Abstract: This disclosure describes systems and methods for protecting commercial off-the-shelf software program code from piracy. A software program may include multiple image files having code and data. A platform may modify the executable file such that the data may be placed at a location in memory that is an arbitrary distance from the code. The platform may encrypt the code and provide it to a computing device comprising a hardware enclave. The computing device may load the encrypted code into the hardware enclave but load the data into memory outside the hardware enclave. The computing device may request a decryption key from an authentication server using a hash of the hardware enclave signed by a processor. The authentication server may provide the decryption key if it verifies the signature and the hash. The computing device may decrypt the code and mark the hardware enclave as non-readable.

Abstract: A program is executed using a call stack and shadow stack. The call stack includes frames having respective return addresses. The frames may also store variables and/or parameters. The shadow stack stores duplicates of the return addresses in the call stack. The call stack and the shadow stack are maintained by, (i) each time a function is called, adding a corresponding stack frame to the call stack and adding a corresponding return address to the shadow stack, and (ii) each time a function is exited, removing a corresponding frame from the call stack and removing a corresponding return address from the shadow stack. A backtrace of the program's current call chain is generated by accessing the return addresses in the shadow stack. The outputted backtrace includes the return addresses from the shadow stack and/or information about the traced functions that is derived from the shadow stack's return addresses.

Abstract: Debugging systems are configured to resolve both memory aliasing conditions in which a write instruction is directed to an unknown destination address, and concurrency conditions in which control flow information is collected for multiple, concurrently executing threads. Recorded state values corresponding to an application's prior execution and control flow information are both obtained.

Abstract: Graph-based detection systems and techniques are provided to identify potential malicious lateral movement paths. System and security events may be used to generate a network connection graph and detect remote file executions and/or other detections, for use in tracking malicious lateral movement across a computer network, such as a compromised computer network. Lateral movement determination across a computer network may be divided into two subproblems: forensic analysis and general detection. With forensic analysis, given a malicious node, possible lateral movement leading into or out of the node is identified. General detection identifies previously unknown malicious lateral movement on a network using a remote file execution detector, and/or other detectors, and a rare path anomaly detection algorithm.

Abstract: Graph-based detection systems and techniques are provided to identify potential malicious lateral movement paths. System and security events may be used to generate a network connection graph and detect remote file executions and/or other detections, for use in tracking malicious lateral movement across a computer network, such as a compromised computer network. Lateral movement determination across a computer network may be divided into two subproblems: forensic analysis and general detection. With forensic analysis, given a malicious node, possible lateral movement leading into or out of the node is identified. General detection identifies previously unknown malicious lateral movement on a network using a remote file execution detector, and/or other detectors, and a rare path anomaly detection algorithm.

Abstract: Methods and systems for application monitoring through collective record and replay are disclosed herein. The method includes recording a number of execution traces for an application from a number of user devices at a runtime library, wherein the number of execution traces relates to non-deterministic data. The method also includes replaying the number of execution traces to determine whether a behavior of the application creates a security risk.

Abstract: A system described herein includes a receiver component that receives source code from a computer-readable medium of a computing device and a static analysis component that executes a points-to analysis algorithm over the source code to cause generation of a points-to graph, wherein the points-to graph is a directed graph that comprises a plurality of nodes and a plurality of edges, wherein nodes of the points-to graph represent pointers in the source code and edges represent inclusion relationships in the source code. The system also includes an inference component that infers target types for generic pointers in the source code based at least in part upon known type definitions and global variables in the source code.

Abstract: Methods and compositions for the optimization of production of influenza viruses suitable as influenza vaccines are provided.

Abstract: Described is a technology by which the identity of a person (e.g., a customer in a commercial transaction) is determinable without active identification effort, via biometric data is obtained without action by the person. Machine processing of the biometric data over a set of possible persons, determined from secondary proximity sensing, is used to determine or assist in determining the identity of the person.

Abstract: Described is a technology by which the identity of a person (e.g., a customer in a commercial transaction) is determinable without active identification effort, via biometric data is obtained without action by the person. Machine processing of the biometric data over a set of possible persons, determined from secondary proximity sensing, is used to determine or assist in determining the identity of the person.

Abstract: A method, system, and computer-readable storage medium for application monitoring through continuous record and replay are described herein. The method includes continuously recording execution traces including external non-deterministic input data for an application at a user device and analyzing the recorded execution traces to identify relevant execution traces for determining a behavior of the application. The method also includes reporting the relevant execution traces to a server, wherein the server is configured to replay the relevant execution traces to determine whether the behavior of the application is as expected.

Abstract: Methods and systems for application monitoring through collective record and replay are disclosed herein. The method includes recording a number of execution traces for an application from a number of user devices at a runtime library, wherein the number of execution traces relates to non-deterministic data. The method also includes replaying the number of execution traces to determine whether a behavior of the application creates a security risk.

Abstract: Methods and systems for application monitoring through collective record and replay are disclosed herein. The method includes recording a number of execution traces for an application from a number of user devices at a runtime library, wherein the number of execution traces relates to non-deterministic data. The method also includes replaying the number of execution traces to determine whether a behavior of the application creates a security risk.

Abstract: Systems and methods for automatically reverse engineering an input data format using dynamic data flow analysis. Combining input data with a simulated execution of the binary program using the input data and analyzing the use of the data by the program to generate a BNL-like grammar representing the input data format. The input data can be application level protocols, network protocols or formatted files.

Abstract: A method, system, and computer-readable storage medium for application monitoring through continuous record and replay are described herein. The method includes continuously recording execution traces including external non-deterministic input data for an application at a user device and analyzing the recorded execution traces to identify relevant execution traces for determining a behavior of the application. The method also includes reporting the relevant execution traces to a server, wherein the server is configured to replay the relevant execution traces to determine whether the behavior of the application is as expected.

Abstract: The claimed subject matter provides a system and/or method that generates data patches for vulnerabilities. The system can include devices and components that examine exploits received or obtained from data streams, constructs probes and determines whether the probes take advantage of vulnerabilities. Based at least in part on such determinations data patches are dynamically generated to remedy the hitherto vulnerabilities.

Abstract: A “Demand-Driven Pointer Analyzer” (DDPA) provides a “demand-driven” field-sensitive pointer analysis process. This process rapidly and accurately identifies alias sets for selected pointers in software modules or programs of any size, including large-scale C/C++ programs such as a complete operating system (OS). The DDPA formulates the pointer analysis task as a Context-Free Language (CFL) reachability problem that operates using a Program Expression Graph (PEG) automatically constructed from the program code. The PEG provides a node and edge-based graph representation of all expressions and assignments in the program and allows the DDPA to rapidly identify aliases for pointers in the program by traversing the graph as a CFL reachability problem to determine pointer alias sets. In various embodiments, the DDPA is also context-sensitive.

Abstract: Technologies pertaining to detecting accesses to monitored regions of memory and transmitting data to a protection system responsive to the detecting are described herein. A region of memory that includes objects in an object graph utilized by an operating system to determine which processes to execute and an order to execute such processes is monitored. If a process executing on a processor attempts to write to an object in the object graph, a field that is being written to is identified, and a determination is made regarding whether the field includes a pointer. Based upon whether the field includes a pointer, a type of write desirably undertaken by the object is ascertained, and an object event is transmitted to the protection system that informs the protection system of the type of write.

Abstract: Technology is described for malware investigation by analyzing computer memory in a computing device. The method can include performing static analysis on code for a software environment to form an extended type graph. A raw memory snapshot of the computer memory can be obtained at runtime. The raw memory snapshot may include the software environment executing on the computing device. Dynamic data structures can be found in the raw memory snapshot using the extended type graph to form an object graph. An authorized memory area can be defined having executable code, static data structures, and dynamic data structures. Implicit and explicit function pointers can be identified. The function pointers can be checked to validate that the function pointers reference a valid memory location in the authorized memory area and whether the computer memory is uncompromised.

Abstract: Described is a technology by which the identity of a person (e.g., a customer in a commercial transaction) is determinable without active identification effort, via biometric data is obtained without action by the person. Machine processing of the biometric data over a set of possible persons, determined from secondary proximity sensing, is used to determine or assist in determining the identity of the person.