Abstract: In the context of software security, reachability analysis provides a mechanism to assess the ease of exploitability of a particular vulnerability or whether a vulnerability is exploitable at all. The present techniques provide a mechanism to compute reachability for one or more binary executables within the context of an execution environment. These reachability analyses can be used to determine whether the executables or components therein present any potential vulnerabilities which, in turn, can cause a computing system executing such binary executable to exhibit undesired behavior. The analyses include determining reachability metrics for each of a plurality of program locations. These metrics are used to determine an environment-aware reachability metric reflecting the runtime properties of a computing environment specified by artefacts associated with the software.

Abstract: Features are extracted and/or derived from a software package (e.g., a binary executable, etc.) which are input into a machine learning model to determine an estimated peak memory usage required to analyze the software package. A number of memory resource units required for the determined peak memory usage is then determined. If the number of available memory resource units is less than the determined number of required memory resource units, then the software package can be queue in a backoff queue. The determined number of required memory units to analyze the software package can be allocated when a number of available memory resource units equals or exceeds the determined number of required memory resource units (whether or not the software package has been queued). The software package can then be analyzed using the allocated memory units. Information characterizing this analysis can be provided to a consuming application or process.

Abstract: A software package is received so that functions within the software package that implement or use cryptographic primitives can be identified. Further, a set of calls with each of the identified functions are determined. A call site analysis is performed based on the set of calls to determine cryptographic algorithm parameters. Thereafter, based on the set of calls and the call site analysis, a cryptography bill of materials (CBOM) detailing cryptographic primitives within the software package is generated. This CBOM can be provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: A software package is received so that functions within the software package that implement or use cryptographic primitives can be identified. Further, a set of calls with each of the identified functions are determined. A call site analysis is performed based on the set of calls to determine cryptographic algorithm parameters. Thereafter, based on the set of calls and the call site analysis, a cryptography bill of materials (CBOM) detailing cryptographic primitives within the software package is generated. This CBOM can be provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: A code analyzer implements machine learning to detect vulnerabilities in computer code. The code analyzer trains a machine learning model using training vectors that characterize vulnerable programming patterns. The code analyzer evaluates a topological representation of the computer code using the machine learning model to identify a potential vulnerability. The potential vulnerability corresponds to a portion of the computer code where an attack can be used to bypass a security procedure. The code analyzer tests the potential vulnerability by emulating a fault injection during execution of the portion of the computer code. Upon confirming that the potential vulnerability can be exploited via a fault injection, the code analyzer generates a training vector that characterizes a vulnerable programming pattern associated with the portion of the computer code. The training vector can be used to further train the machine learning model.