Abstract: Embodiments protect computer applications from code injection attacks. An example embodiment includes a runtime memory protection (RMP) user endpoint agent and an RMP kernel driver component. The RMP user endpoint agent receives, from the RMP kernel driver component, representations of events occurring with respect to memory locations associated with a computer application and processes the received representations to determine if a given event includes at least one of a memory permissions change request, a memory write request, and a thread create request. If the given event is determined to include at least one of a memory permissions change request, a memory write request, and a thread create request, the RMP user endpoint agent declares a code injection attack and sends an alarm indication to the RMP kernel driver component. In response to receiving the alarm indication, the RMP kernel driver component implements a protection action.

Abstract: Embodiments assess security vulnerability of an application. An embodiment runs one or more static and dynamic analysis tools on the application to generate a static vulnerability report and a dynamic vulnerability report. In turn, code of the application is decompiled to identify code of the application that accepts user input. One or more vulnerabilities of the application are determined using the identified code of the application that accepts user input and a vulnerability report is generated that indicates the one or more vulnerabilities of the application determined using the identified code of the application that accepts user input. A final static vulnerability report and a final dynamic vulnerability report are generated based on the static and dynamic vulnerability reports and the generated vulnerability report indicating the one or more vulnerabilities of the application determined using the identified code of the application that accepts user input.

Abstract: Embodiments are directed to systems that attempt to establish trust in relation to operations on a customer endpoint of a computer network. The systems monitor, in real-time, operations to file systems, registries, application processes and threads, and OS kernels at the customer endpoint. The systems maintain compute components affected by the operation in a quarantine state. The systems then attempt to establish trust in the affected compute components (e.g., by applying rule-based policies). The systems remove the affected compute components from the quarantine state, if trust of the one or more affected compute components is established. The systems execute callback routines to mitigate results of the operation, if trust of the affected compute components is not established.

Abstract: A method or apparatus detects a memory corruption of at least one portion of memory during run-time and corrects the memory corruption of the at least one portion of memory by replacing the at least one portion of memory with a backup of the at least one portion of memory. In this way, memory corruption can be corrected in a timely fashion while minimizing security risks.

Abstract: Embodiments assess security vulnerability of an application. An embodiment identifies one or more executables associated with an application and identifies one or more libraries associated with the application. In turn, based on the identified one or more executables and identified one or more libraries, static vulnerability of the application and dynamic vulnerability of the application are determined. Then, an indication of security vulnerability of the application is generated based on the determined static vulnerability and the determined dynamic vulnerability.

Abstract: Embodiments provide functionality to protect computing workloads from script-based attacks. Upon receipt, at a workload, of a command to commence execution of code of a script, an embodiment determines whether (i) permissions of a user issuing the command comply with a permissions security standard, (ii) an identifier of an interpreter supporting the script is included in an approved interpreter list, (iii) an identifier of a selected parameter of the interpreter is included in an approved parameter list, and (iv) an identifier of the script is included in an approved list of executables. If all of the aforementioned checks pass, such an embodiment allows execution of the code of the script; otherwise, execution is denied, thereby protecting the workload in an event of a script-based attack.

Abstract: Embodiments protect computer applications from code injection attacks. An example embodiment includes a runtime memory protection (RMP) user endpoint agent and an RMP kernel driver component. The RMP user endpoint agent receives, from the RMP kernel driver component, representations of events occurring with respect to memory locations associated with a computer application and processes the received representations to determine if a given event includes at least one of a memory permissions change request, a memory write request, and a thread create request. If the given event is determined to include at least one of a memory permissions change request, a memory write request, and a thread create request, the RMP user endpoint agent declares a code injection attack and sends an alarm indication to the RMP kernel driver component. In response to receiving the alarm indication, the RMP kernel driver component implements a protection action.

Abstract: Embodiments determine configuration information pertaining to a compute layer, a virtualization layer, and a service layer of a computing workload. In an example embodiment, a machine learning engine interfaces with a workload deployed upon a network to initially determine file structures of the workload. The machine learning engine then compares the determined file structures of the workload with predefined representations of file structures stored in a classification database. In turn, the machine learning engine identifies configuration information pertaining to the workload based on the comparing.

Abstract: Embodiments protect computer applications from memory deserialization attacks. An example embodiment receives a data object at a server hosting a software application. In turn, an aspect of the received data object is compared with a representation of an expected data object. If the comparison identifies a difference between the aspect of the received data object and the representation of the expected data object, a protection action is executed to limit a property of the received data object, thus protecting the software application from a memory deserialization attack.

Abstract: Embodiments provide improved functionality to monitor processes. One such embodiment is directed to a system that includes a centralized database storing approved file signatures. The system also includes a processor that is configured, in response to a user request to run an executable file, to suspend a process implementing execution of the executable file. In turn, the processor determines a signature of the executable file and compares the determined signature of the executable file to the approved file signatures stored in the centralized database. Then, the processor maintains or stops suspension of the process based on the comparison. In an embodiment, the processor stops suspension if the signatures match and takes a protection action if the signatures do not match.

Abstract: Embodiments create application-aware software asset inventories for software assets deployed upon computer networks associated with organizations. An example embodiment extracts configuration information pertaining to an application installed on a workload deployed upon a network. In turn, an application topology file is constructed from the extracted configuration information. The constructed application topology file serves as an application-aware software asset inventory wherein information pertaining to identities, locations, and configurations of such software assets is organized and stored.

Abstract: Embodiments detect cross site scripting attacks. An embodiment captures a web request and captures a response to the captured web request. In turn, it is determined if one or more elements associated with the captured web request and one or more elements of the captured response, in combination, cause a malicious action. A cross site scripting attack is then declared in response to determining the one or more elements associated with the captured web request and the one or more elements of the captured response, in combination, cause a malicious action. Embodiments can take one or more protection actions in response to declaring a cross site scripting attack.

Abstract: Embodiments identify vulnerabilities in, e.g., a web application. An embodiment first, searches a database to identify payload characteristics for a Hypertext Transfer Protocol (HTTP) request associated with a uniform resource locator (URL) of a web application. In turn, one or more payloads with characteristics corresponding to the identified payload characteristics are obtained. Next, the HTTP request with the obtained one or more payloads is sent to the URL. Then, one or more responses to the HTTP request sent with the obtained one or more payloads are observed to determine if the web application includes one or more vulnerabilities.

Abstract: Embodiments detect security vulnerabilities, e.g., backdoors, in applications. An embodiment reverses object code of a computer application to generate source code of the computer application. In turn, the generated source code is compared to trusted source code of the computer application to detect a security vulnerability in the object code of the computer application. Embodiments can take one or more protection actions, e.g., sending a notification or preventing execution of the object code, amongst other examples, in response to detecting the security vulnerability.

Abstract: Embodiments assess security vulnerability of an application. An embodiment runs one or more static and dynamic analysis tools on the application to generate a static vulnerability report and a dynamic vulnerability report. In turn, code of the application is decompiled to identify code of the application that accepts user input. One or more vulnerabilities of the application are determined using the identified code of the application that accepts user input and a vulnerability report is generated that indicates the one or more vulnerabilities of the application determined using the identified code of the application that accepts user input. A final static vulnerability report and a final dynamic vulnerability report are generated based on the static and dynamic vulnerability reports and the generated vulnerability report indicating the one or more vulnerabilities of the application determined using the identified code of the application that accepts user input.

Abstract: One example method and correspond apparatus extracts a model of a computer application during load time and stores the model of the computer application in a database. This example method and corresponding apparatus also inserts instructions into the computer application to collect data at runtime. This example method and corresponding apparatus then analyzes the data collected at runtime against the stored model of the computer application to detect one or more security events and tracks the one or more security events using a state machine.

Abstract: Embodiments are directed to systems that attempt to establish trust in relation to operations on a customer endpoint of a computer network. The systems monitor, in real-time, operations to file systems, registries, application processes and threads, and OS kernels at the customer endpoint. The systems maintain compute components affected by the operation in a quarantine state. The systems then attempt to establish trust in the affected compute components (e.g., by applying rule-based policies). The systems remove the affected compute components from the quarantine state, if trust of the one or more affected compute components is established. The systems execute callback routines to mitigate results of the operation, if trust of the affected compute components is not established.

Abstract: Embodiments protect a computer application from being exploited by an attacker, while the application code is executed by a speculative execution engine having vulnerabilities. Embodiments are directed to systems that, prior to execution of the application by a speculative execution engine, locate a sequence of instructions of the application in which the speculative execution engine executes the instructions out of sequence. For example, the sequence of instructions may be an “if-then” code block. The systems determine a disposition that forces the speculative execution engine to execute the instructions in sequence. For example, the disposition may be adding a fence instruction to the sequence of instructions. During execution of the application code by the speculative execution engine, the systems change the sequence of instructions based on the disposition. The systems execute the changed sequence of instructions in place of the located sequence of instructions to prevent an attack on the application.

Abstract: A method or apparatus detects a memory corruption of at least one portion of memory during run-time and corrects the memory corruption of the at least one portion of memory by replacing the at least one portion of memory with a backup of the at least one portion of memory. In this way, memory corruption can be corrected in a timely fashion while minimizing security risks.

Abstract: One example method and correspond apparatus extracts a model of a computer application during load time and stores the model of the computer application in a database. This example method and corresponding apparatus also inserts instructions into the computer application to collect data at runtime. This example method and corresponding apparatus then analyzes the data collected at runtime against the stored model of the computer application to detect one or more security events and tracks the one or more security events using a state machine.