System and Method for Self-Protecting Data

US Patent No: US 10,185,584 B2

Issued: January 22, 2019

USPTO Patent PDF | Google Patents

Security Area: Self-Protecting Data

Abstract

Disclosed is a system comprising a physical memory, a processor and a software component. The software component includes a policy/domain handler for receiving data and a policy associated with the data; a hypervisor; and a file management module. The file management module receives a request from a third-party application to interact with a data file containing the data; sends an authorization and tag request to the policy/domain handler to check if the user and application are permitted to access the data, and if permitted, to generate hardware tags for the data file; and sends a secure data request to the hypervisor to create a secure data compartment for the data file and the hardware tags. Based on the authorization and tag request, and the security policy associated with the data, the policy/domain handler generates the hardware tags for the data file. Based on the secure data request, the hypervisor creates in the physical memory a secure data compartment containing the data file and the hardware tags, the hypervisor associating the hardware tags with the data in the secure data compartment. As the data is operated upon and moved to other memory areas, the hardware tags are propagated with the data according to tag propagation rules, and checked before performing operations that may lead to security breaches.

  • Disclosed is a system comprising a physical memory, a processor and a software component. The software component includes a policy/domain handler configured to receive data and a policy associated with the data; a hypervisor; and a file management module. The file management module is configured to receive a request from a third-party application to interact with a data file containing the data; send an authorization and tag request to the policy/domain handler to check if the user and application are permitted to access the data, and if permitted, to generate hardware tags for the data file; and send a secure data request to the hypervisor to create a secure data compartment for the data file and the hardware tags. Based on the authorization and tag request, and the security policy associated with the data, the policy/domain handler generates the hardware tags for the data file. Based on the secure data request, the hypervisor creates in the physical memory a secure data compartment containing the data file and the hardware tags, the hypervisor associating the hardware tags with the data in the secure data compartment. As the data is operated upon and moved to other memory areas, the hardware tags are propagated with the data according to tag propagation rules, and checked before performing operations that may lead to security breaches.

    Also disclosed is a method performed by a system comprising a physical memory and a processor. The method includes the steps of receiving data and a policy associated with the data; intercepting a request from an application to interact with the data; checking if access is allowed to the data, and if so, generating a plurality of hardware tags for the data based on the policy; creating in the physical memory a secure data compartment for the data and the plurality of hardware tags; associating the data with the plurality of hardware tags in the secure data compartment; propagating the tags with the data as it is used or moved to other memory locations; and checking the hardware tags before performing operations that may lead to security breaches.

    Also disclosed is a method for reducing the amount of false positives in a naïve data information flow tracking system performed by a computer system comprising a memory and a processor. The method includes: setting a counter value to a maximum value based on determining a tagged conditional execution; decreasing the counter value by one each time a tagged branch instruction is executed; and based on determining the counter value reaches a zero value, clearing the counter value.
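
The following is an added illustration, not text or code from the patent. It models, in a few dozen lines of Python, the flow the abstract and first two claims describe (a policy handler that authorizes a request and issues tags, a hypervisor stand-in that places data and tags in a compartment, tags that propagate with the data and are checked before a sensitive operation) together with the counter method of the third claim. The instruction set, the tag bit, the sample policy, the sample program and the choice to re-arm the counter only once it has reached zero are all constructed assumptions made for the example; the patent itself specifies none of them.

```python
"""Toy tagged-data machine (added example; not the patent's own code).

Models: policy-based authorization that issues hardware tags for a data file;
a compartment holding data plus tags; tag propagation on every write; a tag
check before a sensitive operation; and a counter that bounds how long a
tagged conditional keeps tainting results (the claimed false-positive fix).
Instruction set, tag bits, policy and re-arm behaviour are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

CONFIDENTIAL = 0b01  # constructed tag bit: set => value is policy-protected

# Constructed policy: file -> (permitted (user, app) pairs, tag bits to attach).
POLICY = {
    "/data/payroll.csv": ({("alice", "reporting")}, CONFIDENTIAL),
    "/data/public.txt": ({("alice", "reporting"), ("bob", "viewer")}, 0),
}


def authorize_and_tag(user, app, path):
    """Policy/domain handler stand-in: tag bits if permitted, else None."""
    permitted, tag = POLICY[path]
    return tag if (user, app) in permitted else None


@dataclass
class Machine:
    """Register machine in which every value carries a tag word."""
    max_branch_count: Optional[int] = 3   # None = naive: implicit tag never clears
    regs: dict = field(default_factory=lambda: {r: 0 for r in "abcd"})
    tags: dict = field(default_factory=lambda: {r: 0 for r in "abcd"})
    compartment: dict = field(default_factory=dict)  # addr -> (value, tag)
    pc_tag: int = 0        # implicit tag from an in-flight tagged conditional
    counter: int = 0
    blocked: list = field(default_factory=list)  # registers refused at the sink
    emitted: list = field(default_factory=list)  # values that passed the check

    def create_compartment(self, addr, value, tag):
        """Hypervisor stand-in: store the data together with its hardware tag."""
        self.compartment[addr] = (value, tag)

    def _write(self, rd, value, tag):
        # Propagation rule: destination tag = OR of operand tags | implicit pc tag.
        self.regs[rd] = value
        self.tags[rd] = tag | self.pc_tag

    def _tagged_branch(self, tag):
        # Counter scheme as read from the claim: a tagged conditional arms the
        # counter at its maximum; each further tagged branch decrements it; at
        # zero the implicit tag is cleared. Re-arming only from zero is assumed.
        if self.max_branch_count is None:    # naive tracking: taint forever
            self.pc_tag |= tag
        elif self.counter == 0:
            self.counter = self.max_branch_count
            self.pc_tag = tag
        else:
            self.counter -= 1
            if self.counter == 0:
                self.pc_tag = 0

    def run(self, program):
        pc = 0
        while pc < len(program):
            op, *args = program[pc]
            pc += 1
            if op == "load":        # load rd, addr   : read from the compartment
                rd, addr = args
                self._write(rd, *self.compartment[addr])
            elif op == "li":        # li rd, imm      : untagged constant
                rd, imm = args
                self._write(rd, imm, 0)
            elif op == "addi":      # addi rd, rs, imm
                rd, rs, imm = args
                self._write(rd, self.regs[rs] + imm, self.tags[rs])
            elif op == "bz":        # bz rs, target   : branch if rs == 0
                rs, target = args
                if self.tags[rs]:
                    self._tagged_branch(self.tags[rs])
                if self.regs[rs] == 0:
                    pc = target
            elif op == "out":       # out rs : sensitive op, e.g. write to a socket
                (rs,) = args
                if self.tags[rs] & CONFIDENTIAL:
                    self.blocked.append(rs)          # tag check fails: refuse
                else:
                    self.emitted.append(self.regs[rs])
            else:
                raise ValueError(f"unknown op {op}")
        return self


# Constructed program: three conditionals on the secret, each followed by a
# write to a fresh register, then every register goes to the sensitive sink.
PROGRAM = [
    ("load", "a", 0x100),    # 0: a <- secret (tagged)
    ("li", "b", 1), ("li", "c", 1), ("li", "d", 1),   # 1-3: public constants
    ("bz", "a", 6),          # 4: tagged branch #1 (arms the counter)
    ("addi", "b", "b", 0),   # 5: b picks up the implicit tag
    ("bz", "a", 8),          # 6: tagged branch #2
    ("addi", "c", "c", 0),   # 7: c picks up the implicit tag
    ("bz", "a", 10),         # 8: tagged branch #3 (counter reaches zero)
    ("addi", "d", "d", 0),   # 9: written after the implicit tag cleared
    ("out", "b"), ("out", "c"), ("out", "d"), ("out", "a"),
]


def run_request(user, app, path, secret=7, max_branch_count=2):
    """File-management flow: authorize, tag, compartmentalize, then execute."""
    tag = authorize_and_tag(user, app, path)
    if tag is None:
        return None                      # denied before any data is exposed
    m = Machine(max_branch_count=max_branch_count)
    m.create_compartment(0x100, secret, tag)
    m.run(PROGRAM)
    return m.blocked, m.emitted


if __name__ == "__main__":
    print("with counter:", run_request("alice", "reporting", "/data/payroll.csv"))
    print("naive:", run_request("alice", "reporting", "/data/payroll.csv",
                                max_branch_count=None))
```

With the counter set to 2, registers `b` and `c` are written while the implicit tag is live and are refused at the sink, while `d`, written after the third tagged branch clears the tag, is released; the naive machine refuses `d` as well, which is the false positive the third claim targets. A denied request (`bob` reading the payroll file) never reaches the compartment at all.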

Related Patent

The related patent below covers variations of this invention with different claim scopes or extensions.

US 10,838,758 B2 (Issued: November 17, 2020)