Patents by Inventor Charles W. Kaufman

Charles W. Kaufman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10394646
    Abstract: Described are techniques for performing data validation processing. An expected sequence of characters is determined that includes a plurality of groups. Each of the plurality of groups includes a first expected sequence of one or more characters representing encoded information and a second expected sequence of one or more data validation characters determined in accordance with a corresponding portion of the expected sequence. The portion includes at least the first expected sequence of one or more characters of the group. Data validation processing is incrementally performed as data for each of the plurality of groups is received. The data validation processing performed as data for each group is received uses a received sequence of one or more data validation characters corresponding to the second expected sequence of one or more data validation characters of each group.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: August 27, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Charles W. Kaufman, Radia J. Perlman
  • Publication number: 20190238346
    Abstract: A challenge/response authentication procedure determines whether a response is a correct response, a unique incorrect response, or a non-unique incorrect response, the unique incorrect response and non-unique incorrect response being differentiated by comparing the response value with a store of unique incorrect response values. For the correct response, client access to protected computer system resources is allowed, and the challenge value is discarded so as not to be used again. For the unique incorrect response, (1) when a predetermined limit of unique incorrect responses has not been reached, then the response value is added to the store of unique incorrect response values and the process is repeated with reuse of the challenge value, and (2) when the predetermined limit has been reached, then the client is locked out. For the non-unique incorrect response, the process is repeated with reuse of the challenge value.
    Type: Application
    Filed: January 30, 2018
    Publication date: August 1, 2019
    Inventors: Radia J. Perlman, Charles W. Kaufman, Xuan Tang
  • Publication number: 20190173675
    Abstract: Providing a server polling component for remote cryptographic key erasure resilient to network outage. A set of keys received from a server are stored on data storage. The data storage sends a status request to the server. If a key enabled status is received, the data storage continues normal operations. If a key disabled status is received, a key failure action is performed. The key failure action includes deleting one or more of the keys in the set of keys or shutting down one or more storage devices of the data storage. If no response is received from the server, the data storage iteratively resends the status request at retry time intervals until a response is received from the server or until a time out period expires. On expiration of the time out period, the key failure action is performed.
    Type: Application
    Filed: February 7, 2019
    Publication date: June 6, 2019
    Inventor: Charles W. Kaufman
  • Patent number: 10205594
    Abstract: Examples are generally directed towards providing a server polling component for remote cryptographic key erasure resilient to network outage. A set of keys received from a server are stored on data storage. The data storage sends a status request to the server. If a key enabled status is received, the data storage continues normal operations. If a key disabled status is received, a key failure action is performed. The key failure action includes deleting one or more of the keys in the set of keys or shutting down one or more storage devices of the data storage. If no response is received from the server, the data storage iteratively resends the status request at retry time intervals until a response is received from the server or until a time out period expires. On expiration of the time out period, the key failure action is performed.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: February 12, 2019
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventor: Charles W. Kaufman
  • Patent number: 9467473
    Abstract: A system is described that analyzes and validates network security policies associated with network devices. The system includes a compiler and a security policy analysis and validation tool. The compiler encodes a security policy associated with a network device into a predicate expressed in bit-vector logic and generates a bit-vector formula based on the predicate. The tool receives the bit-vector formula and applies a Satisfiability Modulo Theories (SMT) solver thereto to identify and enumerate solutions to the bit-vector formula. The enumerated solutions provide information about the validity of the first security policy. The solutions may be compactly enumerated as a product of intervals or a product of unions of intervals.
    Type: Grant
    Filed: September 19, 2013
    Date of Patent: October 11, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Karthick Jayaraman, Charles W. Kaufman, Nikolaj S. Bjorner
  • Publication number: 20150082370
    Abstract: A system is described that analyzes and validates network security policies associated with network devices. The system includes a compiler and a security policy analysis and validation tool. The compiler encodes a security policy associated with a network device into a predicate expressed in bit-vector logic and generates a bit-vector formula based on the predicate. The tool receives the bit-vector formula and applies a Satisfiability Modulo Theories (SMT) solver thereto to identify and enumerate solutions to the bit-vector formula. The enumerated solutions provide information about the validity of the first security policy. The solutions may be compactly enumerated as a product of intervals or a product of unions of intervals.
    Type: Application
    Filed: September 19, 2013
    Publication date: March 19, 2015
    Applicant: Microsoft Corporation
    Inventors: Karthick Jayaraman, Charles W. Kaufman, Nikolaj S. Bjorner
  • Patent number: 8709460
    Abstract: A method for producing a suspension, emulsion or dispersion of de-agglomerated particles (advantageously submicron-sized particles) of pyrithione salts comprising contacting agglomerated pyrithione salt particles with a de-agglomerating agent to produce the desired de-agglomerated pyrithione salt particles. Also disclosed is a method for making de-agglomerated submicron-sized particles of pyrithione salts comprising a heating step. Also disclosed are the particles made by the above methods and compositions comprising the particles and a base medium.
    Type: Grant
    Filed: April 23, 2009
    Date of Patent: April 29, 2014
    Assignee: Arch Chemicals, Inc.
    Inventors: Saeed M. Mohseni, Charles W. Kaufman, David C. Beaty, John J. Jardas, George Polson
  • Patent number: 8555061
    Abstract: Assertions for elevated privilege associated with transparent code may be ignored, prohibited, or modified.
    Type: Grant
    Filed: May 13, 2005
    Date of Patent: October 8, 2013
    Assignee: Microsoft Corporation
    Inventors: Jeffrey M. Cooperstein, Charles W. Kaufman, Raja Krishnaswamy
  • Patent number: 8291088
    Abstract: A system for providing single sign-on (SSO) user names for Web cookies. SSO access to multiple applications is supported in situations where multiple user information directories are deployed, and users may be known by multiple identifiers. Convenient specification is enabled for which of a user's multiple names is to be used in an SSO Web cookie that is passed from application to application to enable SSO operation. The user's SSO Web cookie user name is fully separated conceptually from the user's effective name for any given application within the SSO environment. The SSO Web cookie user name provided by the disclosed system is specified independently from the effective name by which the user is known when operating in the Web application that writes the SSO Web cookie back to the user's computer system. Use of an administratively supplied user name in the SSO Web cookie is facilitated.
    Type: Grant
    Filed: September 28, 2008
    Date of Patent: October 16, 2012
    Assignee: International Business Machines Corporation
    Inventors: Jane B. Marcus, Scott M. Davidson, Russell L. Holden, Srinivasa R. Kolaparthi, Charles W. Kaufman
  • Patent number: 8225390
    Abstract: The present invention extends to methods, systems, and computer program products for licensing protected content to application sets. Embodiments of the invention permit a local machine to increase its participation in authorizing access to protected content. For example, an operating system within an appropriate computing environment is permitted to determine if an application is authorized to access protected content. Thus, the application is relieved from having to store a publishing license. Further, authorization decisions are partially distributed, easing the resource burden on a protection server. Accordingly, embodiments of the invention can facilitate more robust and efficient authorization decisions when access to protected content is requested.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: July 17, 2012
    Assignee: Microsoft Corporation
    Inventors: Kenneth D. Ray, Pankaj M. Kamat, Charles W. Kaufman, Paul J. Leach, William R. Tipton, Andrew Herron, Krassimir E. Karamfilov, Duncan G. Bryce, Jonathan D. Schwartz, Matthew C. Setzer, John McDowell
  • Patent number: 8011008
    Abstract: Performing security sensitive operations with an application security model. Security agnostic code is executed. The security agnostic code is identified as not having authorization to perform a security sensitive operation. Executing the security agnostic code includes calling code identified as security safe critical code. In response to the security agnostic code calling the security safe critical code, the security safe critical code is executed. The security safe critical code includes functionality for performing validity checks. Executing the security safe critical code includes performing a validity check for the security agnostic code. When the security agnostic code passes the validity check, code identified as security critical code is called. In response to the security safe critical code calling the security critical code, the security critical code is executed. The security critical code is authorized to perform the security sensitive operation.
    Type: Grant
    Filed: November 13, 2007
    Date of Patent: August 30, 2011
    Assignee: Microsoft Corporation
    Inventors: Michael D. Downen, Raja Krishnaswamy, Arun Moorthy, Charles W. Kaufman
  • Patent number: 8006295
    Abstract: The subject disclosure pertains to a domain identification system, comprising a principal that has a key and a mnemonically meaningless identifier, the mnemonically meaningless identifier is used to identify the component in a networked environment. The mnemonically meaningless identifier can be bound to the public key by a binding. The component may be part of a neighborhood of components, and each member component knows the members' binding.
    Type: Grant
    Filed: June 28, 2007
    Date of Patent: August 23, 2011
    Assignee: Microsoft Corporation
    Inventors: Carl M. Ellison, Paul J. Leach, Butler W. Lampson, Melissa W. Dunn, Ravindra N. Pandya, Charles W. Kaufman
  • Patent number: 7949880
    Abstract: A method, system and apparatus for secure password validation can include a local authentication process configured for coupling both to local authentication data and to a remote authentication process. The system also can include a comparator disposed in the local authentication process and programmed to detect an extended password string in the local authentication data. Finally, the system can include a remote authentication handler disposed in the local authentication process and programmed to outsource password validation to the remote authentication process responsive to the comparator detecting an extended password string retrieved for a supplied user identifier. Preferably, the remote authentication handler can be a remote procedure call to the remote authentication process.
    Type: Grant
    Filed: January 25, 2010
    Date of Patent: May 24, 2011
    Assignee: International Business Machines Corporation
    Inventors: Mark A. Champine, Charles W. Kaufman
  • Patent number: 7925752
    Abstract: A system for providing single sign-on (SSO) user names for Web cookies in a multiple user information directory environment. SSO access to multiple applications is supported in situations where multiple user information directories are deployed, and users may be known by multiple identifiers. Convenient specification is enabled for which of a user's multiple names is to be used in an SSO Web cookie that is passed from application to application to enable SSO operation. The user's SSO Web cookie user name is fully separated conceptually from the user's effective name for any given application within the SSO environment. The SSO Web cookie user name provided by the disclosed system is specified independently from the effective name by which the user is known when operating in the Web application that writes the SSO Web cookie back to the user's computer system. Use of an administratively supplied user name in the SSO Web cookie is facilitated.
    Type: Grant
    Filed: September 28, 2008
    Date of Patent: April 12, 2011
    Assignee: International Business Machines Corporation
    Inventors: Jane B. Marcus, Scott M. Davidson, Russell L. Holden, Srinivasa R. Kolaparthi, Charles W. Kaufman
  • Patent number: 7926105
    Abstract: Described is a technology including an evaluation methodology by which a set of privileged code such as a platform's API method may be marked as being security critical and/or safe for being called by untrusted code. The set of code is evaluated to determine whether the code is security critical code, and if so, it is identified as security critical. Such code is further evaluated to determine whether the code is safe with respect to being called by untrusted code, and if so, is marked as safe. To determine whether the code is safe, a determination is made as to whether the first set of code leaks criticality, including by evaluating one or more code paths corresponding to one or more callers of the first set of code, and by evaluating one or more code paths corresponding to one or more callees of the first set of code.
    Type: Grant
    Filed: February 28, 2006
    Date of Patent: April 12, 2011
    Assignee: Microsoft Corporation
    Inventors: Karen Elizabeth Corby, Mark Alcazar, Viresh Ramdatmisier, Ariel Jorge Kirsman, Andre A. Needham, Akhilesh Kaza, Raja Krishnaswamy, Jeff Cooperstein, Charles W Kaufman, Chris Anderson, Venkata Rama Prasad Tammana, Aaron R Goldfeder, John Hawkins
  • Publication number: 20100180126
    Abstract: A method, system and apparatus for secure password validation can include a local authentication process configured for coupling both to local authentication data and to a remote authentication process. The system also can include a comparator disposed in the local authentication process and programmed to detect an extended password string in the local authentication data. Finally, the system can include a remote authentication handler disposed in the local authentication process and programmed to outsource password validation to the remote authentication process responsive to the comparator detecting an extended password string retrieved for a supplied user identifier. Preferably, the remote authentication handler can be a remote procedure call to the remote authentication process.
    Type: Application
    Filed: January 25, 2010
    Publication date: July 15, 2010
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Mark A. Champine, Charles W. Kaufman
  • Patent number: 7669058
    Abstract: A method, system and apparatus for secure password validation can include a local authentication process configured for coupling both to local authentication data and to a remote authentication process. The system also can include a comparator disposed in the local authentication process and programmed to detect an extended password string in the local authentication data. Finally, the system can include a remote authentication handler disposed in the local authentication process and programmed to outsource password validation to the remote authentication process responsive to the comparator detecting an extended password string retrieved for a supplied user identifier. Preferably, the remote authentication handler can be a remote procedure call to the remote authentication process.
    Type: Grant
    Filed: August 10, 2004
    Date of Patent: February 23, 2010
    Assignee: International Business Machines Corporation
    Inventors: Mark A. Champine, Charles W. Kaufman
  • Publication number: 20090328134
    Abstract: The present invention extends to methods, systems, and computer program products for licensing protected content to application sets. Embodiments of the invention permit a local machine to increase its participation in authorizing access to protected content. For example, an operating system within an appropriate computing environment is permitted to determine if an application is authorized to access protected content. Thus, the application is relieved from having to store a publishing license. Further, authorization decisions are partially distributed, easing the resource burden on a protection server. Accordingly, embodiments of the invention can facilitate more robust and efficient authorization decisions when access to protected content is requested.
    Type: Application
    Filed: June 27, 2008
    Publication date: December 31, 2009
    Applicant: Microsoft Corporation
    Inventors: Kenneth D. Ray, Pankaj M. Kamat, Charles W. Kaufman, Paul J. Leach, William R. Tipton, Andrew Herron, Krassimir E. Karamifilov, Duncan G. Bryce, Jonathan D. Schwartz, Matthew C. Setzer, John McDowell
  • Patent number: 7603712
    Abstract: In accordance with the present invention, a system, method, and computer-readable medium for identifying malware in a request to a Web service is provided. One aspect of the present invention is a computer-implemented method for protecting a computer that provides a Web service from malware made in a Web request. When a request is received, an on-demand compilation system compiles high-level code associated with the request into binary code that may be executed. However, before the code is executed, antivirus software designed to identify malware scans the binary code for malware. If malware is identified, the antivirus software prevents the binary code associated with the request from being executed.
    Type: Grant
    Filed: April 21, 2005
    Date of Patent: October 13, 2009
    Assignee: Microsoft Corporation
    Inventors: Marc E Seinfeld, Adrian M Marinescu, Charles W Kaufman, Jeffrey M Cooperstein, Michael Kramer
  • Publication number: 20090215739
    Abstract: A method for producing a suspension, emulsion or dispersion of de-agglomerated particles (advantageously submicron-sized particles) of pyrithione salts comprising contacting agglomerated pyrithione salt particles with a de-agglomerating agent to produce the desired de-agglomerated pyrithione salt particles. Also disclosed is a method for making de-agglomerated submicron-sized particles of pyrithione salts comprising a heating step. Also disclosed are the particles made by the above methods and compositions comprising the particles and a base medium.
    Type: Application
    Filed: April 23, 2009
    Publication date: August 27, 2009
    Inventors: Saeed M. Mohseni, Charles W. Kaufman, David C. Beaty, John J. Jardas, George Polson