Directed execution of dynamic programs in isolated environments

US 9,317,694 B2
Filed: 12/03/2013
Issued: 04/19/2016
Est. Priority Date: 12/03/2013
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a device that includes at least one processor, the device including a dynamic program validation engine comprising instructions stored on a computer readable storage medium for execution by the at least one processor, the dynamic program validation engine including;

an object acquisition component that obtains a test object that includes dynamic executable code;

an object transformation component that transforms at least a portion of the test object into a transformed format test object that is configured to execute in a hosted isolated computing environment, the transforming the at least a portion of the test object including replacing item names of referenced content items with local reference names of items that are stored locally, after download from one or more referenced sources that are external to the hosted isolated computing environment;

a directed execution component that initiates directed execution of the transformed format test object, in the hosted isolated computing environment; and

a vulnerability detection component that detects dynamic code vulnerabilities of the test object, based on the directed execution.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A test object that includes at least one computer program that includes dynamic executable code is obtained. The at least one computer program is transformed into a format that is configured to execute in a hosted isolated computing environment. Directed execution of the at least one computer program is initiated, in the hosted isolated computing environment. Dynamic code vulnerabilities of the at least one computer program are detected, based on the directed execution.

16 Citations

View as Search Results

20 Claims

1. A system comprising:
- a device that includes at least one processor, the device including a dynamic program validation engine comprising instructions stored on a computer readable storage medium for execution by the at least one processor, the dynamic program validation engine including;
  
  an object acquisition component that obtains a test object that includes dynamic executable code;
  
  an object transformation component that transforms at least a portion of the test object into a transformed format test object that is configured to execute in a hosted isolated computing environment, the transforming the at least a portion of the test object including replacing item names of referenced content items with local reference names of items that are stored locally, after download from one or more referenced sources that are external to the hosted isolated computing environment;
  
  a directed execution component that initiates directed execution of the transformed format test object, in the hosted isolated computing environment; and
  
  a vulnerability detection component that detects dynamic code vulnerabilities of the test object, based on the directed execution.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein:
    - the directed execution component initiates the directed execution of the transformed format test object, in the hosted isolated computing environment, without accessing non-local source servers from which the test object was obtained, and without accessing non-local referenced servers that are referenced by the test object.
  - 3. The system of claim 1, wherein:
    - the directed execution is performed without using a browser, within the hosted isolated computing environment that includes a computing environment that is under the control of only a single hosting entity.
  - 4. The system of claim 1, wherein:
    - the directed execution includes instantiating an instance of at least one computer program included in the test object, without using a browser, within the hosted isolated computing environment that includes a computing environment that is under the control of only a single hosting entity, with references to referenced content items resolved to references to copies of the referenced content items that have been obtained and stored locally within the hosted isolated computing environment, and iterating through all different execution paths of the at least one computer program to detect the dynamic code vulnerabilities.
  - 5. The system of claim 1, wherein:
    - obtaining the test object includes obtaining a first web page from an initial source server, and obtaining one or more referenced content items from one or more referenced sources that are referenced by content obtained from the initial source server.
  - 6. The system of claim 1, further comprising:
    - a reset component that resets a state of the transformed format test object to a prior version during testing.
  - 7. The system of claim 1, wherein:
    - transforming the at least a portion of the test object includes;
      
      replacing item names of referenced content items with local reference names corresponding to Universal Resource Identifiers (URIs) located in the hosted isolated computing environment, where the referenced content items are stored locally, after download from one or more referenced sources that are external to the hosted isolated computing environment, andreplacing Universal Resource Identifiers (URIs) included in code of at least one computer program included in the test object with corresponding ones of the local reference names.
  - 8. The system of claim 1, wherein:
    - the object transformation component transforms the at least a portion of the test object into a locally stored document object model (DOM) format that is configured to model at least one computer program included in the test object, with Universal Resource Identifiers (URIs) modified to reference only items located locally to the hosted isolated computing environment.
  - 9. The system of claim 8, further comprising:
    - an object instrumentation component that instruments the transformed format test object for testing at least a portion of the dynamic executable code for cross-site scripting (XSS) vulnerabilities.
  - 10. The system of claim 8, wherein:
    - the vulnerability detection component detects the dynamic code vulnerabilities of the test object based on determining one or more changes in state of the transformed DOM format, from an initial transformed state, to a changed state, after the directed execution locally in the hosted isolated computing environment.
  - 11. The system of claim 10, wherein:
    - determining one or more changes in state of the transformed DOM format includes determining whether the dynamic executable code is configured for execution-time modification of the dynamic executable code to an unacceptable execution state, from a user perspective.
  - 12. The system of claim 1, wherein:
    - the directed execution of the transformed format test object includes directed execution of the transformed format test object that is comprehensively performed within a local process boundary using only resources that are under the control of a local testing tool of a user of the dynamic program validation engine.
  - 13. The system of claim 1, wherein:
    - the directed execution of the transformed format test object includes directed execution of the transformed format test object that is performed within a local process boundary using only resources that are under the control of a local testing tool, as a background process to a browser processing of the test object, that is not configured to be performed totally within the hosted isolated computing environment.
  - 14. The system of claim 13, wherein:
    - the vulnerability detection component initiates a blocking of one or more execution paths of at least one computer program included in the test object, based on one or more detected dynamic code vulnerabilities of the at least one computer program, after detection by the local testing tool.
  - 15. The system of claim 1, wherein:
    - the vulnerability detection component provides a report of the dynamic code vulnerabilities of the test object.

16. A method comprising:
- obtaining a test object that includes at least one computer program that includes dynamic executable code;
  
  transforming the at least one computer program into a format that is configured to execute in a hosted isolated computing environment, the transforming the at least one computer program including replacing item names of referenced content items with local reference names of items that are stored locally, after download from one or more referenced sources that are external to the hosted isolated computing environment;
  
  initiating directed execution of the at least one computer program in the hosted isolated computing environment; and
  
  detecting dynamic code vulnerabilities of the at least one computer program, via at least one device processor, based on the directed execution.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16, further comprising:
    - statically analyzing the obtained test object, to determine locations of sink functions and entry points.
  - 18. The method of claim 16, further comprising:
    - obtaining a Universal Resource Identifier (URI) that references the test object, that is located at an external resource that is not under control of a local testing tool that performs the directed execution.

19. A computer program product comprising a hardware computer-readable storage medium storing executable code that, when executed, causes at least one data processing apparatus to:
- obtain a test object that includes at least one computer program that includes dynamic executable code;
  
  transform the at least one computer program into a format that is configured to execute in a hosted isolated computing environment, the transforming the at least one computer program including replacing item names of referenced content items with local reference names of items that are stored locally, after download from one or more referenced sources that are external to the hosted isolated computing environment;
  
  initiate directed execution of the at least one computer program, in the hosted isolated computing environment; and
  
  detect dynamic code vulnerabilities of the at least one computer program, based on the directed execution.
- View Dependent Claims (20)
- - 20. The computer program product of claim 19, wherein:
    - the dynamic executable code includes JAVASCRIPT code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Arbabi, Reza, Wan, Wing Kwong, Derryberry, George Raymond Jr., Fanning, Michael C.
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US14/095,538
Publication Number

US 20150154402A1
Time in Patent Office

868 Days
Field of Search

726/3, 726 22- 27
US Class Current

1/1
CPC Class Codes

G06F 11/3688   for test execution, e.g. sc...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

Directed execution of dynamic programs in isolated environments

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Directed execution of dynamic programs in isolated environments

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links