`US 7,207,065 B2
`This application claims priority to the U.S. Provisional
`Patent Application entitled "Apparatus and Method for
`Developing, Testing and Monitoring Secure Software", Ser.
`No. 60/577,066, filed Jun. 4, 2004. This application is
`related to the following commonly owned and concurrently
`filed patent applications: "Apparatus and Method for Devel(cid:173)
`oping, Testing and Monitoring Secure Software", U.S. Ser. 10
`No. 11/009,570, filed Dec. 10, 2004; "Apparatus and
`Method for Testing Secure Software", U.S. Ser. No. 11/009,
`474, filed Dec. 10, 2004; "Apparatus and Method for Moni(cid:173)
`toring Secure Software", U.S. Ser. No. 11/009,572, filed
`Dec. 10, 2004.
`This invention relates generally to software security.
`More particularly, this invention relates to comprehensive
`techniques for identifYing software security vulnerabilities
`during software development, testing and deployment.
`flaw in the outside-in premise, however, is that vulnerable
`software can be protected at all-somehow made un-vul(cid:173)
`Given this background, a question naturally presents
`itself: Why are network-based computer security solutions
`applied to what is clearly a software problem? One answer
`is that most information security practitioners have network
`security backgrounds and are spread thin resolving opera-
`tional security issues, leaving little time to interact with the
`core software development process. At the same time,
`application developers are rewarded for producing new
`features against tight deadlines, with little room for security
`considerations. Rarely does any one person own responsi(cid:173)
`bility for the security elements of the application itself.
`15 Conventional practice has been that development gets the
`business critical application shipped, and network operation
`teams will secure it. The dichotomy of these roles creates an
`extraordinary advantage for the attacker-they are the only
`ones truly experienced and focused on software security or
`20 more precisely business critical application insecurity.
`Experts in and around software development have
`increasingly acknowledged that something must be done
`about software security. Nevertheless, coherent and practical
`solutions have not been identified. There are a number of
`factors that make solutions difficult to identify. For example,
`software security vulnerabilities are subtle, logical errors
`that can span thousands of lines of code, making accurate
`detection with reasonable performance extremely difficult.
`30 At first glance, the technology challenges make such a
`solution appear more akin to compilers or niche develop(cid:173)
`ment tools. The large software development tools vendors,
`however, have not made security a core part of their offer(cid:173)
`ings. Their customer base is still largely focused on how to
`35 improve creation of features and functionality-and the
`vendors' internal teams caunot easily recognize a changing
`paradigm while they work to improve the feature sets of
`their single-purpose products. This is a classic innovators
`dilemma. In addition, the high volume development tool
`40 providers are not adept at delivering enterprise-like solutions
`that a risk management system requires or sustaining the
`price points needed to support such a solution. Indeed, the
`current state of development tool pricing has generally
`discouraged the security community from building devel-
`45 oper-oriented solutions.
`Apart from the downsides inherent in the development
`tool landscape, software security requires specialized exper(cid:173)
`tise in a constantly changing field. The problem is not just
`about finding technology to scan code, but includes creating
`50 and continually updating rules to detect these vulnerabilities.
`Delivering the rules requires expert knowledge of a con(cid:173)
`stantly growing body of research and real-world architec(cid:173)
`tures, frameworks, use patterns and many other factors that
`cause vulnerabilities in business critical applications. For
`55 example, every release of an operating system or library
`application program interfaces (APis) introduces new ways
`to make mistakes that lead to security vulnerabilities. Ven(cid:173)
`dors must deliver solutions that account for these cross-
`boundary, multi-platform architectures.
`Finally, it is unlikely that software security can be accom-
`plished by a single point solution. Similarly, it is unlikely
`that software security can be addressed solely at the devel(cid:173)
`oper level. Software security is largely a risk management
`problem. Addressing such a problem requires detailed infor-
`65 mation collected over time. It requires an approach that
`keeps software developers as productive as before, yet
`makes security metrics visible to management during devel-
`Businesses are increasingly dependent on information
`technology. Information systems are becoming increasingly
`more complex, higher-powered, inter-connected, and openly
`accessible to partners and customers over vastly distributed
`networks. The business environment has
`shifted from face-to-face interactions to largely anonymous
`electronic transactions. Software development itself is
`becoming more distributed through offshore development
`arrangements and intra-company collaborative computing.
`These trends strain the ability of organizations to secure and
`protect digital data from misuse or unauthorized access.
`Nearly every major business critical application deployed
`today contains vulnerabilities that can be exploited to cause
`considerable harm to the business or the assets it manages.
`These vulnerabilities can be leveraged to steal important
`information, sabotage computer systems or influence pro(cid:173)
`cessing for the profit or malicious intent of the attacker.
`For an experienced hacker or rouge insider, manipulating
`software to this end is made especially easy due to the
`variety of information and tools available on-line. An attack(cid:173)
`er's biggest challenge is simply finding the vulnerabilities in
`the context of a large business application. Compounding
`the problem, mainstream computer security solutions, such
`as firewalls, are based on the premise that exposed and
`vulnerable software can be protected by isolating it from the
`dangers of the outside world. Business requirements dictate
`that few business critical applications can be truly isolated.
`Most have numerous access points via data transfer inter(cid:173)
`faces, remote procedure calls, and internal and remote users.
`Firewalls and other network-oriented security solutions are
`not configured to block the type of access that business
`critical applications require. In fact, today's business func(cid:173)
`tions rely on this access so much that they would fail to
`operate if denied. For example, the stock market would fail 60
`to execute trades without the links from brokers to the
`exchanges, supply chains would break without information
`flowing between suppliers and producers, and telecommu(cid:173)
`nications would cease without the ability to connect cell
`phones to the computers that control the network or the
`billing systems that underlie the business. Attackers make
`use of these facts to compromise systems every day. The true
`PALO ALTO NETWORKS Exhibit 1021 Page 9

`US 7,207,065 B2
`opment, testing and deployment. It requires an enterprise
`software-like solution for managers and organizations.
`In view of the foregoing, it would be highly desirable to
`provide an improved technique for software security.
`The invention includes a computer readable medium with
`executable instructions to analyze program instructions for
`security vulnerabilities. The executable instructions convert
`diverse program instruction formats to a common format. A
`system model is derived from the common format. A static
`analysis is performed on the system model to identify
`security vulnerabilities. Security vulnerabilities are then
`The invention also includes a method of analyzing pro(cid:173)
`gram instructions for security vulnerabilities. Diverse pro(cid:173)
`gram instruction formats are converted to a common format.
`A system model is derived from the common format. A static
`analysis is performed on the system model to identify
`security vulnerabilities. Security vulnerabilities are then
`The invention is more fully appreciated in connection
`with the following detailed description taken in conjunction
`with the accompanying drawings, in which:
`FIG. 1 illustrates an apparatus configured in accordance
`with an embodiment of the invention.
`FIG. 2 illustrates processing operations associated with an
`embodiment of a security development module of the inven(cid:173)
`FIG. 2A illustrates data flow security operations to track
`taint propagation through an exemplary common code for(cid:173)
`mat utilized in accordance with an embodiment of the
`FIG. 3 illustrates processing operations associated with an
`embodiment of a security test module of the invention.
`FIG. 4 illustrates processing operations associated with an
`embodiment of a security monitoring module of the inven(cid:173)
`FIG. 5 illustrates the operation of a security monitoring
`module configured in accordance with an embodiment of the
`FIG. 6 illustrates components of a security monitoring
`module configured in accordance with an embodiment of the
`Like reference numerals refer to corresponding parts
`throughout the several views of the drawings.
`ment, the executable instructions include three major mod(cid:173)
`ules: a security development module 114, a security test
`module 116, and a security monitoring module 118.
`The security development module 114 includes execut(cid:173)
`able instructions to facilitate a static analysis of software in
`order to identify security vulnerabilities inherent to the
`structure of the software. The software includes program
`instructions. As discussed below, the invention is operative
`with diverse program instruction formats. For example, the
`10 program instruction formats may be different source or
`executable code formats, different machine instruction for(cid:173)
`mats, and/or different program configuration file formats.
`The program instructions form various software applica(cid:173)
`tions. A set of software applications define a software
`15 system, which is analyzed in accordance with the invention,
`as discussed below. In one embodiment, the security devel(cid:173)
`opment module 114 is implemented with an interface mod(cid:173)
`ule 120, a common format generator 122, security develop(cid:173)
`ment rules 123, an analysis engine 124, and a report
`20 generator 126.
`The security test module 116 includes executable instruc(cid:173)
`tions to test the operation of software for security vulner(cid:173)
`abilities. Preferably, the security test module 116 relies upon
`information gathered by the security development module
`25 114 to refine its testing protocol. In one embodiment, the
`security test module 116 is implemented with an attack
`manager module 128, an attack database 130, security test
`rules 131, a fault injection module 132, and a test report
`generator 134.
`The security monitoring module 118 includes executable
`instructions to monitor the execution of software in order to
`identify security vulnerabilities. Preferably, the security
`monitoring module 118 relies upon information associated
`with the local execution of a program and the global
`35 execution of related programs to identifY security vulner(cid:173)
`abilities. In one embodiment, the security monitoring mod(cid:173)
`ule 118 is implemented with a sensor insertion module 136,
`security monitoring rules 137, a monitoring analysis module
`138, and a monitoring report generator 140.
`The configuration of the executable programs of FIG. 1 is
`exemplary. It should be appreciated that these modules may
`be combined in any manner and may otherwise be executed
`in any manner, such as across a network. Indeed, in many
`embodiments of the invention, these components are dis(cid:173)
`tributed across a network. Further, the operations performed
`by individual sub-modules may be combined in any number
`of ways.
`Now that the primary processing operations of the inven-
`50 tion have been introduced, attention turns to a more detailed
`discussion of these primary processing operations. As shown
`in FIG. 1, the security development module 114 includes an
`interface module 120. The interface module 120 includes
`executable code to handle interface operations. For example,
`55 the interface module handles interactions with the user via
`command lines, pull-down menus, IDE plug-ins and the
`like. The interface module also interacts with the other
`executable programs of the system, including the security
`test module 116 and the security monitoring module 118.
`FIG. 2 illustrates the primary processing operations asso-
`ciated with the other executable modules of the security
`development module 114. The first processing operation
`shown in FIG. 2 is to convert source or executable code into
`a common format 200. This operation may be implemented
`65 with the common format generator 122. The common format
`generator 122 converts all of the source or executable code
`files for all of the tiers of an application to be analyzed into
`FIG. 1 illustrates an apparatus 100 configured in accor(cid:173)
`dance with an embodiment of the invention. The apparatus
`100 includes a central processing unit 102 connected to a set
`of input and output devices 104 over a bus 106. By way of
`example, the input and output devices may include a key(cid:173)
`board, mouse, computer monitor, printer, and the like. Also 60
`connected to the bus 106 is a network interface 108, which
`uses standard devices to interface with a network 110, which
`may be a local area network, an intranet, the Internet, and the
`A memory 112 is also connected to the bus 106. The
`memory 112 stores a set of executable instructions to
`implement the operations of the invention. In one embodi-
`PALO ALTO NETWORKS Exhibit 1021 Page 10

`US 7,207,065 B2
`and review over massive code bases. In addition, the global
`analysis must often be facilitated without access to the entire
`body of code.
`The present invention addresses these challenges that
`exist in the prior art. The security development module 114
`provides a new form of static analysis that is directed solely
`to software security issues. The security development mod(cid:173)
`ule 114 provides useful information that can be immediately
`utilized to improve software security. In addition, it provides
`10 useful information that is exploited during testing and moni(cid:173)
`toring phases.
`These operations are more fully appreciated in connection
`with an example. The following example illustrates the steps
`carried out by the security development module for a simple
`15 2-tier application. The following example is complete in that
`it provides sufficient input to identifY code vulnerabilities.
`The example is incomplete in the sense that additional
`standard tools, support logic, and configuration files are
`required to actually run the application. These additional
`20 elements are standard in the art and therefore are not subject
`to further discussion.
`The sample application consists of a Java servlet and a
`PLISQL package. The purpose of the application is to
`display an account balance to a user. The application works
`as follows. The Java servlet accepts an HTTP POST request
`that contains a parameter named "acct". This is the type of
`HTTP request typically generated by a web browser when a
`user fills out and submits a form on a web page. The "acct"
`parameter might be set, for example, by the user selecting an
`account name from a drop-down list. The servlet passes the
`value of the "acct" parameter to a database query. The query
`invokes a stored procedure in the database named "ACCT(cid:173)
`.get_balance". The stored procedure uses the parameter
`passed from the servlet in order to construct an SQL query.
`"ACCOUNTS". It returns the value in the "balance" column
`for the row matching the account name that is passed in. The
`stored procedure returns the balance value to the servlet, and
`the servlet in turn returns the balance value to the user.
`A malicious user can exploit vulnerability in the applica(cid:173)
`tion in order to see account balances that they are not
`authorized to see. The vulnerability is simple: the applica(cid:173)
`tion never checks to see whether the user has permission to
`see the balance of the account number that they have
`requested. This type of vulnerability is common in poorly
`written web-based applications. The problem can be viewed
`in terms of data flow: the "acct" value provided by the user
`flows unchecked into the SQL query in the database. This
`class of vulnerabilities is known as "SQL injection" because
`a malicious user can "inject" information of their choosing
`into a SQL query.
`The following is exemplary Java code for an account
`balance application:
`a common format. The example common format disclosed
`herein is called the Normalized Syntax Tree (NST) format.
`An application system model is then derived from the
`common format 202. The common format generator 122
`may perform this operation as well. In particular, the execut(cid:173)
`able code is used to create a uniform model of the applica(cid:173)
`tion from the NST files.
`A data flow analysis is then performed on the system
`model to identifY security vulnerabilities 204. The analysis
`engine 124 may be used to implement this operation. The
`analysis engine 124 identifies possible execution paths
`through the program where user input can reach a dangerous
`function or construct. The analysis engine 124 invokes
`security development rules 123. Typically, the security
`development module 114 is deployed with a set of security
`development rules 123. These rules may be updated on a
`subscription basis from a remote computer connected to
`network 110. In addition to these supplied rules, a user may
`tailor specific security development rules for a particular
`application. The analysis engine 124 is a separate compu(cid:173)
`tational kernel and therefore it can be used with a diverse set
`of standard and customized security development rules 123.
`The security vulnerabilities identified by the analysis
`engine 124 are reported to the user and related modules 206.
`The report generator 126 may be used to implement this 25
`The security development module 114 performs a form of
`semantic analysis across multiple tiers and languages to find
`security vulnerabilities, such as stack buffers, tainted vari(cid:173)
`ables, SQL injection and custom-defined security flaws. The 30
`tiers range from the operating system to the database,
`application server to user interface, in applications that span
`multiple languages, including Java, CIC++, HTML, JSP and
`PLISQL. The invention's analysis of diverse program
`instruction formats and systems that include multiple soft- 35
`ware applications is a significant advance over prior art
`The security development module 114 of the invention
`may be integrated into commercially available integrated
`development environments, thus investigating warnings and 40
`removing security errors becomes a natural part of the
`edit-compile-debug software development process.
`As shown in FIG. 1, the security development module 114
`may be implemented with an analysis engine 124. The
`analysis engine 124 preferably implements a static analysis. 45
`Static analysis is a technique for analyzing software without
`executing the software. Static analysis has historically suf(cid:173)
`fered from high complexity. In particular, static analysis has
`gained a reputation for producing a high volume of suspect
`or hard to interpret results when applied to real world 50
`There are a number of challenges associated with using
`static analysis in software security operations. First, both
`global dataflow and control flow static analysis techniques
`must be used to provide accuracy. Second, the myriad 55
`languages and frameworks create special cases that must be
`handled. Third, security analysis must be extensible to cover
`the large set of application-specific vulnerabilities. Fourth,
`security analysis requires the study of attacks to define the
`semantic representation of particular vulnerability classes
`and the studies must be kept up-to-date since these attacks
`change over time. Finally, any analysis must be constrained
`by realistic commercial product requirements. The two most
`difficult requirements to satisfY in a commercial setting are
`scalability and code access. With respect to scalability, the 65
`analysis must perform with extremely low overhead at the
`developer's desktop, yet perform well in a full-scale audit
`import java.sql. *;
`import javax.servlet.http. *;
`class AccountView extends HttpServlet {
`private Connection connection;
`public void doPost(HttpServletRequest request,
`HttpServletResponse response) {
`String acctNurnber ~ request.getParameter("acct");
`CallableStatement strnt ~ null;
`strnt ~
`connection.prepareCall("begin ACCT.get_balance(?, ?); end;");
`PALO ALTO NETWORKS Exhibit 1021 Page 11

`US 7,207,065 B2
`translate the language into an executable form. Humans do
`not write the NST format, so it does not supply the niceties
`and shortcuts that are usually provided for programmers.
`Because the NST format is created from a number of
`different high-level languages, it targets the lowest common
`denominator between the languages. Of course, it must
`provide enough expressiveness to capture the meaning of all
`of the constructs in all of the languages. Compiler research(cid:173)
`ers have defined well-accepted methods for building pro-
`10 gram models. For example, see chapters 3, 4, and 8 of Aho,
`eta!., Compilers, Principles, Techniques and Tools, Pearson
`Higher Education (1985).
`Translation from a high-level language into the NST
`format is governed by a set of translation rules that are
`15 specific to the high-level language being translated. For
`example, some of the rules controlling the translation from
`Java to NST are:
`NST does not include a construct like Java's import
`statement. Java import statements have no explicit
`representation in the NST.
`Java does not require programmers to fully qualify vari(cid:173)
`able, class, and method names unless a name is poten(cid:173)
`tially ambiguous. NST requires all names to be fully
`qualified so that there is no need to check for ambiguity.
`When a name is translated from Java to NST, it is
`translated into a fully qualified form. Type and method
`resolution in Java is achieved by following the rules
`and instructions set forth in the Java Language Speci(cid:173)
`fication (section 15.12,
`In Java, all objects are referenced through pointers.
`Because there is only one way to reference an object,
`no pointer notation is necessary in Java. Because NST
`is used to represent languages like C and C++ where
`objects may be referenced directly or through pointers,
`all Java object references are translated to include
`explicit pointer reference notation in NST.
`In Java, a member function can operate on its object using
`the keyword "this". NST has no "this" keyword.
`Instead, the object associated with a member function
`is explicitly represented as the first argument to the
`The following text describes the NST syntax using gram(cid:173)
`mar-like constructs. The following conventions are used:
`I I Bind parameter types
`strnt.setString(l, acctNumber); II Bind 1st parameter
`strnt.registerOutParameter(2, Types.INTEGER); II 2nd is result
`I I Execute tbe callable statement
`strnt.execute( );
`int balance~ strnt.getlnt(2); II get result
`response.getWriter( ).write("Account balance: "+ balance);
`} catch(SQLException ex) { II Trap SQL Errors
`response.getWriter( ).write("Error: "+ ex.toString( ));
`} finally {
`if(strnt !~ null) {
`strnt.close( ); II close tbe statement
`} catch(SQLException ex) {
`Relying upon the same example, the following is PLISQL
`code for the Account Balance application:
`FUNCTION get_balance(
`-- Package body TEST
`FUNCTION get_balance(
`show errors;
`As previously indicated, the initial operation performed
`by the security development module is to convert all of the
`source or executable code files for all of the tiers of the 55
`application into a common format, called the Normalized
`Syntax Tree (NST) format.
`This step involves parsing each source or executable code
`file according to the language it is written in and then
`translating the parsed information into the NST format. This
`step closely resembles the first phase carried out by a
`modern high-level language compiler (such as the Gnu C
`compiler, gee) where the compiler creates a high-

