AUTOMATIC CLASSIFICATION OF SECURITY VULNERABILITIES IN COMPUTER SOFTWARE APPLICATIONS
    1. Invention application (status: granted)

    Publication number: US20140075560A1

    Publication date: 2014-03-13

    Application number: US13609320

    Filing date: 2012-09-11

    IPC classification: G06F21/00

    CPC classification: G06F21/577

    Abstract: Automatically classifying security vulnerabilities in computer software applications by identifying candidate security vulnerabilities in a learning set including at least a first computer software application, classifying each of the candidate security vulnerabilities using predefined classifications, determining, for each of the candidate security vulnerabilities, values for predefined properties, creating a set of correlations between the property values and the classifications of the candidate security vulnerabilities, identifying a candidate security vulnerability in a second computer software application, determining, for the candidate security vulnerability in the second computer software application, values for the predefined properties, and using the set of correlations to classify the candidate security vulnerability in the second computer software application with a classification from the predefined classifications that best correlates with the property values of the candidate security vulnerability in the second computer software application.


    AUTOMATIC SYNTHESIS OF UNIT TESTS FOR SECURITY TESTING

    Publication number: US20130205398A1

    Publication date: 2013-08-08

    Application number: US13367633

    Filing date: 2012-02-07

    IPC classification: G06F21/00

    Abstract: Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured to exploit at least one potential security vulnerability of the CPUT. The first unit test can be dynamically processed to communicate the first test payload to the particular unit of program code within the CPUT. Whether the first test payload exploits an actual security vulnerability of the CPUT can be determined, and a security analysis report can be output.

    AUTOMATIC SYNTHESIS OF UNIT TESTS FOR SECURITY TESTING
    5. Invention application (status: granted)

    Publication number: US20130205399A1

    Publication date: 2013-08-08

    Application number: US13563376

    Filing date: 2012-07-31

    IPC classification: G06F21/00

    Abstract: Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured to exploit at least one potential security vulnerability of the CPUT. The first unit test can be dynamically processed to communicate the first test payload to the particular unit of program code within the CPUT. Whether the first test payload exploits an actual security vulnerability of the CPUT can be determined, and a security analysis report can be output.


    DETECTION OF DOM-BASED CROSS-SITE SCRIPTING VULNERABILITIES
    7. Invention application (status: pending, published)

    Publication number: US20130111595A1

    Publication date: 2013-05-02

    Application number: US13447904

    Filing date: 2012-04-16

    IPC classification: G06F21/00

    Abstract: Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.


    BLACK-BOX TESTING OF WEB APPLICATIONS WITH CLIENT-SIDE CODE EVALUATION
    8. Invention application (status: granted)

    Publication number: US20130007885A1

    Publication date: 2013-01-03

    Application number: US13170839

    Filing date: 2011-06-28

    IPC classification: G06F21/00

    Abstract: Detecting security vulnerabilities in web applications by interacting with a web application at a computer server during its execution at the computer server, identifying client-side instructions provided by the web application responsive to an interaction with the web application, where the client-side instructions are configured to be implemented by a client computer that receives the client-side instructions from the computer server, evaluating the identified client-side instructions, and identifying a security vulnerability associated with the client-side instructions.


    SELECTIVE DATA FLOW ANALYSIS OF BOUNDED REGIONS OF COMPUTER SOFTWARE APPLICATIONS
    9. Invention application (status: granted)

    Publication number: US20130081003A1

    Publication date: 2013-03-28

    Application number: US13411771

    Filing date: 2012-03-05

    IPC classification: G06F9/44

    Abstract: Performing data flow analysis of a computer software application, including, for a data flow analysis type, identifying within a computer software application code base a plurality of seeds relating to the data flow analysis type, for each of the plurality of seeds, defining a portion of the computer software application code base to a predefined depth of calls backward from the seed and to a predefined depth of calls forward from the seed, thereby resulting in a plurality of bounded portions of the computer software application code base, detecting a change in the computer software application code base, and performing, on any of the bounded portions affected by the change, a data flow analysis relating to the data flow analysis type.
