Runtime protection of Web services

US 9,942,258 B2
Filed: 05/22/2015
Issued: 04/10/2018
Est. Priority Date: 06/18/2014
Status: Active Grant

First Claim

Patent Images

1. A system for protecting a runtime Web service application, the system comprising:

a memory configured to store an application and an instrumented version of the application;

a processor in communication with the memory, wherein the memory storing processor-executable program instructions, that when executed, configure the processor to perform functions of;

a trace instrumenter for enabling the application to log its operation and to create an execution trace;

a vulnerability detector for identifying a trace point vulnerability using one or more data payloads, each data payload comprising an example set of data;

a taint analyzer for identifying a candidate trace point operation associated with the trace point vulnerability by checking data flow through the application and the instrumented version of the application using one of the one or more data payloads and specifying a security rule to define the data flow, wherein the candidate trace point operation is an operation for which a payload value has been rejected by a validator or has been sanitized by a sanitizer;

a string analyzer for computing a supplementary candidate operation based on the existing trace point operation and the trace point vulnerability; and

a defensive instrumenter for instrumenting the runtime Web service application with the supplementary candidate operation, wherein the defensive instrumenter is further configured to apply a fix in the form of a trace point operation to the runtime Web service application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Protecting a runtime Web service application. A web service application is instrumented to log its operation and allow recreation of its execution trace. Trace point vulnerabilities are identified using one or more data payloads. Candidate trace point operations associated with the trace point vulnerabilities are identified. Supplementary candidate operations are computed based on the existing trace point operations and the one or more data payloads. The Web service application is further instrumented with the one or more supplementary candidate operations.

Citations

15 Claims

1. A system for protecting a runtime Web service application, the system comprising:
- a memory configured to store an application and an instrumented version of the application;
  
  a processor in communication with the memory, wherein the memory storing processor-executable program instructions, that when executed, configure the processor to perform functions of;
  
  a trace instrumenter for enabling the application to log its operation and to create an execution trace;
  
  a vulnerability detector for identifying a trace point vulnerability using one or more data payloads, each data payload comprising an example set of data;
  
  a taint analyzer for identifying a candidate trace point operation associated with the trace point vulnerability by checking data flow through the application and the instrumented version of the application using one of the one or more data payloads and specifying a security rule to define the data flow, wherein the candidate trace point operation is an operation for which a payload value has been rejected by a validator or has been sanitized by a sanitizer;
  
  a string analyzer for computing a supplementary candidate operation based on the existing trace point operation and the trace point vulnerability; and
  
  a defensive instrumenter for instrumenting the runtime Web service application with the supplementary candidate operation, wherein the defensive instrumenter is further configured to apply a fix in the form of a trace point operation to the runtime Web service application.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the identified trace point vulnerability is reported.
  - 3. The system of claim 1, wherein the vulnerability detector starts over testing the runtime Web service application for further vulnerabilities.
  - 4. The system of claim 1, wherein, the vulnerability detector performs further vulnerabilities testing after the runtime Web service application has been further instrumented with one or more supplementary candidate operations.
  - 5. The system of claim 4, wherein in response to a pre-existing vulnerability being located again and being the same as a previously identified vulnerability, then no further measures are taken.
  - 6. The system of claim 4, wherein in response to a new vulnerability being located, the functions protecting the runtime Web service application are repeated to address the new vulnerability.

7. A method for protecting a runtime Web service application comprising:
- enabling the runtime Web service application to log its operation and creation an execution trace;
  
  identifying a trace point vulnerability using one or more data payloads, each data payload comprising an example set of data, and one or more security rules;
  
  identifying a candidate trace point operation associated with the trace point vulnerability by checking data flow through an application and an instrumented version of the application using one of the one or more data payloads and specifying a security rule to define the data flow, wherein the candidate trace point operation is an operation for which a payload value has been rejected by a validator or has been sanitized by a sanitizer;
  
  computing a supplementary candidate operation based on the existing trace point operation and the trace point vulnerability;
  
  further enabling the runtime Web service application with the supplementary candidate operation; and
  
  applying a fix in the form of a trace point operation to the Web service application.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the identified trace point vulnerability is reported.
  - 9. The method of claim 7, further comprising starting over testing the runtime Web service application for further vulnerabilities.
  - 10. The method of claim 7, further comprising performing further vulnerability testing after the runtime Web service application has been further instrumented with one or more supplementary candidate operations.
  - 11. The method of claim 10, wherein in response to a pre-existing vulnerability being located again and being the same as the previously identified vulnerability, then no further measures are taken.
  - 12. The method of claim 10, wherein in response to a new vulnerability being located, then the method for protecting the runtime Web service application is repeated to address the new vulnerability.

13. A computer program product for protecting a runtime Web service application, the computer program product comprising a tangible computer-readable storage device having computer-readable program code embodied therewith, the computer-readable program code configured to perform a method, the method comprising:
- enabling the runtime Web service application to log its operation and creation an execution trace;
  
  identifying a trace point vulnerability using one or more data payloads, each data payload comprising an example set of data, and one or more security rules;
  
  identifying a candidate trace point operation associated with the trace point vulnerability by checking data flow through an application and an instrumented version of the application using one of the one or more data payloads and specifying a security rule to define the data flow, wherein the candidate trace point operation is an operation for which a payload value has been rejected by a validator or has been sanitized by a sanitizer;
  
  computing a supplementary candidate operation based on the existing trace point operation and the trace point vulnerability;
  
  further enabling the runtime Web service application with the supplementary candidate operation; and
  
  applying a fix in the form of a trace point operation to the Web service application.
- View Dependent Claims (14, 15)
- - 14. The computer program product of claim 13 wherein the identified trace point vulnerability is reported.
  - 15. The computer program product of claim 13 wherein the method further comprises starting over testing the runtime Web service application for further vulnerabilities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Tripp, Omer, Wurth, Emmanuel
Primary Examiner(s)
LE, KHOI V

Application Number

US14/719,613
Publication Number

US 20150373042A1
Time in Patent Office

1,054 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Runtime protection of Web services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Runtime protection of Web services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links