US 12,034,754 B2
Using static analysis for vulnerability detection
Peter W. O'Hearn, London (GB); Theodore M. Reed, Berkeley Heights, NJ (US); Yijou Chen, Cupertino, CA (US); and Robert Schoening, Oakland, CA (US)
Assigned to LACEWORK, INC., Mountain View, CA (US)
Filed by LACEWORK, INC., San Jose, CA (US)
Filed on Jun. 13, 2022, as Appl. No. 17/838,818.
Application 17/838,818 is a continuation in part of application No. 17/504,311, filed on Oct. 18, 2021, granted, now 11,677,772.
Application 17/504,311 is a continuation of application No. 16/665,961, filed on Oct. 28, 2019, granted, now 11,153,339, issued on Oct. 19, 2021.
Application 16/665,961 is a continuation of application No. 16/134,794, filed on Sep. 18, 2018, granted, now 10,581,891, issued on Mar. 3, 2020.
Claims priority of provisional application 63/341,792, filed on May 13, 2022.
Claims priority of provisional application 62/650,971, filed on Mar. 30, 2018.
Claims priority of provisional application 62/590,986, filed on Nov. 27, 2017.
Prior Publication US 2022/0329616 A1, Oct. 13, 2022
Int. Cl. H04L 9/40 (2022.01); G06F 9/455 (2018.01); G06F 9/54 (2006.01); G06F 16/901 (2019.01); G06F 16/9038 (2019.01); G06F 16/9535 (2019.01); G06F 16/9537 (2019.01); G06F 21/57 (2013.01); H04L 43/045 (2022.01); H04L 43/06 (2022.01); H04L 67/306 (2022.01); H04L 67/50 (2022.01); G06F 16/2455 (2019.01)
CPC H04L 63/1425 (2013.01) [G06F 9/455 (2013.01); G06F 9/545 (2013.01); G06F 16/9024 (2019.01); G06F 16/9038 (2019.01); G06F 16/9535 (2019.01); G06F 16/9537 (2019.01); G06F 21/57 (2013.01); H04L 43/045 (2013.01); H04L 43/06 (2013.01); H04L 63/10 (2013.01); H04L 67/306 (2013.01); H04L 67/535 (2022.05); G06F 16/2456 (2019.01)] 18 Claims
OG exemplary drawing
 
1. A method of using static analysis for vulnerability detection, the method comprising:
inspecting, using an underapproximate static code analysis, a non-executable representation of an application to identify one or more vulnerabilities in the application, wherein the underapproximate static code analysis is a static code analysis limited to realizable flows in the application, wherein inspecting the non-executable representation of the application comprises:
identifying one or more realizable flows in the application using a taint analysis; and
analyzing only the one or more realizable flows in the application identified using the taint analysis to identify the one or more vulnerabilities; and
providing an indication of the one or more vulnerabilities.