Conditional security response using taint vector monitoring

US 9,460,290 B2
Filed: 10/31/2011
Issued: 10/04/2016
Est. Priority Date: 07/19/2011
Status: Active Grant

First Claim

Patent Images

1. A computing system comprising:

one or more input interfaces configured to receive information from a plurality of computing resources;

one or more processors configured to monitor one or more taints associated with the information received from at least one of the plurality of computing resources, the one or more processors including at least;

at least one taint vector including a plurality of vector fields operated upon by one or more instructions in parallel to monitor and respond to at least one of a plurality of taints indicative of potential security risk originating from at least one of the plurality of computing resources, the at least one of the plurality of taints independently associated with the at least one of the plurality of computing resources, wherein the plurality of vector fields of one or more of the at least one taint vector include at least;

at least one vector field identifying at least one of the plurality of computing resources; and

at least one vector field corresponding to at least one of sources, events, conditions, or suspicious activities associated with the identified at least one of the plurality of computing resources;

at least one taint bias vector; and

response logic operable to monitor the at least one taint vector and respond to a predetermined taint condition in a predetermined manner, wherein the response logic is configured to respond to one or more predetermined instructions in parallel by recursively adding the at least one taint bias vector to the at least one taint vector;

wherein the predetermined manner includes one or more of ignoring a security risk event, logging the at least one security risk event, displaying a notification, displaying a warning message, generating an alarm, raising an exception, preventing writing by or to one or more of the plurality of computing resources, trapping one or more operations attempted by one or more of the plurality of computing resources, modifying operating frequency, modifying operating voltage, modifying an operating parameter, performing a system call, terminating a particular process, or ending one or more operations of one or more of the plurality of computing resources.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment or embodiments of a computing system can conditionally trap based on a taint vector. A computing system can comprise at least one taint vector operable to list at least one of a plurality of taints indicative of potential security risk originating from at least one of a plurality of resources, and response logic operable to monitor the at least one taint vector and respond to a predetermined taint condition.

216 Citations

47 Claims

1. A computing system comprising:
- one or more input interfaces configured to receive information from a plurality of computing resources;
  
  one or more processors configured to monitor one or more taints associated with the information received from at least one of the plurality of computing resources, the one or more processors including at least;
  
  at least one taint vector including a plurality of vector fields operated upon by one or more instructions in parallel to monitor and respond to at least one of a plurality of taints indicative of potential security risk originating from at least one of the plurality of computing resources, the at least one of the plurality of taints independently associated with the at least one of the plurality of computing resources, wherein the plurality of vector fields of one or more of the at least one taint vector include at least;
  
  at least one vector field identifying at least one of the plurality of computing resources; and
  
  at least one vector field corresponding to at least one of sources, events, conditions, or suspicious activities associated with the identified at least one of the plurality of computing resources;
  
  at least one taint bias vector; and
  
  response logic operable to monitor the at least one taint vector and respond to a predetermined taint condition in a predetermined manner, wherein the response logic is configured to respond to one or more predetermined instructions in parallel by recursively adding the at least one taint bias vector to the at least one taint vector;
  
  wherein the predetermined manner includes one or more of ignoring a security risk event, logging the at least one security risk event, displaying a notification, displaying a warning message, generating an alarm, raising an exception, preventing writing by or to one or more of the plurality of computing resources, trapping one or more operations attempted by one or more of the plurality of computing resources, modifying operating frequency, modifying operating voltage, modifying an operating parameter, performing a system call, terminating a particular process, or ending one or more operations of one or more of the plurality of computing resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 2. The computing system according to claim 1 wherein:
    - the plurality of taints include one or more of a plurality of distinct classes corresponding to a plurality of distinct sources, events, activities, or conditions.
  - 3. The computing system according to claim 1 wherein:
    - one or more of the at least one taint vector include one or more entries selectively allocated to one or more of the plurality of taints.
  - 4. The computing system according to claim 1 wherein:
    - the response logic is configured to trap based at least partly on a current value of an entry of the at least one taint vector.
  - 5. The computing system according to claim 1 wherein:
    - the response logic is configured to accumulate taints in at least one entry of the at least one taint vector to trap based at least partly on a current value of an accumulated entry of the at least one taint vector.
  - 6. The computing system according to claim 1 wherein:
    - the response logic is configured accumulate taints in at least one entry of the at least one taint vector to trap based at least partly on a comparison of a current value of an accumulated entry of the at least one taint vector to a threshold.
  - 7. The computing system according to claim 1 wherein:
    - the response logic is configured apply at least one function to the at least one entry of the at least one taint vector.
  - 8. The computing system according to claim 7 wherein:
    - the at least one function is selected from one or more of weights, masks, sums, combinations, arithmetic functions, logical operations, or transforms.
  - 9. The computing system according to claim 1 further comprising:
    - thresholding logic operationally coupled to the response logic and configured to set a threshold for application to at least one entry of the at least one taint vector, wherein;
      
      the response logic is configured to trap based at least partly on a comparison of the at least one entry of the at least one taint vector to the threshold.
  - 10. The computing system according to claim 9 wherein:
    - the thresholding logic is configured to set a threshold for application to at least one entry of the at least one taint vector mutually distinctively for a plurality of affiliates, system characteristics, sources, events, activities, or conditions.
  - 11. The computing system according to claim 9 wherein:
    - the thresholding logic is configured to set a threshold for application to at least one entry of the at least one taint vector specifically to the at least one entry.
  - 12. The computing system according to claim 9 wherein:
    - the thresholding logic is configured to set a threshold for application to at least one entry of the at least one taint vector uniformly for application to similar affiliates.
  - 13. The computing system according to claim 9 wherein:
    - the thresholding logic is configured to set a threshold for application to at least one entry of the at least one taint vector universally wherein all entries are compared to the threshold for a plurality of affiliates, system characteristics, sources, events, activities, or conditions.
  - 14. The computing system according to claim 9 wherein:
    - the thresholding logic is configured to set a threshold for application to a sum of entries of the at least one taint vector.
  - 15. The computing system according to claim 9 wherein:
    - the thresholding logic is configured to set or modify a threshold for application to at least one entry of the at least one taint vector based on variation of tolerance level by application of a predetermined weight function.
  - 16. The computing system according to claim 9 wherein:
    - the thresholding logic is configured to set or modify a threshold for application to at least one entry of the at least one taint vector based on a tolerance level selected on the basis of consequences of a security risk event.
  - 17. The computing system according to claim 9 wherein:
    - the response logic is configured to respond to at least one comparison between the at least one entry of the at least one taint vector and a plurality of thresholds.
  - 18. The computing system according to claim 1 further comprising:
    - monitoring logic operationally coupled to the response logic and configured to monitor taints and create a trust profile based on the monitoring, wherein;
      
      the response logic is configured to trap to a software process based at least partly on determination of a suspicious condition indicated at least in part using the trust profile.
  - 19. The computing system according to claim 1 further comprising:
    - monitoring logic operationally coupled to the response logic and configured to monitor taints in network input/output operations, wherein;
      
      the response logic is configured to trap to a software process based at least partly on determination of a network input/output condition of an attempt of malware to communicate to a malware operator.
  - 20. The computing system according to claim 1 further comprising:
    - monitoring logic operationally coupled to the response logic and configured to monitor taints using a hardware device configured to monitor the taints autonomously of software;
      
      wherein;
      
      the response logic is configured to insert initial taint notifications using a software process.
  - 21. The computing system according to claim 1 further comprising:
    - monitoring logic operationally coupled to the response logic and configured to update the taint vector, process the taint vector, and determine a security risk condition based on the processing of the taint vector;
      
      wherein;
      
      the response logic is configured to trap in response to the security risk condition.
  - 22. The computing system according to claim 1 further comprising:
    - monitoring logic operationally coupled to the response logic and configured to acquire and monitor a history of the one or more of the at least one taint vector in a feedback loop that correlates taints with responses to the taints.
  - 23. The computing system according to claim 1 further comprising:
    - monitoring logic operationally coupled to the response logic and configured to accumulate the plurality of taints arranged as at least one entry of the at least one taint vector using at least one accumulation function selected from;
      
      comparing one or more of the accumulated plurality of taints to at least one predetermined threshold;
      
      performing power law analysis;
      
      performing a race function;
      
      counting a number of taints;
      
      counting a number of taints per memory unit;
      
      counting a number of instructions tainted;
      
      counting a number of tainted instructions;
      
      counting a number of instructions written as a result of one or more taints;
      
      counting a number of data loads and stores;
      
      counting a number of memory accesses;
      
      counting a number of calls;
      
      counting a number of returns;
      
      counting a number of branches;
      
      counting a number of integer overflows;
      
      counting a number of network input/output events;
      
      counting a number of null pointer references;
      
      counting a number of buffer overruns/overflows;
      
      orcounting a number of repeated attempts to access a key.
  - 24. The computing system according to claim 1 wherein:
    - the response logic is configured to respond to at least one security risk event with at least one response selected from;
      
      ignoring the at least one security risk event;
      
      logging the at least one security risk event;
      
      displaying a notification;
      
      displaying a warning message;
      
      generating an alarm;
      
      preventing a memory or register write;
      
      modifying operating frequency;
      
      modifying operating voltage;
      
      modifying an operating parameter;
      
      performing a system call;
      
      calling a trap or exception;
      
      terminating operation of selected resources;
      
      oractivating a system shutdown.
  - 25. The computing system according to claim 1 wherein one or more of the plurality of taints are selected from:
    - a null pointer reference;
      
      an attempt to access a secured part of a processor;
      
      an attempt to access a secured resource;
      
      a buffer overrun;
      
      an event originating in a region that raises suspicion;
      
      a fault;
      
      an integer overflow;
      
      a plurality of taint indicators that exceeds at least one predetermined threshold;
      
      a taint indicated by power law analysis;
      
      a taint indicated by a race function;
      
      oran attempt to access a key.
  - 26. The computing system according to claim 1 wherein:
    - one or more of the at least one taint vector include a composite taint vector that correlates a taint source and a taint activity type.
  - 27. The computing system according to claim 1 further comprising:
    - a composite taint vector including at least two taint vectors each including a plurality of bits corresponding to at least one of one or more sources, one or more events, one or more activities, one or more conditions, or one or more suspicious activities in association between the at least two taint vectors;
      
      whereinthe at least two taint vectors each correspond to a data source; and
      
      the composite taint vector is configured for monitoring and tracking the associated at least one of one or more sources, one or more events, one or more activities, one or more conditions, or one or more suspicious activities corresponding to the at least two taint vectors.
  - 28. The computing system according to claim 1 further comprising:
    - a composite taint vector including at least two taint vectors each including a plurality of bits corresponding identically to one or more of a plurality of distinct classes for the at least two taint vectors, the at least two taint vectors including at least one taint vector that is decayed over a selected number of operations and at least one taint vector that is maintained for restoration in reaction to an invalid or error condition.
  - 29. The computing system according to claim 1 further comprising:
    - at least one timer register configured to change at a predetermined rate;
      
      wherein the at least one taint vector is configured to update in a predetermined manner in response to receipt of the one or more of the plurality of taint indicators and in response to a predetermined condition of the at least one timer register.
  - 30. The computing system according to claim 1 wherein:
    - the at least one taint vector is configured into a plurality of portions that update independently according to one or more distinct accumulation functions in response to receipt of the one or more of the plurality of taint indicators corresponding selectively to one or more distinct taint conditions and one or more sources.
  - 31. The computing system according to claim 1 further comprising:
    - hardware threading circuitry configured for at least one of simultaneous multithreading (SMT) or hyperthreading;
      
      wherein the at least one taint vector is configured into a plurality of portions that update independently according to one or more distinct accumulation functions in response to receipt of the one or more of the plurality of taint indicators corresponding selectively to one or more distinct threads executing on the hardware threading circuitry.
  - 32. The computing system according to claim 1 wherein the at least one taint vector including a plurality of vector fields operated upon by one or more instructions in parallel to monitor and respond to at least one of a plurality of taints indicative of potential security risk originating from at least one of a plurality of computing resources includes at least:
    - at least one vector field identifying at least one of the plurality of computing resources; and
      
      at least one vector field corresponding to at least one of sources, events, conditions, or suspicious activities associated with the identified at least one of the plurality of computing resources,the at least one taint vector configured to set a hierarchy of suspicion based at least partially on the at least one of sources, events, conditions, or suspicious activities.
  - 33. The computing system according to claim 1 wherein one or more of the at least one taint vector including a plurality of vector fields operated upon by one or more instructions in parallel to monitor and respond to at least one of a plurality of taints indicative of potential security risk originating from at least one of a plurality of computing resources includes at least:
    - at least one vector field identifying at least one of the plurality of computing resources; and
      
      at least one vector field corresponding to at least one of sources, events, conditions, or suspicious activities associated with the identified at least one of the plurality of computing resources, wherein the at least one taint vector is configured to respond to one or more predetermined instructions in parallel by applying a hint associated with the at least one of sources, events, conditions, or suspicious activities.
  - 34. The computing system according to claim 1 wherein the response logic operable to monitor the at least one taint vector and respond to a predetermined taint condition comprises:
    - response logic operable to determine the at least one taint bias vector to selectively increase or decrease a level of sensitivity to security risk based at least in part on the at least one of sources, events, conditions, or suspicious activities associated with the identified at least one of the plurality of computing resources.
  - 35. The computing system according to claim 1, wherein the computing resources include:
    - at least one of a network, a system, a processor, memory, a register, hardware, microarchitecture, floating point circuitry, input/output circuitry, video circuitry, audio circuitry, a software system, software, an operating system, a library, a library call, a library function, a software object, a virtual entity, bandwidth, or power.

36. A method operable in a computing device configured at least partially in hardware for handling security risk comprising:
- receiving information from a plurality of computing resources;
  
  monitoring one or more taints associated with the information received from at least one the plurality of computing resources;
  
  providing at least one taint vector including a plurality of vector fields operated upon by one or more instructions;
  
  executing the one or more instructions in parallel to monitor and respond to the at least one taint vector including a plurality of vector fields associated with at least one of a plurality of taints indicative of potential security risk originating from at least one of the plurality of computing resources, wherein the plurality of vector fields of one or more of the at least one taint vector including a plurality of vector fields include at least;
  
  at least one vector field identifying at least one of the plurality of computing resources; and
  
  at least one vector field corresponding to at least one of sources, events, conditions, or suspicious activities associated with the identified at least one of the plurality of computing resources;
  
  independently associating the at least one of the plurality of taints with the at least one of the plurality of computing resources;
  
  monitoring the at least one taint vector; and
  
  responding to a predetermined taint condition including at least responding to one or more predetermined instructions in a predetermined manner in parallel by recursively adding at least one taint bias vector to the at least one taint vector;
  
  wherein the predetermined manner includes one or more of ignoring a security risk event, logging the at least one security risk event, displaying a notification, displaying a warning message, generating an alarm, raising an exception, preventing writing by or to one or more of the plurality of computing resources, trapping one or more operations attempted by one or more of the plurality of computing resources, modifying operating frequency, modifying operating voltage, modifying an operating parameter, performing a system call, terminating a particular process, or ending one or more operations of one or more of the plurality of computing resources.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 37. The method according to claim 36 further comprising:
    - listing in the at least one taint vector the plurality of taints including one or more of a plurality of distinct classes including one or more of a plurality of distinct sources, events, activities, or conditions.
  - 38. The method according to claim 36 further comprising:
    - selectively allocating one or more of a plurality of entries of the at least one taint vector to one or more of the plurality of taints.
  - 39. The method according to claim 36 further comprising:
    - trapping based at least partly on a current value of an entry of the at least one taint vector.
  - 40. The method according to claim 36 further comprising:
    - accumulating taints in at least one entry of the at least one taint vector; and
      
      trapping based at least partly on a current value of an accumulated entry of the at least one taint vector.
  - 41. The method according to claim 36 further comprising:
    - accumulating taints in at least one entry of the at least one taint vector;
      
      comparing a current value of an accumulated entry of the at least one taint vector to a threshold; and
      
      trapping based at least partly on the comparison.
  - 42. The method according to claim 36 further comprising:
    - applying at least one function to the at least one entry of the at least one taint vector.
  - 43. The method according to claim 42 further comprising:
    - selecting the at least one function from weights, masks, sums, combinations, arithmetic functions, logical operations, or transforms.
  - 44. The method according to claim 36 further comprising:
    - setting a threshold for application to at least one entry of the at least one taint vector;
      
      comparing the at least one entry of the at least one taint vector to the threshold; and
      
      trapping based at least partly on the comparison.
  - 45. The method according to claim 36, wherein the computing resources include:
    - at least one of a network, a system, a processor, memory, a register, hardware, microarchitecture, floating point circuitry, input/output circuitry, video circuitry, audio circuitry, a software system, software, an operating system, a library, a library call, a library function, a software object, a virtual entity, bandwidth, or power.

46. A computing system comprising:
- one or more input interfaces configured to receive information from a plurality of computing resources;
  
  one or more processors configured to monitor one or more taints associated with the information received from at least one of the plurality of computing resources, the one or more processors including at least;
  
  at least one taint vector including a plurality of vector fields operated upon by one or more instructions;
  
  means for executing the one or more instructions in parallel to monitor and respond to the at least one taint vector including a plurality of vector fields associated with at least one of a plurality of taints indicative of potential security risk originating from at least one of the plurality of computing resources, wherein the plurality of vector fields of one or more of the at least one taint vector include at least;
  
  at least one vector field identifying at least one of the plurality of computing resources; and
  
  at least one vector field corresponding to at least one of sources, events, conditions, or suspicious activities associated with the identified at least one of the plurality of computing resources;
  
  means for independently associating the at least one of the plurality of taints with the at least one of the plurality of computing resources;
  
  means for monitoring the at least one taint vector; and
  
  means for responding to a predetermined taint condition in a predetermined manner including at least responding to one or more predetermined instructions in parallel by recursively adding at least one taint bias vector to the at least one taint vector;
  
  wherein the predetermined manner includes one or more of ignoring a security risk event, logging the at least one security risk event, displaying a notification, displaying a warning message, generating an alarm, raising an exception, preventing writing by or to one or more of the plurality of computing resources, trapping one or more operations attempted by one or more of the plurality of computing resources, modifying operating frequency, modifying operating voltage, modifying an operating parameter, performing a system call, terminating a particular process, or ending one or more operations of one or more of the plurality of computing resources.
- View Dependent Claims (47)
- - 47. The computing system according to claim 46, wherein the computing resources include:
    - at least one of a network, a system, a processor, memory, a register, hardware, microarchitecture, floating point circuitry, input/output circuitry, video circuitry, audio circuitry, a software system, software, an operating system, a library, a library call, a library function, a software object, a virtual entity, bandwidth, or power.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Elwha LLC (Intellectual Ventures LLC)
Inventors
Tegreene, Clarence T., Gerrity, Daniel A., Glew, Andrew F.
Primary Examiner(s)
Parry, Chris
Assistant Examiner(s)
STILTNER, WEIWEI YE

Application Number

US13/317,980
Publication Number

US 20130024939A1
Time in Patent Office

1,800 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

Conditional security response using taint vector monitoring

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

216 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Conditional security response using taint vector monitoring

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

216 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links