Patents by Inventor Yinnon Avraham Haviv
Yinnon Avraham Haviv has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 9836608Abstract: Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.Type: GrantFiled: October 20, 2016Date of Patent: December 5, 2017Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Paolina Centonze, Yinnon Avraham Haviv, Roee Hay, Marco Pistoia, Adi Sharabani, Omer Tripp
-
Patent number: 9607154Abstract: Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.Type: GrantFiled: September 22, 2013Date of Patent: March 28, 2017Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Paolina Centonze, Yinnon Avraham Haviv, Roee Hay, Marco Pistoia, Adi Sharabani, Omer Tripp
-
Publication number: 20170039375Abstract: Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.Type: ApplicationFiled: October 20, 2016Publication date: February 9, 2017Inventors: Paolina CENTONZE, Yinnon Avraham HAVIV, Roee HAY, Marco PISTOIA, Adi SHARABANI, Omer TRIPP
-
Patent number: 9208055Abstract: Call graph construction systems that utilize computer hardware are presented including: a processor; a candidate pool configured for representing a number of calls originating from a root node of a computer software application; an importance value assigner configured for assigning an importance value for any of the number of calls represented in the candidate pool; a candidate selector configured for selecting from the number of calls represented in the candidate pool for inclusion in a call graph based on a sufficient importance value; and an importance value adjuster configured for adjusting the importance value of any call represented in the call graph.Type: GrantFiled: January 4, 2013Date of Patent: December 8, 2015Assignee: International Business Machines CorporationInventors: Stephen Fink, Yinnon Avraham Haviv, Marco Pistoia, Omer Tripp, Omri Weisman
-
Publication number: 20150089637Abstract: Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.Type: ApplicationFiled: September 22, 2013Publication date: March 26, 2015Inventors: Paolina Centonze, Yinnon Avraham Haviv, Roee Hay, Marco Pistoia, Adi Sharabani, Omer Tripp
-
Patent number: 8635602Abstract: A method includes determining grammar for output of an information-flow downgrader in a software program. The software program directs the output of the information-flow downgrader to a sink. The method includes determining whether the grammar of the output conforms to one or more predetermined specifications of the sink. The method includes, in response to a determination the grammar of the output conforms to the one or more predetermined specifications of the sink, determining the information-flow downgrader is verified for the sink, wherein determining grammar, determining whether the grammar, and determining the information-flow downgrader are performed via static analysis of the software program. Apparatus and computer program products are also disclosed. An apparatus includes a user interface providing a result of whether or not output of an information-flow downgrader in the software program conforms to one or more predetermined specifications of a sink in the software program.Type: GrantFiled: July 26, 2010Date of Patent: January 21, 2014Assignee: International Business Machines CorporationInventors: Yinnon Avraham Haviv, Roee Hay, Marco Pistoia, Adi Sharabani, Takaaki Tateishi, Omer Tripp, Omri Weisman
-
Patent number: 8584246Abstract: A system for eliminating false reports of security vulnerabilities when testing computer software, including a taint analysis engine configured to identify a tainted variable v in a computer application, a data mapping identification engine configured to identify a variable x within the application that holds data derived from v, where x is in a different format than v, an AddData identification engine configured to identify an AddData operation within the application that is performed on x, a signature identification engine configured to identify a Sign operation within the application that is performed on the results of the AddData operation on x, a signature comparison identification engine configured to identify an operation within the application that compares the results of the Sign operation with another value.Type: GrantFiled: October 13, 2009Date of Patent: November 12, 2013Assignee: International Business Machines CorporationInventors: Yinnon Avraham Haviv, Roee Hay, Marco Pistoia, Adi Sharabani, Takaaki Tateishi, Omer Tripp, Omri Weisman
-
Patent number: 8572727Abstract: Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.Type: GrantFiled: November 23, 2009Date of Patent: October 29, 2013Assignee: International Business Machines CorporationInventors: Paolina Centonze, Yinnon Avraham Haviv, Roee Hay, Marco Pistoia, Adi Sharabani, Omer Tripp
-
Patent number: 8539466Abstract: A method of determining suitable insertion points for inserting string sanitizers in a computer code is provided herein. The method includes the following stages: obtaining: (i) a computer code associated with a data flow of externally supplied data, from one or more sources to one or more sinks, (ii) locations of the sources, and (iii) locations of the sinks; building a graph representing control paths, data paths and semantic relationships between the control paths and the data paths of the computer code; associating all tainted data paths on the graph, being data paths that go from sources to sinks and do not include a sanitizer; and determining, on the tainted data paths, potential control paths suitable for sanitizer insertion.Type: GrantFiled: May 23, 2011Date of Patent: September 17, 2013Assignee: International Business Machines CorporationInventors: Aharon Abadi, Jonathan Bnayahu, Ran Ettinger, Yishai Abraham Feldman, Yinnon Avraham Haviv, Adi Sharabani
-
Patent number: 8375371Abstract: A system and method for importance-based call graph construction, including a) analyzing a computer software application to identify a plurality of calls within the computer software application, b) assigning an importance value to any of the calls in accordance with a predefined importance rule, c) selecting any of the calls for inclusion in a call graph in accordance with a predefined inclusion rule, d) representing the call in the call graph, e) adjusting the importance value of any call represented in the call graph in accordance with a predefined importance adjustment rule, and f) iteratively performing any of steps a)-e) until a predefined termination condition is met.Type: GrantFiled: May 8, 2009Date of Patent: February 12, 2013Assignee: International Business Machines CorporationInventors: Stephen Fink, Yinnon Avraham Haviv, Marco Pistoia, Omer Tripp, Omri Weisman
-
Patent number: 8365280Abstract: A computer-implemented method, program product, and system for determining the validity of a string generated by a computer programming language program. The method includes: abstracting a constraint between variables extracted from a source code for a programming language, describing the constraint in M2L, and storing the constraint; and evaluating the validity of the string on an M2L solver on the basis of the constraint and a M2L specification to determine whether the string is safe or unsafe.Type: GrantFiled: June 29, 2010Date of Patent: January 29, 2013Assignee: International Business Machines CorporationInventors: Yinnon Avraham Haviv, Marco Pistoia, Naoshi Tabuchi, Takaaki Tateishi
-
Publication number: 20120304161Abstract: A method of determining suitable insertion points for inserting string sanitizers in a computer code is provided herein. The method includes the following stages: obtaining: (i) a computer code associated with a data flow of externally supplied data, from one or more sources to one or more sinks, (ii) locations of the sources, and (iii) locations of the sinks; building a graph representing control paths, data paths and semantic relationships between the control paths and the data paths of the computer code; associating all tainted data paths on the graph, being data paths that go from sources to sinks and do not include a sanitizer; and determining, on the tainted data paths, potential control paths suitable for sanitizer insertion.Type: ApplicationFiled: May 23, 2011Publication date: November 29, 2012Applicant: International Business Machines CorporationInventors: Aharon Ahadi, Jonathan Bnayahu, Ran Ettinger, Yishai Abraham Feldman, Yinnon Avraham Haviv, Adi Sharabani
-
Publication number: 20120215757Abstract: A crawler including a document retriever configured to retrieve a first computer-based document, a link identifier configured to identify an actual string within the computer-based document as being a hyperlink-type string, and a static analyzer configured to perform static analysis of an operation on a variable within the first computer-based document to identify a possible string value of the variable as being a hyperlink-type string, where any of the strings indicate a location of at least a second computer-based document.Type: ApplicationFiled: February 22, 2011Publication date: August 23, 2012Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Omri Weisman, Yinnon Avraham Haviv, Adi Sharabani, Omer Tripp, Marco Pistoia, Takaaki Tateishi, Guy Podjarny
-
Publication number: 20110126282Abstract: Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.Type: ApplicationFiled: November 23, 2009Publication date: May 26, 2011Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Paolina Centonze, Yinnon Avraham Haviv, Roee Hay, Marco Pistoia, Adi Sharabani, Omer Tripp
-
Publication number: 20110087892Abstract: A system for eliminating false reports of security vulnerabilities when testing computer software, including a taint analysis engine configured to identify a tainted variable v in a computer application, a data mapping identification engine configured to identify a variable x within the application that holds data derived from v, where x is in a different format than v, an AddData identification engine configured to identify an AddData operation within the application that is performed on x, a signature identification engine configured to identify a Sign operation within the application that is performed on the results of the AddData operation on x, a signature comparison identification engine configured to identify an operation within the application that compares the results of the Sign operation with another valueType: ApplicationFiled: October 13, 2009Publication date: April 14, 2011Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Yinnon Avraham HAVIV, Roee HAY, Marco PISTOIA, Adi SHARABANI, Takaaki TATEISHI, Omer TRIPP, Omri WEISMAN
-
Publication number: 20100284527Abstract: A system and method for importance-based call graph construction, including a) analyzing a computer software application to identify a plurality of calls within the computer software application, b) assigning an importance value to any of the calls in accordance with a predefined importance rule, c) selecting any of the calls for inclusion in a call graph in accordance with a predefined inclusion rule, d) representing the call in the call graph, e) adjusting the importance value of any call represented in the call graph in accordance with a predefined importance adjustment rule, and f) iteratively performing any of steps a)-e) until a predefined termination condition is met.Type: ApplicationFiled: May 8, 2009Publication date: November 11, 2010Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Stephen Fink, Yinnon Avraham Haviv, Marco Pistoia, Omer Tripp, Omri Weisman