Computing systems and methods for tracking protected data

By introducing the is_protected and read_protected flags into the memory, and using hardware-based tags to track protected data, the problem that existing DLP technologies cannot effectively protect encrypted data is solved, and reliable protection of sensitive data and identification of memory defects are achieved without affecting performance.

CN122397016APending Publication Date: 2026-07-14HUAWEI CLOUD COMPUTING TECHNOLOGIES CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HUAWEI CLOUD COMPUTING TECHNOLOGIES CO LTD
Filing Date
2024-01-03
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing data leakage prevention (DLP) technologies cannot effectively protect encrypted sensitive data and have shortcomings in areas such as memory leaks, use-after-free, and read-before-write, making it difficult to track sensitive data in on-premises systems, cloud-based locations, and endpoint devices.

Method used

By introducing the is_protected and read_protected flags into memory, hardware-based tags are used to mark and track protected data, eliminating memory-related defects, ensuring data tamper-proof capability and security, and identifying memory defects without affecting performance.

Benefits of technology

It achieves reliable protection of sensitive data, avoids unauthorized access, reduces the complexity of transitioning to new architectures, expands integration with external virtual hardware, and ensures the performance of computing systems and data security in virtualized environments.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122397016A_ABST
    Figure CN122397016A_ABST
Patent Text Reader

Abstract

A computing system 102 for tracking protected data in a memory 104, the computing system 102 including the memory 104 and one or more memory controllers 106A-106N for accessing the memory. The memory 104 includes an is_protected flag 110 indicating whether the memory 104 is protected. The computing system 102 also includes a read_protected flag 108 associated with a process, the read_protected flag 108 indicating whether the process is allowed to read the protected data. The one or more memory controllers 106A-106N are to receive data. The one or more memory controllers 106A-106N are to store the data in the memory 104. The one or more memory controllers 106A-106N are to determine whether the data is protected, and the one or more memory controllers 106A-106N are to set the is_protected flag 110 of the memory 104 to indicate that the memory 104 is protected if the data is protected.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present invention generally relates to tracking protected data, and more specifically, to a computing system for tracking protected data in memory, and a method for tracking protected data in said computing system. Background Technology

[0002] Data leakage prevention (DLP) is a security solution used to identify and prevent the insecure or inappropriate sharing, transmission, or use of sensitive data (i.e., an organization's protected data or information). DLP monitors and protects an organization's sensitive data across on-premises systems, cloud-based locations, and endpoint devices. DLP ensures that organizations comply with various rules and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). However, DLP cannot effectively protect encrypted sensitive data. Because DLP is software-based, it may be vulnerable to being bypassed by attackers.

[0003] Furthermore, DLP faces difficulties in addressing flaws such as memory leaks, use-after-free, and read-before-write because (i) these flaws lead to vulnerabilities and security issues, and (ii) it is well known that flaws are extremely difficult to track an organization's sensitive data across on-premises systems, cloud-based locations, and endpoint devices. Existing programming tools for memory debugging, memory leak detection, and performance analysis are used to detect these flaws. However, these existing tools are extremely slow and unsuitable for any purpose outside of development. Using these existing tools on large projects is challenging due to their performance impact.

[0004] Therefore, it is necessary to address the aforementioned technical problems / deficiencies in tracking protected data. Summary of the Invention

[0005] The object of this invention is to provide a computing system and method for tracking protected data in memory while avoiding one or more drawbacks of existing methods.

[0006] This objective is achieved through the features of the independent claim. Other implementations are apparent in the dependent claims, the specification, and the drawings.

[0007] According to a first aspect, there exists a computing system for tracking protected data, the computing system including a memory and one or more memory controllers for accessing the memory. The memory includes an `is_protected` flag indicating whether the memory is protected. The computing system also includes a `read_protected` flag associated with a process, indicating whether the process is allowed to read the protected data. The one or more memory controllers are configured to (i) receive data; (ii) store the data in the memory; (iii) determine whether the data is protected; and (iv) if protected, set the `is_protected` flag of the memory to indicate that the memory is protected.

[0008] Computing systems implement data leakage prevention (DLP) to protect sensitive data (i.e., protected data) from unauthorized access by eliminating memory-related defects such as use-after-free and read-before-write. Computing systems mark data as protected by adding an "is_protected" flag to the data in memory for tracking purposes. Computing systems use hardware-based tagging to mark data as protected. Hardware-based tagging enhances the tamper-proof nature of data, ensuring consistent application of security measures, leaving no circumventable vulnerabilities, and providing reliable defense against potential vulnerabilities. Computing systems can use user-space software that can remain unchanged because it does not require modification. This means that the user-space software can run on the computing system, which (i) implements new instructions without any adjustments, reducing the complexity of transitioning to a new architecture, and (ii) keeps the old instruction set as is, while the introduction of new instructions requires modification. Computing systems facilitate the integration of external virtual hardware (e.g., network devices and file systems), which expands the range of applications that interact with the computing system. The computing system identifies memory defects without introducing performance impact, thus ensuring the reliability of the computing system's performance. The computer processing unit (CPU) architecture of the computing system can be used in cloud architectures and virtual machines (VMs) to implement DLP on tenant VMs, thereby ensuring reliable protection of sensitive data in virtualized environments. The CPU architecture can be implemented in emulators such as Quick Emulator, QEMU, and TinyEmu, or in VMs such as WebAssembly, WASM, and JAVA, to implement DLP or memory defect tracking.

[0009] Optionally, the one or more memory controllers are configured to: (i) receive the data by receiving a file, and (ii) determine whether the file is protected by determining whether the is_protected flag of the file indicates that the file is protected.

[0010] Optionally, the one or more memory controllers are configured to: (i) receive the data by receiving a memory page, and (ii) determine whether the data is protected by determining whether the is_protected flag of the memory page indicates that the memory page is protected.

[0011] Optionally, the one or more memory controllers are configured to: (i) receive the data by receiving the contents of a CPU register, and (ii) determine whether the data is protected by determining whether the is_protected flag of the CPU register indicates that the CPU register is protected.

[0012] Optionally, the one or more memory controllers are configured to: (i) store the data in the memory by storing the data in a memory page of the memory, and (ii) set the is_protected flag by setting the is_protected flag of the memory page.

[0013] Optionally, the one or more memory controllers are configured to set the is_protected flag of the memory page for a portion of the memory page.

[0014] Optionally, the memory includes a CPU register. The one or more memory controllers are configured to: (i) store the data in the memory by storing the data in the CPU register of the memory, and (ii) set the is_protected flag by setting the is_protected flag of the CPU register.

[0015] Optionally, the computing system includes a network connection. The one or more memory controllers are configured to receive the data via the network connection.

[0016] Optionally, the one or more memory controllers are configured to: (i) receive a memory instruction for the second data; (ii) determine whether to set the is_protected flag for the second data; (iii) if set, determine whether to set the read_protected flag, and if set, execute the memory instruction.

[0017] Optionally, the one or more memory controllers are configured to: perform exception handling when it is determined that the is_protected flag is set for the second data and the read_protected flag is not set.

[0018] Optionally, the memory instruction is a READ instruction. The one or more memory controllers are configured to: (i) read the second data from the memory into the CPU register; and (ii) set the is_protected flag of the CPU register to be equal to the is_protected flag of the second data.

[0019] Optionally, the memory instruction is a WRITE instruction. The one or more memory controllers are configured to: (i) write the second data into the CPU register; (ii) set the is_protected flag of the CPU register to be equal to the is_protected flag of the second data.

[0020] Optionally, the memory instruction is a WRITE instruction. The one or more memory controllers are configured to: (i) write the second data to the memory page; (ii) determine whether to set the is_protected flag for the second data, and if so, set the is_protected flag of the memory page.

[0021] Optionally, the exception handling includes interruption.

[0022] Optionally, the exception handling includes writing log data.

[0023] Optionally, when the is_protected flag is used for the memory page and the memory page has an address stored in an address field, the address field includes additional bits for the address not used for the memory page. These additional bits include the is_protected flag.

[0024] Optionally, when the is_protected flag is used with the CPU register and the CPU register has an address stored in the address field, the address field includes additional bits for the address not used with the CPU register. These additional bits include the is_protected flag.

[0025] Optionally, the is_protected flag indicates whether the device is protected.

[0026] Optionally, the is_protected flag indicates whether the device is protected at the first level, protected at the second level, or unprotected.

[0027] Optionally, the first level indicates a first set of permitted operations, and the second level indicates a second set of permitted operations.

[0028] Optionally, the is_protected flag is a hardware flag.

[0029] According to a second aspect, a method is provided for a computing system including memory. The memory includes an `is_protected` flag indicating whether the memory is protected. The computing system also includes a `read_protected` flag associated with a process, indicating whether the process is allowed to read protected data. The method includes: (i) receiving data; (ii) storing the data in the memory; (iii) determining whether the data is protected; and (iv) if protected, setting the `is_protected` flag of the memory to indicate that the memory is protected.

[0030] This method implements data leakage prevention (DLP) to protect sensitive data (i.e., protected data) from unauthorized access by eliminating memory-related defects such as use-after-free and read-before-write. It tracks protected data by marking it as protected by adding an "is_protected" flag to the data in memory. This method uses hardware-based tagging to mark data as protected. Hardware-based tagging enhances the tamper-proof nature of data, ensuring consistent application of security measures, leaving no circumventable vulnerabilities, and providing reliable defense against potential vulnerabilities. This method can use user-space software that remains unchanged because it requires no modification. This means that the user-space software can run on a computing system that (i) implements new instructions without any adjustments, reducing the complexity of transitioning to a new architecture, and (ii) keeps the old instruction set as is, while the introduction of new instructions requires modification. This method facilitates the integration of external virtual hardware (e.g., network devices and file systems), which expands the scope of applications interacting with the computing system. This method identifies memory defects without introducing performance impact, thus ensuring the reliability of computing system performance. The computer processing unit (CPU) architecture of the computing system can be used in cloud architectures and virtual machines (VMs) to implement DLP on tenant VMs, thereby ensuring reliable protection of sensitive data in virtualized environments. The CPU architecture can be implemented in emulators such as Quick Emulator, QEMU, and TinyEmu, or in VMs such as Web Assembly, WASM, and JAVA to implement DLP or memory defect tracking.

[0031] According to a third aspect, a computer program product includes program instructions for performing the method when executed by one or more processors in a computing system.

[0032] Therefore, unlike existing solutions, a computing system and method for tracking protected data in memory achieves data leakage prevention (DLP) of data in memory by eliminating memory-related defects (such as use after release, read before write, etc.) to protect sensitive data from unauthorized access.

[0033] These and other aspects of the invention will be apparent from one or more implementations described below. Attached Figure Description

[0034] The implementation of the present invention will now be described by way of example only, with reference to the accompanying drawings, wherein: Figure 1 This is a block diagram illustrating a computing system for tracking protected data provided in an implementation of the present invention; Figure 2A This is a block diagram provided by an implementation of the present invention, which shows the addition of an is_protected bit or an is_protected flag to the CPU registers and global CPU flags within the central processing unit (CPU). Figure 2B This is a block diagram provided by an implementation of the present invention, which shows the addition of the is_protected bit to a memory mapping table representing a memory page; Figure 3 This is a block diagram illustrating data transmission from a source machine to a destination machine, provided by an implementation of the present invention. Figure 4A and Figure 4B This is a flowchart illustrating a method for a computing system provided by an implementation of the present invention, the computing system including a memory for tracking protected data; Figure 5 It is a diagram of a computer system (e.g., a computing system, a memory, and one or more memory controllers) in which various architectures and functions of various prior implementations can be implemented. Detailed Implementation

[0035] The present invention provides a computing system and method for tracking protected data in a memory.

[0036] To enable those skilled in the art to more easily understand the present invention, the following implementation of the present invention is described in conjunction with the accompanying drawings.

[0037] The terms “first,” “second,” “third,” and “fourth” (if any) used in the specification, claims, and accompanying drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a particular sequence or order. It should be understood that such terms are interchangeable where appropriate, for example, to allow implementations of the invention described herein to be implemented in sequences other than those shown or described herein. Furthermore, the terms “comprising” and “having,” and any variations thereof, are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units not expressly listed or inherent to such processes, methods, products, or apparatuses.

[0038] Figure 1This is a block diagram illustrating a computing system 102 for tracking protected data according to an implementation of the present invention. The computing system 102 includes a memory 104 and one or more memory controllers 106A to 106N for accessing the memory 104. The memory 104 includes an is_protected flag 110 indicating whether the memory 104 is protected. The computing system 102 also includes a read_protected flag 108 associated with a process, indicating whether a process is allowed to read protected data. The one or more memory controllers 106A to 106N are used to receive data. The one or more memory controllers 106A to 106N are used to store data in the memory 104. The one or more memory controllers 106A to 106N are used to determine whether the data is protected, and if protected, to set the is_protected flag 110 of the memory 104 to indicate that the memory 104 is protected if the data is protected.

[0039] Computing system 102 implements data leakage prevention (DLP) to protect sensitive data (i.e., protected data) from unauthorized access by eliminating memory-related defects (e.g., use-after-free, read-before-write). Computing system 102 tracks protected data by marking it as protected by adding an "is_protected" flag to the data in memory. Computing system 102 uses hardware-based tagging to mark data as protected. Hardware-based tagging enhances the tamper-proof capability of the data, ensuring consistent application of security measures, leaving no circumventable vulnerabilities, and providing reliable defense against potential vulnerabilities. Computing system 102 can use user-space software that can remain unchanged because no modification is required. This means that the user-space software can run on computing system 102, which (i) implements new instructions without any adjustments, reducing the complexity of transitioning to a new architecture, and (ii) keeps the old instruction set unchanged while the introduction of new instructions requires modification. The computing system 102 facilitates the integration of external virtual hardware (such as network devices and file systems), which expands the range of applications that interact with the computing system 102. The computing system 102 identifies memory defects without introducing performance impact, thus ensuring the reliability of its performance. The computer processing unit (CPU) architecture of the computing system 102 can be used in cloud architectures and virtual machines (VMs) to implement DLP on tenant VMs, thereby ensuring reliable protection of sensitive data in virtualized environments. The CPU architecture can be implemented in emulators such as Quick Emulator, QEMU, and TinyEmu, or in VMs such as Web Assembly, WASM, and JAVA, to implement DLP or memory defect tracking.

[0040] Optionally, one or more memory controllers 106A to 106N are used to: (i) receive data by receiving a file, and (ii) determine whether a file is protected by determining whether the file's is_protected flag 110 indicates that the file is protected.

[0041] Optionally, the computing system 102 includes a network connection. One or more memory controllers 106A to 106N are used to receive data via the network connection.

[0042] Optionally, one or more memory controllers 106A to 106N are configured to: (i) receive memory instructions for second data; (ii) determine whether to set the is_protected flag for the second data; and (iii) if set, determine whether to set the read_protected flag, and if set, execute the memory instructions.

[0043] Optionally, one or more memory controllers 106A to 106N are configured to: perform exception handling when it is determined that the is_protected flag is set for the second data and the read_protected flag is not set.

[0044] Optionally, the is_protected flag indicates whether the device is protected.

[0045] Optionally, the is_protected flag indicates whether the device is protected at the first level, protected at the second level, or unprotected.

[0046] Optionally, the first level indicates a first set of permitted operations, and the second level indicates a second set of permitted operations.

[0047] Optionally, the is_protected flag is a hardware flag.

[0048] Figure 2A This is a block diagram provided by an implementation of the present invention, illustrating the addition of an is_protected bit or is_protected flag to the CPU register 204 and global CPU flag 206 within a central processing unit (CPU) 202. The CPU register 204 includes register a extended (RAX), register c extended (RCX), register d extended (RDX), register b extended (RBX), register destination index (RDI), and register source index (RSI). The global CPU flag 206 includes overflow and zero. The CPU 202 may include one or more memory controllers and memories. Optionally, the memories include the CPU register 204.

[0049] Optionally, one or more memory controllers are configured to: (i) receive data by receiving the contents of CPU register 204, and (ii) determine whether the data is protected by determining whether the is_protected flag of the CPU register indicates that CPU register 204 is protected. Optionally, one or more memory controllers are configured to: (i) store data in memory by storing the data in CPU register 204, and (ii) set the is_protected flag by setting the is_protected flag of CPU register 204. This means that when a relevant CPU operation is performed on CPU register 204, the "is_protected" bit or the "is_protected" flag is applied to CPU register 204. The CPU operation can be a memory read or a memory write. CPU 202 is controlled by the operating system (OS). Optionally, the OS is configured to determine which memory, binary files, and external resources should be protected by setting or writing the "is_protected" bit of CPU register 204, global CPU flag 206, and external resources. The "is_protected" bit can be a logical bit. External resources can be files or networks. Each logical bit in the CPU register indicates the protection status of the data within CPU register 204. Optionally, when the is_protected flag is used on a CPU register and the CPU register has an address stored in the address field, the address field includes additional bits for marking the "is_protected" flag on the data.

[0050] Optionally, one or more memory controllers add logical bits to each general-purpose register or the entire CPU register 204 to indicate the protection status of the data by creating a separate register, namely the "is_protected" register shown at 208, for tracking the protection status of the data. The "is_protected" register may include one bit for each general-purpose register to indicate whether the data in each general-purpose register is protected.

[0051] One or more memory controllers integrate the "is_protected" global flag into CPU 202 as global CPU flag 206, and add corresponding instructions for setting and resetting the "is_protected" global flag to the instruction set of CPU 202. This means that when the "is_protected" global flag is set to global CPU flag 206, CPU 202 reads memory marked as "is_protected" and operates on CPU register 204 marked as protected. If the "is_protected" global flag is not set, CPU 202 triggers a "protection fault" when reading protected memory or protected CPU registers. Optionally, the protection fault behaves similarly to a memory page fault. A protection fault may occur when CPU 202 sets the "is_protected" global flag to global CPU flag 206 in user space, which allows the OS to use cryptographic means to verify the integrity of the binary file containing protected data to prevent unauthorized tampering. Optionally, the OS provides a method to set the "is_protected" global flag for trusted processes externally without requiring direct modification, thereby improving overall data security. The global CPU flag 206 can be updated during context switches or transitions from one task to another or process. This task can be an application, service, or thread.

[0052] A network can be marked as "is_protected" in an infrastructure-dependent manner. For example, a network can be protected by: (i) using bits in the encapsulated header (e.g., Internet Protocol Security (IPsec) in a Virtual Extensible Local Area Network (VXLAN) or Virtual Private Network (VPN) in a cloud environment), (ii) dedicated bits in the Ethernet header, (iii) virtual LANs (VLANs), and (iv) flags on memory pages that include buffers containing network packets to indicate a protected state. Alternatively, the process of protecting a network can be extended to encompass all input / output and I / O operations.

[0053] Figure 2BThis is a block diagram provided by an implementation of the present invention, illustrating the addition of an is_protected bit to a memory mapping table 210 representing a memory page. The memory mapping table 210 is managed by a memory management unit (MMU). Memory pages are used to manage virtual memory. The MMU is a hardware component used to translate virtual memory addresses into physical memory addresses. The MMU adds a logical bit to each memory page. The logical bit is either an "is_protected" bit or an "is_protected" flag. Optionally, one or more memory controllers are configured to: (i) receive data by receiving memory pages, and (ii) determine whether data is protected by determining whether the is_protected flag of a memory page indicates that the memory page is protected. Optionally, one or more controllers are configured to: (i) store data in memory by storing data in memory pages, and (ii) set the is_protected flag by setting the is_protected flag of a memory page. Optionally, one or more memory controllers are configured to set the is_protected flag of a memory page for a portion of the memory page.

[0054] One or more memory controllers add an "is_protected" bit to memory pages to protect data or files in memory. The "is_protected" bit serves as a flag indicating whether the corresponding memory page contains protected data. This means that each memory page has a flag indicating whether it is protected. The "is_protected" bit can be a single bit or multiple bits, i.e., a more complex bit sequence. For example, a more complex bit sequence could be bit 0 for readability, bit 1 for writeability, bit 2 for executeability, and bit 3 for "is_protected". The MMU allocates specific bits to the OS for reading protected data. This means that the "is_protected" flag can be a dedicated bit specifically used to indicate whether a memory page corresponding to protected data is protected. The OS can set or reset the memory page "is_protected" bit. This means that one or more memory controllers use the OS to set and reset the "is_protected" flag or "is_protected" bit for each memory page. The OS may set the protected flag to allow page reuse, in which case the same memory page can be used by multiple applications. Optionally, the OS allows an application or its user to protect data on a memory page by setting a protected flag on the memory page.

[0055] The OS can be ring 0 or a Linux kernel. Optionally, the OS has the right to set or reset the "is_protected" bit of any memory page, any register, or CPU global flag. This allows the OS's Linux kernel space to set a buffered memory page to "protected" in a "read" command if data or a file is considered "protected." If a network packet indicates that the network packet includes protected data, the Linux kernel space can set a buffered memory page to protected in a "recv" command. The "is_protected" flag can be updated on a per-process basis.

[0056] Optionally, a specific method can be used to mark a file or data as "is_protected" within the OS. For example, in Linux+SELinux, the metadata key-value pair indicating protection can be placed in the file's extended attributes. When data marked as "protected" is written to a file, the OS automatically marks that file as "protected." The OS extends this protection to the memory where data is read when reading protected files. Optionally, writes to protected files can be restricted unless a protected CPU flag is set.

[0057] CPU 202 utilizes multiple bits to achieve finer-grained memory protection. These multiple bits can operate within the protection bit space constraints of the MMU. For example, multiple bits can be used to specify the type, source, or level of protected data. Multiple bits are used to identify specific segments within each memory page that are marked as protected.

[0058] When the OS reads from memory, one or more memory controllers set the "is_protected" register 208 of CPU register 204 to match the "is_protected" bit of the memory page. When the OS writes to memory, CPU 202 performs an OR operation between the "is_protected" register 208 of CPU register 204 and the "is_protected" bit of the memory page. This means that if the "is_protected" bit of the memory page or the "is_protected" register 208 of CPU register 206 is set, then the "is_protected" bit of the memory page is set.

[0059] Optionally, one or more memory controllers are configured to: (i) receive memory instructions for the second data; (ii) determine whether to set the "is_protected" flag for the second data; and (iii) if set, determine whether to set the read_protected flag, and if set, execute the memory instructions.

[0060] Optionally, one or more memory controllers are configured to: perform exception handling when it is determined that the is_protected flag is set for the second data and the read_protected flag is not set.

[0061] Optionally, the memory instruction is a READ instruction. One or more memory controllers are configured to: (i) read second data from memory into CPU register 204; (ii) set the "is_protected" flag of CPU register 204 to be equal to the "is_protected" flag of the second data.

[0062] Optionally, the memory instruction is a WRITE instruction. One or more memory controllers are configured to: (i) write the second data to CPU register 204; (ii) set the is_protected flag of CPU register 204 to be equal to the is_protected flag of the second data.

[0063] Optionally, the memory instruction is a WRITE instruction. One or more memory controllers are configured to: (i) write the second data to a memory page; (ii) determine whether the is_protected flag is set for the second data, and if so, set the is_protected flag of the memory page.

[0064] Optionally, exception handling includes interruption.

[0065] Optionally, exception handling includes writing log data.

[0066] Optionally, when the is_protected flag is used on a memory page and the memory page has an address stored in the address field, the address field includes additional bits for marking the "is_protected" flag.

[0067] Figure 3This is a block diagram 300 illustrating data transmission from a source machine 302 to a destination machine 304, provided as an implementation of the present invention. Block diagram 300 includes: a source machine 302 including protected data 306 and memory 308; a network interface card (NIC) 312; a destination machine 304 including memory 310; and a NIC 314. NICs 312 and 314 are hardware components that allow the source machine 302 to communicate with the destination machine 304 over a network. NICs 312 and 314 are used to send and receive data packets over the network. When a file is marked as protected, the source machine 302 reads data from the protected data 306 into the source machine 302's memory 308. If the memory 308 of source machine 302 is modified by an application, the "is_protection" bit of the file is transferred from the memory 308 of source machine 302. This means that if an application writes new data to the memory 308 of source machine 302 that stores protected data 306, the "is_protection" bit associated with the memory 308 of source machine 302 remains unchanged. For example, if an application encrypts protected data 306 in the memory 308 of source machine 302, the file remains protected even if the protected data 306 is modified by an application. Source machine 302 sends the memory 308 of source machine 302 containing protected data 306 to its NIC 312. NIC 312 transmits the memory 308 containing protected data 306 as a network packet to the NIC 314 of destination machine 304. When protected data 306 is transmitted over the network from source machine 302 to destination machine 304, NIC 312 marks the network packet as protected. NIC 312 is used to encapsulate protected data 306 into a network packet. NIC 314 of destination machine 304 receives the network packet and places it in memory 310 of destination machine 304 because the network packet is marked as protected.

[0068] Figure 4A and Figure 4B This is a flowchart illustrating a method for a computing system including memory provided by an implementation of the present invention. The memory includes an is_protected flag indicating whether the memory is protected. The computing system also includes a read_protected flag associated with a process, indicating whether the process is allowed to read protected data. In step 402, data is received. In step 404, the data is stored in the memory. In step 406, it is determined whether the data is protected or unprotected. In step 408, the is_protected flag of the memory is set to indicate that the memory is protected if the data is protected.

[0069] This method implements data leakage prevention (DLP) to protect sensitive data (i.e., protected data) from unauthorized access by eliminating memory-related defects such as use-after-free and read-before-write. It tracks protected data by marking it as protected by adding an "is_protected" flag to the data in memory. This method uses hardware-based tagging to mark data as protected. Hardware-based tagging enhances the tamper-proof nature of data, ensuring consistent application of security measures, leaving no circumventable vulnerabilities, and providing reliable defense against potential vulnerabilities. This method can use user-space software that remains unchanged because it requires no modification. This means that the user-space software can run on a computing system that (i) implements new instructions without any adjustments, reducing the complexity of transitioning to a new architecture, and (ii) keeps the old instruction set as is, while the introduction of new instructions requires modification. This method facilitates the integration of external virtual hardware (e.g., network devices and file systems), which expands the scope of applications interacting with the computing system. This method identifies memory defects without introducing performance impact, thus ensuring the reliability of computing system performance. The computer processing unit (CPU) architecture of the computing system can be used in cloud architectures and virtual machines (VMs) to implement DLP on tenant VMs, thereby ensuring reliable protection of sensitive data in virtualized environments. The CPU architecture can be implemented in emulators such as Quick Emulator, QEMU, and TinyEmu, or in VMs such as Web Assembly, WASM, and JAVA to implement DLP or memory defect tracking.

[0070] In one implementation, a computer program product includes program instructions for performing the method when executed by one or more processors in a computing system.

[0071] Figure 5This is an illustration of a computer system (e.g., a computing system, memory, and one or more memory controllers) in which various architectures and functions of various prior implementations can be implemented. As shown, computer system 500 includes at least one processor 504 connected to bus 502. Computer system 500 can be implemented using any suitable protocol, such as Peripheral Component Interconnect, PCI-Express, Accelerated Graphics Port (AGP), Hyper Transport, or any other bus or point-to-point communication protocol. Computer system 500 also includes memory 506.

[0072] The control logic (software) and data are stored in memory 506, which may take the form of random-access memory (RAM). In this invention, a single semiconductor platform can refer to a unique integrated circuit or chip based on a single semiconductor. It should be noted that the term "single semiconductor platform" can also refer to a multi-chip module with increased connectivity, which simulates on-chip operation with increased connectivity and represents a substantial improvement over implementations using a conventional central processing unit (CPU) and bus. Of course, depending on the user's expectations, various modules can also be placed individually or in various combinations of semiconductor platforms.

[0073] Computer system 500 may also include auxiliary storage 510. Auxiliary storage 510 includes hard disk drives and removable storage drives, such as floppy disk drives, magnetic tape drives, compact disk drives, digital versatile disk (DVD) drives, recording devices, universal serial bus (USB) flash memory, etc. The removable storage drives read from and / or write to the removable storage unit in a well-known manner.

[0074] Computer programs or computer control logic algorithms may be stored in at least one of the memory 506 and the auxiliary memory 510. When these computer programs are executed, they enable the computer system 500 to perform the various functions described above. Memory 506, auxiliary memory 510, and any other memory are possible examples of computer-readable media.

[0075] In one implementation, the architecture and functionality described in the various previous figures can be implemented in the context of processor 504, a graphics processor coupled to communication interface 512, an integrated circuit (not shown) capable of having at least a portion of the capabilities of both processor 504 and graphics processor, and a chipset (i.e., a set of integrated circuits designed to operate and be sold as units performing related functions, etc.).

[0076] Furthermore, the architectures and functions described in the various previously described figures can be implemented within the context of general-purpose computer systems, circuit board systems, game console systems dedicated to entertainment purposes, and application-specific systems. For example, computer system 500 can take the form of a desktop computer, a laptop computer, a server, a workstation, a game console, or an embedded system.

[0077] Furthermore, the computer system 500 can take the form of various other devices, including but not limited to personal digital assistant (PDA) devices, mobile phone devices, smartphones, televisions, etc. Additionally, although not shown, the computer system 500 can be coupled to a network (e.g., telecommunications network, local area network (LAN), wireless network, wide area network (WAN) such as the Internet, peer-to-peer network, cable network, etc.) for communication via I / O interface 508.

[0078] It should be understood that the arrangement of components shown in the described figures is exemplary and other arrangements are possible. It should also be understood that the various system components (and modules) defined by the following claims and shown in the various block diagrams represent components in some systems configured according to the subject matter disclosed herein. For example, one or more of these system components (and modules) may be implemented wholly or partially by at least some of the components shown in the arrangements shown in the described figures.

[0079] Furthermore, while at least one of these components is implemented at least partially as an electronic hardware component and thus constitutes a machine, the other components may be implemented in software, which, when included in the execution environment, constitutes a machine, hardware, or a combination of software and hardware.

[0080] While the invention and its advantages have been described in detail, it should be understood that various changes, substitutions and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims

1. A computing system (102), characterized in that, The computing system (102) includes a memory (104) and one or more memory controllers (106A to 106N) for accessing the memory (104), wherein the computing system (102) is characterized in that... The memory (104) includes an is_protected flag (110), which indicates whether the memory (104) is protected, wherein The computing system (102) also includes a read_protected flag (108) associated with a process, the read_protected flag (108) indicating whether the process is allowed to read protected data, and wherein The one or more memory controllers (106A to 106N) are used for Receive data; The data is stored in the memory (104); Determine whether the data is protected; if so, then Set the is_protected flag (110) of the memory (104) to indicate that the memory (104) is protected.

2. The computing system (102) according to claim 1, characterized in that, The computing system (102) is further characterized in that the one or more memory controllers (106A to 106N) are used for: The data is received by receiving the file, and the file is determined to be protected by determining whether the is_protected flag (110) of the file indicates that the file is protected.

3. The computing system (102) according to claim 1, characterized in that, The computing system (102) is further characterized in that the one or more memory controllers (106A to 106N) are used for: The data is received by receiving a memory page, and the data is determined to be protected by determining whether the is_protected flag (110) of the memory page indicates that the memory page is protected.

4. The computing system (102) according to claim 1, characterized in that, The computing system (102) is further characterized in that the one or more memory controllers (106A to 106N) are used for: The data is received by receiving the contents of the CPU register, and the data is determined to be protected by determining whether the CPU register is protected by checking whether the is_protected flag (110) of the CPU register indicates that the CPU register is protected.

5. The computing system (102) according to any one of the preceding claims, characterized in that, The computing system (102) is further characterized in that the one or more memory controllers (106A to 106N) are used for: The data is stored in the memory (104) by storing the data in a memory page of the memory (104), and the is_protected flag (110) is set by setting the is_protected flag (110) of the memory page.

6. The computing system (102) according to any one of claims 1, 3 or 4, characterized in that, The computing system (102) is further characterized in that the one or more memory controllers (106A to 106N) are used to set the is_protected flag (110) of the memory page for a portion of the memory page.

7. The computing system (102) according to any one of claims 1, 3 or 4, characterized in that, The memory includes CPU registers, and the computing system (102) is further characterized in that the one or more memory controllers (106A to 106N) are used for: The data is stored in the memory (104) by storing the data in the CPU register of the memory (104), and the is_protected flag (110) is set by setting the is_protected flag (110) of the CPU register.

8. The computing system (102) according to any one of the preceding claims, characterized in that, The computing system (102) includes a network connection, and wherein the computing system (102) is further characterized in that the one or more memory controllers (106A to 106N) are used for: The data is received through the network connection.

9. The computing system (102) according to any one of the preceding claims, characterized in that, The computing system (102) is further characterized in that the one or more memory controllers (106A to 106N) are used for: Memory instruction to receive the second data; Determine whether to set the is_protected flag for the second data (110); If set, then determine whether to set the read_protected flag (108). If set, then Execute the memory instructions.

10. The computing system (102) according to claim 9, characterized in that, The computing system (102) is further characterized in that the one or more memory controllers (106A to 106N) are used for: When it is determined that the is_protected flag (110) is set for the second data and the read_protected flag (108) is not set, exception handling is performed.

11. The computing system (102) according to claim 9 or 10, characterized in that, The memory instruction is a READ instruction, and the computing system (102) is further characterized in that the one or more memory controllers (106A to 106N) are used to: The second data is read from the memory (104) into the CPU register; Set the is_protected flag (110) of the CPU register to be equal to the is_protected flag (110) of the second data.

12. The computing system (102) according to any one of claims 9, 10 or 11, characterized in that, The memory instruction is a WRITE instruction, and the computing system (102) is further characterized in that the one or more memory controllers (106A to 106N) are used to: Write the second data into the CPU register; Set the is_protected flag (110) of the CPU register to be equal to the is_protected flag (110) of the second data.

13. The computing system (102) according to any one of claims 9, 10, 11 or 12, characterized in that, The memory instruction is a WRITE instruction, and the computing system (102) is further characterized in that the one or more memory controllers (106A to 106N) are used to: Write the second data into the memory page; Determine whether to set the is_protected flag (110) for the second data; if so, then Set the is_protected flag (110) of the memory page.

14. The computing system (102) according to any one of claims 10 to 13, characterized in that, The exception handling includes interruption.

15. The computing system (102) according to any one of claims 10 to 14, characterized in that, The exception handling includes writing log data.

16. The computing system (102) according to any one of the preceding claims, characterized in that, The computing system (102) is further characterized in that, when the is_protected flag (110) is used for the memory page and the memory page has an address stored in the address field, the address field includes additional bits of the address not used for the memory page, wherein the additional bits include the is_protected flag (110).

17. The computing system (102) according to any one of the preceding claims, characterized in that, The computing system (102) is further characterized in that, when the is_protected flag (110) is used in the CPU register and the CPU register has an address stored in the address field, the address field includes additional bits of the address not used in the CPU register, wherein the additional bits include the is_protected flag (110).

18. The computing system (102) according to any one of the preceding claims, characterized in that, The is_protected flag (110) indicates whether the device is protected.

19. The computing system (102) according to any one of the preceding claims, characterized in that, The is_protected flag (110) indicates whether the device is protected at the first level, protected at the second level, or unprotected.

20. The computing system (102) according to claim 18 or 19, characterized in that, The first level indicates a first set of permitted operations, and the second level indicates a second set of permitted operations.

21. The computing system (102) according to any one of the preceding claims, characterized in that, The is_protected flag (110) is a hardware flag.

22. A method for a computing system (102) including a memory (104), characterized in that, The method is characterized in that, The memory (104) includes an is_protected flag (110), which indicates whether the memory (104) is protected, wherein The computing system (102) also includes a read_protected flag (108) associated with a process, the read_protected flag (108) indicating whether the process is allowed to read protected data, and wherein The method includes: Receive data; The data is stored in the memory (104); Determine whether the data is protected; if so, then Set the is_protected flag (110) of the memory (104) to indicate that the memory (104) is protected.

23. A computer program product, characterized in that, Includes program instructions for performing the method of claim 18 when executed by one or more processors in the computing system (102).