-
公开(公告)号:US08434064B2
公开(公告)日:2013-04-30
申请号:US12058513
申请日:2008-03-28
申请人: Periklis Akritidis , Manuel Costa , Miguel Castro
发明人: Periklis Akritidis , Manuel Costa , Miguel Castro
CPC分类号: G06F11/3612 , G06F21/52 , G06F21/54
摘要: Methods of detecting memory errors using write integrity testing are described. In an embodiment, additional analysis is performed when a program is compiled. This analysis identifies a set of objects which can be written by each instruction in the program. Additional code is then inserted into the program so that, at runtime, the program checks before performing a write instruction that the particular object being written is one of the set of objects that it is allowed to write. The inserted code causes an exception to be raised if this check fails and allows the write to proceed if the check is successful. In a further embodiment, code may also be inserted to perform checks before indirect control-flow transfer instructions, to ensure that those instructions cannot transfer control to locations different from those intended.
摘要翻译: 描述使用写入完整性测试来检测存储器错误的方法。 在一个实施例中,当编译程序时执行附加分析。 此分析标识可由程序中的每条指令写入的一组对象。 然后将附加代码插入到程序中,使得在运行时,程序在执行写入指令之前检查所写入的特定对象是被允许写入的一组对象之一。 如果此检查失败,则插入的代码会引发异常,如果检查成功,则允许写入继续。 在另一实施例中,还可以插入代码以在间接控制流传输指令之前执行检查,以确保那些指令不能将控制转移到与预期不同的位置。
-
公开(公告)号:US08316448B2
公开(公告)日:2012-11-20
申请号:US11925575
申请日:2007-10-26
申请人: Marcus Peinado , Manuel Costa , Miguel Castro , Lidong Zhou , Lintao Zhang
发明人: Marcus Peinado , Manuel Costa , Miguel Castro , Lidong Zhou , Lintao Zhang
IPC分类号: H04L29/06
CPC分类号: G06F21/55 , G06F21/52 , G06F21/577
摘要: Methods and architectures for automatic filter generation are described. In an embodiment, these filters are generated in order to block inputs which would otherwise disrupt the normal functioning of a program. An initial set of filter conditions is generated by analyzing the path of a program from a point at which a bad input is received to the point at which the malfunctioning of the program is detected and creating conditions on an input which ensure that this path is followed. Having generated the initial set of filter conditions, the set is made less specific by determining which instructions do not influence whether the point of detection of the attack is reached and removing the filter conditions which correspond to these instructions.
摘要翻译: 描述了自动过滤器生成的方法和体系结构。 在一个实施例中,生成这些滤波器以便阻止否则将中断程序的正常功能的输入。 通过从接收到不良输入的点到检测到程序故障的点分析程序的路径并在输入上创建条件来产生初始的过滤条件集合,以确保遵循该路径 。 在产生初始的滤波条件集之后,通过确定哪些指令不影响是否达到攻击的检测点,并且去除与这些指令相对应的滤波条件,使该集合具有较小的特定性。
-
公开(公告)号:US20090249289A1
公开(公告)日:2009-10-01
申请号:US12058513
申请日:2008-03-28
申请人: Periklis Akritidis , Manuel Costa , Miguel Castro
发明人: Periklis Akritidis , Manuel Costa , Miguel Castro
IPC分类号: G06F9/44
CPC分类号: G06F11/3612 , G06F21/52 , G06F21/54
摘要: Methods of detecting memory errors using write integrity testing are described. In an embodiment, additional analysis is performed when a program is compiled. This analysis identifies a set of objects which can be written by each instruction in the program. Additional code is then inserted into the program so that, at runtime, the program checks before performing a write instruction that the particular object being written is one of the set of objects that it is allowed to write. The inserted code causes an exception to be raised if this check fails and allows the write to proceed if the check is successful. In a further embodiment, code may also be inserted to perform checks before indirect control-flow transfer instructions, to ensure that those instructions cannot transfer control to locations different from those intended.
摘要翻译: 描述使用写入完整性测试来检测存储器错误的方法。 在一个实施例中,当编译程序时执行附加分析。 此分析标识可由程序中的每条指令写入的一组对象。 然后将附加代码插入到程序中,使得在运行时,程序在执行写入指令之前检查所写入的特定对象是被允许写入的一组对象之一。 如果此检查失败,则插入的代码会引发异常,如果检查成功,则允许写入继续。 在另一实施例中,还可以插入代码以在间接控制流传输指令之前执行检查,以确保那些指令不能将控制转移到与预期不同的位置。
-
公开(公告)号:US20090113550A1
公开(公告)日:2009-04-30
申请号:US11925575
申请日:2007-10-26
申请人: Manuel Costa , Miguel Castro , Lidong Zhou , Lintao Zhang , Marcus Peinado
发明人: Manuel Costa , Miguel Castro , Lidong Zhou , Lintao Zhang , Marcus Peinado
IPC分类号: G06F21/00
CPC分类号: G06F21/55 , G06F21/52 , G06F21/577
摘要: Methods and architectures for automatic filter generation are described. In an embodiment, these filters are generated in order to block inputs which would otherwise disrupt the normal functioning of a program. An initial set of filter conditions is generated by analyzing the path of a program from a point at which a bad input is received to the point at which the malfunctioning of the program is detected and creating conditions on an input which ensure that this path is followed. Having generated the initial set of filter conditions, the set is made less specific by determining which instructions do not influence whether the point of detection of the attack is reached and removing the filter conditions which correspond to these instructions.
摘要翻译: 描述了自动过滤器生成的方法和体系结构。 在一个实施例中,生成这些滤波器以便阻止否则将中断程序的正常功能的输入。 通过从接收到不良输入的点到检测到程序故障的点分析程序的路径并在输入上创建条件来产生初始的过滤条件集合,以确保遵循该路径 。 在产生初始的滤波条件集之后,通过确定哪些指令不影响是否达到攻击的检测点,并且去除与这些指令相对应的滤波条件,使该集合具有较小的特定性。
-
公开(公告)号:US07634813B2
公开(公告)日:2009-12-15
申请号:US11095291
申请日:2005-03-30
申请人: Manuel Costa , Miguel Castro , Antony Rowstron , Jon Crowcroft
发明人: Manuel Costa , Miguel Castro , Antony Rowstron , Jon Crowcroft
IPC分类号: G06F12/14
CPC分类号: H04L63/1433 , G06F21/554 , G06F21/577 , H04L63/1416
摘要: A containment system may include generating and/or sending an alert as the basis for safely sharing knowledge about detected worms. An alert may contain information that proves that a given program has a vulnerability. The alert may be self-certifying such that its authenticity may be independently verified by a computing system.
摘要翻译: 遏制系统可以包括生成和/或发送警报作为安全地分享关于检测到的蠕虫的知识的基础。 警报可能包含证明给定程序有漏洞的信息。 警报可以是自我认证的,使得其真实性可以由计算系统独立地验证。
-
公开(公告)号:US07603715B2
公开(公告)日:2009-10-13
申请号:US11096054
申请日:2005-03-30
申请人: Manuel Costa , Miguel Castro , Antony Rowstron , Jon Crowcroft
发明人: Manuel Costa , Miguel Castro , Antony Rowstron , Jon Crowcroft
IPC分类号: G06F12/14
CPC分类号: G06F21/566 , H04L63/1416
摘要: One aspect of the invention is a vulnerability detection mechanism that can detect a large class of attacks through dynamic dataflow analysis. Another aspect of the invention includes self-certifying alerts as the basis for safely sharing knowledge about worms. Another aspect of the invention is a resilient and self-organizing protocol to propagate alerts to all non-infected nodes in a timely fashion, even when under active attack during a worm outbreak. Another aspect of the invention is a system architecture that enables a large number of mutually untrusting computers to collaborate in the task of stopping a previously unknown worm, even when the worm is spreading rapidly and exploiting unknown vulnerabilities in popular software packages.
摘要翻译: 本发明的一个方面是可以通过动态数据流分析来检测大类攻击的漏洞检测机制。 本发明的另一方面包括自我认证警报作为安全地共享关于蠕虫的知识的基础。 本发明的另一方面是一种弹性和自组织协议,即使在蠕虫爆发期间受到主动攻击时,也可以及时向所有非感染节点传播警报。 本发明的另一方面是使得大量相互不信任的计算机能够在停止以前未知的蠕虫的任务中进行协作,即使当蠕虫迅速传播并利用流行的软件包中的未知的漏洞时。
-
公开(公告)号:US20070225133A1
公开(公告)日:2007-09-27
申请号:US11389649
申请日:2006-03-23
申请人: Miguel Castro
发明人: Miguel Castro
CPC分类号: A63B21/0004 , A63B21/00047 , A63B26/00 , A63B2208/0252 , A63B2225/62
摘要: A spherical exercise apparatus including two flexible inflatable hemispherical members that can be inflated with fluid or air and attached together to form a spherical object. The flat bases of the hemispherical member are made to adjoin with means to attach them, permitting a user to perform exercises on the spherical object, or each hemispherical member. The hemispherical members include gripping and anti-slip features on their round surfaces. The apparatus further includes a plate-like member that acts as a base for the hemispherical members when used individually. Alternately, each hemispherical member can include a permanently attached base member attached to its flat surface, wherein the base members include a means to attach the hemispherical members.
摘要翻译: 一种球形锻炼装置,包括两个柔性的可充气半球形构件,其可以用流体或空气充气并连接在一起以形成球形物体。 使半球形构件的平坦的基座与附接装置相邻,允许使用者对球形物体或每个半球形构件进行锻炼。 半球形构件包括其圆形表面上的夹紧和防滑特征。 该装置还包括一个板状构件,当单独使用时,其作为半球形构件的基座。 或者,每个半球形构件可以包括附接到其平坦表面的永久附接的基底构件,其中基座构件包括附接半球形构件的装置。
-
公开(公告)号:US20090089909A1
公开(公告)日:2009-04-09
申请号:US11973600
申请日:2007-10-08
申请人: Miguel Castro
发明人: Miguel Castro
CPC分类号: A63B71/148 , A63B43/005 , A63B2209/10 , A63B2243/0037
摘要: An exercise apparatus comprising at least one glove, at least one sphere and an adhering means that adheres the glove to the sphere. The glove comprises a central panel comprising finger engaging portions and a thumb hole, a plurality of straps extending from either side of the central panel are adapted to be attached together across the back of the hand for securing the glove, and an elevated pad on the central panel disposed in a way to contact the sphere and elevate the hand when performing exercises.
摘要翻译: 一种运动装置,其包括至少一个手套,至少一个球体和将手套粘附到球体上的粘附装置。 手套包括包括手指接合部分和拇指孔的中央面板,从中央面板的任一侧延伸的多个带子适于连接在手的背面,以固定手套,并且将高架垫 中央面板以进行锻炼的方式与球体接触并提升手。
-
公开(公告)号:US07715396B2
公开(公告)日:2010-05-11
申请号:US11118240
申请日:2005-04-28
摘要: To reduce the dependency of overlay networks on underlay networks to route messages, a virtual ring routing architecture may be formed that leverages the design of the overlay network to achieve their desirable scaling and robustness properties but also reduce the dependency on any underlay network to setup and maintain connectivity. More particularly, each node may have a single, fixed, location independent node identifier, to organize the nodes into a virtual ring. The connectivity between nodes through the actual network topology may be formed by a plurality of nodes in the virtual ring by maintaining connectivity to those nodes identified as virtual neighbor nodes within the virtual ring. The path segments defining communication connections between virtual neighbor nodes may be used to route messages between any pair of nodes in the network and may reduce route discovery overhead, reduce delay in transmission, and reduce or eliminate flooding to setup or maintain the path segments.
摘要翻译: 为了减少叠加网络对底层网络的依赖性以路由消息,可以形成利用覆盖网络的设计来实现其期望的缩放和鲁棒性属性的虚拟环路由架构,而且还减少对任何底层网络的依赖,以建立和 保持连接。 更具体地,每个节点可以具有单个,固定的,位置独立的节点标识符,以将节点组织成虚拟环。 通过实际网络拓扑的节点之间的连接可以由虚拟环中的多个节点通过维持与被识别为虚拟环内的虚拟邻居节点的那些节点的连接来形成。 定义虚拟相邻节点之间的通信连接的路径段可以用于在网络中的任何一对节点之间路由消息,并且可以减少路由发现开销,减少传输中的延迟,以及减少或消除洪泛以建立或维护路径段。
-
公开(公告)号:US06671821B1
公开(公告)日:2003-12-30
申请号:US09717755
申请日:2000-11-21
申请人: Miguel Castro , Barbara Liskov
发明人: Miguel Castro , Barbara Liskov
IPC分类号: H02H305
CPC分类号: G06F17/30212 , G06F11/1482 , G06F11/2041 , G06F21/577
摘要: A new approach for asynchronous state-machine replication in a fault-tolerant system offers both integrity and high availability in the presence of Byzantine faults. The approach also improves the security of previous systems by recovering replicas proactively without necessarily identifying that they have failed or been attacked. This proactive recovery limits the time extent of a particular fault by regularly recovering replicas. In this way, the system works correctly even when all the replicas fail multiple times over the lifetime of the system, provided that less than ⅓ of the replicas are all faulty within a window of vulnerability. The approach also features an efficient implementation of message authentication that prevents an attacker from impersonating a replicated node that was faulty after that node recovers
摘要翻译: 在容错系统中异步状态机复制的新方法在拜占庭故障存在的情况下提供完整性和高可用性。 该方法还通过主动恢复副本来提高以前系统的安全性,而不必确定它们已经失败或已被攻击。 这种主动恢复通过定期恢复副本来限制特定故障的时间范围。 以这种方式,即使所有副本在系统的整个生命周期内多次出现故障,系统也能正常工作,只要少于1/3的副本在漏洞的窗口内都是有故障的。 该方法还具有消息认证的有效实现,防止攻击者在该节点恢复之后冒充错误的复制节点
-
-
-
-
-
-
-
-
-
搜索结果
21 条记录 (耗时 0.026 秒)