Runtime protection of web services
First Claim
1. A system for protecting a runtime Web service application, the system comprising:
a trace instrumenter for enabling a Web service application to log its operation and to create an execution trace;
a vulnerability detector for identifying a trace point vulnerability using one or more data payloads;
a taint analyzer for identifying a candidate trace point operation associated with the trace point vulnerability;
a string analyzer for computing a supplementary candidate operation based on the existing trace point operation and the trace point vulnerability;
a defensive instrumenter for instrumenting the Web service application with the supplementary candidate operation;
a memory configured to store an application and an instrumented version of the application;
a processor in communication with the memory, wherein the memory stores processor executable program instructions, that when executed, configure the processor to perform functions of the trace instrumenter, the vulnerability detector, the taint analyzer, the string analyzer, and the defensive instrumenter, and wherein each data payload comprises an example set of data, and wherein the identifying the candidate trace point operation associated with the trace point vulnerability is performed by checking data flow through the application and the instrumented version of the application using one of the one or more data payloads and specifying a security rule to define the data flow, and wherein the candidate trace point operation is an operation for which a payload value has been rejected by a validator or has been sanitized by a sanitizer, and wherein the trace point vulnerability is reported, and wherein the vulnerability detector performs further vulnerabilities testing after the application has been further instrumented with one or more supplementary candidate operations;
wherein the vulnerability detector for identifying a trace point vulnerability using one or more data payloads such that the system infers a security specification according to the trace point vulnerability; and
wherein the string analyzer for computing a supplementary candidate operation based on the existing trace point operation and the trace point vulnerability such that the system acts automatically to satisfy the security specification by supplying the supplementary candidate operation.
Abstract
Protecting a runtime Web service application. A web service application is instrumented to log its operation and allow recreation of its execution trace. Trace point vulnerabilities are identified using one or more data payloads. Candidate trace point operations associated with the trace point vulnerabilities are identified. Supplementary candidate operations are computed based on the existing trace point operations and the one or more data payloads. The Web service application is further instrumented with the one or more supplementary candidate operations.
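The abstract describes a closed loop: instrument the service to emit an execution trace, drive it with example payloads, locate the existing validator or sanitizer on the flow that reached a sink, compute a supplementary operation from the security rule, re-instrument and re-test. The following is an added example written for this page, not code from the patent or its assignee; the handler, the `TracePoint`/`Trace` types, the HTML-sink rule, the payload set and all function names are this example's own assumptions, and the payloads are constructed test data.

```python
"""Toy model of the trace-instrument / detect / taint-analyse / string-analyse /
re-instrument loop.  All identifiers here are the example's own assumptions."""
import html
import re
from dataclasses import dataclass


# --- trace instrumentation: every operation on request data appends a trace point
@dataclass
class TracePoint:
    name: str
    kind: str          # "source", "validator", "sanitizer" or "sink"
    value_in: str
    value_out: str
    accepted: bool = True


class Trace:
    def __init__(self):
        self.points = []

    def record(self, name, kind, value_in, value_out, accepted=True):
        self.points.append(TracePoint(name, kind, value_in, value_out, accepted))


# --- the Web service handler, written with explicit trace points.  Its only
# validator bounds the input length; there is no HTML sanitizer, so markup in
# the parameter reaches the HTML sink unchanged (the defect the loop finds).
def greet_handler(name, trace, extra_ops=()):
    trace.record("request.param", "source", name, name)
    accepted = len(name) <= 40
    trace.record("validate_length", "validator", name, name, accepted)
    if not accepted:
        return "rejected"
    value = name
    for op_name, op in extra_ops:      # supplementary operations added by the defensive instrumenter
        new_value = op(value)
        trace.record(op_name, "sanitizer", value, new_value)
        value = new_value
    out = f"<p>Hello, {value}</p>"
    trace.record("html.write", "sink", value, out)
    return out


# --- security rule (constructed): text reaching an HTML sink must not contain '<' or '>'
HTML_SINK_RULE = re.compile(r"[<>]")

# --- vulnerability detector: run the example set of data and flag sinks whose
# input violates the rule (this is the "trace point vulnerability")
PAYLOADS = ["<b>x</b>", "plain"]    # constructed example payloads


def detect(handler, extra_ops=()):
    findings = []
    for payload in PAYLOADS:
        trace = Trace()
        handler(payload, trace, extra_ops)
        for tp in trace.points:
            if tp.kind == "sink" and HTML_SINK_RULE.search(tp.value_in):
                findings.append((payload, tp.name, trace))
    return findings


# --- taint analyzer: on the flow that produced a finding, the candidate trace
# point operations are those that already validated or sanitized the payload
def candidate_operations(trace):
    return [tp for tp in trace.points if tp.kind in ("validator", "sanitizer")]


# --- string analyzer: derive a supplementary operation from the rule.  The
# inferred specification is "no [<>] may reach the sink"; escaping satisfies it
# without discarding input the existing validator already accepted.
def supplementary_operation(rule):
    def sanitize(s):
        return html.escape(s, quote=True) if rule.search(s) else s
    return ("escape_html_supplementary", sanitize)


# --- defensive instrumenter plus re-test: one pass of the whole loop.
# Returns the operations added and the findings that remain afterwards.
def harden(handler):
    findings = detect(handler)
    if not findings:
        return (), []
    _payload, _sink, trace = findings[0]
    existing = candidate_operations(trace)          # e.g. the length validator
    ops = (supplementary_operation(HTML_SINK_RULE),)
    remaining = detect(handler, ops)                # further testing of the instrumented version
    return ops, remaining


if __name__ == "__main__":
    ops, remaining = harden(greet_handler)
    print("added:", [name for name, _ in ops], "remaining findings:", len(remaining))
```

The first `detect` pass reports the HTML sink for the markup payload; `harden` then appends the escaping operation after the existing length validator and re-runs the detector, which comes back empty. A real implementation would compute the supplementary operation from the string constraints of the existing operation and the rule rather than picking it from a fixed table, but the control flow is the same.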
Specification