System and method for blocking the transmission of sensitive data using dynamic data tainting

US 9,489,515 B2
Filed: 06/09/2011
Issued: 11/08/2016
Est. Priority Date: 06/11/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

in response to determining that a data structure object is a first type, tainting the data structure object by modifying a taint bit of a property field of the data structure object, the data structure object included in first data;

tracking, at a gateway device, execution of computer code received from a non-trusted entity via a network, the computer code received by the gateway when sent by the non-trusted entity to a client device in response to a request from the client device, the tracking including identifying that the computer code performs an operation on the tainted first data;

when the operation on the tainted first data results in second data, tainting the second data;

detecting that the computer code attempts a network transmission to the non-trusted entity; and

when the attempted network transmission includes at least one of the tainted first data or the tainted second data, blocking transmission of the at least one of the tainted first data or the tainted second data.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Blocking transmission of tainted data using dynamic data tainting is described. For example, sensitive information is stored on a client device as tainted data. The client device generates a data request for retrieving data from a non-trusted entity via a network. A gateway is communicatively coupled to the client device and the network. The gateway receives computer code from the non-trusted entity via the network. The gateway executes the computer code. The gateway tracks the execution of the computer code to determine whether the computer code attempts to access tainted data and transmit the tainted data to an outside entity. The gateway blocks the transmission of the tainted data to the outside entity responsive to determining that the computer code has attempted to access tainted data and transmit the tainted data to an outside entity.

Citations

20 Claims

1. A computer-implemented method comprising:
- in response to determining that a data structure object is a first type, tainting the data structure object by modifying a taint bit of a property field of the data structure object, the data structure object included in first data;
  
  tracking, at a gateway device, execution of computer code received from a non-trusted entity via a network, the computer code received by the gateway when sent by the non-trusted entity to a client device in response to a request from the client device, the tracking including identifying that the computer code performs an operation on the tainted first data;
  
  when the operation on the tainted first data results in second data, tainting the second data;
  
  detecting that the computer code attempts a network transmission to the non-trusted entity; and
  
  when the attempted network transmission includes at least one of the tainted first data or the tainted second data, blocking transmission of the at least one of the tainted first data or the tainted second data.
- View Dependent Claims (2, 3, 4, 5, 6, 15, 16)
- - 2. The computer-implemented method of claim 1, further including:
    - generating a virtual container; and
      
      storing the computer code in the virtual container prior to execution of the computer code, the execution of the computer code and the tracking of the executed computer code occurring while the computer code is stored in the virtual container.
  - 3. The computer-implemented method of claim 2, further including:
    - determining whether the computer code includes dynamic content; and
      
      storing the computer code in the virtual container when the computer code includes the dynamic content.
  - 4. The computer-implemented method of claim 3, wherein the dynamic content includes at least one of JavaScript, Flash Application, HyperText Markup Language, Visual Basic Scripting Edition, Cascading Style Sheet, Extensible Markup Language, or Portable Document Format.
  - 5. The computer-implemented method of claim 2, wherein the virtual container blocks the computer code from accessing the network.
  - 6. The computer-implemented method of claim 1 further including, analyzing a source of data requested by the computer code.
  - 15. The computer-implemented method of claim 1, wherein the first type is at least one of a form object, a document object, an input element object, a history object, an image object, and option object, a location object, a link object, a plug-in object, or a window object.
  - 16. The computer-implemented method of claim 1, further including, when the attempted network transmission includes the at least one of the first data or the second data, determining the computer code is malicious.

7. A tangible computer readable storage device or storage disc comprising instructions that, when executed, cause a gateway to at least:
- in response to determining that a data structure object is a first type, taint the data structure object by modifying a taint bit of a property field of the data structure object, the data structure object included in first datatrack execution of computer code received from a non-trusted entity via a network, the computer code sent by the non-trusted entity in response to a request from a client device, to track the execution of the computer code, the instructions cause the gateway to identify that the computer code performs an operation on the tainted first data;
  
  when the operation on the tainted first data results in second data, taint the second data;
  
  detect that the computer code attempts a network transmission to the non-trusted entity; and
  
  when the attempted network transmission includes at least one of the tainted first data or the tainted second data, block transmission of the at least one of the tainted first data or the tainted second data.
- View Dependent Claims (8, 9, 17, 18)
- - 8. The tangible computer readable storage device or storage disc of claim 7, wherein the instructions further cause the gateway to:
    - generate a virtual container; and
      
      store the computer code in the virtual container prior to execution of the computer code, the execution of the computer code and the tracking of the executed computer code occurring while the computer code is stored in the virtual container.
  - 9. The tangible computer readable storage device or storage disc of claim 8, wherein the instructions further cause the gateway to:
    - determine whether the computer code includes dynamic content; and
      
      store the computer code in the virtual container when that the computer code includes the dynamic content.
  - 17. The tangible computer readable storage device or storage disc of claim 7, wherein the first type is at least one of a form object, a document object, an input element object, a history object, an image object, and option object, a location object, a link object, a plug-in object, or a window object.
  - 18. The tangible computer readable storage device or storage disc of claim 7, wherein the instructions further cause the gateway to determine that the computer code is malicious when the attempted network transmission includes the at least one of the first data or the second data.

10. A gateway comprising:
- an initial tainting engine to, in response to determining that a data structure object is a first type, taint the data structure object by modifying a taint bit of a property field of the data structure object, the data structure object included in first data;
  
  a content type engine to analyze computer code received from a web application, wherein the property field of the data structure object has been modified by the tainting engine prior to the content type engine analyzing the computer code;
  
  a sandbox module to execute the received computer code; and
  
  a detection engine to;
  
  identify that the computer code performs an operation on the tainted first data;
  
  when the operation on the tainted first data results in second data, taint the second data;
  
  detect that the computer code attempts a network transmission to a non-trusted entity; and
  
  when the attempted network transmission includes at least one of the tainted first data or the tainted second data, block transmission of the at least one of the tainted first data or the tainted second data.
- View Dependent Claims (11, 12, 13, 14, 19, 20)
- - 11. The gateway of claim 10, wherein the sandbox module is to generate a virtual container and store the computer code in the virtual container prior to executing the computer code, the sandbox module to execute the computer code in the virtual container and the detection engine to detect the the attempted network transmission while the computer code is in the virtual container.
  - 12. The gateway of claim 11, wherein the content type engine is to determine whether the computer code includes dynamic content and the sandbox module is to store the computer code in the virtual container if the computer code includes dynamic content.
  - 13. The gateway of claim 12, wherein the dynamic content includes at least one of JavaScript, Flash Application, HyperText Markup Language, Visual Basic Scripting Edition, Cascading Style Sheet, Extensible Markup Language, or Portable Document Format.
  - 14. The gateway of claim 11, wherein the virtual container is to block the computer code from accessing a network.
  - 19. The gateway of claim 10, wherein the first type is at least one of a form object, a document object, an input element object, a history object, an image object, and option object, a location object, a link object, a plug-in object, or a window object.
  - 20. The gateway of claim 10, wherein the detection engine is to determine that the computer code is malicious when the attempted network transmission includes the at least one of the first data or the second data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Original Assignee
Trustwave Holdings Incorporated (Singapore Telecommunications Limited)
Inventors
Yermakov, Alexander, Kaplan, Mark
Primary Examiner(s)
Abrishamkar, Kaveh
Assistant Examiner(s)
Ho, Thomas

Application Number

US13/156,952
Publication Number

US 20110307951A1
Time in Patent Office

1,979 Days
Field of Search

713/164, 726/26, 726/27, 726/30
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 40/154   Tree transformation for tre...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/168   above the transport layer

System and method for blocking the transmission of sensitive data using dynamic data tainting

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for blocking the transmission of sensitive data using dynamic data tainting

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links