Patents by Inventor Luca Compagna
Luca Compagna has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11973787Abstract: Various examples are directed to systems and methods for detecting vulnerabilities in a web application. A testing utility may direct a plurality of request messages to a web application. The testing utility may be executed at a first computing device and the web application may be executed at a second computing device. The testing utility may determine that a first request message of the plurality of test messages describes a state changing request. The determining may be based at least in part on the first request message and a first response message generated by the web application in response to the first request message. The testing utility may generate a first tampered request message based at least in part on the first request message and direct the first tampered request message to the web application.Type: GrantFiled: March 13, 2019Date of Patent: April 30, 2024Assignee: SAP SEInventors: Luca Compagna, Alessandro Pezze
-
Patent number: 11575687Abstract: Data is received that characterizes a computing architecture including at least one web-based server and an associated cryptographic web protocol to be implemented on such computing architecture according to a desired formal specification. Thereafter, a plurality of inattentive variants complying with the web protocol are generated without associated security checks. Messages to and from each inattentive variant are then monitored while executing the associated security checks. At least one security monitor is generated based on the monitored messages that is configured to address security vulnerabilities in the computing architecture relative to the formal specification. At least one generated security monitor can be later deployed in the computing architecture. Related apparatus, systems, techniques and articles are also described.Type: GrantFiled: February 9, 2021Date of Patent: February 7, 2023Assignee: SAP SEInventors: Luca Compagna, Lorenzo Veronese, Stefano Calzavara
-
Publication number: 20220255951Abstract: Data is received that characterizes a computing architecture including at least one web-based server and an associated cryptographic web protocol to be implemented on such computing architecture according to a desired formal specification. Thereafter, a plurality of inattentive variants complying with the web protocol are generated without associated security checks. Messages to and from each inattentive variant are then monitored while executing the associated security checks. At least one security monitor is generated based on the monitored messages that is configured to address security vulnerabilities in the computing architecture relative to the formal specification. At least one generated security monitor can be later deployed in the computing architecture. Related apparatus, systems, techniques and articles are also described.Type: ApplicationFiled: February 9, 2021Publication date: August 11, 2022Inventors: Luca Compagna, Lorenzo Veronese, Stefano Calzavara
-
Publication number: 20200296126Abstract: Various examples are directed to systems and methods for detecting vulnerabilities in a web application. A testing utility may direct a plurality of request messages to a web application. The testing utility may be executed at a first computing device and the web application may be executed at a second computing device. The testing utility may determine that a first request message of the plurality of test messages describes a state changing request. The determining may be based at least in part on the first request message and a first response message generated by the web application in response to the first request message. The testing utility may generate a first tampered request message based at least in part on the first request message and direct the first tampered request message to the web application.Type: ApplicationFiled: March 13, 2019Publication date: September 17, 2020Inventors: Luca Compagna, Alessandro Pezze
-
Patent number: 9811668Abstract: An input handler receives an exploit test request specifying at least one exploit to be tested against at least one application in at least one execution environment. A deployment engine deploys the at least one execution environment including instantiating a container providing a virtual machine image and configured based on the exploit test request, the instantiated container including the at least one application. A scheduler schedules execution of the at least one execution environment within at least one execution engine, including scheduling an injection of the at least one exploit as specified in the exploit test request. A report generator generates an exploit test report characterizing a result of the at least one exploit being injected into the at least one execution environment of the at least one execution engine.Type: GrantFiled: April 21, 2015Date of Patent: November 7, 2017Assignee: SAP SEInventors: Antonino Sabetta, Luca Compagna, Serena Ponta, Stanislav Dashevskyi, Daniel Dos Santos, Fabio Massacci
-
Publication number: 20170300701Abstract: At design time, a process designer may generate a workflow model of a process associated with in-memory database. The workflow model include tasks and authorization constraints. The authorization constraints are task based constraints, associated with the workflow model. The workflow model is translated into transition system format to generate a reachability graph including possible workflow execution paths. The reachability graph may be translated in a database query format to generate a monitor. At runtime, when a request is received from a process participant to execute a specific task in the workflow model, the monitor is able to enforce authorization constraints and authorization policies received at the runtime, and ensure secure and compliant execution of processes.Type: ApplicationFiled: April 13, 2016Publication date: October 19, 2017Inventors: SERENA PONTA, Luca Compagna, Daniel Dos Santos, Silvio Ranise
-
Patent number: 9715592Abstract: A security testing framework leverages attack patterns to generate test cases for evaluating security of Multi-Party Web Applications (MPWAs). Attack patterns comprise structured artifacts capturing key information to execute general-purpose attacker strategies. The patterns recognize commonalities between attacks, e.g., abuse of security-critical parameter(s), and the attacker's strategy relating to protocol patterns associated with those parameters. A testing environment is configured to collect several varieties of HTTP traffic. User interaction with the MPWA while running security protocols, is recorded. An inference module executes the recorded symbolic sessions, tagging elements in the HTTP traffic with labels. This labeled HTTP traffic is referenced to determine particular attack patterns that are to be applied, and corresponding specific attack test cases that are to be executed against the MPWA. Attacks are reported back to the tester for evaluation.Type: GrantFiled: October 16, 2015Date of Patent: July 25, 2017Assignee: SAP SEInventors: Luca Compagna, Avinash Sudhodanan, Roberto Carbone, Alessandro Armando
-
Publication number: 20170109534Abstract: A security testing framework leverages attack patterns to generate test cases for evaluating security of Multi-Party Web Applications (MPWAs). Attack patterns comprise structured artifacts capturing key information to execute general-purpose attacker strategies. The patterns recognize commonalities between attacks, e.g., abuse of security-critical parameter(s), and the attacker's strategy relating to protocol patterns associated with those parameters. A testing environment is configured to collect several varieties of HTTP traffic. User interaction with the MPWA while running security protocols, is recorded. An inference module executes the recorded symbolic sessions, tagging elements in the HTTP traffic with labels. This labeled HTTP traffic is referenced to determine particular attack patterns that are to be applied, and corresponding specific attack test cases that are to be executed against the MPWA. Attacks are reported back to the tester for evaluation.Type: ApplicationFiled: October 16, 2015Publication date: April 20, 2017Inventors: Luca Compagna, Avinash Sudhodanan, Roberto Carbone, Alessandro Armando
-
Patent number: 9565201Abstract: Embodiments provide apparatuses and methods supporting software development teams in identifying potential security threats, and then testing those threats against under-development scenarios. At design-time, embodiments identify potential threats by providing sequence diagrams enriched with security annotations. Security information captured by the annotations can relate to topics such as security goals, properties of communications channels, environmental parameters, and/or WHAT-IF conditions. The annotated sequence diagram can reference an extensible catalog of functions useful for defining message content. Once generated, the annotated sequence diagram can in turn serve as a basis for translation into a formal model of system security. At run-time, embodiments support development teams in testing, by exploiting identified threats to automatically generate and execute test-cases against the up and running scenario. The security annotations may facilitate detection of subtle flaws in security logic, e.g.Type: GrantFiled: March 24, 2015Date of Patent: February 7, 2017Assignee: SAP SEInventors: Luca Compagna, Serena Ponta
-
Publication number: 20160314302Abstract: An input handler receives an exploit test request specifying at least one exploit to be tested against at least one application in at least one execution environment. A deployment engine deploys the at least one execution environment including instantiating a container providing a virtual machine image and configured based on the exploit test request, the instantiated container including the at least one application. A scheduler schedules execution of the at least one execution environment within at least one execution engine, including scheduling an injection of the at least one exploit as specified in the exploit test request. A report generator generates an exploit test report characterizing a result of the at least one exploit being injected into the at least one execution environment of the at least one execution engine.Type: ApplicationFiled: April 21, 2015Publication date: October 27, 2016Inventors: Antonino Sabetta, Luca Compagna, Serena Ponta, Stanislav Dashevskyi, Daniel Dos Santos, Fabio Massacci
-
Publication number: 20160285902Abstract: Embodiments provide apparatuses and methods supporting software development teams in identifying potential security threats, and then testing those threats against under-development scenarios. At design-time, embodiments identify potential threats by providing sequence diagrams enriched with security annotations. Security information captured by the annotations can relate to topics such as security goals, properties of communications channels, environmental parameters, and/or WHAT-IF conditions. The annotated sequence diagram can reference an extensible catalog of functions useful for defining message content. Once generated, the annotated sequence diagram can in turn serve as a basis for translation into a formal model of system security. At run-time, embodiments support development teams in testing, by exploiting identified threats to automatically generate and execute test-cases against the up and running scenario. The security annotations may facilitate detection of subtle flaws in security logic, e.g.Type: ApplicationFiled: March 24, 2015Publication date: September 29, 2016Inventors: Luca Compagna, Serena Ponta
-
Patent number: 9098693Abstract: The embodiments provide an apparatus for detecting configuration options including an option detector configured to receive a basic model of a security protocol and a set of options, where each option is a variation of the basic model. The option detector is configured to detect which options are configured in an implementation of at least one at least one security protocol entity based on the basic model and the set of options.Type: GrantFiled: July 5, 2012Date of Patent: August 4, 2015Assignee: SAP SEInventors: Giancarlo Pellegrino, Keqin Li, Luca Compagna
-
Publication number: 20140278724Abstract: A computer-implemented method provides remote Security Validation as a Service (SVaaS) to one or more business process modeler clients. The method includes receiving on a cloud-based server, from a remote business process modeler client, a request for validation of a business process model and related information for a business process compliance problem including the business process work flow and security-related aspects of the business process. The method further includes sending the business process compliance problem from the server to a model checker for validation and receiving, at the server, validation results from the model checker and making the validation results available to the remote business process modeler client. The method can include enhancing the remote client with a connector module that is configured to collect information on the business process compliance problem and to communicate such information to the server.Type: ApplicationFiled: March 15, 2013Publication date: September 18, 2014Inventors: Luca Compagna, Serena Ponta
-
Publication number: 20140013382Abstract: The embodiments provide an apparatus for detecting configuration options including an option detector configured to receive a basic model of a security protocol and a set of options, where each option is a variation of the basic model. The option detector is configured to detect which options are configured in an implementation of at least one at least one security protocol entity based on the basic model and the set of options.Type: ApplicationFiled: July 5, 2012Publication date: January 9, 2014Applicant: SAP AGInventors: Giancarlo Pellegrino, Keqin Li, Luca Compagna
-
Publication number: 20120117656Abstract: Implementations of methods of the present disclosure include providing a process model based on the process, the process model comprising a plurality of tasks, receiving user input at a computing device, the user input specifying one or more security requirements, the user input relating each of the one or more security requirements to at least one task of the plurality of tasks, generating, using the computing device, a formal model of the process based on the process model and the one or more security requirements, the formal model being based on a specification meta-language, processing the formal model using a model checker that is executed on the computing device to determine whether violation of at least one of the one or more security requirements occurs in the process, generating an analysis result based on the processing, and displaying the analysis result on a display.Type: ApplicationFiled: November 10, 2010Publication date: May 10, 2012Applicant: SAP AGInventors: Wihem Arsac, Luca Compagna