公开(公告)号：US08156559B2

公开(公告)日：2012-04-10

申请号：US11565426

申请日：2006-11-30

申请人： Shuo Chen ,  Jose Meseguer ,  Ralf Sasse ,  Jiahe Helen Wang ,  Yi-Min Wang

发明人： Shuo Chen ,  Jose Meseguer ,  Ralf Sasse ,  Jiahe Helen Wang ,  Yi-Min Wang

IPC分类号： H04L29/06

CPC分类号： G06F11/3608 ,  G06F21/577 ,  G06F21/83

摘要： To achieve end-to-end security, traditional machine-to-machine security measures are insufficient if the integrity of the graphical user interface (GUI) is compromised. GUI logic flaws are a category of software vulnerabilities that result from logic flaws in GUI implementation. The invention described here is a technology for uncovering these flaws using a systematic reasoning approach. Major steps in the technology include: (1) mapping a visual invariant to a program invariant; (2) formally modeling the program logic, the user actions and the execution context, and systematically exploring the possibilities of violations of the program invariant; (3) finding real spoofing attacks based on the exploration.

公开(公告)号：US08539585B2

公开(公告)日：2013-09-17

申请号：US11768134

申请日：2007-06-25

申请人： Shuo Chen ,  Ralf Sasse ,  Jiahe Helen Wang ,  Yi-Min Wang

发明人： Shuo Chen ,  Ralf Sasse ,  Jiahe Helen Wang ,  Yi-Min Wang

IPC分类号： G06F21/00

CPC分类号： G06F11/3608 ,  G06F21/577 ,  G06F21/83

摘要： To achieve end-to-end security, traditional machine-to-machine security measures are insufficient if the integrity of the graphical user interface (GUI) is compromised. GUI logic flaws are a category of software vulnerabilities that result from logic flaws in GUI implementation. The invention described here is a technology for uncovering these flaws using a systematic reasoning approach. Major steps in the technology include: (1) mapping a visual invariant to a program invariant; (2) formally modeling the program logic, the user actions and the execution context, and systematically exploring the possibilities of violations of the program invariant; (3) finding real spoofing attacks based on the exploration.

摘要翻译： 为了实现端到端的安全性，如果图形用户界面（GUI）的完整性受到损害，则传统的机器对机器的安全措施是不够的。 GUI逻辑缺陷是由GUI实现中的逻辑缺陷引起的一类软件漏洞。 这里描述的发明是使用系统推理方法揭露这些缺陷的技术。 该技术的主要步骤包括：（1）将视觉不变量映射到程序不变; （2）对程序逻辑，用户动作和执行上下文进行正式建模，并系统地探索违反程序不变的可能性; （3）根据探索找到真正的欺骗攻击。

公开(公告)号：US20080134338A1

公开(公告)日：2008-06-05

申请号：US11565426

申请日：2006-11-30

申请人： Shuo Chen ,  Jose Meseguer ,  Ralf Sasse ,  Jiahe Helen Wang ,  Yi-Min Wang

发明人： Shuo Chen ,  Jose Meseguer ,  Ralf Sasse ,  Jiahe Helen Wang ,  Yi-Min Wang

IPC分类号： G08B23/00

CPC分类号： G06F11/3608 ,  G06F21/577 ,  G06F21/83

摘要： To achieve end-to-end security, traditional machine-to-machine security measures are insufficient if the integrity of the graphical user interface (GUI) is compromised. GUI logic flaws are a category of software vulnerabilities that result from logic flaws in GUI implementation. The invention described here is a technology for uncovering these flaws using a systematic reasoning approach. Major steps in the technology include: (1) mapping a visual invariant to a program invariant; (2) formally modeling the program logic, the user actions and the execution context, and systematically exploring the possibilities of violations of the program invariant; (3) finding real spoofing attacks based on the exploration.

公开(公告)号：US20080133976A1

公开(公告)日：2008-06-05

申请号：US11768134

申请日：2007-06-25

申请人： Shuo Chen ,  Yi-Min Wang ,  Ralf Sasse ,  Jiahe Helen Wang

发明人： Shuo Chen ,  Yi-Min Wang ,  Ralf Sasse ,  Jiahe Helen Wang

IPC分类号： G06F11/36

CPC分类号： G06F11/3608 ,  G06F21/577 ,  G06F21/83

摘要： To achieve end-to-end security, traditional machine-to-machine security measures are insufficient if the integrity of the graphical user interface (GUI) is compromised. GUI logic flaws are a category of software vulnerabilities that result from logic flaws in GUI implementation. The invention described here is a technology for uncovering these flaws using a systematic reasoning approach. Major steps in the technology include: (1) mapping a visual invariant to a program invariant; (2) formally modeling the program logic, the user actions and the execution context, and systematically exploring the possibilities of violations of the program invariant; (3) finding real spoofing attacks based on the exploration.

摘要翻译： 为了实现端到端的安全性，如果图形用户界面（GUI）的完整性受到损害，则传统的机器对机器的安全措施是不够的。 GUI逻辑缺陷是由GUI实现中的逻辑缺陷引起的一类软件漏洞。 这里描述的发明是使用系统推理方法揭露这些缺陷的技术。 该技术的主要步骤包括：（1）将视觉不变量映射到程序不变; （2）对程序逻辑，用户动作和执行上下文进行正式建模，并系统地探索违反程序不变的可能性; （3）根据探索找到真正的欺骗攻击。

公开(公告)号：US20080127341A1

公开(公告)日：2008-05-29

申请号：US11772085

申请日：2007-06-29

申请人： Shuo Chen ,  Jiahe Helen Wang ,  Yi-Min Wang

发明人： Shuo Chen ,  Jiahe Helen Wang ,  Yi-Min Wang

IPC分类号： H04L9/32 ,  G06F3/00

CPC分类号： G06F11/3608 ,  G06F21/577 ,  G06F21/83

摘要： To achieve end-to-end security, traditional machine-to-machine security measures are insufficient if the integrity of the graphical user interface (GUI) is compromised. GUI logic flaws are a category of software vulnerabilities that result from logic flaws in GUI implementation. The invention described here is a technology for uncovering these flaws using a systematic reasoning approach. Major steps in the technology include: (1) mapping a visual invariant to a program invariant; (2) formally modeling the program logic, the user actions and the execution context, and systematically exploring the possibilities of violations of the program invariant; (3) finding real spoofing attacks based on the exploration.

摘要翻译： 为了实现端到端的安全性，如果图形用户界面（GUI）的完整性受到损害，则传统的机器对机器的安全措施是不够的。 GUI逻辑缺陷是由GUI实现中的逻辑缺陷引起的一类软件漏洞。 这里描述的发明是使用系统推理方法揭露这些缺陷的技术。 该技术的主要步骤包括：（1）将视觉不变量映射到程序不变; （2）对程序逻辑，用户动作和执行上下文进行正式建模，并系统地探索违反程序不变的可能性; （3）根据探索找到真正的欺骗攻击。

公开(公告)号：US08125669B2

公开(公告)日：2012-02-28

申请号：US11772085

申请日：2007-06-29

申请人： Shuo Chen ,  Yi-Min Wang ,  Jiahe Helen Wang

发明人： Shuo Chen ,  Yi-Min Wang ,  Jiahe Helen Wang

IPC分类号： G06F15/00 ,  G06F11/00

CPC分类号： G06F11/3608 ,  G06F21/577 ,  G06F21/83

摘要： To achieve end-to-end security, traditional machine-to-machine security measures are insufficient if the integrity of the graphical user interface (GUI) is compromised. GUI logic flaws are a category of software vulnerabilities that result from logic flaws in GUI implementation. The invention described here is a technology for uncovering these flaws using a systematic reasoning approach. Major steps in the technology include: (1) mapping a visual invariant to a program invariant; (2) formally modeling the program logic, the user actions and the execution context, and systematically exploring the possibilities of violations of the program invariant; (3) finding real spoofing attacks based on the exploration.

摘要翻译： 为了实现端到端的安全性，如果图形用户界面（GUI）的完整性受到损害，则传统的机器对机器的安全措施是不够的。 GUI逻辑缺陷是由GUI实现中的逻辑缺陷引起的一类软件漏洞。 这里描述的发明是使用系统推理方法揭露这些缺陷的技术。 该技术的主要步骤包括：（1）将视觉不变量映射到程序不变; （2）对程序逻辑，用户动作和执行上下文进行正式建模，并系统地探索违反程序不变的可能性; （3）根据探索找到真正的欺骗攻击。

公开(公告)号：US08782797B2

公开(公告)日：2014-07-15

申请号：US12175264

申请日：2008-07-17

申请人： Jiahe Helen Wang ,  Xiaofeng Fan ,  Shuo Chen

发明人： Jiahe Helen Wang ,  Xiaofeng Fan ,  Shuo Chen

IPC分类号： G06F7/04

CPC分类号： G06F21/55 ,  H04L63/1416

摘要： Systems and methods to manage same-origin-policy (SOP) failures that occur in a computing environment are provided. In an illustrative implementation, an exemplary computing environment comprises a lockbox module, and an instruction set comprising at least one instruction directing the lockbox module to process data and/or computing application execution commands representative of and a request for a selected operation/feature according to a selected SOP management paradigm. In the illustrative implementation, the SOP management paradigm comprises one or more instructions to deploy a “lockbox” computing application element allowing for the management, monitoring, and control of computing application features/operations operable under a same origin policy.

摘要翻译： 提供了管理在计算环境中发生的相同来源策略（SOP）故障的系统和方法。 在说明性实现中，示例性计算环境包括锁箱模块，以及指令集，其包括指示锁箱模块处理数据和/或计算代表所选择的操作/特征的应用执行命令的至少一个指令，以及根据 一个选定的SOP管理模式。 在说明性实现中，SOP管理范例包括部署“锁箱”计算应用元件的一个或多个指令，允许管理，监视和控制可在相同原始策略下操作的计算应用特征/操作。

公开(公告)号：US20100017883A1

公开(公告)日：2010-01-21

申请号：US12175264

申请日：2008-07-17

申请人： Jiahe Helen Wang ,  Xiaofeng Fan ,  Shuo Chen

发明人： Jiahe Helen Wang ,  Xiaofeng Fan ,  Shuo Chen

IPC分类号： G06F21/00

CPC分类号： G06F21/55 ,  H04L63/1416

摘要： Systems and methods to manage same-origin-policy (SOP) failures that occur in a computing environment are provided. In an illustrative implementation, an exemplary computing environment comprises a lockbox module, and an instruction set comprising at least one instruction directing the lockbox module to process data and/or computing application execution commands representative of and a request for a selected operation/feature according to a selected SOP management paradigm. In the illustrative implementation, the SOP management paradigm comprises one or more instructions to deploy a “lockbox” computing application element allowing for the management, monitoring, and control of computing application features/operations operable under a same origin policy.

摘要翻译： 提供了管理在计算环境中发生的相同来源策略（SOP）故障的系统和方法。 在说明性实现中，示例性计算环境包括锁箱模块，以及指令集，其包括指示锁箱模块处理数据和/或计算代表所选择的操作/特征的应用执行命令的至少一个指令，以及根据 一个选定的SOP管理模式。 在说明性实现中，SOP管理范例包括部署“锁箱”计算应用元件的一个或多个指令，允许管理，监视和控制可在相同原始策略下操作的计算应用特征/操作。

公开(公告)号：US07784101B2

公开(公告)日：2010-08-24

申请号：US11214123

申请日：2005-08-29

申请人： Chad E Verbowski ,  John D. Dungan ,  Shuo Chen ,  Yi-Min Wang

发明人： Chad E Verbowski ,  John D. Dungan ,  Shuo Chen ,  Yi-Min Wang

IPC分类号： G06F21/00 ,  G06F17/30

CPC分类号： G06F21/6218 ,  G06F2221/2101

摘要： A technique for identifying dependencies of an application upon a given security context includes monitoring security checks generated by the application. The security checks requiring elevated rights are identified and the state of execution of the application corresponding to the identified security checks may be logged. The security checks requiring elevated rights may be identified by monitoring access checks, monitoring privilege checks, checking user/group identifiers against a list of known identifiers associated with elevated rights, or the like.

摘要翻译： 用于在给定的安全上下文中识别应用的依赖性的技术包括监视应用产生的安全检查。 识别需要提升权限的安全检查，并且可能会记录与识别的安全检查对应的应用程序的执行状态。 可以通过监视访问检查，监视特权检查，针对与提升的权限相关联的已知标识符的列表等来检查用户/组标识符来识别需要提高权限的安全检查。

公开(公告)号：US07779480B2

公开(公告)日：2010-08-17

申请号：US11214125

申请日：2005-08-29

申请人： Chad E Verbowski ,  John D. Dunagan ,  Shuo Chen ,  Yi-Min Wang

发明人： Chad E Verbowski ,  John D. Dunagan ,  Shuo Chen ,  Yi-Min Wang

IPC分类号： G06F21/00 ,  G06F17/30

CPC分类号： G06F21/6218 ,  G06F2221/2101

摘要： A technique for identifying dependencies of an application upon a given security context includes monitoring security checks generated by the application. The security checks requiring elevated rights are identified and the state of execution of the application corresponding to the identified security checks may be logged. The security checks requiring elevated rights may be identified by monitoring access checks, monitoring privilege checks, checking user/group identifiers against a list of known identifiers associated with elevated rights, or the like.