Abstract: Aspects of the technology described herein can provide enhanced metadata to authentically report the provenance of a file. An exemplary computing device may have a file broker to receive an indication from a first security principal to write a file to a file system. The file broker can use one file utility to write the file, but use another file utility to write an identification of the first security principal and its opinion about the file into metadata associated with the file. Subsequently, the identification of the first security principal and its opinion may be used to authentically report the provenance of the file and applied in other security applications.

Abstract: Aspects of the technology described herein can provide enhanced metadata to authentically report the provenance of a file. An exemplary computing device may have a file broker to receive an indication from a first security principal to write a file to a file system. The file broker can use one file utility to write the file, but use another file utility to write an identification of the first security principal and its opinion about the file into metadata associated with the file. Subsequently, the identification of the first security principal and its opinion may be used to authentically report the provenance of the file and applied in other security applications.

Abstract: Computer-executable instructions that are directed to the performance of consequential actions and automatically elevate to execute at a higher privilege level to do so can perform such consequential actions only after user notification. Doing so can enable monitoring processes to avoid presenting duplicative user notification upon detection of such auto-elevation. In addition, prior to presenting user notification, input from the execution environment can be ignored and access to DLLs for performing consequential actions can be avoided. A static analyzer can identify non-conforming computer-executable instructions. A wrapper can be utilized to provide compliance by otherwise unknown or non-conforming computer-executable instructions.

Abstract: The reputation of an executable computer program is checked when a user input to a computing device initiates a program launch, thus triggering a check of a local cache of reputation information. If the local cache confirms that the program is safe, it is permitted to launch, typically without notifying the user that a reputation check has been made. If the local cache cannot confirm the safety of the program, a reputation check is made by accessing a reputation service in the cloud. If the reputation service identifies the program as safe, it returns an indication to the computing device and the program is permitted to be launched, again without notifying the user that a reputation check has been made. If the reputation service identifies the program as unsafe or potentially unsafe, or does not recognize it at all, a warning is displayed to the user.

Abstract: To protect computer programs against security attacks that attempt to corrupt pointers within the address space of the program, the value of a pointer is encrypted each time the pointer is initialized or modified, and then the value is decrypted before use, i.e., each time the pointer is read. Preferably, the encrypting and decrypting steps are effected by instructions generated by a compiler during compilation of the program. One convenient method of implementing the encrypting and decrypting steps is by XOR'ing the pointer with a predetermined encryption key value, which could be specially selected or selected at random.

Abstract: The reputation of an executable computer program is checked when a user input to a computing device initiates a program launch, thus triggering a check of a local cache of reputation information. If the local cache confirms that the program is safe, it is permitted to launch, typically without notifying the user that a reputation check has been made. If the local cache cannot confirm the safety of the program, a reputation check is made by accessing a reputation service in the cloud. If the reputation service identifies the program as safe, it returns an indication to the computing device and the program is permitted to be launched, again without notifying the user that a reputation check has been made. If the reputation service identifies the program as unsafe or potentially unsafe, or does not recognize it at all, a warning is displayed to the user.

Abstract: Role-based access controls improve user access in a computer system. A profile associated with a role is generated. The profile is enforced with respect to one or more users associated with the role. Optionally, the profile is generated based at least in part on a user interaction.

Abstract: A host application on a computing device displays an icon or other visual representation of a resource of the computing device, and receives a request from one of one or more applications hosted by the host application. The request is a request to access the resource represented by the icon or other visual representation of the resource, and in response to the request the appearance of the icon or other visual representation of the resource is altered. The requesting application is allowed to access the resource only if a user selection of the displayed icon or other visual representation is received.

Abstract: Computer-executable instructions that are directed to the performance of consequential actions and automatically elevate to execute at a higher privilege level to do so can perform such consequential actions only after user notification. Doing so can enable monitoring processes to avoid presenting duplicative user notification upon detection of such auto-elevation. In addition, prior to presenting user notification, input from the execution environment can be ignored and access to DLLs for performing consequential actions can be avoided. A static analyzer can identify non-conforming computer-executable instructions. A wrapper can be utilized to provide compliance by otherwise unknown or non-conforming computer-executable instructions.

Abstract: To protect computer programs against security attacks that attempt to corrupt pointers within the address space of the program, the value of a pointer is encrypted each time the pointer is initialized or modified, and then the value is decrypted before use, i.e., each time the pointer is read. Preferably, the encrypting and decrypting steps are effected by instructions generated by a compiler during compilation of the program. One convenient method of implementing the encrypting and decrypting steps is by XOR'ing the pointer with a predetermined encryption key value, which could be specially selected or selected at random.

Abstract: Techniques, systems, and apparatuses for conveying privilege escalation to a user are disclosed. In some aspects, a privilege escalation request is initiated in a first operating environment. The first operating environment may foreshorten to reveal a second operating environment associated with the privilege escalation. The second operating environment includes a continuous visual presentation to alert the user of the privilege escalation. A user may complete one or more privileged activities in the second operating environment before returning to the first operating environment.

Abstract: Providing access control for an application is disclosed. An application is monitored. An application profile is generated for the application. The application profile is based at least in part on behavior of the application as observed through the monitoring of the application. The application profile defines one or more access controls associated with the application.

Abstract: To protect computer programs against security attacks that attempt to corrupt pointers within the address space of the program, the value of a pointer is encrypted each time the pointer is initialized or modified, and then the value is decrypted before use, i.e., each time the pointer is read. Preferably, the encrypting and decrypting steps are effected by instructions generated by a compiler during compilation of the program. One convenient method of implementing the encrypting and decrypting steps is by XOR'ing the pointer with a predetermined encryption key value, which could be specially selected or selected at random.