US20090019545A1 - Computer security method and system with input parameter validation - Google Patents

Computer security method and system with input parameter validation Download PDF

Info

Publication number
US20090019545A1
US20090019545A1 US12/174,592 US17459208A US2009019545A1 US 20090019545 A1 US20090019545 A1 US 20090019545A1 US 17459208 A US17459208 A US 17459208A US 2009019545 A1 US2009019545 A1 US 2009019545A1
Authority
US
United States
Prior art keywords
downloadable
computer
suspicious
input parameters
program code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/174,592
Other versions
US20120144485A9 (en
Inventor
Yuval Ben-Itzhak
Golan Yosef
Israel Taub
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Finjan Inc
Original Assignee
Finjan Software Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US11/298,475 external-priority patent/US7757289B2/en
Priority claimed from US11/354,893 external-priority patent/US7613918B2/en
Application filed by Finjan Software Ltd filed Critical Finjan Software Ltd
Priority to US12/174,592 priority Critical patent/US20120144485A9/en
Assigned to FINJAN SOFTWARE, LTD. reassignment FINJAN SOFTWARE, LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BEN-ITZHAK, YUVAL, TAUB, ISRAEL, YOSEF, GOLAN
Publication of US20090019545A1 publication Critical patent/US20090019545A1/en
Assigned to FINJAN, INC. reassignment FINJAN, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: FINJAN SOFTWARE, LTD.
Publication of US20120144485A9 publication Critical patent/US20120144485A9/en
Priority to US14/482,434 priority patent/US9294493B2/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection

Definitions

  • the field of the present invention is computer security.
  • Computer security software and hardware are used to inspect downloadables, to determine if they are malicious.
  • downloadable refers generally to an executable application program, which is downloaded from a source computer and run on a destination computer.
  • malicious downloadables including malware, phishing, spyware, Trojan horses, viruses and worms.
  • Malicious downloadables often enter an internal computer network from an external network, and infect all or most of the computers in the internal network once they break in.
  • computer security systems often employ gateway computers to scan and filter incoming downloadables.
  • Scanning downloadables at a gateway computer may be performed by running the programs; however, running the programs on the gateway computer instead of on the computer in the internal network for which the programs are intended, may result in the gateway computer failing to detect exploits in the downloadables.
  • Scanning downloadables at a gateway computer may also be performed by analyzing the programs.
  • Assignee's U.S. Pat. No. 6,092,194 describes such a gateway security system.
  • scanners When analyzing downloadables, scanners generally search for computer operations that are potentially suspicious. For example, if a suspect downloadable invokes a function call that writes to a file system or opens a network connection or changes a registry entry, such behavior raises a warning flag for potentially malicious activity.
  • a security system may block a downloadable from reaching an internal network if the downloadable includes a suspicious computer operation. However, most non-malicious downloadables use these same computer operations in an innocuous way, and such a security system may block both good and bad downloadables from reaching the internal network.
  • the method setRequestHeader( ) is generally a safe function that simply adds an HTTP header to a request.
  • the following code snippet shows how setRequestHeader( ) is used, for example, to set the HTTP Content-Type header to ‘text/xml’ before sending a request body.
  • var oReq new XMLHttpRequest( ); oReq.open(“POST”, sURL, false); oReq.setRequestHeader(CONTENT, “text/xml”); oReq.send(sRequestBody); As such, the example JavaScript above appears innocuous.
  • the input parameter to setRequestHeader( ) in the example JavaScript code above is only evaluated at run-time, and a code exploit may be triggered in the process of evaluating the input parameter. More generally, input parameters to function calls, even for safe functions, are potential hiding places for code exploits. Since input parameters may only be determined at run-time, such code exploits may go undetected when scanning downloadables.
  • a security system would thus be of advantage for a security system to be able to validate input parameters that are evaluated at run-time. It would be of further advantage for a security system to be able to determine if a given input parameter will exploit a non-malicious function, prior to actually executing the non-malicious function with the given input parameter.
  • aspects of the present invention relate to a computer security method and system that validates input parameters to computer operations when scanning a suspect downloadable.
  • the present invention overwrites suspicious computer operations, and appends special monitoring code to the suspect downloadable that, when invoked, validates input parameters to computer operations.
  • the present invention may be embodied at a gateway computer, at a server computer, or at a client computer.
  • a method for identifying suspicious downloadables including receiving a downloadable, scanning the downloadable to identify suspicious computer operations therein, and if at least one suspicious computer operation is identified, then overwriting the suspicious computer operations with substitute computer operations, and appending monitoring program code to the downloadable thereby generating a modified downloadable, wherein the monitoring program code includes program instructions for validating input parameters for the suspicious computer operations during run-time of the downloadable.
  • a computer security system including a receiver for receiving a downloadable, a scanner, coupled with the receiver, for scanning the downloadable to identify suspicious computer operations therein, a code modifier, coupled with the scanner, for overwriting the suspicious computer operations with substitute computer operations, if at least one suspicious computer operation is identified by the scanner, and for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is identified by the scanner, and a processor, coupled with the code modifier, for executing programmed instructions, wherein the monitoring program code includes program instructions for the processor to validate input parameters for the suspicious computer operations during run-time of the downloadable.
  • a method for identifying suspicious downloadables including receiving a downloadable, and appending monitoring program code to the downloadable thereby generating a modified downloadable, wherein the monitoring program code includes program instructions for identifying suspicious computer operations during run-time of the downloadable, for overwriting the suspicious computer operations with substitute computer operations during run-time of the downloadable, and for validating input parameters for the suspicious operations during run-time of the downloadable.
  • a computer security system including a receiver for receiving a downloadable, a code modifier, coupled with the scanner, for appending monitoring program code to the downloadable thereby generating a modified downloadable, and a processor, coupled with the code modifier, for executing programmed instructions, wherein the monitoring program code includes program instructions for the processor to identify suspicious computer operations during run-time of the downloadable, to overwrite the suspicious computer operations with substitute computer operations during run-time of the downloadable, and to validate input parameters for the suspicious computer operations during run time of the downloadable.
  • a method for identifying suspicious downloadables including scanning a downloadable to detect the presence of at least one suspicious computer operation, dynamically generating during run-time of the downloadable at least one input parameter for the at least one suspicious computer operation detected by the scanning, and determining whether or not the dynamically generated at least one input parameter corresponds to a safe input parameter for the at least one suspicious computer operation.
  • a computer security system including a scanner for scanning a downloadable to detect the presence of at least one suspicious computer operation, and a processor that executes programmed instructions for dynamically generating during run-time of the downloadable at least one input parameter for the at least one suspicious computer operation detected by the scanner, and for determining whether or not the dynamically generated at least one input parameter corresponds to a safe input parameter for the at least one suspicious computer operation.
  • FIG. 1 is a simplified block diagram of a computer security system with input parameter validation, in accordance with an embodiment of the present invention
  • FIG. 2 is a method for computer security with input parameter validation, in accordance with an embodiment of the present invention.
  • FIG. 3 is an alternative method for computer security with input parameter validation, in accordance with an embodiment of the present invention.
  • aspects of the present invention relate to a computer security method and system that receives as input a downloadable, and detects whether or not the downloadable is potentially malicious by inter alia validating input parameters to computer operations.
  • FIG. 1 is a simplified block diagram of a computer security system with input parameter validation, in accordance with an embodiment of the present invention.
  • the embodiment of the security system shown in FIG. 1 includes a gateway computer 100 and two destination computers 110 . Downloadables transmitted to destination computers 110 first pass through gateway 100 .
  • Downloadables may be inter alia in the form of source code, such as JavaScript, or in the form of complied code, such as Java applets, that is de-compiled in order to derive its source code.
  • gateway computer 100 One of the responsibilities of gateway computer 100 is to run security checks on downloadables prior to their reaching destination computers 110 . If gateway computer 100 identifies a potentially malicious downloadable, then it either blocks the downloadable from reaching destination computers 110 , or neutralizes the potentially malicious portions of the downloadable prior to forwarding the downloadable to destination computers 110 .
  • gateway computer 100 includes a processor 120 , for executing programmed instructions, a receiver 130 for receiving a downloadable in transit to one or both of destination computers 110 , and a transmitter 140 for forwarding the received downloadable to one or both of destination computers 110 .
  • Gateway computer 100 further includes a scanner 150 , for scanning a downloadable received by receiver 130 , and a code modifier 160 for appending special modification code to the downloadable received by receiver 130 .
  • scanner 150 inspects downloadable source code for the presence of suspicious computer operations. If the downloadable is in compiled object code form, the scanner 150 first de-compiles the object code to derive downloadable source code therefrom, and then inspects the downloadable source code for the presence of suspicious operations.
  • Modification code 170 includes instructions for overwriting the suspicious computer operations detected by scanner 150 , and for validating their input parameters. If all input parameters to all suspicious computer operations are validated, then the downloadable is deemed to be safe, and is forwarded to one or both of destination computers 110 . Otherwise, the downloadable is deemed to be potentially malicious.
  • processor 120 may neutralize the suspicious computer operations by eliminating such operations, or by replacing their input parameters with valid input parameters, and then forwarding the remedied downloadable to one or both of destination computers 110 . Further, processor 120 may first execute the remedied downloadable within a secure environment and inspect the execution results, prior to forwarding the downloadable. Alternatively, processor 120 may block the downloadable from being forwarded to destination computers 110 . Further details of operation of scanner 150 and code modifier 160 are provided in the discussion of FIG. 2 hereinbelow.
  • FIG. 2 is a method for computer security with input parameter validation, in accordance with an embodiment of the present invention.
  • FIG. 2 is a method for computer security with input parameter validation, in accordance with an embodiment of the present invention.
  • FIG. 2 reference is also made to the following example downloadable, used to supplement the description of various steps in FIG. 2 by way of example.
  • FIG. 2 begins at step 210 , whereat an original downloadable is received in transit to one or more destination computers.
  • the downloadable received at step 210 includes lines 1 - 4 . These lines of code cause a browser to create an ActiveX object named “Msxml2.XMLHTTP”, and assign the created object to variable b.
  • the setRequestHeader( ) method of object b is called using an input parameter “SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS”. At this stage it is unclear if the input parameter is legitimate for this method, or if it abuses the method call in a malicious way.
  • the received downloadable is scanned, to detect the presence of suspicious computer operations.
  • the function call setRequestHeader( ) is identified as being suspicious.
  • a dictionary of suspicious operations is accessed and consulted by scanner 150 , in order to detect which computer operations are potentially malicious. Such a dictionary is included in lines 6 - 9 of the example program code, as described below with reference to step 270 .
  • a dictionary of non-malicious computer operations is accessed and consulted by scanner 150 , in order to detect malicious computer operations.
  • the monitoring code includes lines 11 - 36 , and has two functions; namely, makeVulnDict(Arr) and checkAcx(acxId).
  • VulnAcxStruct[ ] is an array of three-element arrays, each three-element array corresponding to a potentially malicious function. For purposes of clarity, only one three-element array is defined in lines 6 - 9 , corresponding to the method setRequestHeader( ) of object Msxml2.XMLHTTP, but it will be appreciated by those skilled in the art that additional three-element arrays may be defined.
  • the first element of the three-element array in VulnAcxStruct[ ] is the name of the object containing the potentially malicious function; i.e. “Msxml2.XMLHTTP”.
  • the second element of this array is the name of the suspicious method, setRequestHeader( ), together with the function to be used for input validation of the method; namely,
  • VulnAcxStruct[ ] holds a list of vulnerabilities, where a “vulnerability” is of the form
  • the suspicious computer operations are overwritten.
  • the over-writing is performed at lines 29 and 30 . Specifically, lines 28 - 31 loop over the list of [method name, definition] and associate each method name with its corresponding definition.
  • the modified downloadable is executed.
  • the input parameters for each of the suspicious computer operations are validated during run-time.
  • the function checkAcx( ) defined at lines 23 - 36 , performs the validation. Specifically, if the ActiveX object to be created, as identified by acxId, is listed in the dictionary Vuln_Obj_Dict[ ], then the corresponding input validation function is performed. If the validation fails, then the call to alert (“malicious!”) is made. Otherwise, the desired ActiveX object is created and returned. It will be appreciated by those skilled in the art that other forms of notification of failed validation are within the scope of the present invention. For example, checkAcx( ) may generate a warning text message.
  • the validation fails since the input parameter does not match any of the expected input parameters GET, POST, HEAD, DELETE, PUT, CONNECT and OPTIONS. If the input parameter to setRequestHeader( ) had instead been valid, the desired ActiveX object, Msxml2.XMLHTTP, would have been created by checkAcx( ) and returned.
  • One such action, at step 291 is simply not to forward the downloadable to the destination computer.
  • Another such action, at step 292 is to neutralize the input parameters that were not validated, by replacing them with valid input parameters, and then forwarding the remedied downloadable to the destination computers.
  • Another such action, at step 293 is to consult a computer security policy to determine whether or not to forward the downloadable to the destination computer, based on the suspicious computer operations that were detected.
  • step 260 of overwriting suspicious computer operations may be performed either in a pre-scan phase, prior to executing the loop around step 270 , as indicated in FIG. 2 , or instead may be performed in real-time, within the loop.
  • the structure VulnAcxStruct[ ], defined at lines 6 - 9 which pre-identifies the suspicious computer operations, may be appended to the monitoring code.
  • the monitoring code overwrites the pre-identified operations in real-time at lines 29 and 30 .
  • FIG. 3 is an alternative method for computer security with input parameter validation, with the overwriting being performed during run-time, in accordance with an embodiment of the present invention.
  • FIG. 3 begins at step 310 , whereat an original downloadable is received in transit to one or more destination computers.
  • monitoring program code is appended to the original downloadable, to generate a modified downloadable.
  • step 355 suspicious computer operations are identified at run-time.
  • Step 355 may be performed by referencing a structure, such as the VulnAcxStruct[ ] structure in the example JavaScript, that lists pre-designated suspicious computer operations.
  • step 355 may be performed by referencing structure that lists pre-designated safe computer non-malicious computer operations.
  • the suspicious computer operations are overwritten at run-time.
  • the object method Referring to the example JavaScript, at lines 29 and 30 the object method
  • the input parameters for the suspicious computer operations are validated at run-time.
  • input parameter validation is performed by the function in lines 7 - 9 . If the input parameters are validated then the function returns normally; otherwise, the function invokes alert (“malicious!”). Other such methods to validate input parameters and to issue a notification when input parameters are not validated, are also within the scope of the present invention.
  • One such action, at step 391 is simply not to forward the downloadable to the destination computer.
  • Another such action, at step 392 is to neutralize the input parameters that were not validated, by replacing them with valid input parameters, and then forwarding the remedied downloadable to the destination computers.
  • Another such action, at step 393 is to consult a computer security policy to determine whether or not to forward the downloadable to the destination computer, based on the suspicious computer operations that were detected.

Abstract

A security system, including a receiver for receiving a downloadable, a scanner, coupled with the receiver, for scanning the downloadable to identify suspicious computer operations therein, a code modifier, coupled with the scanner, for overwriting the suspicious computer operations with substitute computer operations, if at least one suspicious computer operation is identified by the scanner, and for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is identified by the scanner, and a processor, coupled with the code modifier, for executing programmed instructions, wherein the monitoring program code includes program instructions for the processor to validate input parameters for the suspicious computer operations during run-time of the downloadable. A method is also described and claimed.

Description

    PRIORITY REFERENCE TO RELATED APPLICATIONS
  • This application is a continuation-in-part of assignee's pending U.S. application Ser. No. 11/354,893, filed on Feb. 16, 2006 entitled SYSTEM AND METHOD FOR ENFORCING A SECURITY CONTEXT ON A DOWNLOADABLE.
    • FIELD OF THE INVENTION
  • The field of the present invention is computer security.
    • BACKGROUND OF THE INVENTION
  • Computer security software and hardware are used to inspect downloadables, to determine if they are malicious. The term “downloadable” refers generally to an executable application program, which is downloaded from a source computer and run on a destination computer. There are many different types of malicious downloadables, including malware, phishing, spyware, Trojan horses, viruses and worms. Malicious downloadables often enter an internal computer network from an external network, and infect all or most of the computers in the internal network once they break in. As such, computer security systems often employ gateway computers to scan and filter incoming downloadables.
  • Scanning downloadables at a gateway computer may be performed by running the programs; however, running the programs on the gateway computer instead of on the computer in the internal network for which the programs are intended, may result in the gateway computer failing to detect exploits in the downloadables.
  • Scanning downloadables at a gateway computer may also be performed by analyzing the programs. Assignee's U.S. Pat. No. 6,092,194 describes such a gateway security system.
  • When analyzing downloadables, scanners generally search for computer operations that are potentially suspicious. For example, if a suspect downloadable invokes a function call that writes to a file system or opens a network connection or changes a registry entry, such behavior raises a warning flag for potentially malicious activity. A security system may block a downloadable from reaching an internal network if the downloadable includes a suspicious computer operation. However, most non-malicious downloadables use these same computer operations in an innocuous way, and such a security system may block both good and bad downloadables from reaching the internal network.
  • Consider, for example, a function that deletes a file in the file system. Many safe programs, such as software installation programs, generate temporary files during execution, and delete the temporary files upon completion. However, a malicious program may delete critical operating system files. A security system that blocks downloadables which invoke a function to delete a file would block safe downloadables in addition to the malicious ones.
  • Consider, for example, a downloadable that includes the following simple JavaScript source code:
  •
    <SCRIPT LANGUAGE=“JavaScript”>
      var b = new ActiveXObject(“Msxml2.XMLHTTP”);
      exploit data = “SSSSSSSSSSSSSSSSSSSSSS exploit”;
      b.setRequestHeader(exploit data);
    </SCRIPT>

    This source code initiates a new Msxml2.XMLHTTP ActiveX object, and invokes the object's method setRequestHeader( ). An Msxml2.XMLHTTP object is a standard object built into the Microsoft XML parser. The Msxml2.XMLHTTP object is an important part of the Ajax web development technique, and is used to implement responsive and dynamic web applications. It is used on a client side web page to grab information from the server, process it, and use the information on the current web page (as opposed to having to reload a web page).
  • The method setRequestHeader( ) is generally a safe function that simply adds an HTTP header to a request. The following code snippet shows how setRequestHeader( ) is used, for example, to set the HTTP Content-Type header to ‘text/xml’ before sending a request body.
  •
    var oReq = new XMLHttpRequest( );
    oReq.open(“POST”, sURL, false);
    oReq.setRequestHeader(CONTENT, “text/xml”);
    oReq.send(sRequestBody);

    As such, the example JavaScript above appears innocuous.
  • However, the input parameter to setRequestHeader( ) in the example JavaScript code above is only evaluated at run-time, and a code exploit may be triggered in the process of evaluating the input parameter. More generally, input parameters to function calls, even for safe functions, are potential hiding places for code exploits. Since input parameters may only be determined at run-time, such code exploits may go undetected when scanning downloadables.
  • It would thus be of advantage for a security system to be able to validate input parameters that are evaluated at run-time. It would be of further advantage for a security system to be able to determine if a given input parameter will exploit a non-malicious function, prior to actually executing the non-malicious function with the given input parameter.
    • SUMMARY OF THE DESCRIPTION
  • Aspects of the present invention relate to a computer security method and system that validates input parameters to computer operations when scanning a suspect downloadable. In one embodiment, the present invention overwrites suspicious computer operations, and appends special monitoring code to the suspect downloadable that, when invoked, validates input parameters to computer operations.
  • The present invention may be embodied at a gateway computer, at a server computer, or at a client computer.
  • There is thus provided in accordance with an embodiment of the present invention a method for identifying suspicious downloadables, including receiving a downloadable, scanning the downloadable to identify suspicious computer operations therein, and if at least one suspicious computer operation is identified, then overwriting the suspicious computer operations with substitute computer operations, and appending monitoring program code to the downloadable thereby generating a modified downloadable, wherein the monitoring program code includes program instructions for validating input parameters for the suspicious computer operations during run-time of the downloadable.
  • There is additionally provided in accordance with an embodiment of the present invention a computer security system, including a receiver for receiving a downloadable, a scanner, coupled with the receiver, for scanning the downloadable to identify suspicious computer operations therein, a code modifier, coupled with the scanner, for overwriting the suspicious computer operations with substitute computer operations, if at least one suspicious computer operation is identified by the scanner, and for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is identified by the scanner, and a processor, coupled with the code modifier, for executing programmed instructions, wherein the monitoring program code includes program instructions for the processor to validate input parameters for the suspicious computer operations during run-time of the downloadable.
  • There is further provided in accordance with an embodiment of the present invention a method for identifying suspicious downloadables, including receiving a downloadable, and appending monitoring program code to the downloadable thereby generating a modified downloadable, wherein the monitoring program code includes program instructions for identifying suspicious computer operations during run-time of the downloadable, for overwriting the suspicious computer operations with substitute computer operations during run-time of the downloadable, and for validating input parameters for the suspicious operations during run-time of the downloadable.
  • There is yet further provided in accordance with an embodiment of the present invention a computer security system, including a receiver for receiving a downloadable, a code modifier, coupled with the scanner, for appending monitoring program code to the downloadable thereby generating a modified downloadable, and a processor, coupled with the code modifier, for executing programmed instructions, wherein the monitoring program code includes program instructions for the processor to identify suspicious computer operations during run-time of the downloadable, to overwrite the suspicious computer operations with substitute computer operations during run-time of the downloadable, and to validate input parameters for the suspicious computer operations during run time of the downloadable.
  • There is moreover provided in accordance with an embodiment of the present invention a method for identifying suspicious downloadables, including scanning a downloadable to detect the presence of at least one suspicious computer operation, dynamically generating during run-time of the downloadable at least one input parameter for the at least one suspicious computer operation detected by the scanning, and determining whether or not the dynamically generated at least one input parameter corresponds to a safe input parameter for the at least one suspicious computer operation.
  • There is additionally provided in accordance with an embodiment of the present invention a computer security system, including a scanner for scanning a downloadable to detect the presence of at least one suspicious computer operation, and a processor that executes programmed instructions for dynamically generating during run-time of the downloadable at least one input parameter for the at least one suspicious computer operation detected by the scanner, and for determining whether or not the dynamically generated at least one input parameter corresponds to a safe input parameter for the at least one suspicious computer operation.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The present invention will be more fully understood and appreciated from the following detailed description, taken in conjunction with the drawings in which:
  • FIG. 1 is a simplified block diagram of a computer security system with input parameter validation, in accordance with an embodiment of the present invention;
  • FIG. 2 is a method for computer security with input parameter validation, in accordance with an embodiment of the present invention; and
  • FIG. 3 is an alternative method for computer security with input parameter validation, in accordance with an embodiment of the present invention.
    •  DETAILED DESCRIPTION
  • Aspects of the present invention relate to a computer security method and system that receives as input a downloadable, and detects whether or not the downloadable is potentially malicious by inter alia validating input parameters to computer operations.
  • Reference is now made to FIG. 1, which is a simplified block diagram of a computer security system with input parameter validation, in accordance with an embodiment of the present invention. The embodiment of the security system shown in FIG. 1 includes a gateway computer 100 and two destination computers 110. Downloadables transmitted to destination computers 110 first pass through gateway 100.
  • Downloadables may be inter alia in the form of source code, such as JavaScript, or in the form of complied code, such as Java applets, that is de-compiled in order to derive its source code.
  • One of the responsibilities of gateway computer 100 is to run security checks on downloadables prior to their reaching destination computers 110. If gateway computer 100 identifies a potentially malicious downloadable, then it either blocks the downloadable from reaching destination computers 110, or neutralizes the potentially malicious portions of the downloadable prior to forwarding the downloadable to destination computers 110.
  • As shown in FIG. 1, gateway computer 100 includes a processor 120, for executing programmed instructions, a receiver 130 for receiving a downloadable in transit to one or both of destination computers 110, and a transmitter 140 for forwarding the received downloadable to one or both of destination computers 110. Gateway computer 100 further includes a scanner 150, for scanning a downloadable received by receiver 130, and a code modifier 160 for appending special modification code to the downloadable received by receiver 130.
  • Generally, scanner 150 inspects downloadable source code for the presence of suspicious computer operations. If the downloadable is in compiled object code form, the scanner 150 first de-compiles the object code to derive downloadable source code therefrom, and then inspects the downloadable source code for the presence of suspicious operations.
  • If no suspicious computer operations are detected, then the downloadable is deemed to be safe, and is forwarded to one or both of destination computers 110 via transmitter 140. However, if scanner 150 detects one or more suspicious computer operations, then processor 120 appends special modification code 170 to the downloadable, thereby generating a modified downloadable. Modification code 170 includes instructions for overwriting the suspicious computer operations detected by scanner 150, and for validating their input parameters. If all input parameters to all suspicious computer operations are validated, then the downloadable is deemed to be safe, and is forwarded to one or both of destination computers 110. Otherwise, the downloadable is deemed to be potentially malicious.
  • For a downloadable deemed to be potentially malicious, processor 120 may neutralize the suspicious computer operations by eliminating such operations, or by replacing their input parameters with valid input parameters, and then forwarding the remedied downloadable to one or both of destination computers 110. Further, processor 120 may first execute the remedied downloadable within a secure environment and inspect the execution results, prior to forwarding the downloadable. Alternatively, processor 120 may block the downloadable from being forwarded to destination computers 110. Further details of operation of scanner 150 and code modifier 160 are provided in the discussion of FIG. 2 hereinbelow.
  • Reference is now made to FIG. 2, which is a method for computer security with input parameter validation, in accordance with an embodiment of the present invention. In conjunction with FIG. 2, reference is also made to the following example downloadable, used to supplement the description of various steps in FIG. 2 by way of example.
    • Original Javascript Source Program Code:
  • 1 <SCRIPT LANGUAGE=“JavaScript”>
    2  var b = new ActiveXObject(“Msxml2.XMLHTTP”);
    3  b.setRequestHeader(“SSSSSSSSSSSSSSSSSSSSSS”);
    4 </SCRIPT>
  • Modified Program Code:
  •
     5 <SCRIPT LANGUAGE=“JavaScript”>
     6  VuInAcxStruct=[[“Msxml2.XMLHTTP”, [[‘setRequestHeader’,
     7  function( ){allow=[“GET”, “POST”, “HEAD”, “DELETE”,
     “PUT”,
     8  “CONNECT”,“OPTIONS”]; for(i in allow){if
     9  (arguments[0]==allow[i])return;}alert(“malicious!”)}]], [ ]]]
    10
    11  function makeVuInObjDict(arr)
    12  {
    13      dict=new Object( );
    14      for(i in arr){
    15        dict[arr[i][0]]=[arr[i][2],arr[i][3]];
    16        dict[arr[i][1]]=[arr[i][2],arr[i][3]];
    17      }
    18      return dict;
    19  }
    20
    21  VuIn_Obj_Dict=makeVuInObjDict(VuInAcxStruct);
    22
    23  function checkAcx(acxId)
    24  {
    25      if (acxId in VuIn_Obj_Dict){
    26        obj = new Object( );
    27        for(i in VuIn_Obj_Dict[acxId][0])
    28        {
    29          obj[VuIn_Obj_Dict[acxId][0][i][0]] =
    30          VuIn_Obj_Dict[acxId][0][i][1];
    31        }
    32        obj[‘myID’] = acxId;
    33        return obj;
    34      }
    35      return new Object( );
    36  }
    37
    38  window.ActiveXObject = checkAcx;
    39  var b = new ActiveXObject(“Msxml2.XMLHTTP”);
    40  b.setRequestHeader(“SSSSSSSSSSSSSSSSSSSSSS”);
    41 </SCRIPT>
  • FIG. 2 begins at step 210, whereat an original downloadable is received in transit to one or more destination computers. Referring to the example JavaScript code hereinabove, the downloadable received at step 210 includes lines 1-4. These lines of code cause a browser to create an ActiveX object named “Msxml2.XMLHTTP”, and assign the created object to variable b. The setRequestHeader( ) method of object b is called using an input parameter “SSSSSSSSSSSSSSSSSSSSSS”. At this stage it is unclear if the input parameter is legitimate for this method, or if it abuses the method call in a malicious way.
  • At step 220, the received downloadable is scanned, to detect the presence of suspicious computer operations. Referring further to the example code, the function call setRequestHeader( ) is identified as being suspicious. In one embodiment of the present invention, a dictionary of suspicious operations is accessed and consulted by scanner 150, in order to detect which computer operations are potentially malicious. Such a dictionary is included in lines 6-9 of the example program code, as described below with reference to step 270. In an alternative embodiment of the present invention, a dictionary of non-malicious computer operations is accessed and consulted by scanner 150, in order to detect malicious computer operations.
  • At step 230 a determination is made whether or not suspicious computer operations have been detected in the downloadable. If not, then the downloadable is deemed safe and is forwarded to its destination at step 240. Otherwise, if one or more suspicious computer operations have been detected, then at step 250 monitoring program code is appended to the original downloadable. Referring to the example above, the monitoring code includes lines 11-36, and has two functions; namely, makeVulnDict(Arr) and checkAcx(acxId).
  • At line 21 the function makeVulnDict( ) is called with array parameter VulnAcxStruct[ ], to build a dictionary, Vuln_Obj_Dict, of potentially malicious function calls. As seen at lines 6-9, VulnAcxStruct[ ] is an array of three-element arrays, each three-element array corresponding to a potentially malicious function. For purposes of clarity, only one three-element array is defined in lines 6-9, corresponding to the method setRequestHeader( ) of object Msxml2.XMLHTTP, but it will be appreciated by those skilled in the art that additional three-element arrays may be defined. The first element of the three-element array in VulnAcxStruct[ ] is the name of the object containing the potentially malicious function; i.e. “Msxml2.XMLHTTP”. The second element of this array is the name of the suspicious method, setRequestHeader( ), together with the function to be used for input validation of the method; namely,
  •
    function( )
    {
      allow = [“GET”, “POST”, “HEAD”, “DELETE”, “PUT”,
              “CONNECT”, “OPTIONS”];
      for (i in allow){
        if (arguments[0]==allow[i] return;
      }
      alert(“malicious!”)
    }

    Thus to validate input parameters for the method setRequestHeader( ), the input parameter is matched against six expected non-malicious parameter values GET, POST, HEAD, DELETE, PUT, CONNECT and OPTIONS. If no match is found then an alert is made. It will be appreciated by those skilled in the art that the function given above is but one of many methods for validating input parameters. Other such methods to validate input parameters and to issue a notification when input parameters are not validated, are also within the scope of the present invention.
  • The third element of the three-element array in VulnAcxStruct[ ], shown empty at line 9, is reserved for a definition of vulnerable properties. In summary form, VulnAcxStruct[ ] holds a list of vulnerabilities, where a “vulnerability” is of the form
  • [object name, list of [method name, definition], properties].
  • Referring back to FIG. 2, at step 260 the suspicious computer operations are overwritten. Referring to the example JavaScript, the over-writing is performed at lines 29 and 30. Specifically, lines 28-31 loop over the list of [method name, definition] and associate each method name with its corresponding definition.
  • In addition, at line 38 the function window.ActiveXObject( ) is overwritten by the function checkAcx( ). As such, instead of invoking ActiveXObject( ) during run-time when an ActiveX object is created, the function checkAcx( ) is invoked.
  • Subsequently the modified downloadable is executed. At step 270 the input parameters for each of the suspicious computer operations are validated during run-time. Referring to the example code, the function checkAcx( ), defined at lines 23-36, performs the validation. Specifically, if the ActiveX object to be created, as identified by acxId, is listed in the dictionary Vuln_Obj_Dict[ ], then the corresponding input validation function is performed. If the validation fails, then the call to alert (“malicious!”) is made. Otherwise, the desired ActiveX object is created and returned. It will be appreciated by those skilled in the art that other forms of notification of failed validation are within the scope of the present invention. For example, checkAcx( ) may generate a warning text message.
  • For the example provided above, when the input parameter “SSSSSSSSSSSSSSSSSSSSSS” to setRequestHeader( ) is validated, the validation fails since the input parameter does not match any of the expected input parameters GET, POST, HEAD, DELETE, PUT, CONNECT and OPTIONS. If the input parameter to setRequestHeader( ) had instead been valid, the desired ActiveX object, Msxml2.XMLHTTP, would have been created by checkAcx( ) and returned.
  • At step 280 a determination is made whether or not the input parameters to each of the suspicious computer operations have been validated. If so, then the downloadable is deemed safe and is forwarded to its destination at step 240. Otherwise, the downloadable is deemed suspicious, an alert is made, and various preventive actions may be taken. One such action, at step 291, is simply not to forward the downloadable to the destination computer. Another such action, at step 292, is to neutralize the input parameters that were not validated, by replacing them with valid input parameters, and then forwarding the remedied downloadable to the destination computers. Another such action, at step 293, is to consult a computer security policy to determine whether or not to forward the downloadable to the destination computer, based on the suspicious computer operations that were detected.
  • It will be appreciated by those skilled in the art that step 260, of overwriting suspicious computer operations may be performed either in a pre-scan phase, prior to executing the loop around step 270, as indicated in FIG. 2, or instead may be performed in real-time, within the loop. Specifically, referring to the example JavaScript code provided hereinabove, the structure VulnAcxStruct[ ], defined at lines 6-9, which pre-identifies the suspicious computer operations, may be appended to the monitoring code. In turn, the monitoring code overwrites the pre-identified operations in real-time at lines 29 and 30. In this regard, reference is now made to FIG. 3, which is an alternative method for computer security with input parameter validation, with the overwriting being performed during run-time, in accordance with an embodiment of the present invention.
  • FIG. 3 begins at step 310, whereat an original downloadable is received in transit to one or more destination computers. At step 350 monitoring program code is appended to the original downloadable, to generate a modified downloadable.
  • Subsequent to step 350 the modified downloadable is executed. At step 355 suspicious computer operations are identified at run-time. Step 355 may be performed by referencing a structure, such as the VulnAcxStruct[ ] structure in the example JavaScript, that lists pre-designated suspicious computer operations. Alternatively, step 355 may be performed by referencing structure that lists pre-designated safe computer non-malicious computer operations.
  • At step 360 the suspicious computer operations are overwritten at run-time. Referring to the example JavaScript, at lines 29 and 30 the object method

  • obj[Vuln_Obj_Dict[acxId][0][i][0]]
  • is overwritten with the function

  • obj[Vuln_Obj_Dict[acxId][0][i][1]].
  • Based on lines 15 and 16, this corresponds to overwriting the method setRequestHeader( ) of object Msxml2.XMLHTTP with the function in lines 7-9; namely,
  •
    Function( )
    {
      allow =[“GET”, “POST”, “HEAD”, “DELETE”, “PUT”,
            “CONNECT”, “OPTIONS”];
      for (i in allow){
        if (arguments[0]==allow[i] return;
      }
      alert(“malicious!”)
    }
  • At step 370 the input parameters for the suspicious computer operations are validated at run-time. Referring to the JavaScript example, input parameter validation is performed by the function in lines 7-9. If the input parameters are validated then the function returns normally; otherwise, the function invokes alert (“malicious!”). Other such methods to validate input parameters and to issue a notification when input parameters are not validated, are also within the scope of the present invention.
  • At step 380 a determination is made whether or not the input parameters to each of the suspicious computer operations have been validated. If so, then the downloadable is deemed safe and is forwarded to its destination at step 340. Otherwise, the downloadable is deemed malicious, an alert is made, and various preventive actions may be taken. One such action, at step 391, is simply not to forward the downloadable to the destination computer. Another such action, at step 392, is to neutralize the input parameters that were not validated, by replacing them with valid input parameters, and then forwarding the remedied downloadable to the destination computers. Another such action, at step 393, is to consult a computer security policy to determine whether or not to forward the downloadable to the destination computer, based on the suspicious computer operations that were detected.
  • In the foregoing specification, the invention has been described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made to the specific exemplary embodiments without departing from the broader spirit and scope of the invention as set forth in the appended claims. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.

Claims (56)

1. A method for handling suspicious downloadables, comprising:
receiving a downloadable;
scanning the downloadable to identify suspicious computer operations therein; and
if at least one suspicious computer operation is identified, then:
overwriting the suspicious computer operations with substitute computer operations; and
appending monitoring program code to the downloadable thereby generating a modified downloadable, wherein the monitoring program code includes program instructions for validating input parameters for the suspicious computer operations during run-time of the downloadable.
2. The method of claim 1, wherein the substitute computer operations validate their input parameters, and indicate if their input parameters are not successfully validated.
3. The method of claim 2, wherein the substitute computer operations indicate if their input parameters are not successfully validated by invoking an alert.
4. The method of claim 2, wherein the substitute computer operations indicate if their input parameters are not successfully validated by generating a warning text message.
5. The method of claim 1, wherein the monitoring code further includes program instructions for replacing invalid input parameters with valid input parameters in the suspicious computer operations.
6. The method of claim 1, further comprising executing the modified downloadable.
7. The method of claim 6, wherein said executing comprises executing the modified downloadable in a secure environment.
8. The method of claim 1, wherein said receiving comprises receiving the downloadable in transit to an intended destination computer, the method further comprising transmitting the modified downloadable to the destination computer.
9. The method of claim 1, wherein said receiving comprises receiving the downloadable in transit to an intended destination computer, the method further comprising preventing the downloadable from executing on the destination computer if said validating fails.
10. The method of claim 1, wherein said receiving comprises receiving the downloadable in transit to an intended destination computer, the method further comprising consulting a security policy to determine whether to forward the downloadable to the destination computer if said validating fails.
11. The method of claim 1, wherein said validating input parameters comprises comparing actual input parameters to the suspicious computer operations with at least one descriptor of valid input parameters for the suspicious computer operations.
12. The method of claim 1, wherein said validating input parameters comprises comparing actual input parameters to the suspicious computer operations with at least one descriptor of invalid input parameters for the suspicious computer operations.
13. The method of claim 1, wherein said scanning comprises accessing a dictionary of suspicious computer operations.
14. The method of claim 1, wherein said validating comprises accessing a dictionary of valid input parameters.
15. The method of claim 1, wherein said validating comprises accessing a dictionary of invalid input parameters.
16. The method of claim 1, wherein the downloadable is JavaScript program code.
17. The method of claim 1, wherein the downloadable is VBScript program code.
18. The method of claim 1, wherein the downloadable is Flash object compiled program code, the method further comprising de-compiling the Flash object compiled program code to derive source code therefrom.
19. The method of claim 1, wherein the downloadable is applet program code, the method further comprising de-compiling the applet program code to derive source code therefrom.
20. A computer security system, comprising:
a receiver for receiving a downloadable;
a scanner, coupled with said receiver, for scanning the downloadable to identify suspicious computer operations therein;
a code modifier, coupled with said scanner, for overwriting the suspicious computer operations with substitute computer operations, if at least one suspicious computer operation is identified by said scanner, and for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is identified by said scanner; and
a processor, coupled with said code modifier, for executing programmed instructions,
wherein the monitoring program code includes program instructions for said processor to validate input parameters for the suspicious computer operations during run-time of the downloadable.
21. The security system of claim 20, wherein the substitute computer operations validate their input parameters, and indicate if their input parameters are not successfully validated.
22. The security system of claim 21, wherein the substitute computer operations indicate if their input parameters are not successfully validated by invoking an alert.
23. The security system of claim 21, wherein the substitute computer operations indicate if their input parameters are not successfully validated by generating a warning text message.
24. The security system of claim 20, wherein the monitoring code further includes program instructions for said processor to replace invalid input parameters with valid input parameters in the suspicious computer operations.
25. The security system of claim 20, wherein said processor executes the modified downloadable.
26. The security system of claim 25, wherein said processor executes the modified downloadable in a secure environment.
27. The security system of claim 20, wherein said receiver receives the downloadable in transit to an intended destination computer, the system further comprising a transmitter for transmitting the modified downloadable to the destination computer.
28. The security system of claim 20, wherein said receiver receives the downloadable in transit to an intended destination computer, and wherein said processor prevents the downloadable from executing on the destination computer if said processor fails to validate the input parameters.
29. The security system of claim 20, wherein said receiver receives the downloadable in transit to an intended destination computer, and wherein said processor consults a security policy to determine whether to forward the downloadable to the destination computer if said validating fails.
30. The security system of claim 20, wherein the monitoring program code includes program instructions for said processor to compare actual input parameters to the suspicious computer operations with at least one descriptor of valid input parameters for the suspicious computer operations.
31. The security system of claim 20, wherein the monitoring program code includes program instructions for said processor to compare actual input parameters to the suspicious computer operations with at least one descriptor of invalid input parameters for the suspicious computer operations.
32. The security system of claim 20, wherein said scanner accesses a dictionary of suspicious computer operations.
33. The security system of claim 20, wherein the monitoring program code includes program instructions for said processor to access a dictionary of valid input parameters.
34. The security system of claim 20, wherein the monitoring program code includes program instructions for said processor to access a dictionary of invalid input parameters.
35. The security system of claim 20, wherein the downloadable is JavaScript program code.
36. The security system of claim 20, wherein the downloadable is VBScript program code.
37. The security system of claim 20, wherein the downloadable is Flash object compiled program code, and wherein said scanner de-compiles the program code to derive source code therefrom.
38. The security system of claim 20, wherein the downloadable is applet compiled program code, and wherein said scanner de-compiles the program code to derive source code therefrom.
39. A method for handling suspicious downloadables, comprising:
receiving a downloadable; and
appending monitoring program code to the downloadable thereby generating a modified downloadable, wherein the monitoring program code includes program instructions:
for identifying suspicious computer operations during run-time of the downloadable;
for overwriting the suspicious computer operations with substitute computer operations during run-time of the downloadable; and
for validating input parameters for the suspicious operations during run-time of the downloadable.
40. The method of claim 39, wherein the substitute computer operations validate their input parameters, and indicate if their input parameters are not successfully validated.
41. The method of claim 39, wherein said identifying suspicious computer operations comprises comparing computer operations in the downloadable with a list of pre-designated computer operations.
42. The method of claim 39, wherein said receiving comprises receiving the downloadable in transit to an intended destination computer, the method further comprising transmitting the modified downloadable to the destination computer if said validating is successful.
43. The method of claim 39, wherein the downloadable is JavaScript program code.
44. The method of claim 39, wherein the downloadable is VBScript program code.
45. The method of claim 39, wherein the downloadable is Flash object compiled program code, the method further comprising de-compiling the Flash object compiled program code to derive source code therefrom.
46. The method of claim 39, wherein the downloadable is applet program code, the method further comprising de-compiling the applet program code to derive source code therefrom.
47. A computer security system, comprising:
a receiver for receiving a downloadable;
a code modifier, coupled with said scanner, for appending monitoring program code to the downloadable thereby generating a modified downloadable; and
a processor, coupled with said code modifier, for executing programmed instructions,
wherein the monitoring program code includes program instructions for said processor:
to identify suspicious computer operations during run-time of the downloadable;
to overwrite the suspicious computer operations with substitute computer operations during run-time of the downloadable; and
to validate input parameters for the suspicious computer operations during run time of the downloadable.
48. The security system of claim 47, wherein the substitute computer operations cause said processor to validate their input parameters, and to indicate if their input parameters are not successfully validated.
49. The security system of claim 47, wherein the monitoring program code further includes program instructions for said processor to compare computer operations in the downloadable with a list of pre-designated computer operations.
50. The computer security system of claim 47, wherein said receiver receives the downloadable in transit to an intended destination computer, the system further comprising a transmitter for transmitting the modified downloadable to the destination computer if said processor successfully validates the input parameters for the suspicious computer operations.
51. The computer security system of claim 47, wherein the downloadable is JavaScript program code.
52. The computer security system of claim 47, wherein the downloadable is VBScript program code.
53. The computer security system of claim 47, wherein the downloadable is Flash object compiled program code, and further comprising a de-compiler for de-compiling the Flash object compiled program code to derive source code therefrom.
54. The computer security system of claim 47, wherein the downloadable is applet program code, and further comprising a de-compiler for de-compiling the applet program code to derive source code therefrom.
55. A method for handling suspicious downloadables, comprising:
scanning a downloadable to detect the presence of at least one suspicious computer operation;
dynamically generating during run-time of the downloadable at least one input parameter for the at least one suspicious computer operation detected by said scanning; and
determining whether or not the dynamically generated at least one input parameter corresponds to a safe input parameter for the at least one suspicious computer operation.
56. A computer security system, comprising:
a scanner for scanning a downloadable to detect the presence of at least one suspicious computer operation; and
a processor that executes programmed instructions:
for dynamically generating during run-time of the downloadable at least one input parameter for the at least one suspicious computer operation detected by said scanner; and
for determining whether or not the dynamically generated at least one input parameter corresponds to a safe input parameter for the at least one suspicious computer operation.
US12/174,592 2005-12-12 2008-07-16 Computer security method and system with input parameter validation Abandoned US20120144485A9 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US12/174,592 US20120144485A9 (en) 2005-12-12 2008-07-16 Computer security method and system with input parameter validation
US14/482,434 US9294493B2 (en) 2005-12-12 2014-09-10 Computer security method and system with input parameter validation

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US11/298,475 US7757289B2 (en) 2005-12-12 2005-12-12 System and method for inspecting dynamically generated executable code
US11/354,893 US7613918B2 (en) 2006-02-16 2006-02-16 System and method for enforcing a security context on a downloadable
US12/174,592 US20120144485A9 (en) 2005-12-12 2008-07-16 Computer security method and system with input parameter validation

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/354,893 Continuation-In-Part US7613918B2 (en) 2005-12-12 2006-02-16 System and method for enforcing a security context on a downloadable

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/482,434 Continuation US9294493B2 (en) 2005-12-12 2014-09-10 Computer security method and system with input parameter validation

Publications (2)

Publication Number Publication Date
US20090019545A1 true US20090019545A1 (en) 2009-01-15
US20120144485A9 US20120144485A9 (en) 2012-06-07

Family

ID=40254237

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/174,592 Abandoned US20120144485A9 (en) 2005-12-12 2008-07-16 Computer security method and system with input parameter validation
US14/482,434 Active US9294493B2 (en) 2005-12-12 2014-09-10 Computer security method and system with input parameter validation

Family Applications After (1)

Application Number Title Priority Date Filing Date
US14/482,434 Active US9294493B2 (en) 2005-12-12 2014-09-10 Computer security method and system with input parameter validation

Country Status (1)

Country Link
US (2) US20120144485A9 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8881278B2 (en) 2010-06-11 2014-11-04 Trustwave Holdings, Inc. System and method for detecting malicious content
US8893278B1 (en) 2011-07-12 2014-11-18 Trustwave Holdings, Inc. Detecting malware communication on an infected computing device
US20150186001A1 (en) * 2013-12-27 2015-07-02 Canon Kabushiki Kaisha Character input apparatus
WO2016108162A1 (en) * 2015-01-01 2016-07-07 Checkmarx Ltd. Code instrumentation for runtime application self-protection
US10387656B2 (en) 2016-03-21 2019-08-20 Checkmarx Ltd. Integrated interactive application security testing
US10469510B2 (en) * 2014-01-31 2019-11-05 Juniper Networks, Inc. Intermediate responses for non-html downloads
US11087002B2 (en) 2017-05-10 2021-08-10 Checkmarx Ltd. Using the same query language for static and dynamic application security testing tools
US11836258B2 (en) 2020-07-28 2023-12-05 Checkmarx Ltd. Detecting exploitable paths in application software that uses third-party libraries

Citations (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5959717A (en) * 1997-12-12 1999-09-28 Chaum; Jerry Motion picture copy prevention, monitoring, and interactivity system
US5974549A (en) * 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
US5983348A (en) * 1997-09-10 1999-11-09 Trend Micro Incorporated Computer network malicious code scanner
US6018374A (en) * 1996-06-25 2000-01-25 Macrovision Corporation Method and system for preventing the off screen copying of a video or film presentation
US6092194A (en) * 1996-11-08 2000-07-18 Finjan Software, Ltd. System and method for protecting a computer and a network from hostile downloadables
US6118487A (en) * 1996-05-08 2000-09-12 Deutsch Thompson-Brandt Gmbh Method and circuit arrangement for the memory-optimized processing of a composite video baseband signal CVBS signal
US6154844A (en) * 1996-11-08 2000-11-28 Finjan Software, Ltd. System and method for attaching a downloadable security profile to a downloadable
US6529600B1 (en) * 1998-06-25 2003-03-04 Koninklijke Philips Electronics N.V. Method and device for preventing piracy of video material from theater screens
US20030065926A1 (en) * 2001-07-30 2003-04-03 Schultz Matthew G. System and methods for detection of new malicious executables
US6615342B1 (en) * 1998-03-26 2003-09-02 Sun Microsystems, Inc. Method and apparatus for object-oriented interrupt system
US20030182572A1 (en) * 2001-12-06 2003-09-25 Cowan Stanley Crispin Pointguard: method and system for protecting programs against pointer corruption attacks
US20040133796A1 (en) * 2003-01-03 2004-07-08 Aladdin Knowledge Systems Ltd. Method for emulating an executable code in order to detect maliciousness
US20040199827A1 (en) * 2003-04-01 2004-10-07 Muttik Igor Garrievich Malware detection uswing external core characteristics
US20040205411A1 (en) * 2003-03-14 2004-10-14 Daewoo Educational Foundation Method of detecting malicious scripts using code insertion technique
US20050108562A1 (en) * 2003-06-18 2005-05-19 Khazan Roger I. Technique for detecting executable malicious code using a combination of static and dynamic analyses
US20050108733A1 (en) * 2000-06-28 2005-05-19 Microsoft Corporation Hooking of replacement and augmented API functions
US20050120242A1 (en) * 2000-05-28 2005-06-02 Yaron Mayer System and method for comprehensive general electric protection for computers against malicious programs that may steal information and/or cause damages
US20050198377A1 (en) * 1999-06-01 2005-09-08 Hill Ferguson Method and system for verifying state of a transaction between a client and a service over a data-packet-network
US20050240999A1 (en) * 1997-11-06 2005-10-27 Moshe Rubin Method and system for adaptive rule-based content scanners for desktop computers
US20060015940A1 (en) * 2004-07-14 2006-01-19 Shay Zamir Method for detecting unwanted executables
US20060026677A1 (en) * 2000-03-30 2006-02-02 Edery Yigal M Malicious mobile code runtime monitoring system and methods
US20060161985A1 (en) * 2005-01-14 2006-07-20 Trend Micro Incorporated Method and apparatus for performing antivirus tasks in a mobile wireless device
US20070016948A1 (en) * 2005-07-15 2007-01-18 Microsoft Corporation Immunizing HTML browsers and extensions from known vulnerabilities
US20070113282A1 (en) * 2005-11-17 2007-05-17 Ross Robert F Systems and methods for detecting and disabling malicious script code
US20070136811A1 (en) * 2005-12-12 2007-06-14 David Gruzman System and method for inspecting dynamically generated executable code
US20070150957A1 (en) * 2005-12-28 2007-06-28 Microsoft Corporation Malicious code infection cause-and-effect analysis
US7272664B2 (en) * 2002-12-05 2007-09-18 International Business Machines Corporation Cross partition sharing of state information
US20070288729A1 (en) * 2004-12-02 2007-12-13 Erb David J System and Method for Simulating Hardware Interrupts
US20080016570A1 (en) * 2006-05-22 2008-01-17 Alen Capalik System and method for analyzing unauthorized intrusion into a computer network
US20080072053A1 (en) * 2006-09-15 2008-03-20 Halim Budi S Web-based authentication system and method
US20080072325A1 (en) * 2006-09-14 2008-03-20 Rolf Repasi Threat detecting proxy server
US20080133540A1 (en) * 2006-12-01 2008-06-05 Websense, Inc. System and method of analyzing web addresses
US20080282338A1 (en) * 2007-05-09 2008-11-13 Beer Kevin J System and method for preventing the reception and transmission of malicious or objectionable content transmitted through a network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020066022A1 (en) 2000-11-29 2002-05-30 Brad Calder System and method for securing an application for execution on a computer

Patent Citations (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6118487A (en) * 1996-05-08 2000-09-12 Deutsch Thompson-Brandt Gmbh Method and circuit arrangement for the memory-optimized processing of a composite video baseband signal CVBS signal
US6018374A (en) * 1996-06-25 2000-01-25 Macrovision Corporation Method and system for preventing the off screen copying of a video or film presentation
US6154844A (en) * 1996-11-08 2000-11-28 Finjan Software, Ltd. System and method for attaching a downloadable security profile to a downloadable
US6092194A (en) * 1996-11-08 2000-07-18 Finjan Software, Ltd. System and method for protecting a computer and a network from hostile downloadables
US6167520A (en) * 1996-11-08 2000-12-26 Finjan Software, Inc. System and method for protecting a client during runtime from hostile downloadables
US5974549A (en) * 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
US5983348A (en) * 1997-09-10 1999-11-09 Trend Micro Incorporated Computer network malicious code scanner
US20050240999A1 (en) * 1997-11-06 2005-10-27 Moshe Rubin Method and system for adaptive rule-based content scanners for desktop computers
US5959717A (en) * 1997-12-12 1999-09-28 Chaum; Jerry Motion picture copy prevention, monitoring, and interactivity system
US6615342B1 (en) * 1998-03-26 2003-09-02 Sun Microsystems, Inc. Method and apparatus for object-oriented interrupt system
US6529600B1 (en) * 1998-06-25 2003-03-04 Koninklijke Philips Electronics N.V. Method and device for preventing piracy of video material from theater screens
US20050198377A1 (en) * 1999-06-01 2005-09-08 Hill Ferguson Method and system for verifying state of a transaction between a client and a service over a data-packet-network
US20060026677A1 (en) * 2000-03-30 2006-02-02 Edery Yigal M Malicious mobile code runtime monitoring system and methods
US20050120242A1 (en) * 2000-05-28 2005-06-02 Yaron Mayer System and method for comprehensive general electric protection for computers against malicious programs that may steal information and/or cause damages
US20050108733A1 (en) * 2000-06-28 2005-05-19 Microsoft Corporation Hooking of replacement and augmented API functions
US20030065926A1 (en) * 2001-07-30 2003-04-03 Schultz Matthew G. System and methods for detection of new malicious executables
US20030182572A1 (en) * 2001-12-06 2003-09-25 Cowan Stanley Crispin Pointguard: method and system for protecting programs against pointer corruption attacks
US7272664B2 (en) * 2002-12-05 2007-09-18 International Business Machines Corporation Cross partition sharing of state information
US20040133796A1 (en) * 2003-01-03 2004-07-08 Aladdin Knowledge Systems Ltd. Method for emulating an executable code in order to detect maliciousness
US20040205411A1 (en) * 2003-03-14 2004-10-14 Daewoo Educational Foundation Method of detecting malicious scripts using code insertion technique
US20040199827A1 (en) * 2003-04-01 2004-10-07 Muttik Igor Garrievich Malware detection uswing external core characteristics
US20050108562A1 (en) * 2003-06-18 2005-05-19 Khazan Roger I. Technique for detecting executable malicious code using a combination of static and dynamic analyses
US20060015940A1 (en) * 2004-07-14 2006-01-19 Shay Zamir Method for detecting unwanted executables
US20070288729A1 (en) * 2004-12-02 2007-12-13 Erb David J System and Method for Simulating Hardware Interrupts
US20060161985A1 (en) * 2005-01-14 2006-07-20 Trend Micro Incorporated Method and apparatus for performing antivirus tasks in a mobile wireless device
US20070016948A1 (en) * 2005-07-15 2007-01-18 Microsoft Corporation Immunizing HTML browsers and extensions from known vulnerabilities
US20070113282A1 (en) * 2005-11-17 2007-05-17 Ross Robert F Systems and methods for detecting and disabling malicious script code
US20070136811A1 (en) * 2005-12-12 2007-06-14 David Gruzman System and method for inspecting dynamically generated executable code
US20070150957A1 (en) * 2005-12-28 2007-06-28 Microsoft Corporation Malicious code infection cause-and-effect analysis
US20080016570A1 (en) * 2006-05-22 2008-01-17 Alen Capalik System and method for analyzing unauthorized intrusion into a computer network
US20080072325A1 (en) * 2006-09-14 2008-03-20 Rolf Repasi Threat detecting proxy server
US20080072053A1 (en) * 2006-09-15 2008-03-20 Halim Budi S Web-based authentication system and method
US20080133540A1 (en) * 2006-12-01 2008-06-05 Websense, Inc. System and method of analyzing web addresses
US20080282338A1 (en) * 2007-05-09 2008-11-13 Beer Kevin J System and method for preventing the reception and transmission of malicious or objectionable content transmitted through a network

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9489515B2 (en) 2010-06-11 2016-11-08 Trustwave Holdings, Inc. System and method for blocking the transmission of sensitive data using dynamic data tainting
US8914879B2 (en) 2010-06-11 2014-12-16 Trustwave Holdings, Inc. System and method for improving coverage for web code
US8881278B2 (en) 2010-06-11 2014-11-04 Trustwave Holdings, Inc. System and method for detecting malicious content
US9081961B2 (en) 2010-06-11 2015-07-14 Trustwave Holdings, Inc. System and method for analyzing malicious code using a static analyzer
US8893278B1 (en) 2011-07-12 2014-11-18 Trustwave Holdings, Inc. Detecting malware communication on an infected computing device
US20150186001A1 (en) * 2013-12-27 2015-07-02 Canon Kabushiki Kaisha Character input apparatus
US9720517B2 (en) * 2013-12-27 2017-08-01 Canon Kabushiki Kaisha Character input apparatus
US10469510B2 (en) * 2014-01-31 2019-11-05 Juniper Networks, Inc. Intermediate responses for non-html downloads
WO2016108162A1 (en) * 2015-01-01 2016-07-07 Checkmarx Ltd. Code instrumentation for runtime application self-protection
US10120997B2 (en) 2015-01-01 2018-11-06 Checkmarx Ltd. Code instrumentation for runtime application self-protection
US10387656B2 (en) 2016-03-21 2019-08-20 Checkmarx Ltd. Integrated interactive application security testing
US11087002B2 (en) 2017-05-10 2021-08-10 Checkmarx Ltd. Using the same query language for static and dynamic application security testing tools
US11836258B2 (en) 2020-07-28 2023-12-05 Checkmarx Ltd. Detecting exploitable paths in application software that uses third-party libraries

Also Published As

Publication number Publication date
US20120144485A9 (en) 2012-06-07
US20150007321A1 (en) 2015-01-01
US9294493B2 (en) 2016-03-22

Similar Documents

Publication Publication Date Title
US9294493B2 (en) Computer security method and system with input parameter validation
US10984097B2 (en) Methods and apparatus for control and detection of malicious content using a sandbox environment
US7757289B2 (en) System and method for inspecting dynamically generated executable code
US8522350B2 (en) System and method for run-time attack prevention
US8850584B2 (en) Systems and methods for malware detection
US7281268B2 (en) System, method and computer program product for detection of unwanted processes
US7613918B2 (en) System and method for enforcing a security context on a downloadable
US8353033B1 (en) Collecting malware samples via unauthorized download protection
US8201245B2 (en) System, method and program product for detecting computer attacks
US8544086B2 (en) Tagging obtained content for white and black listing
Kirda et al. Client-side cross-site scripting protection
US20070113282A1 (en) Systems and methods for detecting and disabling malicious script code
US20100037317A1 (en) Mehtod and system for security monitoring of the interface between a browser and an external browser module
US20090070869A1 (en) Proxy engine for custom handling of web content
US20090070663A1 (en) Proxy engine for custom handling of web content
US9009821B2 (en) Injection attack mitigation using context sensitive encoding of injected input
US8230499B1 (en) Detecting and blocking unauthorized downloads
CN112966274A (en) Web security vulnerability detection method, scanner, storage medium and electronic device
GB2535290B (en) A system and method for detecting and protecting against malicious content

Legal Events

Date Code Title Description
AS Assignment

Owner name: FINJAN SOFTWARE, LTD., ISRAEL

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BEN-ITZHAK, YUVAL;YOSEF, GOLAN;TAUB, ISRAEL;REEL/FRAME:021869/0305

Effective date: 20080916

AS Assignment

Owner name: FINJAN, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:FINJAN SOFTWARE, LTD.;REEL/FRAME:023556/0853

Effective date: 20091102

Owner name: FINJAN, INC.,CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:FINJAN SOFTWARE, LTD.;REEL/FRAME:023556/0853

Effective date: 20091102

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION