Intrusion detection using taint accumulation

US 20130024937A1
Filed: 08/26/2011
Published: 01/24/2013
Est. Priority Date: 07/19/2011
Status: Active Grant

First Claim

Patent Images

1. A method operable in a computing device for handling security risk comprising:

receiving a plurality of taint indicators indicative of potential security risk from a plurality of distinct sources at distinct times;

accumulating the plurality of taint indicators independently using a corresponding plurality of distinct accumulation functions; and

assessing security risk according to a risk assessment function that is cumulative of the plurality of taint indicators.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method operable in a computing device adapted for handling security risk can use taint accumulation to detect intrusion. The method can comprise receiving a plurality of taint indicators indicative of potential security risk from a plurality of distinct sources at distinct times, and accumulating the plurality of taint indicators independently using a corresponding plurality of distinct accumulation functions. Security risk can be assessed according to a risk assessment function that is cumulative of the plurality of taint indicators.

Citations

40 Claims

1. A method operable in a computing device for handling security risk comprising:
- receiving a plurality of taint indicators indicative of potential security risk from a plurality of distinct sources at distinct times;
  
  accumulating the plurality of taint indicators independently using a corresponding plurality of distinct accumulation functions; and
  
  assessing security risk according to a risk assessment function that is cumulative of the plurality of taint indicators.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1 wherein receiving the plurality of taint indicators further comprises:
    - receiving the plurality of taint indicators indicative of potential security risk associated with information used by the computing device.
  - 3. The method according to claim 1 wherein accumulating the plurality of taint indicators further comprises:
    - accumulating the plurality of taint indicators on a basis selected from a group consisting of per-source, per-data, overall, and combination.
  - 4. The method according to claim 1 further comprising:
    - determining whether information from a particular source or entity is trusted based on assessment of security risk.
  - 5. The method according to claim 1 wherein ones of the plurality of accumulation functions are selected from a group consisting of:
    - comparing ones of the accumulated plurality of taint indicators to at least one predetermined threshold;
      
      performing power law analysis;
      
      performing a race function;
      
      counting a number of taints;
      
      counting a number of taints per memory unit;
      
      counting a number of instructions tainted;
      
      counting a number of tainted instructions;
      
      counting a number of instructions written as a result of a taint;
      
      counting a number of data loads and stores;
      
      counting a number of memory accesses;
      
      counting a number of calls;
      
      counting a number of returns;
      
      counting a number of branches;
      
      counting a number of integer overflows;
      
      counting a number of network input/output events;
      
      counting a number of null pointer references;
      
      counting a number of buffer overruns/overflows; and
      
      counting a number of repeated attempts to access a key.
  - 6. The method according to claim 1 further comprising:
    - operating the computing device in a federated system comprising a least a first entity and a second entity; and
      
      tracking at least one of the plurality of taint indicators of the first entity against at least one of the plurality of taint indicators of the second entity.
  - 7. The method according to claim 1 further comprising:
    - accumulating the plurality of taint indicators comprising counting taint indicators affiliated with a plurality of entities per affiliation; and
      
      merging a low level for a plurality of affiliations up to a higher level.
  - 8. The method according to claim 1 further comprising:
    - defining a plurality of pathways through a federated system;
      
      tracking sources of information through the federated system; and
      
      passing information of a specified pathway of the plurality of pathways through a validator.
  - 9. The method according to claim 1 further comprising:
    - forming a trust profile using the accumulated plurality of taint indicators;
      
      dynamically raising and lowering trust level of the trust profile based on the accumulated plurality of taint indicators; and
      
      responding to security risk in response to the trust level.

10. A method operable in a computing device for handling security risk comprising:
- specifying a plurality of bit fields of a taint vector corresponding to plurality of sources, events, activities, and/or conditions;
  
  assigning a plurality of taint indicators indicative of potential security risk to the bit fields of the taint vector; and
  
  monitoring the plurality of sources, events, activities, and/or conditions over time using the taint vector.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 11. The method according to claim 10 further comprising:
    - receiving the plurality of taint indicators from a plurality of distinct sources at distinct times;
      
      accumulating the plurality of taint indicators in the bit fields of the taint vector independently using a corresponding plurality of distinct accumulation functions; and
      
      assessing security risk according to a risk assessment function that is cumulative of the plurality of taint indicators.
  - 12. The method according to claim 11 wherein assessing security risk further comprises:
    - monitoring comparisons selected from a group consisting of;
      
      determining whether any elements are greater than a predetermined threshold;
      
      determining whether all elements are greater than a predetermined threshold;
      
      determining whether the sum of some elements is greater than a predetermined threshold; and
      
      determining whether the sum of all elements is greater than a predetermined threshold.
  - 13. The method according to claim 10 further comprising:
    - specifying a plurality of decay options corresponding to the plurality of taint indicators according to information type; and
      
      applying the decay options to the bit fields of the taint vector.
  - 14. The method according to claim 13 further comprising:
    - specifying a plurality of decay options from a group consisting of;
      
      applying decay after a predetermined number of operations to avoid triggering on outlying events;
      
      setting decay to account for rare and spurious events with a probability of occurrence by chance during long term monitoring;
      
      incrementing/decrementing using a single vector;
      
      subtracting a predetermined number;
      
      shifting a taint vector in an interval of time;
      
      shifting a taint vector at a predetermined instruction count;
      
      shifting a taint vector at a predetermined processor cycle count;
      
      copying a taint vector periodically to memory to maintain an old version while incrementing/decrementing to enable restoration following an invalid or error condition;
      
      imposing decay that balances accumulation;
      
      applying decay periodically;
      
      applying decay with a varying period that varies based on a sensitivity meter;
      
      applying decay with a varying period that varies based on environment;
      
      applying decay with a varying period that varies based on activity type; and
      
      applying decay according to a programmable parameter at a programmable rate.
  - 15. The method according to claim 10 further comprising:
    - tracking taint indicators characterized by a range of taintedness from potentially suspicious to definite taints.
  - 16. The method according to claim 10 further comprising:
    - detecting at least one security risk event as a result of monitoring the plurality of sources, events, activities, and/or conditions; and
      
      responding to security risk in response to determination of the at least one security risk event.
  - 17. The method according to claim 16 wherein responding to security risk in response to determination of the at least one security risk event is a response selected from a group consisting of:
    - ignoring the at least one security risk event;
      
      logging the at least one security risk event;
      
      displaying a notification;
      
      displaying a warning message;
      
      generating an alarm;
      
      preventing a memory and/or register write;
      
      modifying operating frequency;
      
      modifying operating voltage;
      
      modifying an operating parameter;
      
      performing a system call;
      
      calling a trap and/or exception;
      
      terminating operation of selected resources; and
      
      activating a system shutdown.
  - 18. The method according to claim 10 further comprising:
    - monitoring the plurality of sources, events, activities, and/or conditions comprising monitoring potentially at least one innocent and/or coincidental event selected from a group consisting of;
      
      null pointer references;
      
      attempts to secure part of a processor; and
      
      innocent and/or coincidental events arising from a region that raises suspicion.
  - 19. The method according to claim 10 further comprising:
    - configuring the bit fields of the taint vector to include primary and secondary criteria corresponding to selected taint indicators and to include information and/or identifiers relating to actions, consequences, and usage.
  - 20. The method according to claim 10 further comprising:
    - configuring the bit fields of the taint vector to set a hierarchy of suspicion based on source, type, and/or identity of an event.
  - 21. The method according to claim 10 further comprising:
    - receiving taint indicators from a tagged system call associated with accessing information from a web page wherein an operating system injects a label indicating originating from a browser at an identified site.
  - 22. The method according to claim 10 further comprising:
    - configuring the bit fields of the taint vector to include tolerances based on questionability of a source and/or event.
  - 23. The method according to claim 10 further comprising:
    - configuring the bit fields of the taint vector at a selected granularity including a taint bit per entry, a taint bit per register, a taint bit per multiple entries, a taint vector per entry, a taint vector per register, and a taint vector allocating multiple entries.
  - 24. The method according to claim 10 further comprising:
    - allocating taints at a selected granularity selected from a group consisting of;
      
      allocating taints by memory page;
      
      allocating taints by byte;
      
      allocating taints by word;
      
      allocating taints by memory block;
      
      allocating taints by hardware process identifier (PID);
      
      allocating taints to enable a cross-thread taint;
      
      allocating taints among hardware devices;
      
      allocating taints by component; and
      
      allocating taints by software component.
  - 25. The method according to claim 10 further comprising:
    - forming a memory taint hash table; and
      
      using the memory taint hash table to indicate a level of taint per memory block.
  - 26. The method according to claim 10 further comprising:
    - accessing a memory taint hash table; and
      
      indicating a level of taint per memory block using the memory taint hash table.
  - 27. The method according to claim 10 further comprising:
    - configuring a taint vector to segregate memory by type.
  - 28. The method according to claim 10 further comprising:
    - configuring a taint vector to segregate memory by type at a selected granularity.
  - 29. The method according to claim 10 further comprising:
    - configuring a taint vector to segregate memory between program code memory and data memory.
  - 30. The method according to claim 10 further comprising:
    - tracking taints using hardware devices; and
      
      inserting initial taint notifications using software components.
  - 31. The method according to claim 10 further comprising:
    - dynamically adjusting rate and period of updating the taint vector using a taint adjustment vector comprising at least one parameter.
  - 32. The method according to claim 31 further comprising:
    - automatically decrementing a set of rates using at least one timer; and
      
      applying at least one parameter of the taint adjustment vector to the taint vector upon expiration of the at least one timer.
  - 33. The method according to claim 32 wherein applying at least one parameter of the taint adjustment vector to the taint vector is applied according to at least one action of actions selected from a group consisting of:
    - adding the taint adjustment vector to the taint vector;
      
      adding a delta of the taint adjustment vector to the taint vector;
      
      adding a predetermined value to the taint vector;
      
      shifting the taint vector as directed by the taint adjustment vector;
      
      shifting and adding to the taint vector as directed by the taint adjustment vector;
      
      multiplying the taint vector as directed by the taint adjustment vector; and
      
      dividing the taint vector as directed by the taint adjustment vector.
  - 34. The method according to claim 10 further comprising:
    - recursively adding a taint bias vector to the taint vector.
  - 35. The method according to claim 11 further comprising:
    - determining whether to ignore one or more taint indicators; and
      
      logging occurrences of the ignored one or more taint indicators in a ignore problems taint vector.

36. A computing system comprising:
- an interface operable to receive a plurality of taint indicators indicative of potential security risk from a plurality of distinct sources at distinct times; and
  
  logic operable to accumulate the plurality of taint indicators independently using a corresponding plurality of distinct accumulation functions and operable to assess security risk according to a risk assessment function that is cumulative of the plurality of taint indicators.
- View Dependent Claims (37, 38, 39)
- - 37. The computing system according to claim 36 wherein:
    - the interface is further operable to receive the plurality of taint indicators indicative of potential security risk associated with information used by the computing device.
  - 38. The computing system according to claim 36 wherein:
    - the logic is further operable to accumulate the plurality of taint indicators on a basis selected from a group consisting of per-source, per-data, overall, and combination.
  - 39. The computing system according to claim 36 wherein:
    - the logic is further operable to determine whether information from a particular source or entity is trusted based on assessment of security risk.

40-74. -74. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Elwha LLC (Intellectual Ventures LLC)
Inventors
Glew, Andrew F., Gerrity, Daniel A., Tegreene, Clarence T.

Granted Patent

US 9,443,085 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/14 for detecting or protecting...

Intrusion detection using taint accumulation

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Intrusion detection using taint accumulation

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links