Sensitive data tracking using dynamic taint analysis
Abstract
A system and method for tracking sensitive data uses dynamic taint analysis to track sensitive data as the data flows through a target application running on a computer system. In general, the system and method for tracking sensitive data marks data as tainted when the data input to the target application is indicated as sensitive. The system and method may then track the propagation of the tainted data as the data is read from and written to memory by the target application to detect if the tainted data is output from the application (e.g., leaked). Dynamic binary translation may be used to provide binary instrumentation of the target application for dynamic taint analysis to track propagation of the tainted data at the instruction level and/or the function level. Of course, many alternatives, variations, and modifications are possible without departing from this embodiment.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 - 20 . (canceled)
21 . One or more non-transitory computer-readable storage media comprising instructions stored thereon which, when executed by at least one processor, result in operations comprising:
maintain a list of memory locations associated with tainted data; track propagation of the tainted data as an application accesses at least one memory location on the list of memory locations and the application reads the tainted data from memory locations on the list of memory locations and writes the tainted data to another memory location; and update the list of memory locations associated with tainted data based, at least in part, on the tracked propagation of the tainted data.
22 . The one or more non-transitory computer-readable storage media of claim 21 , further comprising additional instructions stored thereon, which, when executed by the at least one processor, result in further operations comprising:
monitor an output channel, wherein data is output from the application via the output channel; and determine if tainted data has been propagated to the output channel based, at least in part, on the tracked propagation of the tainted data.
23 . The one or more non-transitory computer-readable storage media of claim 22 , further comprising additional instructions stored thereon, which, when executed by the at least one processor, result in further operations comprising:
responsive to a determination that tainted data has been propagated to the output channel, disable a function responsible for the tainted data being propagated to the output channel.
24 . The one or more non-transitory computer-readable storage media of claim 21 , further comprising additional instructions stored thereon, which, when executed by the at least one processor, result in further operations comprising:
determine if sensitive data has been input to a memory location; and responsive to a determination that sensitive data has been input to a memory location, add the memory location to the list of memory locations.
25 . The one or more non-transitory computer-readable storage media of claim 21 , wherein the instructions resulting in the operation update the list of memory locations associated with tainted data based, at least in part, on the tracked propagation of the tainted data, when executed by the at least one processor, result in further operations comprising:
determine if the tainted data has been written to a memory location not on the list of memory locations; and responsive to a determination that the tainted data has been written to a memory location not on the list of memory locations, add the memory location to the list of memory locations.
26 . A computing device, comprising:
processor circuitry to execute an application; and sensitive data tracker circuitry to:
maintain a list of memory locations associated with tainted data;
track propagation of the tainted data as the application accesses at least one memory location on the list of memory locations and the application reads the tainted data from memory locations on the list of memory locations and writes the tainted data to another memory location; and
update the list of memory locations associated with tainted data based, at least in part, on the tracked propagation of the tainted data.
27 . The computing device of claim 26 , wherein the sensitive data tracker circuitry is further to:
monitor an output channel, wherein data is output from the application via the output channel; and determine if tainted data has been propagated to the output channel based, at least in part, on the tracked propagation of the tainted data.
28 . The computing device of claim 27 , wherein, responsive to a determination that tainted data has been propagated to the output channel, the sensitive data tracker circuitry is further to disable a function responsible for the tainted data being propagated to the output channel.
29 . The computing device of claim 26 , wherein the sensitive data tracker circuitry is further to:
determine if sensitive data has been input to a memory location; and responsive to a determination that sensitive data has been input to a memory location, add the memory location to the list.
30 . The computing device of claim 26 , wherein the sensitive data tracker circuitry to update the list of memory locations associated with tainted data based, at least in part, on the tracked propagation of the tainted data comprises sensitive data tracker circuitry to:
determine if the tainted data has been written to a memory location not on the list of memory locations; and responsive to a determination that the tainted data has been written to a memory location not on the list of memory locations, add the memory location to the list of memory locations.
31 . A method, comprising:
maintaining, via sensitive data tracker circuitry, a list of memory locations associated with tainted data; tracking, via the sensitive data tracker circuitry, propagation of the tainted data as an application accesses at least one memory location on the list of memory locations and the application reads the tainted data from memory locations on the list of memory locations and writes the tainted data to another memory location; and updating, via the sensitive data tracker circuitry, the list of memory locations associated with tainted data based, at least in part, on the tracked propagation of the tainted data.
32 . The method of claim 31 , further comprising:
monitoring, via the sensitive data tracker circuitry, an output channel, wherein data is output from the application via the output channel; and determining, via the sensitive data tracker circuitry, if tainted data has been propagated to the output channel based, at least in part, on the tracked propagation of the tainted data.
33 . The method of claim 32 , further comprising, responsive to a determination that tainted data has been propagated to the output channel:
disabling, via the sensitive data tracker circuitry, a function responsible for the tainted data being propagated to the output channel.
34 . The method of claim 31 , further comprising:
determining, via the sensitive data tracker circuitry, if sensitive data has been input to a memory location; and responsive to a determination that sensitive data has been input to a memory location, adding, via the sensitive data tracker circuitry, the memory location to the list of memory locations.
35 . The method of claim 31 , further comprising:
determining, via the sensitive data tracker circuitry, if the tainted data has been written to a memory location not on the list of memory locations; and responsive to a determination that the tainted data has been written to a memory location not on the list of memory locations, adding, via the sensitive data tracker circuitry, the memory location to the list of memory locations.
36 . A system, comprising:
processor circuitry to execute an application; memory circuitry to store data, the memory circuitry including a plurality of memory locations; and sensitive data tracker circuitry to:
maintain a list of memory locations of the memory circuitry associated with tainted data;
track propagation of the tainted data as the application accesses at least one memory location on the list of memory locations and the application reads the tainted data from memory locations on the list of memory locations and writes the tainted data to another memory location; and
update the list of memory locations associated with tainted data based, at least in part, on the tracked propagation of the tainted data.
37 . The system of claim 36 , wherein the sensitive data tracker circuitry is further to:
monitor an output channel, wherein data is output from the application via the output channel; and determine if tainted data has been propagated to the output channel based, at least in part, on the tracked propagation of the tainted data.
38 . The system of claim 37 , wherein, responsive to a determination that tainted data has been propagated to the output channel, the sensitive data tracker circuitry is further to disable a function responsible for the tainted data being propagated to the output channel.
39 . The system of claim 36 , wherein the sensitive data tracker circuitry is further to:
determine if sensitive data has been input to a memory location; and responsive to a determination that sensitive data has been input to a memory location, add the memory location to the list.
40 . The system of claim 36 , wherein the sensitive data tracker circuitry to update the list of memory locations associated with tainted data based, at least in part, on the tracked propagation of the tainted data comprises sensitive data tracker circuitry to:
determine if the tainted data has been written to a memory location not on the list of memory locations; and responsive to a determination that the tainted data has been written to a memory location not on the list of memory locations, add the memory location to the list of memory locations.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.