-
公开(公告)号:US09152796B2
公开(公告)日:2015-10-06
申请号:US14288563
申请日:2014-05-28
Applicant: salesforce.com, inc.
Inventor: Yoel Gluck , Xiaoran Wang
CPC classification number: G06F21/577 , G06F11/3003 , G06F11/3072 , G06F11/3093 , G06F11/3466 , G06F11/3476 , G06F11/3604 , G06F2201/86 , G06F2201/865
Abstract: An interpreter is modified to create a source tracking object for a data object received from a data source and to record information associated with the data source into the source tracking object. The interpreter is modified to create a copy of the data object for a tracking event in an application program, to create a flow tracking object for the tracking event, and to record information associated with the tracking event into the flow tracking object as the tracking event processes the copy of the data object. The interpreter is modified to create a sink tracking object for outputting the copy of the data object to a data sink and to record information associated with the data sink into the sink tracking object. The source tracking object, the flow tracking object, and the sink tracking object are output as dynamic analysis of dataflow in the application program.
Abstract translation: 修改解释器以为从数据源接收的数据对象创建源跟踪对象,并将与数据源相关联的信息记录到源跟踪对象中。 解释器被修改以在应用程序中创建用于跟踪事件的数据对象的副本,以创建用于跟踪事件的流跟踪对象,并且将与跟踪事件相关联的信息记录到流跟踪对象中作为跟踪事件 处理数据对象的副本。 解释器被修改以创建接收器跟踪对象,用于将数据对象的副本输出到数据宿,并将与数据宿相关联的信息记录到宿跟踪对象中。 源跟踪对象,流跟踪对象和接收器跟踪对象作为应用程序中数据流的动态分析输出。
-
公开(公告)号:US20150121533A1
公开(公告)日:2015-04-30
申请号:US14288563
申请日:2014-05-28
Applicant: salesforce.com, inc.
Inventor: Yoel Gluck , Xiaoran Wang
IPC: G06F21/57
CPC classification number: G06F21/577 , G06F11/3003 , G06F11/3072 , G06F11/3093 , G06F11/3466 , G06F11/3476 , G06F11/3604 , G06F2201/86 , G06F2201/865
Abstract: An interpreter is modified to create a source tracking object for a data object received from a data source and to record information associated with the data source into the source tracking object. The interpreter is modified to create a copy of the data object for a tracking event in an application program, to create a flow tracking object for the tracking event, and to record information associated with the tracking event into the flow tracking object as the tracking event processes the copy of the data object. The interpreter is modified to create a sink tracking object for outputting the copy of the data object to a data sink and to record information associated with the data sink into the sink tracking object. The source tracking object, the flow tracking object, and the sink tracking object are output as dynamic analysis of dataflow in the application program.
Abstract translation: 修改解释器以为从数据源接收的数据对象创建源跟踪对象,并将与数据源相关联的信息记录到源跟踪对象中。 解释器被修改以在应用程序中创建用于跟踪事件的数据对象的副本,以创建用于跟踪事件的流跟踪对象,并且将与跟踪事件相关联的信息记录到流跟踪对象中作为跟踪事件 处理数据对象的副本。 解释器被修改以创建接收器跟踪对象,用于将数据对象的副本输出到数据宿,并将与数据宿相关联的信息记录到宿跟踪对象中。 源跟踪对象,流跟踪对象和接收器跟踪对象作为应用程序中数据流的动态分析输出。
-
公开(公告)号:US10387658B2
公开(公告)日:2019-08-20
申请号:US16158098
申请日:2018-10-11
Applicant: salesforce.com, inc.
Inventor: Sergey Gorbaty , Travis Safford , Xiaoran Wang , Yoel Gluck
Abstract: During runtime of the software application, the runtime analysis framework may assign input tags to objects associated with the user requests. The input tags may identify the requests as potentially malicious and carry a security risk. The RTA framework then may assign sanitization tags to the objects identifying security checks performed on the objects during runtime. The RTA framework identifies output responses to the user requests that include the objects and compares the input tags assigned to the objects with any sanitization tags assigned to the objects. The RTA framework may identify the software application as susceptible to a security vulnerability when the input tags for the objects do not include corresponding sanitization tags.
-
4.发明授权System and method for dynamic analysis tracking object associations for application dataflow 有权用于动态分析的系统和方法跟踪应用程序数据流的对象关联公开(公告)号:US09177137B2
公开(公告)日:2015-11-03
申请号:US14067247
申请日:2013-10-30
Applicant: salesforce.com, inc.
Inventor: Yoel Gluck , Xiaoran Wang
CPC classification number: G06F21/54 , G06F2221/2101 , H04L63/1433
Abstract: Data source information is recorded into a source tracking object embedded in a wrapper object pointing to a data object from the data source. Tracking event information is recorded into a flow tracking object embedded in a wrapper object copy as the tracking event processes the wrapper object copy. Other tracking event information is recorded into another flow tracking object embedded in another wrapper object as the other tracking event processes the other wrapper object. The flow tracking object is associated with the other flow tracking object in response to a field retrieval of the wrapper object copy from the other wrapper object. The wrapper object copy is output to a data sink. Data sink information is recorded into a sink tracking object embedded in the wrapper object copy. The tracking objects are output as dynamic analysis of dataflow in the application program.
Abstract translation: 数据源信息被记录到嵌入在指向数据源的数据对象的包装器对象中的源跟踪对象中。 当跟踪事件处理包装对象副本时,跟踪事件信息被记录在嵌入在包装对象副本中的流跟踪对象中。 当另一个跟踪事件处理另一个包装对象时,其他跟踪事件信息被记录到另一个包装对象嵌入的另一个流程跟踪对象中。 响应于来自另一包装对象的包装对象副本的字段检索,流跟踪对象与另一个流跟踪对象相关联。 包装对象副本被输出到数据接收器。 数据接收器信息被记录在嵌入在包装器对象副本中的接收器跟踪对象中。 跟踪对象作为应用程序中数据流的动态分析输出。
-
5.发明申请SYSTEM AND METHOD FOR DYNAMIC ANALYSIS TRACKING OBJECT ASSOCIATIONS FOR APPLICATION DATAFLOW 有权用于动态分析的系统和方法跟踪应用数据流的对象关联公开(公告)号:US20140173743A1
公开(公告)日:2014-06-19
申请号:US14067247
申请日:2013-10-30
Applicant: salesforce.com, inc.
Inventor: Yoel Gluck , Xiaoran Wang
IPC: G06F21/57
CPC classification number: G06F21/54 , G06F2221/2101 , H04L63/1433
Abstract: Data source information is recorded into a source tracking object embedded in a wrapper object pointing to a data object from the data source. Tracking event information is recorded into a flow tracking object embedded in a wrapper object copy as the tracking event processes the wrapper object copy. Other tracking event information is recorded into another flow tracking object embedded in another wrapper object as the other tracking event processes the other wrapper object. The flow tracking object is associated with the other flow tracking object in response to a field retrieval of the wrapper object copy from the other wrapper object. The wrapper object copy is output to a data sink. Data sink information is recorded into a sink tracking object embedded in the wrapper object copy. The tracking objects are output as dynamic analysis of dataflow in the application program.
Abstract translation: 数据源信息被记录到嵌入在指向数据源的数据对象的包装器对象中的源跟踪对象中。 当跟踪事件处理包装对象副本时,跟踪事件信息被记录在嵌入在包装对象副本中的流跟踪对象中。 当另一个跟踪事件处理另一个包装对象时,其他跟踪事件信息被记录到另一个包装对象嵌入的另一个流程跟踪对象中。 响应于来自另一包装对象的包装对象副本的字段检索,流跟踪对象与另一个流跟踪对象相关联。 包装对象副本被输出到数据接收器。 数据接收器信息被记录在嵌入在包装对象副本中的接收器跟踪对象中。 跟踪对象作为应用程序中数据流的动态分析输出。
-
Patent Agency Ranking
公开(公告)号:US10380347B2
公开(公告)日:2019-08-13
申请号:US15177017
申请日:2016-06-08
Applicant: salesforce.com, inc.
Inventor: Sergey Gorbaty , Travis Safford , Xiaoran Wang
Abstract: A runtime analysis framework (RTA) stores a hierarchical list of input tags and a hierarchical list of output tags. The RTA stores defined vulnerabilities that include associated input tags and output tags. During runtime the software application may receive a request from a user system. The RTA assigns an input tag from the hierarchical list of input tags to an object associated with the request and assigns an output tag from the hierarchical list of output tags to a method generating a response to the request. The RTA identifies one of the defined vulnerabilities as a potential vulnerability if the assigned output tag and output tag associated the potential vulnerability are in a same subtree of the hierarchical list of output tags and the assigned input tag and the input tag associated with the potential vulnerability are in a same subtree of the hierarchical list of input tags.
-
公开(公告)号:US10140456B2
公开(公告)日:2018-11-27
申请号:US15176963
申请日:2016-06-08
Applicant: salesforce.com, inc.
Inventor: Sergey Gorbaty , Travis Safford , Xiaoran Wang , Yoel Gluck
Abstract: During runtime of the software application, the runtime analysis framework may assign input tags to objects associated with the user requests. The input tags may identify the requests as potentially malicious and carry a security risk. The RTA framework then may assign sanitization tags to the objects identifying security checks performed on the objects during runtime. The RTA framework identifies output responses to the user requests that include the objects and compares the input tags assigned to the objects with any sanitization tags assigned to the objects. The RTA framework may identify the software application as susceptible to a security vulnerability when the input tags for the objects do not include corresponding sanitization tags.
-
8.发明申请SYSTEM AND METHOD FOR DYNAMIC ANALYSIS TRACKING OBJECTS FOR APPLICATION DATAFLOW 有权用于应用数据流的动态分析跟踪对象的系统和方法公开(公告)号:US20140173741A1
公开(公告)日:2014-06-19
申请号:US14067131
申请日:2013-10-30
Applicant: salesforce.com, inc.
Inventor: Yoel Gluck , Xiaoran Wang
IPC: G06F21/57
CPC classification number: G06F21/54 , G06F2221/2101 , H04L63/1433
Abstract: Systems and methods are provided for dynamic analysis tracking objects for application dataflow. A system receives a data object from a data source, creates a source tracking object for the data object, and records information associated with the data source into the source tracking object. The system creates a copy of the data object for a tracking event in the application program, creates a flow tracking object for the tracking event, and records information associated with the tracking event into the flow tracking object as the tracking event processes the copy of the data object. The system outputs the copy of the data object to a data sink, creates a sink tracking object for the data sink, and records information associated with the data sink into the sink tracking object. The system outputs the source tracking object, the flow tracking object, and the sink tracking object as dynamic analysis of dataflow in the application program.
Abstract translation: 为应用数据流的动态分析跟踪对象提供了系统和方法。 系统从数据源接收数据对象,为数据对象创建源跟踪对象,并将与数据源相关联的信息记录到源跟踪对象中。 该系统为应用程序中的跟踪事件创建数据对象的副本,为跟踪事件创建一个流程跟踪对象,并将跟踪事件相关联的信息记录到流程跟踪对象中,因为跟踪事件处理 数据对象。 系统将数据对象的副本输出到数据接收器,为数据接收器创建接收器跟踪对象,并将与数据接收器相关联的信息记录到接收器跟踪对象中。 系统输出源跟踪对象,流跟踪对象和宿跟踪对象作为应用程序中数据流的动态分析。
-
9.发明申请SYSTEM AND METHOD FOR DYNAMIC ANALYSIS BYTECODE INJECTION FOR APPLICATION DATAFLOW 有权用于应用数据流的动态分析跟踪注入的系统和方法公开(公告)号:US20140173571A1
公开(公告)日:2014-06-19
申请号:US14067294
申请日:2013-10-30
Applicant: salesforce.com, inc.
Inventor: Yoel Gluck , Xiaoran Wang
IPC: G06F11/36
CPC classification number: G06F11/30 , G06F11/3636 , G06F11/3644 , G06F21/00 , G06F21/54 , G06F2221/2123
Abstract: Bytecode is injected to create a source tracking object for a data object received from a data source and to record information associated with the data source into the source tracking object. Bytecode is injected to create a copy of the data object for a tracking event in an application program, to create a flow tracking object for the tracking event, and to record information associated with the tracking event into the flow tracking object as the tracking event processes the copy of the data object. Bytecode is injected to create a sink tracking object for outputting the copy of the data object to a data sink and to record information associated with the data sink into the sink tracking object. Bytecode is injected to output the source tracking object, the flow tracking object, and the sink tracking object as dynamic analysis of dataflow in the application program.
Abstract translation: 注入字节码以为从数据源接收的数据对象创建源跟踪对象,并将与数据源相关联的信息记录到源跟踪对象中。 注入字节代码以在应用程序中创建用于跟踪事件的数据对象的副本,以创建用于跟踪事件的流跟踪对象,并且在跟踪事件处理时将与跟踪事件相关联的信息记录到流跟踪对象中 数据对象的副本。 注入字节代码以创建用于将数据对象的副本输出到数据宿的接收器跟踪对象,并且将与数据宿相关联的信息记录到宿跟踪对象中。 注入字节代码输出源跟踪对象,流跟踪对象和宿跟踪对象,作为应用程序中数据流的动态分析。
-
10.发明授权System and method for dynamic analysis wrapper objects for application dataflow 有权动态分析用于应用程序数据流的包装对象的系统和方法公开(公告)号:US09171169B2
公开(公告)日:2015-10-27
申请号:US14067205
申请日:2013-10-30
Applicant: salesforce.com, inc.
Inventor: Yoel Gluck , Xiaoran Wang
CPC classification number: G06F21/577 , G06F21/54 , G06F2221/2101 , H04L63/1433
Abstract: Systems and methods are provided for dynamic analysis wrapper objects for application dataflow. A system creates a wrapper object that points to a data object received from a data source, creates a source tracking object for the wrapper object, and records information associated with the data source into the source tracking object. The system creates a copy of the wrapper object for a tracking event in an application program, creates a flow tracking object for the tracking event, and records information associated with the tracking event into the flow tracking object as the tracking event processes the copy of the wrapper object. The system outputs the copy of the wrapper object to a data sink for the application program, creates a sink tracking object for the data sink, and records information associated with the data sink into the sink tracking object. The system outputs the source tracking object, the flow tracking object, and the sink tracking object as dynamic analysis of dataflow in the application program.
Abstract translation: 为应用程序数据流的动态分析包装对象提供了系统和方法。 系统创建指向从数据源接收的数据对象的包装对象,为包装对象创建源跟踪对象,并将与数据源相关联的信息记录到源跟踪对象中。 系统在应用程序中创建跟踪事件的包装对象的副本,为跟踪事件创建流跟踪对象,并将跟踪事件相关联的信息记录到流跟踪对象中,因为跟踪事件处理 包装对象。 系统将包装对象的副本输出到应用程序的数据接收器,为数据宿创建宿跟踪对象,并将与数据宿相关联的信息记录到宿跟踪对象中。 系统输出源跟踪对象,流跟踪对象和宿跟踪对象作为应用程序中数据流的动态分析。
-
-
-
-
-
-
-
-
-
Search Results
12
records
(took 0.014 seconds)
