公开(公告)号：US08910291B2

公开(公告)日：2014-12-09

申请号：US13430013

申请日：2012-03-26

申请人： Yinnon A. Haviv ,  Daniel Kalman ,  Dmitri Pikus ,  Omer Tripp ,  Omri Weisman

发明人： Yinnon A. Haviv ,  Daniel Kalman ,  Dmitri Pikus ,  Omer Tripp ,  Omri Weisman

IPC分类号： H04L29/06 ,  G06F21/57

CPC分类号： G06F21/577 ,  H04L63/1433 ,  H04L63/1441

摘要： Detecting security vulnerabilities in web applications by interacting with a web application at a computer server during its execution at the computer server, identifying client-side instructions provided by the web application responsive to an interaction with the web application, where the client-side instructions are configured to be implemented by a client computer that receives the client-side instructions from the computer server, evaluating the identified client-side instructions, and identifying a security vulnerability associated with the client-side instructions.

摘要翻译： 通过在计算机服务器执行期间与计算机服务器上的Web应用程序交互来检测Web应用程序中的安全漏洞，识别由Web应用程序提供的客户端指令，响应于与Web应用程序的交互，其中客户端指令是 被配置为由从计算机服务器接收客户端指令的客户端计算机实现，评估所识别的客户端指令，以及识别与客户端指令相关联的安全漏洞。

公开(公告)号：US10157049B2

公开(公告)日：2018-12-18

申请号：US13281653

申请日：2011-10-26

申请人： Yinnon A. Haviv ,  Daniel Kalman ,  Dmitri Pikus ,  Omer Tripp ,  Omri Weisman

发明人： Yinnon A. Haviv ,  Daniel Kalman ,  Dmitri Pikus ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44 ,  G06F8/41 ,  G06F11/36 ,  G06F8/75

摘要： Statically analyzing a computer software application can include identifying a plurality of objects within the instructions of a computer software application, where the objects in the plurality of objects are of the same object type, and preparing a modified version of the instructions in which any of the objects in the plurality of objects determined to be extraneous is omitted.

公开(公告)号：US09032528B2

公开(公告)日：2015-05-12

申请号：US13170839

申请日：2011-06-28

申请人： Yinnon A. Haviv ,  Daniel Kalman ,  Dmitri Pikus ,  Omer Tripp ,  Omri Weisman

发明人： Yinnon A. Haviv ,  Daniel Kalman ,  Dmitri Pikus ,  Omer Tripp ,  Omri Weisman

IPC分类号： H04L29/06 ,  G06F21/57

CPC分类号： G06F21/577 ,  H04L63/1433 ,  H04L63/1441

摘要： Detecting security vulnerabilities in web applications by interacting with a web application at a computer server during its execution at the computer server, identifying client-side instructions provided by the web application responsive to an interaction with the web application, where the client-side instructions are configured to be implemented by a client computer that receives the client-side instructions from the computer server, evaluating the identified client-side instructions, and identifying a security vulnerability associated with the client-side instructions.

摘要翻译： 通过在计算机服务器执行期间与计算机服务器上的Web应用程序交互来检测Web应用程序中的安全漏洞，识别由Web应用程序提供的客户端指令，响应于与Web应用程序的交互，其中客户端指令是 被配置为由从计算机服务器接收客户端指令的客户端计算机实现，评估所识别的客户端指令，以及识别与客户端指令相关联的安全漏洞。

公开(公告)号：US08683596B2

公开(公告)日：2014-03-25

申请号：US13283989

申请日：2011-10-28

申请人： Yair Amit ,  Yinnon A. Haviv ,  Daniel Kalman ,  Omer Tripp ,  Omri Weisman

发明人： Yair Amit ,  Yinnon A. Haviv ,  Daniel Kalman ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F21/00

CPC分类号： G06F21/566 ,  G06F21/52 ,  G06F21/577

摘要： Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.

摘要翻译： 测试基于Web的应用程序的安全漏洞。 包括具有唯一标识符的有效载荷的至少一个客户端请求可以被传送到基于Web的应用。 可以从基于Web的应用程序接收响应HTML和关联的文档对象模型（DOM）对象。 可以通过唯一标识符在DOM对象中识别与有效载荷相对应的内容。 包括有效载荷的DOM对象的一部分可以被识别为不可信。

公开(公告)号：US09223977B2

公开(公告)日：2015-12-29

申请号：US13447904

申请日：2012-04-16

申请人： Yair Amit ,  Yinnon A. Haviv ,  Daniel Kalman ,  Omer Tripp ,  Omri Weisman

发明人： Yair Amit ,  Yinnon A. Haviv ,  Daniel Kalman ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F21/55 ,  G06F21/56 ,  G06F21/52 ,  G06F21/57

CPC分类号： G06F21/566 ,  G06F21/52 ,  G06F21/577

摘要： Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.

摘要翻译： 测试基于Web的应用程序的安全漏洞。 包括具有唯一标识符的有效载荷的至少一个客户端请求可以被传送到基于Web的应用。 可以从基于Web的应用程序接收响应HTML和关联的文档对象模型（DOM）对象。 可以通过唯一标识符在DOM对象中识别与有效载荷相对应的内容。 包括有效载荷的DOM对象的一部分可以被识别为不可信。

公开(公告)号：US08819644B2

公开(公告)日：2014-08-26

申请号：US13411771

申请日：2012-03-05

申请人： Daniel Kalman ,  Dmitri Pikus ,  Omer Tripp ,  Omri Weisman

发明人： Daniel Kalman ,  Dmitri Pikus ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44

CPC分类号： G06F21/52 ,  G06F8/51 ,  G06F8/75 ,  G06F11/3604

摘要： Performing data flow analysis of a computer software application, including, for a data flow analysis type, identifying within a computer software application code base a plurality of seeds relating to the data flow analysis type, for each of the plurality of seeds, defining a portion of the computer software application code base to a predefined depth of calls backward from the seed and to a predefined depth of calls forward from the seed, thereby resulting in a plurality of bounded portions of the computer software application code base, detecting a change in the computer software application code base, and performing, on any of the bounded portions affected by the change, a data flow analysis relating to the data flow analysis type.

公开(公告)号：US08671397B2

公开(公告)日：2014-03-11

申请号：US13246260

申请日：2011-09-27

申请人： Daniel Kalman ,  Dmitri Pikus ,  Omer Tripp ,  Omri Weisman

发明人： Daniel Kalman ,  Dmitri Pikus ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44

CPC分类号： G06F21/52 ,  G06F8/51 ,  G06F8/75 ,  G06F11/3604

摘要： Performing data flow analysis of a computer software application, including, for a data flow analysis type, identifying within a computer software application code base a plurality of seeds relating to the data flow analysis type, for each of the plurality of seeds, defining a portion of the computer software application code base to a predefined depth of calls backward from the seed and to a predefined depth of calls forward from the seed, thereby resulting in a plurality of bounded portions of the computer software application code base, detecting a change in the computer software application code base, and performing, on any of the bounded portions affected by the change, a data flow analysis relating to the data flow analysis type.

摘要翻译： 执行计算机软件应用的数据流分析，包括对于数据流分析类型，在计算机软件应用程序代码库内识别与数据流分析类型相关的多个种子，为多个种子中的每一个定义一部分 的计算机软件应用程序代码库的预定深度从种子返回到预定义的深度，并且从种子转发到预定义的呼叫深度，从而导致计算机软件应用程序代码库的多个有界部分， 计算机软件应用程序代码库，并在受变更影响的任何有界部分执行与数据流分析类型相关的数据流分析。

公开(公告)号：US08528095B2

公开(公告)日：2013-09-03

申请号：US12825293

申请日：2010-06-28

申请人： Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

发明人： Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Ory Segal ,  Adi Sharabani ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F11/00 ,  H04L9/32 ,  G06F15/173 ,  G06F9/44

CPC分类号： G06F11/3604 ,  G06F8/75 ,  G06F21/577

摘要： Embodiments of the invention generally relate to injection context based static analysis of computer software applications. Embodiments of the invention may include selecting a sink within a computer software application, tracing a character output stream leading to the sink within the computer software application, determining an injection context of the character output stream at the sink, where the injection context is predefined in association with a state of the character output stream at the sink, identifying any actions that have been predefined in association with the identified injection context, and providing a report of the actions.

摘要翻译： 本发明的实施例一般涉及计算机软件应用的基于注入上下文的静态分析。 本发明的实施例可以包括选择计算机软件应用程序内的汇点，跟踪通向计算机软件应用程序内的汇点的字符输出流，确定汇点处的字符输出流的注入上下文，其中注入上下文在 与汇点处的字符输出流的状态相关联，识别已经与所识别的注入上下文相关联地预定义的任何动作，以及提供动作的报告。

公开(公告)号：US20120216177A1

公开(公告)日：2012-08-23

申请号：US13033024

申请日：2011-02-23

申请人： Stephen Fink ,  Yinnon A. Haviv ,  Marco Pistoia ,  Omer Tripp ,  Omri Weisman

发明人： Stephen Fink ,  Yinnon A. Haviv ,  Marco Pistoia ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44

CPC分类号： G06F8/75 ,  G06F8/77

摘要： A method is disclosed that includes, using a static analysis, analyzing a software program to determine a number of paths from sources accepting information to sinks using that information or a modified version of that information and to determine multiple paths from the number of paths. The determined multiple paths have a same transition from an application portion of the software program to a library portion of the software program and require a same downgrading action to address a vulnerability associated with source-sink pairs in the multiple paths. The analyzing includes determining the multiple paths using a path-sensitive analysis. The method includes, for the determined multiple paths, grouping the determined multiple paths into a single representative indication of the determined multiple paths. The method includes outputting the single representative indication. Computer program products and apparatus are also disclosed.

摘要翻译： 公开了一种方法，其包括使用静态分析来分析软件程序以使用该信息或该信息的修改版本从接收信息的信源到汇点确定多个路径，并且从路径数确定多条路径。 所确定的多个路径具有从软件程序的应用部分到软件程序的库部分的相同转换，并且需要相同的降级动作来解决与多个路径中的源 - 汇对相关联的漏洞。 分析包括使用路径敏感分析来确定多个路径。 该方法包括对于所确定的多个路径，将所确定的多个路径分组成所确定的多个路径的单个代表性指示。 该方法包括输出单个代表性指示。 还公开了计算机程序产品和装置。

公开(公告)号：US20120023486A1

公开(公告)日：2012-01-26

申请号：US12843308

申请日：2010-07-26

申请人： Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Adi Sharabani ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

发明人： Yinnon A. Haviv ,  Roee Hay ,  Marco Pistoia ,  Adi Sharabani ,  Takaaki Tateishi ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44

CPC分类号： G06F21/577 ,  H04L63/105

摘要： A method includes determining grammar for output of an information-flow downgrader in a software program. The software program directs the output of the information-flow downgrader to a sink. The method includes determining whether the grammar of the output conforms to one or more predetermined specifications of the sink. The method includes, in response to a determination the grammar of the output conforms to the one or more predetermined specifications of the sink, determining the information-flow downgrader is verified for the sink, wherein determining grammar, determining whether the grammar, and determining the information-flow downgrader are performed via static analysis of the software program. Apparatus and computer program products are also disclosed. An apparatus includes a user interface providing a result of whether or not output of an information-flow downgrader in the software program conforms to one or more predetermined specifications of a sink in the software program.

摘要翻译： 一种方法包括在软件程序中确定信息流降级器的输出的语法。 软件程序将信息流降级器的输出引导到宿。 该方法包括确定输出的语法是否符合汇的一个或多个预定规范。 该方法包括响应于确定，输出的语法符合信宿的一个或多个预定规范，确定信宿流降级器对于汇点进行验证，其中确定语法，确定语法，并确定 信息流降级器通过软件程序的静态分析来执行。 还公开了装置和计算机程序产品。 一种装置，包括提供软件程序中的信息流下载器的输出是否符合软件程序中的接收器的一个或多个预定规格的结果的用户界面。