CONSTRAINT INJECTION SYSTEM FOR IMMUNIZING SOFTWARE PROGRAMS AGAINST VULNERABILITIES AND ATTACKS
First Claim
1. A non-transitory machine readable storage medium non-transiently storing computer instructions for immunizing a computer program against vulnerabilities and attacks at runtime, the computer instructions comprising:
a node manager in communication with a central management console and configured to dynamically load a constraint library into a computer program while the computer program is running, the constraint library containing a constraint;
a managed program execution engine configured to insert constraint code associated with the constraint of the loaded library into the computer program while the computer program is running, the constraint code comprising machine instructions that correct a flaw of the computer program, the flaw being a security vulnerability or a bug; and
a constraint management engine in communication with the node manager and the managed program execution engine, the constraint management engine being configured to dynamically turn the constraint code of the loaded constraint library on or off as the computer program is running, in response to user input.
Abstract
A constraint is inserted into a program to address a vulnerability of the program to attacks. The constraint includes a segment of code that determines when the program has been asked to execute a “corner case” which does not occur in normal operations. The constraint code can access a library of detector and remediator functions to detect various attacks and remediate against them. Optionally, the detector can be employed without the remediator for analysis. The context of the program can be saved and restored if necessary to continue operating after remediation is performed. The constraints can include descriptors, along with machine instructions or byte code, which indicate how the constraints are to be used.
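The runtime arrangement the abstract describes (a loaded constraint carrying a descriptor, a detector that recognises the corner case, an optional remediator, context saved before remediation, and a switch that turns the constraint on or off while the program keeps running), as an added illustration in C. This is not the patent's code or any product's implementation: the flawed routine, the record format, and every identifier in it (`constraint`, `guarded_payload_len`, `CONSTRAINT_DETECT_ONLY`, and so on) are assumptions made for this example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format (assumed for this example): a 4-byte header, then a payload. */
#define HEADER_LEN 4u

/* Program context handed to detector and remediator functions. */
typedef struct {
    uint32_t total_len;    /* length field read from the input record */
    uint32_t payload_len;  /* value the program will act on afterwards */
    bool     rejected;     /* set by a remediator that refuses the record */
} record_ctx;

typedef bool (*detector_fn)(const record_ctx *ctx);
typedef void (*remediator_fn)(record_ctx *ctx);

/* State the constraint management engine changes at runtime, no restart needed. */
typedef enum { CONSTRAINT_OFF, CONSTRAINT_DETECT_ONLY, CONSTRAINT_REMEDIATE } constraint_mode;

/* A constraint: descriptor fields (id, target) plus the detector/remediator code. */
typedef struct {
    const char     *id;
    const char     *target;        /* routine the constraint guards */
    detector_fn     detect;
    remediator_fn   remediate;     /* may be NULL: detector used alone for analysis */
    constraint_mode mode;
    unsigned        detections;
    unsigned        remediations;
} constraint;

/* The flawed original routine: unsigned subtraction wraps when total_len < HEADER_LEN,
 * yielding a huge payload length. That input is the "corner case" the constraint targets. */
static uint32_t flawed_payload_len(uint32_t total_len) {
    return total_len - HEADER_LEN;
}

/* Detector: recognises the corner case and changes nothing. */
static bool detect_short_record(const record_ctx *ctx) {
    return ctx->total_len < HEADER_LEN;
}

/* Remediator: refuse the record and hand the program a safe length. */
static void remediate_short_record(record_ctx *ctx) {
    ctx->rejected = true;
    ctx->payload_len = 0;
}

/* Constraint library as a node manager would load it into the process (one entry here). */
static constraint g_library[] = {
    { "short-record-underflow", "flawed_payload_len",
      detect_short_record, remediate_short_record, CONSTRAINT_REMEDIATE, 0, 0 },
};

constraint *constraint_find(const char *id) {
    for (size_t i = 0; i < sizeof g_library / sizeof g_library[0]; i++)
        if (strcmp(g_library[i].id, id) == 0) return &g_library[i];
    return NULL;
}

/* Constraint management engine: switch a loaded constraint while the program runs. */
void constraint_set_mode(constraint *k, constraint_mode mode) { k->mode = mode; }

/* Inserted constraint code: runs in front of the flawed routine. */
record_ctx guarded_payload_len(constraint *k, uint32_t total_len) {
    record_ctx ctx = { total_len, 0, false };

    if (k->mode != CONSTRAINT_OFF && k->detect(&ctx)) {
        k->detections++;
        if (k->mode == CONSTRAINT_REMEDIATE && k->remediate != NULL) {
            record_ctx saved = ctx;          /* save context before remediation */
            k->remediate(&ctx);
            k->remediations++;
            if (ctx.rejected)
                return ctx;                  /* program continues with the safe values */
            ctx = saved;                     /* remediator declined: restore and fall through */
        }
        /* detect-only (analysis) mode: the hit is counted, the original still runs */
    }
    ctx.payload_len = flawed_payload_len(total_len);
    return ctx;
}

int main(void) {
    constraint *k = constraint_find("short-record-underflow");
    record_ctx r = guarded_payload_len(k, 2);
    printf("remediate:   rejected=%d payload_len=%" PRIu32 "\n", r.rejected, r.payload_len);
    constraint_set_mode(k, CONSTRAINT_DETECT_ONLY);
    r = guarded_payload_len(k, 2);
    printf("detect-only: rejected=%d payload_len=%" PRIu32 " detections=%u\n",
           r.rejected, r.payload_len, k->detections);
    constraint_set_mode(k, CONSTRAINT_OFF);
    r = guarded_payload_len(k, 2);
    printf("off:         payload_len=%" PRIu32 " detections=%u\n", r.payload_len, k->detections);
    return 0;
}
```

In detect-only mode the original behaviour is left in place (the length still wraps) while the hit is counted, which is the analysis use the abstract mentions; switching the same constraint to remediate mode changes the outcome of the very next call without reloading anything. A real deployment would patch the guard in at the routine's entry rather than calling it through a wrapper, and would report the counters to the management console rather than printing them.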
20 Claims
1. Independent claim 1 (reproduced in full above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method for immunizing a computer program against vulnerabilities and attacks at runtime, the method comprising:
dynamically loading a constraint library into a computer program while the computer program is running, the constraint library containing a constraint;
inserting constraint code associated with the constraint of the loaded library into the computer program while the computer program is running, the constraint code comprising machine instructions that correct a flaw of the computer program, the flaw being a security vulnerability or a bug; and
dynamically turning the constraint code of the loaded constraint library on or off as the computer program is running, in response to user input.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
19. An apparatus configured to immunize a computer program against vulnerabilities and attacks at runtime, the apparatus comprising:
one or more computer processors; and
a computer-readable storage medium comprising instructions for controlling the one or more computer processors to be operable to:
dynamically load a constraint library into a computer program while the computer program is running, the constraint library containing a constraint;
insert constraint code associated with the constraint of the loaded library into the computer program while the computer program is running, the constraint code comprising machine instructions that correct a flaw of the computer program, the flaw being a security vulnerability or a bug; and
dynamically turn the constraint code of the loaded constraint library on or off as the computer program is running, in response to user input.
Dependent claim: 20.