Nondestructive interception of secure data in transit

US 8,495,367 B2
Filed: 02/22/2007
Issued: 07/23/2013
Est. Priority Date: 02/22/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of intercepting encrypted data in transit comprising:

locating a database access process in a host computer system, the database access process operable as an endpoint of an encrypted sequence of data in transit and including at least decryption of the encrypted sequence;

identifying, in the database access process, a transition of encrypted to decrypted data indicated by a transfer of processing control of the host computer system to a cryptographic operation, the cryptographic operation operable to generate decrypted data from the encrypted sequence of data;

replacing the transfer of processing control of the host computer system to the cryptographic operation with an interception to extract the decrypted data;

intercepting the decrypted data for analysis by a database monitor; and

returning processing control of the host computer system from the interception to the database access process along with unhindered decrypted data returned from the cryptographic operation.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a data level security environment, the data level security mechanism operates on plaintext data. Data level security operations identify a point in the information stream where plaintext data is available for interception. Typically this is a point in the processing stream just after the native DBMS decryption functionality has been invoked. A database monitor intercepts and scrutinizes data in transit between an application and a database by identifying a transition point between the encrypted and plaintext data where the cryptographic operations are invoked, and transfers control of the data in transit to a database monitor application subsequent to the availability of the data in plaintext form.

183 Citations

29 Claims

1. A computer-implemented method of intercepting encrypted data in transit comprising:
- locating a database access process in a host computer system, the database access process operable as an endpoint of an encrypted sequence of data in transit and including at least decryption of the encrypted sequence;
  
  identifying, in the database access process, a transition of encrypted to decrypted data indicated by a transfer of processing control of the host computer system to a cryptographic operation, the cryptographic operation operable to generate decrypted data from the encrypted sequence of data;
  
  replacing the transfer of processing control of the host computer system to the cryptographic operation with an interception to extract the decrypted data;
  
  intercepting the decrypted data for analysis by a database monitor; and
  
  returning processing control of the host computer system from the interception to the database access process along with unhindered decrypted data returned from the cryptographic operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1 wherein identifying the transfer of processing control further comprises:
    - identifying a call signature to the cryptographic operation to invoke a decrypt operation for received data;
      
      substituting the identified call signature with an interception signature to forward the decrypted data to a database monitor operation; and
      
      returning control to a return from the invocation to the identified call signature with the decrypted data.
  - 3. The computer-implemented method of claim 2 wherein intercepting further comprises transferring control to an interception operation, the interception operation operable to:
    - receive decrypted data returned from the cryptographic operation;
      
      invoke analysis of the decrypted data by a database monitor application; and
      
      return the decrypted data in an unmodified form for further processing by the database access process.
  - 4. The computer-implemented method of claim 2 wherein intercepting further comprises:
    - intercepting the decrypted data for analysis by a database monitor application;
      
      returning the decrypted data as the result of the identified call signature;
      
      sending an intercepted copy of the data to the database monitor, the database monitor operable to scrutinize database access statements; and
      
      forwarding the decrypted data to an intended destination.
  - 5. The computer-implemented method of claim 1 wherein returning further comprises relinquishing the transfer of control to the database monitor back to the database access process at a successive point in a control flow such that the interception processing is undetectable to a receiver of the decrypted data.
  - 6. The computer-implemented method of claim 1 wherein intercepting further comprises:
    - watching system calls operable to access an IPC mechanism;
      
      identifying a call to an interprocess communication (IPC) mechanism for receiving an access request; and
      
      performing a read on the identified IPC mechanism to supercede preexisting application calls for receiving a database access request.
  - 7. The computer-implemented method of claim 1 wherein locating the database access process further comprising locating a database access process operable to:
    - identify data access statements in the sequence of data;
      
      receive the data access statements in a data access request as encrypted units; and
      
      invoke cryptographic operations for decrypting the data access statements into plaintext data from within the database access process.
  - 8. The computer-implemented method of claim 1 wherein replacing the transfer of processing control further comprises:
    - examining an executable image to identify machine instructions operable to branch to the cryptographic operation; and
      
      overwriting the identified machine instructions with machine instructions to call a function for communicating a database access request to a database monitor application.
  - 9. The computer-implemented method of claim 8 wherein the identified machine instructions are opcodes operable to perform a stack call to the cryptographic operation.

10. A system for monitoring secure data in transit in a database environment comprising:
- a host computer system including at least one processor configured for;
  
  identifying a transition of encrypted to decrypted data indicated by a transfer of control of the host computer system in a processing sequence to a cryptographic operation;
  
  determining an appropriate interception sequence operable to receive plaintext data returned from the cryptographic operation;
  
  replacing the identified transfer of control of the host computer system with the determined interception sequence, the interception sequence operable to forward plaintext data from the cryptographic operation to a database monitor application; and
  
  return the transfer of control of the host computer system and the plaintext data in an unmodified form to the processing sequence.
- View Dependent Claims (11)
- - 11. The system of claim 10 wherein identifying the transfer of control includes identifying at least one of:
    - operating system calls to an interprocess communication (IPC) mechanism;
      
      a dynamically linked library (DLL) call to invoke a decryption operation; and
      
      static linkage to the decryption operation.

12. A computer-implemented method for defining database security comprising:
- identifying a stream of encrypted data in transit from a client to a host;
  
  determining a transition from encrypted data to decrypted data within the host, the transition indicated by an invocation of a cryptographic operation by the host to generate decrypted data from the encrypted data;
  
  determining an interception point following the determined transition in the host; and
  
  selecting, based on the cryptographic invocation, a manner of accessing the decrypted data in the host at the determined interception point.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The computer-implemented method of claim 12 wherein selecting the manner of accessing includes:
    - identifying availability of plaintext data in a processing sequence of data in transit to a database;
      
      locating a control point from which control is obtainable;
      
      inserting a control branch to direct the plaintext data to a database monitor, the database monitor operable to intercept the plaintext data; and
      
      allowing control to resume in the processing sequence unhindered from the control point following interception of the plaintext data.
  - 14. The computer-implemented method of claim 13 wherein the encrypted data comprises a sequence of data access statements according to a predetermined syntax, the data access statements responsive to a decryption operation for generating a plaintext access request from the encrypted data.
  - 15. The computer-implemented method of claim 14 wherein identifying the control point includes determining usage of at least one of:
    - end to end cryptographic operations statically linked in an executable image;
      
      IPC connections employing a predetermined credential exchange using a certificate; and
      
      agent processes operable to receive ciphertext and generate corresponding plaintext.
  - 16. The computer-implemented method of claim 15 wherein the IPC connections further define a secure interface including at least one of:
    - network ports operable to collect encrypted data in transit; and
      
      encapsulation of encrypted packets in a tunneled framing envelope.

17. A database security monitor for intercepting encrypted data in transit comprising:
- a host computer system including a database monitor agent operable to locate a database access control point in the host computer system, the database access control point operable as an endpoint of an encrypted sequence of data in transit, the database monitor agent configured to identify, based on the database access control point, a transition of encrypted to decrypted data indicated by a transfer of processing control of the host computer system to a cryptographic operation, the cryptographic operation operable to generate decrypted data from the encrypted sequence of data, the database monitor agent further operable to;
  
  replace the transfer of processing control of the host computer system to the cryptographic operation with an interception to extract the decrypted data;
  
  intercept the decrypted data for analysis by a database monitor; and
  
  return processing control of the host computer system from the interception to a database access process of the host computer system along with unhindered decrypted data returned from the cryptographic operation.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The database security monitor of claim 17 wherein the configured database agent is responsive to the transfer of processing control to:
    - identify a call signature to the cryptographic operation to invoke a decrypt operation for received data;
      
      substitute the identified call signature with an interception signature to forward the decrypted data to a database monitor operation; and
      
      return control to a return from the invocation to the identified call signature with the decrypted data.
  - 19. The database security monitor of claim 18 wherein the interception signature is operable to:
    - receive decrypted data returned from the cryptographic operation;
      
      invoke analysis of the decrypted data by a database monitor application; and
      
      return the decrypted data in an unmodified form for further processing by the database access process.
  - 20. The database security monitor of claim 18 wherein the interception signature is operable to relinquish the transfer of control to the database monitor back to the database access process at a successive point in a control flow such that the interception processing is undetectable to a receiver of the decrypted data.
  - 21. The database security monitor of claim 17 wherein the database monitor agent is further operable to:
    - watch system calls operable to access an IPC mechanism;
      
      identify a call to an interprocess communication (IPC) mechanism for receiving an access request; and
      
      perform a read on the identified IPC mechanism to supercede preexisting application calls for receiving a database access request.
  - 22. The database security monitor of claim 17 wherein the database monitor agent is operable to locate database access operations operable to:
    - identify data access statements in the sequence of data;
      
      receive the data access statements in a data access request as encrypted units; and
      
      invoke cryptographic operations for decrypting the data access statements into plaintext data from within the database access process.
  - 23. The database security monitor of claim 22 wherein the database monitor agent is further operable to:
    - examine an executable image to identify machine instructions operable to branch to the cryptographic operation; and
      
      overwrite the identified machine instructions with machine instructions to call a function for communicating the database access request to a database monitor application.
  - 24. The database security monitor of claim 23 wherein the identified machine instructions are opcodes operable to perform a stack call to the cryptographic operation.

25. A computer program product having a computer readable memory device operable to store computer program logic embodied in computer program code encoded thereon for defining database security for encrypted data in transit comprising:
- computer program code for identifying a stream of encrypted data in transit from a client to a host;
  
  computer program code for determining a transition from encrypted data to decrypted data within the host, the transition indicated by invocation of a cryptographic operation by the host to generate decrypted data from the encrypted data;
  
  computer program code for determining an interception point following the determined transition in the host; and
  
  computer program code for selecting, based on the cryptographic invocation, a manner of accessing the decrypted data at the determined interception point, further including;
  
  computer program code for identifying availability of plaintext data in a processing sequence of data in transit to a database;
  
  computer program code for locating a control point from which control is obtainable;
  
  computer program code for inserting a control branch to direct the plaintext data to a database monitor, the database monitor operable to intercept the plaintext data, including computer program code for examining an executable image to identify machine instructions operable to branch to the cryptographic operation, and overwrite the identified machine instructions with machine instructions to call a function for communicating the decrypted data to the database monitor; and
  
  computer program code for allowing control to resume in the processing sequence unhindered from the control point following interception of the plaintext data.

26. A computer-implemented method of intercepting encrypted data in transit comprising:
- identifying in a host computer system a transition from encrypted to decrypted data indicated by an invocation of a cryptographic operation in the host computer system, the invocation performing a transfer of processing control of the host computer system to the cryptographic operation operable to generate decrypted data from the encrypted data in transit, identifying the invocation further comprising;
  
  identifying a cryptographic service responsive to an application receiving the encrypted data in transit; and
  
  identifying a manner of accessing the cryptographic service from the application;
  
  replacing the transfer of processing control of the host processing system to the cryptographic operation with an interception to extract the decrypted data;
  
  intercepting the decrypted data for analysis by a database monitor; and
  
  returning processing control of the host computer system from the interception to a database access process along with undisturbed decrypted data returned from the cryptographic operation.
- View Dependent Claims (27, 28, 29)
- - 27. The computer-implemented method of claim 26 wherein intercepting further comprises:
    - watching system calls operable to access an IPC mechanism for invoking the cryptographic service;
      
      identifying a call to an interprocess communication (IPC) mechanism for receiving an access request; and
      
      performing a read on the identified IPC mechanism to supercede preexisting application calls for receiving a database access request.
  - 28. The computer-implemented method of claim 27 wherein the manner of accessing includes a predetermined port, further comprising watching port activity with respect to the predetermined port to receive decrypted data.
  - 29. The computer-implemented method of claim 28 further comprising:
    - determining the predetermined port employed by the cryptographic operation for transporting plaintext data;
      
      identifying a processing unit assigned to service the cryptographic operation; and
      
      capturing invocations to read the port by the identified processing unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Ben-Natan, Ron
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US11/709,516
Publication Number

US 20100131758A1
Time in Patent Office

2,343 Days
Field of Search

713/154, 713/166, 713/189, 719/331
US Class Current

713/166
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0428   wherein the data content is...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

Nondestructive interception of secure data in transit

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

183 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Nondestructive interception of secure data in transit

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

183 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links