DATA TRACKING IN USER SPACE

摘要

A way to track data from an untrusted source as it moves through memory in original or modified form. A probe is placed on a data reception call of a program. When the probe is triggered by execution of the data reception call for a piece of data, a location where the piece of data is to be stored is marked. When a program instruction requests access to the marked location, instrumentation code is injected subsequent to the program instruction to track the flow of the piece of data. When the instrumentation code is executed, the next location where the piece of data will be stored is determined and marked as well. A threat analyzer is invoked to analyze the marked locations for threats.

主权项

1. A computer-implemented method carried out by a machine using machine logic comprising:
configuring a probe on a data reception call of a program, the probe to be triggered based on an execution of the data reception call for a piece of data; responsive to the probe being triggered, determining a first location, in a memory, where the piece of data is to be stored and marking the first location; responsive to receiving a program instruction, of an instruction execution stream, to access the marked first location, injecting instrumentation code into the instruction execution stream subsequent to the program instruction, the instrumentation code being injected to facilitate tracking flow of the piece of data; responsive to execution of the instrumentation code, determining a second location, in the memory, where the piece of data is to be stored and marking the second location; analyzing the marked locations as a single entity for threats; and responsive to a threat being found, generating an alert and/or initiating one or more defensive measures.