CONFIDENCE-BASED STATIC ANALYSIS
    111.
    Patent application (status: lapsed)

    Publication number: US20120084755A1

    Publication date: 2012-04-05

    Application number: US12895470

    Filing date: 2010-09-30

    IPC class: G06F9/44

    CPC class: G06F11/3604

    Abstract: Systems, methods and program products are provided for confidence-based static analysis, including initiating a static analysis of computer software, associating a confidence value with a first element of the static analysis, determining a current state of the static analysis, calculating an adjusted confidence value in accordance with a confidence adjustment function as applied to the current state and the confidence value associated with the first element, associating the adjusted confidence value with a second element of the static analysis resulting from a transition from the first element, and eliminating the second element from the static analysis if the adjusted confidence value meets elimination criteria.
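
    Worked example of the scheme the abstract describes, added here for illustration; it is not code from the patent, from IBM, or from any product. A taint-tracking worklist carries a confidence value with each analysis element (statement, tainted variable); the confidence adjustment function, the survival weights per operation kind, the threshold and the program itself are assumptions made for the example.

```python
"""Confidence-based taint analysis over a constructed straight-line program.

An analysis element is (statement index, variable): "the value in `variable`
defined at that statement may be attacker-controlled".  Every element carries
a confidence in [0, 1].  On each transition (a later statement that uses the
variable) the confidence is recomputed from the current state and the
predecessor's confidence, and the successor element is eliminated when the
adjusted value falls below THRESHOLD.  Program, weights and the adjustment
rule are assumptions made for this illustration.
"""
from collections import deque

THRESHOLD = 0.25

# Fraction of taint confidence that survives each operation kind (assumed).
SURVIVAL = {"copy": 1.0, "concat": 1.0, "library_call": 0.5,
            "escape_like": 0.2, "sink": 1.0}

# Constructed program: (defined variable, operation kind, used variables).
PROGRAM = [
    ("a", "source", []),              # 0: a = request.param()
    ("b", "copy", ["a"]),             # 1: b = a
    ("c", "library_call", ["b"]),     # 2: c = lib.transform(b)  (unmodelled call)
    ("d", "library_call", ["c"]),     # 3: d = lib.transform(c)
    ("e", "escape_like", ["b"]),      # 4: e = escapeHtml(b)
    ("f", "concat", ["e", "d"]),      # 5: f = e + d
    ("g", "concat", ["b"]),           # 6: g = "SELECT ... " + b
    (None, "sink", ["f"]),            # 7: out.write(f)
    (None, "sink", ["g"]),            # 8: db.execute(g)
]


def adjust(confidence, hops, kind):
    """Confidence adjustment function.  Current state = number of propagation
    hops from the source; each hop decays confidence by 5% and the operation
    kind scales it by its survival factor (assumed rule)."""
    return confidence * SURVIVAL[kind] * (0.95 ** hops)


def analyze(program=PROGRAM, threshold=THRESHOLD):
    """Return (findings, eliminated).  findings maps a sink statement index to
    the best confidence with which tainted data reaches it; eliminated lists
    (statement, variable, confidence) for elements dropped by the criterion."""
    worklist = deque()
    best = {}          # element -> highest confidence already explored
    findings = {}
    eliminated = []
    for i, (var, kind, _uses) in enumerate(program):
        if kind == "source":
            worklist.append((i, var, 1.0, 0))
            best[(i, var)] = 1.0
    while worklist:
        i, var, conf, hops = worklist.popleft()
        # Transitions: every later statement that consumes `var`.
        for j in range(i + 1, len(program)):
            target, kind, uses = program[j]
            if var not in uses:
                continue
            new_conf = adjust(conf, hops, kind)
            if new_conf < threshold:
                # Elimination criterion met: the successor element is dropped
                # and nothing downstream of it is explored.
                eliminated.append((j, target, round(new_conf, 3)))
                continue
            if kind == "sink":
                findings[j] = max(findings.get(j, 0.0), new_conf)
                continue
            if best.get((j, target), 0.0) >= new_conf:
                continue       # already explored with at least this confidence
            best[(j, target)] = new_conf
            worklist.append((j, target, new_conf, hops + 1))
    return findings, eliminated


if __name__ == "__main__":
    found, dropped = analyze()
    for stmt, conf in found.items():
        print(f"sink at statement {stmt}: tainted with confidence {conf:.3f}")
    for stmt, var, conf in dropped:
        print(f"eliminated ({stmt}, {var}) at confidence {conf}")
```

    On this input the SQL sink at statement 8 is reported (the taint reaches it through a direct copy and a concatenation), while the flows through the escape-like call and through two unmodelled library calls are eliminated before they reach statement 7. The practical trade-off is visible here: a lower threshold recovers the library-call path at the cost of more work and more low-confidence reports.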

Enforcement Of Data Privacy To Maintain Obfuscation Of Certain Data
    112.
    Patent application (status: in force)

    Publication number: US20110277037A1

    Publication date: 2011-11-10

    Application number: US12776465

    Filing date: 2010-05-10

    IPC class: G06F21/24

    Abstract: A computer-readable medium is disclosed that tangibly embodies a program of machine-readable instructions executable by a digital processing apparatus to perform operations including determining whether data to be released from a database is associated with one or more confidential mappings between sets of data in the database. The operations also include, in response to the data being associated with the one or more confidential mappings, determining whether release of the data meets one or more predetermined anonymity requirements of an anonymity policy. Methods and apparatus are also disclosed.
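
    Worked example of the two-step release gate the abstract describes, added here for illustration and not taken from the patent. The abstract does not say which anonymity requirement the policy imposes; k-anonymity over the released quasi-identifiers is assumed here as a concrete one. The patient table, the confidential mapping (name to diagnosis) and the column roles are constructed for the example.

```python
"""Release gate for data tied to a confidential mapping (added illustration).

Step 1: is the requested release associated with a confidential mapping
between sets of columns?  Step 2: if so, does the release satisfy the
anonymity policy?  The policy here is k-anonymity over the released
quasi-identifiers (an assumed concrete requirement)."""
from collections import Counter

# Constructed patient table.
ROWS = [
    {"name": "Ann", "zip": "02139", "birth_year": 1980, "sex": "F", "diagnosis": "flu"},
    {"name": "Bob", "zip": "02139", "birth_year": 1980, "sex": "M", "diagnosis": "asthma"},
    {"name": "Cid", "zip": "02139", "birth_year": 1980, "sex": "M", "diagnosis": "flu"},
    {"name": "Dee", "zip": "02139", "birth_year": 1981, "sex": "F", "diagnosis": "diabetes"},
    {"name": "Eve", "zip": "02139", "birth_year": 1981, "sex": "F", "diagnosis": "flu"},
]

# Confidential mapping: the link between the identifying columns and the
# sensitive columns they map to must not be recoverable from a release.
CONFIDENTIAL_MAPPINGS = [({"name"}, {"diagnosis"})]
# Columns that can be joined with outside data to re-identify a person.
QUASI_IDENTIFIERS = {"zip", "birth_year", "sex"}
POLICY = {"k": 2}


def associated_mappings(columns):
    """Mappings a release touches: it includes a mapped-to (sensitive) column
    together with either the identifying side or some quasi-identifier."""
    cols = set(columns)
    return [(ident, sens) for ident, sens in CONFIDENTIAL_MAPPINGS
            if cols & sens and (cols & ident or cols & QUASI_IDENTIFIERS)]


def smallest_equivalence_class(rows, quasi_cols):
    """Size of the smallest group of rows sharing the same quasi-identifier
    values; k-anonymity requires it to be at least k."""
    key_cols = sorted(quasi_cols)
    counts = Counter(tuple(row[c] for c in key_cols) for row in rows)
    return min(counts.values())


def release_allowed(columns, rows=ROWS, policy=POLICY):
    """Return (allowed, reason) for releasing the given columns of `rows`."""
    cols = set(columns)
    for ident_cols, sensitive_cols in associated_mappings(cols):
        if cols & ident_cols:
            return False, (f"direct identifier {sorted(cols & ident_cols)} released "
                           f"together with {sorted(cols & sensitive_cols)}")
        size = smallest_equivalence_class(rows, cols & QUASI_IDENTIFIERS)
        if size < policy["k"]:
            return False, f"k-anonymity violated: class of size {size} < k={policy['k']}"
    return True, "release meets the anonymity policy"


if __name__ == "__main__":
    for request in (["zip", "diagnosis"],
                    ["zip", "birth_year", "sex", "diagnosis"],
                    ["name", "diagnosis"]):
        print(request, "->", release_allowed(request))
```

    Releasing diagnosis with zip alone is allowed (all five rows share the zip), adding birth year still leaves classes of size 3 and 2, but adding sex produces a singleton class and is refused; releasing the name beside the diagnosis is refused outright because it reproduces the confidential mapping itself.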

DETERMINING THE VULNERABILITY OF COMPUTER SOFTWARE APPLICATIONS TO ATTACKS
    113.
    Patent application (status: in force)

    Publication number: US20110162072A1

    Publication date: 2011-06-30

    Application number: US12648445

    Filing date: 2009-12-29

    IPC class: G06F11/00

    Abstract: Determining the vulnerability of computer software applications to attacks by identifying a defense-related variable within a computer software application that is assigned results of a defense operation defending against a predefined type of attack, identifying a control-flow predicate dominating a security-sensitive operation within the application, identifying a data-flow dependent variable in the application that is data-flow dependent on the defense-related variable, determining whether the control-flow predicate uses the data-flow dependent variable to make a branching decision and whether a control-flow path leading to the security-sensitive operation is taken only if the data-flow dependent variable is compared against a value of a predefined type, determining that the security-sensitive operation is safe from the attack if both control-flow conditions are true, and determining that the application is safe from the attack if all security-sensitive operations in the application are determined to be safe from the attack.
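
    Worked example of the two control-flow conditions in the abstract, applied to Python source with the `ast` module; this is an added illustration, not the patent's own analysis. The roles are assumptions: the hypothetical `is_safe_path` is the defense operation, `open` the security-sensitive operation, and bool the predefined type the defense-dependent variable must be compared against. Only structured guards are modelled (the sensitive call sits inside the body of an `if`), so "dominating predicate" reduces to "enclosing `if`"; an early-return guard is reported as unguarded, which a real dominator analysis over a CFG would accept.

```python
"""Guard check from the abstract on Python source (added illustration).

Assumed roles: `is_safe_path` = defense operation, `open` = security-
sensitive operation, bool = predefined comparison type.  Structured guards
only: an early-return guard such as `if not ok: return` is reported unsafe."""
import ast

DEFENSE_FUNCS = {"is_safe_path"}
SENSITIVE_FUNCS = {"open"}
PREDEFINED_TYPE = bool


def call_name(node):
    """Callee name for `f(...)` or `obj.f(...)`, else None."""
    if isinstance(node, ast.Call):
        if isinstance(node.func, ast.Name):
            return node.func.id
        if isinstance(node.func, ast.Attribute):
            return node.func.attr
    return None


def names_in(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def defense_dependent_vars(func):
    """Variables assigned a defense result plus everything data-flow
    dependent on them (transitive closure, flow-insensitive)."""
    deps, changed = set(), True
    while changed:
        changed = False
        for node in ast.walk(func):
            if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                    and isinstance(node.targets[0], ast.Name)):
                continue
            target = node.targets[0].id
            if target not in deps and (call_name(node.value) in DEFENSE_FUNCS
                                       or names_in(node.value) & deps):
                deps.add(target)
                changed = True
    return deps


def qualifying_predicate(test, deps):
    """Defense-dependent variable compared with a constant of the predefined
    type (`ok == True`, `ok is True`); bare `if ok:` counts as `== True`."""
    if isinstance(test, ast.Name):
        return test.id in deps
    if isinstance(test, ast.Compare) and len(test.comparators) == 1:
        left, right = test.left, test.comparators[0]
        return (isinstance(left, ast.Name) and left.id in deps
                and isinstance(right, ast.Constant)
                and type(right.value) is PREDEFINED_TYPE)
    return False


def analyze(src):
    """{function name: True if every sensitive call in it is guarded}."""
    verdicts = {}
    for func in [n for n in ast.parse(src).body if isinstance(n, ast.FunctionDef)]:
        deps = defense_dependent_vars(func)
        safe_flags = []

        def visit(stmts, guards):   # guards: [(predicate, branch taken)]
            for st in stmts:
                if isinstance(st, ast.If):
                    visit(st.body, guards + [(st.test, True)])
                    visit(st.orelse, guards + [(st.test, False)])
                elif hasattr(st, "body"):   # loops, with, try: same guards
                    for part in ("body", "orelse", "finalbody"):
                        visit(getattr(st, part, []), guards)
                    for handler in getattr(st, "handlers", []):
                        visit(handler.body, guards)
                else:
                    for node in ast.walk(st):
                        if call_name(node) in SENSITIVE_FUNCS:
                            # safe only on the taken branch of a qualifying predicate
                            safe_flags.append(any(taken and qualifying_predicate(t, deps)
                                                  for t, taken in guards))

        visit(func.body, [])
        if safe_flags:
            verdicts[func.name] = all(safe_flags)
    return verdicts


def application_safe(src):
    return all(analyze(src).values())   # all sensitive operations must be safe


SAMPLE = '''def read_checked(path):
    verdict = is_safe_path(path)
    ok = verdict and len(path) < 4096
    if ok == True:
        return open(path).read()

def read_wrong_branch(path):
    flag = is_safe_path(path)
    if flag is True:
        return None
    else:
        return open(path).read()

def read_negated(path):
    ok = is_safe_path(path)
    if not ok:
        return None
    return open(path).read()
'''
```

    `read_checked` passes because `ok` is data-flow dependent on the defense result and the guarded branch compares it with a bool constant. `read_wrong_branch` fails because the sensitive call sits on the branch taken when the comparison is false. `read_negated` is flagged only because this toy has no dominator analysis; that is the case to keep in mind when reading the abstract's "predicate dominating" wording.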

Detecting Security Vulnerabilities Relating to Cryptographically-Sensitive Information Carriers when Testing Computer Software
    114.
    Patent application (status: in force)

    Publication number: US20110072517A1

    Publication date: 2011-03-24

    Application number: US12564288

    Filing date: 2009-09-22

    Applicant: Omer Tripp

    Inventor: Omer Tripp

    IPC class: G06F11/36

    CPC class: G06F11/3636

    Abstract: A system for detecting security vulnerabilities in computer software, including a cryptographic API identifier configured to identify a cryptographic API among the instructions of a computer software application, a path-to-source tracer configured to trace an information flow path among the instructions between the cryptographic API and a source that directly or indirectly provides data that are input to the cryptographic API, where a cryptographically-sensitive information carrier lies along the information flow path, a path-to-sink tracer configured to trace an information flow path among the instructions from the cryptographically-sensitive information carrier to a sink, and a security vulnerability identifier configured to provide a notification that the information flow path between the cryptographically-sensitive information carrier and the sink represents a security vulnerability if the information flow path between the cryptographically-sensitive information carrier and the sink does not pass through a cryptographic API.
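
    Worked example of the three components in the abstract (path-to-source tracer, path-to-sink tracer, vulnerability identifier) over an information-flow graph; added here as illustration, not the patent's implementation. The program is abstracted to a constructed graph whose nodes are program points; the node names, their roles as source, cryptographic API or sink, and the edges are assumptions for the example.

```python
"""Cryptographically-sensitive information carriers (added illustration).

A carrier is a node on a flow path from a source into a cryptographic API.
Any flow from a carrier to a sink that does not pass through a cryptographic
API is reported.  Graph, roles and edges are constructed for the example."""
from collections import deque

EDGES = {   # data flows from key -> each listed node
    "read_password()": ["pw"],
    "pw": ["hash(pw)", "log.debug(pw)"],
    "hash(pw)": ["digest"],
    "digest": ["db.store(digest)"],
    "config.get('token')": ["tok"],
    "os.urandom()": ["nonce"],
    "tok": ["encrypt(tok, nonce)", "resp.write(tok)"],
    "nonce": ["encrypt(tok, nonce)"],
    "encrypt(tok, nonce)": ["ct"],
    "ct": ["resp.write(ct)"],
}
SOURCES = {"read_password()", "config.get('token')", "os.urandom()"}
CRYPTO_APIS = {"hash(pw)", "encrypt(tok, nonce)"}
SINKS = {"log.debug(pw)", "db.store(digest)", "resp.write(tok)", "resp.write(ct)"}


def reverse(graph):
    rev = {n: [] for n in graph}
    for u, vs in graph.items():
        for v in vs:
            rev.setdefault(v, []).append(u)
    return rev


def reachable(graph, start, stop_at=frozenset()):
    """Nodes reachable from `start` (excluded).  Nodes in `stop_at` are
    reached but not expanded, so no path continues through them."""
    seen, queue = set(), deque([start])
    while queue:
        u = queue.popleft()
        for v in graph.get(u, []):
            if v in seen:
                continue
            seen.add(v)
            if v not in stop_at:
                queue.append(v)
    return seen


def find_carriers(graph, sources, crypto_apis):
    """Path-to-source tracer: nodes between a source and a cryptographic API."""
    rev = reverse(graph)
    from_sources = set().union(*(reachable(graph, s) for s in sources))
    carriers = set()
    for api in crypto_apis:
        carriers |= reachable(rev, api) & from_sources
    return carriers - sources - crypto_apis


def find_vulnerabilities(graph, sources, crypto_apis, sinks):
    """Path-to-sink tracer + identifier: carrier reaches a sink without
    passing through any cryptographic API."""
    vulns = []
    for carrier in sorted(find_carriers(graph, sources, crypto_apis)):
        for node in reachable(graph, carrier, stop_at=crypto_apis):
            if node in sinks:
                vulns.append((carrier, node))
    return sorted(vulns)


if __name__ == "__main__":
    for carrier, sink in find_vulnerabilities(EDGES, SOURCES, CRYPTO_APIS, SINKS):
        print(f"{carrier!r} reaches {sink!r} without passing through a cryptographic API")
```

    The plaintext password `pw` and the token `tok` are carriers because they feed `hash` and `encrypt`; the log call and the raw response write are reported, whereas the digest and ciphertext flows are not, since every path to those sinks goes through a cryptographic API. The nonce is also a carrier but has no unprotected path to a sink.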

Efficient Code Instrumentation
    115.
    Patent application (status: lapsed)

    Publication number: US20100306745A1

    Publication date: 2010-12-02

    Application number: US12475739

    Filing date: 2009-06-01

    IPC class: G06F11/36 G06F9/44

    CPC class: G06F11/3624 G06F11/3636

    Abstract: A method for instrumenting a computer program, the method including identifying a program slice within a computer program, and instrumenting the program slice within the program.
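
    Worked example of slice-then-instrument, added here as illustration and not the patent's method. A constructed straight-line program is given as (defined variable, used variables, source text); the backward slice for a slicing criterion (statement index, variable) is computed from def/use information, and only the statements in the slice receive a tracing probe. The probe name `__trace` and the program are assumptions; loops and branches are out of scope for this toy, where a reaching definition is simply the latest earlier definition.

```python
"""Backward slicing followed by instrumenting only the slice (added illustration).

Straight-line program only: reaching definitions are "latest earlier
definition".  Program text and probe name are constructed for the example."""

PROGRAM = [   # (defined variable, used variables, source text)
    ("n", [], "n = read_int()"),              # 0
    ("i", [], "i = 0"),                       # 1
    ("s", [], "s = 0"),                       # 2
    ("t", ["n"], "t = n * 2"),                # 3
    ("s", ["s", "t"], "s = s + t"),           # 4
    ("i", ["i"], "i = i + 1"),                # 5
    ("msg", ["i"], "msg = 'done ' + str(i)"), # 6
    (None, ["s"], "print(s)"),                # 7  criterion: value of s here
    (None, ["msg"], "print(msg)"),            # 8
]


def reaching_definition(program, index, var):
    """Latest statement before `index` that defines `var`, or None."""
    for j in range(index - 1, -1, -1):
        if program[j][0] == var:
            return j
    return None


def backward_slice(program, criterion):
    """Indices of statements that can influence `var` at `index`
    (the criterion statement itself included)."""
    index, var = criterion
    result = {index}
    worklist = [(index, var)]
    while worklist:
        at, v = worklist.pop()
        d = reaching_definition(program, at, v)
        if d is None or d in result:
            continue
        result.add(d)
        worklist.extend((d, u) for u in program[d][1])   # follow data dependences
    return result


def instrument(program, slice_indices, probe="__trace"):
    """Emit the program with a probe after each sliced statement only."""
    out = []
    for i, (defined, uses, text) in enumerate(program):
        out.append(text)
        if i in slice_indices:
            watched = defined if defined is not None else ", ".join(uses)
            out.append(f"{probe}({i}, {watched!r}, {watched})")
    return out


if __name__ == "__main__":
    sliced = backward_slice(PROGRAM, (7, "s"))
    print("\n".join(instrument(PROGRAM, sliced)))
```

    For the criterion "value of `s` at `print(s)`" the slice is statements 0, 2, 3, 4 and 7; the loop counter and the message text are untouched, so the instrumented program carries five probes instead of nine. Under a different criterion, such as `msg` at statement 8, a disjoint slice (1, 5, 6, 8) is instrumented instead.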

Detecting stored cross-site scripting vulnerabilities in web applications
    117.
    Granted patent (status: in force)

    Publication number: US09471787B2

    Publication date: 2016-10-18

    Application number: US13217418

    Filing date: 2011-08-25

    IPC class: G06F21/57 H04L29/06

    Abstract: A system for detecting security vulnerabilities in web applications, the system including a black-box tester configured to provide a payload to a web application during a first interaction with the web application at a computer server, where the payload includes a payload instruction and an identifier, and an execution engine configured to detect the identifier within the payload received during an interaction with the web application subsequent to the first interaction, and determine, responsive to detecting the identifier within the payload, whether the payload instruction underwent a security check prior to execution of the payload instruction.
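
    Worked example of the tester/engine split in the abstract, added here for illustration and not the patent's or any product's code. The black-box tester stores a payload carrying a unique identifier (first interaction); the server-side execution engine, which has been told the identifiers, wraps the application's security check (HTML escaping) so it records which identifiers passed through it during a request, then inspects every response for identifiers that reappear without having been checked. The toy application and its routes, the identifier format (`xss` plus random hex) and the choice of `html.escape` as the security check are assumptions.

```python
"""Stored-XSS detection with an identifier-tagged payload (added illustration).

App, routes, identifier format and sanitizer are constructed for the example."""
import html
import secrets


class ExecutionEngine:
    """Server-side hook: knows the tester's identifiers, records which of them
    went through a security check in the current request, inspects responses."""

    def __init__(self):
        self.identifiers = set()
        self.checked = set()     # identifiers seen by the security check this request
        self.findings = []       # (path, identifier) pairs

    def register(self, ident):
        self.identifiers.add(ident)

    def begin_request(self):
        self.checked.clear()

    def security_check(self, value):
        """Instrumented sanitizer: note which test identifiers it processed."""
        for ident in self.identifiers:
            if ident in value:
                self.checked.add(ident)
        return html.escape(value)

    def end_request(self, path, response):
        """Identifier present in the output but never checked -> stored XSS."""
        for ident in sorted(self.identifiers):
            if ident in response and ident not in self.checked:
                self.findings.append((path, ident))
        return response


class CommentApp:
    """Minimal app: one route escapes stored comments, the admin route does not."""

    def __init__(self, engine):
        self.engine = engine
        self.comments = []

    def handle(self, method, path, body=None):
        self.engine.begin_request()
        if method == "POST" and path == "/comment":
            self.comments.append(body)
            resp = "stored"
        elif path == "/comments":
            items = "".join(f"<li>{self.engine.security_check(c)}</li>"
                            for c in self.comments)
            resp = f"<ul>{items}</ul>"
        elif path == "/admin/raw":
            # Missing security check before the stored data reaches the page.
            resp = "<pre>" + "\n".join(self.comments) + "</pre>"
        else:
            resp = "not found"
        return self.engine.end_request(path, resp)


def run_black_box_test(app, engine):
    """Tester side: one write, then reads that may reproduce the payload."""
    ident = "xss" + secrets.token_hex(4)
    engine.register(ident)
    payload = f"<script>/*{ident}*/alert(1)</script>"    # instruction + identifier
    app.handle("POST", "/comment", payload)              # first interaction
    for path in ("/comments", "/admin/raw", "/missing"):  # subsequent interactions
        app.handle("GET", path)
    return engine.findings


if __name__ == "__main__":
    eng = ExecutionEngine()
    print(run_black_box_test(CommentApp(eng), eng))
```

    The identifier is alphanumeric on purpose: it survives HTML escaping, so the engine can recognise the payload in `/comments` output and still conclude it was checked, while the same identifier in `/admin/raw` output with no check recorded is the stored XSS finding. Matching on the identifier rather than on `<script>` is what lets the engine decide "checked or not" without having to reason about the encoding the application applied.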

Anomaly detection at the level of run time data structures
    120.
    Granted patent (status: in force)

    Publication number: US09009535B2

    Publication date: 2015-04-14

    Application number: US13587335

    Filing date: 2012-08-16

    IPC class: G06F11/00 G06F11/07

    CPC class: G06F11/0751

    Abstract: A useful embodiment of the invention is directed to a method associated with a computer program comprising one or more basic blocks, wherein the program defines and uses multiple data structures, such as the list of all customers of a bank along with their account information. The method includes identifying one or more invariants, wherein each invariant is associated with one of the data structures. The method further includes determining at specified times whether an invariant has been violated. Responsive to detecting a violation of one of the invariants, the detected violation is flagged as an anomaly.
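
    Worked example of data-structure invariants checked at specified points and flagged as anomalies, added here as illustration and not the patent's implementation. It uses the abstract's own bank example: the invariants (money conservation against a ledger total, non-negative balances, consistent account keys), the checkpoints (after each step of a transfer) and the deliberately buggy transfer are assumptions for the example.

```python
"""Run-time invariant checking on program data structures (added illustration).

Invariants are predicates over the data structures the program keeps; they are
evaluated at chosen points and any violation is flagged as an anomaly.  The
bank, its invariants and the buggy transfer are constructed for the example."""
from dataclasses import dataclass


@dataclass
class Account:
    id: str
    balance: int


class Bank:
    def __init__(self, accounts):
        self.accounts = {a.id: a for a in accounts}
        self.ledger_total = sum(a.balance for a in accounts)
        self.anomalies = []   # (checkpoint, invariant name)
        # Each invariant is a predicate over the bank's data structures.
        self.invariants = {
            "conservation": lambda b: sum(a.balance for a in b.accounts.values())
                                      == b.ledger_total,
            "non_negative": lambda b: all(a.balance >= 0 for a in b.accounts.values()),
            "ids_consistent": lambda b: all(k == a.id for k, a in b.accounts.items()),
        }

    def check(self, checkpoint):
        """Evaluate every invariant; each violation is recorded as an anomaly."""
        violated = [name for name, pred in self.invariants.items() if not pred(self)]
        self.anomalies.extend((checkpoint, name) for name in violated)
        return not violated

    def transfer(self, src, dst, amount):
        # Bug: the credit is applied before the funds check, so a rejected
        # transfer still creates money.  The checkpoint inside the rejection
        # path is where the conservation invariant catches it.
        self.accounts[dst].balance += amount
        if self.accounts[src].balance < amount:
            self.check("transfer rejected")
            return False
        self.accounts[src].balance -= amount
        self.check("transfer completed")
        return True


if __name__ == "__main__":
    bank = Bank([Account("A", 100), Account("B", 50)])
    bank.transfer("A", "B", 30)     # fine: every invariant holds afterwards
    bank.transfer("A", "B", 500)    # rejected, but B was already credited
    print(bank.anomalies)
```

    The first transfer leaves every invariant intact; the second is rejected for insufficient funds, yet the destination was already credited, so the conservation invariant fails at the "transfer rejected" checkpoint and that state is flagged. Nothing in the transfer's own control flow reported an error, which is the point of checking the data structures rather than the return values.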