Patents by Inventor Christoph L. Schuba

Christoph L. Schuba has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8413241
    Abstract: Methods and apparatus are provided for integrated deflection, detection and intrusion. Within a single computer system configured for operating system virtualization (e.g., Solaris™, OpenSolaris™), multiple security functions execute in logically independent zones or containers, under the control and administration of a global zone. Such functions may illustratively include a demilitarized zone (DMZ) and a honeypot. Management is facilitated because all functions work within a single operating system, which promotes the ability to configure, monitor and control each function. Any given zone can be configured with limited resources, a virtual network interface circuit and/or other features.
    Type: Grant
    Filed: November 24, 2009
    Date of Patent: April 2, 2013
    Inventors: John E. Weeks, Christoph L. Schuba
  • Patent number: 8356285
    Abstract: Some embodiments provide a system that manages the execution of a software component in a virtualized environment. During operation, the system monitors the execution of the software component from an external location to the virtualized environment. Next, the system assesses an integrity of the software component by comparing the monitored execution to an expected operation of the software component, wherein the expected operation is determined based on source code for the software component. Finally, the system uses the assessed integrity of the software component to facilitate the execution of the software component.
    Type: Grant
    Filed: March 31, 2009
    Date of Patent: January 15, 2013
    Assignee: Oracle America, Inc.
    Inventors: Christoph L. Schuba, Tim P. Marsland
  • Patent number: 8260910
    Abstract: A system that determines whether a pattern of data elements was observed in a stream of data. During operation, the system receives a query which seeks to determine whether the pattern of data elements was observed in the stream of data. In response to the query, the system performs a number of lookups in an enhanced Bloom filter to determine whether the pattern of data elements was observed in the stream of data, wherein the enhanced Bloom filter includes multiple instances of a Bloom filter, and wherein each instance of the Bloom filter is associated with a different time interval. If so, the system generates a notification that the pattern of data elements was observed.
    Type: Grant
    Filed: September 19, 2006
    Date of Patent: September 4, 2012
    Assignee: Oracle America, Inc.
    Inventors: Christoph L. Schuba, Hal L. Stern
  • Patent number: 8260909
    Abstract: A system that determines whether a data element exists within a set of data elements observed from a stream of data. During operation, the system receives a query which seeks to determine whether the data element exists within a set of data elements observed from a stream of data. In response to the query, the system performs a lookup in an enhanced Bloom filter to determine whether the pattern of data elements was observed in the stream of data, wherein the enhanced Bloom filter includes multiple instances of a Bloom filter, and wherein each instance of the Bloom filter is associated with a different time interval. If so, the system generates a notification that the data element was observed.
    Type: Grant
    Filed: September 19, 2006
    Date of Patent: September 4, 2012
    Assignee: Oracle America, Inc.
    Inventors: Christoph L. Schuba, Hal L. Stern
  • Patent number: 8225086
    Abstract: A system that remotely authenticates a command is presented. During operation, an authentication system receives the command from an intermediary system, wherein the command is to be executed on a target system. Next, the authentication system authenticates the intermediary system. If the intermediary system is successfully authenticated, the authentication system authenticates the command using a private key for the authentication system to produce an authenticated command. Next, the authentication system sends the authenticated command to the intermediary system, thereby enabling the intermediary system to send the authenticated command to the target system so that the target system can use a public key for the authentication system to verify and execute the command.
    Type: Grant
    Filed: November 13, 2007
    Date of Patent: July 17, 2012
    Assignee: Oracle America, Inc.
    Inventors: Christoph L. Schuba, James P. Hughes
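The exchange this abstract describes, written out as an added Go example; it is not code from the patent or from Sun/Oracle. Two points the abstract leaves open are filled in here as assumptions: the intermediary is authenticated by a signature under an Ed25519 key it has registered with the authentication system, and the target's name is included in the signed bytes so an authenticated command cannot be redirected to a different host. The names `relay-1` and `host-42`, the `svcadm` command string and all function names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// authenticatedCommand is what the authentication system returns to the
// intermediary: the command, the target it is bound to, and the signature.
type authenticatedCommand struct {
	Target  string
	Command string
	Sig     []byte
}

// signedBytes is the canonical byte string the signature covers. Binding the
// target name in is this example's assumption, not something the abstract fixes.
func signedBytes(target, command string) []byte {
	return []byte(target + "\n" + command)
}

// authSystem holds the signing key and a registry of intermediaries allowed to
// submit commands. The abstract does not say how the intermediary is
// authenticated; here each one has a registered Ed25519 key and signs its request.
type authSystem struct {
	priv           ed25519.PrivateKey
	intermediaries map[string]ed25519.PublicKey
}

// authenticateCommand verifies the intermediary first, then signs the command.
func (a *authSystem) authenticateCommand(intermediaryID string, reqSig []byte, target, command string) (*authenticatedCommand, error) {
	pub, ok := a.intermediaries[intermediaryID]
	if !ok {
		return nil, errors.New("unknown intermediary")
	}
	if !ed25519.Verify(pub, signedBytes(target, command), reqSig) {
		return nil, errors.New("intermediary authentication failed")
	}
	sig := ed25519.Sign(a.priv, signedBytes(target, command))
	return &authenticatedCommand{Target: target, Command: command, Sig: sig}, nil
}

// targetSystem trusts only the authentication system's public key; it has no
// trust relationship with the intermediary that delivers the command.
type targetSystem struct {
	name    string
	authPub ed25519.PublicKey
}

// verifyAndExecute checks target binding and signature, then "executes"
// (here: returns) the command.
func (t *targetSystem) verifyAndExecute(ac *authenticatedCommand) (string, error) {
	if ac.Target != t.name {
		return "", errors.New("command bound to a different target")
	}
	if !ed25519.Verify(t.authPub, signedBytes(ac.Target, ac.Command), ac.Sig) {
		return "", errors.New("signature verification failed")
	}
	return "executed: " + ac.Command, nil
}

// runExchange performs one full exchange and returns the target's result, the
// error produced when the intermediary alters the command in transit, and any
// unexpected error.
func runExchange() (out string, tamperErr error, err error) {
	authPub, authPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	imPub, imPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	auth := &authSystem{priv: authPriv, intermediaries: map[string]ed25519.PublicKey{"relay-1": imPub}}
	target := &targetSystem{name: "host-42", authPub: authPub}

	// The intermediary asks for a command to be authenticated for host-42.
	cmd := "svcadm restart network/ssh"
	reqSig := ed25519.Sign(imPriv, signedBytes("host-42", cmd))
	ac, err := auth.authenticateCommand("relay-1", reqSig, "host-42", cmd)
	if err != nil {
		return "", nil, err
	}
	out, err = target.verifyAndExecute(ac)

	// A dishonest intermediary relays a modified command: the target rejects it.
	tampered := *ac
	tampered.Command = "svcadm disable network/ssh"
	_, tamperErr = target.verifyAndExecute(&tampered)
	return out, tamperErr, err
}

func main() {
	out, tamperErr, err := runExchange()
	fmt.Println(out, err)  // executed: svcadm restart network/ssh <nil>
	fmt.Println(tamperErr) // signature verification failed
}
```

Note what the signature gives the target and what it does not: it proves the authentication system approved exactly this command for exactly this target, and it makes the intermediary's edit fail verification, but nothing in the abstract stops the intermediary from delivering the same authenticated command twice. A deployment would add a nonce or expiry to `signedBytes` and have the target remember what it has already executed.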
  • Patent number: 8195980
    Abstract: Some embodiments provide a system that manages the execution of a virtual machine. During operation, the system takes a series of snapshots of the virtual machine during execution of the virtual machine. If an abnormal operation of the virtual machine is detected, the system spawns a set of snapshot instances from one of the series of snapshots, wherein each of the snapshot instances is executed with one of a set of limitations. Next, the system determines a source of the abnormal operation using a snapshot instance from the snapshot instances that does not exhibit the abnormal operation. Finally, the system updates a state of the virtual machine using the snapshot instance.
    Type: Grant
    Filed: March 31, 2009
    Date of Patent: June 5, 2012
    Assignee: Oracle America, Inc.
    Inventors: Christoph L. Schuba, Tim P. Marsland
  • Patent number: 8064606
    Abstract: A system that securely registers components in a first system is presented. During operation, the first system receives a request from an intermediary system to obtain configuration information related to the components in the first system. In response to the request, the first system: (1) encrypts configuration information for the first system using a first encryption key; (2) encrypts the first encryption key using a second encryption key; and (3) sends the encrypted configuration information and the encrypted first encryption key to the intermediary system so that the intermediary system can forward the encrypted configuration information and the encrypted first encryption key to the second system, whereby the encrypted configuration information is cryptographically opaque to the intermediary system. Next, the second system uses the configuration information to register the components in the first system.
    Type: Grant
    Filed: November 13, 2007
    Date of Patent: November 22, 2011
    Assignee: Oracle America, Inc.
    Inventors: Christoph L. Schuba, James P. Hughes, Daniel E. Smith
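The three-step sealing in this abstract is envelope encryption. Here is an added Go example of it, not code from the patent or from Sun/Oracle: the first system encrypts its configuration under a random AES-256-GCM data key, wraps that key with RSA-OAEP, and the intermediary forwards both without being able to read either. Treating the "second encryption key" as the second system's RSA public key, the `component-registration` associated data, and the `name=serial` configuration lines are all this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
	"strings"
)

// registrationMessage is what the first system hands to the intermediary: the
// configuration sealed under a fresh data key, and that data key sealed to the
// second (registration) system. The relay can forward it but not read it.
type registrationMessage struct {
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM(config) under the data key, the "first encryption key"
	WrappedKey []byte // RSA-OAEP(data key) under the second system's public key (assumption)
}

const aad = "component-registration" // ties the ciphertext to this purpose

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealConfig is the first system's side: steps (1)-(3) of the abstract.
func sealConfig(config []byte, secondPub *rsa.PublicKey) (*registrationMessage, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, secondPub, dataKey, []byte("data-key"))
	if err != nil {
		return nil, err
	}
	return &registrationMessage{nonce, gcm.Seal(nil, nonce, config, []byte(aad)), wrapped}, nil
}

// openConfig is the second system's side: unwrap the data key with its private
// key, then decrypt and authenticate the configuration.
func openConfig(msg *registrationMessage, secondPriv *rsa.PrivateKey) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, secondPriv, msg.WrappedKey, []byte("data-key"))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, []byte(aad)) // fails on any modification
}

// registerComponents parses the constructed "name=serial" lines and returns the
// component names the second system registers.
func registerComponents(config []byte) (names []string) {
	for _, line := range strings.Split(strings.TrimSpace(string(config)), "\n") {
		if kv := strings.SplitN(line, "=", 2); len(kv) == 2 {
			names = append(names, kv[0])
		}
	}
	return names
}

// runRegistration runs the exchange once and returns the registered names, the
// error a tampering relay provokes, and any unexpected error.
func runRegistration() (names []string, tamperErr error, err error) {
	secondPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	// Constructed configuration for the first system, not real inventory data.
	config := []byte("disk0=SN-1001\nnic0=SN-2002\nhba0=SN-3003\n")
	msg, err := sealConfig(config, &secondPriv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	plain, err := openConfig(msg, secondPriv) // honest relay: message forwarded unchanged
	if err != nil {
		return nil, nil, err
	}
	tampered := *msg // dishonest relay: flips one ciphertext bit, GCM's tag catches it
	tampered.Ciphertext = append([]byte(nil), msg.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, tamperErr = openConfig(&tampered, secondPriv)
	return registerComponents(plain), tamperErr, nil
}

func main() {
	names, tamperErr, err := runRegistration()
	fmt.Println(names, err)  // [disk0 nic0 hba0] <nil>
	fmt.Println(tamperErr)   // cipher: message authentication failed
}
```

GCM gives the abstract's "cryptographically opaque" property a second half: the relay cannot read the configuration, and if it alters the ciphertext the second system's `openConfig` fails rather than registering corrupted components. The message does not, however, say which first system produced it; binding a sender identity (a signature, or the system's name in the associated data) is the next thing a deployment would add.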
  • Patent number: 8037279
    Abstract: A method for sharing data between a first domain and a second domain, including issuing a first request for data from a storage pool by the first domain, receiving the first request by a control domain driver in a control domain, obtaining the data by the control domain driver, storing a first copy of the data in shared memory at a first physical address, updating a hypervisor page map to include an entry associating a first pseudo-physical page number with the first physical address, notifying the first domain that the first request has been completed, issuing a second request for the data by the second domain, receiving the second request by the control domain driver, determining that the first copy of the data is present in the shared memory, and updating the hypervisor page map to include an entry associating the second pseudo-physical page number with the first physical address.
    Type: Grant
    Filed: June 12, 2008
    Date of Patent: October 11, 2011
    Assignee: Oracle America, Inc.
    Inventors: Christoph L. Schuba, John B. Levon
  • Patent number: 8028336
    Abstract: Techniques have been developed whereby dynamic kernel/user-level tracing may be employed to efficiently characterize runtime behavior of production code. Using dynamic tracing techniques, user space or kernel instruction sequences between system calls may be instrumented without access to source code. In some realizations, instrumentation may be interactively specified on a host system. In some realizations, instrumentation specifications may be supplied as functional definitions (e.g., as scripts and/or probe definitions) for installation on a host system. Using the developed techniques, data states, parameters passed and/or timing information may be sampled to provide more detailed insight into actual program behavior. In signature-oriented exploitations, more powerful intrusion signatures are possible. In anomaly-oriented exploitations, a more detailed “sense of self” may be developed to discriminate between normal and anomalous program behavior.
    Type: Grant
    Filed: November 8, 2005
    Date of Patent: September 27, 2011
    Assignee: Oracle America, Inc.
    Inventors: Christoph L. Schuba, Dwight Hare, Hal Stern
  • Publication number: 20110067107
    Abstract: Methods and apparatus are provided for integrated deflection, detection and intrusion. Within a single computer system configured for operating system virtualization (e.g., Solaris, OpenSolaris), multiple security functions execute in logically independent zones or containers, under the control and administration of a global zone. Such functions may illustratively include a demilitarized zone (DMZ) and a honeypot. Management is facilitated because all functions work within a single operating system, which promotes the ability to configure, monitor and control each function. Any given zone can be configured with limited resources, a virtual network interface circuit and/or other features.
    Type: Application
    Filed: November 24, 2009
    Publication date: March 17, 2011
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: John E. Weeks, Christoph L. Schuba
  • Patent number: 7865608
    Abstract: One embodiment of the present invention provides a system that classifies elements in a structured data stream. Upon receiving an element from the structured data stream, the system applies a hash function to the element to generate a single hash value. Next, the system divides the single hash value into multiple sections, and uses the multiple sections as inputs to a Bloom filter to determine if a node for the element exists in an associated lookup structure. If so, the system looks up the node for the element in the associated lookup structure. Note that using the Bloom filter in this way prevents unnecessary lookups. Furthermore, using multiple sections of a single hash value as inputs to the Bloom filter eliminates the need to compute multiple hash values.
    Type: Grant
    Filed: January 21, 2005
    Date of Patent: January 4, 2011
    Assignee: Oracle America, Inc.
    Inventors: Christoph L. Schuba, Sumantra R. Kundu, Jason L. Goldschmidt
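The two stream-query entries above (8260910 and 8260909) and this single-digest Bloom filter fit together, so here is one added Go example covering both; it is not code from the patents or from Sun/Oracle. The Bloom filter takes its k bit positions from 32-bit slices of one SHA-256 digest, and the windowed structure keeps one such filter per hourly interval in a ring of 24 slots. The ring size, the hour granularity, the `10.0.0.x` addresses and all names are this example's choices.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// bloom is a fixed-size Bloom filter whose k bit positions are all cut from one
// SHA-256 digest (the single-hash idea of 7865608): one hash call per element.
type bloom struct {
	bits []uint64
	m    uint32 // number of bits
	k    int    // 32-bit digest sections used as indexes; at most 8 for SHA-256
}

func newBloom(m uint32, k int) *bloom {
	return &bloom{bits: make([]uint64, (m+63)/64), m: m, k: k}
}

// indexes returns the k bit positions for elem from a single digest.
func (b *bloom) indexes(elem string) []uint32 {
	d := sha256.Sum256([]byte(elem))
	idx := make([]uint32, b.k)
	for i := range idx {
		idx[i] = binary.BigEndian.Uint32(d[4*i:]) % b.m
	}
	return idx
}

func (b *bloom) add(elem string) {
	for _, i := range b.indexes(elem) {
		b.bits[i/64] |= uint64(1) << (i % 64)
	}
}

// mayContain never gives a false negative; false positives depend on m, k and load.
func (b *bloom) mayContain(elem string) bool {
	for _, i := range b.indexes(elem) {
		if b.bits[i/64]&(uint64(1)<<(i%64)) == 0 {
			return false
		}
	}
	return true
}

// windowed is the "enhanced Bloom filter" of 8260909/8260910: one Bloom filter per
// fixed time interval, in a ring of n slots so the oldest interval is recycled.
type windowed struct {
	slots    []*bloom
	held     []int64 // interval number each slot holds; -1 = empty
	interval time.Duration
	m        uint32
	k        int
}

func newWindowed(n int, interval time.Duration, m uint32, k int) *windowed {
	w := &windowed{slots: make([]*bloom, n), held: make([]int64, n), interval: interval, m: m, k: k}
	for i := range w.slots {
		w.slots[i], w.held[i] = newBloom(m, k), -1
	}
	return w
}

func (w *windowed) intervalOf(t time.Time) int64 { return t.UnixNano() / int64(w.interval) }

// observe records elem at time t, recycling the slot if it holds an older interval.
func (w *windowed) observe(elem string, t time.Time) {
	iv := w.intervalOf(t)
	s := int(iv % int64(len(w.slots)))
	if w.held[s] != iv {
		w.slots[s], w.held[s] = newBloom(w.m, w.k), iv
	}
	w.slots[s].add(elem)
}

// seenBetween is the single-element query: one lookup per interval that overlaps
// [from, to] and is still held in the ring.
func (w *windowed) seenBetween(elem string, from, to time.Time) bool {
	first, last, n := w.intervalOf(from), w.intervalOf(to), int64(len(w.slots))
	if last-first+1 > n { // anything older was recycled
		first = last - n + 1
	}
	for iv := first; iv <= last; iv++ {
		if s := int(iv % n); w.held[s] == iv && w.slots[s].mayContain(elem) {
			return true
		}
	}
	return false
}

// patternSeen is the pattern query: one seenBetween lookup per element. A Bloom
// filter cannot confirm order, so "true" is a candidate to confirm from the raw
// stream, while "false" is definitive within the retained window.
func (w *windowed) patternSeen(pattern []string, from, to time.Time) bool {
	for _, e := range pattern {
		if !w.seenBetween(e, from, to) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample stream: source addresses and the hour they were seen.
	base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	w := newWindowed(24, time.Hour, 1<<16, 4)
	w.observe("10.0.0.5", base.Add(10*time.Minute))
	w.observe("10.0.0.9", base.Add(3*time.Hour))
	fmt.Println(w.seenBetween("10.0.0.5", base, base.Add(time.Hour)))                         // true
	fmt.Println(w.seenBetween("10.0.0.5", base.Add(2*time.Hour), base.Add(5*time.Hour)))      // false
	fmt.Println(w.patternSeen([]string{"10.0.0.5", "10.0.0.9"}, base, base.Add(4*time.Hour))) // true
}
```

Sizing: with m bits and k slices, the false-positive rate after n insertions into one interval's filter is roughly (1 - e^(-kn/m))^k, so m is chosen per interval from the expected events per hour. The ring's recycling step is what bounds memory: a slot whose interval number no longer matches is reset before reuse, which is also why a query older than the ring's span returns false rather than a stale answer.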
  • Publication number: 20100251004
    Abstract: Some embodiments provide a system that manages the execution of a virtual machine. During operation, the system takes a series of snapshots of the virtual machine during execution of the virtual machine. If an abnormal operation of the virtual machine is detected, the system spawns a set of snapshot instances from one of the series of snapshots, wherein each of the snapshot instances is executed with one of a set of limitations. Next, the system determines a source of the abnormal operation using a snapshot instance from the snapshot instances that does not exhibit the abnormal operation. Finally, the system updates a state of the virtual machine using the snapshot instance.
    Type: Application
    Filed: March 31, 2009
    Publication date: September 30, 2010
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Christoph L. Schuba, Tim P. Marsland
  • Publication number: 20100251238
    Abstract: Some embodiments provide a system that manages the execution of a software component in a virtualized environment. During operation, the system monitors the execution of the software component from an external location to the virtualized environment. Next, the system assesses an integrity of the software component by comparing the monitored execution to an expected operation of the software component, wherein the expected operation is determined based on source code for the software component. Finally, the system uses the assessed integrity of the software component to facilitate the execution of the software component.
    Type: Application
    Filed: March 31, 2009
    Publication date: September 30, 2010
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Christoph L. Schuba, Tim P. Marsland
  • Patent number: 7765581
    Abstract: Methods and systems consistent with the present invention provide dynamic security policies that change the granularity of the security at the node level, process level, or socket level. Specifically, a channel number and virtual address are associated with various processes included in a process table. Since a security policy is required for all processes, secure and insecure processes located on the same channel may communicate with one another. Moreover, processes located on different channels may communicate with one another by a gateway that connects both channels. This scalable blanketing security approach provides an institutionalized method for securing any process, node or socket by providing a unique mechanism for policy enforcement at runtime or by changing the security policies.
    Type: Grant
    Filed: December 10, 1999
    Date of Patent: July 27, 2010
    Assignee: Oracle America, Inc.
    Inventors: Germano Caronni, Amit Gupta, Sandeep Kumar, Tom R. Markson, Christoph L. Schuba, Glenn C. Scott
  • Patent number: 7760730
    Abstract: A flow manager may receive prioritized packet flow rules from one or more network services where each rule may include a packet filter and prioritized actions. Each action of a packet flow rule may be either terminating or non-terminating. A flow manager may generate a unified rule set according to the received packet flow rules and may additionally validate the unified rule set to identify errors. When validating the unified rule set, a flow manager may compare the unified rule set against one or more defined policies. Alternatively, a flow manager may apply the unified rule set to either captured or manually specified simulated network packets. A flow manager may also identify extraneous rules or actions. Further, a flow manager may present the unified rule set for manual verification and may receive input identifying errors and specifying modification to correct the errors.
    Type: Grant
    Filed: June 15, 2004
    Date of Patent: July 20, 2010
    Assignee: Oracle America, Inc.
    Inventors: Jason L. Goldschmidt, Christoph L. Schuba, Michael F. Speer
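An added Go example of the flow-manager validation this abstract describes; it is not the patent's or Sun/Oracle's code. Three hypothetical services (`ids`, `fw`, `lb`) each submit prioritized rules with a packet filter and terminating or non-terminating actions; `unify` merges them into one ordered set, `apply` runs a packet through it, and `validate` replays constructed sample packets and policy checks to find rules that are never reached and packets whose final action violates a policy. All rule contents, addresses and names are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

type packet struct{ Src net.IP; Proto string; DstPort int }

// filter is a minimal packet filter; a zero-value field means "any".
type filter struct{ SrcCIDR, Proto string; DstPort int }

func (f filter) matches(p packet) bool {
	if (f.Proto != "" && f.Proto != p.Proto) || (f.DstPort != 0 && f.DstPort != p.DstPort) {
		return false
	}
	if f.SrcCIDR == "" {
		return true
	}
	_, n, err := net.ParseCIDR(f.SrcCIDR)
	return err == nil && n.Contains(p.Src)
}

// action is terminating (no later rule is consulted) or not (e.g. "log").
type action struct{ Name string; Terminating bool }

// rule belongs to one service; a lower Priority is consulted first.
type rule struct{ Service string; Priority int; Filter filter; Actions []action }

// policy says which terminating action a given packet must end with.
type policy struct{ Name, MustEnd string; Packet packet }

// unify merges per-service rule lists into one ordered set; the stable sort
// keeps each service's own order among equal priorities.
func unify(perService ...[]rule) []rule {
	var all []rule
	for _, rs := range perService {
		all = append(all, rs...)
	}
	sort.SliceStable(all, func(i, j int) bool { return all[i].Priority < all[j].Priority })
	return all
}

// apply runs one packet through the set, records in fired which rules it
// reached, and returns the actions taken ("service:action"), stopping at the
// first terminating one.
func apply(rules []rule, p packet, fired []bool) (actions []string) {
	for i, r := range rules {
		if !r.Filter.matches(p) {
			continue
		}
		fired[i] = true
		for _, a := range r.Actions {
			actions = append(actions, r.Service+":"+a.Name)
			if a.Terminating {
				return actions
			}
		}
	}
	return actions
}

// validate replays sample packets (captured or hand-written) and policy packets
// through the set. It returns the indexes of rules nothing reached (shadowed or
// dead; "extraneous" only relative to the sample set) and the violated policies.
func validate(rules []rule, samples []packet, policies []policy) (extraneous []int, violations []string) {
	fired := make([]bool, len(rules))
	for _, p := range samples {
		apply(rules, p, fired)
	}
	for _, pol := range policies {
		if acts := apply(rules, pol.Packet, fired); len(acts) == 0 || acts[len(acts)-1] != pol.MustEnd {
			violations = append(violations, fmt.Sprintf("%s: got %v, want final %s", pol.Name, acts, pol.MustEnd))
		}
	}
	for i, f := range fired {
		if !f {
			extraneous = append(extraneous, i)
		}
	}
	return extraneous, violations
}

// runFlowManager unifies constructed rules from three hypothetical services,
// validates them, and also returns the actions taken for an external SSH packet.
func runFlowManager() (extraneous []int, violations, sshActions []string) {
	accept, drop := []action{{"accept", true}}, []action{{"drop", true}}
	ids := []rule{{"ids", 10, filter{Proto: "tcp"}, []action{{"log", false}}}}
	fw := []rule{
		{"fw", 20, filter{"10.0.0.0/8", "tcp", 22}, accept},
		{"fw", 30, filter{"", "tcp", 22}, drop},
		{"fw", 40, filter{"10.0.0.0/8", "tcp", 22}, accept}, // shadowed by the two rules above
	}
	lb := []rule{{"lb", 25, filter{"", "tcp", 80}, []action{{"forward-pool-a", true}}}}
	rules := unify(ids, fw, lb)
	external := packet{net.ParseIP("203.0.113.7"), "tcp", 22}
	samples := []packet{{net.ParseIP("10.1.2.3"), "tcp", 22}, external, {net.ParseIP("198.51.100.4"), "tcp", 80}}
	policies := []policy{
		{"external ssh dropped", "fw:drop", external},
		{"external telnet dropped", "fw:drop", packet{net.ParseIP("203.0.113.7"), "tcp", 23}}, // no default deny: violated
	}
	extraneous, violations = validate(rules, samples, policies)
	return extraneous, violations, apply(rules, external, make([]bool, len(rules)))
}

func main() {
	fmt.Println(runFlowManager()) // [4] [external telnet dropped: got [ids:log], want final fw:drop] [ids:log fw:drop]
}
```

The two findings it reports are the ones a reviewer wants: rule 4 is shadowed by rules 1 and 3 and can be dropped, and a telnet packet from outside ends on the IDS's non-terminating `log` because no rule terminates it, so the set has no default deny. "Extraneous" here means never reached by the sample set, so the verdict is only as good as the captured traffic fed in.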
  • Patent number: 7685309
    Abstract: Methods and systems consistent with the present invention establish a virtual network on top of current IP network naming schemes. The virtual network uses a separate layer to create a modification to the IP packet format that is used to separate network behavior from addressing. As a result of the modification to the packet format, any type of delivery method may be assigned to any address or group of addresses. The virtual network also maintains secure communications between nodes, while providing the flexibility of assigning delivery methods independent of the delivery addresses.
    Type: Grant
    Filed: August 11, 2005
    Date of Patent: March 23, 2010
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Amit Gupta, Sandeep Kulmar, Tom R. Markson, Christoph L. Schuba, Glenn C. Scott
  • Patent number: 7647637
    Abstract: A patch or set of patches may be deployed, often to a subset of potentially vulnerable systems, to address a particular vulnerability while providing a facility to monitor and, in some cases, characterize post-patch exploit attempts. Often, such a patch will check for an exploit signature and, if an exploit attempt is detected or suspected, take an appropriate action. For example, the patch may include code to log indicative data or trigger such logging. In some exploitations, the patch may generate or contribute to a warning or advisory regarding an additional target (or targets) of the exploit and, if appropriate, initiate a patch or protective measure for the additional target(s). In some exploitations, the patch may simulate responses or behaviors suggestive (to an attacker) of unpatched code. In some exploitations, the patch may direct an exploit attempt to a service (or simulated service) hosted or executing in an isolated protection domain.
    Type: Grant
    Filed: August 19, 2005
    Date of Patent: January 12, 2010
    Assignee: Sun Microsystems, Inc.
    Inventors: Christoph L. Schuba, Dwight F. Hare, Gabriel E. Montenegro
  • Publication number: 20090313446
    Abstract: A method for sharing data between a first domain and a second domain, including issuing a first request for data from a storage pool by the first domain, receiving the first request by a control domain driver in a control domain, obtaining the data by the control domain driver, storing a first copy of the data in shared memory at a first physical address, updating a hypervisor page map to include an entry associating a first pseudo-physical page number with the first physical address, notifying the first domain that the first request has been completed, issuing a second request for the data by the second domain, receiving the second request by the control domain driver, determining that the first copy of the data is present in the shared memory, and updating the hypervisor page map to include an entry associating the second pseudo-physical page number with the first physical address.
    Type: Application
    Filed: June 12, 2008
    Publication date: December 17, 2009
    Applicant: Sun Microsystems, Inc.
    Inventors: Christoph L. Schuba, John B. Levon
  • Publication number: 20090122988
    Abstract: A system that securely registers components in a first system is presented. During operation, the first system receives a request from an intermediary system to obtain configuration information related to the components in the first system. In response to the request, the first system: (1) encrypts configuration information for the first system using a first encryption key; (2) encrypts the first encryption key using a second encryption key; and (3) sends the encrypted configuration information and the encrypted first encryption key to the intermediary system so that the intermediary system can forward the encrypted configuration information and the encrypted first encryption key to the second system, whereby the encrypted configuration information is cryptographically opaque to the intermediary system. Next, the second system uses the configuration information to register the components in the first system.
    Type: Application
    Filed: November 13, 2007
    Publication date: May 14, 2009
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Christoph L. Schuba, James P. Hughes, Daniel F. Smith
  • Publication number: 20090125715
    Abstract: A system that remotely authenticates a command is presented. During operation, an authentication system receives the command from an intermediary system, wherein the command is to be executed on a target system. Next, the authentication system authenticates the intermediary system. If the intermediary system is successfully authenticated, the authentication system authenticates the command using a private key for the authentication system to produce an authenticated command. Next, the authentication system sends the authenticated command to the intermediary system, thereby enabling the intermediary system to send the authenticated command to the target system so that the target system can use a public key for the authentication system to verify and execute the command.
    Type: Application
    Filed: November 13, 2007
    Publication date: May 14, 2009
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Christoph L. Schuba, James P. Hughes