System and Method for Self-Protecting Data
Abstract
Disclosed is a system comprising a physical memory, a processor and a software component. The software component includes a policy/domain handler for receiving data and a policy associated with the data; a hypervisor; and a file management module. The file management module receives a request from a third-party application to interact with a data file containing the data; sends an authorization and tag request to the policy/domain handler to check if the user and application are permitted to access the data, and if permitted, to generate hardware tags for the data file; and sends a secure data request to the hypervisor to create a secure data compartment for the data file and the hardware tags. Based on the authorization and tag request, and the security policy associated with the data, the policy/domain handler generates the hardware tags for the data file. Based on the secure data request, the hypervisor creates in the physical memory a secure data compartment containing the data file and the hardware tags, the hypervisor associating the hardware tags with the data in the secure data compartment. As the data is operated upon and moved to other memory areas, the hardware tags are propagated with the data according to tag propagation rules, and checked before performing operations that may lead to security breaches.
40 Claims
1. A system comprising a physical memory and a processor, the processor including:
- a policy/domain handler configured to receive data and a policy associated with the data;
- a hypervisor; and
- a file management module configured to:
  - receive a request from a third-party application to interact with a data file containing the data;
  - send an authorization and tag request to the policy/domain handler to generate hardware tags for the data file; and
  - send a secure data request to the hypervisor to create a secure data compartment for the data file and the hardware tags;
wherein, based on the tag request, the policy/domain handler generates the hardware tags for the data file, if the authorization check succeeds, and
wherein, based on the secure data request, the hypervisor creates in the physical memory a secure data compartment containing the data file and the hardware tags, the hypervisor associating the hardware tags with the data in the secure data compartment.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A method performed by a system comprising a physical memory and a processor, the method including:
- receiving data and a policy associated with the data;
- intercepting a request from a third-party application to interact with a data file containing the data;
- generating a plurality of hardware tags for the data based on the policy;
- creating in the physical memory a secure data compartment for the data file and the plurality of hardware tags; and
- associating the protected data with the plurality of hardware tags in the secure data compartment.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A system comprising hardware that includes a physical memory and a processor, the processor including a software component that is configured to:
- receive data and a policy associated with the data;
- intercept requests from an application to interact with the data;
- generate hardware tags for the data, and
- associate the hardware tags with the data in the physical memory.
Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 39, 40
29. A method performed by a system comprising a physical memory and a processor, the method including:
- receiving data and a policy associated with the data;
- intercepting requests from an application to interact with the data;
- generating a plurality of hardware tags for the data based on the policy;
- associating in the physical memory the data with the hardware tags;
- tracking and propagating the hardware tags when the data is used or operated upon; and
- preventing security breaches based on the hardware tags.
Dependent claims: 30, 31, 32, 33, 34, 35, 36
37. A method for reducing the amount of false positives in a dynamic information flow tracking system performed by a computer system comprising a memory and a processor, the method including:
- setting a counter value to a maximum value based on determining a tagged conditional branch execution;
- propagating the tag to the instructions executed following a tagged conditional branch execution;
- decreasing the counter value by one each time an instruction following a tagged branch instruction is executed; and
- based on determining the counter value reaches a zero value, clearing the counter value and terminating the tag propagation to subsequent instructions.
Dependent claims: 38
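The counter scheme of claim 37, combined with the propagate-then-check behaviour described in the abstract, as an added Python simulation that is not code from the patent. The toy instruction set, register names, sample program and window sizes are assumptions made for illustration.

```python
import math

# Constructed toy program: r0 holds the tagged (protected) value.
PROGRAM = [
    ("movi", "r1", 0),           # 0
    ("beqz", "r0", 3),           # 1: conditional branch on tagged r0
    ("movi", "r1", 1),           # 2: r1 now reveals whether r0 == 0
    ("movi", "r2", 7),           # 3: work unrelated to r0
    ("add", "r3", "r2", "r2"),   # 4
    ("out", "r1"),               # 5: would leak r0 through the implicit flow
    ("out", "r3"),               # 6: harmless output
]
REGS, TAGS = {"r0": 5}, {"r0": True}

def run(program, regs, tags, max_window):
    """Return (final tags, indexes of blocked 'out' instructions)."""
    regs, tags, blocked = dict(regs), dict(tags), []
    pc = counter = 0
    while pc < len(program):
        op, *args = program[pc]
        here, pc = pc, pc + 1
        implicit = counter > 0            # inside a tagged branch's window
        if op == "movi":
            regs[args[0]], tags[args[0]] = args[1], implicit
        elif op == "add":
            dst, a, b = args
            regs[dst] = regs[a] + regs[b]
            tags[dst] = tags.get(a, False) or tags.get(b, False) or implicit
        elif op == "out":                 # check the tag before releasing data
            if tags.get(args[0], False):
                blocked.append(here)
        elif op == "beqz":
            if regs[args[0]] == 0:
                pc = args[1]
            if tags.get(args[0], False):
                counter = max_window      # tagged branch: counter set to maximum
                continue
        if implicit:
            counter -= 1                  # at zero, implicit propagation stops
    return tags, blocked

def blocked_outputs(max_window):
    return run(PROGRAM, REGS, TAGS, max_window)[1]

if __name__ == "__main__":
    for window in (0, 1, math.inf):
        print(window, blocked_outputs(window))
```

With a window of 0 the output of `r1` is not blocked even though it depends on the tagged branch, and with an unbounded window the unrelated `r3` is blocked as well; a window of 1 blocks only instruction 5 in this program.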
Specification