Patents by Inventor Geoffrey Pike

Geoffrey Pike has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8819822
    Abstract: Mechanisms have been developed for securing computational systems against certain forms of attack. In particular, it has been discovered that, by scanning an input string for subsequences contained therein and configuring the computational system to generate a fault (or other triggered event) coincident with access to a memory location corresponding to one or more possible interpretations of data contained in the input string, it is possible to detect and/or interdict many forms of attack. For example, some realizations may scan for subsequences susceptible to interpretation as valid, canonical addresses, or as addresses in ranges that contain code, the stack, the heap, and/or system data structures such as the global offset table. Some realizations may scan for subsequences susceptible to interpretation as format strings or as machine code or code (source or otherwise) that could be executed in an execution environment (such as a Java™ virtual machine) or compiled for execution.
    Type: Grant
    Filed: March 30, 2006
    Date of Patent: August 26, 2014
    Assignee: VMware, Inc.
    Inventors: Geoffrey Pike, Edward N. Leake
  • Patent number: 8775748
    Abstract: One embodiment is a method for tracking data correspondences in a computer system including a host hardware platform, virtualization software running on the host hardware platform, and a virtual machine running on the virtualization software, the method including: (a) monitoring one or more data movement operations of the computer system; and (b) storing information regarding the one or more data movement operations in a data correspondence structure, which information provides a correspondence between data before one of the one or more data movement operations and data after the one of the one or more data movement operations. The “monitoring” may comprise monitoring data movement at one or more of an interface between the host hardware platform and the virtualization software, and an interface between the virtual machine and the virtualization software.
    Type: Grant
    Filed: May 21, 2013
    Date of Patent: July 8, 2014
    Assignee: VMware, Inc.
    Inventors: Osten Kit Colbert, Geoffrey Pike
  • Publication number: 20140033309
    Abstract: A system that includes a memory and processor is provided. The processor is programmed to receive input data, determine that the input data is tainted, store the tainted input data in a location in the memory, and based on storing the tainted input data in the location, label the location as a tainted location. The processor is further programmed to assign a triggering event to the tainted location such that an action is initiated when the triggering event has occurred.
    Type: Application
    Filed: June 10, 2013
    Publication date: January 30, 2014
    Applicant: VMWARE, INC.
    Inventors: Edward N. LEAKE, Geoffrey PIKE
  • Patent number: 8621607
    Abstract: Mechanisms have been developed for securing computational systems against certain forms of attack. Taint status for data accessible by processes is selectively maintained and propagated in correspondence with information flows of instructions executed by a computing system, so that a security (or other appropriate) response can be provided if and when a control transfer (or other restricted use) is attempted based on tainted data. One response that may be triggered is a change in the privilege level (root and guest) that is used to process code executing in a virtual environment, so as to allow remediation to be performed. The triggering events may be specified in a control block.
    Type: Grant
    Filed: April 9, 2008
    Date of Patent: December 31, 2013
    Assignee: VMware, Inc.
    Inventor: Geoffrey Pike
  • Publication number: 20130263132
    Abstract: One embodiment is a method for tracking data correspondences in a computer system including a host hardware platform, virtualization software running on the host hardware platform, and a virtual machine running on the virtualization software, the method including: (a) monitoring one or more data movement operations of the computer system; and (b) storing information regarding the one or more data movement operations in a data correspondence structure, which information provides a correspondence between data before one of the one or more data movement operations and data after the one of the one or more data movement operations.
    Type: Application
    Filed: May 21, 2013
    Publication date: October 3, 2013
    Applicant: VMware, Inc.
    Inventors: Osten Kit COLBERT, Geoffrey PIKE
  • Patent number: 8510827
    Abstract: Mechanisms have been developed for securing computational systems against certain forms of attack. In particular, it has been discovered that, by maintaining and propagating taint status for memory locations in correspondence with information flows of instructions executed by a computing system, it is possible to provide a security response if and when a control transfer (or other restricted use) is attempted based on tainted data. In some embodiments, memory management facilities and related exception handlers can be exploited to facilitate taint status propagation and/or security responses. Taint tracking through registers of a processor (or through other storage for which access is not conveniently mediated using a memory management facility) may be provided using an instrumented execution mode of operation. For example, the instrumented mode may be triggered by an attempt to propagate tainted information to a register. In some embodiments, an instrumented mode of operation may be more generally employed.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: August 13, 2013
    Assignee: VMware, Inc.
    Inventors: Edward N. Leake, Geoffrey Pike
  • Patent number: 8468310
    Abstract: One embodiment is a method for tracking data correspondences in a computer system including a host hardware platform, virtualization software running on the host hardware platform, and a virtual machine running on the virtualization software, the method including: (a) monitoring one or more data movement operations of the computer system; and (b) storing information regarding the one or more data movement operations in a data correspondence structure, which information provides a correspondence between data before one of the one or more data movement operations and data after the one of the one or more data movement operations.
    Type: Grant
    Filed: July 30, 2008
    Date of Patent: June 18, 2013
    Assignee: VMware, Inc.
    Inventors: Osten Kit Colbert, Geoffrey Pike
  • Patent number: 8141163
    Abstract: In a system where an indirect control flow instruction requires a CPU to consult a first memory address, in addition to what is encoded in the instruction itself, for program execution, a method is provided to determine if the first memory address contains a valid or plausible value. The first memory address is compared to an expected or predicted memory address. A difference between the expected or predicted memory address and the first memory address causes an evaluation of any program code about to be executed. The evaluation of code determines whether or not a malicious attack is occurring, or being attempted, that might affect proper operation of the system or program.
    Type: Grant
    Filed: May 21, 2008
    Date of Patent: March 20, 2012
    Assignee: VMware, Inc.
    Inventor: Geoffrey Pike
  • Patent number: 7958558
    Abstract: Mechanisms have been developed for securing computational systems against certain forms of attack. In particular, it has been discovered that, by maintaining and selectively propagating taint status for storage locations in correspondence with information flows of instructions executed by a computing system, it is possible to provide a security (or other appropriate) response if and when a control transfer (or other restricted use) is attempted based on tainted data. By employing aging in decisions to propagate, it is possible to limit overheads associated with such tracking. In some embodiments, a decay-oriented metric is applied and further propagation of taints is interrupted once aging reaches a predetermined decay threshold. In some embodiments, more generalized labels may be maintained and selectively propagated based on an aging metric. For example, in some embodiments, labels may be employed to code source designation or classification, aging, popularity/frequency of access or taint.
    Type: Grant
    Filed: November 14, 2006
    Date of Patent: June 7, 2011
    Assignee: VMware, Inc.
    Inventors: Edward N. Leake, Geoffrey Pike
  • Publication number: 20090038008
    Abstract: In a system where an indirect control flow instruction requires a CPU to consult a first memory address, in addition to what is encoded in the instruction itself, for program execution, a method is provided to determine if the first memory address contains a valid or plausible value. The first memory address is compared to an expected or predicted memory address. A difference between the expected or predicted memory address and the first memory address causes an evaluation of any program code about to be executed. The evaluation of code determines whether or not a malicious attack is occurring, or being attempted, that might affect proper operation of the system or program.
    Type: Application
    Filed: May 21, 2008
    Publication date: February 5, 2009
    Applicant: VMware, Inc.
    Inventor: Geoffrey Pike
  • Publication number: 20090037672
    Abstract: One embodiment is a method for tracking data correspondences in a computer system including a host hardware platform, virtualization software running on the host hardware platform, and a virtual machine running on the virtualization software, the method including: (a) monitoring one or more data movement operations of the computer system; and (b) storing information regarding the one or more data movement operations in a data correspondence structure, which information provides a correspondence between data before one of the one or more data movement operations and data after the one of the one or more data movement operations.
    Type: Application
    Filed: July 30, 2008
    Publication date: February 5, 2009
    Applicant: VMWARE, INC.
    Inventors: Osten Kit COLBERT, Geoffrey PIKE
  • Publication number: 20080216175
    Abstract: Mechanisms have been developed for securing computational systems against certain forms of attack. Taint status for data accessible by processes is selectively maintained and propagated in correspondence with information flows of instructions executed by a computing system, so that a security (or other appropriate) response can be provided if and when a control transfer (or other restricted use) is attempted based on tainted data. One response that may be triggered is a change in the privilege level (root and guest) that is used to process code executing in a virtual environment, so as to allow remediation to be performed. The triggering events may be specified in a control block.
    Type: Application
    Filed: April 9, 2008
    Publication date: September 4, 2008
    Applicant: VMWARE, INC.
    Inventor: Geoffrey PIKE
  • Patent number: D322822
    Type: Grant
    Filed: December 15, 1988
    Date of Patent: December 31, 1991
    Inventors: David Yardley, Geoffrey Pike