-
Publication No.: US11526600B2
Publication date: 2022-12-13
Application No.: US17127772
Application date: 2020-12-18
Applicant: SAP SE
Inventor: Thomas Barber , David Klein , Martin Johns
Abstract: Various embodiments of systems and methods to track tainting information via non-intrusive bytecode instrumentation are described herein. The described techniques include, in one aspect, defining a taint-aware class to shadow an original data class. The taint-aware class includes a payload field to store objects of the original data class, a metadata field to store tainting information corresponding to the objects of the original data class, and a method proxying a corresponding method of the original data class. In another aspect, the instances of the original data class are replaced with corresponding instances of the taint-aware class in an application bytecode. Further, in yet another aspect, when executing the application in a runtime environment, the method propagates the content of the metadata field and calls the corresponding method of the original data class to manage the content of the payload field.
-
Publication No.: US11283834B2
Publication date: 2022-03-22
Application No.: US16218732
Application date: 2018-12-13
Applicant: SAP SE
Inventor: Martin Johns
Abstract: Methods, systems, and computer-readable storage media for receiving, by a web browser executing on a client-side device, a response from a server, the response provided in a taint-enhanced data format, processing, by a Javascript framework executed by the web browser, the response to parse data within the response and, for any data values marked as tainted, providing respective taint string Javascript objects as sanitized data, and providing the sanitized data to a document object model (DOM).
-
Publication No.: US10992759B2
Publication date: 2021-04-27
Application No.: US16002399
Application date: 2018-06-07
Applicant: SAP SE
Inventor: Martin Johns
Abstract: Various examples are directed to systems and methods for secure communication sessions between a web application and a server. A session vault routine executing at a computing device may receive a first request message directed to a server computing device. The first request message may comprise a client session identifier at a session identifier field of the first request message. The session vault routine may access supplemental session identifier data from a session vault persistence at the data storage. The session vault routine may write the supplemental session identifier data to a second field of the first request message, and initiate sending the first request message to the server computing device.
-
Publication No.: US20210004502A1
Publication date: 2021-01-07
Application No.: US17031448
Application date: 2020-09-24
Applicant: SAP SE
Inventor: Martin Johns
IPC: G06F21/84 , H04L29/06 , G06F21/60 , G06F16/958 , G06F21/83
Abstract: Various examples are directed to systems and methods for executing a web application with client-side encryption. A web application may execute in a web browser at a client computing device. The web browser may generate a document comprising a secure display element. The web browser may request to render the document at the client computing device. A cryptographic tool of the web browser may decrypt the first encrypted value to generate a first clear value. The web browser may render the document at an output device of the client computing device using the clear value. The web browser may also be programmed to prevent the web application from accessing the first clear value.
-
Publication No.: US10783243B2
Publication date: 2020-09-22
Application No.: US15862347
Application date: 2018-01-04
Applicant: SAP SE
Inventor: Florian Loch , Martin Johns
Abstract: Systems and methods are provided herein for dynamic, non-invasive taint tracking using auto-generated datatypes. A proxy entry point component of a taint-aware environment continuously monitors for a request to initiate an application. The application has an associated runtime environment and profile parameters specific to the application. Upon identifying the request, a core component of the taint-aware environment generates a set of augmented classes based on the profile parameters. The set of augmented classes contains taint-tracking functionality. The proxy entry point component modifies an initiation pathway of the application to force the runtime environment to retrieve the set of augmented classes prior to execution of the application. The runtime environment continuously monitors for tainted data or tainted code passed through or contained within the application based on the taint-tracking functionality of the set of augmented classes.
-
Publication No.: US10657280B2
Publication date: 2020-05-19
Application No.: US15882043
Application date: 2018-01-29
Applicant: SAP SE
Inventor: Patrick Spiegel , Martin Johns
IPC: G06F16/00 , G06F21/62 , G06F16/25 , G06F16/245 , G06F16/242 , G06F21/55
Abstract: For mitigation of injection security attacks against non-relational databases, a database driver layer is integrated with a security layer. A trigger associated with the security layer is set to implement a learning phase of the security layer. In response to enabling the trigger, queries and query parameters associated with the respective queries are received. For the queries, a previously-stored security pattern is identified based on the query and the associated query parameters. The trigger associated with the security layer is reset to implement an execution of the security patterns. In response to resetting the trigger, an additional query and additional query parameters associated with the additional query are received. A particular security pattern is identified that is associated with the additional query and the additional query parameters. At least one of the additional query parameters is determined to not match a corresponding query parameter of the particular security pattern.
-
Publication No.: US20190377877A1
Publication date: 2019-12-12
Application No.: US16002412
Application date: 2018-06-07
Applicant: SAP SE
Inventor: Martin Johns
Abstract: Various examples are directed to systems and methods for securing a web browser. The web browser may parse web content received from a server and identify a script associated with the web content. The web browser may generate script fingerprint data for the script. The script fingerprint data may comprise script code data describing script code for the script and script syntax data describing the script. The web browser may determine that the script fingerprint data is not described by local known script data and may send an anomalous script report to the server, where the anomalous script report comprises the script fingerprint data. The web browser may also update the local known script data to describe the script fingerprint data.
-
Publication No.: US10454969B2
Publication date: 2019-10-22
Application No.: US15650974
Application date: 2017-07-17
Applicant: SAP SE
Inventor: Martin Haerterich , Martin Johns , Marius Musch
Abstract: Various embodiments of systems, computer program products, and methods to automatically generate low-interaction honeypots to protect application landscapes are described herein. In an aspect, representative applications associated with resources in a network are identified. The low-interaction honeypots are automatically generated for the identified representative applications. Further, the representative applications are probed to retrieve responses corresponding to different requests. Templates are generated corresponding to request-response pairs by parsing the responses and the requests. During operation, new requests for accessing the resources are responded to based on the generated templates. The new requests and corresponding responses are recorded.
-
Publication No.: US20190236301A1
Publication date: 2019-08-01
Application No.: US15882043
Application date: 2018-01-29
Applicant: SAP SE
Inventor: Patrick Spiegel , Martin Johns
CPC classification number: G06F21/6227 , G06F16/2433 , G06F16/245 , G06F16/25 , G06F21/552 , G06F21/554
Abstract: For mitigation of injection security attacks against non-relational databases, a database driver layer is integrated with a security layer. A trigger associated with the security layer is set to implement a learning phase of the security layer. In response to enabling the trigger, queries and query parameters associated with the respective queries are received. For the queries, a previously-stored security pattern is identified based on the query and the associated query parameters. The trigger associated with the security layer is reset to implement an execution of the security patterns. In response to resetting the trigger, an additional query and additional query parameters associated with the additional query are received. A particular security pattern is identified that is associated with the additional query and the additional query parameters. At least one of the additional query parameters is determined to not match a corresponding query parameter of the particular security pattern.
-
Publication No.: US10242180B2
Publication date: 2019-03-26
Application No.: US15403603
Application date: 2017-01-11
Applicant: SAP SE
Inventor: Christoph Haefner , Martin Johns , Martin Haerterich
Abstract: Systems and methods are provided herein for establishing a protection framework for a component. Identified assets of a component requiring protection from a potential attack are received. A list of assets is generated based on the identified assets. A protection framework is configured to include at least one defensive pattern to protect the list of assets against the potential attack. The protection framework is executed to establish a hardened boundary between the component and an attack surface of the component.