Instruction set adapted for security risk monitoring

US 8,955,111 B2
Filed: 09/24/2011
Issued: 02/10/2015
Est. Priority Date: 09/24/2011
Status: Active Grant

First Claim

Patent Images

1. A processor operable to execute instructions of a defined instruction set architecture comprising:

one or more instructions configured to execute directly in hardware on the processor in machine code defined for the defined instruction set architecture, a single instruction of the one or more instructions specified in the instruction set architecture to access data from one or more sources and to receive a taint indicator indicative of potential security risk associated with the data;

one or more taint storage elements configured to update in response to receipt of the taint indicator; and

logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and

responding to the security risk condition.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processor is adapted to manage security risk by updating and monitoring a taint storage element in response to receipt of taint indicators, and responding to predetermined taint conditions detecting by the monitoring. The processor can be operable to execute instructions of a defined instruction set architecture and comprises an instruction of the instruction set architecture operable to access data from a source and operable to receive a taint indicator indicative of potential security risk associated with the data. The processor can further comprise a taint storage element operable for updating in response to receipt of the taint indicator and logic. The logic can be operable to update the taint storage element, process the taint storage element, determine a security risk condition based on the processing of the taint storage element, and respond to the security risk condition.

162 Citations

39 Claims

1. A processor operable to execute instructions of a defined instruction set architecture comprising:
- one or more instructions configured to execute directly in hardware on the processor in machine code defined for the defined instruction set architecture, a single instruction of the one or more instructions specified in the instruction set architecture to access data from one or more sources and to receive a taint indicator indicative of potential security risk associated with the data;
  
  one or more taint storage elements configured to update in response to receipt of the taint indicator; and
  
  logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
  
  responding to the security risk condition.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 2. The processor according to claim 1 wherein:
    - one or more instructions configured to execute directly in hardware on the processor in machine code defined for the defined instruction set architecture, the single instruction of the one or more instructions specified in the instruction set architecture to access data from one or more sources and to receive a taint indicator indicative of potential security risk associated with the data is configured to perform at least one operation of operations selected from reading, moving, performing arithmetic operations, performing logical operations, inputting, comparing, popping, rotating, shifting.
  - 3. The processor according to claim 1 wherein:
    - the one or more sources include at least one of a memory element, a memory page, memory block, a register, a port receiving data from a remote source, and a stack.
  - 4. The processor according to claim 1 further comprising:
    - one or more instructions configured to execute directly in hardware on the processor in machine code defined for the defined instruction set architecture, the single instruction of the one or more instructions specified in the instruction set architecture to pass the data to one or more destinations and associate one or more taint indicator aspects based at least partially on the taint indicator and/or the processed one or more taint storage elements with the destination.
  - 5. The processor according to claim 4 wherein:
    - one or more instructions configured to execute directly in hardware on the processor in machine code defined for the defined instruction set architecture, the single instruction of the one or more instructions specified in the instruction set architecture to pass the data is configured to perform at least one operation including storing, writing, moving, and outputting.
  - 6. The processor according to claim 4 wherein:
    - the of one or more destinations includes at least one of a memory element, a memory page, memory block, a register, a port for sending to a remote destination, and a stack.
  - 7. The processor according to claim 1 wherein the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements;
    - and responding to the security risk condition further includes;
      
      logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition by trapping to software.
  - 8. The processor according to claim 1 further comprising:
    - one or more instructions configured to execute directly in hardware on the processor in machine code defined for the defined instruction set architecture, the single instruction of the one or more instructions specified in the instruction set architecture to store to a predetermined memory address that stores to a hash of the predetermined memory address.
  - 9. The processor according to claim 1 further comprising:
    - a memory taint hash table; and
      
      logic configured in hardware on the processor to execute the single instruction by using the memory taint hash table to indicate a level of taint per memory block.
  - 10. The processor according to claim 9 further comprising:
    - logic configured in hardware on the processor to execute the single instruction by performing at least accessing the memory taint hash table, and indicating a level of taint per memory block using the memory taint hash table.
  - 11. The processor according to claim 1 further comprising:
    - one or more instructions configured to execute directly in hardware on the processor in machine code defined for the defined instruction set architecture, the single instruction of the one or more instructions specified in the instruction set architecture to operate on data at one or more destinations that passes a taint indicator aspect based at least partially on the taint indicator and/or the processed one or more taint storage elements associated with the one or more destinations.
  - 12. The processor according to claim 1 further comprising:
    - one or more instructions configured to execute directly in hardware on the processor in machine code defined for the defined instruction set architecture, the single instruction of the one or more instructions specified in the instruction set architecture to operate on data including performing at least one operation selected from storing, writing, moving, and outputting.
  - 13. The processor according to claim 11 wherein:
    - the one or more destinations includes at least one of a memory element, a memory page, memory block, a register, a port for sending to a remote destination, and a stack.
  - 14. The processor according to claim 1 wherein:
    - the one or more taint storage elements are configured for updating in response to receipt of a plurality of taint indicators indicative of potential security risk associated with information used by the processor.
  - 15. The processor according to claim 1 wherein:
    - the one or more taint storage elements are configured for updating in response to receipt of a plurality of taint indicators indicative of potential security risk from a plurality of distinct sources at distinct times; and
      
      the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to accumulate the plurality of taint indicators independently using a corresponding plurality of distinct accumulation functions and assess the security risk condition according to a risk assessment function that is cumulative of the plurality of taint indicators.
  - 16. The processor according to claim 15 wherein:
    - the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to accumulate the plurality of taint indicators on a basis selected from a group consisting of per-source, per-data, overall, and combination.
  - 17. The processor according to claim 15 wherein:
    - the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to assess whether information from a particular source or entity is trusted based at least partially on assessment of the security risk condition.
  - 18. The processor according to claim 15 wherein:
    - the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to accumulate the plurality of taint indicator independently using at least one accumulation function selected from among;
      
      comparing one or more of the accumulated plurality of taint indicator to at least one predetermined threshold;
      
      performing power law analysis;
      
      performing a race function;
      
      counting a number of taints;
      
      counting a number of taints per memory unit;
      
      counting a number of instructions tainted;
      
      counting a number of tainted instructions;
      
      counting a number of instructions written as a result of a taint;
      
      counting a number of data loads and stores;
      
      counting a number of memory accesses;
      
      counting a number of calls;
      
      counting a number of returns;
      
      counting a number of branches;
      
      counting a number of integer overflows;
      
      counting a number of network input/output events;
      
      counting a number of null pointer references;
      
      counting a number of buffer overruns/overflows; and
      
      counting a number of repeated attempts to access a key.
  - 19. The processor according to claim 15 wherein:
    - the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to perform at least initiating accumulation the plurality of taint indicators including counting taint indicators affiliated with a plurality of entities per affiliation and merging a low level for a plurality of affiliations up to a higher level.
  - 20. The processor according to claim 1 wherein:
    - one or more taint storage elements are configured for use in a federated system a including at least a first entity and a second entity for updating in response to receipt of a plurality of taint indicators; and
      
      the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to imitate tracking of at least one of the plurality of taint indicators of the first entity against at least one of the plurality of taint indicators of the second entity.
  - 21. The processor according to claim 1 wherein:
    - the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to perform at least defining a plurality of pathways through a federated system, initiating tracking of sources of information through the federated system, and passing information of a specified pathway of the plurality of pathways through a validator.
  - 22. The processor according to claim 1 wherein:
    - the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to perform at least initiating forming of a trust profile using the accumulated plurality of taint indicators, dynamically raising and lowering trust level of the trust profile based at least partially on the accumulated plurality of taint indicators, and responding to security risk in response to the trust level.
  - 23. The processor according to claim 1 wherein:
    - the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to initiating tracking of a taint indicator characterized by a range of taintedness from potentially suspicious to definite taints.
  - 24. The processor according to claim 1 further comprising:
    - one or more instructions configured to execute directly in hardware on the processor in machine code defined for the defined instruction set architecture, the single instruction of the one or more instructions specified in the instruction set architecture to receive the taint indicator indicative of potential security risk from a tagged system call associated with accessing information from a web page wherein an operating system injects a label indicating originating from a browser at an identified site.
  - 25. The processor according to claim 1 wherein:
    - the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to allocate taints at a selected granularity selected from at least one of;
      
      allocating taints by memory page;
      
      allocating taints by byte;
      
      allocating taints by word;
      
      allocating taints by memory block;
      
      allocating taints by hardware process identifier (PID);
      
      allocating taints to enable a cross-thread taint;
      
      allocating taints among hardware devices;
      
      allocating taints by component; and
      
      allocating taints by software component.
  - 26. The processor according to claim 1 wherein:
    - the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to perform at least tracking taints using hardware devices, and inserting initial taint notifications using software components.
  - 27. The processor according to claim 1 wherein:
    - the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to perform at least determining whether to ignore one or more taint indicator, and logging occurrences of the ignored one or more taint indicator in a ignore problems taint vector.
  - 28. The processor according to claim 1 wherein:
    - the one or more taint storage elements a plurality of bit fields of a taint vector corresponding to plurality of sources, events, activities, and/or conditions; and
      
      the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is further configured to perform at least assigning a plurality of taint indicators indicative of potential security risk to the bit fields of the taint vector, and monitoring the plurality of sources, events, activities, and/or conditions over time using the taint vector.
  - 29. The processor according to claim 1 further comprising:
    - one or more instructions configured to execute directly in hardware on the processor in machine code defined for the defined instruction set architecture, the single instruction of the one or more instructions specified in the instruction set architecture to receive a plurality of taint indicators from a plurality of distinct sources at distinct times;
      
      whereinthe logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to perform at least initiating accumulation of the plurality of taint indicators in the bit fields of the taint vector independently using a corresponding plurality of distinct accumulation functions, and assessing the security risk condition according to a risk assessment function that is cumulative of the plurality of taint indicators.
  - 30. The processor according to claim 1 wherein:
    - the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to monitor comparisons using at least one selected from;
      
      determining whether any elements are greater than a predetermined threshold;
      
      determining whether all elements are greater than a predetermined threshold;
      
      determining whether the sum of some elements is greater than a predetermined threshold; and
      
      determining whether the sum of all elements is greater than a predetermined threshold.
  - 31. The processor according to claim 1 further comprising:
    - one or more instructions configured to execute directly in hardware on the processor in machine code defined for the defined instruction set architecture, the single instruction of the one or more instructions specified in the instruction set architecture to specify a plurality of decay options corresponding to a plurality of taint indicators according to information type; and
      
      a decay control element configured to control delay of the plurality of taint indicators according the specified decay options;
      
      wherein;
      
      the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to apply the decay options to the bit fields of the taint vector.
  - 32. The processor according to claim 31 wherein:
    - the one or more instructions configured to execute directly in hardware on the processor in machine code defined for the defined instruction set architecture, the single instruction of the one or more instructions specified in the instruction set architecture to specify at least one of a multiple decay options selected from;
      
      applying decay after a predetermined number of operations to avoid triggering on outlying events;
      
      setting decay to account for rare and spurious events with a probability of occurrence by chance during long term monitoring;
      
      incrementing/decrementing using a single vector;
      
      subtracting a predetermined number;
      
      shifting a taint vector in an interval of time;
      
      shifting a taint vector at a predetermined instruction count;
      
      shifting a taint vector at a predetermined processor cycle count;
      
      copying a taint vector periodically to memory to maintain an old version while incrementing/decrementing to enable restoration following an invalid or error condition;
      
      imposing decay that balances accumulation;
      
      applying decay periodically;
      
      applying decay with a varying period that varies based at least partially on a sensitivity meter;
      
      applying decay with a varying period that varies based at least partially on environment;
      
      applying decay with a varying period that varies based at least partially on activity type; and
      
      applying decay according to a programmable parameter at a programmable rate.
  - 33. The processor according to claim 1 wherein:
    - the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is configured to perform at least detecting at least one security risk event as a result of monitoring a plurality of sources, events, activities, and/or conditions;
      
      and responding to security risk in response to determination of the at least one security risk event.
  - 34. The processor according to claim 1 further comprising:
    - logic configured to respond to determination of the at least one security risk event with a at least one response selected from;
      
      ignoring the at least one security risk event;
      
      logging the at least one security risk event;
      
      displaying a notification;
      
      displaying a warning message;
      
      generating an alarm;
      
      preventing a memory and/or register write;
      
      modifying operating frequency;
      
      modifying operating voltage;
      
      modifying an operating parameter;
      
      performing a system call;
      
      calling a trap and/or exception;
      
      terminating operation of selected resources; and
      
      activating a system shutdown.
  - 35. The processor according to claim 1 further comprising:
    - at least one taint vector including a plurality of vector fields operated upon one or more instructions in parallel to track at least one taint of the plurality of taints; and
      
      the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is further configured to perform at least incrementing the at least one taint vector upon detection of a predetermined taint condition wherein a predetermined condition of data is indicated, and responding to a predetermined taint condition.
  - 36. The processor according to claim 1 further comprising:
    - at least one taint vector including a plurality of vector fields operated upon one or more instructions in parallel to track at least one taint of the plurality of taints; and
      
      the logic configured in hardware on the processor to execute the single instruction by performing at least updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is further configured to perform at least incrementing the at least one taint vector upon detection of a predetermined taint condition wherein a predetermined condition of data is indicated, and responding to a predetermined taint condition by trapping to a software process based at least partly on determination of a suspicious condition.
  - 37. The processor according to claim 1 further comprising:
    - at least one taint vector including a plurality of vector fields operated upon one or more instructions in parallel to track at least one taint of the plurality of taints; and
      
      the logic configured in hardware on the processor to execute the single instruction by performing combined actions of updating the one or more taint storage elements, processing the one or more taint storage elements, determining a security risk condition based at least partially on the processing of the one or more taint storage elements; and
      
      responding to the security risk condition is further configured to perform combined actions of incrementing the at least one taint vector upon detection of a predetermined taint condition wherein a predetermined condition of data is indicated, and responding to a predetermined taint condition by trapping to a software process based at least partly on determination of a network input/output condition of an attempt of malware to communicate to a malware operator.

38. A processor operable to execute instructions of a defined instruction set architecture comprising:
- one or more instructions configured to execute directly in hardware on the processor in machine code defined for the defined instruction set architecture, a single instruction of the one or more instructions specified in the instruction set architecture to store to one or more predetermined memory addresses that store to a hash of the one or more predetermined memory addresses; and
  
  logic configured in hardware on the processor to execute the single instruction by performing at least computing a hash of the one or more predetermined memory addresses and storing to the hash of the one or more predetermined memory addresses.

39. A processor operable to execute instructions of a defined instruction set architecture comprising:
- one or more instructions configured to execute directly in hardware on the processor in machine code defined for the defined instruction set architecture, a single instruction of the one or more instructions specified in the instruction set architecture to operate on data at one or more destinations that pass one or more taint indicator aspects associated with the one or more destinations;
  
  one or more taint storage elements configured to update in response to receipt of one or more taint indicators; and
  
  logic configured in hardware on the processor to the single instruction by performing at least processing the taint storage element, deriving the one or more taint indicator aspects based at least partially on the one or more taint indicators and/or the one or more processed taint storage elements associated with the one or more destinations, and passing the one or more taint indicator aspects.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Elwha LLC (Intellectual Ventures LLC)
Inventors
Tegreene, Clarence T., Gerrity, Daniel A., Glew, Andrew F.
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Korsak, Oleg

Application Number

US13/200,547
Publication Number

US 20130081134A1
Time in Patent Office

1,235 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/577 Assessing vulnerabilities a...

Instruction set adapted for security risk monitoring

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

162 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Instruction set adapted for security risk monitoring

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

162 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links