公开(公告)号：US20120192161A1

公开(公告)日：2012-07-26

申请号：US13012804

申请日：2011-01-25

申请人： Marco PISTOIA ,  Omer Tripp ,  Omri Weisman

发明人： Marco PISTOIA ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44

CPC分类号： G06F8/75 ,  G06F11/3604

摘要： A method for distributed static analysis of computer software applications, includes: statically analyzing instructions of a computer software application; identifying at least one entry point in the computer software application; assigning a primary agent to statically analyze the computer software application from the entry point; assigning a secondary agent to statically analyze a call site encountered by the primary agent and produce a static analysis summary of the call site; and presenting results of any of the static analyses via a computer-controlled output device.

摘要翻译： 一种计算机软件应用分布式静态分析方法，包括：静态分析计算机软件应用指令; 识别计算机软件应用程序中的至少一个入口点; 分配主代理从入口点静态分析计算机软件应用程序; 分配二级代理以静态分析主代理遇到的呼叫站点并产生呼叫站点的静态分析摘要; 并通过计算机控制的输出设备呈现任何静态分析的结果。

公开(公告)号：US20120023486A1

公开(公告)日：2012-01-26

申请号：US12843308

申请日：2010-07-26

申请人： Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Adi Sharabani ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

发明人： Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Adi Sharabani ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44

CPC分类号： G06F21/577 ,  H04L63/105

摘要： A method includes determining grammar for output of an information-flow downgrader in a software program. The software program directs the output of the information-flow downgrader to a sink. The method includes determining whether the grammar of the output conforms to one or more predetermined specifications of the sink. The method includes, in response to a determination the grammar of the output conforms to the one or more predetermined specifications of the sink, determining the information-flow downgrader is verified for the sink, wherein determining grammar, determining whether the grammar, and determining the information-flow downgrader are performed via static analysis of the software program. Apparatus and computer program products are also disclosed. An apparatus includes a user interface providing a result of whether or not output of an information-flow downgrader in the software program conforms to one or more predetermined specifications of a sink in the software program.

摘要翻译： 一种方法包括在软件程序中确定信息流降级器的输出的语法。 软件程序将信息流降级器的输出引导到宿。 该方法包括确定输出的语法是否符合汇的一个或多个预定规范。 该方法包括响应于确定，输出的语法符合信宿的一个或多个预定规范，确定信宿流降级器对于汇点进行验证，其中确定语法，确定语法，并确定 信息流降级器通过软件程序的静态分析来执行。 还公开了装置和计算机程序产品。 一种装置，包括提供软件程序中的信息流下载器的输出是否符合软件程序中的接收器的一个或多个预定规格的结果的用户界面。

公开(公告)号：US09720798B2

公开(公告)日：2017-08-01

申请号：US13493067

申请日：2012-06-11

申请人： Stephen Fink ,  Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Manu Sridharan ,  Frank Tip ,  Omer Tripp ,  Omri Weisman

发明人： Stephen Fink ,  Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Manu Sridharan ,  Frank Tip ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44 ,  G06F9/45 ,  G06F11/36 ,  G06F9/445 ,  G06F9/455 ,  G06F21/57

CPC分类号： G06F11/3604 ,  G06F9/44589 ,  G06F9/455 ,  G06F11/36 ,  G06F11/362 ,  G06F21/577 ,  G06F2221/033

摘要： Systems, methods are program products for simulating black box test results using information obtained from white box testing, including analyzing computer software (e.g., an application) to identify a potential vulnerability within the computer software application and a plurality of milestones associated with the potential vulnerability, where each of the milestones indicates a location within the computer software application, tracing a path from a first one of the milestones to an entry point into the computer software application, identifying an input to the entry point that would result in a control flow from the entry point and through each of the milestones, describing the potential vulnerability in a description indicating the entry point and the input, and presenting the description via a computer-controlled output medium.

公开(公告)号：US20100284527A1

公开(公告)日：2010-11-11

申请号：US12437894

申请日：2009-05-08

申请人： Stephen Fink ,  Yinnon Avraham Haviv ,  Marco Pistoia ,  Omer Tripp ,  Omri Weisman

发明人： Stephen Fink ,  Yinnon Avraham Haviv ,  Marco Pistoia ,  Omer Tripp ,  Omri Weisman

IPC分类号： H04M15/00 ,  G06T11/20

CPC分类号： G06F11/3604 ,  G06T11/206 ,  H04M15/00 ,  H04M15/58 ,  H04M15/83 ,  H04M15/85 ,  H04M15/851 ,  H04M2215/0188 ,  H04M2215/815 ,  H04M2215/82

摘要： A system and method for importance-based call graph construction, including a) analyzing a computer software application to identify a plurality of calls within the computer software application, b) assigning an importance value to any of the calls in accordance with a predefined importance rule, c) selecting any of the calls for inclusion in a call graph in accordance with a predefined inclusion rule, d) representing the call in the call graph, e) adjusting the importance value of any call represented in the call graph in accordance with a predefined importance adjustment rule, and f) iteratively performing any of steps a)-e) until a predefined termination condition is met.

摘要翻译： 一种用于基于重要性的呼叫图构造的系统和方法，包括：a）分析计算机软件应用程序以识别所述计算机软件应用程序内的多个呼叫，b）根据预定义的重要性规则向任何呼叫分配重要性值 c）根据预定义的包含规则选择任何呼叫包括在呼叫图中，d）表示呼叫图中的呼叫，e）根据呼叫图表调用在呼叫图表中表示的任何呼叫的重要性值， 预定义的重要性调整规则，以及f）迭代地执行步骤a）-e）中的任何一个，直到满足预定的终止条件。

公开(公告)号：US20120254839A1

公开(公告)日：2012-10-04

申请号：US13493067

申请日：2012-06-11

申请人： Stephen Fink ,  Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Manu Sridharan ,  Frank Tip ,  Omer Tripp ,  Omri Weisman

发明人： Stephen Fink ,  Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Manu Sridharan ,  Frank Tip ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44

CPC分类号： G06F11/3604 ,  G06F9/44589 ,  G06F9/455 ,  G06F11/36 ,  G06F11/362 ,  G06F21/577 ,  G06F2221/033

摘要： Systems, methods are program products for simulating black box test results using information obtained from white box testing, including analyzing computer software (e.g., an application) to identify a potential vulnerability within the computer software application and a plurality of milestones associated with the potential vulnerability, where each of the milestones indicates a location within the computer software application, tracing a path from a first one of the milestones to an entry point into the computer software application, identifying an input to the entry point that would result in a control flow from the entry point and through each of the milestones, describing the potential vulnerability in a description indicating the entry point and the input, and presenting the description via a computer-controlled output medium.

摘要翻译： 系统，方法是使用从白盒测试获得的信息来模拟黑盒测试结果的程序产品，包括分析计算机软件（例如应用程序）以识别计算机软件应用程序中的潜在漏洞以及与潜在漏洞相关联的多个里程碑 ，其中每个里程碑指示计算机软件应用程序内的位置，跟踪从第一个里程碑到入口点的路径到计算机软件应用程序中，识别入口点的输入将导致控制流从 描述在描述入口点和输入的描述中的潜在漏洞，以及经由计算机控制的输出介质呈现描述的入口点和通过每个里程碑。

公开(公告)号：US20090300266A1

公开(公告)日：2009-12-03

申请号：US12129894

申请日：2008-05-30

申请人： Marco Pistoia ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

发明人： Marco Pistoia ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F12/00

CPC分类号： G06F8/433

摘要： A system for identifying read/write chains in computer software, including a static analysis engine identifying within computer software logical container accesses, a string analyzer configured to at least partly resolve any variables identifying the logical container in any of the accesses by determining a set of potential values of any of the variables, and a Logical Container Access Virtualization component (LCAV) configured to identify the type and scope of any permutations of the accesses, where each of the permutations is defined by substituting any of the potential values for any of the access variables, and identify any read/write chains within the computer software by matching any of the access permutations that read from the logical container with any of the access permutations that write to the logical container if there is an intersection between the scopes of the read and write access permutations.

摘要翻译： 一种用于识别计算机软件中的读/写链的系统，包括在计算机软件逻辑容器访问内识别的静态分析引擎，串行分析器，其被配置为至少部分地解析任何访问中识别逻辑容器的任何变量， 任何变量的潜在值和逻辑容器访问虚拟化组件（LCAV），其被配置为识别访问的任何排列的类型和范围，其中每个排列通过将任何潜在值替换为任何 访问变量，并通过将从逻辑容器读取的任何访问排列与写入逻辑容器的任何访问排列进行匹配，以识别计算机软件中的任何读/写链，如果读取范围之间存在交集 并写入访问排列。

公开(公告)号：US09747187B2

公开(公告)日：2017-08-29

申请号：US12913314

申请日：2010-10-27

申请人： Stephen Fink ,  Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Manu Sridharan ,  Frank Tip ,  Omer Tripp ,  Omri Weisman

发明人： Stephen Fink ,  Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Manu Sridharan ,  Frank Tip ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F11/36 ,  G06F9/445 ,  G06F9/455 ,  G06F21/57

CPC分类号： G06F11/3604 ,  G06F9/44589 ,  G06F9/455 ,  G06F11/36 ,  G06F11/362 ,  G06F21/577 ,  G06F2221/033

摘要： Systems, methods are program products for simulating black box test results using information obtained from white box testing, including analyzing computer software (e.g., an application) to identify a potential vulnerability within the computer software application and a plurality of milestones associated with the potential vulnerability, where each of the milestones indicates a location within the computer software application, tracing a path from a first one of the milestones to an entry point into the computer software application, identifying an input to the entry point that would result in a control flow from the entry point and through each of the milestones, describing the potential vulnerability in a description indicating the entry point and the input, and presenting the description via a computer-controlled output medium.

公开(公告)号：US08856764B2

公开(公告)日：2014-10-07

申请号：US13012804

申请日：2011-01-25

申请人： Marco Pistoia ,  Omer Tripp ,  Omri Weisman

发明人： Marco Pistoia ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/45 ,  G06F9/44 ,  G06F11/36

CPC分类号： G06F8/75 ,  G06F11/3604

摘要： A method for distributed static analysis of computer software applications, includes: statically analyzing instructions of a computer software application; identifying at least one entry point in the computer software application; assigning a primary agent to statically analyze the computer software application from the entry point; assigning a secondary agent to statically analyze a call site encountered by the primary agent and produce a static analysis summary of the call site; and presenting results of any of the static analyses via a computer-controlled output device.

摘要翻译： 一种计算机软件应用分布式静态分析方法，包括：静态分析计算机软件应用指令; 识别计算机软件应用程序中的至少一个入口点; 分配主代理从入口点静态分析计算机软件应用程序; 分配二级代理以静态分析主代理遇到的呼叫站点并产生呼叫站点的静态分析摘要; 并通过计算机控制的输出设备呈现任何静态分析的结果。

公开(公告)号：US08850405B2

公开(公告)日：2014-09-30

申请号：US13033024

申请日：2011-02-23

申请人： Stephen Fink ,  Yinnon A. Haviv ,  Marco Pistoia ,  Omer Tripp ,  Omri Weisman

发明人： Stephen Fink ,  Yinnon A. Haviv ,  Marco Pistoia ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44

CPC分类号： G06F8/75 ,  G06F8/77

摘要： A method is disclosed that includes, using a static analysis, analyzing a software program to determine a number of paths from sources accepting information to sinks using that information or a modified version of that information and to determine multiple paths from the number of paths. The determined multiple paths have a same transition from an application portion of the software program to a library portion of the software program and require a same downgrading action to address a vulnerability associated with source-sink pairs in the multiple paths. The analyzing includes determining the multiple paths using a path-sensitive analysis. The method includes, for the determined multiple paths, grouping the determined multiple paths into a single representative indication of the determined multiple paths. The method includes outputting the single representative indication. Computer program products and apparatus are also disclosed.

摘要翻译： 公开了一种方法，其包括使用静态分析来分析软件程序以使用该信息或该信息的修改版本从接收信息的信源到汇点确定多个路径，并且从路径数确定多条路径。 所确定的多个路径具有从软件程序的应用部分到软件程序的库部分的相同转换，并且需要相同的降级动作来解决与多个路径中的源 - 汇对相关联的漏洞。 分析包括使用路径敏感分析来确定多个路径。 该方法包括对于所确定的多个路径，将所确定的多个路径分组成所确定的多个路径的单个代表性指示。 该方法包括输出单个代表性指示。 还公开了计算机程序产品和装置。

公开(公告)号：US08635602B2

公开(公告)日：2014-01-21

申请号：US12843308

申请日：2010-07-26

申请人： Yinnon Avraham Haviv ,  Roee Hay ,  Marco Pistoia ,  Adi Sharabani ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

发明人： Yinnon Avraham Haviv ,  Roee Hay ,  Marco Pistoia ,  Adi Sharabani ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44

CPC分类号： G06F21/577 ,  H04L63/105

摘要： A method includes determining grammar for output of an information-flow downgrader in a software program. The software program directs the output of the information-flow downgrader to a sink. The method includes determining whether the grammar of the output conforms to one or more predetermined specifications of the sink. The method includes, in response to a determination the grammar of the output conforms to the one or more predetermined specifications of the sink, determining the information-flow downgrader is verified for the sink, wherein determining grammar, determining whether the grammar, and determining the information-flow downgrader are performed via static analysis of the software program. Apparatus and computer program products are also disclosed. An apparatus includes a user interface providing a result of whether or not output of an information-flow downgrader in the software program conforms to one or more predetermined specifications of a sink in the software program.

摘要翻译： 一种方法包括在软件程序中确定信息流降级器的输出的语法。 软件程序将信息流降级器的输出引导到宿。 该方法包括确定输出的语法是否符合汇的一个或多个预定规范。 该方法包括响应于确定，输出的语法符合信宿的一个或多个预定规范，确定信宿流降级器对于汇点进行验证，其中确定语法，确定语法，并确定 信息流降级器通过软件程序的静态分析来执行。 还公开了装置和计算机程序产品。 一种装置，包括提供软件程序中的信息流下载器的输出是否符合软件程序中的接收器的一个或多个预定规格的结果的用户界面。