Patents Examined by Don Zhao
  • Patent number: 9563754
    Abstract: Disclosed is a method of generating a structure comprising at least one virtual machine, the method comprising: obfuscating a first virtual machine source code, thereby yielding a first obfuscated virtual machine (OVM) source code; associating a processor identifier with the first OVM source code, thereby yielding a processor-specific first OVM source code; compiling the processor-specific first OVM source code, thereby yielding a processor-specific first OVM. Furthermore, a structure generated by said method is disclosed.
    Type: Grant
    Filed: November 20, 2014
    Date of Patent: February 7, 2017
    Assignee: NXP B.V.
    Inventors: Vincent Cedric Colnot, Peter Maria Franciscus Rombouts, Philippe Teuwen, Frank Michaud
  • Patent number: 9559849
    Abstract: A service receives from a sender service a digital message and a corresponding trace, which includes an ordered set of digital signatures of one or more services that participated in causing the service to receive the digital message. The trace may further specify an ordering of the one or more services, which may be generated according to the order of participation of these one or more services. The service may compare the received trace to recorded message paths to determine whether the ordering specified within the trace is valid. If the ordering is valid, the service may use one or more digital certificates to further verify the digital signatures included within the trace. If the service determines that these digital signatures are also valid, the service may process the message.
    Type: Grant
    Filed: September 18, 2014
    Date of Patent: January 31, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Muhammad Wasiq, Nima Sharifi Mehr
  • Patent number: 9544292
    Abstract: A credential management system is described that provides a way to disable and/or rotate credentials, such as when a credential is suspected to have been compromised, while minimizing potential impact to various systems that may depend on such credentials. The credentials may be disabled temporarily at first and the availability of various resources is monitored for changes. If no significant drop of availability in the resources has occurred, the credential may be disabled for a longer period of time. In this manner, the credentials may be disabled and re-enabled for increasingly longer time intervals until it is determined with sufficient confidence/certainty that disabling the credential will not adversely impact critical systems, at which point the credential can be rotated and/or permanently disabled. This process also enables the system to determine which systems are affected by a credential in cases where such information is not known.
    Type: Grant
    Filed: December 9, 2015
    Date of Patent: January 10, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: James Leon Irving, Jr., Andrew Paul Mikulski, Gregory Branchek Roth, William Frederick Kruse
  • Patent number: 9537874
    Abstract: The present invention has the aim of providing a method of an activity information notification service in which a server can receive activity information from a user of a target terminal, depending on his or her privacy setting, and then transmit the received activity information to a selected receiving user, and in which any receiving user can transmit a notification request to a target user in order to receive desired activity information. According to an embodiment of the present invention, a method of an activity information notification service at a server, the method includes steps of receiving activity information from a target terminal; determining a receiving terminal to which the received activity information will be transmitted, depending on a privacy setting of the target terminal stored in a storage unit; and transmitting the activity information to the determined receiving terminal.
    Type: Grant
    Filed: January 3, 2013
    Date of Patent: January 3, 2017
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Ji Cheol Lee, Jung Je Son, Sung Ho Choi
  • Patent number: 9516031
    Abstract: A system and method are provided for restricting various operations in a file system based on security contexts. An object security context including permissible roles and defining a set of access permissions associated with each of the permissible roles is assigned to a file system object. A user security context is assigned to a user based on authentication information from the user, and the user security context identifies a user role for the user. An executable security context is assigned to an executable program. When the user has launched the executable program, a process is created and assigned the user security context and the executable security context. Responsive to the process attempting to access the file system object, at least one of the user security context and executable security context is verified against the object security context to determine if the attempted access should be allowed.
    Type: Grant
    Filed: December 1, 2015
    Date of Patent: December 6, 2016
    Assignee: Protegrity Corporation
    Inventors: Yigal Rozenberg, Ulf Mattsson, Raul Ortega
  • Patent number: 9515877
    Abstract: A method of managing an agent by an administrative server is described. The method includes receiving an enrollment request from the agent. The agent is disconnected from a core server, and the core server is periodically connected to the administrative server. The method also includes performing a provisional enrollment procedure with the agent. The method further includes performing an enrollment procedure between the agent and the core server. The method additionally includes performing a configuration procedure between the agent and the core server.
    Type: Grant
    Filed: July 29, 2014
    Date of Patent: December 6, 2016
    Assignee: Crimson Corporation
    Inventors: Mark Robert Tempel, Sean Michael McDonald, Nicholas Paul Krueger, Matthew Mark Hazzard, Kevin Gerard Olson
  • Patent number: 9516028
    Abstract: Access control for shared computing resources in a hierarchical system is provided herein. An as-needed, “lazy evaluation” approach to access control is described in which an effective access control list for a computing resource is determined after a request is received from a user to access the resource. When resources are shared, access control policies are created and stored in association with the shared resource but are not stored in association with hierarchically related lower-level resources. When an access request for a resource is received, access control policies are collected for levels of a computing resource hierarchy that are higher than the hierarchy level of the resource. An effective access control list is determined based on permissions specified in the collected access control policies. The effective access control list represents an effective propagation of access control policies of higher hierarchy levels to the computing resource.
    Type: Grant
    Filed: August 6, 2014
    Date of Patent: December 6, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Borislav Andruschuk, Kevin Fowler
  • Patent number: 9491258
    Abstract: Systems and methods are disclosed for distributing images corresponding to communication endpoints. A system includes one or more servers configured to determine whether image privacy settings corresponding to images of communication endpoints permit the images to be transmitted to others of the communication endpoints for display with contacts lists of the others of the communication endpoints. A method includes transmitting the data corresponding to the images to the others of the communication endpoints as permitted by the image privacy settings. A communication endpoint is configured to present a contacts list displaying the images corresponding to communication endpoints listed in the contacts list to a user, if permitted by the corresponding image privacy settings.
    Type: Grant
    Filed: November 12, 2014
    Date of Patent: November 8, 2016
    Assignee: Sorenson Communications, Inc.
    Inventors: Brett Thelin, Lane Walters, Tara Lalor, James Blackham, Kevin Selman, Cameron Dadgari
  • Patent number: 9491183
    Abstract: In a computing environment a request is received from a computing device associated with a user, requesting access to one or more computing resources. An approximate geographic location of the computing device is determined based on geographic information associated with the computing device. Access to the requested one or more computing resources is allowed based on the approximate geographic location of the computing device and geographic policy information for the user.
    Type: Grant
    Filed: May 31, 2013
    Date of Patent: November 8, 2016
    Assignee: Amazon Technologies, Inc.
    Inventor: Andries Petrus Johannes Dippenaar
  • Patent number: 9485286
    Abstract: A sharing service receives a request to store a media item stored on an electronic book reader device for sharing with one or more other content rendering devices. In response, the sharing service associates a pass phrase with the request. The sharing service then provides the media item to those devices (e.g., eBook reader devices) that provide the pass phrase to the sharing service within a predetermined amount of time.
    Type: Grant
    Filed: June 24, 2014
    Date of Patent: November 1, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Laurent E. Sellier, Edward James Gayles, Lawrence Arnold Lynch-Freshner, Sailesh Rachabathuni, David Berbessou, Xuejin Zhou
  • Patent number: 9477833
    Abstract: The disclosed computer-implemented method for updating possession factor credentials may include (1) detecting a request from a user of a service to designate a new object to be used by the service as a possession factor credential in place of a previously designated object, (2) prior to allowing the user to designate the new object, authenticating the user by proofing the identity of the user to verify that an alleged identity of the user is the actual identity of the user and verifying that the proofed identity of the user had possession of the previously designated object, and (3) in response to verifying that the proofed identity of the user had possession of the previously designated object, designating the new object as the possession factor credential. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 22, 2014
    Date of Patent: October 25, 2016
    Assignee: Symantec Corporation
    Inventors: Ilya Sokolov, Keith Newstadt
  • Patent number: 9479357
    Abstract: Applications running on a mobile device are monitored for suspicious actions utilizing mobile features of the mobile device. Once a suspicious action performed by an application is detected, that suspicious action is suspended. Information about the suspicious action and the application is collected and transmitted to a remote security system over a wireless network. The security system analyzes the suspicious action and the application to determine a security rating of the application, and transmits the security rating back to the mobile device. Whether the application is malware and whether the suspicious action should be allowed to continue are both determined based on the security rating.
    Type: Grant
    Filed: March 5, 2010
    Date of Patent: October 25, 2016
    Assignee: Symantec Corporation
    Inventors: Jie Fu, Zhigang Kan, Gehua Huang, Yuan Yuan Li
  • Patent number: 9471799
    Abstract: A system and method are disclosed for securely receiving data from an input device coupled to a computing system. The system includes an interface configured to receive data from an input device, a coprocessor, and a host computer, wherein the host computer includes an input handler and a host processor. The host processor is configured to execute code in a normal mode and in a privileged mode. The host processor switches from the normal mode to the secure mode upon data being available from the interface while the host computer is in a secure input mode. The input handler receives the data from the interface and sends the received data to the coprocessor responsive to receiving the data while operating in the secure mode.
    Type: Grant
    Filed: September 22, 2014
    Date of Patent: October 18, 2016
    Assignee: ADVANCED MICRO DEVICES, INC.
    Inventors: Joshua S. Schiffman, David A. Kaplan
  • Patent number: 9473463
    Abstract: Methods, systems, computer-readable media, and apparatuses for providing control word and associated entitlement control message (ECM) functionalities are presented. In some embodiments, a computing device may cache concurrently a first set of control words and a first set of entitlement control messages (ECMs) associated with the first set of control words. The computing device may encrypt a transport stream with a particular control word of the first set of control words. The computing device may insert a particular ECM, of the first set of ECMs, corresponding to the particular control word into the transport stream sent to a device downstream from the computing device. In some embodiments, a computing device may reuse control words and associated ECMs.
    Type: Grant
    Filed: July 29, 2014
    Date of Patent: October 18, 2016
    Assignee: Combined Conditional Access Development & Support, LLC
    Inventors: Madhu Penugonda, Lawrence Tang, Kenneth Miller, Douglas Petty
  • Patent number: 9467291
    Abstract: An information processing system includes a management unit that manages information of an object that determines at least one of a parent and a child of the object, a receiving unit that receives specification of an authority object that is an object with which authority information is associated and a request of processing that is to be executed by using the authority object, and a determining unit that determines whether to accept the request or not on the basis of results of a comparison between information of an owner object that is an object that approves the authority information and information of an object that is a parent of the authority object.
    Type: Grant
    Filed: March 4, 2014
    Date of Patent: October 11, 2016
    Assignee: FUJI XEROX CO., LTD.
    Inventor: Taro Terao
  • Patent number: 9462001
    Abstract: Receive, at an access control node (ACN) of a first network enclave, a plurality of data packets inbound to the enclave. The characteristics of each received packet can be communicated from the ACN to a secure access server (SAS) of the enclave. The admissibility, to the first enclave, of each received packet for which characteristics are communicated, can be determined by the first secure access server. For each packet determined to be inadmissible, the technology can communicate, from the SAS to a plurality of ACNs of the first enclave, an instruction to deny admission to packets having the characteristics of the inadmissible packet. At each access control node receiving the instruction, the technology can deny admission to packets having the characteristics of the inadmissible packet based on the instruction to deny admission to packets having the characteristics of the inadmissible packet.
    Type: Grant
    Filed: January 15, 2014
    Date of Patent: October 4, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Gary Michael Willhite, Lauren Suzanne Lomanto
  • Patent number: 9454652
    Abstract: A method is provided for protecting a computer system, comprising creating an isolated process, then assigning a first process group to the process; creating an additional group process within the first process group; performing a first determination by an application programming interface (API) that the additional group process is within the first process group, and as a result of the first determination, causing the additional group process to inherit and duplicate a handle of the process. Process communications and control within isolated groups are permitted freely, whereas process control by an isolated process for non-isolated processes or isolated processes in different groups is constrained or prohibited.
    Type: Grant
    Filed: July 7, 2014
    Date of Patent: September 27, 2016
    Assignee: Secure Vector, LLC
    Inventors: James B. Kargman, Peter Scott, Jeffrey Bromberger
  • Patent number: 9455988
    Abstract: A system and method that includes receiving a first device profile and associating the first device profile with a first application instance that is assigned as an authentication device of a first account; receiving a second device profile for a second application instance, wherein the second application instance is making a request on behalf of the first account; comparing the second device profile to the first device profile; and completing the request of the second application instance according to results of comparing the second device profile and the first device profile.
    Type: Grant
    Filed: April 11, 2016
    Date of Patent: September 27, 2016
    Assignee: Duo Security, Inc.
    Inventors: Jon Oberheide, Douglas Song
  • Patent number: 9455971
    Abstract: The invention relates to a method for a client device (2) to access remote secure data on a remote secure device (1), said secure data being associated with a remote service, characterized in that it comprises creating a secure peer to peer channel (3) between a client application (21) of a client device and said remote secure device so that the client device and the remote secure device exchange data (4) securely and bidirectionally.
    Type: Grant
    Filed: November 18, 2011
    Date of Patent: September 27, 2016
    Assignee: GEMALTO SA
    Inventor: Herve Ganem
  • Patent number: 9455981
    Abstract: A system and method for identifying infection of unwanted software on an electronic device is disclosed. A software agent is configured to generate a bait and is installed on the electronic device. The bait can simulate a situation in which the user performs a login session and submits personal information or it may just contain artificial sensitive information. The output of the electronic device is monitored and analyzed for attempts of transmitting the bait. The output is analyzed by correlating the output with the bait and can be done by comparing information about the bait with the traffic over a computer network in order to decide about the existence and the location of unwanted software.
    Type: Grant
    Filed: September 4, 2015
    Date of Patent: September 27, 2016
    Assignee: Forcepoint, LLC
    Inventor: Lidror Troyansky