Abstract: The current document is directed to methods and subsystems incorporated in computer systems that automatically detect denial-of-service (“DoS”) attacks directed to the computer systems and that deflect the denial-of-service attacks with minimal impact to legitimate network traffic. In the described implementation, an automated subsystem is incorporated into a computer system, such as a server, to automatically detect onset of high inbound network traffic symptomatic of a DoS attack and to automatically deflect the attack at the edge-router interface, or at another similar network boundary, between a distributed computer system and a wide-area network (“WAN”) and/or the Internet. DoS-attack deflection at the network boundary decreases the chance of failure and degradation within the distributed computer system by preserving network bandwidth in internal networks within the distributed computer system.

Abstract: The current document is directed to methods and systems for secure provisioning, publication, distribution, and utilization of public-key certificates. These methods and systems employ domain name system (“DNS”) servers implementing the DNS security extensions (“DNSSEC servers”), a publisher component, and additional client-side and server-side functionalities. Public-key certificates provided by the DNSSEC servers engender a high degree of trust, as their integrity is protected and can be readily authenticated by the cryptographic-digital-signature based chains of trust provided by the DNSSEC. The systems to which the current document is directed employ DNSSEC servers, a publisher component, and additional client-side and server-side functionalities, and are referred to as “Public-key certificate Distribution and Management Systems” (“CDMSs”).

Abstract: Embodiments of the present invention are directed to computationally efficient methods and systems for managing connection-associated and exchange-associated resources within network proxies. In one embodiment of the present invention, a circular connection-switch queue is employed for allocating, de-allocating, and maintaining connection-based or exchange-based data resources within a proxy. The connection-switch queue includes a free pointer that identifies a next connection-switch queue entry for allocation, and an idle pointer that is incremented continuously or at fixed intervals as timers associated with connection-switch entries expire. In an alternate embodiment, the connection-switch queue includes a free pointer, an idle pointer, and a clear pointer.

Abstract: Methods and techniques are provided for implementing a queued, asynchronous application programming interface (API) for network communications. According to one embodiment, the API provides (i) a system abstraction representing a connection between a local machine and a remote machine, and (ii) multiple routines accessible to applications for operating on connections. The connections instantiated by applications based upon the system abstraction are capable of providing full duplex communication channels between their respective local machines and remote machines. The routines define operations and parameters to establish, accept, read, write and close the connections.

Abstract: Operating system methods and techniques for supporting one or more custom execution environments (CE2s) are provided. According to one embodiment, a determination is made with respect to which system resources of a computer system, if any, are to remain under control of a resident operating system of the computer system and which of the system resources are to be placed under control of one or more CE2s. The system resources are then partitioned among the resident operating system and the one or more CE2s by associating one or more partitions of the system resources with the one or more CE2s. Such partitioning may be performed by the resident operating system by employing hardware-based isolation techniques provided by a processor of the computer system, performed by the resident operating system by employing a secure-platform interface, or configured by a system administrator via hardware partitioning capability provided by the computer system platform.

Abstract: Methods and techniques for implementing a custom execution environment (CE2) and a related loader are provided. According to one embodiment, the CE2 includes code and data sections of an application and code and data sections of a set of system services. The set of system services has direct and full control of a set of hardware resources of a computer system containing one or more processors implementing a parallel protected architecture. According to one embodiment, the system services are designed for maximum simplicity, fastest possible speed, and elimination of security vulnerabilities.