METHOD AND SYSTEM FOR PROTECTING DATA FLOW AT A MOBILE DEVICE
Abstract
A method and system for evaluating and enforcing a data flow policy at a mobile computing device includes a data flow policy engine to evaluate data access requests made by security-wrapped software applications running on the mobile device and prevent the security-wrapped software applications from violating the data flow policy. The data flow policy defines a number of security labels that are associated with data objects. A software application process may be associated with a security label if the process accesses data having the security label or the process is in communication with another process that has accessed data having the security label.
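The labelling rules in the abstract, combined with the conflict-of-interest labels named in claims 5 and 16, can be shown as a small policy engine. This is an added Python example, not code from the patent: the label names, paths, process IDs, the "allow"/"deny" strings, the symmetric conflict table, and the choice to share labels across every process linked by communication are all assumptions.

```python
# Constructed policy (names are assumptions): conflicting labels, labelled objects.
CONFLICTS = {"bank_a": {"bank_b"}, "bank_b": {"bank_a"}}  # symmetric relation
OBJECT_LABELS = {"/data/a/ledger.db": "bank_a", "/data/b/quotes.csv": "bank_b"}

class PolicyEngine:
    def __init__(self, conflicts, object_labels):
        self.conflicts, self.object_labels = conflicts, object_labels
        self.groups = {}  # pid -> record shared by all processes in communication

    def _group(self, pid):
        return self.groups.setdefault(pid, {"pids": {pid}, "labels": set()})

    def labels_of(self, pid):
        return set(self._group(pid)["labels"])

    def _conflict(self, incoming, held):
        return any(self.conflicts.get(lbl, set()) & held for lbl in incoming)

    def on_open(self, pid, path):
        """Decide a monitored open() from current and previous accesses."""
        group, label = self._group(pid), self.object_labels.get(path)
        if label is None:
            return "allow"                      # unlabelled object
        if self._conflict({label}, group["labels"]):
            return "deny"
        group["labels"].add(label)              # process (and its peers) take the label
        return "allow"

    def on_connect(self, pid, peer):
        """Decide a monitored IPC connect; on allow, both sides share labels."""
        a, b = self._group(pid), self._group(peer)
        if self._conflict(a["labels"], b["labels"]):
            return "deny"
        a["pids"] |= b["pids"]
        a["labels"] |= b["labels"]
        for p in a["pids"]:
            self.groups[p] = a
        return "allow"

def demo():
    e = PolicyEngine(CONFLICTS, OBJECT_LABELS)
    return [e.on_open(101, "/data/a/ledger.db"),   # 101 takes bank_a
            e.on_connect(101, 202),                # 202 inherits bank_a
            e.on_open(202, "/data/b/quotes.csv"),  # denied: inherited bank_a
            e.on_open(303, "/data/b/quotes.csv"),  # 303 takes bank_b
            e.on_connect(303, 101)]                # denied: groups conflict
```

Process 202 never opens the bank_a ledger itself, yet its request for bank_b data is refused because it is in communication with a process that did.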
17 Claims
1. A data flow policy evaluation system for a mobile computing device embodied as executable instructions in one or more machine-accessible storage media, comprising:
- a system call monitor to monitor system calls made by a plurality of security-wrapped software applications during execution of the security-wrapped software applications at the mobile computing device; and
- a data flow policy engine to generate policy decisions to enable the security-wrapped software applications to prevent the execution of system calls that would violate a data flow policy, wherein the data flow policy defines security labels, associates data flow policies with the security labels, and associates data objects with the security labels, and the data flow policy engine is configured to:
  - associate an executing process of a security-wrapped software application with a security label if the process accesses a data object having the security label; and
  - associate another executing process with the security label if the other executing process is in communication with the executing process.

Dependent claims: 2, 3, 4
5. A system for evaluating data access requests at a mobile computing device, embodied as executable instructions in one or more machine-accessible storage media, comprising:
- a system call monitor to monitor system calls relating to data accesses made by an instance of a security-wrapped software application executing on the mobile computing device; and
- a data flow policy engine to:
  - associate data access tracking data with the instance of the security-wrapped software application, wherein the data access tracking data relates to data objects accessed by the instance and security labels associated with the data objects, and the security labels indicate conflicts of interest between or among the data objects; and
  - generate data flow policy decisions based on the data access tracking data, wherein the policy decisions are based on one or more current and one or more previous data accesses made by the instance.

Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
16. A system for enforcing a data flow policy at a mobile computing device, embodied as executable instructions in one or more machine-accessible storage media, the system comprising:
- a system call monitor to monitor system calls made by an instance of a security-wrapped software application executing on the mobile computing device;
- a data flow policy engine to:
  - analyze the system calls using a data flow policy, wherein the data flow policy associates security labels with data objects and the security labels indicate conflicts of interest between or among data objects,
  - associate a data object with a security label if the data object is produced by a data source having the security label or if the data object is created by a software application process having the security label, and
  - associate the instance with the security label if the instance accesses the data object and the data object is associated with the security label; and
- a data flow policy enforcer to prevent the instance from executing a system call that violates the data flow policy.

Dependent claims: 17
Specification