STATIC ANALYSIS OF CLIENT-SERVER APPLICATIONS USING FRAMEWORK INDEPENDENT SPECIFICATIONS
    1.
    Patent application
    STATIC ANALYSIS OF CLIENT-SERVER APPLICATIONS USING FRAMEWORK INDEPENDENT SPECIFICATIONS    Pending (published)

    Publication No.: US20120102474A1

    Publication date: 2012-04-26

    Application No.: US12912382

    Filing date: 2010-10-26

    IPC classification: G06F9/45

    CPC classification: G06F8/75

    Abstract: Systems and methods are provided for statically analyzing a software application that is based on at least one framework. According to the method, the source code of the software application and a specification associated with the software application are analyzed. The specification includes a list of synthetic methods that model the framework-related behavior of the software application, and a list of entry points indicating which synthetic methods and/or application methods of the software application can be invoked by the framework. Based on the source code and the specification, intermediate representations for the source code and the synthetic methods are generated. Based on the intermediate representations and the specification, call graphs are generated that model which application methods of the software application invoke synthetic methods or other application methods. The software application is statically analyzed based on the call graphs and the intermediate representations so as to generate analysis results for the software application.


    Generating specifications of client-server applications for static analysis
    2.
    Granted patent
    Generating specifications of client-server applications for static analysis    Expired

    Publication No.: US08434070B2

    Publication date: 2013-04-30

    Application No.: US12912345

    Filing date: 2010-10-26

    IPC classification: G06F9/44 G06F9/45

    CPC classification: G06F8/30

    Abstract: Systems and methods are provided for creating a data structure associated with a software application that is based on at least one framework. According to the method, the source code and at least one configuration file of the software application are analyzed by at least one framework-specific processor so as to determine entry point information indicating entry points in the source code, request attribute access information indicating where attributes attached to a request data structure are read and written, and forward information indicating forwards performed by the software application. A data structure for a static analysis engine is created based on this information. The data structure includes a list of synthetic methods that model the framework-related behavior of the software application, and a list of entry points indicating which synthetic methods and/or application methods of the software application can be invoked by the framework.


    Global variable security analysis
    3.
    Granted patent
    Global variable security analysis    Expired

    Publication No.: US08656496B2

    Publication date: 2014-02-18

    Application No.: US12951435

    Filing date: 2010-11-22

    IPC classification: G06F11/07 G06F9/455

    Abstract: A method includes determining selected global variables in a program whose flow through the program is to be tracked. The selected global variables are fewer than all of the global variables in the program. The method includes tracking the flow of the selected global variables through the program using a static analysis performed on the program. In response to one or more of the selected global variables being used in security-sensitive operations in the flow, the use of each such global variable in the corresponding security-sensitive operation is analyzed. In response to a determination that the use may be a potential security violation, the potential security violation is reported. Apparatus and computer program products are also disclosed.


    SIMULATING BLACK BOX TEST RESULTS USING INFORMATION FROM WHITE BOX TESTING
    4.
    Patent application
    SIMULATING BLACK BOX TEST RESULTS USING INFORMATION FROM WHITE BOX TESTING    In force

    Publication No.: US20120254839A1

    Publication date: 2012-10-04

    Application No.: US13493067

    Filing date: 2012-06-11

    IPC classification: G06F9/44

    Abstract: Systems, methods and program products are provided for simulating black box test results using information obtained from white box testing. The simulation includes: analyzing computer software (e.g., an application) to identify a potential vulnerability within the computer software application and a plurality of milestones associated with the potential vulnerability, where each of the milestones indicates a location within the computer software application; tracing a path from a first one of the milestones to an entry point into the computer software application; identifying an input to the entry point that would result in a control flow from the entry point through each of the milestones; describing the potential vulnerability in a description indicating the entry point and the input; and presenting the description via a computer-controlled output medium.


    Global Variable Security Analysis
    5.
    Patent application
    Global Variable Security Analysis    Expired

    Publication No.: US20120131670A1

    Publication date: 2012-05-24

    Application No.: US12951435

    Filing date: 2010-11-22

    IPC classification: G06F21/00

    Abstract: A method includes determining selected global variables in a program whose flow through the program is to be tracked. The selected global variables are fewer than all of the global variables in the program. The method includes tracking the flow of the selected global variables through the program using a static analysis performed on the program. In response to one or more of the selected global variables being used in security-sensitive operations in the flow, the use of each such global variable in the corresponding security-sensitive operation is analyzed. In response to a determination that the use may be a potential security violation, the potential security violation is reported. Apparatus and computer program products are also disclosed.


    Generating specifications for expression language expressions and tag libraries
    10.
    Granted patent
    Generating specifications for expression language expressions and tag libraries    In force

    Publication No.: US08903702B2

    Publication date: 2014-12-02

    Application No.: US13222612

    Filing date: 2011-08-31

    IPC classification: G06F9/45 G06F9/44 G06F17/30

    CPC classification: G06F17/30 G06F8/75

    Abstract: Systems and methods are provided for creating a data structure associated with a software application that is based on at least one framework. According to the method, at least one Java Server Page (JSP) file associated with the software application is analyzed. The JSP file includes at least one call to at least one library tag, and at least one Expression Language (EL) expression. A set of tag library usage information is generated based on the JSP file. The set of tag library usage information includes at least one variable, and a value of that variable created by the at least one call. The EL expression is evaluated based on the variable and the value of the variable. A data structure is created for a static analysis engine based on the EL expression. The data structure includes at least one Java expression representing the EL expression.
