-
41.发明授权Policy-driven detection and verification of methods such as sanitizers and validators 失效政策驱动的检测和验证方法,如消毒剂和验证器公开(公告)号:US08572747B2
公开(公告)日:2013-10-29
申请号:US12950049
申请日:2010-11-19
申请人: Ryan Berg , Marco Pistoia , Takaaki Tateishi , Omer Tripp
发明人: Ryan Berg , Marco Pistoia , Takaaki Tateishi , Omer Tripp
IPC分类号: G06F9/455
CPC分类号: G06F8/75 , G06F21/577
摘要: A method includes performing a static analysis on a program having sources and sinks to track string flow from the sources to the sinks. The static analysis includes, for string variables in the program that begin at sources, computing grammar of all possible string values for each of the string variables and, for methods in the program operating on any of the string variables, computing grammar of string variables returned by the methods. The static analysis also includes, in response to one of the string variables reaching a sink that performs a security-sensitive operation, comparing current grammar of the one string variable with a policy corresponding to the security-sensitive operation, and performing a reporting operation based on the comparing. Apparatus and computer program products are also disclosed.
摘要翻译: 一种方法包括对具有源和汇的程序执行静态分析以跟踪从源到汇的字符串流。 静态分析包括对于从源头开始的程序中的字符串变量,计算每个字符串变量的所有可能的字符串值的语法,对于在任何字符串变量上运行的程序中的方法,返回的字符串变量的计算语法 通过方法。 静态分析还响应于到达执行安全敏感操作的汇点之一的字符串变量之一,将一个字符串变量的当前语法与对应于安全敏感操作的策略进行比较,并且基于 在比较上。 还公开了装置和计算机程序产品。
-
公开(公告)号:US08473899B2
公开(公告)日:2013-06-25
申请号:US12638581
申请日:2009-12-15
CPC分类号: G06F8/4434
摘要: Access is obtained to an input object-oriented computer program. In the input object-oriented computer program, semantically equivalent objects are identified, which exist in different memory locations. If at least one of: a number of occurrences for the semantically equivalent objects exceeds a first threshold value, the threshold value being at least two; and a number of equality tests on the semantically equivalent objects exceeds a second threshold value, then a further step includes identifying an application program interface to reduce the semantically equivalent objects to a single object in a single memory location.
摘要翻译: 获取到输入面向对象的计算机程序。 在输入面向对象的计算机程序中,识别了语义上等效的对象,存在于不同的存储器位置。 如果以下中的至少一个:用于语义等效对象的多个事件超过第一阈值,则该阈值为至少两个; 并且对于语义上等价的对象的多个等式测试超过第二阈值,则进一步的步骤包括识别应用程序接口以将语义上等价的对象减少到单个存储器位置中的单个对象。
-
43.发明授权公开(公告)号:US08381199B2
公开(公告)日:2013-02-19
申请号:US12907974
申请日:2010-10-19
申请人: Takaaki Tateishi , Omer Tripp , Marco Pistoia
发明人: Takaaki Tateishi , Omer Tripp , Marco Pistoia
CPC分类号: G06F9/4482
摘要: Modular and/or demand-driven string analysis of a computer program is performed. Each method of the program is encoded into monadic second-order logic (M2L) to yield a set of predicate declarations and a set of constraints. The two sets for each method are composed to yield a union set of predicate declarations and a union set of constraints for the program. The union set of constraints includes a particular set of constraints corresponding to call relationships among the methods. An M2L formula including a free variable corresponding to a program variable is added to the union set of constraints. The two union sets are processed to verify a satisfiability of the constraints in relation to an illegal pattern. Where the constraints are satisfiable, the program can generate a string containing the illegal pattern. Where the constraints are not satisfiable, the program never generates a string containing the illegal pattern.
摘要翻译: 执行计算机程序的模块化和/或需求驱动的字符串分析。 程序的每个方法被编码成一元二阶逻辑(M2L),以产生一组谓词声明和一组约束。 每个方法的两个集合被组合以产生一个联合集的谓词声明和该程序的约束集合。 联合约束集包括与方法之间的调用关系相对应的特定一组约束。 包含与程序变量相对应的自由变量的M2L公式被添加到约束集合中。 处理两个联合集以验证与非法模式相关的约束的可满足性。 在约束满足的情况下,程序可以生成包含非法模式的字符串。 在约束不可满足的情况下,程序不会生成包含非法模式的字符串。
-
44.发明申请Policy-Driven Detection And Verification Of Methods Such As Sanitizers And Validators 失效政策驱动的检测和验证方法如消毒剂和验证器公开(公告)号:US20120131668A1
公开(公告)日:2012-05-24
申请号:US12950049
申请日:2010-11-19
申请人: Ryan Berg , Marco Pistoia , Takaaki Tateishi , Omer Tripp
发明人: Ryan Berg , Marco Pistoia , Takaaki Tateishi , Omer Tripp
CPC分类号: G06F8/75 , G06F21/577
摘要: A method includes performing a static analysis on a program having sources and sinks to track string flow from the sources to the sinks. The static analysis includes, for string variables in the program that begin at sources, computing grammar of all possible string values for each of the string variables and, for methods in the program operating on any of the string variables, computing grammar of string variables returned by the methods. The static analysis also includes, in response to one of the string variables reaching a sink that performs a security-sensitive operation, comparing current grammar of the one string variable with a policy corresponding to the security-sensitive operation, and performing a reporting operation based on the comparing. Apparatus and computer program products are also disclosed.
摘要翻译: 一种方法包括对具有源和汇的程序执行静态分析以跟踪从源到汇的字符串流。 静态分析包括对于从源头开始的程序中的字符串变量,计算每个字符串变量的所有可能的字符串值的语法,对于在任何字符串变量上运行的程序中的方法,返回的字符串变量的计算语法 通过方法。 静态分析还响应于到达执行安全敏感操作的汇点之一的字符串变量之一,将一个字符串变量的当前语法与对应于安全敏感操作的策略进行比较,并且基于 在比较上。 还公开了装置和计算机程序产品。
-
45.发明申请公开(公告)号:US20120096440A1
公开(公告)日:2012-04-19
申请号:US12907974
申请日:2010-10-19
申请人: Takaaki Tateishi , Omer Tripp , Marco Pistoia
发明人: Takaaki Tateishi , Omer Tripp , Marco Pistoia
CPC分类号: G06F9/4482
摘要: Modular and/or demand-driven string analysis of a computer program is performed. Each method of the program is encoded into monadic second-order logic (M2L) to yield a set of predicate declarations and a set of constraints. The two sets for each method are composed to yield a union set of predicate declarations and a union set of constraints for the program. The union set of constraints includes a particular set of constraints corresponding to call relationships among the methods. An M2L formula including a free variable corresponding to a program variable is added to the union set of constraints. The two union sets are processed to verify a satisfiability of the constraints in relation to an illegal pattern. Where the constraints are satisfiable, the program can generate a string containing the illegal pattern. Where the constraints are not satisfiable, the program never generates a string containing the illegal pattern.
摘要翻译: 执行计算机程序的模块化和/或需求驱动的字符串分析。 程序的每个方法被编码成一元二阶逻辑(M2L),以产生一组谓词声明和一组约束。 每个方法的两个集合被组合以产生一个联合集的谓词声明和该程序的约束集合。 联合约束集包括与方法之间的呼叫关系相对应的特定一组约束。 包含与程序变量相对应的自由变量的M2L公式被添加到约束集合中。 处理两个联合集以验证与非法模式相关的约束的可满足性。 在约束满足的情况下,程序可以生成包含非法模式的字符串。 在约束不可满足的情况下,程序不会生成包含非法模式的字符串。
-
公开(公告)号:US20110145785A1
公开(公告)日:2011-06-16
申请号:US12638581
申请日:2009-12-15
IPC分类号: G06F9/44
CPC分类号: G06F8/4434
摘要: Access is obtained to an input object-oriented computer program. In the input object-oriented computer program, semantically equivalent objects are identified, which exist in different memory locations. If at least one of: a number of occurrences for the semantically equivalent objects exceeds a first threshold value, the threshold value being at least two; and a number of equality tests on the semantically equivalent objects exceeds a second threshold value, then a further step includes identifying an application program interface to reduce the semantically equivalent objects to a single object in a single memory location.
摘要翻译: 获取到输入面向对象的计算机程序。 在输入面向对象的计算机程序中,识别了语义上等效的对象,存在于不同的存储器位置。 如果以下中的至少一个:用于语义等效对象的多个事件超过第一阈值,则该阈值为至少两个; 并且对于语义上等价的对象的多个等式测试超过第二阈值,则进一步的步骤包括识别应用程序接口以将语义上等价的对象减少到单个存储器位置中的单个对象。
-
公开(公告)号:US20100333201A1
公开(公告)日:2010-12-30
申请号:US12825610
申请日:2010-06-29
IPC分类号: G06F11/00
CPC分类号: G06F21/577 , G06F8/43 , G06F11/3604 , G06F21/563
摘要: A computer-implemented method, program product, and system for determining the validity of a string generated by a computer programming language program. The method includes: abstracting a constraint between variables extracted from a source code for a programming language, describing the constraint in M2L, and storing the constraint; and evaluating the validity of the string on an M2L solver on the basis of the constraint and a M2L specification to determine whether the string is safe or unsafe.
摘要翻译: 用于确定由计算机程序设计语言程序生成的字符串的有效性的计算机实现的方法,程序产品和系统。 该方法包括:从用于编程语言的源代码提取的变量之间抽取约束,描述M2L中的约束,并存储该约束; 并基于约束和M2L规范来评估M2L求解器上的字符串的有效性,以确定字符串是安全还是不安全。
-
48.发明申请IDENTIFICATION OF READ/WRITE CHAINS DURING STATIC ANALYSIS OF COMPUTER SOFTWARE 有权计算机软件静态分析期间读/写链的识别公开(公告)号:US20090300266A1
公开(公告)日:2009-12-03
申请号:US12129894
申请日:2008-05-30
申请人: Marco Pistoia , Takaaki Tateishi , Omer Tripp , Omri Weisman
发明人: Marco Pistoia , Takaaki Tateishi , Omer Tripp , Omri Weisman
IPC分类号: G06F12/00
CPC分类号: G06F8/433
摘要: A system for identifying read/write chains in computer software, including a static analysis engine identifying within computer software logical container accesses, a string analyzer configured to at least partly resolve any variables identifying the logical container in any of the accesses by determining a set of potential values of any of the variables, and a Logical Container Access Virtualization component (LCAV) configured to identify the type and scope of any permutations of the accesses, where each of the permutations is defined by substituting any of the potential values for any of the access variables, and identify any read/write chains within the computer software by matching any of the access permutations that read from the logical container with any of the access permutations that write to the logical container if there is an intersection between the scopes of the read and write access permutations.
摘要翻译: 一种用于识别计算机软件中的读/写链的系统,包括在计算机软件逻辑容器访问内识别的静态分析引擎,串行分析器,其被配置为至少部分地解析任何访问中识别逻辑容器的任何变量, 任何变量的潜在值和逻辑容器访问虚拟化组件(LCAV),其被配置为识别访问的任何排列的类型和范围,其中每个排列通过将任何潜在值替换为任何 访问变量,并通过将从逻辑容器读取的任何访问排列与写入逻辑容器的任何访问排列进行匹配,以识别计算机软件中的任何读/写链,如果读取范围之间存在交集 并写入访问排列。
-
49.发明授权公开(公告)号:US08914890B2
公开(公告)日:2014-12-16
申请号:US13018342
申请日:2011-01-31
申请人: Marco Pistoia , Ori Segal , Omer Tripp
发明人: Marco Pistoia , Ori Segal , Omer Tripp
CPC分类号: G06F21/563 , G06F21/577 , H04L63/1433
摘要: Determining the vulnerability of computer software applications to privilege-escalation attacks, such as where an instruction classifier is configured to be used for identifying a candidate access-restricted area of the instructions of a computer software application, and a static analyzer is configured to statically analyze the candidate access-restricted area to determine if there is a conditional instruction that controls execution flow into the candidate access-restricted area, perform static analysis to determine if the conditional instruction is dependent on a data source within the computer software application, and designate the candidate access-restricted area as vulnerable to privilege-escalation attacks absent either of the conditional instruction and the date source.
-
50.发明申请公开(公告)号:US20140075561A1
公开(公告)日:2014-03-13
申请号:US13611201
申请日:2012-09-12
IPC分类号: G06F21/00
CPC分类号: G06F21/577 , G06F17/211 , G06F17/2211 , G06F17/27 , G06F17/272 , G06F17/2765 , G06F21/552 , G06F21/554 , G06F21/563 , H04L63/1408 , H04L63/1433 , H04L63/168
摘要: Methods for creating a hybrid string representations include receiving string information as input; parsing the string information to produce one or more string components; determining string components that may be represented concretely by comparing the one or more components to a set of known concretizations; abstracting all string components that could not be represented concretely; and creating a hybrid string representation that includes at least one concrete string component and at least one abstracted string component.
摘要翻译: 用于创建混合字符串表示的方法包括接收字符串信息作为输入; 解析字符串信息以产生一个或多个字符串组件; 确定可以通过将一个或多个组件与一组已知具体化进行比较来具体表示的字符串组件; 抽象出不能具体表现的所有字符串组件; 以及创建包括至少一个具体字符串组件和至少一个抽象字符串组件的混合字符串表示。
-
-
-
-
-
-
-
-
-
搜索结果
137 条记录 (耗时 0.038 秒)
