公开(公告)号：US20100088668A1

公开(公告)日：2010-04-08

申请号：US12246065

申请日：2008-10-06

申请人： Sachiko Yoshihama ,  Shinya Kawanaka ,  Takaaki Tateishi ,  Ory Segal ,  Adi Sharabani ,  Marco Pistoia ,  Guy Podjarny

发明人： Sachiko Yoshihama ,  Shinya Kawanaka ,  Takaaki Tateishi ,  Ory Segal ,  Adi Sharabani ,  Marco Pistoia ,  Guy Podjarny

IPC分类号： G06F9/44

CPC分类号： G06F8/10

摘要： A transformation tree for an object model (OM) is defined. The transformation tree has nodes interconnected by edges, where each node is connected to at most one other tree node. Each node corresponds to a state of the OM; each edge corresponds to an event causing the OM to transition from the state of one node to the state of another node. A transformation graph for the OM is constructed by simulating the transformation tree. The transformation graph has nodes interconnected by edges, and is a directed graph in which each node is connected to one or more other nodes. Each node corresponds to a state of the OM; each edge corresponds to an event causing the OM to transition from the state of one node to the state of another node. Crawling-oriented actions are performed in relation to the OM by being performed in relation to the transformation graph.

摘要翻译： 定义了对象模型（OM）的转换树。 转换树具有通过边缘互连的节点，其中每个节点连接到最多一个其他树节点。 每个节点对应于OM的状态; 每个边缘对应于导致OM从一个节点的状态转变到另一个节点的状态的事件。 通过模拟转换树构建OM的变换图。 转换图具有通过边缘互连的节点，并且是有向图，其中每个节点连接到一个或多个其他节点。 每个节点对应于OM的状态; 每个边缘对应于导致OM从一个节点的状态转变到另一个节点的状态的事件。 通过相对于变换图执行针对OM执行针对爬行的动作。

公开(公告)号：US08296722B2

公开(公告)日：2012-10-23

申请号：US12246065

申请日：2008-10-06

申请人： Sachiko Yoshihama ,  Shinya Kawanaka ,  Takaaki Tateishi ,  Ory Segal ,  Adi Sharabani ,  Marco Pistoia ,  Guy Podjarny

发明人： Sachiko Yoshihama ,  Shinya Kawanaka ,  Takaaki Tateishi ,  Ory Segal ,  Adi Sharabani ,  Marco Pistoia ,  Guy Podjarny

IPC分类号： G06F9/44

CPC分类号： G06F8/10

摘要： A transformation tree for an object model (OM) is defined. The transformation tree has nodes interconnected by edges, where each node is connected to at most one other tree node. Each node corresponds to a state of the OM; each edge corresponds to an event causing the OM to transition from the state of one node to the state of another node. A transformation graph for the OM is constructed by simulating the transformation tree. The transformation graph has nodes interconnected by edges, and is a directed graph in which each node is connected to one or more other nodes. Each node corresponds to a state of the OM; each edge corresponds to an event causing the OM to transition from the state of one node to the state of another node. Crawling-oriented actions are performed in relation to the OM by being performed in relation to the transformation graph.

摘要翻译： 定义了对象模型（OM）的转换树。 转换树具有通过边缘互连的节点，其中每个节点连接到最多一个其他树节点。 每个节点都对应于OM的状态; 每个边缘对应于导致OM从一个节点的状态转变到另一个节点的状态的事件。 通过模拟转换树构建OM的变换图。 转换图具有通过边缘互连的节点，并且是有向图，其中每个节点连接到一个或多个其他节点。 每个节点对应于OM的状态; 每个边缘对应于导致OM从一个节点的状态转变到另一个节点的状态的事件。 通过相对于变换图执行针对OM执行针对爬行的动作。

公开(公告)号：US08528095B2

公开(公告)日：2013-09-03

申请号：US12825293

申请日：2010-06-28

申请人： Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

发明人： Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F11/00 ,  H04L9/32 ,  G06F15/173 ,  G06F9/44

CPC分类号： G06F11/3604 ,  G06F8/75 ,  G06F21/577

摘要： Embodiments of the invention generally relate to injection context based static analysis of computer software applications. Embodiments of the invention may include selecting a sink within a computer software application, tracing a character output stream leading to the sink within the computer software application, determining an injection context of the character output stream at the sink, where the injection context is predefined in association with a state of the character output stream at the sink, identifying any actions that have been predefined in association with the identified injection context, and providing a report of the actions.

摘要翻译： 本发明的实施例一般涉及计算机软件应用的基于注入上下文的静态分析。 本发明的实施例可以包括选择计算机软件应用程序内的汇点，跟踪通向计算机软件应用程序内的汇点的字符输出流，确定汇点处的字符输出流的注入上下文，其中注入上下文在 与汇点处的字符输出流的状态相关联，识别已经与所识别的注入上下文相关联地预定义的任何动作，以及提供动作的报告。

公开(公告)号：US20120215757A1

公开(公告)日：2012-08-23

申请号：US13032638

申请日：2011-02-22

申请人： Omri Weisman ,  Yinnon Avraham Haviv ,  Adi Sharabani ,  Omer Tripp ,  Marco Pistoia ,  Takaaki Tateishi ,  Guy Podjarny

发明人： Omri Weisman ,  Yinnon Avraham Haviv ,  Adi Sharabani ,  Omer Tripp ,  Marco Pistoia ,  Takaaki Tateishi ,  Guy Podjarny

IPC分类号： G06F17/30

CPC分类号： G06F16/951

摘要： A crawler including a document retriever configured to retrieve a first computer-based document, a link identifier configured to identify an actual string within the computer-based document as being a hyperlink-type string, and a static analyzer configured to perform static analysis of an operation on a variable within the first computer-based document to identify a possible string value of the variable as being a hyperlink-type string, where any of the strings indicate a location of at least a second computer-based document.

摘要翻译： 包括被配置为检索第一基于计算机的文档的文档检索器的爬行器，被配置为将所述基于计算机的文档内的实际字符串标识为超链接字符串的链接标识符和被配置为执行静态分析的静态分析器 操作第一基于计算机的文档中的变量，以将变量的可能字符串值标识为超链接类型的字符串，其中任何字符串指示至少第二基于计算机的文档的位置。

公开(公告)号：US09275246B2

公开(公告)日：2016-03-01

申请号：US12575647

申请日：2009-10-08

申请人： Yinnon Haviv ,  Roee Hay ,  Marco Pistoia ,  Guy Podjarny ,  Adi Sharabani ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

发明人： Yinnon Haviv ,  Roee Hay ,  Marco Pistoia ,  Guy Podjarny ,  Adi Sharabani ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F17/30 ,  G06F7/00 ,  G06F21/62 ,  G06F9/45 ,  G06F11/36

CPC分类号： H04L63/1416 ,  G06F8/49 ,  G06F11/3608 ,  G06F21/6218

摘要： A system and method for static detection and categorization of information-flow downgraders includes transforming a program stored in a memory device by statically analyzing program variables to yield a single assignment to each variable in an instruction set. The instruction set is translated to production rules with string operations. A context-free grammar is generated from the production rules to identify a finite set of strings. An information-flow downgrader function is identified by checking the finite set of strings against one or more function specifications.

摘要翻译： 用于信息流降级器的静态检测和分类的系统和方法包括通过静态分析程序变量来变换存储在存储器件中的程序，以产生对指令集中的每个变量的单个赋值。 指令集被转换为具有字符串操作的生产规则。 从生产规则生成上下文无关的语法，以识别有限的字符串集。 通过根据一个或多个功能规范检查有限的字符串来识别信息流降级功能。

公开(公告)号：US20110088023A1

公开(公告)日：2011-04-14

申请号：US12575647

申请日：2009-10-08

申请人： YINNON HAVIV ,  Roee Hay ,  Marco Pistoia ,  Guy Podjarny ,  Adi Sharabani ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

发明人： YINNON HAVIV ,  Roee Hay ,  Marco Pistoia ,  Guy Podjarny ,  Adi Sharabani ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/45

CPC分类号： H04L63/1416 ,  G06F8/49 ,  G06F11/3608 ,  G06F21/6218

摘要： A system and method for static detection and categorization of information-flow downgraders includes transforming a program stored in a memory device by statically analyzing program variables to yield a single assignment to each variable in an instruction set. The instruction set is translated to production rules with string operations. A context-free grammar is generated from the production rules to identify a finite set of strings. An information-flow downgrader function is identified by checking the finite set of strings against one or more function specifications.

摘要翻译： 用于信息流降级器的静态检测和分类的系统和方法包括通过静态分析程序变量来变换存储在存储器件中的程序，以产生对指令集中的每个变量的单个赋值。 指令集被转换为具有字符串操作的生产规则。 从生产规则生成上下文无关的语法，以识别有限的字符串集。 通过根据一个或多个功能规范检查有限的字符串来识别信息流降级功能。

公开(公告)号：US09720798B2

公开(公告)日：2017-08-01

申请号：US13493067

申请日：2012-06-11

申请人： Stephen Fink ,  Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Manu Sridharan ,  Frank Tip ,  Omer Tripp ,  Omri Weisman

发明人： Stephen Fink ,  Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Manu Sridharan ,  Frank Tip ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44 ,  G06F9/45 ,  G06F11/36 ,  G06F9/445 ,  G06F9/455 ,  G06F21/57

CPC分类号： G06F11/3604 ,  G06F9/44589 ,  G06F9/455 ,  G06F11/36 ,  G06F11/362 ,  G06F21/577 ,  G06F2221/033

摘要： Systems, methods are program products for simulating black box test results using information obtained from white box testing, including analyzing computer software (e.g., an application) to identify a potential vulnerability within the computer software application and a plurality of milestones associated with the potential vulnerability, where each of the milestones indicates a location within the computer software application, tracing a path from a first one of the milestones to an entry point into the computer software application, identifying an input to the entry point that would result in a control flow from the entry point and through each of the milestones, describing the potential vulnerability in a description indicating the entry point and the input, and presenting the description via a computer-controlled output medium.

公开(公告)号：US20120254839A1

公开(公告)日：2012-10-04

申请号：US13493067

申请日：2012-06-11

申请人： Stephen Fink ,  Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Manu Sridharan ,  Frank Tip ,  Omer Tripp ,  Omri Weisman

发明人： Stephen Fink ,  Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Manu Sridharan ,  Frank Tip ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44

CPC分类号： G06F11/3604 ,  G06F9/44589 ,  G06F9/455 ,  G06F11/36 ,  G06F11/362 ,  G06F21/577 ,  G06F2221/033

摘要： Systems, methods are program products for simulating black box test results using information obtained from white box testing, including analyzing computer software (e.g., an application) to identify a potential vulnerability within the computer software application and a plurality of milestones associated with the potential vulnerability, where each of the milestones indicates a location within the computer software application, tracing a path from a first one of the milestones to an entry point into the computer software application, identifying an input to the entry point that would result in a control flow from the entry point and through each of the milestones, describing the potential vulnerability in a description indicating the entry point and the input, and presenting the description via a computer-controlled output medium.

摘要翻译： 系统，方法是使用从白盒测试获得的信息来模拟黑盒测试结果的程序产品，包括分析计算机软件（例如应用程序）以识别计算机软件应用程序中的潜在漏洞以及与潜在漏洞相关联的多个里程碑 ，其中每个里程碑指示计算机软件应用程序内的位置，跟踪从第一个里程碑到入口点的路径到计算机软件应用程序中，识别入口点的输入将导致控制流从 描述在描述入口点和输入的描述中的潜在漏洞，以及经由计算机控制的输出介质呈现描述的入口点和通过每个里程碑。

公开(公告)号：US09747187B2

公开(公告)日：2017-08-29

申请号：US12913314

申请日：2010-10-27

申请人： Stephen Fink ,  Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Manu Sridharan ,  Frank Tip ,  Omer Tripp ,  Omri Weisman

发明人： Stephen Fink ,  Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Manu Sridharan ,  Frank Tip ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F11/36 ,  G06F9/445 ,  G06F9/455 ,  G06F21/57

CPC分类号： G06F11/3604 ,  G06F9/44589 ,  G06F9/455 ,  G06F11/36 ,  G06F11/362 ,  G06F21/577 ,  G06F2221/033

摘要： Systems, methods are program products for simulating black box test results using information obtained from white box testing, including analyzing computer software (e.g., an application) to identify a potential vulnerability within the computer software application and a plurality of milestones associated with the potential vulnerability, where each of the milestones indicates a location within the computer software application, tracing a path from a first one of the milestones to an entry point into the computer software application, identifying an input to the entry point that would result in a control flow from the entry point and through each of the milestones, describing the potential vulnerability in a description indicating the entry point and the input, and presenting the description via a computer-controlled output medium.

公开(公告)号：US20120110551A1

公开(公告)日：2012-05-03

申请号：US12913314

申请日：2010-10-27

申请人： Stephen Fink ,  Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Manu Sridharan ,  Frank Tip ,  Omer Tripp ,  Omri Weisman

发明人： Stephen Fink ,  Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Manu Sridharan ,  Frank Tip ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F11/36

CPC分类号： G06F11/3604 ,  G06F9/44589 ,  G06F9/455 ,  G06F11/36 ,  G06F11/362 ,  G06F21/577 ,  G06F2221/033

摘要： Systems, methods are program products for simulating black box test results using information obtained from white box testing, including analyzing computer software (e.g., an application) to identify a potential vulnerability within the computer software application and a plurality of milestones associated with the potential vulnerability, where each of the milestones indicates a location within the computer software application, tracing a path from a first one of the milestones to an entry point into the computer software application, identifying an input to the entry point that would result in a control flow from the entry point and through each of the milestones, describing the potential vulnerability in a description indicating the entry point and the input, and presenting the description via a computer-controlled output medium.