Patents Examined by Jeffrey Pwu
  • Patent number: 9489534
    Abstract: A multi-level security system includes a storage medium partitionable into a plurality of partitions, a file system coupleable to the plurality of partitions, and a plurality of enclaves. Each enclave is assigned a security classification level. Each enclave resides in a different storage partition of the storage medium. Data stored on the storage medium is cryptographically separated at rest on a per-enclave basis. Cryptographic separation occurs at the disk block level, allowing individual blocks to be read and decrypted. The system also includes a reference monitor that enforces a system security policy that governs access to information between the enclaves. The reference monitor allows an enclave having a first classification level to securely read-down to an enclave having a second classification level lower than the first classification level and to write to another enclave having the first classification level.
    Type: Grant
    Filed: October 23, 2014
    Date of Patent: November 8, 2016
    Assignee: Northrop Grumman Systems Corporation
    Inventors: Brant D. Hashii, Mark O. Scott, Daniel R. Silverman, Lee Wixtrom, Jonathan Tester, Steve A. Brown
  • Patent number: 9491141
    Abstract: A system is provided for filtering packets. The system includes: a filter for determining, by applying a set of at least one filtering rule, whether a packet is permitted to be routed towards a receiving entity. The system includes a verification element for verifying validity of an authentication token included in a request received by the filtering system and adds, to the set, after receiving an initial request, a so-called top-level filtering rule, permitting the routing, towards the verification element, of at least one packet received via a predetermined communication port of the device, in which the source address is identical to the source address of the initial request, regardless of the source communication port of the subsequent request. A routing element routes a subsequent request including a valid authentication token towards a receiving entity of the subsequent request.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: November 8, 2016
    Assignee: ORANGE
    Inventors: Romain Carbou, Remi Bars
  • Patent number: 9489498
    Abstract: The present invention discloses several methods to strengthen the integrity of entities, messages, and processing related to content distribution as defined by the Open Mobile Alliance (OMA) Digital Rights Management (DRM). The methods use techniques related to the Trusted Computing Group (TCG) specifications. A first embodiment uses TCG techniques to verify platform and DRM software integrity or trustworthiness, both with and without modifications to the DRM rights object acquisition protocol (ROAP) and DRM content format specifications. A second embodiment uses TCG techniques to strengthen the integrity of ROAP messages, constituent information, and processing without changing the existing ROAP protocol. A third embodiment uses TCG techniques to strengthen the integrity of the ROAP messages, information, and processing with some changes to the existing ROAP protocol.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: November 8, 2016
    Assignee: InterDigital Technology Corporation
    Inventors: Inhyok Cha, Yogendra C. Shah, Amit Singhal
  • Patent number: 9479510
    Abstract: A social networking system maintains a limited user profile associated with a user of the social networking system who does not satisfy one or more criteria for the social networking system to maintain a user profile. The limited user profile includes information describing the user and allows the user to be associated with limited types of interactions with the social networking system. An administrator is associated with the limited user profile and may modify information associated with the limited user profile as well as authorize or deny interactions involving the limited user profile. When the user satisfies criteria for the social networking system maintaining a user profile, the social networking system generates a user profile based on information in the limited user profile and prior interactions involving the limited user profile.
    Type: Grant
    Filed: July 11, 2014
    Date of Patent: October 25, 2016
    Assignee: Facebook, Inc.
    Inventors: Benjamin Michael Holson, Dan Barak
  • Patent number: 9479998
    Abstract: Systems and methods are described herein for authenticating a user device that uses a wireless local area network, determining the location of the device, and complying with wireless guidelines based at least in part on the location. The user device may communicate with a location server to determine the user device's location. The user device will determine which wireless guidelines are applicable to that location and configure the wireless system or any device feature to comply with the guidelines. For example, some locations prohibit the operation of wireless devices with a frequency of greater than 5 GHz. If the location of the user device dictates compliance with that guideline, the user device will not transmit wireless signals with a frequency of greater than 5 GHz.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: October 25, 2016
    Assignee: Intel Corporation
    Inventors: David Birnbaum, Guy Halperin, Adi Shaliv, Eran Friedlander
  • Patent number: 9477569
    Abstract: A system and method that identifies and effectuates communication between a connectable client and a wireless human interface device. The wireless human interface device utilizes technologies to abstract the complexities of IP based wired and wireless networks to provide mechanisms to easily discover, associate, utilize and diagnose the wireless human interface device. Through the ensuing abstraction the wireless human interface device can be associated with an unlimited number of connectable networked clients or hosts thus eliminating the requirement of analog switch boxes to connect human interface devices to each connectable host or client, and further providing for the control of local and/or Internet based hosts or clients.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: October 25, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Scott Manchester, Takeshi Nagao, Keiichi Kishi, Takeshi Misu, Yasuhiro Odagiri, Yusuke Jinnai, David A. Roberts
  • Patent number: 9471781
    Abstract: In one embodiment, a method includes obtaining at least one packet from a first element on a Universal Serial Bus (USB) bus. The at least one packet is intended for a second element. The method also includes processing the at least one packet to determine whether the at least one packet is associated with unsafe content, and providing the at least one packet to the second element if it is determined that the at least one packet is not associated with the unsafe content. The at least one packet is provided to the second element on the USB bus. Finally, the method includes blocking the at least one packet from being provided to the second element when it is determined that the at least one packet is associated with the unsafe content.
    Type: Grant
    Filed: August 23, 2013
    Date of Patent: October 18, 2016
    Assignee: Cisco Technology, Inc.
    Inventor: Christopher Shannon Gourley
  • Patent number: 9471789
    Abstract: The present invention provides for analysis of cyber-physical systems with relation to compliance requirements such as regulatory compliance, maintenance compliance and safety compliance. Generally, the invention provides for a set of paths from an initial state to an end state, and analyzing the paths to determine which ones contain a violation state. Based on the resultant paths test scripts are generated. Additionally, other compliance related procedures can be performed utilizing the path analysis.
    Type: Grant
    Filed: February 19, 2013
    Date of Patent: October 18, 2016
    Assignee: The University of Tulsa
    Inventors: John Chandler Hale, Peter Joseph Hawrylak, Mauricio Jose Papa
  • Patent number: 9473518
    Abstract: Embodiments of the present invention provide methods, systems, and computer program products that enable secure network communications with logical partitions. A gateway between a physical network adapter and at least one virtual network trunk adapter receives a packet. The gateway tags the packet with an indication of an origin of the packet. The gateway delivers the tagged packet to an intrusion prevention system for intrusion analysis. When the gateway receives the tagged packet from the intrusion prevention system, the gateway forwards the tagged packet according to the indication of origin of the tagged packet.
    Type: Grant
    Filed: October 22, 2010
    Date of Patent: October 18, 2016
    Assignee: International Business Machines Corporation
    Inventors: Shaival J. Chokshi, Xiaohan Qin, Rakesh Sharma
  • Patent number: 9473508
    Abstract: A method for the protected deposit of event protocol data of a computer system provides access control which prohibits access to event protocol data in the computer system and also performs: reading event protocol data generated in the computer system, sequential assignment of individual data sections of the read event protocol data to one of at least two categories in accordance with predetermined criteria, merging the categorized data sections for each respective category into a sub-file, and separate storage of created sub-files and setting up an access option to access the individual sub-files.
    Type: Grant
    Filed: October 31, 2013
    Date of Patent: October 18, 2016
    Assignee: Fujitsu Technology Solutions Intellectual Property GmbH
    Inventor: Heinz-Josef Claes
  • Patent number: 9473499
    Abstract: In various embodiments, techniques for federated role provisioning are provided. A federated role definition for a resource is constructed and distributed. The federated role definition includes a role hierarchy having role assignments and constraints for dynamically resolving and binding a resource to particular ones of the role assignments. A resource may have role assignments statically bound to its identity and dynamically bound to its identity. Furthermore, some role assignments may be inherited from the role hierarchy.
    Type: Grant
    Filed: April 2, 2014
    Date of Patent: October 18, 2016
    Assignee: Apple Inc.
    Inventors: Carolyn B. McClain, Bruce L. Bergeson, Vernon Roger Holm
  • Patent number: 9473455
    Abstract: The present disclosure relates to systems and methods for providing a data plane processing tool chain for processing packets that can use OSI layers 4 and above in the data plane without using a hypervisor. The disclosure has multiple processing capabilities, including: packet filtering, resolving DNS packets, generating packets, packet forwarding, performing DNS look up, time-stamping DNS packets, writing packets to disk, load-balancing, and protecting against DDOS attacks.
    Type: Grant
    Filed: June 28, 2012
    Date of Patent: October 18, 2016
    Assignee: VERISIGN, INC.
    Inventors: John Bosco, Dow Summers, Kenneth Ryan
  • Patent number: 9471795
    Abstract: A Link device has a processor connected to an internal Link bus, a non-transitory memory, a digital device ID, one or both of firmware or software executing from non-transitory media, a first communication port enabled to communicate with a vehicle bus coupling computerized devices in a vehicle, and a second communication port enabled to communicate with one or more digital devices external to the vehicle. The firmware or software enables the Link device to communicate with the vehicle bus, and to accomplish a variety of tasks including pulling data from data stores in the vehicle and operating specific vehicle functions, and wherein the firmware or software manages communication with the one or more external digital devices, accepting only requests for cooperation with the Link device using the unique device ID with a request that is cryptographically secure.
    Type: Grant
    Filed: October 8, 2013
    Date of Patent: October 18, 2016
    Assignee: Automatic Labs, Inc.
    Inventors: Ramprabhu Jayaraman, Thejovardhana S Kote
  • Patent number: 9473497
    Abstract: An exclusion engine for electronic communications in controlled-environment facilities. In some embodiments, a method may include receiving, at one or more computer systems, a request for an electronic communication between a resident and a non-resident of a controlled-environment facility and determining, via the one or more computer systems, whether an exclusion list adopted by the controlled-environment facility allows the non-resident to communicate with the resident, where the exclusion list is of a type selected from the group consisting of: a permissive list, and a restrictive list. For example, a permissive list may identify one or more non-residents that are allowed to communicate with the resident, and a restrictive list may identify one or more non-residents that are not allowed to communicate with the resident.
    Type: Grant
    Filed: June 5, 2013
    Date of Patent: October 18, 2016
    Assignee: SECURUS TECHNOLOGIES, INC.
    Inventor: Matthew Richard Smith
  • Patent number: 9473517
    Abstract: A content screening method, apparatus and system are provided for a content screening component to verify the trust relationship and the categorization standard used by a categorization component. A method includes the following steps: the content screening component receives a categorized content; and when determining that a first categorization component that categorizes the content is trustworthy according to the information of the categorization component carried in the categorized content, the content screening component screens the content by the content category carried in the categorized content. Another method includes the following step: when determining that the categorization component that categorizes the content uses the same categorization standard as the content screening component according to the information of the categorization component carried in the categorized content, the content screening component screens the content by the content category carried in the categorized content.
    Type: Grant
    Filed: January 6, 2015
    Date of Patent: October 18, 2016
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Jin Peng
  • Patent number: 9467735
    Abstract: A portable media device (PMD) can produce an isochronous audio/video experience when the PMD provides a digital audio signal to the accessory while displaying analog video on an accessory-independent display. The accessory can communicate audio latency information to the PMD. The PMD can delay a video portion of a presentation, relative to providing the digital audio signal to the accessory, based on the audio latency information communicated by the accessory. As a result, the user may perceive an isochronous presentation of the audio and video portions of the presentation.
    Type: Grant
    Filed: June 13, 2008
    Date of Patent: October 11, 2016
    Assignee: Apple Inc.
    Inventors: Paul Holden, Muthya Girish
  • Patent number: 9467446
    Abstract: In particular embodiments, a method includes receiving, by a computing device including an import/export framework, encoded client data. The client data may be encoded by a generic transcoding service. The method includes performing load-balancing based at least in part on the client data, authorizing the client's access of a remote application, and exporting the encoded client data to the remote application.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: October 11, 2016
    Assignee: Dell Products L.P.
    Inventors: Andrew T. Fausak, Oleg Rombakh
  • Patent number: 9467449
    Abstract: The invention proposes a method and device for protection of data for devices connected in a network such as a local area network or LAN. The method and device can for example be implemented on a gateway, which acts as an interconnecting device between the devices in the LAN network and that can offer these devices an access to an external network such as a wide area network or WAN. The method and device thus offer a protected environment for applications that are executed on the gateway, such as applications downloaded from the WAN. The method and device give the applications executed on the gateway controlled access to the LAN resources in order to protect the data that the LAN devices share within the LAN, while giving the applications access to the WAN.
    Type: Grant
    Filed: October 3, 2013
    Date of Patent: October 11, 2016
    Assignee: Thomson Licensing
    Inventors: Serge Defrance, Thierry Tapie, Remy Gendrot
  • Patent number: 9462075
    Abstract: An encrypted cached content system includes a user IHS, a content provider IHS, and a caching IHS. The caching IHS includes a caching engine that is configured to receive a content request from the user IHS. The caching engine generates a user-side key using content identifying information in the content request, and forwards the content request to the content provider IHS over a network as a content partial information request. In response to receiving a content partial information response from the content provider IHS over a network, the caching engine generates a content-provider-side key using header information in the content partial information response. The caching engine performs a hashing operation on the content request using a combination of the user-side key and the content-provider-side key to produce a hashed content request, and uses the hashed content request to retrieve content from the cache.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: October 4, 2016
    Assignee: Dell Products L.P.
    Inventor: Samuel Liddicott
  • Patent number: 9461967
    Abstract: Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol).
    Type: Grant
    Filed: July 30, 2013
    Date of Patent: October 4, 2016
    Assignee: Palo Alto Networks, Inc.
    Inventors: Nir Zuk, Marc Joseph Benoit