Abstract: In aspect an application may be configured to issue a request to store an object, with the request including an object reference. A delegate may be configured to receive the request to store the object, determine a hosted storage service, from among multiple hosted storage services, and a corresponding access protocol based on the object reference, and store the object in the hosted storage service using the corresponding protocol.

Abstract: A request to store a data object is received at a hosted storage service. The request includes the data object and an associated object reference. The object reference configured to enable retrieval of the data object from the hosted storage service. The data object is stored at the hosted storage service in association with the object reference. The data object is sent from the hosted storage service to a content delivery network node such that the data object is cached in and retrievable from the content delivery network node using the object reference.

Abstract: An encrypted resource is stored in association with an access control list. A request to retrieve the resource is received. The wrapped key and the authentication credentials are sent, from the application server system, to a key server system. An unencrypted version of the resource encryption key is received from the key server system if the key server system determines that the authentication credentials correspond to a user in the group of users identified by the group identifier. The stored encrypted resource is decrypted using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource. The unencrypted version of the resource is sent, from the application server system, to the client application.

Abstract: A first access control list method is stored in a hosted storage system and in association with a storage structure. The first access control list is designed to grant permission to write data objects to the storage structure but not designed to grant permission to read objects from the storage structure. The first access control list grants a first user permission to write data objects to the storage structure. A second access control list is stored in the hosted storage system and in association with a first data object stored in the storage structure. The second access control list is designed to grant permission to read the first data object. The second access control list grants a second user permission to read the first data object.

Abstract: An encrypted resource is stored in association with an access control list. A request to retrieve the resource is received. The wrapped key and the authentication credentials are sent, from the application server system, to a key server system. An unencrypted version of the resource encryption key is received from the key server system if the key server system determines that the authentication credentials correspond to a user in the group of users identified by the group identifier. The stored encrypted resource is decrypted using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource. The unencrypted version of the resource is sent, from the application server system, to the client application.

Abstract: A request to store a data object is received at a hosted storage service. The request includes the data object and an associated object reference. The object reference configured to enable retrieval of the data object from the hosted storage service. The data object is stored at the hosted storage service in association with the object reference. The data object is sent from the hosted storage service to a content delivery network node such that the data object is cached in and retrievable from the content delivery network node using the object reference.

Abstract: A program or program snippet is rewritten to conform to site-specific properties prior to being executed by a target host. The program or program snippet directed to a target host from a known or unknown source is either intercepted by a server before reaching the target host or can be redirected from the target host to the server to effect its rewriting. The program is parsed in its external representation, converting it to an internal representation that is inspected and analyzed with reference to a site-specific properties database. A summary of the program's properties is then compared to the site-specific properties database by a binary rewriting engine, which produces a rewritten program in an internal representation. If appropriate, the program or program snippet is rewritten to convert it to a format suitable for execution on the target host. Furthermore, certifications may be added to the rewritten program to mark that the rewritten program obeys site-specific constraints.

Abstract: A method and system for identifying sets of instructions within a computer program, execution of which serve as an indicator for processing of a transaction by the computer program and that together comprise a witness set. The witness set may be employed to monitor execution of the computer program and detect processing of the transaction. Witness sets are constructed by iteratively filtering an initial set of instructions based on profile data collected during execution of the computer program.

Abstract: An original software component is modified in accordance with a site's security policy provisions prior to being executed by a component system or computer at the site. The original software component is intercepted by an introspection service running on a server or on the component system prior to execution on the component system. The introspection service analyzes the software component by parsing it, and based on the information it determines, a security policy service instructs an interposition service how to modify the software component so that it conforms to the security policy service requirements. The interposition service thus produces a modified software component by inserting code for security initialization and for imposing security operations on the original component operations.

Abstract: A computer software tool used for automatically identifying code portions and data portions of a binary executable software program in which the code portions include machine instructions that are of arbitrary length. Software products are typically distributed as binary, executable files, which comprise a string of binary values. In general, an executable file has no structure or meaning, except as determined by its behavior when dynamically executed, one instruction at a time, by a digital computer. The software tool determines a set of addresses for any known code and data portions. The tool is then used to disassemble machine instructions, beginning at a starting address for each known code portion, to identify the target addresses of other code portions and other data portions. Other sections of the binary executable software program that could be either code or data are then analyzed to identify additionAL code and data portions.

Abstract: A method and procedure for modifying modules comprising a binary executable software program in such a way that, despite the transformations performed and the creation of new versions of the modules, the transformed program appears (to that program, including all of its components) as if it is running in the identical environment as the original program. The environment includes environment variables, the name of the program, the names of all of the dynamically loaded library (DLL) files that the program references, the directory in which the program resides, and the current directory at the time the program started execution. When the program has been transformed, e.g., for the purposes of monitoring or measurement, the environment also includes the effective addresses of data and instruction references made by the program.