-
21.
Publication (announcement) No.: GB2499353A
Publication (announcement) date: 2013-08-14
Application No.: GB201310455
Filing date: 2012-01-30
Applicant: IBM
Inventors: PISTOIA MARCO, SEGAL ORI, TRIPP OMER
Abstract: Determining the vulnerability of computer software applications to privilege-escalation attacks, such as where an instruction classifier is configured to be used for identifying a candidate access-restricted area of the instructions of a computer software application, and a static analyzer is configured to statically analyze the candidate access-restricted area to determine if there is a conditional instruction that controls execution flow into the candidate access-restricted area, perform static analysis to determine if the conditional instruction is dependent on a data source within the computer software application, and designate the candidate access-restricted area as vulnerable to privilege-escalation attacks absent either of the conditional instruction and the data source.
-
22.
Publication (announcement) No.: GB2496730A
Publication (announcement) date: 2013-05-22
Application No.: GB201218726
Filing date: 2012-10-18
Applicant: IBM
Inventors: TRIPP OMER, AMIT YAIR, KALMAN DANIEL, WEISMAN OMRI, HAVIV YINNON
Abstract: A client 120 request 130 comprising a payload 132 (for example, an injected script) is communicated to a web-based application 112. The payload has a unique identifier. Response HTML 134 with an associated Document Object Model (DOM) object 136 is received from the web-based application, and content corresponding to the payload is identified in the DOM object via its unique identifier. A section of the DOM object comprising the payload is then identified as un-trusted. A DOM abstraction 126 may be generated from the DOM object comprising the section of the DOM object containing the content corresponding to the payload whilst, preferably, excluding sections of the DOM object not comprising said content. The response HTML is then preferably rendered using the DOM abstraction in lieu of the DOM object. A static security analysis of the response HTML may be performed when rendering to identify whether any access to the DOM abstraction retrieves content corresponding to the payload and, if so, a flag is generated to indicate that a vulnerability exists within the web-based application.
-
Publication (announcement) No.: GB2529363A
Publication (announcement) date: 2016-02-17
Application No.: GB201521768
Filing date: 2014-05-22
Applicant: IBM
Inventors: LIGMAN JOSEPH WILLIAM, PISTOIA MARCO, THOMAS GEGI, TRIPP OMER
Abstract: A method to share a computation task amongst a plurality of devices including at least one mobile device. The method includes estimating a cost to perform a computation task on a data set. If the estimated cost is greater than a threshold cost, the method further includes forming an ad-hoc wireless network comprised of a plurality of devices; downloading a portion of the data set to individual ones of the devices; performing a computation task by each device on the downloaded portion of the data set; and wirelessly transferring a result of the computation task from each device to all other devices of the network. The method can be performed by execution of an application program stored in mobile devices configured for local area wireless connectivity with neighboring mobile devices and for wireless connectivity to a remote server from which the portion of the data set is downloaded.
-
Publication (announcement) No.: GB2519159A
Publication (announcement) date: 2015-04-15
Application No.: GB201318119
Filing date: 2013-10-14
Applicant: IBM
Inventors: WURTH EMMANUEL, TRIPP OMER
Abstract: Method and system for security testing of web applications comprises: submitting 304 a test to a web application, wherein the test has a payload with a (possibly empty) set of constraints or variables. It further comprises receiving 305 a response from the web application, deriving 308 at least one constraint from the response, and using these to update the previous set of constraints and synthesize 310 a new payload. The test is then repeated 304 by submitting the new payload, iterating this method until a security vulnerability is discovered 307 or a new payload cannot be constructed under all determined constraints (possibly also respecting the grammar of a computer language used). This method may be used to check for input or script that is not sanitised by the web application and thus may be used in a cross-site scripting (XSS) attack. The constraints may be regarded as tokens, and tokens may be replaced with new tokens when generating the new payload.
-
Publication (announcement) No.: GB2496730B
Publication (announcement) date: 2015-01-14
Application No.: GB201218726
Filing date: 2012-10-18
Applicant: IBM
Inventors: TRIPP OMER, KALMAN DANIEL, WEISMAN OMRI, HAVIV YINNON, AMIT YAIR
-
Publication (announcement) No.: GB2505623B
Publication (announcement) date: 2014-06-11
Application No.: GB201400029
Filing date: 2012-06-26
Applicant: IBM
Inventors: PISTOIA MARCO, SEGAL ORI, TRIPP OMER
Abstract: Method to detect security vulnerabilities includes: interacting with a web application during its execution to identify a web page exposed by the web application; statically analyzing the web page to identify a parameter within the web page that is constrained by a client-side validation measure and that is to be sent to the web application; determining a server-side validation measure to be applied to the parameter in view of the constraint placed upon the parameter by the client-side validation measure; statically analyzing the web application to identify a location within the web application where the parameter is input into the web application; determining whether the parameter is constrained by the server-side validation measure prior to the parameter being used in a security-sensitive operation; and identifying the parameter as a security vulnerability.
-
Publication (announcement) No.: GB2503696A
Publication (announcement) date: 2014-01-08
Application No.: GB201211872
Filing date: 2012-07-04
Applicant: IBM
Inventors: BESKROVNY EVGENY, WURTH EMMANUEL, TRIPP OMER
IPC: G06F17/30
Abstract: A method (400) of searching a service registry system (200) comprising a plurality of services (120) identified by respective service names is disclosed in which at least some of said service names are associated with a set of client identifiers. The method at least comprises receiving (410) a search request (250) at said service registry system, said request including a service name (121) and a further set of client identifiers (251); searching (420) the service registry system for a match between the requested service name and a service name of one of said services in the service registry system; and in the absence of such a match, searching (250) the service registry system for services that have an association with at least some of the client identifiers in said further set; and returning a search result (260).
-
Publication (announcement) No.: DE102012216597A1
Publication (announcement) date: 2013-04-11
Application No.: DE102012216597
Filing date: 2012-09-18
Applicant: IBM
Inventors: BESKROVNY EVGENY, TRIPP OMER
IPC: G06F11/36
Abstract: An authorization algorithm of a software component can be selected. A static code analysis can be performed to identify a conditional statement within an algorithm of the software component. The outcome of the conditional statement can be determined on the basis of an input and a criterion using dynamic code analysis. The input can be a value associated with a claim set of a claims-based authorization check policy. The criterion can be an authorization check criterion specified within the algorithm. In response to the outcome, an execution path associated with the outcome can be determined, and a code coverage criterion can be satisfied for the conditional statement.
-
Publication (announcement) No.: GB2494738A
Publication (announcement) date: 2013-03-20
Application No.: GB201209473
Filing date: 2012-05-29
Applicant: IBM
Inventors: AMIT YAIR, LANDA ALEXANDER, TRIPP OMER
Abstract: A system for detecting security vulnerabilities in web applications, the system including a black-box tester 100 configured to provide a payload 110 to a web application 102 during a first interaction with the web application at a computer server, where the payload includes a payload instruction and an identifier, and an execution engine 114 configured to detect the identifier within the payload received during an interaction with the web application subsequent to the first interaction, and to determine, responsive to detecting the identifier within the payload 110, whether the payload instruction underwent a security check, such as a validator or a sanitizer, prior to execution of the payload instruction. The interaction-initiating instruction is preferably an AJAX request, and the invention is preferably used to detect vulnerability to stored cross-site scripting (XSS) attacks.
-
Publication (announcement) No.: DE112010004526T5
Publication (announcement) date: 2012-10-31
Application No.: DE112010004526
Filing date: 2010-09-14
Applicant: IBM
Inventors: CENTONZE PAOLINA, HAVIV YINNON AVRAHAM, HAY ROEE, SHARABANI ADI, TRIPP OMER, PISTOIA MARCO
Abstract: Access control and information-flow integrity policies are enforced in a computer system by identifying security-sensitive sinks in the software code of an application executing on the computer system and retrieving an access control policy from a database accessible to the computer system. The access control policy maps a set of access permissions in the computer system to each of a plurality of principals. For each identified security-sensitive sink, all principals that influence that security-sensitive sink are determined, and each security-sensitive sink is assigned a comprehensive access permission by forming the intersection of the access permission sets of all principals influencing that security-sensitive sink. If this permission set is insufficient, an integrity violation is reported. In addition, permission labels are assigned to each value of the variables used in the security-sensitive sinks. Each permission label is a permission set.