Taint tracking mechanism for computer security
Abstract
Mechanisms have been developed for securing computational systems against certain forms of attack. In particular, it has been discovered that, by maintaining and propagating taint status for memory locations in correspondence with information flows of instructions executed by a computing system, it is possible to provide a security response if and when a control transfer (or other restricted use) is attempted based on tainted data. In some embodiments, memory management facilities and related exception handlers can be exploited to facilitate taint status propagation and/or security responses. Taint tracking through registers of a processor (or through other storage for which access is not conveniently mediated using a memory management facility) may be provided using an instrumented execution mode of operation. For example, the instrumented mode may be triggered by an attempt to propagate tainted information to a register. In some embodiments, an instrumented mode of operation may be more generally employed. For example, data received from an untrusted source or via an untrusted path is often transferred into a memory buffer for processing by a particular service, routine, process, thread or other computational unit. Code that implements the computational unit may be selectively executed in an instrumented mode that facilitates taint tracking. In general, instrumented execution modes may be supported using a variety of techniques including a binary translation (or rewriting) mode, just-in-time (JIT) compilation/re-compilation, interpreted mode execution, etc. Using an instrumented execution mode and/or exception handler techniques, modifications to CPU hardware can be avoided if desirable.
311 Citations
42 Claims
1. A virtualization system comprising:
    a hardware processor configured to execute instructions; and
    an information flow tracking mechanism that:
        maintains and propagates a taint status for memory locations in correspondence with information flows of instructions executed by the hardware processor,
        transitions, only for a relevant subset of executable code, to an instrumented mode of execution upon execution of a triggering instruction that attempts to propagate tainted information from a tainted memory location to register storage in a register context associated with the relevant subset of executable code,
        augments the relevant subset of executable code with a set of additional instructions to propagate the taint status through the register storage in the register context or untaint the register storage in the register context based on a set of rules, and
        maintains the instrumented mode of execution at least until the register storage in the register context is untainted.
Dependent claims: 2-16.
17. A security method for a computational system, the security method comprising:
    initially marking as tainted those memory locations to which information is transferred from an untrusted source; and
    employing an instrumented mode of execution for an instruction sequence executed by the computational system upon execution of a triggering instruction that attempts to propagate tainted information from a tainted memory location to register storage in a register context associated with the instruction sequence, wherein the instrumented execution mode is configured to:
        augment the instruction sequence with a set of additional instructions to propagate a taint status through the register storage in the register context or untaint the register storage in the register context based on a set of rules, and
        maintain the instrumented mode of execution at least until the register storage in the register context is untainted.
Dependent claims: 18-29.
30. A computational system comprising:
    at least one hardware processor, together with register and memory storage accessible thereby, wherein those locations in the memory storage to which information is transferred from an untrusted source are marked as tainted;
    an exception handler triggerable upon access to tainted ones of the memory storage locations, the exception handler selectively propagating taint status to an additional storage location in correspondence with information flows of an instruction that triggered the exception handler; and
    virtual machine software executable on the hardware processor, the virtual machine software supporting an instrumented mode of execution that is invoked by the exception handler when the taint status is propagated from a tainted memory location to register storage,
    wherein the computational system augments with additional instructions, in the instrumented execution mode, at least those instruction sequences for which a current register context includes tainted register storage, to propagate the taint status through registers of the current register context at least until the taint status is removed from the register storage in the current register context.
Dependent claims: 31-34.
35. A computational system comprising:
    one or more hardware processors, together with register and memory storage accessible thereby; and
    a non-transitory computer-readable storage medium comprising instructions that, when executed, control the one or more hardware processors to:
        mark as tainted those locations in the memory storage to which information is transferred from an untrusted source,
        transition, only for a relevant subset of executable code, to an instrumented mode of execution upon execution of a triggering instruction that attempts to propagate tainted information from a tainted memory location to register storage in a register context associated with the relevant subset of executable code,
        augment the relevant subset of executable code with a set of additional instructions to propagate a taint status through the register storage in the register context or untaint the register storage in the register context based on a set of rules, and
        maintain the instrumented mode of execution at least until the register storage in the register context is untainted.
36. A non-transitory computer program product containing instructions that, when executed by a hardware processor, control a computer system to:
    maintain and propagate a taint status for storage locations in correspondence with information flows of instruction sequences executed by the hardware processor,
    transition, only for a relevant subset of executable code, to an instrumented mode of execution upon execution of a triggering instruction that attempts to propagate tainted information from a tainted memory location to register storage in a register context associated with the relevant subset of executable code,
    augment the relevant subset of executable code with a set of additional instructions to propagate a taint status through the register storage in the register context or untaint the register storage in the register context based on a set of rules, and
    maintain the instrumented mode of execution at least until the register storage in the register context is untainted.
Dependent claims: 37-42.
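The mechanism the abstract describes and claims 1 and 17 recite can be followed end to end on a toy machine. The simulator below is a constructed example added here; it is not code from the patent or from any implementation of it. The four-register machine, its instruction set, the untrusted sample buffer and the propagation rules (a constant move or `xor r, r` clears a register's taint, `mov`/`add` carry it) are all assumptions chosen to illustrate the claimed behaviour: memory taint is tracked in every mode, a load from a tainted cell is the triggering instruction that enters instrumented mode, the augmented register bookkeeping runs only while instrumented, instrumented mode ends once every register is clean, and an indirect control transfer through a tainted register is the restricted use that gets a security response.

```python
"""Shadow-taint simulator (constructed example, not the patent's code)."""
from dataclasses import dataclass, field

REGS = ("a", "b", "c", "d")          # assumed register file


class TaintViolation(Exception):
    """Security response: a control transfer that depends on tainted data."""


@dataclass
class Machine:
    regs: dict = field(default_factory=lambda: {r: 0 for r in REGS})
    reg_taint: dict = field(default_factory=lambda: {r: False for r in REGS})
    mem: dict = field(default_factory=dict)
    mem_taint: set = field(default_factory=set)
    instrumented: bool = False
    trace: list = field(default_factory=list)

    def mark_untrusted(self, addr, data):
        """Buffer filled from an untrusted source: every byte starts tainted."""
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.mem_taint.add(addr + i)

    def _enter(self, why):
        if not self.instrumented:
            self.instrumented = True
            self.trace.append("enter instrumented: " + why)

    def _exit_if_clean(self):
        # Instrumented mode is kept at least until no register is tainted.
        if self.instrumented and not any(self.reg_taint.values()):
            self.instrumented = False
            self.trace.append("exit instrumented: registers clean")

    def step(self, insn):
        op, *args = insn
        if op == "movi":                        # movi r, imm  (constant: untaints r)
            r, imm = args
            self.regs[r] = imm
            self.reg_taint[r] = False
        elif op == "load":                      # load r, [addr]
            r, addr = args
            self.regs[r] = self.mem.get(addr, 0)
            if addr in self.mem_taint:
                # Triggering instruction: taint would flow memory -> register.
                self._enter(f"load {r} from tainted 0x{addr:x}")
                self.reg_taint[r] = True
        elif op == "store":                     # store [addr], r
            addr, r = args
            self.mem[addr] = self.regs[r]
            # Memory taint is tracked in every mode, not only when instrumented.
            if self.reg_taint[r]:
                self.mem_taint.add(addr)
            else:
                self.mem_taint.discard(addr)
        elif op in ("mov", "add", "xor"):       # op r, s
            r, s = args
            if op == "mov":
                self.regs[r] = self.regs[s]
            elif op == "add":
                self.regs[r] = (self.regs[r] + self.regs[s]) & 0xFF
            else:
                self.regs[r] = self.regs[r] ^ self.regs[s]
            if self.instrumented:
                # The "additional instructions": propagate or untaint by rule.
                if op == "xor" and r == s:
                    self.reg_taint[r] = False   # xor r, r yields a constant 0
                elif op == "mov":
                    self.reg_taint[r] = self.reg_taint[s]
                else:
                    self.reg_taint[r] = self.reg_taint[r] or self.reg_taint[s]
        elif op == "jmp_reg":                   # indirect control transfer
            (r,) = args
            if self.reg_taint[r]:
                raise TaintViolation(f"indirect jump through tainted register {r}")
        else:
            raise ValueError(f"unknown op {op}")
        self._exit_if_clean()


def run(machine, program):
    """Execute program; return (completed_without_violation, trace)."""
    try:
        for insn in program:
            machine.step(insn)
    except TaintViolation as e:
        machine.trace.append("violation: " + str(e))
        return False, machine.trace
    return True, machine.trace


def demo():
    """Constructed sample: a routine reads an untrusted byte and later
    dispatches through a register derived from it."""
    m = Machine()
    m.mark_untrusted(0x1000, b"\x7f\x00\x41")   # constructed untrusted input
    program = [
        ("movi", "a", 0),
        ("load", "b", 0x1000),    # trigger: enters instrumented mode
        ("add", "a", "b"),        # taint a <- b via the augmented instruction
        ("store", 0x2000, "a"),   # taint flows back into memory
        ("xor", "b", "b"),        # rule: clears b
        ("movi", "a", 0x40),      # clears a -> all registers clean -> exit
        ("movi", "d", 7),
        ("add", "d", "a"),        # ordinary arithmetic, normal mode
        ("load", "c", 0x2000),    # re-enters: the stored copy is tainted
        ("jmp_reg", "c"),         # restricted use -> security response
    ]
    ok, trace = run(m, program)
    return ok, trace, m


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The trace produced by `demo()` shows the two mode transitions and the final violation; the point to take from it is that the tainted value survived a round trip through memory while the registers were clean, so the store path must propagate taint even when the code is not being instrumented.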
Specification