Abstract: Malware may be identified based on attempts to use tainted data in certain ways, such as by attempting to execute the tainted data, by attempting to modify execution control based on tainted data, or by attempting to apply an existing function to the tainted data. A data's taint is determined based on the location from which the data originates. When data from a tainted source is moved to an otherwise non-tainted destination, the taint may be propagated from the source to the destination, to indicate that the destination is now of unknown safety. A component may be used to observe the operation of a process, in order to determine what data is being moved with respect to the process, and how that data is being used.

Abstract: The behavior of a system call may be modified. A modification component may pre-processes and/or post-process a system call to change the behavior of the system call. Pre-processing may involve modifying arguments to the system call, replacing one system call with another, intercepting the system call, etc. Post-processing may involve modifying results and/or side effects of a system call. The modification component may pre-process and/or post-process the system call without changes to the underlying kernel service routine that is normally invoked in response to the system call. Modifying the system call's behavior may be used to implement quality of service (QoS) constraints, to allow one operating system to emulate another, to provide information about memory layout to an application, or to serve other goals.

Abstract: Malware may be identified based on attempts to use tainted data in certain ways, such as by attempting to execute the tainted data, by attempting to modify execution control based on tainted data, or by attempting to apply an existing function to the tainted data. A data's taint is determined based on the location from which the data originates. When data from a tainted source is moved to an otherwise non-tainted destination, the taint may be propagated from the source to the destination, to indicate that the destination is now of unknown safety. A component may be used to observe the operation of a process, in order to determine what data is being moved with respect to the process, and how that data is being used.