Abstract: A pattern matching access control system determines whether a principal should be granted access to use a resource based on properties of applications comprised by the principal. The principal name may be created when an application is loaded, invokes other applications (or programs) and/or assumes a new role context. Access is provided based on whether, for each application, the publisher is authorized by system policy to grant privilege as requested by the application. When a resource which requires the privilege is requested by a principal, an access control list (ACL) for the resource is expanded with a list of applications that have been authorized through their publisher to assert the privilege. The expanded ACL is compared to the principal name to determine resource access.

Abstract: An IP (Internet Protocol) address is a directly observable identifier of host network traffic in the Internet and a host's IP address can dynamically change. Analysis of traffic (e.g., network activity or application request) logs may be performed and a host tracking graph may be generated that shows hosts and their bindings to IP addresses over time. A host tracking graph may be used to determine host accountability. To generate a host tracking graph, a host is represented. Host representations may be application-dependent. In an implementation, application-level identifiers (IDs) such as user email IDs, messenger login IDs, social network IDs, or cookies may be used. Each identifier may be associated with a human user. These unreliable IDs can be used to track the activity of the corresponding hosts.

Abstract: A device driver includes a kernel stub and a user-mode module. The device driver may access device registers while operating in user-mode to promote system stability while providing a low-latency software response from the system upon interrupts. Upon receipt of an interrupt, the kernel stub may run an interrupt service routine and write information to shared memory. Control is passed to the user-mode module by a reflector. The user-mode module may then read the information from the shared memory to continue servicing the interrupt.

Abstract: A transactional memory system is described for reporting memory access violations which occur when memory accesses made from instructions within a transaction conflict with memory accesses to the same memory location made from a non-transactional instruction. In an embodiment this is achieved by creating two mappings of a physical heap being used by a thread. The thread (which may be part of a multi-threaded process) comprises instructions for both transactional and non-transactional accesses to the physical heap which may execute concurrently as part of that thread. One of the mappings is used for non-transactional memory accesses to the physical heap. The other mapping is used for transactional memory accesses to the physical heap. Access permissions associated with the mappings are controlled to enable attempted memory access violations to be detected and reported.

Abstract: A system to automatically classify types of IP addresses associated with a user. Information, such as user names, machine information, IP address, etc., may be obtained from logs. For each user or host in the logs, home IP addresses are identified from IP addresses where the user or host shows a predetermined level of activity. Travel IP addresses are identified, which are IP addresses at locations greater than a predetermined distance from the home IP addresses, as determined from geolocation data. A pattern analysis may be performed to determine which of the home IP addresses are work IP addresses associated with the user or host. The system may thus provide a classification of a user's or host's associated IP addresses as being one of travel, home, and work IP addresses. From this classification, mobility patterns may be derived, as well as applications to enhance security, advertising, search and network management.

Abstract: Instruction set architecture (ISA) extension support is described for control-flow integrity (CFI) and for XFI memory protection. ISA replaces CFI guard code with single instructions. ISA support is provided for XFI in the form of bounds-check instructions. Compared to software guards, hardware support for CFI and XFI increases the efficiency and simplicity of enforcement. In addition, the semantics for CFI instructions allows more precise static control-flow graph encodings than were possible with a prior software CFI implementation.

Abstract: A verifier performs static checks of machine code to ensure that the code will execute safely. After verification is performed, the code is executed. The code modules generated by the rewriter and verified by the verifier prevent runtime code modifications so that properties established by the verifier cannot be invalidated during execution. Guards ensure that control flows only as expected. Stack data that must be shared within a code module, and which may therefore be corrupted during execution, is placed on a separate data stack. Other stack data remains on the regular execution stack, called the control stack. Multiple memory accesses can be checked by a single memory-range guard, optimized for fast access to the most-frequently used memory.

Abstract: A framework identifies malicious queries contained in search logs to uncover relationships between the malicious queries and the potential attacks launched by attackers submitting the malicious queries. A small seed set of malicious queries may be used to identify an IP address in the search logs that submitted the malicious queries. The seed set may be expanded by examining all queries in the search logs submitted by the identified IP address. Regular expressions may be generated from the expanded set of queries and used for detecting yet new malicious queries. Upon identifying the malicious queries, the framework may be used to detect attacks on vulnerable websites, spamming attacks, and phishing attacks.

Abstract: Described herein is an implementation of a technology for the construction, identity, and/or optimization of operating-system processes. At least one implementation, described herein, constructs an operating-system process having the contents as defined by a process manifest. Once constructed, the operating-system process is unalterable.

Abstract: Strong semantics are provided to programs that are correctly synchronized in their use of transactions by using dynamic separation of objects that are accessed in transactions from those accessed outside transactions. At run-time, operations are performed to identify transitions between these protected and unprotected modes of access. Dynamic separation permits a range of hardware-based and software-based implementations which allow non-conflicting transactions to execute and commit in parallel. A run-time checking tool, analogous to a data-race detector, may be provided to test dynamic separation of transacted data and non-transacted data. Dynamic separation may be used in an asynchronous I/O library.

Abstract: Unobservable memory regions, referred to as stealth memory regions, are allocated or otherwise provided to store data whose secrecy is to be protected. The stealth memory is prevented from exposing information about its usage pattern to an attacker or adversary. In particular, the usage patterns may not be deduced via the side-channels.

Abstract: Described herein are one or more implementations that facilitate message-passing over a communication conduit between software processes in a computing environment. More particularly, the implementations described restrict access of one process to another via messages passed over a particular conduit connecting the processes and the access-control restrictions are defined by a contract associated with that particular conduit.

Abstract: An IP (Internet Protocol) address is a directly observable identifier of host network traffic in the Internet and a host's IP address can dynamically change. Analysis of traffic (e.g., network activity or application request) logs may be performed and a host tracking graph may be generated that shows hosts and their bindings to IP addresses over time. A host tracking graph may be used to determine host accountability. To generate a host tracking graph, a host is represented. Host representations may be application-dependent. In an implementation, application-level identifiers (IDs) such as user email IDs, messenger login IDs, social network IDs, or cookies may be used. Each identifier may be associated with a human user. These unreliable IDs can be used to track the activity of the corresponding hosts.

Abstract: An IP (Internet Protocol) address is a directly observable identifier of host network traffic in the Internet and a host's IP address can dynamically change. Analysis of traffic (e.g., network activity or application request) logs may be performed and a host tracking graph may be generated that shows hosts and their bindings to IP addresses over time. A host tracking graph may be used to determine host accountability. This can enable host-based blacklisting instead of the traditional IP address based blacklisting. Host tracking results can be leveraged for forensic analysis to understand an attacker's traces and identify malicious activities in a postmortem fashion. The host tracking information may be used to build a tracklist which can block future attacks.

Abstract: Described herein is an implementation of a technology for the construction, identification, and/or optimization of operating-system processes. At least one implementation, described herein, constructs an operating-system process having the contents as defined by a process manifest. Once constructed, the operating-system process is unalterable.

Abstract: Transactional memory compatibility type attributes are associated with intermediate language code to specify, for example, that intermediate language code must be run within a transaction, or must not be run within a transaction, or may be run within a transaction. Attributes are automatically produced while generating intermediate language code from annotated source code. Default rules also generate attributes. Tools use attributes to statically or dynamically check for incompatibility between intermediate language code and a transactional memory implementation.

Abstract: Runtime checks on a program may be used to determine whether a pointer points to a legitimate target before the pointer is dereferenced. Legitimate addresses, such as address-taken local variables (ATLVs), global variables, heap locations, functions, etc., are tracked, so that the legitimate targets of pointers are known. The program may be transformed so that, prior to dereferencing a pointer, the pointer is checked to ensure that it points to a legitimate address. If the pointer points to a legitimate address, then the dereferencing may proceed. Otherwise, an error routine may be invoked. One example way to keep track of legitimate addresses is to group address-taken variables together within a specific range or ranges of memory addresses, and to check that a pointer has a value within that range prior to dereferencing the pointer. However, addresses may be tracked in other ways.

Abstract: A probabilistic detector is utilized to query a database. Utilization of a probabilistic detector provides assurance with 100 per cent probability that a search expression in the query is not in the database index. The probabilistic detector is implemented in the form of a Bloom filter. The probabilistic detector is created by hashing expressions in the database index and mapping the resulting hash values into the probabilistic detector. Upon receiving a query, expressions of the query are hashed. The probabilistic detector is queried using these hash values. If the results of querying the probabilistic detector indicate that searched for information may be in the database, the database is not queried. If the results of querying the probabilistic detector indicate that the information may be in the database, the database is queried for the information using the original query. This technique is advantageous in mitigating detrimental effects of denial of service attacks.

Abstract: Systems and methods are provided for resource access control in computer systems. Our approach includes new techniques for composing and authenticating principals in an access control system. Our principals may comprise information that identifies the role of the user of a computer system, the mechanism by which the user was authenticated, and program execution history. Thus, when a principal makes a request, access control determinations can be made based on the principal's identity. Access control lists may provide patterns that are used to recognize principals, thereby ensuring a level of security without enumerating precise identifiers for all of the possible principles that may request a particular resource.

Abstract: A transactional memory system is described for reporting memory access violations which occur when memory accesses made from instructions within a transaction conflict with memory accesses to the same memory location made from a non-transactional instruction. In an embodiment this is achieved by creating two mappings of a physical heap being used by a thread. The thread (which may be part of a multi-threaded process) comprises instructions for both transactional and non-transactional accesses to the physical heap which may execute concurrently as part of that thread. One of the mappings is used for non-transactional memory accesses to the physical heap. The other mapping is used for transactional memory accesses to the physical heap. Access permissions associated with the mappings are controlled to enable attempted memory access violations to be detected and reported.