Directed execution of dynamic programs in isolated environments

US 9,785,778 B2
Filed: 04/07/2016
Issued: 10/10/2017
Est. Priority Date: 12/03/2013
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

at least one hardware device processor;

a receiver that obtains, via the at least one hardware device processor, a test object that includes dynamic executable code;

a transformer that transforms at least a portion of the test object into a transformed format test object that is configured to execute in a hosted isolated computing environment, the transforming including transforming the at least a portion of the test object into a locally stored document object model (DOM) format that is configured to model at least one computer program included in the test object, the transforming including modifying Universal Resource Identifiers (URIs) to reference only items located locally to the hosted isolated computing environment;

an execution engine that initiates, via the at least one hardware device processor, directed execution of the transformed format test object, in the hosted isolated computing environment; and

a detector that detects dynamic code vulnerabilities of the test object, based on the directed execution.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A test object that includes at least one computer program that includes dynamic executable code is obtained. The at least one computer program is transformed into a format that is configured to execute in a hosted isolated computing environment. Directed execution of the at least one computer program is initiated, in the hosted isolated computing environment. Dynamic code vulnerabilities of the at least one computer program are detected, based on the directed execution.

Citations

20 Claims

1. A system comprising:
- at least one hardware device processor;
  
  a receiver that obtains, via the at least one hardware device processor, a test object that includes dynamic executable code;
  
  a transformer that transforms at least a portion of the test object into a transformed format test object that is configured to execute in a hosted isolated computing environment, the transforming including transforming the at least a portion of the test object into a locally stored document object model (DOM) format that is configured to model at least one computer program included in the test object, the transforming including modifying Universal Resource Identifiers (URIs) to reference only items located locally to the hosted isolated computing environment;
  
  an execution engine that initiates, via the at least one hardware device processor, directed execution of the transformed format test object, in the hosted isolated computing environment; and
  
  a detector that detects dynamic code vulnerabilities of the test object, based on the directed execution.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein:
    - the execution engine initiates the directed execution of the transformed format test object, in the hosted isolated computing environment, without accessing non-local source servers from which the test object was obtained, and without accessing non-local referenced servers that are referenced by the test object.
  - 3. The system of claim 1, wherein:
    - the directed execution is performed without using a browser, within the hosted isolated computing environment that includes a computing environment that is under the control of only a single hosting entity.
  - 4. The system of claim 1, wherein:
    - the directed execution includes instantiating an instance of at least one computer program included in the test object, without using a browser, within the hosted isolated computing environment that includes a computing environment that is under the control of only a single hosting entity, with references to referenced content items resolved to references to copies of the referenced content items that have been obtained and stored locally within the hosted isolated computing environment, and iterating through all different execution paths of the at least one computer program to detect the dynamic code vulnerabilities.
  - 5. The system of claim 1, wherein:
    - obtaining the test object includes obtaining a first web page from an initial source server, and obtaining one or more referenced content items from one or more referenced sources that are referenced by content obtained from the initial source server.
  - 6. The system of claim 1, further comprising:
    - a resetter that resets a state of the transformed format test object to a prior version during testing.
  - 7. The system of claim 1, wherein:
    - transforming the at least a portion of the test object includes;
      
      replacing item names of referenced content items with local reference names corresponding to Universal Resource Identifiers (URIs) located in the hosted isolated computing environment, wherein the referenced content items are stored locally, after download from one or more referenced sources that are external to the hosted isolated computing environment, andreplacing Universal Resource Identifiers URIs included in code of the at least one computer program included in the test object with corresponding ones of the local reference names.
  - 8. The system of claim 1, further comprising:
    - an instrumenter that instruments the transformed format test object for testing at least a portion of the dynamic executable code for cross-site scripting (XSS) vulnerabilities.
  - 9. The system of claim 1, wherein:
    - the detector detects the dynamic code vulnerabilities of the test object based on determining one or more changes in state of the transformed DOM format, from an initial transformed state, to a changed state, after the directed execution locally in the hosted isolated computing environment.
  - 10. The system of claim 9, wherein:
    - determining one or more changes in state of the transformed DOM format includes determining whether the dynamic executable code is configured for execution-time modification of the dynamic executable code to an unacceptable execution state, from a user perspective.
  - 11. The system of claim 1, wherein:
    - the directed execution of the transformed format test object includes directed execution of the transformed format test object that is comprehensively performed within a local process boundary using only resources that are under the control of a local testing tool of a user of a dynamic program validation engine.
  - 12. The system of claim 1, wherein:
    - the directed execution of the transformed format test object includes directed execution of the transformed format test object that is performed within a local process boundary using only resources that are under the control of a local testing tool, as a background process to a browser processing of the test object, that is not configured to be performed totally within the hosted isolated computing environment.
  - 13. The system of claim 12, wherein:
    - the detector initiates a blocking of one or more execution paths of at least one computer program included in the test object, based on one or more detected dynamic code vulnerabilities of the at least one computer program, after detection by the local testing tool.
  - 14. The system of claim 1, wherein:
    - the detector provides a report of the dynamic code vulnerabilities of the test object.

15. A non-transitory computer readable medium storing executable code that, when executed by one or more processors, cause the one or more processors to:
- obtain a test object that includes at least one computer program that includes dynamic executable code;
  
  transform the at least one computer program into a locally stored document object model (DOM) format that is configured to execute in a hosted isolated computing environment and that is configured to model the at least one computer program, the transformation the at least one computer program including modifying Universal Resource Identifiers (URIs) to reference only items located locally to the hosted isolated computing environment;
  
  initiate directed execution of the at least one computer program in the hosted isolated computing environment; and
  
  detect dynamic code vulnerabilities of the at least one computer program, via at least one device processor, based on the directed execution.
- View Dependent Claims (16, 17)
- - 16. The non-transitory computer readable medium of claim 15, wherein the code further causes the one or more processors to:
    - statically analyze the obtained test object, to determine locations of sink functions and entry points.
  - 17. The non-transitory computer readable medium of claim 15, wherein the code further causes the one or more processors to:
    - obtain a Universal Resource Identifier (URI) that references the test object, that is located at an external resource that is not under control of a local testing tool that performs the directed execution.

18. A method comprising:
- obtaining a test object that includes dynamic executable code;
  
  transforming, via at least one hardware device processor, at least a portion of the test object into a transformed format test object that is configured to execute in a hosted isolated computing environment, the transforming including transforming the at least a portion of the test object into a locally stored document object model (DOM) format that is configured to model at least one computer program included in the test object, the transforming including modifying Universal Resource Identifiers (URIs) to reference only items located locally to the hosted isolated computing environment;
  
  initiating, via the at least one hardware device processor, directed execution of the transformed format test object, in the hosted isolated computing environment; and
  
  detecting dynamic code vulnerabilities of the test object, based on the directed execution.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein:
    - the dynamic executable code includes JAVASCRIPT code.
  - 20. The method of claim 18, wherein:
    - obtaining the test object includes obtaining a first web page from an initial source server, and obtaining one or more referenced content items from one or more referenced sources that are referenced by content obtained from the initial source server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Arbabi, Reza, Wan, Wing Kwong, Derryberry, Jr., George Raymond, Fanning, Michael C.
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US15/092,663
Publication Number

US 20160300066A1
Time in Patent Office

551 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3688   for test execution, e.g. sc...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

Directed execution of dynamic programs in isolated environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Directed execution of dynamic programs in isolated environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links