Abstract: The disclosed embodiments provide a system that enables access to a resource. During operation, the system obtains, from a first service, a request for access to the resource on a second service by a user using the first service. Next, the system provides, in a response to the request, an intent token for accessing the resource by the user to the first service. Upon receiving the intent token from an authorized user on the second service, the system enables access to the resource on the second service for the user on the first service.

Abstract: Client-side endpoint configuration can be accomplished by allowing a client to include as part of an API request, a desired endpoint for subsequent notifications from a server. The endpoint can be an endpoint identifier, such as a Uniform Resource Identifier (URI) or a domain name. When a web service receives the API request from a client device, the web service can generate a response to the request and send the response to the endpoint identified in the request. The API request can asynchronously communicate with the client device whenever the response is completed.

Abstract: A method and apparatus are for automatically accessing a social network account that provides member information about each of a plurality of social network members. The member information about at least one of the social network members, denoted as a particular member, includes a network detection portion and a security portion. The network detection portion is retrieved from the social network for at least the particular member. A detection is made that the wireless device is within range of a secure wireless network associated with the particular member. The detection uses the network detection portion of the particular member as an input. The security portion of the member information of the particular member is retrieved from the social network. The security portion is used to derive access credentials for the secure wireless network. The derived access credentials are used to securely access the secure wireless network.

Abstract: A mobile computing system for providing a high-security execution environment is provided. The mobile computing system separates execution environments in the same mobile device on the basis of virtualization technology and manages user-specific execution environments using the same hardware security module, thereby facilitating protection of personal privacy.

Abstract: A method and system for evaluating and enforcing a data flow policy at a mobile computing device includes a data flow policy engine to evaluate data access requests made by security-wrapped software applications running on the mobile device and prevent the security-wrapped software applications from violating the data flow policy. The data flow policy defines a number of security labels that are associated with data objects. A software application process may be associated with a security label if the process accesses data having the security label or the process is in communication with another process that has accessed data having the security label.

Abstract: Techniques for resolving conflicts between web service policies that are attached (via LPA and/or GPA metadata) to a policy subject (e.g., a WS client/service endpoint). In one set of embodiments, a priority value can be assigned to each policy attached to a policy subject via the policy's corresponding policy attachment metadata file. These priority values can be taken into account when determining whether one policy should be given precedence over another, conflicting policy attached to the same policy subject. In certain embodiments, as part of this determination, the priority value of a policy can be given greater weight than the scope at which the policy is attached.

Abstract: An electronic apparatus includes a secure unit to store public key information, an input unit to receive user authentication information and a data searching word, a user authenticating unit to perform user authentication with the inputted user authentication information, an encryption generating unit to generate a searching word encryption to use in data search, and a control unit to control generating the searching word encryption using the previously-stored public key information, the inputted user authentication information, and the data searching word.

Abstract: A method and system for evaluating and enforcing a data flow policy at a mobile computing device includes a data flow policy engine to evaluate data access requests made by security-wrapped software applications running on the mobile device and prevent the security-wrapped software applications from violating the data flow policy. The data flow policy defines a number of security labels that are associated with data objects. A software application process may be associated with a security label if the process accesses data having the security label or the process is in communication with another process that has accessed data having the security label.

Abstract: A bus monitoring security device is connected to a bus, which includes a tool side bus having a tool connection terminal and an ECU side bus. The ECU side bus is coupled with an ECU, and the tool side bus is coupled with a tool capable of communicating with the ECU via the tool connection terminal. The tool side bus and the ECU side bus are separately coupled with the bus monitoring security device. The bus monitoring security device includes: a controller for determining whether the tool being to access the ECU is connected to the ECU side bus, and for restricting transmission and reception of data between the tool and the ECU when the controller determines that the tool is connected to the ECU side bus.

Abstract: An example method includes identifying a transport layer security (TLS) session between a client and a server, parsing one or more TLS messages to identify a session ticket associated with the session, transforming the session ticket into a fixed size session token, and managing the session using the session token to identify the session. The transforming may include computing a hash value of the session ticket using a hashing algorithm. If any of the TLS messages is spread across more than one TLS protocol record, the method can include computing a hash value of a portion of the session ticket encountered in a TLS protocol record using a hashing algorithm, incrementally computing another hash value of another portion of the session ticket encountered in a subsequent TLS protocol record from the previously computed hash value, and repeating the incremental computing until portions of the session ticket have been processed.

Abstract: Embodiments of the invention relate to password management of one or more data storage devices. A set of passwords are employed to manage access to the storage devices, with authentication of both passwords enabling access to the subject storage device(s) for read and/or write operation privileges. The first password is known by the user and is used as an initial input string. The second password is not known by the user and is authenticated with the subject storage device(s) through BIOS and without input from the user.