专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明授权

US08925094B2 Automatic synthesis of unit tests for security testing 有权
公开(公告)号：US08925094B2
公开(公告)日：2014-12-30
申请号：US13563376
申请日：2012-07-31
申请人： Daniel Kalman , Ory Segal , Omer Tripp , Omri Weisman
发明人： Daniel Kalman , Ory Segal , Omer Tripp , Omri Weisman
IPC分类号： H04L29/06 , G06F21/00 , G06F21/57 , G06F21/10
CPC分类号： G06F21/577 , G06F21/10 , G06F2221/034 , H04L63/1433
摘要： Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured to exploit at least one potential security vulnerability of the CPUT. The first unit test can be dynamically processed to communicate the first test payload to the particular unit of program code within the CPUT. Whether the first test payload exploits an actual security vulnerability of the CPUT can be determined, and a security analysis report can be output.

2. 发明授权

US08856935B2 Automatic synthesis of unit tests for security testing 有权
标题翻译：自动合成单元测试用于安全测试
公开(公告)号：US08856935B2
公开(公告)日：2014-10-07
申请号：US13367633
申请日：2012-02-07
申请人： Daniel Kalman , Ory Segal , Omer Tripp , Omri Weisman
发明人： Daniel Kalman , Ory Segal , Omer Tripp , Omri Weisman
IPC分类号： H04L29/06 , G06F21/00
CPC分类号： G06F21/577 , G06F21/10 , G06F2221/034 , H04L63/1433
摘要： Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured to exploit at least one potential security vulnerability of the CPUT. The first unit test can be dynamically processed to communicate the first test payload to the particular unit of program code within the CPUT. Whether the first test payload exploits an actual security vulnerability of the CPUT can be determined, and a security analysis report can be output.
摘要翻译：对被测电脑程式（CPUT）执行安全性分析。可以分析CPUT以识别与CPUT的潜在安全漏洞相关的数据。至少可以自动合成在CPUT内测试程序代码的特定单位的第一单元测试。可以将第一单元测试配置为初始化由CPUT内的程序代码的特定单元使用的至少一个参数，并且可以提供至少一个被配置为利用CPUT的至少一个潜在安全漏洞的第一测试负载。可以动态地处理第一单元测试，以将第一测试有效负载传送到CPUT内的程序代码的特定单元。是否可以确定第一个测试有效负载是否能够利用CPUT的实际安全漏洞，并可以输出安全性分析报告。

3. 发明申请

US20120054724A1 INCREMENTAL STATIC ANALYSIS 审中-公开
标题翻译：增量静态分析
公开(公告)号：US20120054724A1
公开(公告)日：2012-03-01
申请号：US12873219
申请日：2010-08-31
申请人： Daniel Kalman , Marco Pistoia , Guy Podjarny , Omer Tripp , Omri Weisman
发明人： Daniel Kalman , Marco Pistoia , Guy Podjarny , Omer Tripp , Omri Weisman
IPC分类号： G06F9/44
CPC分类号： G06F8/75 , G06F11/3604 , G06F21/577
摘要： A system, method and computer program product for incremental static analysis, including a change impact analyzer for identifying a changed portion of a computer software (e.g., an application), where the changed portion was changed subsequent to performing a static analysis on the application, a static analysis result invalidator for invalidating any static analysis result that is dependent on the changed portion, and an incremental static analyzer for performing a first incremental static analysis on at least the changed portion, presenting the results of the first incremental static analysis, receiving a request to provide additional information regarding a selected result of the first incremental static analysis, performing, responsive to receiving the request, a second incremental static analysis on any portion of the application to gather the additional information, and presenting results of the second incremental static analysis, thereby providing the additional information regarding the selected result of the first incremental static analysis.
摘要翻译：一种用于增量静态分析的系统，方法和计算机程序产品，包括用于识别计算机软件（例如，应用程序）的改变部分的变化影响分析器，其中在对应用执行静态分析之后改变部分被改变，静态分析结果无效器，用于使依赖于改变的部分的任何静态分析结果无效;以及增量静态分析器，用于至少对所述改变的部分执行第一增量静态分析，呈现第一增量静态分析的结果，请求提供关于第一增量静态分析的选定结果的附加信息，响应于接收到请求执行，对应用的任何部分进行第二增量静态分析以收集附加信息，以及呈现第二增量静态分析的结果，从而提供附加信息rega 选择第一个增量静态分析的结果。

4. 发明授权

US08819644B2 Selective data flow analysis of bounded regions of computer software applications 有权
公开(公告)号：US08819644B2
公开(公告)日：2014-08-26
申请号：US13411771
申请日：2012-03-05
申请人： Daniel Kalman , Dmitri Pikus , Omer Tripp , Omri Weisman
发明人： Daniel Kalman , Dmitri Pikus , Omer Tripp , Omri Weisman
IPC分类号： G06F9/44
CPC分类号： G06F21/52 , G06F8/51 , G06F8/75 , G06F11/3604
摘要： Performing data flow analysis of a computer software application, including, for a data flow analysis type, identifying within a computer software application code base a plurality of seeds relating to the data flow analysis type, for each of the plurality of seeds, defining a portion of the computer software application code base to a predefined depth of calls backward from the seed and to a predefined depth of calls forward from the seed, thereby resulting in a plurality of bounded portions of the computer software application code base, detecting a change in the computer software application code base, and performing, on any of the bounded portions affected by the change, a data flow analysis relating to the data flow analysis type.

5. 发明授权

US08910291B2 Black-box testing of web applications with client-side code evaluation 有权
标题翻译：使用客户端代码评估对Web应用程序进行黑盒测试
公开(公告)号：US08910291B2
公开(公告)日：2014-12-09
申请号：US13430013
申请日：2012-03-26
申请人： Yinnon A. Haviv , Daniel Kalman , Dmitri Pikus , Omer Tripp , Omri Weisman
发明人： Yinnon A. Haviv , Daniel Kalman , Dmitri Pikus , Omer Tripp , Omri Weisman
IPC分类号： H04L29/06 , G06F21/57
CPC分类号： G06F21/577 , H04L63/1433 , H04L63/1441
摘要： Detecting security vulnerabilities in web applications by interacting with a web application at a computer server during its execution at the computer server, identifying client-side instructions provided by the web application responsive to an interaction with the web application, where the client-side instructions are configured to be implemented by a client computer that receives the client-side instructions from the computer server, evaluating the identified client-side instructions, and identifying a security vulnerability associated with the client-side instructions.
摘要翻译：通过在计算机服务器执行期间与计算机服务器上的Web应用程序交互来检测Web应用程序中的安全漏洞，识别由Web应用程序提供的客户端指令，响应于与Web应用程序的交互，其中客户端指令是被配置为由从计算机服务器接收客户端指令的客户端计算机实现，评估所识别的客户端指令，以及识别与客户端指令相关联的安全漏洞。

6. 发明授权

US08683596B2 Detection of DOM-based cross-site scripting vulnerabilities 有权
标题翻译：检测基于DOM的跨站点脚本漏洞
公开(公告)号：US08683596B2
公开(公告)日：2014-03-25
申请号：US13283989
申请日：2011-10-28
申请人： Yair Amit , Yinnon A. Haviv , Daniel Kalman , Omer Tripp , Omri Weisman
发明人： Yair Amit , Yinnon A. Haviv , Daniel Kalman , Omer Tripp , Omri Weisman
IPC分类号： G06F21/00
CPC分类号： G06F21/566 , G06F21/52 , G06F21/577
摘要： Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.
摘要翻译：测试基于Web的应用程序的安全漏洞。包括具有唯一标识符的有效载荷的至少一个客户端请求可以被传送到基于Web的应用。可以从基于Web的应用程序接收响应HTML和关联的文档对象模型（DOM）对象。可以通过唯一标识符在DOM对象中识别与有效载荷相对应的内容。包括有效载荷的DOM对象的一部分可以被识别为不可信。

7. 发明授权

US10157049B2 Static analysis with input reduction 有权
公开(公告)号：US10157049B2
公开(公告)日：2018-12-18
申请号：US13281653
申请日：2011-10-26
申请人： Yinnon A. Haviv , Daniel Kalman , Dmitri Pikus , Omer Tripp , Omri Weisman
发明人： Yinnon A. Haviv , Daniel Kalman , Dmitri Pikus , Omer Tripp , Omri Weisman
IPC分类号： G06F9/44 , G06F8/41 , G06F11/36 , G06F8/75
摘要： Statically analyzing a computer software application can include identifying a plurality of objects within the instructions of a computer software application, where the objects in the plurality of objects are of the same object type, and preparing a modified version of the instructions in which any of the objects in the plurality of objects determined to be extraneous is omitted.

8. 发明授权

US09223977B2 Detection of DOM-based cross-site scripting vulnerabilities 有权
标题翻译：检测基于DOM的跨站点脚本漏洞
公开(公告)号：US09223977B2
公开(公告)日：2015-12-29
申请号：US13447904
申请日：2012-04-16
申请人： Yair Amit , Yinnon A. Haviv , Daniel Kalman , Omer Tripp , Omri Weisman
发明人： Yair Amit , Yinnon A. Haviv , Daniel Kalman , Omer Tripp , Omri Weisman
IPC分类号： G06F21/55 , G06F21/56 , G06F21/52 , G06F21/57
CPC分类号： G06F21/566 , G06F21/52 , G06F21/577
摘要： Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.
摘要翻译：测试基于Web的应用程序的安全漏洞。包括具有唯一标识符的有效载荷的至少一个客户端请求可以被传送到基于Web的应用。可以从基于Web的应用程序接收响应HTML和关联的文档对象模型（DOM）对象。可以通过唯一标识符在DOM对象中识别与有效载荷相对应的内容。包括有效载荷的DOM对象的一部分可以被识别为不可信。

9. 发明授权

US09032528B2 Black-box testing of web applications with client-side code evaluation 有权
标题翻译：使用客户端代码评估对Web应用程序进行黑盒测试
公开(公告)号：US09032528B2
公开(公告)日：2015-05-12
申请号：US13170839
申请日：2011-06-28
申请人： Yinnon A. Haviv , Daniel Kalman , Dmitri Pikus , Omer Tripp , Omri Weisman
发明人： Yinnon A. Haviv , Daniel Kalman , Dmitri Pikus , Omer Tripp , Omri Weisman
IPC分类号： H04L29/06 , G06F21/57
CPC分类号： G06F21/577 , H04L63/1433 , H04L63/1441
摘要： Detecting security vulnerabilities in web applications by interacting with a web application at a computer server during its execution at the computer server, identifying client-side instructions provided by the web application responsive to an interaction with the web application, where the client-side instructions are configured to be implemented by a client computer that receives the client-side instructions from the computer server, evaluating the identified client-side instructions, and identifying a security vulnerability associated with the client-side instructions.
摘要翻译：通过在计算机服务器执行期间与计算机服务器上的Web应用程序交互来检测Web应用程序中的安全漏洞，识别由Web应用程序提供的客户端指令，响应于与Web应用程序的交互，其中客户端指令是被配置为由从计算机服务器接收客户端指令的客户端计算机实现，评估所识别的客户端指令，以及识别与客户端指令相关联的安全漏洞。

10. 发明授权

US08806648B2 Automatic classification of security vulnerabilities in computer software applications 有权
标题翻译：自动分类计算机软件应用程序中的安全漏洞
公开(公告)号：US08806648B2
公开(公告)日：2014-08-12
申请号：US13609320
申请日：2012-09-11
申请人： Lotem Guy , Daniel Kalman , Omer Tripp , Omri Weisman
发明人： Lotem Guy , Daniel Kalman , Omer Tripp , Omri Weisman
IPC分类号： G06F21/00
CPC分类号： G06F21/577
摘要： Automatically classifying security vulnerabilities in computer software applications by identifying candidate security vulnerabilities in a learning set including at least a first computer software application, classifying each of the candidate security vulnerabilities using predefined classifications, determining, for each of the candidate security vulnerabilities, values for predefined properties, creating a set of correlations between the property values and the classifications of the candidate security vulnerabilities, identifying a candidate security vulnerability in a second computer software application, determining, for the candidate security vulnerability in the second computer software application, values for the predefined properties, and using the set of correlations to classify the candidate security vulnerability in the second computer software application with a classification from the predefined classifications that best correlates with the property values of the candidate security vulnerability in the second computer software application.
摘要翻译：通过识别包括至少第一计算机软件应用程序的学习集中的候选安全漏洞来自动分类计算机软件应用中的安全漏洞，使用预定义分类对每个候选安全漏洞进行分类，为每个候选安全漏洞确定预定义的值属性，创建属性值与候选安全漏洞的分类之间的一组相关性，识别第二计算机软件应用中的候选安全漏洞，为第二计算机软件应用中的候选安全漏洞确定预定义的值属性，并使用一组相关性对第二计算机软件应用程序中的候选安全漏洞进行分类，从预定义的分类中分类，这些分类与坦率的属性值最相关在第二台计算机软件应用程序中出现安全漏洞。

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式