Application aware virtual patching

US 10,083,024 B2
Filed: 12/01/2015
Issued: 09/25/2018
Est. Priority Date: 12/01/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for patching code for web apps in between software releases, the method comprising:

receiving a particular web application request comprising request data;

retrieving by a filter implemented by one of a plurality of application components, the filter for processing virtual patches that access a private state of the one of the plurality of application components implementing the filter, a set of virtual patches relevant to a particular application-specific local context of a distinct application component within a web application partitioned into a plurality of distinct application components, wherein a virtual patch of the set of retrieved virtual patches is a data object that comprises;

a particular context specification that identifies a protected logic component to which control may be returned of the web application that will apply test input against the virtual patch;

a condition applying to the request data and referencing;

a value of one or more parameters in an http request message that invokes an interface in the web application; and

a value of a local state variable in the particular application-specific local context; and

a directive that specifies at least one action to be performed when the condition is satisfied;

in the filter of the one of the plurality of application components that implements the filter, using portions of the request data referenced by the condition to satisfy the condition; and

responsive to satisfying the condition, applying by the filter, the virtual patch to at most the one of the plurality of application components that implements the filter and having a current application-specific local context that matches the retrieving virtual patches by performing the directive.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The technology disclosed relates to thwarting attempts in between software releases to take advantage of security holes in web applications. A virtual patch is a data object comprising an identifier that indicates a relevant local context for the patch and may be created while the application is running. One or more conditions included in the patch are evaluated using data from a service request or from the local context. A patch directive specifies an action to perform when the one or more conditions are satisfied. A virtual patch may be applied to the running application without requiring replacing the application code. Responsive to a request for a web service, a web application may execute code in multiple distinct local contexts such as session management, authorization, and application-specific business logic. The code for each local context may independently retrieve a set of virtual patches relevant to its particular local context.

171 Citations

19 Claims

1. A computer-implemented method for patching code for web apps in between software releases, the method comprising:
- receiving a particular web application request comprising request data;
  
  retrieving by a filter implemented by one of a plurality of application components, the filter for processing virtual patches that access a private state of the one of the plurality of application components implementing the filter, a set of virtual patches relevant to a particular application-specific local context of a distinct application component within a web application partitioned into a plurality of distinct application components, wherein a virtual patch of the set of retrieved virtual patches is a data object that comprises;
  
  a particular context specification that identifies a protected logic component to which control may be returned of the web application that will apply test input against the virtual patch;
  
  a condition applying to the request data and referencing;
  
  a value of one or more parameters in an http request message that invokes an interface in the web application; and
  
  a value of a local state variable in the particular application-specific local context; and
  
  a directive that specifies at least one action to be performed when the condition is satisfied;
  
  in the filter of the one of the plurality of application components that implements the filter, using portions of the request data referenced by the condition to satisfy the condition; and
  
  responsive to satisfying the condition, applying by the filter, the virtual patch to at most the one of the plurality of application components that implements the filter and having a current application-specific local context that matches the retrieving virtual patches by performing the directive.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The computer-implemented method of claim 1, wherein a plurality of application-specific components each retrieves respective virtual patches.
  - 3. The computer-implemented method of claim 1, wherein the request data comprises an http request message including at least HEADER data and optionally COOKIE or PARAMETER data.
  - 4. The computer-implemented method of claim 3, where the identification of the particular local context is derived from a value in the Universal Resource Identifier (URI) of the http header.
  - 5. The computer-implemented method of claim 1, wherein the particular local context includes private state data maintained by one of a set of protected components including at least a session component and an authorization component.
  - 6. The computer-implemented method of claim 1, wherein a virtual patch is expressed in XML.
  - 7. The computer-implemented method of claim 1, wherein the particular web application request is received by the web application during execution, and a matching virtual patch is applied without replacing web application code or restarting the web application.
  - 8. The computer-implemented method of claim 1, wherein the condition of a virtual patch invokes a function that is only accessible within the local context to retrieve a data value in the local context.
  - 9. The computer-implemented method of claim 1, wherein a virtual patch is received from an administrative console and stored, wherein the virtual patch is stored after the web application is ready to receive web application requests.
  - 10. The computer-implemented method of claim 1, wherein the directive included in the virtual patch is one of:
    - block the web application request; and
      
      log the web application request.
  - 11. The computer-implemented method of claim 1, wherein the condition included in the virtual patch includes a parameter name, a matching type, and a string, wherein:
    - the matching type is one of MATCH, SUB STRING, REGULAR EXPRESSION; and
      
      the condition is satisfied when one of the following is true;
      
      the matching type is MATCH and the string exactly matches the value of the named parameter;
      
      the matching type is SUBSTRING, and the string is a substring of the value of the named parameter;
      
      orthe matching type is REGULAR EXPRESSION, and the string is a regular expression that matches the value of the named parameter.
  - 12. The computer-implemented method of claim 1, further comprising preparing a plurality of virtual patches for deployment as temporary fixes to a plurality of web applications, the preparing comprises:
    - transforming user input into a particular data object that specifies a particular virtual patch to change how a http request message is processed by a particular web application, wherein attributes of the particular virtual patch comprise;
      
      a specification of a respective particular context that identifies a respective protected logic component to which control may be returned of the particular web application that will apply test input against the particular virtual patch;
      
      a particular condition that references at least one of;
      
      a particular value of a parameter in an http request message that invokes an interface in the particular web application; and
      
      a value of a particular local state variable in the respective particular context; and
      
      a particular directive that specifies at least one particular action to be performed when the particular condition is satisfied, the at least one particular action including;
      
      block the http request message from being further processed; and
      
      log data from the http request message; and
      
      storing the particular virtual patch in a manner retrievable by or pushable to the particular web application.
  - 13. The computer-implemented method of claim 12, wherein the directive specifies one of the following further actions to be performed:
    - change the value of data in the http request message; and
      
      change the value of one or more application state variables.
  - 14. The method of claim 12, wherein the method is performed by an administrative console and the particular virtual patch is received from a user through a user interface.
  - 15. The computer-implemented method of claim 12, wherein storing the particular virtual patch comprises one or more of:
    - pushing the particular virtual patch to the particular web application which it patches;
      
      storing the particular virtual patch in a database that is directly accessible by the particular web application which it patches; and
      
      receiving a request for undelivered virtual patches and delivering the particular virtual patch to the particular web application which it patches.
  - 16. The method of claim 1, wherein each distinct application component includes its own application-specific local context comprising one or more tasks or functions performed by the distinct application component and a data state including at least data used in the application component that is not available to code in other application components within the same application.
  - 17. The method of claim 1, wherein a filter is on same side of a firewall as the application component that implements the filter.

18. A non-transitory computer readable memory storing instructions for patching code for web apps in between software releases, wherein the instructions perform:
- receiving a particular web application request comprising request data;
  
  retrieving by a filter implemented by one of a plurality of application components on the same side of a firewall as the one of the plurality of application components, the filter for processing virtual patches that access a private state of the one of the application components implementing the filter, a set of virtual patches relevant to a particular application-specific local context of a distinct application component within a web application partitioned into a plurality of distinct application components, wherein a virtual patch of the set of retrieved virtual patches is a data object that comprises;
  
  a particular context specification that identifies a protected logic component to which control may be returned of the web application that will apply test input against the virtual patch;
  
  a condition applying to the request data and referencing;
  
  a value of one or more parameters in an http request message that invokes an interface in the web application; and
  
  a value of a local state variable in the particular application-specific local context; and
  
  a directive that specifies at least one action to be performed when the condition is satisfied;
  
  in the filter of the one of the plurality of application components that implements the filter, using portions of the request data referenced by the condition to satisfy the condition; and
  
  responsive to satisfying the condition, applying by the filter, the virtual patch to at most the one of the plurality of application components that implements the filter and having a current application-specific local context that matches the retrieving virtual patches by performing the directive.

19. A web server that patches code for web apps in between software releases, the web server comprising:
- a processor coupled to a network interface and a memory storing instructions that perform;
  
  receiving a particular web application request comprising request data;
  
  retrieving by a filter implemented by one of a plurality of application components on the same side of a firewall as the one of the plurality of application components, the filter for processing virtual patches that access a private state of the one of the plurality of application components implementing the filter, a set of virtual patches relevant to a particular application-specific local context of a distinct application component within a web application partitioned into a plurality of distinct application components, wherein a virtual patch of the set of retrieved virtual patches is a data object that comprises;
  
  a particular context specification that identifies a protected logic component to which control may be returned of the web application that will apply test input against the virtual patch;
  
  a condition applying to the request data and referencing;
  
  a value of one or more parameters in an http request message that invokes an interface in the web application; and
  
  a value of a local state variable in the particular application-specific local context; and
  
  a directive that specifies at least one action to be performed when the condition is satisfied;
  
  in the filter of the one of the plurality of application components that implements the filter, using portions of the request data referenced by the condition to satisfy the condition; and
  
  responsive to satisfying the condition, applying by the filter, the virtual patch to at most the one of the plurality of application components that implements the filter and having a current application-specific local context that matches the retrieving virtual patches by performing the directive.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Gopalakrishnan, Amalkrishnan Chemmany
Primary Examiner(s)
Dascomb, Jacob D

Application Number

US14/956,129
Publication Number

US 20170153882A1
Time in Patent Office

1,029 Days
Field of Search
US Class Current
CPC Class Codes

G06F 8/65   Updates security arrangemen...

H04L 63/1433   Vulnerability analysis

H04L 67/02   based on web technology, e....

H04L 67/34   involving the movement of s...

Application aware virtual patching

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

171 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Application aware virtual patching

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

171 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links