Self-repair and distributed-repair of applications

US2016378987A1 · US · A1

Patent metadata
Publication number: US-2016378987-A1
Application number: US-201514753569-A
Country: US
Kind code: A1
Filing date: Jun 29, 2015
Priority date: Jun 29, 2015
Publication date: Dec 29, 2016
Grant date:

Abstract

Official abstract text for this publication.

A method is provided to instrument applications with an instrumentation policy that is visually configurable and allows for run-time modifications of the policy. Instrumentation is achieved without modifying the source code of the applications. Modification of the instrumentation policy of an application is applied without re-compiling, re-deploying, and re-provisioning the application. The instrumentation tracks the flow of values at run time throughout the execution of an application and fixes any security violation automatically by dynamically modifying any value that violates integrity or confidentiality.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for self-repair and distributed-repair of applications, the method comprising: providing a visual editor for a first set of policy configurations; instrumenting the first set of policy configuration into a set of application instances corresponding to a set of computers; detecting an information-flow-security violation at run time of a first application instance in the set of application instances corresponding to a first computer of the set of computers; correcting the information-flow-security violation for the first application instance corresponding to the first computer, to establish a corrected information-flow-security violation; establishing a second set of policy configurations for the first application instance corresponding to the first computer based at least in part on the corrected information-flow-security violation; communicating the second set of policy configurations to a monitor agent on a second computer of the set of computers; and establishing by the monitor agent the second set of policy configuration for a subset of application instances in the set of application instances. wherein: at least the step of establishing a second set of policy configurations for the first application instance is performed by computer software running on computer hardware.

2. The method of claim 1, further comprising: refining the corrected information-flow-security violation and the second set of policy configurations for the first application instance based on a notification from a second application instance in the set of application instances corresponding to a third computer of the set of computers.

3. The method of claim 1, wherein the step of instrumenting the first set of policy configurations into a set of application instances includes: injecting the first set of policy configurations into a source code of the set of application instances.

4. The method of claim 1, wherein: the first set of policy configurations is dynamically modified at run time; the first application instance corresponding to the first computer is not redeployed or reprovisioned; and a consent of a user is not requested.

5. The method of claim 1, wherein the step of detecting an information-flow-security violation at run time of a first application instance in the set of application instances corresponding to a first computer of the set of computers includes: dynamically tracking a flow of data throughout an execution of the first application instance corresponding to the first computer; and determining whether there exists a flow of untrusted data into a security-sensitive computation.

6. The method of claim 1, wherein the step of correcting the information-flow-security violation for the first application instance corresponding to the first computer includes: dynamically modifying a value that breaks an integrity or a confidentiality while the first computer continues to execute the first application instance.

7. The method of claim 1, wherein the step of establishing the second set of policy configurations for a subset of application instances in the set of application instances includes: notifying the application instances of a subset of application instances.

8. The method of claim 1, wherein the step of instrumenting the first set of policy configurations into a set of application instances includes: injecting the first set of policy configurations into a compiled code of the set of application instances.

9. The method of claim 1, wherein the step of detecting an information-flow-security violation at run time of a first application instance corresponding to a first computer of the set of computers includes: dynamically tracking a flow of data throughout an execution of the first application instance corresponding to the first computer; and determining whether there exists a flow of data that releases private data to unauthorized parties.

10. A computer program product for self-repair and distributed-repair of applications, the computer program product comprising a computer readable storage medium having stored thereon: first program instructions programmed to provide a visual editor for a first set of policy configurations; second program instructions programmed to instrument the first set of policy configuration into a set of application instances corresponding to a set of computers; third program instructions programmed to detect an information-flow-security violation at run time of a first application instance in the set of application instances corresponding to a first computer of the set of computers; fourth program instructions programmed to correct the information-flow-security violation for the first application instance corresponding to the first computer, to establish a corrected information-flow-security violation; fifth program instructions to establish a second set of policy configurations for the first application instance corresponding to the first computer based at least in part on the corrected information-flow-security violation; sixth program instructions to communicate the second set of policy configurations to a monitor agent on a second computer of the set of computers; and seventh program instructions to establish by the monitor agent the second set of policy configuration for a subset of application instances in the set of application instances. wherein: at least the step of establishing a second set of policy configurations for the first application instance is performed by computer software running on computer hardware.

11. The computer program product of claim 10, further comprising: eighth program instructions to refine the corrected information-flow-security violation and the second set of policy configurations for the first application instance based on a notification from a second application instance in the set of application instances corresponding to a third computer of the set of computers.

12. The computer program product of claim 10, wherein the step of instrumenting the first set of policy configurations into a set of application instances includes: injecting the first set of policy configurations into a source code of the set of application instances.

13. The computer program product of claim 10, wherein: the first set of policy configurations is dynamically modified at run time; the first application instance corresponding to the first computer is not redeployed or reprovisioned; and a consent of a user is not requested.

14. The computer program product of claim 10, wherein the step of detecting an information-flow-security violation at run time of a first application instance in the set of application instances corresponding to a first computer of the set of computers includes: dynamically tracking a flow of data throughout an execution of the first application instance corresponding to the first computer; and determining whether there exists a flow of untrusted data into a security-sensitive computation.

15. A computer system for self-repair and distributed-repair of applications, the computer system comprising: a processor(s) set; and a computer readable storage medium; wherein: the processor set is structured, located, connected and/or programmed to run program instructions stored on the computer readable storage medium; and the program instructions include: first program instructions programmed to provide a visual editor for a first set of policy configurations; second program instructions programmed to instrument the first set of

Classifications

  • by executing in a restricted environment, e.g. sandbox or secure virtual machine

  • H04L63/20 (Primary): for managing network security; network security policies in general (filtering policies H04L63/0227)

  • G06F21/566 (Primary): Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 29, 2016 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).