PROTECTING SENSITIVE DATA IN SOFTWARE PRODUCTS AND IN GENERATING CORE DUMPS

US 20150248564A1
Filed: 02/26/2015
Published: 09/03/2015
Est. Priority Date: 02/28/2014
Status: Active Grant

First Claim

Patent Images

1. A method of protecting sensitive data in a software product, said method comprising:

compiling, by a processor, a source file of the software product to generate an object file, wherein the source file includes at least one piece of sensitive data marked with a specific identifier, and the object file has a secure data section for saving storage information of the at least one piece of sensitive data at compile-time and run-time; and

linking, by the processor, the object file to generate an executable file, wherein the executable file is to update the secure data section at run-time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Sensitive data is protected in a software product. A source file of the software product is compiled to generate an object file, in which the source file includes at least one piece of sensitive data marked with a specific identifier. The object file has a secure data section for saving storage information of the at least one piece of sensitive data at compile-time and run-time. The object file is linked to generate an executable file. The executable file updates the secure data section at run-time. Sensitive data is also protected when a core dump is generated.

22 Citations

View as Search Results

19 Claims

1. A method of protecting sensitive data in a software product, said method comprising:
- compiling, by a processor, a source file of the software product to generate an object file, wherein the source file includes at least one piece of sensitive data marked with a specific identifier, and the object file has a secure data section for saving storage information of the at least one piece of sensitive data at compile-time and run-time; and
  
  linking, by the processor, the object file to generate an executable file, wherein the executable file is to update the secure data section at run-time.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, further comprising updating the secure data section at run-time, wherein the updating of the secure data section includes updating a memory address and an address offset of the at least one piece of sensitive data in the secure data section.
  - 3. The method according to claim 2, wherein the secure data section includes a header and a record section, wherein a pointer to the secure data section is saved in a file header of the object file, and the header includes an identifier of the secure data section, an amount of the storage information recorded in the record section and a back pointer to the file header.
  - 4. The method according to claim 1, wherein the compiling of the source file of the software product to generate the object file includes:
    - identifying the at least one piece of sensitive data from the source file based on the specific identifier;
      
      setting up the secure data section;
      
      recording storage information of static sensitive data pertaining to a static variable in the at least one piece of sensitive data into the secure data section, as a static storage record;
      
      generating a machine instruction, the machine instruction to record storage information of dynamic sensitive data pertaining to a dynamic variable in the at least one piece of sensitive data into the secure data section as a dynamic storage record; and
      
      generating the object file having the secure data section.
  - 5. The method according to claim 4, wherein the compiling of the source file of the software product to generate the object file further includes generating a machine instruction for removing corresponding dynamic storage records when the dynamic sensitive data is released.
  - 6. The method according to claim 4, wherein the compiling of the source file of the software product to generate the object file further includes generating a relocation record for relocating addresses of the static storage record and the dynamic storage record in the secure data section based on linking a plurality of object files.
  - 7. The method according to claim 1, wherein the linking of the object file to generate an executable file includes:
    - determining whether there is a plurality of object files;
      
      merging the plurality of object files to provide a merged object file, based on determining there is the plurality of object files;
      
      relocating a new secure data section in the merged object file; and
      
      generating an executable file having the new secure data section.

8. A method of protecting sensitive data when a core dump is generated, said method comprising:
- scanning a memory of a computer to find a secure data section in the memory, wherein the secure data section saves storage information of the sensitive data;
  
  acquiring the sensitive data, according to the storage information of the sensitive data in the found secure data section;
  
  processing the sensitive data to hide the sensitive data; and
  
  generating a core dump file.
- View Dependent Claims (9, 10)
- - 9. The method according to claim 8, wherein the storage information includes at least a data type, a memory address and an address offset.
  - 10. The method according to claim 8, wherein the processing of the sensitive data to hide the sensitive data includes hiding the sensitive data by using at least one of a random replacement algorithm and an encryption algorithm.

11. A device for protecting sensitive data in a software product, said device comprising:
- a compiler executing on a processor, the compiler configured to compile a source file of the software product to generate an object file, wherein the source file includes at least one piece of sensitive data marked with a specific identifier, the object file having a secure data section for saving storage information of the at least one piece of sensitive data at compile-time and run-time; and
  
  a linker configured to link the object file to generate an executable file, the executable file to update the secure data section at run-time.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The device according to claim 11, wherein the compiler includes:
    - an identification module configured to identify the at least one piece of sensitive data from the source file based on the specific identifier;
      
      a setting up module configured to set up the secure data section;
      
      a recording module configured to record storage information of static sensitive data pertaining to a static variable in the at least one piece of sensitive data into the secure data section, as a static storage record;
      
      a machine instruction generation module configured to generate a machine instruction, the machine instruction to record storage information of dynamic sensitive data pertaining to a dynamic variable in the at least one piece of sensitive data into the secure data section as a dynamic storage record; and
      
      an object file generation module configured to generate the object file having the secure data section.
  - 13. The device according to claim 12, wherein the machine instruction generation module is further configured to generate a machine instruction for removing corresponding dynamic storage records when the dynamic sensitive data is released.
  - 14. The device according to claim 12, wherein the compiler further includes a relocation record generation module configured to generate a relocation record for relocating addresses of the static storage record and the dynamic storage record in the secure data section based on linking a plurality of object files.
  - 15. The device according to claim 11, wherein the secure data section includes a header and a record section, wherein a pointer to the secure data section is saved in a file header of the object file, and wherein the header includes an identifier of the secure data section, an amount of the storage information recorded in the record section and a back pointer to the file header.
  - 16. The device according to claim 11, wherein the linker includes:
    - a determination module configured to determine whether there is a plurality of object files;
      
      a merging module configured to merge the plurality of object files to provide a merged object file, based on determining there is the plurality of object files;
      
      a relocation module configured to relocate a new secure data section in the merged object file; and
      
      an executable file generation module configured to generate an executable file having the new secure data section.

17. A device for protecting sensitive data when a core dump is generated, said device comprising:
- a scanning module configured to scan a memory of a computer to find a secure data section in the memory, wherein the secure data section saves storage information of the sensitive data;
  
  a sensitive data acquisition module configured to acquire the sensitive data, according to the storage information of the sensitive data in the found secure data section;
  
  a processing module configured to process the sensitive data to hide the sensitive data; and
  
  a file generation module configured to generate a core dump file.
- View Dependent Claims (18, 19)
- - 18. The device according to claim 17, wherein the storage information includes at least a data type, a memory address and an address offset.
  - 19. The device according to claim 17, wherein the processing module is configured to hide the sensitive data by using at least one of a random replacement algorithm and an encryption algorithm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Feng, Rui, Wei, Lijun, Jia, Shuang Shuang, Shi, Da Fei

Granted Patent

US 9,852,303 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/0706   the processing taking place...

G06F 11/0778   Dumping, i.e. gathering err...

G06F 11/366   using diagnostics G06F11/07...

G06F 21/6209   to a single file or object,...

G06F 8/41   Compilation

G06F 8/54   Link editing before load time

PROTECTING SENSITIVE DATA IN SOFTWARE PRODUCTS AND IN GENERATING CORE DUMPS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

PROTECTING SENSITIVE DATA IN SOFTWARE PRODUCTS AND IN GENERATING CORE DUMPS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others