Patents by Inventor Christoph L. Schuba
Christoph L. Schuba has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 8413241
  Abstract: Methods and apparatus are provided for integrated deflection, detection and intrusion. Within a single computer system configured for operating system virtualization (e.g., Solaris™, OpenSolaris™), multiple security functions execute in logically independent zones or containers, under the control and administration of a global zone. Such functions may illustratively include a demilitarized zone (DMZ) and a honeypot. Management is facilitated because all functions work within a single operating system, which promotes the ability to configure, monitor and control each function. Any given zone can be configured with limited resources, a virtual network interface circuit and/or other features.
  Type: Grant
  Filed: November 24, 2009
  Date of Patent: April 2, 2013
  Inventors: John E. Weeks, Christoph L. Schuba
- Patent number: 8356285
  Abstract: Some embodiments provide a system that manages the execution of a software component in a virtualized environment. During operation, the system monitors the execution of the software component from an external location to the virtualized environment. Next, the system assesses an integrity of the software component by comparing the monitored execution to an expected operation of the software component, wherein the expected operation is determined based on source code for the software component. Finally, the system uses the assessed integrity of the software component to facilitate the execution of the software component.
  Type: Grant
  Filed: March 31, 2009
  Date of Patent: January 15, 2013
  Assignee: Oracle America, Inc.
  Inventors: Christoph L. Schuba, Tim P. Marsland
- Patent number: 8260910
  Abstract: A system that determines whether a pattern of data elements was observed in a stream of data. During operation, the system receives a query which seeks to determine whether the pattern of data elements was observed in the stream of data. In response to the query, the system performs a number of lookups in an enhanced Bloom filter to determine whether the pattern of data elements was observed in the stream of data, wherein the enhanced Bloom filter includes multiple instances of a Bloom filter, and wherein each instance of the Bloom filter is associated with a different time interval. If so, the system generates a notification that the pattern of data elements was observed.
  Type: Grant
  Filed: September 19, 2006
  Date of Patent: September 4, 2012
  Assignee: Oracle America, Inc.
  Inventors: Christoph L. Schuba, Hal L. Stern
- Patent number: 8260909
  Abstract: A system that determines whether a data element exists within a set of data elements observed from a stream of data. During operation, the system receives a query which seeks to determine whether the data element exists within a set of data elements observed from a stream of data. In response to the query, the system performs a lookup in an enhanced Bloom filter to determine whether the pattern of data elements was observed in the stream of data, wherein the enhanced Bloom filter includes multiple instances of a Bloom filter, and wherein each instance of the Bloom filter is associated with a different time interval. If so, the system generates a notification that the data element was observed.
  Type: Grant
  Filed: September 19, 2006
  Date of Patent: September 4, 2012
  Assignee: Oracle America, Inc.
  Inventors: Christoph L. Schuba, Hal L. Stern
- Patent number: 8225086
  Abstract: A system that remotely authenticates a command is presented. During operation, an authentication system receives the command from an intermediary system, wherein the command is to be executed on a target system. Next, the authentication system authenticates the intermediary system. If the intermediary system is successfully authenticated, the authentication system authenticates the command using a private key for the authentication system to produce an authenticated command. Next, the authentication system sends the authenticated command to the intermediary system, thereby enabling the intermediary system to send the authenticated command to the target system so that the target system can use a public key for the authentication system to verify and execute the command.
  Type: Grant
  Filed: November 13, 2007
  Date of Patent: July 17, 2012
  Assignee: Oracle America, Inc.
  Inventors: Christoph L. Schuba, James P. Hughes
- Patent number: 8195980
  Abstract: Some embodiments provide a system that manages the execution of a virtual machine. During operation, the system takes a series of snapshots of the virtual machine during execution of the virtual machine. If an abnormal operation of the virtual machine is detected, the system spawns a set of snapshot instances from one of the series of snapshots, wherein each of the snapshot instances is executed with one of a set of limitations. Next, the system determines a source of the abnormal operation using a snapshot instance from the snapshot instances that does not exhibit the abnormal operation. Finally, the system updates a state of the virtual machine using the snapshot instance.
  Type: Grant
  Filed: March 31, 2009
  Date of Patent: June 5, 2012
  Assignee: Oracle America, Inc.
  Inventors: Christoph L. Schuba, Tim P. Marsland
- Patent number: 8064606
  Abstract: A system that securely registers components in a first system is presented. During operation, the first system receives a request from an intermediary system to obtain configuration information related to the components in the first system. In response to the request, the first system: (1) encrypts configuration information for the first system using a first encryption key; (2) encrypts the first encryption key using a second encryption key; and (3) sends the encrypted configuration information and the encrypted first encryption key to the intermediary system so that the intermediary system can forward the encrypted configuration information and the encrypted first encryption key to the second system, whereby the encrypted configuration information is cryptographically opaque to the intermediary system. Next, the second system uses the configuration information to register the components in the first system.
  Type: Grant
  Filed: November 13, 2007
  Date of Patent: November 22, 2011
  Assignee: Oracle America, Inc.
  Inventors: Christoph L. Schuba, James P. Hughes, Daniel E. Smith
- Patent number: 8037279
  Abstract: A method for sharing data between a first domain and a second domain, including issuing a first request for data from a storage pool by the first domain, receiving the first request by a control domain driver in a control domain, obtaining the data by the control domain driver, storing a first copy of the data in shared memory at a first physical address, updating a hypervisor page map to include an entry associating a first pseudo-physical page number with the first physical address, notifying the first domain that the first request has been completed, issuing a second request for the data by the second domain, receiving the second request by the control domain driver, determining that the first copy of the data is present in the shared memory, and updating the hypervisor page map to include an entry associating the second pseudo-physical page number with the first physical address.
  Type: Grant
  Filed: June 12, 2008
  Date of Patent: October 11, 2011
  Assignee: Oracle America, Inc.
  Inventors: Christoph L. Schuba, John B. Levon
- Patent number: 8028336
  Abstract: Techniques have been developed whereby dynamic kernel/user-level tracing may be employed to efficiently characterize runtime behavior of production code. Using dynamic tracing techniques, user space or kernel instruction sequences between system calls may be instrumented without access to source code. In some realizations, instrumentation may be interactively specified on a host system. In some realizations, instrumentation specifications may be supplied as functional definitions (e.g., as scripts and/or probe definitions) for installation on a host system. Using the developed techniques, data states, parameters passed and/or timing information may be sampled to provide more detailed insight into actual program behavior. In signature-oriented exploitations, more powerful intrusion signatures are possible. In anomaly-oriented exploitations, a more detailed “sense of self” may be developed to discriminate between normal and anomalous program behavior.
  Type: Grant
  Filed: November 8, 2005
  Date of Patent: September 27, 2011
  Assignee: Oracle America, Inc.
  Inventors: Christoph L. Schuba, Dwight Hare, Hal Stern
- Publication number: 20110067107
  Abstract: Methods and apparatus are provided for integrated deflection, detection and intrusion. Within a single computer system configured for operating system virtualization (e.g., Solaris, OpenSolaris), multiple security functions execute in logically independent zones or containers, under the control and administration of a global zone. Such functions may illustratively include a demilitarized zone (DMZ) and a honeypot. Management is facilitated because all functions work within a single operating system, which promotes the ability to configure, monitor and control each function. Any given zone can be configured with limited resources, a virtual network interface circuit and/or other features.
  Type: Application
  Filed: November 24, 2009
  Publication date: March 17, 2011
  Applicant: SUN MICROSYSTEMS, INC.
  Inventors: John E. Weeks, Christoph L. Schuba
- Patent number: 7865608
  Abstract: One embodiment of the present invention provides a system that classifies elements in a structured data stream. Upon receiving an element from the structured data stream, the system applies a hash function to the element to generate a single hash value. Next, the system divides the single hash value into multiple sections, and uses the multiple sections as inputs to a Bloom filter to determine if a node for the element exists in an associated lookup structure. If so, the system looks up the node for the element in the associated lookup structure. Note that using the Bloom filter in this way prevents unnecessary lookups. Furthermore, using multiple sections of a single hash value as inputs to the Bloom filter eliminates the need to compute multiple hash values.
  Type: Grant
  Filed: January 21, 2005
  Date of Patent: January 4, 2011
  Assignee: Oracle America, Inc.
  Inventors: Christoph L. Schuba, Sumantra R. Kundu, Jason L. Goldschmidt
- Publication number: 20100251004
  Abstract: Some embodiments provide a system that manages the execution of a virtual machine. During operation, the system takes a series of snapshots of the virtual machine during execution of the virtual machine. If an abnormal operation of the virtual machine is detected, the system spawns a set of snapshot instances from one of the series of snapshots, wherein each of the snapshot instances is executed with one of a set of limitations. Next, the system determines a source of the abnormal operation using a snapshot instance from the snapshot instances that does not exhibit the abnormal operation. Finally, the system updates a state of the virtual machine using the snapshot instance.
  Type: Application
  Filed: March 31, 2009
  Publication date: September 30, 2010
  Applicant: SUN MICROSYSTEMS, INC.
  Inventors: Christoph L. Schuba, Tim P. Marsland
- Publication number: 20100251238
  Abstract: Some embodiments provide a system that manages the execution of a software component in a virtualized environment. During operation, the system monitors the execution of the software component from an external location to the virtualized environment. Next, the system assesses an integrity of the software component by comparing the monitored execution to an expected operation of the software component, wherein the expected operation is determined based on source code for the software component. Finally, the system uses the assessed integrity of the software component to facilitate the execution of the software component.
  Type: Application
  Filed: March 31, 2009
  Publication date: September 30, 2010
  Applicant: SUN MICROSYSTEMS, INC.
  Inventors: Christoph L. Schuba, Tim P. Marsland
- Patent number: 7765581
  Abstract: Methods and systems consistent with the present invention provide dynamic security policies that change the granularity of the security at the node level, process level, or socket level. Specifically, a channel number and virtual address are associated with various processes included in a process table. Since a security policy is required for all processes, secure and insecure processes located on the same channel may communicate with one another. Moreover, processes located on different channels may communicate with one another by a gateway that connects both channels. This scalable blanketing security approach provides an institutionalized method for securing any process, node or socket by providing a unique mechanism for policy enforcement at runtime or by changing the security policies.
  Type: Grant
  Filed: December 10, 1999
  Date of Patent: July 27, 2010
  Assignee: Oracle America, Inc.
  Inventors: Germano Caronni, Amit Gupta, Sandeep Kumar, Tom R. Markson, Christoph L. Schuba, Glenn C. Scott
- Patent number: 7760730
  Abstract: A flow manager may receive prioritized packet flow rules from one or more network services where each rule may include a packet filter and prioritized actions. Each action of a packet flow rule may be either terminating or non-terminating. A flow manager may generate a unified rule set according to the received packet flow rules and may additionally validate the unified rule set to identify errors. When validating the unified rule set, a flow manager may compare the unified rule set against one or more defined policies. Alternatively, a flow manager may apply the unified rule set to either captured or manually specified simulated network packets. A flow manager may also identify extraneous rules or actions. Further, a flow manager may present the unified rule set for manual verification and may receive input identifying errors and specifying modification to correct the errors.
  Type: Grant
  Filed: June 15, 2004
  Date of Patent: July 20, 2010
  Assignee: Oracle America, Inc.
  Inventors: Jason L. Goldschmidt, Christoph L. Schuba, Michael F. Speer
- Patent number: 7685309
  Abstract: Methods and systems consistent with the present invention establish a virtual network on top of current IP network naming schemes. The virtual network uses a separate layer to create a modification to the IP packet format that is used to separate network behavior from addressing. As a result of the modification to the packet format, any type of delivery method may be assigned to any address or group of addresses. The virtual network also maintains secure communications between nodes, while providing the flexibility of assigning delivery methods independent of the delivery addresses.
  Type: Grant
  Filed: August 11, 2005
  Date of Patent: March 23, 2010
  Assignee: Sun Microsystems, Inc.
  Inventors: Germano Caronni, Amit Gupta, Sandeep Kulmar, Tom R. Markson, Christoph L. Schuba, Glenn C. Scott
- Patent number: 7647637
  Abstract: A patch or set of patches may be deployed, often to a subset of potentially vulnerable systems, to address a particular vulnerability while providing a facility to monitor and, in some cases, characterize post-patch exploit attempts. Often, such a patch will check for an exploit signature and, if an exploit attempt is detected or suspected, take an appropriate action. For example, the patch may include code to log indicative data or trigger such logging. In some exploitations, the patch may generate or contribute to a warning or advisory regarding an additional target (or targets) of the exploit and, if appropriate, initiate a patch or protective measure for the additional target(s). In some exploitations, the patch may simulate responses or behaviors suggestive (to an attacker) of unpatched code. In some exploitations, the patch may direct an exploit attempt to a service (or simulated service) hosted or executing in an isolated protection domain.
  Type: Grant
  Filed: August 19, 2005
  Date of Patent: January 12, 2010
  Assignee: Sun Microsystems, Inc.
  Inventors: Christoph L. Schuba, Dwight F. Hare, Gabriel E. Montenegro
- Publication number: 20090313446
  Abstract: A method for sharing data between a first domain and a second domain, including issuing a first request for data from a storage pool by the first domain, receiving the first request by a control domain driver in a control domain, obtaining the data by the control domain driver, storing a first copy of the data in shared memory at a first physical address, updating a hypervisor page map to include an entry associating a first pseudo-physical page number with the first physical address, notifying the first domain that the first request has been completed, issuing a second request for the data by the second domain, receiving the second request by the control domain driver, determining that the first copy of the data is present in the shared memory, and updating the hypervisor page map to include an entry associating the second pseudo-physical page number with the first physical address.
  Type: Application
  Filed: June 12, 2008
  Publication date: December 17, 2009
  Applicant: Sun Microsystems, Inc.
  Inventors: Christoph L. Schuba, John B. Levon
- Publication number: 20090122988
  Abstract: A system that securely registers components in a first system is presented. During operation, the first system receives a request from an intermediary system to obtain configuration information related to the components in the first system. In response to the request, the first system: (1) encrypts configuration information for the first system using a first encryption key; (2) encrypts the first encryption key using a second encryption key; and (3) sends the encrypted configuration information and the encrypted first encryption key to the intermediary system so that the intermediary system can forward the encrypted configuration information and the encrypted first encryption key to the second system, whereby the encrypted configuration information is cryptographically opaque to the intermediary system. Next, the second system uses the configuration information to register the components in the first system.
  Type: Application
  Filed: November 13, 2007
  Publication date: May 14, 2009
  Applicant: SUN MICROSYSTEMS, INC.
  Inventors: Christoph L. Schuba, James P. Hughes, Daniel F. Smith
- Publication number: 20090125715
  Abstract: A system that remotely authenticates a command is presented. During operation, an authentication system receives the command from an intermediary system, wherein the command is to be executed on a target system. Next, the authentication system authenticates the intermediary system. If the intermediary system is successfully authenticated, the authentication system authenticates the command using a private key for the authentication system to produce an authenticated command. Next, the authentication system sends the authenticated command to the intermediary system, thereby enabling the intermediary system to send the authenticated command to the target system so that the target system can use a public key for the authentication system to verify and execute the command.
  Type: Application
  Filed: November 13, 2007
  Publication date: May 14, 2009
  Applicant: SUN MICROSYSTEMS, INC.
  Inventors: Christoph L. Schuba, James P. Hughes