Patents by Inventor Joubert Berger

Joubert Berger has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7962950
    Abstract: In one embodiment, the present invention is related to a computer system including compartments implemented on an operating system. A database contains access rules with the access rules defining which compartments are authorized to access particular file resources. A kernel module receives a system call to access a file from a user space application belonging to a compartment. A security module determines whether the user space application is authorized to access the file utilizing access rules stored in the database.
    Type: Grant
    Filed: June 29, 2001
    Date of Patent: June 14, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Tse Huong Choo, Scott Alan Leerssen, Joubert Berger
  • Patent number: 7660980
    Abstract: Methods and systems for establishing secure TCP/IP communications for individual network connections include the steps of intercepting a conventional TCP SYN packet prior to transmission from a source node to a destination node, embedding unique identifiers into standard fields of the packet header, wherein the unique identifiers are associated with the specific connection attempt and wherein the unique identifiers identify the user account and/or the computer hardware initiating the communication attempt, then forwarding the modified TCP SYN packet to the destination node and intercepting the modified TCP SYN packet prior to arrival, determining whether secure communications are required based on the unique identifiers extracted from the packet headers, based on other TCP/IP information, and based on predefined rules associated with the same. If secure communications are required, such requirement is communicated within either an RST or a SYN-ACK back to the source node.
    Type: Grant
    Filed: March 23, 2007
    Date of Patent: February 9, 2010
    Assignee: Liquidware Labs, Inc.
    Inventors: A. David Shay, Joubert Berger, Patricia Joy Leima, Jonathan Alexander, Chaoting Xuan
  • Publication number: 20070300290
    Abstract: Methods and systems for establishing secure TCP/IP communications for individual network connections include the steps of intercepting a conventional TCP SYN packet prior to transmission from a source node to a destination node, embedding unique identifiers into standard fields of the packet header, wherein the unique identifiers are associated with the specific connection attempt and wherein the unique identifiers identify the user account and/or the computer hardware initiating the communication attempt, then forwarding the modified TCP SYN packet to the destination node and intercepting the modified TCP SYN packet prior to arrival, determining whether secure communications are required based on the unique identifiers extracted from the packet headers, based on other TCP/IP information, and based on predefined rules associated with the same. If secure communications are required, such requirement is communicated within either an RST or a SYN-ACK back to the source node.
    Type: Application
    Filed: March 23, 2007
    Publication date: December 27, 2007
    Applicant: Trusted Network Technologies
    Inventors: A. David Shay, Joubert Berger, Patricia Leima, Jonathan Alexander, Chaoting Xuan
  • Publication number: 20030084436
    Abstract: A system and method for installing applications in a trusted environment is disclosed. The method comprises enabling selection of an application from one or more applications; enabling dragging of a graphical representation of the selected application towards a graphical representation of a compartment of the trusted operating system; and enabling dropping of the graphical representation of the application on the graphical representation of the compartment. In response to the dropping of the graphical representation of the selected application, automatically installing the selected application in the selected compartment.
    Type: Application
    Filed: October 30, 2001
    Publication date: May 1, 2003
    Inventors: Joubert Berger, Scott A. Leerssen, Craig H. Rubin
  • Publication number: 20030014466
    Abstract: A system and method are disclosed which enable management of compartments implemented by an OS for defining containment in a system. In one embodiment, a method of administering a processor-based system is disclosed, which comprises implementing at least one compartment for containing at least one process, and providing at least one command-line utility executable to manipulate the compartment(s). A system is also disclosed that comprises an operating system that implements compartment(s) to which process(es) can be associated. The system further includes at least one configuration file that defines the compartment(s), and means for performing management of the compartment(s) without requiring that a user edit the configuration file(s). A computer-readable medium is also disclosed that comprises a library of software functions for managing compartment(s) implemented by an operating system. Such library includes at least one command-line utility executable to manipulate the compartment(s).
    Type: Application
    Filed: June 29, 2001
    Publication date: January 16, 2003
    Inventors: Joubert Berger, Scott A. Leerssen, Tse Huong Choo, Richard B. Stock, Christopher I. Dalton, Andrew Patrick Norman
  • Publication number: 20030014557
    Abstract: A system and method are disclosed which enable generation of output that includes collected audit data formatted in a desired manner. Such collected audit data relates to the execution of a routine. In one embodiment, a processor-based system is disclosed that comprises an operating system that includes at least one routine capable of being invoked. The operating system may also be operable to collect audit data for invoked operating system routines. The system further comprises software code executable to receive collected audit data and generate output that includes at least a portion of the collected audit data in a desired format that is defined by a template. A library of functions is also disclosed that enable accessing collected audit data, accessing a template, and generating output formatted according to the template.
    Type: Application
    Filed: June 29, 2001
    Publication date: January 16, 2003
    Inventors: Joubert Berger, Scott Alan Leerssen
  • Publication number: 20030009685
    Abstract: In one embodiment, the present invention is related to a computer system including compartments implemented on an operating system. A database contains access rules with said access rules defining which compartments are authorized to access particular file resources. A kernel module receives a system call to access a file from a user space application belonging to a compartment. A security module determines whether said user space application is authorized to access said file utilizing access rules stored in said database.
    Type: Application
    Filed: June 29, 2001
    Publication date: January 9, 2003
    Inventors: Tse-Huong Choo, Scott A. Leerssen, Joubert Berger
  • Publication number: 20030005168
    Abstract: In one embodiment, the present invention is directed to a system and method in which a wrapper function is placed in memory. Additionally, address information is written into an entry of a system call table, said address information being associated with said wrapper function. Further, processing control is transferred to said wrapper function. The wrapper function transfers processing control to a system call routine, retrieves parameters associated with the system call routine, utilizes the parameters to generate audit data, and writes the audit data to a buffer.
    Type: Application
    Filed: June 29, 2001
    Publication date: January 2, 2003
    Inventors: Scott Alan Leerssen, Joubert Berger