Abstract: Disclosed are various examples for enforcing firmware profiles. First, it is determined that a device record associated with a client device fails to specify a firmware profile. A firmware profile is then generated for the client device. Subsequently, a command is generated that causes a firmware of the client device to be configured based at least in part on the firmware profile. The firmware profile is then stored in the device record.

Abstract: Disclosed are various examples for enforcing firmware profiles. First, it is determined that a device record associated with a client device fails to specify a firmware profile. A firmware profile is then generated for the client device. Subsequently, a command is generated that causes a firmware of the client device to be configured based at least in part on the firmware profile. The firmware profile is then stored in the device record.

Abstract: Disclosed are various examples for enforcing firmware profiles. First, it is determined that a device record associated with a client device fails to specify a firmware profile. A firmware profile is then generated for the client device. Subsequently, a command is generated that causes a firmware of the client device to be configured based at least in part on the firmware profile. The firmware profile is then stored in the device record.

Abstract: Disclosed are various examples for enforcing firmware profiles. First, it is determined that a device record associated with a client device fails to specify a firmware profile. A firmware profile is then generated for the client device. Subsequently, a command is generated that causes a firmware of the client device to be configured based at least in part on the firmware profile. The firmware profile is then stored in the device record.

Abstract: In various embodiments, a device may include a communications interface configured to receive, from the device management server, an indication to perform an action that requires access to a privileged user space. The device may include a processor configured to use a bridge service to perform the action, where the bridge service runs in a security context that enables the service to operate in the privileged user space. In various embodiments, a server may include a communications interface and a processor. The processor may be configured to receive an indication to perform a management action not within a native device management functionality. The processor may be further configured to invoke a bridge service running on the managed device to perform the action by sending a request via the communications interface, where the bridge service runs in a security context that enables the service to operate in the privileged user space.

Abstract: In various embodiments, a device may include a communications interface configured to receive, from the device management server, an indication to perform an action that requires access to a privileged user space. The device may include a processor configured to use a bridge service to perform the action, where the bridge service runs in a security context that enables the service to operate in the privileged user space. In various embodiments, a server may include a communications interface and a processor. The processor may be configured to receive an indication to perform a management action not within a native device management functionality. The processor may be further configured to invoke a bridge service running on the managed device to perform the action by sending a request via the communications interface, where the bridge service runs in a security context that enables the service to operate in the privileged user space.

Abstract: In various embodiments, a device may include a communications interface configured to receive, from the device management server, an indication to perform an action that requires access to a privileged user space. The device may include a processor configured to use a bridge service to perform the action, where the bridge service runs in a security context that enables the service to operate in the privileged user space. In various embodiments, a server may include a communications interface and a processor. The processor may be configured to receive an indication to perform a management action not within a native device management functionality. The processor may be further configured to invoke a bridge service running on the managed device to perform the action by sending a request via the communications interface, where the bridge service runs in a security context that enables the service to operate in the privileged user space.

Abstract: In various embodiments, a device may include a communications interface configured to receive, from the device management server, an indication to perform an action that requires access to a privileged user space. The device may include a processor configured to use a bridge service to perform the action, where the bridge service runs in a security context that enables the service to operate in the privileged user space. In various embodiments, a server may include a communications interface and a processor. The processor may be configured to receive an indication to perform a management action not within a native device management functionality. The processor may be further configured to invoke a bridge service running on the managed device to perform the action by sending a request via the communications interface, where the bridge service runs in a security context that enables the service to operate in the privileged user space.

Abstract: A server architecture for a digital rights management system that distributes and protects rights in content. The server architecture includes a retail site which sells content items to consumers, a fulfillment site which provides to consumers the content items sold by the retail site, and an activation site which enables consumer reading devices to use content items having an enhanced level of copy protection. An activation site provides an activation certificate and a secure repository executable to consumer content-rendering devices which enables those content rendering devices to render content having an enhanced level of copy-resistance. The activation site “activates” client-reading devices in a way that binds them to a persona, and limits the number of devices that may be activated for a particular persona, or the rate at which such devices may be activated for a particular persona.

Abstract: A digital rights management system for the distribution, protection and use of electronic content. The system includes a client architecture which receives content, where the content is preferably protected by encryption and may include a license and individualization features. Content is protected at several levels, including: no protection; source-sealed; individually-sealed (or “inscribed”); source-signed; and fully-individualized (or “owner exclusive”). The client also includes and/or receives components which permit the access and protection of the encrypted content, as well as components that allow content to be provided to the client in a form that is individualized for the client. In some cases, access to the content will be governed by a rights construct defined in the license bound to the content.

Abstract: A technique for obfuscating code. A list of one-byte instructions for a particular processor is created. Bytes in a function to be obfuscated are randomly selected, and these bytes are replaced with one-byte instructions from the list. A table that identifies the replaced bytes and their original values is inserted into the executable that contains the function. When the function is called, the function is deobfuscated by consulting the table to restore the replaced bytes to their original values.

Abstract: Bifurcated processes, in which a shadow process in a first environment is controlling thread scheduling for a trusted agent in a second, high assurance environment, can be debugged via a two-phase initialization of the debugger. In the first phase, initial set up is accomplished for the trusted agent, but no shadow process will schedule execution for any thread of the trusted agent. The debugger will then be attached. In a second phase, the shadow process will begin scheduling threads for the trusted agent. In order to allow the debugger access to the process memory of the trusted agent or to set or get information regarding a particular thread of the trusted agent, a thread which is either a thread belonging to the trusted agent or belonging to the second execution environment and matched with the trusted agent is used.

Abstract: A method and apparatus for invoking system resources directly from within a mark-up language document. Links referencing a pre-defined system command to be invoked may be embedded within the document. The specific system command may be identified in the link by an alias, such as, for example, a numeric code. By clicking on the link, the system will analyze the contents of the link. If the link calls for invoking a system command, the system will extract the alias, determine the appropriate pre-defined system command referred to by the alias, and execute the system command.

Abstract: A server architecture for a digital rights management system that distributes and protects rights in content. The server architecture includes a retail site which sells content items to consumers, a fulfillment site which provides to consumers the content items sold by the retail site. The fulfillment site includes an asynchronous fulfillment pipeline which logs information about processed transactions using a store-and-forward messaging service. The fulfillment site may be implemented as several server devices, each having a cache which stores frequently downloaded content items, in which case the asynchronous fulfillment pipeline may also be used to invalidate the cache if a change is made at one server that affects the cached content items.

Abstract: A server architecture for a digital rights management system that distributes and protects rights in content. The server architecture includes a retail site which sells content items to consumers, a fulfillment site which provides to consumers the content items sold by the retail site, and an activation site which enables consumer reading devices to use content items having an enhanced level of copy protection. An activation site provides an activation certificate and a secure repository executable to consumer content-rendering devices which enables those content rendering devices to render content having an enhanced level of copy-resistance. The activation site “activates” client-reading devices in a way that binds them to a persona, and limits the number of devices that may be activated for a particular persona, or the rate at which such devices may be activated for a particular persona.

Abstract: A digital rights management system for the distribution, protection and use of electronic content. The system includes a client architecture which receives content, where the content is preferably protected by encryption and may include a license and individualization features. Content is protected at several levels, including: no protection; source-sealed; individually-sealed (or “inscribed”); source-signed; and fully-individualized (or “owner exclusive”). The client also includes and/or receives components which permit the access and protection of the encrypted content, as well as components that allow content to be provided to the client in a form that is individualized for the client. In some cases, access to the content will be governed by a rights construct defined in the license bound to the content.

Abstract: A server architecture for a digital rights management system that distributes and protects rights in content. The server architecture includes a retail site which sells content items to consumers, a fulfillment site which provides to consumers the content items sold by the retail site, and an activation site which enables consumer reading devices to use content items having an enhanced level of copy protection. Each retail site is equipped with a URL encryption object, which encrypts, according to a secret symmetric key shared between the retail site and the fulfillment site, information that is needed by the fulfillment site to process an order for content sold by the retail site. Upon selling a content items, the retail site transmits to the purchase a web page having a link to a URL comprising the address of the fulfillment site and a parameter having the encrypted information.

Abstract: A digital rights management system for the distribution, protection and use of electronic content. The system includes a client architecture which receives content, where the content is preferably protected by encryption and may include a license and individualization features. Content is protected at several levels, including: no protection; source-sealed; individually-sealed (or “inscribed”); source-signed; and filly-individualized (or “owner exclusive”). The client also includes and/or receives components which permit the access and protection of the encrypted content, as well as components that allow content to be provided to the client in a form that is individualized for the client. In some cases, access to the content will be governed by a rights construct defined in the license bound to the content.

Abstract: A server architecture for a digital rights management system that distributes and protects rights in content. The server architecture includes a retail site which sells content items to consumers, a fulfillment site which provides to consumers the content items sold by the retail site, and an activation site which enables consumer reading devices to use content items having an enhanced level of copy protection. Each retail site is equipped with a URL encryption object, which encrypts, according to a secret symmetric key shared between the retail site and the fulfillment site, information that is needed by the fulfillment site to process an order for content sold by the retail site. Upon selling a content item, the retail site transmits to the purchaser a web page having a link to a URL comprising the address of the fulfillment site and a parameter having the encrypted information.

Abstract: A digital rights management system for the distribution, protection and use of electronic content. The system includes a client architecture which receives content, where the content is preferably protected by encryption and may include a license and individualization features. Content is protected at several levels, including: no protection; source-sealed; individually-sealed (or “inscribed”); source-signed; and fully-individualized (or “owner exclusive”). The client also includes and/or receives components which permit the access and protection of the encrypted content, as well as components that allow content to be provided to the client in a form that is individualized for the client. In some cases, access to the content will be governed by a rights construct defined in the license bound to the content.