Safe mode for inverse query evaluations
    1.
    Granted patent
    Safe mode for inverse query evaluations (status: in force)

    Publication (announcement) number: US07899817B2

    Publication (announcement) date: 2011-03-01

    Application number: US11245322

    Filing date: 2005-10-05

    IPC classification: G06F7/00 G06F11/00

    CPC classification: G06F17/30938 G06F21/52

    Abstract: Embodiments herein prevent or mitigate attacks on inverse query engines by providing safe mode routines that allow for the acceptance of third party messages and/or query expressions, as well as prevent trusted sources from accidental attacks. The mitigations fall into two categories: compile-time and runtime. Compile-time mitigations prevent query expressions from being accepted and compiled that are susceptible to known attacks. For example, the complexity of query expressions may be limited to functions with linear runtimes; constant memory usage; or ones that do not create large strings. Further, language constructs for the criteria in the query expression may not allow for nested predicates complexities. Runtime mitigations, on the other hand, monitor the data size and processing lengths of messages against the various query expressions. If these runtime quotas are exceeded, an exception or other violation indication may be thrown (e.g., abort), deeming the evaluation as under attack.


    Safe mode for inverse query evaluations
    2.
    Patent application
    Safe mode for inverse query evaluations (status: in force)

    Publication (announcement) number: US20070078829A1

    Publication (announcement) date: 2007-04-05

    Application number: US11245322

    Filing date: 2005-10-05

    IPC classification: G06F17/30

    CPC classification: G06F17/30938 G06F21/52

    Abstract: Embodiments herein prevent or mitigate attacks on inverse query engines by providing safe mode routines that allow for the acceptance of third party messages and/or query expressions, as well as prevent trusted sources from accidental attacks. The mitigations fall into two categories: compile-time and runtime. Compile-time mitigations prevent query expressions from being accepted and compiled that are susceptible to known attacks. For example, the complexity of query expressions may be limited to functions with linear runtimes; constant memory usage; or ones that do not create large strings. Further, language constructs for the criteria in the query expression may not allow for nested predicates complexities. Runtime mitigations, on the other hand, monitor the data size and processing lengths of messages against the various query expressions. If these runtime quotas are exceeded, an exception or other violation indication may be thrown (e.g., abort), deeming the evaluation as under attack.


    Common sub-expression elimination for inverse query evaluation
    3.
    Patent application
    Common sub-expression elimination for inverse query evaluation (status: under examination, published)

    Publication (announcement) number: US20070078816A1

    Publication (announcement) date: 2007-04-05

    Application number: US11244724

    Filing date: 2005-10-05

    IPC classification: G06F17/30

    CPC classification: G06F16/9027

    Abstract: Provided herein are optimizations for an instruction tree of an inverse query engine. Secondary sub-expression elimination trees are provided, which are data structures configured to include nodes that allow for temporary variables that hold processing context or state for idempotent fragments of query expression(s). As such, when sub-paths for a query expression are processed against a message, the processing context may be stored within nodes of one or more sub-expression elimination trees. The next time this same fragment is processed, regardless of where it appears within the instruction tree, the data structure is accessed to identify and retrieve the state information such that the idempotent fragment is only calculated or evaluated once.
