Method and system for protecting data flow at a mobile device

US 9,047,463 B2
Filed: 10/24/2012
Issued: 06/02/2015
Est. Priority Date: 06/29/2012
Status: Active Grant

First Claim

Patent Images

1. A data flow policy evaluation system for a mobile computing device embodied as executable instructions in one or more non-transitory machine-accessible storage media, the data flow policy evaluation system comprising:

one or more computing devices; and

executable by the one or more computing devices;

a system call monitor to monitor system calls made by a plurality of security-wrapped software applications during execution of the security-wrapped software applications at the mobile computing device; and

a data flow policy engine to generate policy decisions to enable the security-wrapped software applications to prevent the execution of system calls that would violate a data flow policy, wherein the data flow policy defines security labels, associates data flow policies with the security labels, and assigns the security labels to data objects, and the data flow policy engine is configured to;

cause an executing process of a security-wrapped software application to inherit a security label of a data object when the process accesses the data object to which the security label is assigned;

when the process inherits a security label of a data object, apply a policy associated with the security label of the data object to a future activity of the executing process that does not involve the data object; and

as a result of the security label of the data object being inherited by the process, associate another executing process with the security label of the data object accessed by the process when the other executing process is in communication with the executing process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for evaluating and enforcing a data flow policy at a mobile computing device includes a data flow policy engine to evaluate data access requests made by security-wrapped software applications running on the mobile device and prevent the security-wrapped software applications from violating the data flow policy. The data flow policy defines a number of security labels that are associated with data objects. A software application process may be associated with a security label if the process accesses data having the security label or the process is in communication with another process that has accessed data having the security label.

303 Citations

23 Claims

1. A data flow policy evaluation system for a mobile computing device embodied as executable instructions in one or more non-transitory machine-accessible storage media, the data flow policy evaluation system comprising:
- one or more computing devices; and
  
  executable by the one or more computing devices;
  
  a system call monitor to monitor system calls made by a plurality of security-wrapped software applications during execution of the security-wrapped software applications at the mobile computing device; and
  
  a data flow policy engine to generate policy decisions to enable the security-wrapped software applications to prevent the execution of system calls that would violate a data flow policy, wherein the data flow policy defines security labels, associates data flow policies with the security labels, and assigns the security labels to data objects, and the data flow policy engine is configured to;
  
  cause an executing process of a security-wrapped software application to inherit a security label of a data object when the process accesses the data object to which the security label is assigned;
  
  when the process inherits a security label of a data object, apply a policy associated with the security label of the data object to a future activity of the executing process that does not involve the data object; and
  
  as a result of the security label of the data object being inherited by the process, associate another executing process with the security label of the data object accessed by the process when the other executing process is in communication with the executing process.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, comprising an access interceptor configured to prevent the security-wrapped software application from executing any system call that would violate the data flow policy.
  - 3. The system of claim 1, wherein the other executing process is a software application process invoked by the executing process.
  - 4. The system of claim 1, wherein the data flow policy engine associates the other executing process with the security label when the other executing process reads data from memory to which data has been written by the executing process.

5. A system for evaluating data access requests at a mobile computing device, embodied as executable instructions in one or more non-transitory machine-accessible storage media, the system comprising:
- one or more computing devices; and
  
  executable by the one or more computing devices;
  
  a system call monitor to monitor system calls relating to data accesses made by an instance of a security-wrapped software application executing on the mobile computing device; and
  
  a data flow policy engine to;
  
  associate data access tracking data with the instance of the security-wrapped software application, wherein the data access tracking data relates to data objects accessed by the instance and security labels assigned to the data objects, and the security labels indicate conflicts of interest between or among the data objects; and
  
  generate data flow policy decisions based on the data access tracking data, wherein the policy decisions are based on;
  
  (i) one or more current and one or more previous data accesses made by the instance and (ii) one or more security labels assigned to the data objects and inherited by the instance as a result of the previous data accesses, wherein when the instance inherits a security label of a data object, the data flow policy engine applies a policy associated with the inherited security label to a future activity of the instance that does not involve the data object; and
  
  as a result of the security label of the data object being inherited by the instance, associate another executing instance with the security label of the data object accessed by the instance when the other executing instance is in communication with the executing instance.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 6. The system of claim 5, wherein the data flow policy engine stores data access tracking data associated with each instance of the security-wrapped software application.
  - 7. The system of claim 5, wherein the data access tracking data indicates data that has been read by the executing instance of the security-wrapped software application, data that is currently being read by the instance, and data that has been written by the instance.
  - 8. The system of claim 7, wherein the data flow policy engine separately associates data access tracking data with each instance of the security-wrapped software application.
  - 9. The system of claim 7, wherein the system permits the executing instance of the security-wrapped software application to read data associated with a security label only when the instance has not read data associated with another security label that is in conflict with the security label.
  - 10. The system of claim 7, wherein the system permits the executing instance of the security-wrapped software application to read data associated with a plurality of security labels only when the instance is authorized to read data associated with each of security labels.
  - 11. The system of claim 7, wherein the system permits the executing instance of the security-wrapped software application to read data associated with a plurality of security labels even when the instance is not authorized to read data associated with each of the security labels, when the instance is authorized to read data associated with at least one of the security labels.
  - 12. The system of claim 7, wherein the system permits the executing instance of the security-wrapped software application to write data associated with a plurality of security labels only when:
    - the instance is authorized to read data associated with each of the security labels; and
      
      the instance has not written data associated with another security label that is in conflict with any of the security labels.
  - 13. The system of claim 7, wherein the system permits the executing instance of the security-wrapped software application to write data associated with one or more security labels only when:
    - the instance is not currently reading data associated with another security label that is in conflict with any of the security labels; and
      
      the instance has not written data associated with another security label that is in conflict with any of the one or more security labels.
  - 14. The system of claim 5, wherein the data flow policy engine defines each security label as either public or private.
  - 15. The system of claim 14, wherein the system permits the executing instance of the security-wrapped software application to write data associated with a public security label only when:
    - the security-wrapped software application has not read data associated with a private security label; and
      
      the security-wrapped software application has not written data associated with the private security label.

16. A system for enforcing a data flow policy at a mobile computing device, embodied as executable instructions in one or more non-transitory machine-accessible storage media, the system comprising:
- one or more computing devices; and
  
  executable by the one or more computing devices;
  
  a system call monitor to monitor system calls made by an instance of a security-wrapped software application executing on the mobile computing device;
  
  a data flow policy engine to;
  
  analyze the system calls using a data flow policy, wherein the data flow policy assigns security labels to data objects and the security labels indicate conflicts of interest between or among data objects;
  
  assign a security label to a data object when the data object is produced by a data source having the security label or when the data object is created by a software application process that has inherited the security label from another data object, wherein when the software application process has inherited the security label from another data object, the system applies a policy associated with the inherited security label to a future activity of the software application process that does not involve the another data object; and
  
  as a result of the security label of the another data object being inherited by the instance, associate another executing instance with the security label of the another data object accessed by the instance when the other executing instance is in communication with the executing instance; and
  
  associate the instance with the security label when the instance accesses the data object and the security label is assigned to the data object; and
  
  a data flow policy enforcer to prevent the instance from executing a system call that violates the data flow policy.
- View Dependent Claims (17)
- - 17. The system of claim 16, wherein the data object may be associated with more than one security label.

18. data flow policy engine for a mobile computing device, embodied as executable instructions in one or more non-transitory machine-accessible storage media, the data flow policy engine configured to:
- evaluate system calls made by instances of security-wrapped software applications executing on the mobile computing device;
  
  cause an instance of a security-wrapped software application to inherit a security label when the instance reads a data object to which the security label is assigned, writes to a data object to which the security label is assigned, or connects to a data source to which the security label is assigned;
  
  wherein the security label indicates that the data object or data source has a conflict of interest with at least one other data object or data source, and wherein when the instance inherits a security label of a data object, the data flow policy engine applies a policy associated with the inherited security label to a future activity of the instance that does not involve the data object; and
  
  as a result of the security label of the data object being inherited by the instance, associate another executing instance with the security label of the data object accessed by the instance when the other executing instance is in communication with the executing instance; and
  
  generate a data flow policy decision usable by the security-wrapped software application to prevent the execution of any system call that would result in a conflict of interest.
- View Dependent Claims (19, 20)
- - 19. The data flow policy engine of claim 18, wherein the data flow policy engine is configured to evaluate system calls made by the instances of security-wrapped software applications by interfacing with an access interceptor of each of the security-wrapped software applications.
  - 20. The data flow policy engine of claim 18, wherein a data object or data source having the security label has a conflict of interest with another object or data source when the data object or data source having the security label cannot be mixed with the other data object or data source.

21. The data flow policy engine of 18, wherein the security label is defined as either public or private.

22. The data flow policy engine of 21, wherein in response to the executing instance of the security-wrapped software application attempting to perform a write operation on a data object having a public security label after reading another data object having a private security label, the data flow policy engine is configured to:
- generate a copy of the data object;
  
  allow the write operation to be performed on the copy of the data object;
  
  deny the write operation on the data object; and
  
  associate the copy of the data object with the security label.

23. The data flow policy engine of 22, wherein the data flow policy engine is configured to:
- associate a data access by another executing instance of the security-wrapped software application with the copy of the data object when the other instance is associated with the security label; and
  
  associate the data access by the other instance with the data object when the other instance is not associated with the security label.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Porras, Phillip A.
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
GIDDINS, NELSON S

Application Number

US13/659,680
Publication Number

US 20140007184A1
Time in Patent Office

951 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/60   Protecting data

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 21/6281   at program execution time, ...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Method and system for protecting data flow at a mobile device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

303 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for protecting data flow at a mobile device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

303 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links