US20160196129A1 - Method and system to dynamically alter application functionality at runtime in a constrained and secure manner - Google Patents

Method and system to dynamically alter application functionality at runtime in a constrained and secure manner Download PDF

Info

Publication number
US20160196129A1
US20160196129A1 US14/912,023 US201414912023A US2016196129A1 US 20160196129 A1 US20160196129 A1 US 20160196129A1 US 201414912023 A US201414912023 A US 201414912023A US 2016196129 A1 US2016196129 A1 US 2016196129A1
Authority
US
United States
Prior art keywords
application
agent
code fragments
cloud service
dynamic code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/912,023
Inventor
Ahmad Zaid AL HAMAMI
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Trend Micro Inc
Original Assignee
Immun IO Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Immun IO Inc filed Critical Immun IO Inc
Priority to US14/912,023 priority Critical patent/US20160196129A1/en
Assigned to Immun.io Inc. reassignment Immun.io Inc. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: AL HAMAMI, Ahmad Zaid
Publication of US20160196129A1 publication Critical patent/US20160196129A1/en
Assigned to TREND MICRO INCORPORATED reassignment TREND MICRO INCORPORATED ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: Immun.io Inc.
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/65Updates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/34Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters 
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the present invention relates to methods and systems for dynamically altering application functionality, and is particularly concerned with using dynamic and in-application components.
  • updating software functionality requires the updating of the source code, and in some cases compiling the source code to produce a new artifact. In both cases, this will require a new release of the software unto the target machine. There are scenarios where it may be desirable to be able to update the functionality without needing this release step.
  • An object of the present invention is to provide a method and system for dynamic application updates at runtime, in a constrained and safe manner. Furthermore, the dynamic alteration of functionality can be constrained to only allowable operations/features such that certain security guarantees can be made.
  • an agent library to be included into an application, either by the developer or at runtime by the runtime environment.
  • the agent library is able to hook into various interfaces between the application and the different components in the environment, including custom defined interfaces.
  • interfaces can vary significantly.
  • such interfaces include, but are not limited to datastores (SQL/NoSQL/XML as well as other types of databases), caching services, other services exposed via an API mechanism, the application runtime environment, included application libraries, as well as other services that are components of a web application, such as an email server.
  • the interfaces include but are not limited to the local datastore operations on the mobile device, the networking interface, or even an in-application custom defined interface (e.g. hook around user performing a certain operation). Each hook around an interface is able to call a chain of dynamic code fragments.
  • hooks are placed around the Camera's interface (the “save picture” functionality), and those hooks call functions (dynamic code fragments) to perform post processing on the photo just taken, before it is stored to the device.
  • the hooking mechanism is capable of working in cases where the runtime does not provide an instrumentation API.
  • the hooking mechanism may use “monkey patching” techniques or utilize a plugin/middleware mechanism provided by the language, framework or runtime of the particular application.
  • code fragments to be dynamic. That is, the code/logic implementing the functions (code fragments), which in turn are called by the hooks around particular interfaces can be modified at runtime without intervention by the developer.
  • code fragments which in turn are called by the hooks around particular interfaces can be modified at runtime without intervention by the developer.
  • These functions are generated by the service side of the platform, and delivered via a secure channel to the agent library, where they are implemented.
  • the present disclosure also contains guarantees to certain security constraints.
  • these code fragments are dynamic (i.e. modifiable at runtime without installation/restart/intervention)—there are constraints placed on what these fragments can do.
  • a virtual machine and runtime can execute said dynamic code fragments. The virtual machine and runtime will exclude the necessary operations to conduct input/output operations—for example.
  • new post processing effects and filters can be added dynamically by altering these dynamic code fragments.
  • Communication also flows in the other direction, from the agent library to the cloud service, and allows for the agent library to provide information to the cloud service.
  • data about the geographic location of where the picture is taken can be sent to the cloud service.
  • a system for dynamically updating components comprising a cloud service for generating dynamic code fragments and receiving data, an agent manager in communication with the agent library sending dynamic code fragments to the agent library and passing data thereto, and an in-application agent in communication with the agent manager for receiving dynamic code fragments there from and passing reports thereto for dynamically updating an application in which the in-application agent is embedded.
  • FIG. 1 illustrates a system for dynamically updating an application's functionality in a dynamic manner accordance with an embodiment of the present disclosure
  • FIG. 2 illustrates the in-application agent of FIG. 1 in further detail
  • FIG. 3 illustrates in a flowchart a method of dynamically updating an application's functionality in accordance with another embodiment of the present disclosure
  • FIG. 4 illustrates in a flowchart another method of updating an application's functionality in accordance with another embodiment of the present disclosure.
  • FIG. 5 illustrates in a flowchart another method updating an application's functionality in accordance with another embodiment of the present disclosure.
  • the present invention provides a technique for injecting dynamic code fragments into an application
  • a dynamic code fragment is a set of instructions (a part of a software program) to be executed by an agent library.
  • a cloud service is a set of remote servers exposing an endpoint that collects relevant data from authenticated agent libraries via a secure channel, and generates dynamic code fragments to be executed by the virtual machine in the agent library.
  • An agent library (also known as in-application agent) is a software component that is included by the developer into the application directly or by the runtime environment, that provides the base functionality on the agent side to receive and execute dynamic code fragments, and is able to send requested information to the cloud service.
  • a report is any data communicated back from the agent library to the agent manager.
  • FIG. 1 there is illustrated a system for dynamically updating an application's functionality (e.g. of a web application or other non-web application) in accordance with a first embodiment of the present disclosure.
  • FIG. 1 provides an overview of the system components.
  • the system 100 includes a cloud service 110 coupled to a real-time web dashboard 120 and in communication with an agent manager 130 .
  • the agent manager 130 communicates via the Internet 140 with an in-app agent 150 disposed in a web application 160 .
  • the in-app agent 150 is either included as a library by the developer or may be injected into the application 160 via the runtime environment. For example, this may be done by wrapping the application or by injecting the library directly into the application via available runtime methods.
  • the in-app agent 150 receives dynamic code fragments 170 from the cloud service 110 via the agent manager 130 .
  • the dynamic code fragments 170 provide the new or modified functionality for the application.
  • the in-app agent 150 also sends reports 180 to the agent manager 130 .
  • the agent manager 130 is responsible for the communications between the cloud service 110 and the application 160 .
  • the real-time web dashboard 120 is provided to give the application developer or user an insight into any aspect of the dynamic code execution, for example_the performance of the application (to observe the effects of the dynamic code fragments on the application performance).
  • the real-time web dashboard 120 also provides an interface for creating, editing, modifying, selecting and/or scheduling the delivery of the dynamic code fragments.
  • the cloud service 110 receives the reports 180 from the various agent managers 130 (only one shown in FIG. 1 ), as well as other sources, for example third party feeds and new algorithms developed by others and generates new dynamic code fragments to be deployed to the in-app agents 150 via the agent manager 130 .
  • FIG. 2 shows the components of the in-app agent 150 .
  • the in-app agent 150 includes a link manager 200 , an in-app library 210 for storing the dynamic code fragments 170 and a fragment processor 220 for applying, adding, compiling or integrating the dynamic code fragments 170 into the application and for generating reports 180 .
  • the agent library 210 uses a middleware mechanism 230 to hook into various points of the application 160 and the web application framework.
  • the hooks 240 allow the processor 220 to inject dynamic code fragments 170 , that it received from the cloud service 110 via the link manager 130 into these points in the program (application).
  • these dynamic code fragments 170 allow reports 180 to be generated by the fragment processor 220 and to be sent by the in-app agent 150 back to the agent manager 130 , who forwards these reports 180 to the cloud service 110 for the creation of new dynamic code fragments where necessitated or desirable.
  • the dynamic code fragments 170 may be used for updates, security patches, bug fixes or any other purpose.
  • the dynamic code fragments are executable code that does not require the application to be shut down and restarted.
  • the method 300 begins with embedding the in-app agent 150 at step 310 . Once embedded, the in-app agent 150 receives dynamic code fragments from the cloud service 110 , via the agent manager 130 , at step 320 . The in-app agent 150 then adds the dynamic code fragments to the web application at step 330 . The in-app agent 150 monitors performance/activity of the application with the added code fragments at step 340 . The in-app agent 150 generates a report and sends it to the cloud service 110 via the agent manager 130 at step 350 .
  • the cloud service analyzes the report and generates new dynamic code fragments to extend the functionality of the application at step 360 and sends the new dynamic code fragments to the in-app agent 150 , via the agent manager 130 , at step 370 . Finally, the in-app agent adds the new dynamic code fragments to the application at step 380 .
  • the method 400 begins with embedding the in-app agent 150 at step 410 .
  • the in-app agent 150 receives dynamic code fragments from the cloud service 110 , via the agent manager 130 , at step 420 .
  • the in-app agent 150 then injects the dynamic code fragments into the application at step 430 .
  • the cloud service 110 may then receive new information from one or more external sources at step 440 . In this scenario there is no tripwire event in the in-app agent, rather, there is an update to the dynamic code fragments deriving from a source external to the application.
  • the cloud service Based on this new external information, the cloud service generates new dynamic code fragments at step 450 .
  • the cloud service sends the new dynamic code fragments to the in-application agent at step 460 .
  • the in-app agent adds the new dynamic code fragments to the application at step 470 .
  • the dynamic nature of the method provides for altering the functionality of an application by injecting dynamic code fragments into the application based on what the cloud service 110 believes is most effective. Consequently, the cloud service is injecting new code (representing a new algorithm, feature, tool or functionality) into the in-app agents, which changes how each respective application behaves. This injection of code is automatic in the sense that it is done without developer intervention.
  • the in-app agent provides an empty container at certain interfaces within the application to be filled (injected) with dynamic code fragments that are generated dynamically cloud side.
  • FIG. 5 is a flowchart illustrating by way of example the operation of the in-app agent 150 .
  • the operation 500 begins with embedding the in-app agent 150 as represented by step 510 .
  • the application is started at step 520 .
  • the In-App Agent 150 injects hooks into the various interfaces: for example, it injects code (hook) into the database interface layer (DB API) that allows it to process requests before the DB API call is made.
  • the In-App agent 150 inserts the dynamic code fragments via the hooks into these various interfaces at step 540 .
  • the In-App agent 150 requests updated dynamic code fragments for these interfaces at step 550 .
  • the In-App agent 150 receives dynamic code fragments the from cloud service 110 at step 560 .
  • the in-app agent 150 adds the new dynamic code fragments to the application.
  • the application may be a web application.
  • the application may be any type of application, not just a web application.
  • the system may include a sandboxing mechanism to constrain the dynamic code fragments that may be executed.
  • the agent library disables all input/output operations such that dynamic code fragments are injected into the application cannot be compromised by a malicious agent to perform undesirable operations or export data.
  • the agent library may selectively disable some operations (such as input/output operations) to sandbox the new dynamic code fragments injected into the application.
  • the dynamic code fragments are executed by an agent library, which places such constraints on the dynamic code fragments.
  • This sandboxing effect can be achieved by use of a scripting engine, or alternatively, a full virtual machine and runtime environment with a restricted instruction set.
  • each server is a computing device having a processor coupled to a memory and to a data communication port (e.g. modem, network adapter, etc.) for data communication with a network to which the server is connected.
  • the server may include various input/output (I/O) devices and peripherals.
  • the processor and memory cooperate to execute instructions in the form of software code for causing the computing device (server, cluster or cloud service as the case may be) to perform the acts or operations of the novel methods described herein.
  • any of the methods disclosed herein may be implemented in hardware, software, firmware or any combination thereof.
  • the method steps, acts or operations may be programmed or coded as computer-readable instructions and recorded electronically, magnetically or optically on a non-transitory computer-readable medium, computer-readable memory, machine-readable memory or computer program product.
  • the computer-readable memory or computer-readable medium comprises instructions in code which when loaded into a memory and executed on a processor of a computing device cause the computing device to perform one or more of the foregoing method(s).
  • a computer-readable medium can be any means, memory device or medium that contains, records, or stores a computer program or application to be executed or run by a processor (or microprocessor) of a computer (or computing device or other instruction-execution apparatus).
  • the computer-readable medium may be electronic, magnetic, optical, electromagnetic, infrared or any semiconductor system or device.
  • computer executable code to perform the methods disclosed herein may be tangibly recorded on a non-transitory computer-readable medium including, but not limited to, a floppy-disk, a CD-ROM, a DVD, RAM, ROM, EPROM, Flash Memory or any suitable memory card, etc.
  • the method may also be at least partially implemented in hardware.
  • a hardware implementation might employ discrete logic circuits having logic gates for implementing logic functions on data signals, an application-specific integrated circuit (ASIC) having appropriate combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer And Data Communications (AREA)
  • Stored Programmes (AREA)

Abstract

The present disclosure provides a method and system for dynamically updating an application functionality in a secure and constrained manner comprising a cloud service for generating dynamic code fragments and receiving reports, an agent manager in communication with the cloud service receiving code fragments from the cloud service and passing reports thereto, and an in-application agent in communication with the agent manager for receiving dynamic code fragments therefrom and passing reports thereto for dynamically updating the application functionality in which the in-application agent is embedded.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • This application claims priority from U.S. Provisional Patent Application 61/866,191 filed Aug. 15, 2013.
    • TECHNICAL FIELD
  • The present invention relates to methods and systems for dynamically altering application functionality, and is particularly concerned with using dynamic and in-application components.
    • BACKGROUND
  • In almost all scenarios, updating software functionality requires the updating of the source code, and in some cases compiling the source code to produce a new artifact. In both cases, this will require a new release of the software unto the target machine. There are scenarios where it may be desirable to be able to update the functionality without needing this release step.
  • For example, some algorithms may need to be improved over time, certain classes of security bugs need to be fixed, or even certain features introduced or disabled. There is a need in the industry for a method and the system that allow for the above examples to be addressed without requiring a software release (installation/application restart) step.
  • Furthermore, there is a need to be able to perform said alterations, without compromising system security.
    • SUMMARY
  • An object of the present invention is to provide a method and system for dynamic application updates at runtime, in a constrained and safe manner. Furthermore, the dynamic alteration of functionality can be constrained to only allowable operations/features such that certain security guarantees can be made.
  • In the present disclosure there is provided method and system for an agent library to be included into an application, either by the developer or at runtime by the runtime environment. The agent library is able to hook into various interfaces between the application and the different components in the environment, including custom defined interfaces.
  • These interfaces can vary significantly. In the case of a web application, such interfaces include, but are not limited to datastores (SQL/NoSQL/XML as well as other types of databases), caching services, other services exposed via an API mechanism, the application runtime environment, included application libraries, as well as other services that are components of a web application, such as an email server. In the case of a mobile app, the interfaces include but are not limited to the local datastore operations on the mobile device, the networking interface, or even an in-application custom defined interface (e.g. hook around user performing a certain operation). Each hook around an interface is able to call a chain of dynamic code fragments. For example, in a mobile application that processes photos taken with the mobile device, hooks are placed around the Camera's interface (the “save picture” functionality), and those hooks call functions (dynamic code fragments) to perform post processing on the photo just taken, before it is stored to the device.
  • The hooking mechanism is capable of working in cases where the runtime does not provide an instrumentation API. For example, the hooking mechanism may use “monkey patching” techniques or utilize a plugin/middleware mechanism provided by the language, framework or runtime of the particular application.
  • The present disclosure provides for these code fragments to be dynamic. That is, the code/logic implementing the functions (code fragments), which in turn are called by the hooks around particular interfaces can be modified at runtime without intervention by the developer. These functions are generated by the service side of the platform, and delivered via a secure channel to the agent library, where they are implemented.
  • The present disclosure also contains guarantees to certain security constraints. Specifically, while these code fragments are dynamic (i.e. modifiable at runtime without installation/restart/intervention)—there are constraints placed on what these fragments can do. For example, it may be desirable to eliminate generic input/output operations from such fragments. This can be accomplished by, but not limited to, use of a scripting engine to execute the code fragments, with said limitations in place. Alternatively, a virtual machine and runtime can execute said dynamic code fragments. The virtual machine and runtime will exclude the necessary operations to conduct input/output operations—for example.
  • Such a design will allow for the safe execution of dynamic code fragments within acceptable constraints: constraints that are by design sufficient to guarantee non-violation of security of operation.
  • In the example of the mobile device and picture processing application, new post processing effects and filters, for example, can be added dynamically by altering these dynamic code fragments.
  • There are constraints placed in the engine that prevent the accidental or malicious redirection of pictures to a remote server. For example, this could be accomplished by the use of a virtual machine runtime that exclude the network input/output operations. Specifically, only basic computation operations are allowed (load value from memory, store value to memory, all arithmetic operations). Hence, utilizing this invention, we are able to restrict the features of the processing filters to the nature of such filters: mathematical transformations on data structures.
  • Communication also flows in the other direction, from the agent library to the cloud service, and allows for the agent library to provide information to the cloud service.
  • In the example of the mobile device and the picture processing application, data about the geographic location of where the picture is taken can be sent to the cloud service.
  • In accordance with an aspect of the present disclosure there is provided a system for dynamically updating components comprising a cloud service for generating dynamic code fragments and receiving data, an agent manager in communication with the agent library sending dynamic code fragments to the agent library and passing data thereto, and an in-application agent in communication with the agent manager for receiving dynamic code fragments there from and passing reports thereto for dynamically updating an application in which the in-application agent is embedded.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The present invention will be further understood from the following detailed description with reference to the drawings in which:
  • FIG. 1 illustrates a system for dynamically updating an application's functionality in a dynamic manner accordance with an embodiment of the present disclosure;
  • FIG. 2 illustrates the in-application agent of FIG. 1 in further detail;
  • FIG. 3 illustrates in a flowchart a method of dynamically updating an application's functionality in accordance with another embodiment of the present disclosure;
  • FIG. 4 illustrates in a flowchart another method of updating an application's functionality in accordance with another embodiment of the present disclosure; and
  • FIG. 5 illustrates in a flowchart another method updating an application's functionality in accordance with another embodiment of the present disclosure.
    •  DETAILED DESCRIPTION
  • In general, the present invention provides a technique for injecting dynamic code fragments into an application
    • Definitions
  • A dynamic code fragment is a set of instructions (a part of a software program) to be executed by an agent library.
  • A cloud service is a set of remote servers exposing an endpoint that collects relevant data from authenticated agent libraries via a secure channel, and generates dynamic code fragments to be executed by the virtual machine in the agent library.
  • An agent library (also known as in-application agent) is a software component that is included by the developer into the application directly or by the runtime environment, that provides the base functionality on the agent side to receive and execute dynamic code fragments, and is able to send requested information to the cloud service.
  • A report is any data communicated back from the agent library to the agent manager.
  • Referring to FIG. 1 there is illustrated a system for dynamically updating an application's functionality (e.g. of a web application or other non-web application) in accordance with a first embodiment of the present disclosure. FIG. 1 provides an overview of the system components. The system 100 includes a cloud service 110 coupled to a real-time web dashboard 120 and in communication with an agent manager 130. The agent manager 130 communicates via the Internet 140 with an in-app agent 150 disposed in a web application 160. The in-app agent 150 is either included as a library by the developer or may be injected into the application 160 via the runtime environment. For example, this may be done by wrapping the application or by injecting the library directly into the application via available runtime methods.
  • In operation, the in-app agent 150 receives dynamic code fragments 170 from the cloud service 110 via the agent manager 130. The dynamic code fragments 170 provide the new or modified functionality for the application. The in-app agent 150 also sends reports 180 to the agent manager 130. The agent manager 130 is responsible for the communications between the cloud service 110 and the application 160.
  • The real-time web dashboard 120 is provided to give the application developer or user an insight into any aspect of the dynamic code execution, for example_the performance of the application (to observe the effects of the dynamic code fragments on the application performance). The real-time web dashboard 120 also provides an interface for creating, editing, modifying, selecting and/or scheduling the delivery of the dynamic code fragments.
  • The cloud service 110 receives the reports 180 from the various agent managers 130 (only one shown in FIG. 1), as well as other sources, for example third party feeds and new algorithms developed by others and generates new dynamic code fragments to be deployed to the in-app agents 150 via the agent manager 130.
  • Referring to FIG. 2, there is illustrated the in-app agent of FIG. 1 in further detail. FIG. 2 shows the components of the in-app agent 150. The in-app agent 150 includes a link manager 200, an in-app library 210 for storing the dynamic code fragments 170 and a fragment processor 220 for applying, adding, compiling or integrating the dynamic code fragments 170 into the application and for generating reports 180.
  • In an example of the present disclosure, in operation, the agent library 210 uses a middleware mechanism 230 to hook into various points of the application 160 and the web application framework. The hooks 240 allow the processor 220 to inject dynamic code fragments 170, that it received from the cloud service 110 via the link manager 130 into these points in the program (application). In turn, these dynamic code fragments 170 allow reports 180 to be generated by the fragment processor 220 and to be sent by the in-app agent 150 back to the agent manager 130, who forwards these reports 180 to the cloud service 110 for the creation of new dynamic code fragments where necessitated or desirable.
  • The dynamic code fragments 170 may be used for updates, security patches, bug fixes or any other purpose. The dynamic code fragments are executable code that does not require the application to be shut down and restarted.
  • Referring to FIG. 3 there is illustrated in a flowchart a method of dynamically updating an application's functionality in accordance with another embodiment of the present disclosure. The method 300 begins with embedding the in-app agent 150 at step 310. Once embedded, the in-app agent 150 receives dynamic code fragments from the cloud service 110, via the agent manager 130, at step 320. The in-app agent 150 then adds the dynamic code fragments to the web application at step 330. The in-app agent 150 monitors performance/activity of the application with the added code fragments at step 340. The in-app agent 150 generates a report and sends it to the cloud service 110 via the agent manager 130 at step 350. The cloud service analyzes the report and generates new dynamic code fragments to extend the functionality of the application at step 360 and sends the new dynamic code fragments to the in-app agent 150, via the agent manager 130, at step 370. Finally, the in-app agent adds the new dynamic code fragments to the application at step 380.
  • Referring to FIG. 4 there is illustrated in a flowchart a method of dynamically updating a functionality of an application in accordance with a further embodiment of the present disclosure. The method 400 begins with embedding the in-app agent 150 at step 410. Once embedded, the in-app agent 150 receives dynamic code fragments from the cloud service 110, via the agent manager 130, at step 420. The in-app agent 150 then injects the dynamic code fragments into the application at step 430. The cloud service 110 may then receive new information from one or more external sources at step 440. In this scenario there is no tripwire event in the in-app agent, rather, there is an update to the dynamic code fragments deriving from a source external to the application. Based on this new external information, the cloud service generates new dynamic code fragments at step 450. The cloud service sends the new dynamic code fragments to the in-application agent at step 460. Finally, the in-app agent adds the new dynamic code fragments to the application at step 470.
  • The dynamic nature of the method provides for altering the functionality of an application by injecting dynamic code fragments into the application based on what the cloud service 110 believes is most effective. Consequently, the cloud service is injecting new code (representing a new algorithm, feature, tool or functionality) into the in-app agents, which changes how each respective application behaves. This injection of code is automatic in the sense that it is done without developer intervention. Thus, the in-app agent provides an empty container at certain interfaces within the application to be filled (injected) with dynamic code fragments that are generated dynamically cloud side.
  • FIG. 5 is a flowchart illustrating by way of example the operation of the in-app agent 150. The operation 500 begins with embedding the in-app agent 150 as represented by step 510. The application is started at step 520. The In-App Agent 150 injects hooks into the various interfaces: for example, it injects code (hook) into the database interface layer (DB API) that allows it to process requests before the DB API call is made. The In-App agent 150 inserts the dynamic code fragments via the hooks into these various interfaces at step 540. The In-App agent 150 requests updated dynamic code fragments for these interfaces at step 550. The In-App agent 150 receives dynamic code fragments the from cloud service 110 at step 560. Finally, at step 570, the in-app agent 150 adds the new dynamic code fragments to the application. As an example only, the application may be a web application. However, it should be clearly understood that the application may be any type of application, not just a web application.
  • From the foregoing, it is apparent that the system may include a sandboxing mechanism to constrain the dynamic code fragments that may be executed. As an example, it may not be desirable to allow the dynamic code fragments to contain generic input/output operations, for security reasons, and to be restricted to computation algorithms only. As such, in an embodiment, the agent library disables all input/output operations such that dynamic code fragments are injected into the application cannot be compromised by a malicious agent to perform undesirable operations or export data. In other embodiments, the agent library may selectively disable some operations (such as input/output operations) to sandbox the new dynamic code fragments injected into the application.
  • The dynamic code fragments are executed by an agent library, which places such constraints on the dynamic code fragments. This sandboxing effect can be achieved by use of a scripting engine, or alternatively, a full virtual machine and runtime environment with a restricted instruction set.
  • Although the foregoing technology is best implemented using a cloud service 110, in other embodiments the cloud service may be replaced by a server cluster or even a single server. Each server is a computing device having a processor coupled to a memory and to a data communication port (e.g. modem, network adapter, etc.) for data communication with a network to which the server is connected. The server may include various input/output (I/O) devices and peripherals. The processor and memory cooperate to execute instructions in the form of software code for causing the computing device (server, cluster or cloud service as the case may be) to perform the acts or operations of the novel methods described herein.
  • Any of the methods disclosed herein may be implemented in hardware, software, firmware or any combination thereof. Where implemented as software, the method steps, acts or operations may be programmed or coded as computer-readable instructions and recorded electronically, magnetically or optically on a non-transitory computer-readable medium, computer-readable memory, machine-readable memory or computer program product. In other words, the computer-readable memory or computer-readable medium comprises instructions in code which when loaded into a memory and executed on a processor of a computing device cause the computing device to perform one or more of the foregoing method(s).
  • A computer-readable medium can be any means, memory device or medium that contains, records, or stores a computer program or application to be executed or run by a processor (or microprocessor) of a computer (or computing device or other instruction-execution apparatus). The computer-readable medium may be electronic, magnetic, optical, electromagnetic, infrared or any semiconductor system or device. For example, computer executable code to perform the methods disclosed herein may be tangibly recorded on a non-transitory computer-readable medium including, but not limited to, a floppy-disk, a CD-ROM, a DVD, RAM, ROM, EPROM, Flash Memory or any suitable memory card, etc. The method may also be at least partially implemented in hardware. A hardware implementation might employ discrete logic circuits having logic gates for implementing logic functions on data signals, an application-specific integrated circuit (ASIC) having appropriate combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), etc.
  • This invention has been described in terms of specific embodiments, implementations and configurations which are intended to be exemplary only. Persons of ordinary skill in the art will appreciate, having read this disclosure, that many obvious variations, modifications and refinements may be made without departing from the inventive concept(s) presented herein. The scope of the exclusive right sought by the Applicant(s) is therefore intended to be limited solely by the appended claims.

Claims (13)

1. A system for dynamically updating application functionality, the system comprising:
an in-application agent for executing code fragments for dynamically updating the application functionality in which the in-application agent is embedded and for generating reports characterizing the application functionality;
a cloud service for generating dynamic code fragments and receiving the reports;
an agent manager in communication with the cloud service for receiving the dynamic code fragments from the cloud service and passing the dynamic code fragments received to the in-application agent and for receiving reports from the in-application agent and passing the reports received to the cloud service.
2. The system of claim 1 wherein the in-application agent includes a link manager for communications with the agent manager.
3. The system of claim 1 wherein the in-application agent includes hooks into the web application.
4. The system of claim 1 wherein the cloud service generates and updates the dynamic code fragments in response to application level and external data sources.
5. The system of claim 1 wherein upon receiving the new dynamic code fragments, the in-application agent updates a configuration to use the new dynamic code fragments.
6. The system of claim 1 wherein the in-application agent uses hooks to execute the code fragments.
7. The system of claim 1 wherein the in-application agent generates the reports locally.
8. A method of dynamically updating an application functionality, the method comprising:
embedding an in-application agent into an application;
generating dynamic code fragments in a cloud service;
providing these generated fragments to the in-application agent;
the in-application agent receiving these fragments for updating the functionality in which the in-application agent is embedded.
9. The method of claim 8 further comprising:
the in-application agent executing new code fragments;
generating a report; and
sending it to the cloud service.
10. The method of claim 9 further comprising the step of the cloud service, upon receiving the report, having the possibility of generating a new code fragment and sending the new code fragment to the in-application agent.
11. The method of claim 8 further comprising:
the cloud service receiving new information;
generating new code fragments; and
sending the new code fragments to the in-application agent; and
the in-application agent executing the new code fragment.
12. A non-transitory computer readable medium comprising instructions in code which when stored in a memory of a computing device and executed by a processor of the computing device cause the computing device to:
execute an in-application agent embedded in an application, the in-application agent including:
an in-app library for storing dynamic code fragments;
a fragment processor for adding the dynamic code fragments to the application and for generating one or more reports;
a link manager for receiving new dynamic code fragments from a cloud service generated in response to the one or more reports;
one or more hooks in the application enabling the processor to inject the new dynamic code fragments into the web application.
13. The computer readable medium of claim 12 wherein the link manager communicates with the cloud service by communicating via an encrypted link with an agent manager.
US14/912,023 2013-08-15 2014-08-15 Method and system to dynamically alter application functionality at runtime in a constrained and secure manner Abandoned US20160196129A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/912,023 US20160196129A1 (en) 2013-08-15 2014-08-15 Method and system to dynamically alter application functionality at runtime in a constrained and secure manner

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201361866191P 2013-08-15 2013-08-15
PCT/CA2014/050774 WO2015021555A1 (en) 2013-08-15 2014-08-15 Method and system to dynamically alter application functionality at runtime in a constrained and secure manner
US14/912,023 US20160196129A1 (en) 2013-08-15 2014-08-15 Method and system to dynamically alter application functionality at runtime in a constrained and secure manner

Publications (1)

Publication Number Publication Date
US20160196129A1 true US20160196129A1 (en) 2016-07-07

Family

ID=52467819

Family Applications (3)

Application Number Title Priority Date Filing Date
US14/461,021 Abandoned US20150052607A1 (en) 2013-08-15 2014-08-15 Method and system for protecting web applications against web attacks
US14/912,023 Abandoned US20160196129A1 (en) 2013-08-15 2014-08-15 Method and system to dynamically alter application functionality at runtime in a constrained and secure manner
US15/899,937 Active US10623440B2 (en) 2013-08-15 2018-02-20 Method and system for protecting web applications against web attacks

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US14/461,021 Abandoned US20150052607A1 (en) 2013-08-15 2014-08-15 Method and system for protecting web applications against web attacks

Family Applications After (1)

Application Number Title Priority Date Filing Date
US15/899,937 Active US10623440B2 (en) 2013-08-15 2018-02-20 Method and system for protecting web applications against web attacks

Country Status (5)

Country Link
US (3) US20150052607A1 (en)
EP (2) EP2951955B1 (en)
CA (2) CA2920908A1 (en)
IL (2) IL237953A0 (en)
WO (2) WO2015021554A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10326864B2 (en) * 2017-02-15 2019-06-18 Sap Se Dynamic orchestration of microservices

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10805331B2 (en) 2010-09-24 2020-10-13 BitSight Technologies, Inc. Information technology security assessment system
US9438615B2 (en) 2013-09-09 2016-09-06 BitSight Technologies, Inc. Security risk management
US9465714B1 (en) 2015-09-22 2016-10-11 International Business Machines Corporation Adaptive runtime for a multiprocessing API
US10191831B2 (en) * 2016-06-08 2019-01-29 Cylance Inc. Macro-script execution control
US10425380B2 (en) 2017-06-22 2019-09-24 BitSight Technologies, Inc. Methods for mapping IP addresses and domains to organizations using user activity data
US10257219B1 (en) 2018-03-12 2019-04-09 BitSight Technologies, Inc. Correlated risk in cybersecurity
US10812520B2 (en) 2018-04-17 2020-10-20 BitSight Technologies, Inc. Systems and methods for external detection of misconfigured systems
US10735291B2 (en) * 2018-07-27 2020-08-04 Centurylink Intellectual Property Llc Method and system for implementing high availability (HA) web application firewall (WAF) functionality
US11200323B2 (en) 2018-10-17 2021-12-14 BitSight Technologies, Inc. Systems and methods for forecasting cybersecurity ratings based on event-rate scenarios
US10521583B1 (en) * 2018-10-25 2019-12-31 BitSight Technologies, Inc. Systems and methods for remote detection of software through browser webinjects
US11729176B2 (en) * 2018-12-28 2023-08-15 Imperva Inc. Monitoring and preventing outbound network connections in runtime applications
US10726136B1 (en) 2019-07-17 2020-07-28 BitSight Technologies, Inc. Systems and methods for generating security improvement plans for entities
US11956265B2 (en) 2019-08-23 2024-04-09 BitSight Technologies, Inc. Systems and methods for inferring entity relationships via network communications of users or user devices
US10848382B1 (en) 2019-09-26 2020-11-24 BitSight Technologies, Inc. Systems and methods for network asset discovery and association thereof with entities
US11032244B2 (en) 2019-09-30 2021-06-08 BitSight Technologies, Inc. Systems and methods for determining asset importance in security risk management
US10893067B1 (en) 2020-01-31 2021-01-12 BitSight Technologies, Inc. Systems and methods for rapidly generating security ratings
US11635972B2 (en) * 2020-02-12 2023-04-25 Cisco Technology, Inc. Multi-tenant java agent instrumentation system
US11023585B1 (en) 2020-05-27 2021-06-01 BitSight Technologies, Inc. Systems and methods for managing cybersecurity alerts
US11122073B1 (en) 2020-12-11 2021-09-14 BitSight Technologies, Inc. Systems and methods for cybersecurity risk mitigation and management

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030101431A1 (en) * 2001-11-29 2003-05-29 Evelyn Duesterwald System and method for dynamically replacing code
US20040107416A1 (en) * 2002-12-02 2004-06-03 Microsoft Corporation Patching of in-use functions on a running computer system
US20040261059A1 (en) * 2003-06-18 2004-12-23 Sam Spencer System and method for creating, managing and using code segments
US20050149922A1 (en) * 2004-01-06 2005-07-07 International Business Machines Corporation Dynamic software update system, method and program product
US20060025384A1 (en) * 2002-11-12 2006-02-02 Guocheng Wang New crystal form of adefovir dipivoxil and its composition
US20060265702A1 (en) * 2005-05-19 2006-11-23 Isaacson Scott A System for creating a customized software distribution based on user requirements
US20090008976A1 (en) * 2005-02-02 2009-01-08 Schukra Geraetebau Ag Lumbar Support and Method for Manufacturing a Lumbar Support
US20090260004A1 (en) * 2008-04-10 2009-10-15 Palm, Inc. Computer program updates for mobile computing device
US20110271266A1 (en) * 2010-04-28 2011-11-03 General Electric Company Systems, methods, and apparatus for deploying application code change configurations for multiple target controllers
US20130026308A1 (en) * 2011-07-25 2013-01-31 Holm-Quist Designs Llc Mounting bracket means for solar arrays and the like
US20130254755A1 (en) * 2012-03-22 2013-09-26 Shenol YOUSOUF Dynamically updating on-demand runtime platforms executing business applications
US20130263088A1 (en) * 2012-03-27 2013-10-03 Microsoft Corporation Dynamic plugin(s) for cloud application(s)
US20140189668A1 (en) * 2013-01-03 2014-07-03 International Business Machines Corporation Processing proposed program code libraries in a networked computing environment
US20150040112A1 (en) * 2013-08-01 2015-02-05 Qualcomm Incorporated Enabling Interoperability Between Software Applications By Utilizing Partial Binaries

Family Cites Families (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5732275A (en) * 1996-01-11 1998-03-24 Apple Computer, Inc. Method and apparatus for managing and automatically updating software programs
US6553507B1 (en) * 1998-09-30 2003-04-22 Intel Corporation Just-in-time software updates
US20030023857A1 (en) * 2001-07-26 2003-01-30 Hinchliffe Alexander James Malware infection suppression
US8127359B2 (en) * 2003-04-11 2012-02-28 Samir Gurunath Kelekar Systems and methods for real-time network-based vulnerability assessment
US7975306B2 (en) * 2004-06-04 2011-07-05 Hewlett-Packard Development Company, L.P. Apparatus and method for monitoring secure software
US7849448B2 (en) * 2005-06-01 2010-12-07 Crosscheck Networks Technique for determining web services vulnerabilities and compliance
WO2006133222A2 (en) * 2005-06-07 2006-12-14 Vmware, Inc. Constraint injection system for immunizing software programs against vulnerabilities and attacks
US8566919B2 (en) * 2006-03-03 2013-10-22 Riverbed Technology, Inc. Distributed web application firewall
US8286238B2 (en) * 2006-09-29 2012-10-09 Intel Corporation Method and apparatus for run-time in-memory patching of code from a service processor
KR20080036706A (en) * 2006-10-24 2008-04-29 박재철 Web security module using regulation expression of web attack and include function of script language
US9027039B2 (en) * 2007-01-29 2015-05-05 Intel Corporation Methods for analyzing, limiting, and enhancing access to an internet API, web service, and data
ATE467970T1 (en) * 2007-08-09 2010-05-15 Sap Ag INPUT AND OUTPUT VALIDATION TO PROTECT DATABASE SERVERS
US8271836B2 (en) * 2007-09-27 2012-09-18 Microsoft Corporation Capturing diagnostics in web browser applications
US8849985B1 (en) * 2007-12-03 2014-09-30 Appcelerator, Inc. On-the-fly instrumentation of Web applications, Web-pages or Web-sites
US8527860B1 (en) * 2007-12-04 2013-09-03 Appcelerator, Inc. System and method for exposing the dynamic web server-side
US8806630B2 (en) * 2008-05-13 2014-08-12 At&T Intellectual Property, I, L.P. Methods and apparatus for intrusion protection in systems that monitor for improper network usage
US9473457B2 (en) * 2009-10-22 2016-10-18 International Business Machines Corporation Interactive management of web application firewall rules
EP2513793B1 (en) * 2009-12-15 2018-11-14 Synopsys, Inc. Method and system of runtime analysis
US8458798B2 (en) * 2010-03-19 2013-06-04 Aspect Security Inc. Detection of vulnerabilities in computer systems
US9461996B2 (en) * 2010-05-07 2016-10-04 Citrix Systems, Inc. Systems and methods for providing a single click access to enterprise, SAAS and cloud hosted application
US9282097B2 (en) * 2010-05-07 2016-03-08 Citrix Systems, Inc. Systems and methods for providing single sign on access to enterprise SAAS and cloud hosted applications
US8839441B2 (en) * 2010-06-28 2014-09-16 Infosys Limited Method and system for adaptive vulnerability scanning of an application
KR101005927B1 (en) * 2010-07-05 2011-01-07 펜타시큐리티시스템 주식회사 Method for detecting a web application attack
JP5325177B2 (en) * 2010-08-09 2013-10-23 株式会社日立製作所 Web application operation recording method and system
US20130019314A1 (en) * 2011-07-14 2013-01-17 International Business Machines Corporation Interactive virtual patching using a web application server firewall
CN103067344B (en) * 2011-10-24 2016-03-30 国际商业机器公司 The noninvasive method of automatic distributing safety regulation and equipment in cloud environment
WO2013063474A1 (en) * 2011-10-28 2013-05-02 Scargo, Inc. Security policy deployment and enforcement system for the detection and control of polymorphic and targeted malware
JPWO2013111547A1 (en) 2012-01-24 2015-05-11 日本電気株式会社 Route control device, control information generation method, and program
US9009534B2 (en) * 2012-05-24 2015-04-14 Sap Se Runtime configuration checks for composite applications
US8869287B2 (en) * 2012-12-31 2014-10-21 International Business Machines Corporation Hybrid analysis of vulnerable information flows
AU2014205389A1 (en) * 2013-01-11 2015-06-04 Db Networks, Inc. Systems and methods for detecting and mitigating threats to a structured data storage system
US9658941B2 (en) * 2013-01-28 2017-05-23 Rackspace Us, Inc. Methods and systems of function-specific tracing
US9111091B2 (en) * 2013-01-29 2015-08-18 International Business Machines Corporation Automatic extraction, modeling, and code mapping of application user interface display screens and components
US9361085B2 (en) * 2013-03-18 2016-06-07 Cloudmask Systems and methods for intercepting, processing, and protecting user data through web application pattern detection
US9043458B2 (en) * 2013-03-19 2015-05-26 Cognizant Technology Solutions India Pvt. Ltd. Framework for facilitating implementation of multi-tenant SaaS architecture
CA2913930A1 (en) * 2013-05-30 2014-12-04 Ryan O'BOYLE Systems and methods for remote analysis of software applications
WO2015001535A1 (en) * 2013-07-04 2015-01-08 Auditmark S.A. System and method for web application security
US10284570B2 (en) * 2013-07-24 2019-05-07 Wells Fargo Bank, National Association System and method to detect threats to computer based devices and systems
US9363190B2 (en) * 2013-07-31 2016-06-07 Manjrasoft Pty. Ltd. System, method and computer program product for energy-efficient and service level agreement (SLA)-based management of data centers for cloud computing

Patent Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030101431A1 (en) * 2001-11-29 2003-05-29 Evelyn Duesterwald System and method for dynamically replacing code
US20060025384A1 (en) * 2002-11-12 2006-02-02 Guocheng Wang New crystal form of adefovir dipivoxil and its composition
US20040107416A1 (en) * 2002-12-02 2004-06-03 Microsoft Corporation Patching of in-use functions on a running computer system
US20040261059A1 (en) * 2003-06-18 2004-12-23 Sam Spencer System and method for creating, managing and using code segments
US20050149922A1 (en) * 2004-01-06 2005-07-07 International Business Machines Corporation Dynamic software update system, method and program product
US20090008976A1 (en) * 2005-02-02 2009-01-08 Schukra Geraetebau Ag Lumbar Support and Method for Manufacturing a Lumbar Support
US20060265702A1 (en) * 2005-05-19 2006-11-23 Isaacson Scott A System for creating a customized software distribution based on user requirements
US20090260004A1 (en) * 2008-04-10 2009-10-15 Palm, Inc. Computer program updates for mobile computing device
US20110271266A1 (en) * 2010-04-28 2011-11-03 General Electric Company Systems, methods, and apparatus for deploying application code change configurations for multiple target controllers
US20130026308A1 (en) * 2011-07-25 2013-01-31 Holm-Quist Designs Llc Mounting bracket means for solar arrays and the like
US20130254755A1 (en) * 2012-03-22 2013-09-26 Shenol YOUSOUF Dynamically updating on-demand runtime platforms executing business applications
US20130263088A1 (en) * 2012-03-27 2013-10-03 Microsoft Corporation Dynamic plugin(s) for cloud application(s)
US20140189668A1 (en) * 2013-01-03 2014-07-03 International Business Machines Corporation Processing proposed program code libraries in a networked computing environment
US20150040112A1 (en) * 2013-08-01 2015-02-05 Qualcomm Incorporated Enabling Interoperability Between Software Applications By Utilizing Partial Binaries

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10326864B2 (en) * 2017-02-15 2019-06-18 Sap Se Dynamic orchestration of microservices

Also Published As

Publication number Publication date
EP3033673A1 (en) 2016-06-22
IL237953A0 (en) 2015-05-31
CA2920908A1 (en) 2015-02-19
EP2951955A4 (en) 2016-07-20
WO2015021554A1 (en) 2015-02-19
US20150052607A1 (en) 2015-02-19
US20180189052A1 (en) 2018-07-05
US10623440B2 (en) 2020-04-14
WO2015021555A1 (en) 2015-02-19
CA2884321C (en) 2015-06-30
CA2884321A1 (en) 2015-02-19
EP3033673A4 (en) 2017-03-08
EP2951955A1 (en) 2015-12-09
IL244092A0 (en) 2016-04-21
EP2951955B1 (en) 2017-11-15

Similar Documents

Publication Publication Date Title
US20160196129A1 (en) Method and system to dynamically alter application functionality at runtime in a constrained and secure manner
US9027075B2 (en) Enforcing security rules at runtime
US20170085591A1 (en) Fetching a policy definition library from a policy server at mobile device runtime of an application package to control access to mobile device resources
CN110110522B (en) Kernel repairing method and device
CN104731625B (en) A kind of method, apparatus and mobile terminal loading plug-in unit
US8893222B2 (en) Security system and method for the android operating system
Arden et al. Sharing mobile code securely with information flow control
US20110093950A1 (en) Program-based authorization
US20170192773A1 (en) Mobile applications
US9871800B2 (en) System and method for providing application security in a cloud computing environment
US11550568B1 (en) Automatically deploying artifacts
US20170352115A1 (en) Mobile application licensing tool
CN104834541B (en) Function module hanging method, carry system and the method for updating carry system
Vanhoef et al. Stateful declassification policies for event-driven programs
US11328065B1 (en) Architectures, systems, and methods for building trusted and secure artifacts
CN106487815A (en) A kind of container operation safety verification processing method based on white list and system
KR20200090784A (en) How to start an application, startup device and computer readable storage medium
US11645086B2 (en) System and method for implementing a filesystem agent management solution
US11726896B2 (en) Application monitoring using workload metadata
US20190018953A1 (en) Methods and systems for tenant aware behavior injection in content metadata service
CN107193667B (en) Method and device for updating webpage permission
US10122758B2 (en) Dynamic management of enterprises policies
CN109933355B (en) Application program upgrading method and device
Bos A Review of Attacks Against Language-Based Package Managers
WO2018023368A1 (en) Enhanced security using scripting language-based hypervisor

Legal Events

Date Code Title Description
AS Assignment

Owner name: IMMUN.IO INC., CANADA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AL HAMAMI, AHMAD ZAID;REEL/FRAME:037753/0273

Effective date: 20140812

AS Assignment

Owner name: TREND MICRO INCORPORATED, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:IMMUN.IO INC.;REEL/FRAME:044777/0462

Effective date: 20180128

STCV Information on status: appeal procedure

Free format text: APPEAL BRIEF (OR SUPPLEMENTAL BRIEF) ENTERED AND FORWARDED TO EXAMINER

STCV Information on status: appeal procedure

Free format text: EXAMINER'S ANSWER TO APPEAL BRIEF MAILED

STCV Information on status: appeal procedure

Free format text: ON APPEAL -- AWAITING DECISION BY THE BOARD OF APPEALS

STCV Information on status: appeal procedure

Free format text: BOARD OF APPEALS DECISION RENDERED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION