Intrusion detection using taint accumulation
First Claim
1. A method operable in one or more processing devices for handling security risk comprising:
receiving at least one of an incoming instruction or data from one or more sources; and
executing one or more instructions on the one or more processing devices to perform one or more operations including at least:
detecting one or more potential taint indicators indicative of activities or events occurring during execution associated with the at least one of the incoming instruction or data received from the one or more sources, the activities or events occurring during the execution of the instructions including at least one of a null pointer reference, an integer overflow, a buffer overflow, one or more attempts to access a memory element according to a predetermined restriction, or one or more attempts to access a processor element according to a predetermined restriction;
assigning at least one of the one or more potential taint indicators to at least one taint vector including vector fields operated upon by the one or more instructions, the vector fields including at least one taint indicator field associated with the one or more potential taint indicators, at least one source field associated with the one or more sources, and at least one accumulator field corresponding to the at least one taint indicator field and the at least one source field;
accumulating, in response to the receipt of the data from one or more sources, one or more taints in the at least one accumulator field of the at least one taint vector corresponding to the at least one taint indicator field according to one or more taint accumulation functions based at least in part on the one or more potential taint indicators and the associated one or more sources; and
assessing security risk based at least partially on the accumulation in the at least one accumulator field of the at least one taint vector according to a risk assessment function that is cumulative of the one or more taints and assesses whether at least one of the one or more cumulative taints is indicative of potential security risk for the one or more potential taint indicators and the associated one or more sources, wherein at least one of the receiving, the detecting, the assigning, the accumulating, or the assessing is at least partially implemented using the one or more processing devices.
Abstract
A method operable in a computing device adapted for handling security risk can use taint accumulation to detect intrusion. The method can comprise receiving a plurality of taint indicators indicative of potential security risk from a plurality of distinct sources at distinct times, and accumulating the plurality of taint indicators independently using a corresponding plurality of distinct accumulation functions. Security risk can be assessed according to a risk assessment function that is cumulative of the plurality of taint indicators.
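The claim and abstract describe a data structure and two functions over it: a taint vector whose accumulator field is indexed by a taint indicator field and a source field, a distinct accumulation function per indicator, and a risk assessment function that is cumulative over the accumulated taints. The following Python is an added illustration of that structure, not code from the patent or its assignee. The indicator names follow claim 1; the three accumulation functions (saturating count, exponentially decaying sum, sticky latch), the source names, the weights, the thresholds and the event stream are all constructed for this example.

```python
"""Taint-vector accumulation and cumulative risk assessment.

Added illustration, not the patent's own code: models the taint vector of the
claims -- a taint-indicator field, a source field and an accumulator per
(indicator, source) pair -- with a distinct accumulation function per indicator
and a risk assessment function that is cumulative over the accumulated taints.
Accumulation functions, sources, weights, thresholds and events are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Taint(Enum):
    """Taint indicators named in claim 1."""
    NULL_POINTER = "null_pointer"
    INTEGER_OVERFLOW = "integer_overflow"
    BUFFER_OVERFLOW = "buffer_overflow"
    MEMORY_RESTRICTION = "memory_restriction"
    PROCESSOR_RESTRICTION = "processor_restriction"


# An accumulation function maps (previous accumulator value, event weight,
# seconds since this accumulator was last updated) to the new accumulator value.
AccumFn = Callable[[float, float, float], float]


def saturating_count(prev: float, weight: float, elapsed: float, cap: float = 15.0) -> float:
    """Count events, saturating at `cap` so a flood cannot wrap the field."""
    return min(prev + weight, cap)


def decaying_sum(prev: float, weight: float, elapsed: float, half_life: float = 60.0) -> float:
    """Exponentially decayed sum: a burst accumulates, a slow trickle fades."""
    return prev * 0.5 ** (elapsed / half_life) + weight


def latch(prev: float, weight: float, elapsed: float) -> float:
    """Sticky accumulator: a single occurrence is remembered until reset."""
    return max(prev, weight)


@dataclass
class TaintVector:
    accum_fns: Dict[Taint, AccumFn]      # one accumulation function per indicator
    thresholds: Dict[Taint, float]       # per-indicator level that counts as risk
    # accumulator field, keyed by (taint indicator field, source field)
    accumulators: Dict[Tuple[Taint, str], float] = field(default_factory=dict)
    last_seen: Dict[Tuple[Taint, str], float] = field(default_factory=dict)

    def record(self, indicator: Taint, source: str, t: float, weight: float = 1.0) -> float:
        """Accumulate one detected taint indicator from `source` at time `t`."""
        key = (indicator, source)
        prev = self.accumulators.get(key, 0.0)
        elapsed = t - self.last_seen.get(key, t)   # 0 on first sighting
        value = self.accum_fns[indicator](prev, weight, elapsed)
        self.accumulators[key] = value
        self.last_seen[key] = t
        return value

    def assess(self) -> dict:
        """Cumulative risk assessment over every accumulator in the vector."""
        per_source: Dict[str, float] = {}
        flagged: List[Tuple[str, str]] = []
        for (indicator, source), value in self.accumulators.items():
            per_source[source] = per_source.get(source, 0.0) + value
            if value >= self.thresholds[indicator]:
                flagged.append((indicator.value, source))
        return {"per_source": per_source, "flagged": sorted(flagged)}


def run_demo() -> dict:
    """Feed a constructed, time-ordered event stream through the vector."""
    vec = TaintVector(
        accum_fns={
            Taint.NULL_POINTER: saturating_count,
            Taint.INTEGER_OVERFLOW: decaying_sum,
            Taint.BUFFER_OVERFLOW: latch,
            Taint.MEMORY_RESTRICTION: latch,
            Taint.PROCESSOR_RESTRICTION: latch,
        },
        thresholds={
            Taint.NULL_POINTER: 3.0,
            Taint.INTEGER_OVERFLOW: 2.0,
            Taint.BUFFER_OVERFLOW: 1.0,
            Taint.MEMORY_RESTRICTION: 1.0,
            Taint.PROCESSOR_RESTRICTION: 1.0,
        },
    )
    # Constructed events: (time in seconds, indicator, source).
    events = [
        (0.0, Taint.INTEGER_OVERFLOW, "net_socket"),
        (5.0, Taint.NULL_POINTER, "net_socket"),
        (6.0, Taint.NULL_POINTER, "net_socket"),        # two counts, below 3
        (7.0, Taint.BUFFER_OVERFLOW, "usb_device"),     # latched on first sight
        (30.0, Taint.INTEGER_OVERFLOW, "net_socket"),
        (45.0, Taint.INTEGER_OVERFLOW, "net_socket"),   # burst: decayed sum passes 2.0
        (600.0, Taint.INTEGER_OVERFLOW, "local_file"),
        (1200.0, Taint.INTEGER_OVERFLOW, "local_file"), # trickle: earlier taint decayed
    ]
    for t, indicator, source in events:
        vec.record(indicator, source, t)
    return vec.assess()


if __name__ == "__main__":
    print(run_demo())
```

Running the demo flags the integer-overflow burst from `net_socket` and the single buffer overflow from `usb_device`, while two null-pointer events from the socket and a slow trickle of overflows from `local_file` stay below their thresholds. The point the claims make is visible here: because each indicator has its own accumulation function and each (indicator, source) pair its own accumulator, the same raw event can be benign from one source and risk-indicating from another, and the assessment reads the whole vector rather than any single event.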
42 Claims
1. See First Claim above.
2. A method operable in one or more processing devices for handling security risk comprising:
detecting one or more potential taint indicators indicative of activities or events occurring during execution of instructions associated with the at least one of an incoming instruction or data received from the one or more sources, the activities or events occurring during execution including at least one of a null pointer reference, an integer overflow, a buffer overflow, one or more attempts to access a memory element according to a predetermined restriction, or one or more attempts to access a processor element according to a predetermined restriction;
specifying three or more bit fields of at least one taint vector including three or more vector fields operated upon by the one or more instructions, the three or more vector fields including at least one taint indicator field associated with the one or more potential taint indicators, at least one source field associated with the one or more sources, and at least one accumulator field of the at least one taint vector corresponding to the at least one taint indicator field and the at least one source field; and
executing the one or more instructions on the one or more processing devices including at least:
accumulating one or more taints in the at least one accumulator field of the at least one taint vector corresponding to the at least one taint indicator field according to one or more taint accumulation functions based at least in part on the one or more potential taint indicators and the associated one or more sources; and
responding to at least one taint indicative of potential security risk to one or more resources based at least partially on the accumulation in the at least one accumulator field of the at least one taint vector of the one or more taints according to the one or more taint accumulation functions.
3. A computing system comprising:
at least one interface configured at least partially in hardware to receive at least one of an incoming instruction or data from one or more sources; and
one or more processors configured to execute one or more instructions on one or more processing devices to perform one or more operations including at least:
detecting one or more potential taint indicators indicative of activities or events occurring during execution associated with the at least one of the incoming instruction or data received from the one or more sources, the activities or events occurring during the execution of the instructions including at least one of a null pointer reference, an integer overflow, a buffer overflow, one or more attempts to access a memory element according to a predetermined restriction, or one or more attempts to access a processor element according to a predetermined restriction;
assigning at least one of the one or more potential taint indicators to at least one taint vector including vector fields operated upon by the one or more instructions, the vector fields including at least one taint indicator field associated with the one or more potential taint indicators, at least one source field associated with the one or more sources, and at least one accumulator field of the at least one taint vector corresponding to the at least one taint indicator field and the at least one source field;
accumulating, in response to the receipt of the data from one or more sources, one or more taints in the at least one accumulator field of the at least one taint vector corresponding to the at least one taint indicator field according to one or more taint accumulation functions based at least in part on the one or more potential taint indicators and the associated one or more sources; and
assessing security risk based at least partially on the accumulation in the at least one accumulator field of the at least one taint vector according to a risk assessment function that is cumulative of the one or more taints and assesses whether at least one of the one or more cumulative taints is indicative of potential security risk to one or more resources for the one or more potential taint indicators and the associated one or more sources.
Dependent claims: 4 through 42.