Taint tracking mechanism for computer security

US 8,510,827 B1
Filed: 09/29/2006
Issued: 08/13/2013
Est. Priority Date: 05/18/2006
Status: Active Grant

First Claim

Patent Images

1. A virtualization system comprising:

a hardware processor configured to execute instructions; and

an information flow tracking mechanism that;

maintains and propagates a taint status for memory locations in correspondence with information flows of instructions executed by the hardware processor,transitions, only for a relevant subset of executable code, to an instrumented mode of execution upon execution of a triggering instruction that attempts to propagate tainted information from a tainted memory location to register storage in a register context associated with the relevant subset of executable code,augments the relevant subset of executable code with a set of additional instructions to propagate the taint status through the register storage in the register context or untaint the register storage in the register context based on a set of rules, andmaintains the instrumented mode of execution at least until the register storage in the register context is untainted.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms have been developed for securing computational systems against certain forms of attack. In particular, it has been discovered that, by maintaining and propagating taint status for memory locations in correspondence with information flows of instructions executed by a computing system, it is possible to provide a security response if and when a control transfer (or other restricted use) is attempted based on tainted data. In some embodiments, memory management facilities and related exception handlers can be exploited to facilitate taint status propagation and/or security responses. Taint tracking through registers of a processor (or through other storage for which access is not conveniently mediated using a memory management facility) may be provided using an instrumented execution mode of operation. For example, the instrumented mode may be triggered by an attempt to propagate tainted information to a register. In some embodiments, an instrumented mode of operation may be more generally employed. For example, data received from an untrusted source or via an untrusted path is often transferred into a memory buffer for processing by a particular service, routine, process, thread or other computational unit. Code that implements the computational unit may be selectively executed in an instrumented mode that facilitates taint tracking. In general, instrumented execution modes may be supported using a variety of techniques including a binary translation (or rewriting) mode, just-in-time (JIT) compilation/re-compilation, interpreted mode execution, etc. Using an instrumented execution mode and/or exception handler techniques, modifications to CPU hardware can be avoided if desirable.

311 Citations

42 Claims

1. A virtualization system comprising:
- a hardware processor configured to execute instructions; and
  
  an information flow tracking mechanism that;
  
  maintains and propagates a taint status for memory locations in correspondence with information flows of instructions executed by the hardware processor,transitions, only for a relevant subset of executable code, to an instrumented mode of execution upon execution of a triggering instruction that attempts to propagate tainted information from a tainted memory location to register storage in a register context associated with the relevant subset of executable code,augments the relevant subset of executable code with a set of additional instructions to propagate the taint status through the register storage in the register context or untaint the register storage in the register context based on a set of rules, andmaintains the instrumented mode of execution at least until the register storage in the register context is untainted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The virtualization system of claim 1, wherein the relevant subset of executable code includes execution sequences of instructions that are subsequently executed by one or more processes or threads that access the taint status in the register storage.
  - 3. The virtualization system of claim 1, further comprising:
    - a fault generating mechanism that triggers an exception handler for at least some instructions that access a memory location marked as tainted.
  - 4. The virtualization system of claim 3, wherein the exception handler consults an inventory of tainted locations to determine whether the triggering instruction actually propagates information from the tainted memory location.
  - 5. The virtualization system of claim 3, wherein, if the triggering instruction is a control transfer instruction having a control flow target that is based on the tainted memory location, the exception handler triggers a security action.
  - 6. The virtualization system of claim 3, wherein the exception handler initiates the instrumented mode of execution if the triggering instruction actually propagates information from the tainted memory location to the register storage.
  - 7. The virtualization system of claim 3, wherein the fault generating mechanism includes an unmapped page corresponding to the tainted memory location.
  - 8. The virtualization system of claim 3, wherein the exception handler consults an inventory of tainted locations to determine whether to propagate the taint or an untainted status to a target of the triggering instruction.
  - 9. The virtualization system of claim 3, wherein the exception handler determines whether the triggering instruction is a control transfer instruction.
  - 10. The virtualization system of claim 1, wherein the instrumented mode of execution includes one or more of:
    - execution of translated code produced using runtime binary translation;
      
      execution of derived code produced using runtime compiler;
      
      execution of original code in a stepped mode of execution; and
      
      interpreted mode execution of the original code.
  - 11. The virtualization system of claim 1, wherein the information flow tracking mechanism includes a DMA handler that marks as tainted, at least those memory locations to which information is transferred from an untrusted device.
  - 12. The virtualization system of claim 1, wherein the virtualization system propagates the taint status based on a time-to-live value.
  - 13. The virtualization system of claim 1, wherein the relevant subset of executable code includes execution sequences of instructions that are subsequently executed by one or more processes or threads that access the tainted information.
  - 14. The virtualization system of claim 1, wherein the information flow tracking mechanism is embodied as software in a non-transitory computer readable medium.
  - 15. The virtualization system of claim 1, wherein the virtualization system includes virtualization software that presents a virtual machine to a guest operating system.
  - 16. The virtualization system of claim 1, wherein propagation of the taint status conforms to a rule stating that instructions that write results that are modified forms of their source operands untaint their destination, even if one of their source operands is tainted.

17. A security method for a computational system, the security method comprising:
- initially marking as tainted, those memory locations to which information is transferred from an untrusted source; and
  
  employing an instrumented mode of execution for an instruction sequence executed by the computational system upon execution of a triggering instruction that attempts to propagate tainted information from a tainted memory location to register storage in a register context associated with the instruction sequence, wherein the instrumented execution mode is configured to;
  
  augment the instruction sequence with a set of additional instructions to propagate a taint status through the register storage in the register context or untaint the register storage in the register context based on a set of rules, andmaintain the instrumented mode of execution at least until the register storage in the register context is untainted.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 18. The method of claim 17, wherein the triggering instruction corresponds to code identified as a consumer of information stored in those memory locations initially marked as tainted.
  - 19. The method of claim 17, wherein the marking as tainted includes:
    - updating memory management status for one or more memory storage groups that include the transferred-to memory locations; and
      
      updating ancillary storage to identify the transferred-to memory locations, the ancillary storage accessible to an exception handler triggered on execution of an instruction that accesses memory within the one or more memory storage groups based on the updated memory management status.
  - 20. The method of claim 19,wherein the memory storage groups include memory pages;
    - wherein the updating of memory management status includes unmapping a corresponding memory page; and
      
      wherein the triggered exception handler includes a page fault handler.
  - 21. The method of claim 19, wherein the exception handler evaluates taint-status of a source memory location of the triggering instruction and selectively propagates the taint-status to one or more target memory locations of the triggering instruction.
  - 22. The method of claim 21, wherein the selective propagation includes further updating memory management status for the one or more target memory locations at least if the triggering instruction copies data from the memory location to the one or more target memory locations.
  - 23. The method of claim 19, wherein the exception handler evaluates taint-status of a source memory location of the triggering instruction and initiates the instrumented mode of execution if the triggering instruction copies data from the memory location to the register storage.
  - 24. The method of claim 17, further comprising:
    - upon execution of control flow instructions having control flow targets that are based on a storage location marked as tainted, performing a security action.
  - 25. The method of claim 24, wherein the security action includes one or more of blocking the control transfer, logging an event, forcing an exception, forking off a honeypot virtual machine, and reverting to a checkpoint state.
  - 26. The method of claim 17, wherein the initial marking as tainted is performed under control of a DMA handler.
  - 27. The method of claim 17, wherein taint propagation conforms to a rule stating that instructions that write results that are modified forms of their source operands untaint their destination, even if one of their source operands is tainted.
  - 28. The method of claim 17, wherein untrusted status of the untrusted source is based on one or more of source device type, source location or protocol, and conveying program, service or system call.
  - 29. The method of claim 17, wherein the instrumented mode of operation uses runtime binary translation facilities of a virtualization system that includes virtualization software that presents a virtual machine to a guest operating system.

30. A computational system comprising:
- at least one hardware processor, together with register and memory storage accessible thereby, wherein those locations in the memory storage to which information is transferred from an untrusted source are marked as tainted;
  
  an exception handler triggerable upon access to tainted ones of the memory storage locations, the exception handler selectively propagating taint status to an additional storage location in correspondence with information flows of an instruction that triggered the exception handler;
  
  virtual machine software executable on the hardware processor, the virtual machine software supporting an instrumented mode of execution that is invoked by the exception handler when the taint status is propagated from a tainted memory location to register storage,wherein the computational system augments with additional instructions, in the instrumented execution mode, at least those instruction sequences for which a current register context includes tainted register storage to propagate the taint status through registers of the current register context at least until the taint status is removed from the register storage in the current register context.
- View Dependent Claims (31, 32, 33, 34)
- - 31. The computational system of claim 30, wherein instructions are directly executed on the hardware processor, wherein the exception handler initiates the instrumented mode of execution if the additional storage location is in the register storage.
  - 32. The computational system of claim 30, wherein taint propagation conforms to a rule stating that instructions that write results that are modified forms of their source operands untaint their destination, even if one of their source operands is tainted.
  - 33. The computational system of claim 30,wherein a memory management status is updated for one or more storage groups that include the transferred-to memory storage locations;
    - andwherein ancillary storage is updated to identify the transferred-to memory locations, the ancillary storage accessible to the exception handler.
  - 34. The computational system of claim 30, wherein the instrumented mode of execution uses runtime binary translation facilities of the virtual machine software.

35. A computational system comprising:
- one or more hardware processors, together with register and memory storage accessible thereby; and
  
  a non-transitory computer-readable storage medium comprising instructions, that when executed, control the one or more hardware processors to;
  
  mark as tainted, those locations in the memory storage to which information is transferred from an untrusted source,transition, only for a relevant subset of executable code, to an instrumented mode of execution upon execution of a triggering instruction that attempts to propagate tainted information from a tainted memory location to register storage in a register context associated with the relevant subset of executable code,augment the relevant subset of executable code with a set of additional instructions to propagate a taint status through the register storage in the register context or untaint the register storage in the register context based on a set of rules, andmaintain the instrumented mode of execution at least until the register storage in the register context is untainted.

36. A non-transitory computer program product containing instructions, that when executed by a hardware processor, control a computer system to:
- maintain and propagate a taint status for storage locations in correspondence with information flows of instruction sequences executed by the hardware processor,transition, only for a relevant subset of executable code, to an instrumented mode of execution upon execution of a triggering instruction that attempts to propagate tainted information from a tainted memory location to register storage in a register context associated with the relevant subset of executable code,augment the relevant subset of executable code with a set of additional instructions to propagate a taint status through the register storage in the register context or untaint the register storage in the register context based on a set of rules, andmaintain the instrumented mode of execution at least until the register storage in the register context is untainted.
- View Dependent Claims (37, 38, 39, 40, 41, 42)
- - 37. The non-transitory computer program product of claim 36, further comprising:
    - an exception handler executable on the hardware processor in response to access, by a non-instrumented one of the instruction sequences, to the a tainted memory location, the exception handler selectively propagates taint status in correspondence with information flows of the non-instrumented instruction sequence.
  - 38. The non-transitory computer program product of claim 37, wherein the exception handler initiates the instrumented mode of operation for the relevant subset of executable code for which the register context includes tainted register storage.
  - 39. The non-transitory computer program product of claim 36, wherein the instrumented mode of execution uses runtime binary translation facilities of the virtual machine software.
  - 40. The non-transitory computer program product of claim 36, wherein the instructions, when executed by the hardware processor, control the computer system to initiate a security action upon attempted execution of a control flow instruction having a control flow target that is based on the tainted memory location.
  - 41. The non-transitory computer program product of claim 36, wherein the instructions, when executed by the hardware processor, control the computer system to initially mark as tainted, those ones of the memory storage locations to which information is transferred from an untrusted source.
  - 42. The non-transitory computer program product of claim 36, wherein propagation of the taint status conforms to a rule stating that instructions that write results that are modified forms of their source operands untaint their destination, even if one of their source operands is tainted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Leake, Edward N., Pike, Geoffrey
Primary Examiner(s)
SHEHNI, GHAZAL B

Application Number

US11/529,796
Time in Patent Office

2,510 Days
Field of Search

726 22- 26
US Class Current

726/22
CPC Class Codes

G06F 12/1416   by checking the object acce...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

Taint tracking mechanism for computer security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

311 Citations

42 Claims

Specification

Use Cases

Quick Links

Others

Taint tracking mechanism for computer security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

311 Citations

42 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others