PROGRAM INSTRUMENTATION METHOD AND APPARATUS FOR CONSTRAINING THE BEHAVIOR OF EMBEDDED SCRIPT IN DOCUMENTS

US 20080083012A1
Filed: 06/20/2007
Published: 04/03/2008
Est. Priority Date: 06/26/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

downloading a document with a script program embedded therein, wherein the script program comprises self-modifying code;

inspecting the script program; and

rewriting the script program to cause behavior resulting from execution of the script to conform to one or more policies defining safety and security.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus is disclosed herein for constraining the behavior of embedded script in documents using program instrumentation. In one embodiment, the method comprises downloading a document with a script program embedded therein, inspecting the script program, and rewriting the script program to cause behavior resulting from execution of the script to conform to one or more policies defining safety and security. The script program comprises self-modifying code (e.g., dynamically generated script).

Citations

28 Claims

1. A method comprising:
- downloading a document with a script program embedded therein, wherein the script program comprises self-modifying code;
  
  inspecting the script program; and
  
  rewriting the script program to cause behavior resulting from execution of the script to conform to one or more policies defining safety and security.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method defined in claim 1 wherein the self-modifying code comprises dynamically-generated JavaScript.
  - 3. The method defined in claim 1 wherein rewriting the script program comprises performing syntax-directed rewriting on demand.
  - 4. The method defined in claim 1 wherein rewriting the script program comprises inserting a run-time check into the script program.
  - 5. The method defined in claim 4 wherein the run-time check comprises one or more of a group consisting of a security check and a user warning.
  - 6. The method defined in claim 4 wherein the run-time check comprises code, which when executed at run-time, causes a call to an instrumentation process to instrument the script program in the document in response to performing an evaluation operation of the document.
  - 7. The method defined in claim 1 wherein rewriting the script program comprises adding code to redirect an action through a policy module during run-time execution.
  - 8. The method defined in claim 7 further comprising the policy module performing a replacement action for the action at run-time.
  - 9. The method defined in claim 1 wherein the rewritten script program is part of an instrumented version of the document.
  - 10. The method defined in claim 9 wherein the instrumented version of the document includes hidden script, and further comprising rewriting the hidden script when the hidden script is generated during run-time.
  - 11. The method defined in claim 1 wherein rewriting the script program comprises:
    - parsing the document into abstract syntax trees;
      
      performing rewriting on the abstract syntax trees; and
      
      generating instrumented script code and an instrumented document from the abstract syntax trees.
  - 12. The method defined in claim 1 wherein the one or more policies are dynamically modifiable.
  - 13. The method defined in claim 1 wherein the one or more policies are expressed as edit automata.
  - 14. The method defined in claim 1 wherein at least one policy transforms a first action sequence in script program to a second action sequence different than the first action sequence.
  - 15. The method defined in claim 1 wherein the one or more policies comprise one policy that combines multiple policies into one policy.
  - 16. The method defined in claim 1 further comprising:
    - maintaining states relevant to an edit automaton of the policy, including a current state and a complete transition function; and
      
      calling a check function on an action and, in response thereto, advancing the state of the automaton and provides a replacement action for the action.
  - 17. The method defined in claim 1 wherein the document is an HTML document.
  - 18. The method defined in claim 1 wherein the script program is one of a group consisting of JavaScript and an ECMAscript-based program.
  - 19. The method defined in claim 1 wherein downloading the document is performed by a browser or other software that includes an interpreter for JavaScript program or an interpreter for an ECMAscript-based program in a client.

20. A proxy comprising:
- a policy management module to implement a security policy;
  
  a rewriting module to perform a rewriting process to rewrite a script embedded in a document based on the security policy, wherein the script program comprises self-modifying code, wherein the rewriting process instruments the document based on one or more policies to control the script in the document so that behavior resulting from execution of the script conforms to safety and security requirements;
  
  an interpretation module to interpret instructions added to the scripts during rewriting.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The proxy defined in claim 20 wherein the proxy comprises a part of a browser.
  - 22. The proxy defined in claim 20 wherein execution of one of the instructions added to the script program causes an expression corresponding to the document with the script embedded therein to be evaluated at run-time and cause a document generated by the interpretation module at run-time to be sent through the rewriting module to undergo a rewriting process.
  - 23. The proxy defined in claim 20 wherein the policy management module and the rewriting module are separate modules.
  - 24. The proxy defined in claim 20 wherein the policy module maintains states relevant to the edit automaton of the policy, including a current state and a complete transition function.
  - 25. The proxy defined in claim 24 wherein the policy module is called with a check function on an action and, in response thereto, advances the state of the automaton and provides a replacement action for the action.
  - 26. The proxy defined in claim 20 wherein the document is downloaded from a networked environment in response to a request from a browser.
  - 27. The proxy defined in claim 20 wherein the rewriting module:
    - parses documents into abstract syntax trees. performs rewriting on the abstract syntax trees, and generates instrumented script code and documents from the abstract syntax trees.

28. An article of manufacturing having one or more machine-readable media storing instructions which, when executed by a machine, cause the machine to:
- download a document with a script program embedded therein, wherein the script program comprises self-modifying code;
  
  inspect the script program; and
  
  rewrite the script program to cause behavior resulting from execution of the script to conform to one or more policies defining safety and security.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NTT Docomo Incorporated (Nippon Telegraph and Telephone Corporation)
Original Assignee
DOCOMO Communications Laboratories USA, Inc.
Inventors
Chander, Ajay, Islam, Nayeem, Yu, Dachuan

Application Number

US11/765,918
Publication Number

US 20080083012A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/51   at application loading time...

G06F 21/56   Computer malware detection ...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

PROGRAM INSTRUMENTATION METHOD AND APPARATUS FOR CONSTRAINING THE BEHAVIOR OF EMBEDDED SCRIPT IN DOCUMENTS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

PROGRAM INSTRUMENTATION METHOD AND APPARATUS FOR CONSTRAINING THE BEHAVIOR OF EMBEDDED SCRIPT IN DOCUMENTS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links