Patents by Inventor Jiahe Helen Wang

Jiahe Helen Wang has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7694022
    Abstract: A method and system for protecting an application that implements a communication protocol against exploitation of a communication-based vulnerability is provided. A protection system provides a protection policy that specifies how to recognize messages that expose a specific vulnerability and specifies actions to take when the vulnerability is exposed. A protection policy specifies the sequence of messages and their payload characteristics that expose a vulnerability. The protection system may specify the sequences of messages using a message protocol state machine. A message protocol state machine of an application represents the states that the application transitions through as it receives various messages. The message protocol state machine of the protection policy may be a portion of the message protocol state machine of the application relating to the vulnerability. The protection system uses the message protocol state machine to track the states that lead up to the exposing of the vulnerability.
    Type: Grant
    Filed: September 30, 2004
    Date of Patent: April 6, 2010
    Assignee: Microsoft Corporation
    Inventors: Jason Garms, Chuanxiong Guo, Daniel R. Simon, Jiahe Helen Wang, Alf Peter Zugenmaier
  • Publication number: 20100017883
    Abstract: Systems and methods to manage same-origin-policy (SOP) failures that occur in a computing environment are provided. In an illustrative implementation, an exemplary computing environment comprises a lockbox module, and an instruction set comprising at least one instruction directing the lockbox module to process data and/or computing application execution commands representative of and a request for a selected operation/feature according to a selected SOP management paradigm. In the illustrative implementation, the SOP management paradigm comprises one or more instructions to deploy a “lockbox” computing application element allowing for the management, monitoring, and control of computing application features/operations operable under a same origin policy.
    Type: Application
    Filed: July 17, 2008
    Publication date: January 21, 2010
    Applicant: MICROSOFT CORPORATION
    Inventors: Jiahe Helen Wang, Xiaofeng Fan, Shuo Chen
  • Patent number: 7650317
    Abstract: An active learning framework is provided to extract information from particular fields from a variety of protocols. Extraction is performed in an unknown protocol, in which the user presents the system with a small number of labeled instances. The system then automatically generates an abundance of features and negative examples. A boosting approach is then used for feature selection and classifier combination. The system then displays its results for the user to correct and/or add new examples. The process can be iterated until the user is satisfied with the performance of the extraction capabilities provided by the classifiers generated by the system.
    Type: Grant
    Filed: December 6, 2006
    Date of Patent: January 19, 2010
    Assignee: Microsoft Corporation
    Inventors: Sumit Basu, Karthik Gopalratnam, John David Dunagan, Jiahe Helen Wang
  • Publication number: 20090254891
    Abstract: Systems and methods for automatically reverse engineering an input data format using dynamic data flow analysis. Combining input data with a simulated execution of the binary program using the input data and analyzing the use of the data by the program to generate a BNL-like grammar representing the input data format. The input data can be application level protocols, network protocols or formatted files.
    Type: Application
    Filed: April 7, 2008
    Publication date: October 8, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Weidong Cui, Marcus Peinado, Karl Chen, Jiahe Helen Wang, Luis Irun-Briz
  • Patent number: 7584382
    Abstract: A method and system for identifying a configuration parameter of a “sick” computer system that is at fault for causing an undesired behavior based on analysis of configuration parameters from other computer systems is provided. In one embodiment, a troubleshooting system collects “suspect” values for “suspect” configuration parameters used by a “sick” application when the undesired behavior was exhibited by the sick computer system. The troubleshooting system then compares the suspect values to sample values of the suspect configuration parameters retrieved from sample computer systems. The troubleshooting system uses that comparison to identify one or more suspect configuration parameters that are likely at fault for causing the application to exhibit the undesired behavior.
    Type: Grant
    Filed: August 13, 2004
    Date of Patent: September 1, 2009
    Assignee: Microsoft Corporation
    Inventors: Chad E. Verbowski, Jiahe Helen Wang, John C. Platt, Ruyun Zhang, Yu Chen
  • Patent number: 7584182
    Abstract: A method and system for aggregating configuration information from friend devices is provided. The aggregation system attempts to foil attacks on the privacy of data contributed to a request by aggregating data from a cluster of friend devices in such a way that it is difficult for a device in the cluster and an attacking device outside the cluster to determine the contribution of an individual device to the data. The aggregation system of an initiator device may also determine the cardinality of a parameter so that the corresponding parameter vector can have a size large enough to support the number of possible values. The aggregation system determines the cardinality by counting nonzero hash values of the actual values that are provided by the devices.
    Type: Grant
    Filed: December 19, 2005
    Date of Patent: September 1, 2009
    Assignee: Microsoft Corporation
    Inventors: Jiahe Helen Wang, Nikita Borisov, Qiang Huang, David Jao
  • Publication number: 20090144827
    Abstract: The claimed subject matter provides a system and/or method that generates data patches for vulnerabilities. The system can include devices and components that examine exploits received or obtained from data streams, construct probes, and determine whether the probes take advantage of vulnerabilities. Based at least in part on such determinations, data patches are dynamically generated to remedy the hitherto vulnerabilities.
    Type: Application
    Filed: November 30, 2007
    Publication date: June 4, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Marcus Peinado, Weidong Cui, Jiahe Helen Wang, Michael E. Locasto
  • Publication number: 20090089879
    Abstract: The subject disclosure relates to systems and methods that secure anti-virus software through virtualization. Anti-virus systems can be maintained separate from user applications and operating system through virtualization. The user applications and operating system run in a guest virtual machine while anti-virus systems are isolated in a secure virtual machine. The virtual machines are partially interdependent such that the anti-virus systems can monitor user applications and operating systems while the anti-virus systems remain free from possible malicious attack originating from a user environment. Further, the anti-virus system is secured against zero-day attacks so that detection and recovery may occur post zero-day.
    Type: Application
    Filed: September 28, 2007
    Publication date: April 2, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Jiahe Helen Wang, Jacob R. Lorch, Bryan Jeffrey Parno
  • Publication number: 20090083409
    Abstract: Computer-executable instructions comprising some or all of a program can be delivered to a client for execution on a real-time basis such that the client receives anew the computer-executable instructions for each new execution of the program. Such an environment enables instrumentation instructions to be inserted into the computer-executable instructions after a request and prior to the delivery of the computer-executable instructions. The inserted instrumentation instructions can be spread across multiple deliveries of the same computer-executable instructions, and they can be modified to account for information received from previously inserted instrumentation instructions. The instrumentation instructions can be inserted as part of the server process, the client process, or as part of a proxy server that can be used at the discretion of the program developer.
    Type: Application
    Filed: September 26, 2007
    Publication date: March 26, 2009
    Applicant: Microsoft Corporation
    Inventors: Emre Mehmet Kiciman, Benjamin Livshits, Jiahe Helen Wang
  • Publication number: 20090083363
    Abstract: Computer-executable instructions comprising some or all of a program can be delivered to a client for execution on a real-time basis such that the client receives anew the computer-executable instructions for each new execution of the program. Such an environment enables instrumentation instructions to be inserted into the computer-executable instructions after a request and prior to the delivery of the computer-executable instructions. The inserted instrumentation instructions can be spread across multiple deliveries of the same computer-executable instructions, and they can be modified to account for information received from previously inserted instrumentation instructions. The instrumentation instructions can be inserted as part of the server process, the client process, or as part of a proxy server that can be used at the discretion of the program developer.
    Type: Application
    Filed: September 26, 2007
    Publication date: March 26, 2009
    Applicant: Microsoft Corporation
    Inventors: Emre Mehmet Kiciman, Benjamin Livshits, Jiahe Helen Wang
  • Publication number: 20090083714
    Abstract: Computer-executable instructions comprising some or all of a program can be delivered to a client for execution on a real-time basis such that the client receives anew the computer-executable instructions for each new execution of the program. Such an environment enables instrumentation instructions to be inserted into the computer-executable instructions after a request and prior to the delivery of the computer-executable instructions. The inserted instrumentation instructions can be spread across multiple deliveries of the same computer-executable instructions, and they can be modified to account for information received from previously inserted instrumentation instructions. The instrumentation instructions can be inserted as part of the server process, the client process, or as part of a proxy server that can be used at the discretion of the program developer.
    Type: Application
    Filed: September 26, 2007
    Publication date: March 26, 2009
    Applicant: Microsoft Corporation
    Inventors: Emre Mehmet Kiciman, Benjamin Livshits, Jiahe Helen Wang
  • Publication number: 20090070663
    Abstract: Processes and techniques for protecting web users from malicious executable code are described. A proxy engine is implemented that intercepts communications between a web browser and a script engine. The proxy engine can invoke a variety of custom event handlers that are configured to handle specific types of events (e.g., script events) that occur in the processing of web content. A script shield event handler detects the presence of script in pre-defined script-free zones and prevents the script from being executed on a user's device.
    Type: Application
    Filed: September 6, 2007
    Publication date: March 12, 2009
    Applicant: Microsoft Corporation
    Inventors: Xiaofeng Fan, Jiahe Helen Wang
  • Publication number: 20090070869
    Abstract: Processes and techniques for protecting web users from malicious executable code are described. A proxy engine is implemented that intercepts communications between a web browser and a script engine. The proxy engine can invoke a variety of custom event handlers that are configured to handle specific types of events (e.g., script events) that occur in the processing of web content. A script shield event handler detects the presence of script in pre-defined script-free zones and prevents the script from being executed on a user's device.
    Type: Application
    Filed: September 6, 2007
    Publication date: March 12, 2009
    Applicant: Microsoft Corporation
    Inventors: Xiaofeng Fan, Jiahe Helen Wang
  • Publication number: 20090006645
    Abstract: A system for automatic inference of message formats from network packets is described. Each network message from a set of network messages is split into one or more tokens based on the types of bytes in the network messages. The set of network messages can then be classified into clusters based on token patterns. The network messages in each cluster can then be further sub-clustered recursively based on the message formats. Further, the messages with a similar message format across the sub-clusters can be merged into a cluster. The set of formatted clusters thus obtained correspond to a set of message formats that can be used further for protocol reverse engineering.
    Type: Application
    Filed: June 26, 2007
    Publication date: January 1, 2009
    Applicant: Microsoft Corporation
    Inventors: Weidong Cui, Jayanthkumar Kannan, Jiahe Helen Wang
  • Publication number: 20080313648
    Abstract: Systems and methodologies for accessing resources associated with a Web-based application in accordance with one or more embodiments disclosed herein may include a browser that obtains at least first resources from a first domain and second resources from a second domain and a resource management component that facilitates controlled communication between the first resources and the second resources and prevents the first resources and the second resources from accessing other resources that the first resources and the second resources are not permitted to access. The resource management component may be further operable to contain restricted services in a sandbox containment structure and/or to isolate access-controlled resources in a service instance. In addition, the resource management component may be operable to facilitate the flexible display of resources from disparate domains and/or controlled communication therebetween.
    Type: Application
    Filed: June 14, 2007
    Publication date: December 18, 2008
    Applicant: MICROSOFT CORPORATION
    Inventors: Jiahe Helen Wang, Xiaofeng Fan, Collin Edward Jackson, Jonathan Ryan Howell, Zhenbin Xu
  • Publication number: 20080201337
    Abstract: A method and system for retrieving data from devices in a way that seeks to preserve privacy and ensure the integrity of the retrieved data is provided. A retrieval system is implemented on a network of devices that communicate with each other via a secure communications link. Each device is directly connected to one or more “friend” devices that it trusts. The retrieval system operates by forwarding a request for data from one friend device to another friend device. Each friend device may optionally add data to the request until all the requested data is added. The request with the retrieved data is returned to the device that initiated the request.
    Type: Application
    Filed: March 7, 2008
    Publication date: August 21, 2008
    Applicant: Microsoft Corporation
    Inventors: Chun Yuan, Jiahe Helen Wang, Yi-Min Wang, Zheng Zhang
  • Patent number: 7392295
    Abstract: A method and system for retrieving data from devices in a way that seeks to preserve privacy and ensure the integrity of the retrieved data is provided. A retrieval system is implemented on a network of devices that communicate with each other via a secure communications link. Each device is directly connected to one or more “friend” devices that it trusts. The retrieval system operates by forwarding a request for data from one friend device to another friend device. Each friend device may optionally add data to the request until all the requested data is added. The request with the retrieved data is returned to the device that initiated the request.
    Type: Grant
    Filed: August 13, 2004
    Date of Patent: June 24, 2008
    Assignee: Microsoft Corporation
    Inventors: Chun Yuan, Jiahe Helen Wang, Yi-Min Wang, Zheng Zhang
  • Publication number: 20080140589
    Abstract: An active learning framework is provided to extract information from particular fields from a variety of protocols. Extraction is performed in an unknown protocol, in which the user presents the system with a small number of labeled instances. The system then automatically generates an abundance of features and negative examples. A boosting approach is then used for feature selection and classifier combination. The system then displays its results for the user to correct and/or add new examples. The process can be iterated until the user is satisfied with the performance of the extraction capabilities provided by the classifiers generated by the system.
    Type: Application
    Filed: December 6, 2006
    Publication date: June 12, 2008
    Applicant: MICROSOFT CORPORATION
    Inventors: Sumit Basu, Karthik Gopalratnam, John David Dunagan, Jiahe Helen Wang
  • Publication number: 20080133976
    Abstract: To achieve end-to-end security, traditional machine-to-machine security measures are insufficient if the integrity of the graphical user interface (GUI) is compromised. GUI logic flaws are a category of software vulnerabilities that result from logic flaws in GUI implementation. The invention described here is a technology for uncovering these flaws using a systematic reasoning approach. Major steps in the technology include: (1) mapping a visual invariant to a program invariant; (2) formally modeling the program logic, the user actions and the execution context, and systematically exploring the possibilities of violations of the program invariant; (3) finding real spoofing attacks based on the exploration.
    Type: Application
    Filed: June 25, 2007
    Publication date: June 5, 2008
    Applicant: Microsoft Corporation
    Inventors: Shuo Chen, Yi-Min Wang, Ralf Sasse, Jiahe Helen Wang
  • Publication number: 20080134338
    Abstract: To achieve end-to-end security, traditional machine-to-machine security measures are insufficient if the integrity of the graphical user interface (GUI) is compromised. GUI logic flaws are a category of software vulnerabilities that result from logic flaws in GUI implementation. The invention described here is a technology for uncovering these flaws using a systematic reasoning approach. Major steps in the technology include: (1) mapping a visual invariant to a program invariant; (2) formally modeling the program logic, the user actions and the execution context, and systematically exploring the possibilities of violations of the program invariant; (3) finding real spoofing attacks based on the exploration.
    Type: Application
    Filed: November 30, 2006
    Publication date: June 5, 2008
    Applicants: Microsoft Corporation, University of Illinois
    Inventors: Shuo Chen, Jose Meseguer, Ralf Sasse, Jiahe Helen Wang, Yi-Min Wang