Metadata processing
First Claim
1. A method of obtaining control flow information for an application, comprising:
- executing a loader that loads the application for execution by a processor, wherein executing the loader comprises executing a first code portion of the loader that includes one or more instructions configured to trigger metadata processing of a first set of one or more rules in a metadata processing domain, the metadata processing of the first set of one or more rules includes collecting and storing the control flow information for the application as application metadata accessible to the metadata processing domain and inaccessible to a code execution domain, wherein collecting and storing the control flow information further comprises tagging, by the metadata processing domain, a first target location with first metadata identifying a set of one or more allowable source locations that are allowed to transfer control to the first target location and storing the first metadata as a portion of the control flow information, wherein each allowable source location of the set is further tagged with a corresponding source metadata tag;
executing instructions of the application in the code execution domain, wherein executing the instructions of the application triggers metadata processing of a second set of rules that use at least a portion of the control flow information including the first metadata to determine whether to allow a transfer of control from a first source location to the first target location based on whether the first source location is included in the set of one or more allowable source locations, wherein the second set of rules corresponds to a control flow policy.
1 Assignment
0 Petitions
Accused Products
Abstract
A method of enforcing a set of security policies may comprise executing, by a first processor, a first set of processor instructions directed to conventional tasks, and executing, by a second processor, a second set of processor instructions directed to manipulating metadata. The executing by the second processor may comprise (i) evaluating a current instruction being executed by the first processor, along with a metadata tag associated with the current instruction, (ii) identifying a rule in a rule cache that is applicable to the current instruction and the associated metadata tag, and (iii) applying a policy decision to the current instruction according to the rule.
-
Citations
6 Claims
-
1. A method of obtaining control flow information for an application, comprising:
-
executing a loader that loads the application for execution by a processor, wherein executing the loader comprises executing a first code portion of the loader that includes one or more instructions configured to trigger metadata processing of a first set of one or more rules in a metadata processing domain, the metadata processing of the first set of one or more rules includes collecting and storing the control flow information for the application as application metadata accessible to the metadata processing domain and inaccessible to a code execution domain, wherein collecting and storing the control flow information further comprises tagging, by the metadata processing domain, a first target location with first metadata identifying a set of one or more allowable source locations that are allowed to transfer control to the first target location and storing the first metadata as a portion of the control flow information, wherein each allowable source location of the set is further tagged with a corresponding source metadata tag; executing instructions of the application in the code execution domain, wherein executing the instructions of the application triggers metadata processing of a second set of rules that use at least a portion of the control flow information including the first metadata to determine whether to allow a transfer of control from a first source location to the first target location based on whether the first source location is included in the set of one or more allowable source locations, wherein the second set of rules corresponds to a control flow policy. - View Dependent Claims (2, 3, 4)
-
-
5. A system comprising:
-
a processor; and a memory comprising code stored thereon that, when executed, performs a method of obtaining control flow information for an application comprising; executing a loader that loads the application for execution by a processor, wherein executing the loader comprises executing a first code portion of the loader including one or more instructions that triggers metadata processing of a first set of one or more rules in a metadata processing domain, the metadata processing of the first set of one or more rules includes collecting and storing the control flow information for the application as application metadata accessible to the metadata processing domain and inaccessible to a code execution domain, wherein collecting and storing the control flow information further comprises tagging, by the metadata processing domain, a first target location with first metadata identifying a set of one or more allowable source locations that are allowed to transfer control to the first target location and storing the first metadata as a portion of the control flow information, wherein each allowable source location of the set is further tagged with a corresponding source metadata tag; and executing instructions of the application in the code execution domain, wherein executing the instructions of the application triggers metadata processing of a second set of rules that use at least a portion of the control flow information including the first metadata to determine whether to allow a transfer of control from a first source location to the first target location based on whether the first source location is included in the set of one or more allowable source locations, wherein the second set of rules corresponds to a control flow policy.
-
-
6. A non-transitory computer readable medium comprising code stored thereon that, when executed, performs a method of obtaining control flow information for an application comprising:
-
executing a loader that loads the application for execution by a processor, wherein executing the loader includes executing a first code portion of the loader including one or more instructions that triggers metadata processing of a first set of one or more rules in a metadata processing domain, wherein the metadata processing of the first set of one or more rules includes collecting and storing the control flow information for the application as application metadata accessible to the metadata processing domain and inaccessible to a code execution domain, wherein collecting and storing the control flow information further comprises tagging, by the metadata processing domain, a first target location with first metadata identifying a set of one or more allowable source locations that are allowed to transfer control to the first target location and storing the first metadata as a portion of the control flow information, wherein each allowable source location of the set is further tagged with a corresponding source metadata tag; and executing instructions of the application in the code execution domain, wherein executing the instructions of the application triggers metadata processing of a second set of rules that use at least a portion of the control flow information including the first metadata to determine whether to allow a transfer of control from a first source location to the first target location based on whether the first source location is included in the set of one or more allowable source locations, wherein the second set of rules corresponds to a control flow policy.
-
Specification