Patent application number | Description | Published |
20100186086 | METHODS FOR INSPECTING SECURITY CERTIFICATES BY NETWORK SECURITY DEVICES TO DETECT AND PREVENT THE USE OF INVALID CERTIFICATES - Disclosed are methods and media for inspecting security certificates. Methods include the steps of: scanning, by a network security device, messages of a security protocol between a server and a client system; detecting the messages having a security certificate; detecting suspicious security certificates from the messages; and aborting particular sessions of the security protocol associated with the suspicious certificates. Preferably, the step of scanning is performed only on messages of server certificate records. Preferably, the method further includes the step of: sending an invalid-certificate notice to the server and the client system. Preferably, the step of detecting the suspicious certificates includes detecting a use of an incorrectly-generated private key for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting an unavailability of revocation information for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting a use of an invalid cryptographic algorithm for the certificates. | 07-22-2010 |
20110091454 | METHODS AND SYSTEMS FOR ANNOTATING BIOMOLECULAR SEQUENCES - Polypeptide sequences and polynucleotide sequences are provided. Also provided are annotative information concerning such sequences and uses for these sequences. | 04-21-2011 |
20120167212 | METHODS FOR INSPECTING SECURITY CERTIFICATES BY NETWORK SECURITY DEVICES TO DETECT AND PREVENT THE USE OF INVALID CERTIFICATES - Disclosed are methods and media for inspecting security certificates. Methods include the steps of: scanning, by a network security device, messages of a security protocol between a server and a client system; detecting the messages having a security certificate; detecting suspicious security certificates from the messages; and aborting particular sessions of the security protocol associated with the suspicious certificates. Preferably, the step of scanning is performed only on messages of server certificate records. Preferably, the method further includes the step of sending an invalid-certificate notice to the server and the client system. Preferably, the step of detecting the suspicious certificates includes detecting a use of an incorrectly-generated private key for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting an unavailability of revocation information for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting a use of an invalid cryptographic algorithm for the certificates. | 06-28-2012 |
Patent application number | Description | Published |
20110072867 | KEY, LOCK AND LOCKING MECHANISM - A key blank comprises a shaft and a head connected to the shaft, the shaft including first and second surfaces that are oppositely facing, wherein the surfaces are configured to include combination elements to operate a lock and a pair of coaxial operating elements, wherein one element of the pair is operative from the first surface of the shaft and the other element of the pair is operative from the second surface of the shaft, and wherein at least one of the operative elements is a resilient element mounted inside a bore provided in the shaft, wherein the resilient element is operative to exert a compressive force on a pin mechanism of the lock in response to the operative engagement and thereby release the pin mechanism from a lock position, without requiring any pressure on the coaxial element on the other side. | 03-31-2011 |
20110072868 | CYLINDER PROTECTIVE SYSTEM - A substantially burglary-proof lock, comprises a housing formed with a cylindrical bore defining an inner cylindrical surface, and a cylinder within said bore carrying locking elements movable to locking and unlocking positions with respect to said housing, said cylinder having an outer diameter equal to the diameter of said bore so as to be rotatable when the locking elements are in unlocking position with respect to said housing, said cylinder being formed with a keyway for receiving a proper key in order to move said locking elements to their locking and unlocking positions with respect to said housing, characterized in that said cylinder carries at least one insert of a hard material configured, dimensioned and located such as to prevent pull-out of the cylinder from the housing by a pull-out force applied to the cylinder, and/or by drilling through the locking elements. | 03-31-2011 |
20120038478 | LOCKING MECHANISM WITH SABBATH CONTROL UNIT - A lock mechanism for locking a door or the like with a Sabbath control unit comprises a Sabbath control unit comprising an optical device including a light beam emitter and detector spaced apart with a line of sight path between them, the optical device operative to provide output indicating if a light beam emitted by the emitter is received by the detector, and a locking mechanism comprising a moving member operative to be displaced between a locked state position wherein the door is locked and an unlocked state position wherein the door is unlocked, wherein the moving member is operative to block the line of sight path while in the locked state position and to clear the line of sight path while in the unlocked state position, and wherein the Sabbath control unit is operative to activate an electronic device in response to output indicating that the light beam emitted by the emitter has not been received by the detector. | 02-16-2012 |
Patent application number | Description | Published |
20110217295 | TREATMENT OF LUPUS ARTHRITIS USING LAQUINIMOD - This invention provides a method of treating a subject afflicted with active lupus arthritis comprising periodically administering to the subject an amount of laquinimod or pharmaceutically acceptable salt thereof effective to treat the subject. This invention also provides laquinimod or pharmaceutically acceptable salt thereof for use in treating a subject afflicted with active lupus arthritis. This invention further provides a pharmaceutical composition comprising an amount of laquinimod or pharmaceutically acceptable salt thereof for use in treating a subject afflicted with lupus arthritis. | 09-08-2011 |
20110218179 | TREATMENT OF LUPUS NEPHRITIS USING LAQUINIMOD - This invention provides a method of treating a subject afflicted with active lupus nephritis comprising periodically administering to the subject an amount of laquinimod or pharmaceutically acceptable salt thereof effective to treat the subject. This invention also provides laquinimod or pharmaceutically acceptable salt thereof for use in treating a subject afflicted with active lupus nephritis. This invention further provides a pharmaceutical composition comprising an amount of laquinimod or pharmaceutically acceptable salt thereof for use in treating a subject afflicted with active lupus nephritis. | 09-08-2011 |
20130203807 | USE OF LAQUINIMOD FOR TREATING CROHN'S DISEASE PATIENTS WHO FAILED FIRST-LINE ANTI-TNF THERAPY - This application provides for a method of treating a human patient afflicted with anti-TNFα refractory Crohn's disease, of treating a human patient afflicted with non-fibrostenotic Crohn's disease, and of treating a human patient whose Crohn's disease had not been surgically treated, the method comprising periodically administering to the patient an amount of laquinimod or pharmaceutically acceptable salt thereof effective to treat the patient. This application also provides for a method of inducing or maintaining clinical remission in a human patient afflicted with Crohn's disease comprising periodically administering to the patient an amount of laquinimod effective to induce or maintain clinical remission in the patient, which amount of laquinimod is less than 0.5 mg/day. | 08-08-2013 |
20140057883 | TREATMENT OF CROHN'S DISEASE WITH LAQUINIMOD - This application provides for a method of treating a subject suffering from Crohn's disease, the method comprising periodically administering to the subject an amount of laquinimod or pharmaceutically acceptable salt thereof effective to treat the subject. This application provides for use of laquinimod in the manufacture of a medicament for treating a subject suffering from Crohn's disease. This application also provides for a pharmaceutical composition comprising laquinimod for use in treating a subject suffering from Crohn's disease. | 02-27-2014 |
20150359788 | USE OF LAQUINIMOD FOR TREATING CROHN'S DISEASE PATIENTS WHO FAILED FIRST-LINE ANTI-TNF THERAPY - This application provides for a method of treating a human patient afflicted with anti-TNFα refractory Crohn's disease, of treating a human patient afflicted with non-fibrostenotic Crohn's disease, and of treating a human patient whose Crohn's disease had not been surgically treated, the method comprising periodically administering to the patient an amount of laquinimod or pharmaceutically acceptable salt thereof effective to treat the patient. This application also provides for a method of inducing or maintaining clinical remission in a human patient afflicted with Crohn's disease comprising periodically administering to the patient an amount of laquinimod effective to induce or maintain clinical remission in the patient, which amount of laquinimod is less than 0.5 mg/day. | 12-17-2015 |
Patent application number | Description | Published |
20100169880 | VIRTUAL INPUT-OUTPUT CONNECTIONS FOR MACHINE VIRTUALIZATION - A computing method includes specifying a virtual computer system including at least one virtual or physical compute node, which produces data packets having respective source attributes. At least one Virtual Input-Output Connection (VIOC) that is uniquely associated with the values of the source attributes is defined. A policy specifying an operation to be performed with regard to the VIOC is defined. The virtual computer system is implemented on a physical computer system, which includes at least one physical packet switching element. The physical packet switching element is configured to identify the data packets whose source attributes have the values that are associated with the VIOC and to perform the operation on the identified data packets, so as to enforce the policy on the VIOC. | 07-01-2010 |
20110004457 | SERVICE-ORIENTED INFRASTRUCTURE MANAGEMENT - A method for computing includes specifying a data processing system using a logical system definition, which defines logical system components having respective functionalities and a topology for interconnecting the logical system components. The logical system components are represented using respective logical objects in a hierarchical object model. Physical resources of a grid computer system are represented using physical objects in the hierarchical object model. The logical objects are automatically mapped to at least some of the physical objects, so as to allocate the physical resources to carry out the respective functionalities of the logical system components. The allocated physical resources are configured and activated so as to cause the grid computer system to function as the data processing system, in accordance with the logical system definition. | 01-06-2011 |
20120185853 | Virtual Input-Output Connections for Machine Virtualization - A computing method includes specifying a virtual computer system including at least one virtual or physical compute node, which produces data packets having respective source attributes. At least one Virtual Input-Output Connection (VIOC) that is uniquely associated with the values of the source attributes is defined. A policy specifying an operation to be performed with regard to the VIOC is defined. The virtual computer system is implemented on a physical computer system, which includes at least one physical packet switching element. The physical packet switching element is configured to identify the data packets whose source attributes have the values that are associated with the VIOC and to perform the operation on the identified data packets, so as to enforce the policy on the VIOC. | 07-19-2012 |
20140185615 | SWITCH FABRIC SUPPORT FOR OVERLAY NETWORK FEATURES - A method for communication in a packet data network including a subnet containing multiple nodes having respective ports. The method includes assigning respective local identifiers to the ports in the subnet, such that each port receives a respective local identifier that is unique within the subnet to serve as an address for traffic within the subnet that is directed to the port. In addition to the local identifiers, respective port identifiers are assigned to the ports, such that at least one of the port identifiers is shared by a plurality of the ports, but not by all the ports, in the subnet. The plurality of the ports are addressed collectively using the at least one of the port identifiers. | 07-03-2014 |
20140379836 | OFFLOADING NODE CPU IN DISTRIBUTED REDUNDANT STORAGE SYSTEMS - A network interface includes a host interface for communicating with a node, and circuitry which is configured to communicate with one or more other nodes over a communication network so as to carry out, jointly with one or more other nodes, a redundant storage operation that includes a redundancy calculation, including performing the redundancy calculation on behalf of the node. | 12-25-2014 |
20150261434 | STORAGE SYSTEM AND SERVER - A data storage system includes a storage server, including non-volatile memory (NVM) and a server network interface controller (NIC), which couples the storage server to a network. A host computer includes a host central processing unit (CPU), a host memory and a host NIC, which couples the host computer to the network. The host computer runs a driver program that is configured to receive, from processes running on the host computer, commands in accordance with a protocol defined for accessing local storage devices connected to a peripheral component interface bus of the host computer, and upon receiving a storage access command in accordance with the protocol, to initiate a remote direct memory access (RDMA) operation to be performed by the host and server NICs so as to execute on the storage server, via the network, a storage transaction specified by the command. | 09-17-2015 |
20150261720 | ACCESSING REMOTE STORAGE DEVICES USING A LOCAL BUS PROTOCOL - A method for data storage includes configuring a driver program on a host computer to receive commands in accordance with a protocol defined for accessing local storage devices connected to a peripheral component interface bus of the host computer. When the driver program receives, from an application program running on the host computer a storage access command in accordance with the protocol, specifying a storage transaction, a remote direct memory access (RDMA) operation is performed by a network interface controller (NIC) connected to the host computer so as to execute the storage transaction via a network on a remote storage device. | 09-17-2015 |
Patent application number | Description | Published |
20100146068 | DEVICE, SYSTEM, AND METHOD OF ACCESSING STORAGE - Device, system, and method of accessing storage. For example, a server includes: a Solid-State Drive (SSD) to store data; a memory mapper to map at least a portion of a storage space of the SSD into a memory space of the server; and a network adapter to receive a Small Computer System Interface (SCSI) read command incoming from a client device, to map one or more parameters of the SCSI read command into an area of the memory space of the server from which data is requested to be read by the client device, said area corresponding to a storage area of the SSD, and to issue a Remote Direct Memory Access (RDMA) write command to copy data directly to the client device from said area of the memory space corresponding to the SSD. | 06-10-2010 |
20110213854 | Device, system, and method of accessing storage - Device, system, and method of accessing storage. For example, a server includes: a Solid-State Drive (SSD) to store data; a memory mapper to map at least a portion of a storage space of the SSD into a memory space of the server; and a network adapter to receive a Small Computer System Interface (SCSI) read command incoming from a client device, to map one or more parameters of the SCSI read command into an area of the memory space of the server from which data is requested to be read by the client device, said area corresponding to a storage area of the SSD, and to issue a Remote Direct Memory Access (RDMA) write command to copy data directly to the client device from said area of the memory space corresponding to the SSD. | 09-01-2011 |
Patent application number | Description | Published |
20110131656 | IDENTIFYING SECURITY VULNERABILITY IN COMPUTER SOFTWARE - Identifying a security vulnerability in a computer software application by identifying at least one source in a computer software application, identifying at least one sink in the computer software application, identifying at least one input to any of the sinks, determining whether the input derives its value directly or indirectly from any of the sources, determining a set of possible values for the input, and identifying a security vulnerability where the set of possible values for the input does not match a predefined specification of legal values associated with the sink input. | 06-02-2011 |
20110321016 | INJECTION CONTEXT BASED STATIC ANALYSIS OF COMPUTER SOFTWARE APPLICATIONS - Embodiments of the invention generally relate to injection context based static analysis of computer software applications. Embodiments of the invention may include selecting a sink within a computer software application, tracing a character output stream leading to the sink within the computer software application, determining an injection context of the character output stream at the sink, where the injection context is predefined in association with a state of the character output stream at the sink, identifying any actions that have been predefined in association with the identified injection context, and providing a report of the actions. | 12-29-2011 |
20120023486 | Verification of Information-Flow Downgraders - A method includes determining grammar for output of an information-flow downgrader in a software program. The software program directs the output of the information-flow downgrader to a sink. The method includes determining whether the grammar of the output conforms to one or more predetermined specifications of the sink. The method includes, in response to a determination the grammar of the output conforms to the one or more predetermined specifications of the sink, determining the information-flow downgrader is verified for the sink, wherein determining grammar, determining whether the grammar, and determining the information-flow downgrader are performed via static analysis of the software program. Apparatus and computer program products are also disclosed. An apparatus includes a user interface providing a result of whether or not output of an information-flow downgrader in the software program conforms to one or more predetermined specifications of a sink in the software program. | 01-26-2012 |
20120102474 | STATIC ANALYSIS OF CLIENT-SERVER APPLICATIONS USING FRAMEWORK INDEPENDENT SPECIFICATIONS - Systems and methods are provided for statically analyzing a software application that is based on at least one framework. According to the method, source code of the software application and a specification associated with the software application are analyzed. The specification includes a list of synthetic methods that model framework-related behavior of the software application, and a list of entry points indicating the synthetic methods and/or application methods of the software application that can be invoked by the framework. Based on the source code and the specification, intermediate representations for the source code and the synthetic methods are generated. Based on the intermediate representations and the specification, call graphs are generated to model which application methods of the software application invoke synthetic methods or other application methods of the software application. The software application is statically analyzed based on the call graphs and the intermediate representations so as to generate analysis results for the software application. | 04-26-2012 |
20120110551 | SIMULATING BLACK BOX TEST RESULTS USING INFORMATION FROM WHITE BOX TESTING - Systems, methods and program products for simulating black box test results using information obtained from white box testing, including analyzing computer software (e.g., an application) to identify a potential vulnerability within the computer software application and a plurality of milestones associated with the potential vulnerability, where each of the milestones indicates a location within the computer software application, tracing a path from a first one of the milestones to an entry point into the computer software application, identifying an input to the entry point that would result in a control flow from the entry point and through each of the milestones, describing the potential vulnerability in a description indicating the entry point and the input, and presenting the description via a computer-controlled output medium. | 05-03-2012 |
20120198417 | Static Analysis of Computer Software Applications Having A Model-View-Controller Architecture - Preparing a computer software application for static analysis by identifying a control flow within a model portion of a computer software application having a model-view-controller architecture, where the control flow passes a value to a controller portion of the computer software application, analyzing a declarative specification of the controller portion of the computer software application to identify a view to which the controller portion passes control based on the value, and synthesizing a method within the computer software application, where the method calls the view. | 08-02-2012 |
20120216177 | Generating Sound and Minimal Security Reports Based on Static Analysis of a Program - A method is disclosed that includes, using a static analysis, analyzing a software program to determine a number of paths from sources accepting information to sinks using that information or a modified version of that information and to determine multiple paths from the number of paths. The determined multiple paths have a same transition from an application portion of the software program to a library portion of the software program and require a same downgrading action to address a vulnerability associated with source-sink pairs in the multiple paths. The analyzing includes determining the multiple paths using a path-sensitive analysis. The method includes, for the determined multiple paths, grouping the determined multiple paths into a single representative indication of the determined multiple paths. The method includes outputting the single representative indication. Computer program products and apparatus are also disclosed. | 08-23-2012 |
20130007885 | BLACK-BOX TESTING OF WEB APPLICATIONS WITH CLIENT-SIDE CODE EVALUATION - Detecting security vulnerabilities in web applications by interacting with a web application at a computer server during its execution at the computer server, identifying client-side instructions provided by the web application responsive to an interaction with the web application, where the client-side instructions are configured to be implemented by a client computer that receives the client-side instructions from the computer server, evaluating the identified client-side instructions, and identifying a security vulnerability associated with the client-side instructions. | 01-03-2013 |
20130007887 | BLACK-BOX TESTING OF WEB APPLICATIONS WITH CLIENT-SIDE CODE EVALUATION - Detecting security vulnerabilities in web applications by interacting with a web application at a computer server during its execution at the computer server, identifying client-side instructions provided by the web application responsive to an interaction with the web application, where the client-side instructions are configured to be implemented by a client computer that receives the client-side instructions from the computer server, evaluating the identified client-side instructions, and identifying a security vulnerability associated with the client-side instructions. | 01-03-2013 |
20130111449 | STATIC ANALYSIS WITH INPUT REDUCTION | 05-02-2013 |
20130111594 | DETECTION OF DOM-BASED CROSS-SITE SCRIPTING VULNERABILITIES | 05-02-2013 |
20130111595 | DETECTION OF DOM-BASED CROSS-SITE SCRIPTING VULNERABILITIES | 05-02-2013 |
20140215431 | STATIC ANALYSIS OF COMPUTER SOFTWARE APPLICATIONS HAVING A MODEL-VIEW-CONTROLLER ARCHITECTURE - Preparing a computer software application for static analysis by identifying a control flow within a model portion of a computer software application having a model-view-controller architecture, where the control flow passes a value to a controller portion of the computer software application, analyzing a declarative specification of the controller portion of the computer software application to identify a view to which the controller portion passes control based on the value, and synthesizing a method within the computer software application, where the method calls the view. | 07-31-2014 |
Patent application number | Description | Published |
20110087892 | Eliminating False Reports of Security Vulnerabilities when Testing Computer Software - A system for eliminating false reports of security vulnerabilities when testing computer software, including a taint analysis engine configured to identify a tainted variable v in a computer application, a data mapping identification engine configured to identify a variable x within the application that holds data derived from v, where x is in a different format than v, an AddData identification engine configured to identify an AddData operation within the application that is performed on x, a signature identification engine configured to identify a Sign operation within the application that is performed on the results of the AddData operation on x, a signature comparison identification engine configured to identify an operation within the application that compares the results of the Sign operation with another value | 04-14-2011 |
20110126282 | System, Method and Apparatus for Simultaneous Definition and Enforcement of Access-control and Integrity Policies - Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions. | 05-26-2011 |
20120215757 | WEB CRAWLING USING STATIC ANALYSIS - A crawler including a document retriever configured to retrieve a first computer-based document, a link identifier configured to identify an actual string within the computer-based document as being a hyperlink-type string, and a static analyzer configured to perform static analysis of an operation on a variable within the first computer-based document to identify a possible string value of the variable as being a hyperlink-type string, where any of the strings indicate a location of at least a second computer-based document. | 08-23-2012 |
20120304161 | DETERMINING SUITABLE INSERTION POINTS FOR STRING SANITIZERS IN A COMPUTER CODE - A method of determining suitable insertion points for inserting string sanitizers in a computer code is provided herein. The method includes the following stages: obtaining: (i) a computer code associated with a data flow of externally supplied data, from one or more sources to one or more sinks, (ii) locations of the sources, and (iii) locations of the sinks; building a graph representing control paths, data paths and semantic relationships between the control paths and the data paths of the computer code; associating all tainted data paths on the graph, being data paths that go from sources to sinks and do not include a sanitizer; and determining, on the tainted data paths, potential control paths suitable for sanitizer insertion. | 11-29-2012 |
20130191691 | IMPORTANCE-BASED CALL GRAPH CONSTRUCTION - Call graph construction systems that utilize computer hardware are presented including: a processor; a candidate pool configured for representing a number of calls originating from a root node of a computer software application; an importance value assigner configured for assigning an importance value for any of the number of calls represented in the candidate pool; a candidate selector configured for selecting from the number of calls represented in the candidate pool for inclusion in a call graph based on a sufficient importance value; and an importance value adjuster configured for adjusting the importance value of any call represented in the call graph. | 07-25-2013 |
20150089637 | System, Method and Apparatus for Simultaneous Definition and Enforcement of Access-control and Integrity Policies - Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions. | 03-26-2015 |