Protecting sensitive data in software products and in generating core dumps

US 10,496,839 B2
Filed: 12/08/2017
Issued: 12/03/2019
Est. Priority Date: 02/28/2014
Status: Active Grant

First Claim

Patent Images

1. A method of protecting sensitive data when a core dump is generated, said method comprising:

updating, at run-time of an executable file, by one or more processors, a secure data section of a memory of a computer, to include storage information of sensitive data indicating a location of the sensitive data;

scanning, by the one or more processors, the memory of the computer to find the secure data section in the memory;

acquiring, by the one or more processors, the sensitive data, by utilizing the storage information to locate the sensitive data corresponding to the storage information;

processing, by the one or more processors, the sensitive data to hide the sensitive data, wherein hiding the sensitive data is not reversible; and

generating, by the one or more processors, a core dump file, wherein the core dump file does not comprise the sensitive data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Sensitive data is protected in a software product. A source file of the software product is compiled to generate an object file, in which the source file includes at least one piece of sensitive data marked with a specific identifier. The object file has a secure data section for saving storage information of the at least one piece of sensitive data at compile-time and run-time. The object file is linked to generate an executable file. The executable file updates the secure data section at run-time. Sensitive data is also protected when a core dump is generated.

Citations

20 Claims

1. A method of protecting sensitive data when a core dump is generated, said method comprising:
- updating, at run-time of an executable file, by one or more processors, a secure data section of a memory of a computer, to include storage information of sensitive data indicating a location of the sensitive data;
  
  scanning, by the one or more processors, the memory of the computer to find the secure data section in the memory;
  
  acquiring, by the one or more processors, the sensitive data, by utilizing the storage information to locate the sensitive data corresponding to the storage information;
  
  processing, by the one or more processors, the sensitive data to hide the sensitive data, wherein hiding the sensitive data is not reversible; and
  
  generating, by the one or more processors, a core dump file, wherein the core dump file does not comprise the sensitive data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein the storage information includes at least a data type, a memory address and an address offset the sensitive data in the secure data section.
  - 3. The method according to claim 1, wherein the processing of the sensitive data to hide the sensitive data includes hiding the sensitive data by using at least one of a random replacement algorithm and an encryption algorithm.
  - 4. The method according to claim 1, wherein the secure data section includes a header and a record section, wherein a pointer to the secure data section is saved in a file header of an object file, wherein the executable file is generated from the object file, and the header includes an identifier of the secure data section, an amount of the storage information recorded in the record section and a back pointer to the file header.
  - 5. The method according to claim 1, further comprising:
    - prior to scanning the memory, determining by the one or more processors, that a software product executed by the one or more processors has failed.
  - 6. The method according to claim 1, wherein the processing of the sensitive data to hide the sensitive data includes obscuring the sensitive data by using an encryption algorithm.
  - 7. The method according to claim 6, wherein the encryption algorithm comprises a dynamic secret-key algorithm.
  - 8. The method of claim 1, wherein the executable file is generated from an object file, and the object file is generated by compiling a source file, wherein the source file includes the sensitive data, and the object file comprises the secure data section.

9. A system comprising:
- a memory;
  
  one or more processors in communication with the memory; and
  
  program instructions executable by the processor via the memory to perform a method, the method comprising;
  
  updating, at run-time of an executable file, by the one or more processors, a secure data section of a memory of a computer, to include storage information of sensitive data indicating a location of the sensitive data;
  
  scanning, by the one or more processors, the memory of the computer to find the secure data section in the memory;
  
  acquiring, by the one or more processors, the sensitive data, by utilizing the storage information to locate the sensitive data corresponding to the storage information;
  
  processing, by the processor, the sensitive data to hide the sensitive data; and
  
  generating, by the processor, a core dump file, wherein the core dump file does not comprise the sensitive data.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system according to claim 9, wherein the storage information includes at least a data type, a memory address and an address offset.
  - 11. The system according to claim 9, wherein the processing comprises hiding the sensitive data by using at least one of a random replacement algorithm and an encryption algorithm.
  - 12. The system according to claim 9, wherein the secure data section includes a header and a record section, wherein a pointer to the secure data section is saved in a file header of an object file, wherein the executable file is generated from the object file, and the header includes an identifier of the secure data section, an amount of the storage information recorded in the record section and a back pointer to the file header.
  - 13. The system according to claim 9, the method further comprising:
    - prior to scanning the memory, determining by the one or more processors, that a software product executed by the one or more processors has failed.
  - 14. The system according to claim 9, wherein the processing of the sensitive data to hide the sensitive data includes obscuring the sensitive data by using an encryption algorithm.
  - 15. The system according to claim 14, wherein the encryption algorithm comprises a dynamic secret-key algorithm.
  - 16. The system of claim 9, wherein the executable file is generated from an object file, and the object file is generated by compiling a source file, wherein the source file includes the sensitive data, and the object file comprises the secure data section.

17. A computer program product comprising:
- a computer readable storage medium readable by one or more processors and storing instructions for execution by the one or more processors for performing a method comprising;
  
  updating, at run-time of an executable file, by the one or more processors, a secure data section of a memory of a computer, to include storage information of sensitive data indicating a location of the sensitive data;
  
  scanning, by the one or more processors, the memory of the computer to find the secure data section in the memory;
  
  acquiring, by the one or more processors, the sensitive data, by utilizing the storage information to locate the sensitive data corresponding to the storage information;
  
  processing, by the processor, the sensitive data to hide the sensitive data; and
  
  generating, by the processor, a core dump file, wherein the core dump file does not comprise the sensitive data.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product of claim 17, wherein the storage information includes at least a data type, a memory address and an address offset of the sensitive data in the secure data section.
  - 19. The computer program product of claim 17, wherein the processing of the sensitive data to hide the sensitive data includes hiding the sensitive data by using at least one of a random replacement algorithm and an encryption algorithm.
  - 20. The computer program product of claim 17, wherein the executable file is generated from an object file, and the object file is generated by compiling a source file, wherein the source file includes the sensitive data, and the object file comprises the secure data section.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Feng, Rui, Jia, Shuang Shuang, Shi, Da Fei, Wei, Lijun
Primary Examiner(s)
Li, Meng
Assistant Examiner(s)
Lapian, Alexander R

Application Number

US15/835,630
Publication Number

US 20180101692A1
Time in Patent Office

725 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/0706   the processing taking place...

G06F 11/0778   Dumping, i.e. gathering err...

G06F 11/366   using diagnostics G06F11/07...

G06F 21/6209   to a single file or object,...

G06F 8/41   Compilation

G06F 8/54   Link editing before load time

Protecting sensitive data in software products and in generating core dumps

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting sensitive data in software products and in generating core dumps

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links