System and method for blocking the transmission of sensitive data using dynamic data tainting
First Claim
1. A computer-implemented method comprising:
in response to determining that a data structure object is a first type, tainting the data structure object by modifying a taint bit of a property field of the data structure object, the data structure object included in first data;
tracking, at a gateway device, execution of computer code received from a non-trusted entity via a network, the computer code received by the gateway when sent by the non-trusted entity to a client device in response to a request from the client device, the tracking including identifying that the computer code performs an operation on the tainted first data;
when the operation on the tainted first data results in second data, tainting the second data;
detecting that the computer code attempts a network transmission to the non-trusted entity; and
when the attempted network transmission includes at least one of the tainted first data or the tainted second data, blocking transmission of the at least one of the tainted first data or the tainted second data.
Abstract
Blocking transmission of tainted data using dynamic data tainting is described. For example, sensitive information is stored on a client device as tainted data. The client device generates a data request for retrieving data from a non-trusted entity via a network. A gateway is communicatively coupled to the client device and the network. The gateway receives computer code from the non-trusted entity via the network. The gateway executes the computer code. The gateway tracks the execution of the computer code to determine whether the computer code attempts to access tainted data and transmit the tainted data to an outside entity. The gateway blocks the transmission of the tainted data to the outside entity responsive to determining that the computer code has attempted to access tainted data and transmit the tainted data to an outside entity.
20 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 15, 16.
7. A tangible computer readable storage device or storage disc comprising instructions that, when executed, cause a gateway to at least:
in response to determining that a data structure object is a first type, taint the data structure object by modifying a taint bit of a property field of the data structure object, the data structure object included in first data;
track execution of computer code received from a non-trusted entity via a network, the computer code sent by the non-trusted entity in response to a request from a client device; to track the execution of the computer code, the instructions cause the gateway to identify that the computer code performs an operation on the tainted first data;
when the operation on the tainted first data results in second data, taint the second data;
detect that the computer code attempts a network transmission to the non-trusted entity; and
when the attempted network transmission includes at least one of the tainted first data or the tainted second data, block transmission of the at least one of the tainted first data or the tainted second data.
Dependent claims: 8, 9, 17, 18.
10. A gateway comprising:
an initial tainting engine to, in response to determining that a data structure object is a first type, taint the data structure object by modifying a taint bit of a property field of the data structure object, the data structure object included in first data;
a content type engine to analyze computer code received from a web application, wherein the property field of the data structure object has been modified by the tainting engine prior to the content type engine analyzing the computer code;
a sandbox module to execute the received computer code; and
a detection engine to: identify that the computer code performs an operation on the tainted first data; when the operation on the tainted first data results in second data, taint the second data; detect that the computer code attempts a network transmission to a non-trusted entity; and when the attempted network transmission includes at least one of the tainted first data or the tainted second data, block transmission of the at least one of the tainted first data or the tainted second data.
Dependent claims: 11, 12, 13, 14, 19, 20.
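The mechanism the abstract and claims 1, 7 and 10 describe, reduced to runnable JavaScript as an added example that is not the patent's own code: a taint bit on each data object, propagation of the bit to anything computed from tainted data, and a single network sink that refuses tainted payloads bound for a non-trusted host. Every name below (TAINT, VALUES, OPS, track, taintIfSensitive, derive, runGateway, thirdPartyWidget, the sample hosts and data) is an assumption made for the example; the content-type analysis of claim 10 is left out. The example goes slightly beyond the claim text in two places a practitioner would insist on: raw values are kept behind opaque handles so untrusted code cannot copy a value out and re-enter it as clean data, and the operations available to untrusted code are an allow-list rather than arbitrary callbacks, for the same reason.

```javascript
'use strict';
// Added illustration of the claimed mechanism; not the patent's own code.
// All names here are assumptions made for this example.

// The "taint bit": a symbol-keyed property field on each tracked object.
const TAINT = Symbol('taint');
// Raw values live in a WeakMap keyed by handle, so sandboxed code only ever
// holds opaque handles and can reach a value only through derive().
const VALUES = new WeakMap();
// The sensitive "first type(s)" the initial tainting engine marks.
const SENSITIVE_TYPES = new Set(['card-number', 'session-token']);

// Operations the sandbox exposes. The raw value never reaches untrusted code:
// if derive() accepted arbitrary callbacks, a script could copy the value out
// of the callback and re-enter it as "clean" data, defeating the taint bit.
const OPS = {
  last4: (v) => v.slice(-4),
  base64: (v) => Buffer.from(v).toString('base64'),
  join: (a, b) => `${a}:${b}`,
};

function track(type, value) {
  const handle = { type, [TAINT]: false };
  VALUES.set(handle, value);
  return handle;
}

// Initial tainting engine: set the taint bit on objects of a sensitive type,
// then freeze the handle so untrusted code cannot clear the bit later.
function taintIfSensitive(handle) {
  if (SENSITIVE_TYPES.has(handle.type)) handle[TAINT] = true;
  return Object.freeze(handle);
}

function isTainted(handle) {
  return handle !== null && typeof handle === 'object' && handle[TAINT] === true;
}

// Taint propagation: "second data" computed from any tainted input is tainted,
// whatever the operation did (slice, encode, concatenate with clean data...).
function derive(op, ...inputs) {
  if (!Object.prototype.hasOwnProperty.call(OPS, op)) throw new TypeError(`unknown operation ${op}`);
  if (!inputs.every((i) => VALUES.has(i))) throw new TypeError('untracked input');
  const out = track('derived', OPS[op](...inputs.map((i) => VALUES.get(i))));
  if (inputs.some(isTainted)) out[TAINT] = true;
  return Object.freeze(out);
}

// Sandbox module + detection engine: untrusted code runs against a frozen API
// whose only network sink is send(); blocking decisions are made there.
function runGateway(untrustedCode, clientData, trustedHosts) {
  const store = Object.fromEntries(
    Object.entries(clientData).map(([k, v]) => [k, taintIfSensitive(track(v.type, v.value))]),
  );
  const log = { transmitted: [], blocked: [] };
  const api = Object.freeze({
    read: (name) => store[name],
    derive,
    send(host, payload) {
      if (!VALUES.has(payload)) {               // forged or raw payload: never tracked
        log.blocked.push({ host, reason: 'untracked' });
        return false;
      }
      if (!trustedHosts.has(host) && isTainted(payload)) {
        log.blocked.push({ host, reason: 'tainted', type: payload.type });
        return false;                           // transmission suppressed
      }
      log.transmitted.push({ host, value: VALUES.get(payload) });
      return true;
    },
  });
  untrustedCode(api);
  return log;
}

// Constructed sample input: data held for the client, and a script standing in
// for third-party code fetched from an untrusted origin.
const CLIENT_DATA = {
  cardNumber: { type: 'card-number', value: '4111111111111111' },
  theme: { type: 'ui-pref', value: 'dark' },
};

function thirdPartyWidget(api) {
  const card = api.read('cardNumber');
  const last4 = api.derive('last4', card);                               // still tainted
  const encoded = api.derive('base64', last4);                           // still tainted
  api.send('analytics.example', encoded);                                // blocked: tainted
  api.send('analytics.example', api.read('theme'));                      // allowed: clean data
  api.send('bank.example', card);                                        // allowed: trusted host
  const mixed = api.derive('join', api.read('theme'), last4);            // clean + tainted
  api.send('analytics.example', mixed);                                  // blocked: tainted
  api.send('analytics.example', { type: 'ui-pref', value: 'forged' });  // blocked: untracked
}

function demo() {
  return runGateway(thirdPartyWidget, CLIENT_DATA, new Set(['bank.example']));
}
```

Running demo() yields two transmissions (the clean preference to analytics.example and the card number to the trusted bank host) and three blocks. The decision is made only at the sink, so a script may slice, encode or mix tainted data freely; what it cannot do is get a tainted or forged payload onto the wire to a non-trusted host. Note that the trusted-host exemption is the policy choice the claims make, and it means any host on that list is effectively inside the trust boundary for the tainted data.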