US 10,891,216 B2
Parallel data flow analysis processing to stage automated vulnerability research
Andrew Calvano, Draper, UT (US)
Assigned to Raytheon Company, Waltham, MA (US)
Filed by Raytheon Company, Waltham, MA (US)
Filed on Dec. 21, 2018, as Appl. No. 16/228,963.
Prior Publication US 2020/0201742 A1, Jun. 25, 2020
Int. Cl. G06F 9/44 (2018.01); G06F 11/36 (2006.01); G06F 16/901 (2019.01); G06F 9/30 (2018.01)
CPC G06F 11/3636 (2013.01) [G06F 9/3005 (2013.01); G06F 11/3616 (2013.01); G06F 11/3668 (2013.01); G06F 16/9024 (2019.01)] 14 Claims
OG exemplary drawing
 
1. A method for data flow analysis, comprising:
obtaining, by a processing circuitry, an execution trace of a software program;
dividing, by the processing circuitry, the execution trace into a plurality of sections, each section identifying a sequence of instructions of the software program;
generating a plurality of definition-and-usage chains, at least some of the definition-and-usage chains being generated by different processors, at least some of the definition-and-usage chains being generated based on different sections of the execution trace, at least two of the definition-and-usage chains being generated in parallel with one another;
combining, by the processing circuitry, the plurality of definition-and-usage chains to produce a data flow graph, the definition-and-usage chains being combined based on information provided by at least one of the processors that are used to generate the definition-and-usage chains, the information indicating one or more unresolved memory locations that are accessed by respective operations corresponding to one or more incomplete usage nodes in the definition-and-usage chains; and
providing, by the processing circuitry, the data flow graph for further use in detecting vulnerabilities in the software program,
wherein any of the unresolved memory locations includes a memory location that is assigned a definition that is at least one of (A) produced by a first operation identified in one of the sections of the execution trace, and retrieved by a second operation identified in another one of the sections of the execution trace or (B) produced by a first operation corresponding to a first node in one of the definition-and-usage chains and retrieved by a second operation corresponding to a second node in another one of the definition-and-usage chains.
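The claimed method in working form, as an added illustration that is not code from the patent or from Raytheon: a constructed execution trace of memory writes ("def") and reads ("use") is split into sections, each section's definition-and-usage chain is built in parallel, and reads that no definition in the same section reaches (the incomplete usage nodes with unresolved memory locations) are stitched to the last definition in an earlier section when the chains are combined. The trace format, `Chain` record, and three-way split are assumptions chosen for the example.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

# Constructed trace: (instruction_index, operation, memory_address).
TRACE = [
    (0, "def", 0x1000), (1, "def", 0x1008), (2, "use", 0x1000),
    (3, "use", 0x1008), (4, "def", 0x1000), (5, "use", 0x1010),
    (6, "use", 0x1000), (7, "def", 0x1010), (8, "use", 0x1010),
]

@dataclass
class Chain:
    edges: list = field(default_factory=list)       # (def_idx, use_idx, addr) resolved locally
    unresolved: list = field(default_factory=list)  # (use_idx, addr): no def in this section
    last_def: dict = field(default_factory=dict)    # addr -> last def index in this section

def split(trace, n_sections):
    size = -(-len(trace) // n_sections)  # ceiling division
    return [trace[i:i + size] for i in range(0, len(trace), size)]

def build_chain(section):
    """Def-use chain for one section; runs independently of the others."""
    chain = Chain()
    for idx, op, addr in section:
        if op == "def":
            chain.last_def[addr] = idx
        elif addr in chain.last_def:
            chain.edges.append((chain.last_def[addr], idx, addr))
        else:
            chain.unresolved.append((idx, addr))  # incomplete usage node
    return chain

def combine(chains):
    """Stitch sections in trace order using each section's reported unresolved locations."""
    edges, still_unresolved, reaching = [], [], {}
    for chain in chains:
        edges.extend(chain.edges)
        for use_idx, addr in chain.unresolved:
            if addr in reaching:
                edges.append((reaching[addr], use_idx, addr))
            else:
                still_unresolved.append((use_idx, addr))  # never written in the trace
        reaching.update(chain.last_def)  # later sections see this section's last defs
    return sorted(edges), still_unresolved

def data_flow_graph(trace, n_sections=3):
    with ThreadPoolExecutor(max_workers=n_sections) as pool:
        chains = list(pool.map(build_chain, split(trace, n_sections)))
    return combine(chains)
```

The combined result equals what a single sequential pass over the whole trace would produce, which is the property the sectioned approach must preserve.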