Title of invention: Method and system for protecting data flow at a mobile device
Abstract: A method and system for evaluating and enforcing a data flow policy at a mobile computing device includes a data flow policy engine to evaluate data access requests made by security-wrapped software applications running on the mobile device and prevent the security-wrapped software applications from violating the data flow policy. The data flow policy defines a number of security labels that are associated with data objects. A software application process may be associated with a security label if the process accesses data having the security label or the process is in communication with another process that has accessed data having the security label.
Publication number: US9047463(B2)  Publication date: 2015.06.02
Application number: US201213659680  Filing date: 2012.10.24
Applicant: SRI International  Inventor: Porras Phillip A.
Classification: G06F21/62;G06F21/60;G06F21/53;G06F21/54  Main classification: G06F21/62
Agency: Barnes & Thornburg LLP  Agent: Barnes & Thornburg LLP
Independent claim: 1. A data flow policy evaluation system for a mobile computing device embodied as executable instructions in one or more non-transitory machine-accessible storage media, the data flow policy evaluation system comprising: one or more computing devices; and executable by the one or more computing devices: a system call monitor to monitor system calls made by a plurality of security-wrapped software applications during execution of the security-wrapped software applications at the mobile computing device; and a data flow policy engine to generate policy decisions to enable the security-wrapped software applications to prevent the execution of system calls that would violate a data flow policy, wherein the data flow policy defines security labels, associates data flow policies with the security labels, and assigns the security labels to data objects, and the data flow policy engine is configured to: cause an executing process of a security-wrapped software application to inherit a security label of a data object when the process accesses the data object to which the security label is assigned; when the process inherits a security label of a data object, apply a policy associated with the security label of the data object to a future activity of the executing process that does not involve the data object; and as a result of the security label of the data object being inherited by the process, associate another executing process with the security label of the data object accessed by the process when the other executing process is in communication with the executing process.
Address: Menlo Park CA US