SENSITIVE DATA TRACKING USING DYNAMIC TAINT ANALYSIS

US 20110145918A1
Filed: 12/15/2009
Published: 06/16/2011
Est. Priority Date: 12/15/2009
Status: Active Grant

First Claim

Patent Images

1. A method of tracking sensitive data through a target application running on a computer system, the method comprising:

loading a target application for execution by a computer system;

monitoring input data received on at least one input channel of the computer system for a sensitive data indicator;

marking the input data associated with the sensitive data indicator as tainted data when the input data is provided to the target application;

tracking propagation of the tainted data as the target application executes and the tainted data is read from and written to memory locations in the computer system; and

monitoring at least one output channel of the computer system to determine if the tainted data is propagated to the at least one output channel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for tracking sensitive data uses dynamic taint analysis to track sensitive data as the data flows through a target application running on a computer system. In general, the system and method for tracking sensitive data marks data as tainted when the data input to the target application is indicated as sensitive. The system and method may then track the propagation of the tainted data as the data is read from and written to memory by the target application to detect if the tainted data is output from the application (e.g., leaked). Dynamic binary translation may be used to provide binary instrumentation of the target application for dynamic taint analysis to track propagation of the tainted data at the instruction level and/or the function level. Of course, many alternatives, variations, and modifications are possible without departing from this embodiment.

Citations

20 Claims

1. A method of tracking sensitive data through a target application running on a computer system, the method comprising:
- loading a target application for execution by a computer system;
  
  monitoring input data received on at least one input channel of the computer system for a sensitive data indicator;
  
  marking the input data associated with the sensitive data indicator as tainted data when the input data is provided to the target application;
  
  tracking propagation of the tainted data as the target application executes and the tainted data is read from and written to memory locations in the computer system; and
  
  monitoring at least one output channel of the computer system to determine if the tainted data is propagated to the at least one output channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 wherein monitoring input data comprises monitoring keystrokes, wherein the sensitive data indicator includes at least one indicator keystroke demarcating sensitive data, and wherein marking the input data as tainted data comprises marking the data demarcated by the at least one indicator keystroke.
  - 3. The method of claim 1 wherein monitoring input data comprises monitoring data files, wherein the sensitive data indicator includes a sensitive data attribute associated with a data file, and wherein marking the input data as tainted data comprises marking the data in a data file with the sensitive data attribute.
  - 4. The method of claim 1 wherein marking data comprises establishing a taint map that maps taint tags to the tainted data in the memory locations, and wherein tracking propagation of the tainted data comprises moving the taint tags in the taint map corresponding to movements of the tainted data between the memory locations.
  - 5. The method of claim 1 wherein tracking propagation of the tainted data comprises performing instrumentation of the target application and performing dynamic taint analysis as the application is executed.
  - 6. The method of claim 5 wherein the instrumentation is performed in response to the sensitive data indicator.
  - 7. The method of claim 5 wherein the dynamic taint analysis is performed using dynamic binary translation.
  - 8. The method of claim 5 wherein performing instrumentation of the target application includes performing at least one generic instruction-level instrumentation of the target application, performing at least one instruction-specific instruction-level instrumentation of the target application, and performing at least one function-level instrumentation of the target application.
  - 9. The method of claim 1 wherein tracking propagation of the tainted data comprises tracking propagation of the tainted data using instruction-level taint tracking such that the tainted data is tracked as instructions of the target application are executed.
  - 10. The method of claim 9 wherein the instruction-level taint tracking comprises generic taint tracking that tracks the tainted data based on the output data of an instruction being executed being dependent upon the input data to the instruction being executed.
  - 11. The method of claim 9 wherein the instruction-level taint tracking comprises instruction-specific taint tracking that tracks the tainted data based on an operation performed by the instruction being executed.
  - 12. The method of claim 1 wherein tracking propagation of the tainted data comprises tracking propagation of the tainted data using function-level taint tracking such that the tainted data is tracked as functions are called by the target application.
  - 13. The method of claim 12 wherein the function-level taint tracking tracks tainted data for system calls to an operating system kernel.
  - 14. The method of claim 1 wherein monitoring input channels and output channels comprises interposing on system calls to functions responsible for passing data from the input channels and to the output channels.
  - 15. The method of claim 1 further comprising displaying a notification when tainted data is propagated to the at least one output channel.
  - 16. The method of claim 1 further comprising blocking data from being output from the at least one output channel when tainted data is propagated to the at least one output channel.

17. A tangible computer-readable medium comprising instructions stored thereon which, when executed by a computer system, cause the computer system to perform the following operations:
- monitoring input data received on at least one input channel of the computer system for a sensitive data indicator;
  
  marking the input data associated with the sensitive data indicator as tainted data when the input data is provided to the target application;
  
  tracking propagation of the tainted data as the target application executes and the tainted data is read from and written to memory locations in the computer system; and
  
  monitoring at least one output channel of the computer system to determine if the tainted data is propagated to the at least one output channel.
- View Dependent Claims (18)
- - 18. The computer of claim 17 wherein tracking propagation of the tainted data comprises performing binary instrumentation of the target application and performing dynamic taint analysis as the application is executed.

19. A system comprising:
- a memory to store a target application and a sensitive data tracker, wherein the sensitive data tracker is configured to monitor input data received on at least one input channel of the computer system for a sensitive data indicator, to mark the input data associated with the sensitive data indicator as tainted data when the input data is provided to the target application, to track propagation of the tainted data as the target application executes and the tainted data is read from and written to memory locations in the computer system, and to monitor at least one output channel of the computer system to determine if the tainted data is propagated to the at least one output channel; and
  
  a processor to execute instructions of the target application and the sensitive data tracker.
- View Dependent Claims (20)
- - 20. The system of claim 19 wherein the sensitive data tracker comprises at least one instrumentation routine configured to instrument the target application and at least one analysis routine configured to perform dynamic taint analysis as the target application executes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Zhu, Yu, Jung, Jaeyeon

Granted Patent

US 8,893,280 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/16   Program or content traceabi...

G06F 21/52   during program execution, e...

G06F 21/552   involving long-term monitor...

G06F 2221/033   Test or assess software

G06F 3/0622   in relation to access

G06F 3/0653   Monitoring storage devices ...

G06F 3/067   Distributed or networked st...

H04L 63/1408   by monitoring network traff...

H04L 67/10   in which an application is ...

SENSITIVE DATA TRACKING USING DYNAMIC TAINT ANALYSIS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SENSITIVE DATA TRACKING USING DYNAMIC TAINT ANALYSIS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links