Dynamic, non-invasive taint tracking using auto-generated datatypes

    Publication No.: US10783243B2

    Publication Date: 2020-09-22

    Application No.: US15862347

    Filing Date: 2018-01-04

    Applicant: SAP SE

    Abstract: Systems and methods are provided herein for dynamic, non-invasive taint tracking using auto-generated datatypes. A proxy entry point component of a taint-aware environment continuously monitors for a request to initiate an application. The application has an associated runtime environment and profile parameters specific to the application. Upon identifying the request, a core component of the taint-aware environment generates a set of augmented classes based on the profile parameters. The set of augmented classes contains taint-tracking functionality. The proxy entry point component modifies an initiation pathway of the application to force the runtime environment to retrieve the set of augmented classes prior to execution of the application. The runtime environment continuously monitors for tainted data or tainted code passed through or contained within the application based on the taint-tracking functionality of the set of augmented classes.

    Management of taint information attached to strings

    Publication No.: US11275840B2

    Publication Date: 2022-03-15

    Application No.: US16524891

    Filing Date: 2019-07-29

    Applicant: SAP SE

    Inventor: Florian Loch

    Abstract: Disclosed herein are system, method, and computer program product embodiments for propagating taint information for strings using metadata. Taint information for a string is encoded using taint ranges. When an operation is performed on the string, the operation and any additional taint information corresponding to the operation is encoded into a delta layer of the metadata. Rather than immediately obtaining taint information for a result string when the operation is performed on the string, the delta layer stores the taint information for the operation, and any subsequent operation, until it is needed. Once the taint information is needed, then the delta layers are collapsed into base layer taint information in order to resolve taint information for a result string.

    CONTENT-DRIVEN DEBUGGING BY TAINT TRACKING ALONG DATA FLOWS

    Publication No.: US20210192052A1

    Publication Date: 2021-06-24

    Application No.: US16722564

    Filing Date: 2019-12-20

    Applicant: SAP SE

    Abstract: Disclosed herein are system, method, and computer program product embodiments for conducting taint analysis on inputted data from a user to a process, where based on pre-defined rules, input data may be marked as tainted. In a passive mode, logging or deletion actions may be taken on the tainted data. In an active mode, the process may be interrupted and a user prompt may be displayed each time a taint point is reached.

    Automatic script code coverage measurements for software scripts

    Publication No.: US10560539B1

    Publication Date: 2020-02-11

    Application No.: US16136628

    Filing Date: 2018-09-20

    Applicant: SAP SE

    Abstract: In an example embodiment, a proxy server receives a request from a web browser operated on a client device, the request including a call for computer code written in a scripting language. The request is forwarded to a web server to obtain the computer code written in the scripting language. The computer code written in the scripting language is automatically instrumented by adding instrumentation code to the computer code written in the scripting language, the instrumentation code configured to, when executed, measure one or more metrics and report the resultant measurements. Then the instrumented computer code written in the scripting language is sent to the web browser for execution.

    Dynamic, Non-Invasive Taint Tracking Using Auto-Generated Datatypes

    Publication No.: US20190205532A1

    Publication Date: 2019-07-04

    Application No.: US15862347

    Filing Date: 2018-01-04

    Applicant: SAP SE

    Abstract: Systems and methods are provided herein for dynamic, non-invasive taint tracking using auto-generated datatypes. A proxy entry point component of a taint-aware environment continuously monitors for a request to initiate an application. The application has an associated runtime environment and profile parameters specific to the application. Upon identifying the request, a core component of the taint-aware environment generates a set of augmented classes based on the profile parameters. The set of augmented classes contains taint-tracking functionality. The proxy entry point component modifies an initiation pathway of the application to force the runtime environment to retrieve the set of augmented classes prior to execution of the application. The runtime environment continuously monitors for tainted data or tainted code passed through or contained within the application based on the taint-tracking functionality of the set of augmented classes.
