Abstract: Systems and methods are provided for implementing a multi-persona launcher for a computing device. After a user has authenticated himself or herself to the computing device, embodiments of the present disclosure provide the user with the ability to launch applications under a variety of personas. For example, a mobile handset can detect a “dwell” event for a particular icon and can then display an option to launch the application associated with the icon under a variety of personas. The user can select to launch the application under either persona without having to log in again.

Abstract: A one-way router combines benefits of a network diode and router, and thus can route data between networks of varying confidentiality and/or integrity in a secure, one-way fashion. Secure routing is provided transparently so that the router is compatible with standard network applications by synthesizing responses for standard network protocols to provide many-to-many network connections while preventing bidirectional data flow. Separate network stacks are provided for each connected network, and the network stacks are separated from each other by data diodes that enforce one-way data flow. The one-way router can be implemented in hardware or software, and provides architectural flexibility to customize levels of assurance, performance, reliability, and cost.

Abstract: A system, method, and apparatus that efficiently and stringently analyze messages are provided. A message's properties are encoded into a bitwise representation of fixed length, which is compared to a binary representation of each rule from a release policy to determine if the rule is satisfied. This process is efficient and allows near real time comparisons and decisions.

Abstract: A one-way router combines benefits of a network diode and router, and thus can route data between networks of varying confidentiality and/or integrity in a secure, one-way fashion. Secure routing is provided transparently so that the router is compatible with standard network applications by synthesizing responses for standard network protocols to provide many-to-many network connections while preventing bidirectional data flow. Separate network stacks are provided for each connected network, and the network stacks are separated from each other by data diodes that enforce one-way data flow. The one-way router can be implemented in hardware or software, and provides architectural flexibility to customize levels of assurance, performance, reliability, and cost.

Abstract: Provided are systems and methods for applying access controls to separate and contain virtual machines in a flexible, configurable manner. Access can be granted or removed to a variety of system resources—including network cards, shared folders, and external devices. Operations, such as cut and paste, between the virtual machines can be restricted or allowed. Virtual machines are run in containers. This allows more than one virtual machine to share the same access profile. Containers can be configured to allow a user to instantiate a virtual machine at run time. This allows the user to dynamically define which virtual machines run in various containers. An administrator determines which containers (if any) allow dynamic instantiation, and specifies the list of virtual machines the user can choose from. A container, and/or virtual machines within the container, can be restricted to particular users.

Abstract: The present invention provides secure inter-process communications, and applications thereof. In an embodiment, a shared memory and a message queue are used to provide a secure communication channel between a first computer process and a second computer process. The shared memory provides a path for high-bandwidth data transfer in a forward direction. The message queue provides a path for controlling the data transfer in the forward direction, while limiting data transfer in the reverse direction. A third computer process creates the message queue that is used by the first computer process and the second computer process to control the passage of data. Access to the shared memory and the message queue are enforced using a mandatory access control security policy.

Abstract: Provided are systems and methods for implementing mandatory access control in a computer, and applications thereof. An embodiment provides a security policy generator that generates security policies for one or more machines of a network based on a single set of enterprise configuration parameters. This single set of enterprise configuration parameters comprises relatively few lines of text compared to a typical security policy file. The present invention makes it possible to easily configure, change, and adapt mandatory access control security policies to enforce application-specific security goals across many networked systems to create a single, distributed, secure enterprise. With the present invention, a network administrator, for example, can set familiar network and file configuration options that automatically result in security changes without requiring extensive knowledge of the operating system kernel or how to develop a mandatory access control security policy.

Abstract: Presented herein are systems and methods for configuring a mandatory access control security policy in a computer, and applications thereof. An embodiment provides a security configuration program. The security configuration program configures a security policy based on user input. For example, a user may provide input regarding ranges of values corresponding to a resource, such as ports and/or Internet protocol (IP) addresses, to which a process is to be granted access. The security configuration program configures the security policy to allow the process access to the specified ranges of values for the resource. In this way, a security configuration program in accordance with an embodiment of the present invention allows a user to configure and extend a security policy without special knowledge of the security policy language.