公开(公告)号：US20190171544A1

公开(公告)日：2019-06-06

申请号：US16271210

申请日：2019-02-08

Applicant: Salesforce.com, Inc.

Inventor： Sergey GORBATY

IPC: G06F11/36 ,  G06F9/455 ,  G06F21/57

CPC classification number: G06F11/36 ,  G06F9/45508 ,  G06F21/577

Abstract: Computer program, methods, and systems for code modification of a programming language platform and a software application in an intermediate language at different times are disclosed. The methods and system may modify a portion of the programming language platform in the intermediate language at a first time to alter a functionality of or add a new functionality to the programming language platform; and may modify the software application in the intermediate language at a second time different from the first time, where the software application may be modified based on a runtime analysis rule that uses the altered or added new functionality of the programming language platform. The modified programming language platform may be included in a first package, and the modified software application may be included in a second package, and executed on the modified programming language platform.

公开(公告)号：US20180032314A1

公开(公告)日：2018-02-01

申请号：US15222629

申请日：2016-07-28

Applicant: salesforce.com, inc.

Inventor： Sergey GORBATY

IPC: G06F9/44

CPC classification number: G06F11/36 ,  G06F9/45508 ,  G06F21/577

Abstract: Computer program, methods, and systems for code modification of a programming language platform and a software application in an intermediate language at different times are disclosed. The methods and system may modify a portion of the programming language platform in the intermediate language at a first time to alter a functionality of or add a new functionality to the programming language platform; and may modify the software application in the intermediate language at a second time different from the first time, where the software application may be modified based on a runtime analysis rule that uses the altered or added new functionality of the programming language platform. The modified programming language platform may be included in a first package, and the modified software application may be included in a second package, and executed on the modified programming language platform.

公开(公告)号：US20190042762A1

公开(公告)日：2019-02-07

申请号：US16158098

申请日：2018-10-11

Applicant: salesforce.com, inc.

Inventor： Sergey GORBATY ,  Trav is SAFFORD ,  Xiaoran WANG ,  Yoel GLUCK

IPC: G06F21/57 ,  G06F17/30

CPC classification number: G06F21/577 ,  G06F16/22 ,  G06F2221/033

Abstract: During runtime of the software application, the runtime analysis framework may assign input tags to objects associated with the user requests. The input tags may identify the requests as potentially malicious and carry a security risk. The RTA framework then may assign sanitization tags to the objects identifying security checks performed on the objects during runtime. The RTA framework identifies output responses to the user requests that include the objects and compares the input tags assigned to the objects with any sanitization tags assigned to the objects. The RTA framework may identify the software application as susceptible to a security vulnerability when the input tags for the objects do not include corresponding sanitization tags.

公开(公告)号：US20170357811A1

公开(公告)日：2017-12-14

申请号：US15177017

申请日：2016-06-08

Applicant: salesforce.com, inc.

Inventor： Sergey GORBATY ,  Travis SAFFORD ,  Xiaoran WANG

IPC: G06F21/57 ,  G06F17/30

CPC classification number: G06F21/577 ,  G06F16/282

Abstract: A runtime analysis framework (RTA) stores a hierarchical list of input tags and a hierarchical list of output tags. The RTA stores defined vulnerabilities that include associated input tags and output tags. During runtime the software application may receive a request from a user system. The RTA assigns an input tag from the hierarchical list of input tags to an object associated with the request and assigns an output tag from the hierarchical list of output tags to a method generating a response to the request. The RTA identifies one of the defined vulnerabilities as a potential vulnerability if the assigned output tag and output tag associated the potential vulnerability are in a same subtree of the hierarchical list of output tags and the assigned input tag and the input tag associated with the potential vulnerability are in a same subtree of the hierarchical list of input tags.

公开(公告)号：US20170357810A1

公开(公告)日：2017-12-14

申请号：US15176963

申请日：2016-06-08

Applicant: salesforce.com, inc.

Inventor： Sergey GORBATY ,  Travis SAFFORD ,  Xiaoran WANG ,  Yoel GLUCK

IPC: G06F21/57 ,  G06F17/30

CPC classification number: G06F21/577 ,  G06F17/30312 ,  G06F2221/033

Abstract: During runtime of the software application, the runtime analysis framework may assign input tags to objects associated with the user requests. The input tags may identify the requests as potentially malicious and carry a security risk. The RTA framework then may assign sanitization tags to the objects identifying security checks performed on the objects during runtime. The RTA framework identifies output responses to the user requests that include the objects and compares the input tags assigned to the objects with any sanitization tags assigned to the objects. The RTA framework may identify the software application as susceptible to a security vulnerability when the input tags for the objects do not include corresponding sanitization tags.