Metadata processing

US 10,545,760 B2
Filed: 06/07/2018
Issued: 01/28/2020
Est. Priority Date: 12/17/2015
Status: Active Grant

First Claim

Patent Images

1. A method of obtaining control flow information for an application, comprising:

executing a loader that loads the application for execution by a processor, wherein executing the loader comprises executing a first code portion of the loader that includes one or more instructions configured to trigger metadata processing of a first set of one or more rules in a metadata processing domain, the metadata processing of the first set of one or more rules includes collecting and storing the control flow information for the application as application metadata accessible to the metadata processing domain and inaccessible to a code execution domain, wherein collecting and storing the control flow information further comprises tagging, by the metadata processing domain, a first target location with first metadata identifying a set of one or more allowable source locations that are allowed to transfer control to the first target location and storing the first metadata as a portion of the control flow information, wherein each allowable source location of the set is further tagged with a corresponding source metadata tag;

executing instructions of the application in the code execution domain, wherein executing the instructions of the application triggers metadata processing of a second set of rules that use at least a portion of the control flow information including the first metadata to determine whether to allow a transfer of control from a first source location to the first target location based on whether the first source location is included in the set of one or more allowable source locations, wherein the second set of rules corresponds to a control flow policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of enforcing a set of security policies may comprise executing, by a first processor, a first set of processor instructions directed to conventional tasks, and executing, by a second processor, a second set of processor instructions directed to manipulating metadata. The executing by the second processor may comprise (i) evaluating a current instruction being executed by the first processor, along with a metadata tag associated with the current instruction, (ii) identifying a rule in a rule cache that is applicable to the current instruction and the associated metadata tag, and (iii) applying a policy decision to the current instruction according to the rule.

194 Citations

6 Claims

1. A method of obtaining control flow information for an application, comprising:
- executing a loader that loads the application for execution by a processor, wherein executing the loader comprises executing a first code portion of the loader that includes one or more instructions configured to trigger metadata processing of a first set of one or more rules in a metadata processing domain, the metadata processing of the first set of one or more rules includes collecting and storing the control flow information for the application as application metadata accessible to the metadata processing domain and inaccessible to a code execution domain, wherein collecting and storing the control flow information further comprises tagging, by the metadata processing domain, a first target location with first metadata identifying a set of one or more allowable source locations that are allowed to transfer control to the first target location and storing the first metadata as a portion of the control flow information, wherein each allowable source location of the set is further tagged with a corresponding source metadata tag;
  
  executing instructions of the application in the code execution domain, wherein executing the instructions of the application triggers metadata processing of a second set of rules that use at least a portion of the control flow information including the first metadata to determine whether to allow a transfer of control from a first source location to the first target location based on whether the first source location is included in the set of one or more allowable source locations, wherein the second set of rules corresponds to a control flow policy.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein each corresponding source metadata tag of each allowable source location is unique and included in a first set of source metadata tags for the application, wherein the first set is a unique set of source metadata tags generated from a control flow generator tag.
  - 3. The method of claim 2, wherein the control flow generator tag is generated from an initial control flow generator tag derived from an initial bootstrap tag.
  - 4. The method of claim 3, wherein the initial control flow generator tag is used to generate a plurality of additional control flow generator tags and wherein each of the additional control flow generator tags is used to generate a set of unique source metadata tags for a different application.

5. A system comprising:
- a processor; and
  
  a memory comprising code stored thereon that, when executed, performs a method of obtaining control flow information for an application comprising;
  
  executing a loader that loads the application for execution by a processor, wherein executing the loader comprises executing a first code portion of the loader including one or more instructions that triggers metadata processing of a first set of one or more rules in a metadata processing domain, the metadata processing of the first set of one or more rules includes collecting and storing the control flow information for the application as application metadata accessible to the metadata processing domain and inaccessible to a code execution domain, wherein collecting and storing the control flow information further comprises tagging, by the metadata processing domain, a first target location with first metadata identifying a set of one or more allowable source locations that are allowed to transfer control to the first target location and storing the first metadata as a portion of the control flow information, wherein each allowable source location of the set is further tagged with a corresponding source metadata tag; and
  
  executing instructions of the application in the code execution domain, wherein executing the instructions of the application triggers metadata processing of a second set of rules that use at least a portion of the control flow information including the first metadata to determine whether to allow a transfer of control from a first source location to the first target location based on whether the first source location is included in the set of one or more allowable source locations, wherein the second set of rules corresponds to a control flow policy.

6. A non-transitory computer readable medium comprising code stored thereon that, when executed, performs a method of obtaining control flow information for an application comprising:
- executing a loader that loads the application for execution by a processor, wherein executing the loader includes executing a first code portion of the loader including one or more instructions that triggers metadata processing of a first set of one or more rules in a metadata processing domain, wherein the metadata processing of the first set of one or more rules includes collecting and storing the control flow information for the application as application metadata accessible to the metadata processing domain and inaccessible to a code execution domain, wherein collecting and storing the control flow information further comprises tagging, by the metadata processing domain, a first target location with first metadata identifying a set of one or more allowable source locations that are allowed to transfer control to the first target location and storing the first metadata as a portion of the control flow information, wherein each allowable source location of the set is further tagged with a corresponding source metadata tag; and
  
  executing instructions of the application in the code execution domain, wherein executing the instructions of the application triggers metadata processing of a second set of rules that use at least a portion of the control flow information including the first metadata to determine whether to allow a transfer of control from a first source location to the first target location based on whether the first source location is included in the set of one or more allowable source locations, wherein the second set of rules corresponds to a control flow policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Charles Stark Draper Laboratory Incorporated
Original Assignee
Charles Stark Draper Laboratory Incorporated
Inventors
DeHon, Andre'
Primary Examiner(s)
Lynch, Sharon S

Application Number

US16/002,957
Publication Number

US 20180336033A1
Time in Patent Office

600 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/0875   with dedicated cache, e.g. ...

G06F 12/1408   by using cryptography for d...

G06F 12/1458   by checking the subject acc...

G06F 15/78   comprising a single central...

G06F 16/23   Updating

G06F 21/52   during program execution, e...

G06F 21/6218   to a system of files or obj...

G06F 2212/1052   Security improvement

G06F 2212/402   Encrypted data

G06F 2212/452   Instruction code

G06F 9/30072   to perform conditional oper...

G06F 9/30098   Register arrangements

G06F 9/30101   Special purpose registers

G06F 9/3867   using instruction pipelines

Metadata processing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

194 Citations

6 Claims

Specification

Solutions

Use Cases

Quick Links

Metadata processing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

194 Citations

6 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links