1. Field of the Invention
The present invention relates to a technology for tracking information flow, and more particularly, to a method for tracking information flow in which the task of tracking information flow is divided into two parts that are executed by two procedures, and to a computer system for executing the method.
2. Description of Related Art
With the development of network technology, data transmission between computers has become increasingly common, and most computers are now connected to the Internet. This is accompanied by the risk of network attack. That is, a computer may receive untrusted data, and execution of the untrusted data may result in confidential data of the computer system being stolen or in the computer being used for further network attacks. There are two conventional methods for addressing this issue. In one method, software for detecting malicious programs is installed in the computer system, where it can effectively detect various statuses in the computer system (e.g. execution of instructions or usage of memory). However, the detection software is closely coupled with the computer system, such that a malicious program can easily bypass it. The other method is to execute the detection software outside the computer system and block all network connection operations in the computer system. This method can prevent the malicious program from bypassing the detection software, but it has poor visibility into the statuses in the computer system. Each method has its own advantages and shortcomings. A further method has also been proposed, in which a virtual machine is installed in the computer system and an operating system is executed on the virtual machine. The detection software is executed at the virtual machine monitor (VMM) level. As such, the detection software is able to obtain a complete view of the status of any malicious program in the operating system without being detected and bypassed by the malicious program.
However, the method of executing the detection software in the VMM system has a performance issue. The detection software must completely emulate the execution of every instruction in the operating system in order to detect a register, memory or hard disk that is tainted by the malicious program. That is, one instruction may be executed twice: once for normal execution, and once for emulating the instruction and tracking the information flow of this instruction. Therefore, how to effectively track the information flow is a concern for researchers in this area.