now analyze those inputs to make sure the defenses a developer puts in
place work, or alternatively, have errors.”
“Now, we want to connect this invention with others
we’re working on in this area, namely tools that automatically fix broken defenses. This would help developers
check their code, and their downgraders,” Omer said.
More about IBM's 2014 patent leadership
Labels: cybersecurity, invention, mobile, patent, verification