System and Method for Self-Protecting Data

US 20150058997A1
Filed: 08/20/2014
Published: 02/26/2015
Est. Priority Date: 08/20/2013
Status: Active Grant

First Claim

Patent Images

1. A system comprising a physical memory and a processor, the processor including:

a policy/domain handler configured to receive data and a policy associated with the data;

a hypervisor; and

a file management module configured toreceive a request from a third-party application to interact with a data file containing the data;

send an authorization and tag request to the policy/domain handler to generate hardware tags for the data file; and

send a secure data request to the hypervisor to create a secure data compartment for the data file and the hardware tags;

wherein, based on the tag request, the policy/domain handler generates the hardware tags for the data file, if the authorization check succeeds, andwherein, based on the secure data request, the hypervisor creates in the physical memory a secure data compartment containing the data file and the hardware tags, the hypervisor associating the hardware tags with the data in the secure data compartment.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a system comprising a physical memory, a processor and a software component. The software component includes a policy/domain handler for receiving data and a policy associated with the data; a hypervisor; and a file management module. The file management module receives a request from a third-party application to interact with a data file containing the data; sends an authorization and tag request to the policy/domain handler to check if the user and application are permitted to access the data, and if permitted, to generate hardware tags for the data file; and sends a secure data request to the hypervisor to create a secure data compartment for the data file and the hardware tags. Based on the authorization and tag request, and the security policy associated with the data, the policy/domain handler generates the hardware tags for the data file. Based on the secure data request, the hypervisor creates in the physical memory a secure data compartment containing the data file and the hardware tags, the hypervisor associating the hardware tags with the data in the secure data compartment. As the data is operated upon and moved to other memory areas, the hardware tags are propagated with the data according to tag propagation rules, and checked before performing operations that may lead to security breaches.

Citations

40 Claims

1. A system comprising a physical memory and a processor, the processor including:
- a policy/domain handler configured to receive data and a policy associated with the data;
  
  a hypervisor; and
  
  a file management module configured toreceive a request from a third-party application to interact with a data file containing the data;
  
  send an authorization and tag request to the policy/domain handler to generate hardware tags for the data file; and
  
  send a secure data request to the hypervisor to create a secure data compartment for the data file and the hardware tags;
  
  wherein, based on the tag request, the policy/domain handler generates the hardware tags for the data file, if the authorization check succeeds, andwherein, based on the secure data request, the hypervisor creates in the physical memory a secure data compartment containing the data file and the hardware tags, the hypervisor associating the hardware tags with the data in the secure data compartment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the hardware tags are associated with each word of data in the secure data compartment.
  - 3. The system of claim 1, wherein the policy/domain handler generates the hardware tags based on the policy.
  - 4. The system of claim 3, wherein the policy/domain handler generates the hardware tags based on a domain context, the domain context including at least one of session and/or user properties, data properties, or system and/or environment properties.
  - 5. The system of claim 1, wherein the secure data compartment is created by associating the hardware tags with plaintext data in the physical memory.
  - 6. The system of claim 1, wherein the third-party application is able to use the data without the system modifying the third-party application.
  - 7. The system of claim 1, wherein the processor includes a plurality of policy/domain handlers, each of the plurality of policy/domain handlers being responsible for one of a plurality information domains.
  - 8. The system of claim 1, wherein, after the third-party application processes the data, the hypervisor re-encrypts the data, removes the hardware tags from the secure data compartment, and deletes the secure data compartment.

9. A method performed by a system comprising a physical memory and a processor, the method including:
- receiving data and a policy associated with the data;
  
  intercepting a request from a third-party application to interact with a data file containing the data;
  
  generating a plurality of hardware tags for the data based on the policy;
  
  creating in the physical memory a secure data compartment for the data file and the plurality of hardware tags; and
  
  associating the protected data with the plurality of hardware tags in the secure data compartment.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein associating the protected data comprises associating each word of the protected data with one of the plurality of hardware tags in the secured data compartment.
  - 11. The method of claim 9, wherein creating the secure data compartment is performed by a hypervisor of the system.
  - 12. The method of claim 9, wherein generating the plurality of hardware tags comprises generating the plurality of hardware tags based on a domain context, the domain context including at least one of session and/or user properties, data properties, or system and/or environment properties.
  - 13. The method of claim 9, wherein creating the secure data compartment includes associating the hardware tags with plaintext data in the physical memory.
  - 14. The method of claim 9, further comprising allowing the third-party application to use the data without modifying the third-party application.
  - 15. The method of claim 9, wherein the generating of the plurality of hardware tags is performed by one of a plurality of policy/domain handlers, each of the plurality of policy/domain handlers being responsible for one of a plurality of information domains.
  - 16. The method of claim 15, wherein one of the policy/domain handlers requests a hypervisor to create in the physical memory the secure data compartment and associate the protected data with the plurality of hardware tags in the secure data compartment.

17. A system comprising hardware that includes a physical memory and a processor, the processor including a software component that is configured to:
- receive data and a policy associated with the data;
  
  intercept requests from an application to interact with the data;
  
  generate hardware tags for the data, andassociate the hardware tags with the data in the physical memory.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 39, 40)
- - 18. The system of claim 17, wherein the hardware tags are generated based on the policy associated with the data.
  - 19. The system of claim 17, wherein the application is unchanged.
  - 20. The system of claim 17, wherein the hardware tracks and propagates the hardware tags associated with the data for every operation using the data to detect any explicit or implicit information flow from the data.
  - 21. The system of claim 17, wherein the software component includes a policy/domain handler, a file management module and a hypervisor.
  - 22. The system of claim 17, wherein the hardware tags are associated with each word of data in a secure data compartment.
  - 23. The system of claim 21, wherein the policy/domain handler generates the hardware tags based on the policy.
  - 24. The system of claim 21, wherein the policy/domain handler generates the hardware tags based on a domain context, the domain context including at least one of session and/or user properties, data properties, or system and/or environment properties.
  - 25. The system of claim 22, wherein the secure data compartment is created by associating the hardware tags with plaintext data in the physical memory.
  - 26. The system of claim 17, wherein the application is able to use the data without the system modifying the application.
  - 27. The system of claim 21, wherein the processor includes a plurality of policy/domain handlers, each of the plurality of policy/domain handlers being responsible for one of a plurality information domains.
  - 28. The system of claim 22, wherein, after the application processes the data, the software components re-encrypts the data, removes the hardware tags from the secure data compartment, and deletes the secure data compartment.
  - 39. The computer implemented method of claim 17, further comprising saving and restoring register file tags based on determining the processor changes a privilege level.
  - 40. The method of claim 17 when the terminating of tag propagation can also be done by a software-inserted instruction.

29. A method performed by a system comprising a physical memory and a processor, the method including:
- receiving data and a policy associated with the data;
  
  intercepting requests from an application to interact with the data;
  
  generating a plurality of hardware tags for the data based on the policy;
  
  associating in the physical memory the data with the hardware tags;
  
  tracking and propagating the hardware tags when the data is used or operated upon; and
  
  preventing security breaches based on the hardware tags.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36)
- - 30. The method of claim 29, wherein associating the data comprises associating each word of the protected data with one of the plurality of hardware tags in a secured data compartment.
  - 31. The method of claim 29, further comprising creating a secure data compartment in the physical memory.
  - 32. The method of claim 29, wherein generating the plurality of hardware comprises generating the plurality of hardware tags based on a domain context, the domain context including at least one of session and/or user properties, data properties, or system and/or environment properties.
  - 33. The method of claim 31, wherein creating the secure data compartment includes associating the hardware tags with plaintext data in the physical memory.
  - 34. The method of claim 29, further comprising allowing the application to use the data without modifying the application.
  - 35. The method of claim 29, wherein the generating of the plurality of hardware tags is performed by one of a plurality of policy/domain handlers, each of the plurality of policy/domain handlers being responsible for one of a plurality of information domains.
  - 36. The method of claim 29, wherein one of the policy/domain handlers requests a hypervisor to create in the physical memory a secure data compartment and associate the protected data with the plurality of hardware tags in the secure data compartment.

37. A method for reducing the amount of false positives in a dynamic information flow tracking system performed by a computer system comprising a memory and a processor, the method including:
- setting a counter value to a maximum value based on determining a tagged conditional branch execution;
  
  propagating the tag to the instructions executed following a tagged conditional branch execution;
  
  decreasing the counter value by one each time an instruction following a tagged branch instruction is executed; and
  
  based on determining the counter value reaches a zero value, clearing the counter value and terminating the tag propagation to subsequent instructions.
- View Dependent Claims (38)
- - 38. The computer implemented method of claim 37, further comprising;
    - after clearing the counter value, again setting the counter value to the maximum value based on determining a second tagged conditional execution;
      
      again decreasing the counter value by one each time a tagged branch instruction is executed; and
      
      based on determining the counter value again reaches the zero value, again clearing the counter value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Coresecure Technologies, LLC
Original Assignee
Teleputers, LLC
Inventors
Lee, Ruby B., Chen, Yu-Yuan, Jamkhedkar, Pramod A.

Granted Patent

US 10,185,584 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

G06F 2009/45583   Memory management, e.g. acc...

G06F 21/6227   where protection concerns t...

G06F 21/6281   at program execution time, ...

G06F 9/45558   Hypervisor-specific managem...

System and Method for Self-Protecting Data

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Self-Protecting Data

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links