SYSTEM AND METHOD FOR THE AUTOMATIC EVALUATION OF EXISTING SECURITY POLICIES AND AUTOMATIC CREATION OF NEW SECURITY POLICIES
    32.
    Invention application
    Legal status: in force

    Publication number: US20080201760A1

    Publication date: 2008-08-21

    Application number: US11677298

    Filing date: 2007-02-21

    IPC classification: H04L9/00

    CPC classification: H04L63/102 G06F21/604

    Abstract: The present invention relates to methodologies for combining policy analysis and static analysis of code and thereafter determining whether the permissions granted by the policy to the code and to the subjects executing it are appropriate. In particular, this involves the verification that too many permissions have not been granted (wherein this would be a violation of the Principle of Least Privilege), and that the permissions being granted are sufficient to execute the code without run-time authorization failures, thus resulting in the failure of the program to execute.

    SYSTEM AND METHOD FOR THE AUTOMATIC VERIFICATION OF PRIVILEGE-ASSERTING AND SUBJECT-EXECUTED CODE
    33.
    Invention application
    Legal status: lapsed

    Publication number: US20080201688A1

    Publication date: 2008-08-21

    Application number: US11677259

    Filing date: 2007-02-21

    IPC classification: G06F9/44

    CPC classification: G06F21/57 G06F8/75

    Abstract: The present invention relates to a method for verifying privileged and subject-executed code within a program, the method further comprising the steps of constructing a static model of a program, identifying checkPermission nodes that are comprised within the invocation graph, and performing a fixed-point iteration, wherein each determined permission set is propagated backwards across the nodes of the static model until a privilege-asserting code node is reached. The method further comprises the steps of associating each node of the invocation graph with a set of Permission allocation sites, analyzing each identified privilege-asserting code node and subject-executing code node to determine the Permission allocation site set that is associated with each privilege-asserting code node and subject-executing code node, and determining the cardinality of a Permission allocation-site set that is associated with each privilege-asserting code node and subject-executing code node.

    Using a heuristically-generated policy to dynamically select string analysis algorithms for client queries
    35.
    Granted patent
    Legal status: in force

    Publication number: US09092723B2

    Publication date: 2015-07-28

    Application number: US13412121

    Filing date: 2012-03-05

    IPC classification: G06N5/00

    CPC classification: G06N5/00

    Abstract: A method for dynamically selecting string analysis algorithms can begin with the training of the dynamic string analysis handler of a string analysis module to effectively handle a subset of string queries having contextual metadata received from a client application in an instructional environment. The effectiveness of the training module can be based upon feedback from the client application. Upon completion of the training, a string analysis algorithm selection policy can be synthesized. The string analysis algorithm selection policy can correlate a context of a string query in the subset to the usage of a string analysis algorithm. When in the operational environment, the dynamic string analysis handler can dynamically handle string queries having contextual metadata received from the client application in accordance with the string analysis algorithm selection policy. The string analysis algorithm to be used for a string query can be dynamically and independently determined.

    Static analysis of computer software applications

    Publication number: US08799874B2

    Publication date: 2014-08-05

    Application number: US13411779

    Filing date: 2012-03-05

    IPC classification: G06F9/44

    CPC classification: G06F8/43

    Abstract: Static analysis of a computer software application can be performed by applying a first level of abstraction to model a plurality of run-time objects, thereby producing a set of object abstractions. Static data-flow analysis of the computer software application can be performed using the set of object abstractions, thereby producing a first data-flow propagation graph. A data-flow bottleneck can be identified within the data-flow propagation graph. A second level of abstraction can be applied to model any of the run-time objects having in the set of object abstractions a corresponding object abstraction that is traceable to the data-flow bottleneck. Applying the second level of abstraction can decompose the corresponding object abstraction into a set of object abstractions, thereby modifying the set of object abstractions. Static data-flow analysis of the computer software application can be performed using the modified set of object abstractions.

    Static analysis based on observed string values during execution of a computer-based software application
    37.
    Granted patent
    Legal status: lapsed

    Publication number: US08650546B2

    Publication date: 2014-02-11

    Application number: US13173012

    Filing date: 2011-06-30

    IPC classification: G06F9/44

    CPC classification: G06F11/3608

    Abstract: Improving static analysis precision by recording a value pointed to by a string variable within the computer-based software application during the execution of a computer-based software application, modeling an invariant based on the recorded value, where the invariant represents at least one possible value pointed to by the string variable, performing a first static analysis of the computer-based software application to determine whether the invariant is valid with respect to the computer-based software application, and seeding a second static analysis of the computer-based software application with the invariant if the invariant is valid with respect to the computer-based software application.

    Runtime enforcement of security checks
    38.
    Granted patent
    Legal status: lapsed

    Publication number: US08646088B2

    Publication date: 2014-02-04

    Application number: US12983407

    Filing date: 2011-01-03

    IPC classification: G06F21/00

    CPC classification: H04L63/1441 G06F21/554

    Abstract: A method is disclosed that includes tracking untrusted inputs through an executing program into a sink, the tracking including maintaining context of the sink as strings based on the untrusted inputs flow into the sink. The method also includes, while tracking, in response to a string based on an untrusted input being about to flow into the sink and a determination that the string could lead to an attack if the string flows into a current context of the sink, endorsing the string using an endorser selected based at least on the current context of the sink, and providing the endorsed string to the sink. Computer program products and apparatus are also disclosed.

    Label-based taint analysis
    39.
    Granted patent
    Legal status: lapsed

    Publication number: US08572748B2

    Publication date: 2013-10-29

    Application number: US13028237

    Filing date: 2011-02-16

    IPC classification: G06F12/14 G08B23/00 G06F11/00

    CPC classification: G06F11/3604

    Abstract: A computer-implemented method and apparatus, adapted to receive a computer program, and dynamically analyze the computer program to determine flow of untrusted data with respect to a computer resource associated with the computer program. Based on the flow of untrusted data, the method and apparatus determine an abstraction of the computerized resource, and perform static analysis of the computer program with respect to the abstraction, wherein the static analysis is for identifying whether the computer program is susceptible to one or more possible security vulnerabilities.
