Patents by Inventor Jia Jun Brandon Lum
Jia Jun Brandon Lum has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11677549Abstract: A processor may generate one or more encrypted policies associated with a policy creator. A processor may generate token metadata associated with a user utilizing the one or more encrypted policies. A processor may encrypt the token metadata to form encrypted token metadata. A processor may send the one or more encrypted policies and the encrypted token metadata to a policy evaluator. The policy evaluator may evaluate the one or more encrypted policies and the encrypted token metadata. The processor may return a response. The response may be based on the evaluation by the policy evaluator.Type: GrantFiled: March 30, 2021Date of Patent: June 13, 2023Assignee: International Business Machines CorporationInventors: Jia Jun Brandon Lum, Mariusz Sabath, Alaa S. Youssef
-
Patent number: 11652631Abstract: Techniques regarding the use of digital identity tokens describing a computer application to obtain authorization to confidential data based on one or more policies are provided. For example, one or more embodiments described herein can comprise a system, which can comprise a memory that can store computer executable components. The system can also comprise a processor, operably coupled to the memory, and that can execute the computer executable components stored in the memory. The computer executable components can comprise a trusted platform module component that can generate a digital identity token that is bound to a computer application process. The computer executable components can also comprise a key authenticity component that can compare the digital identity token to a security key to retrieve a security credential.Type: GrantFiled: June 27, 2019Date of Patent: May 16, 2023Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Mariusz Sabath, Jia Jun Brandon Lum, Malgorzata Steinder, Daniel Pittner
-
Publication number: 20220321335Abstract: A processor may generate one or more encrypted policies associated with a policy creator. A processor may generate token metadata associated with a user utilizing the one or more encrypted policies. A processor may encrypt the token metadata to form encrypted token metadata. A processor may send the one or more encrypted policies and the encrypted token metadata to a policy evaluator. The policy evaluator may evaluate the one or more encrypted policies and the encrypted token metadata. The processor may return a response. The response may be based on the evaluation by the policy evaluator.Type: ApplicationFiled: March 30, 2021Publication date: October 6, 2022Inventors: JIA JUN BRANDON LUM, Mariusz Sabath, Alaa S. Youssef
-
Patent number: 11409880Abstract: Techniques facilitating security hardening systems that host containers are provided. In one example, a system comprises: a memory that stores computer executable components; and a processor that executes computer executable components stored in the memory. The computer executable components comprise: a boot component performs a portion of a trusted boot sequence to securely boot the system to a defined secure state wherein one or more types of administrative access to a container memory are deactivated. The computer executable components also comprise: a core service component started as a part of the trusted boot sequence and that securely obtains one or more decryption keys for use with the container memory; and a runtime decryption component that uses the one or more decryption keys to perform runtime decryption of one or more files accessed by a container associated with the container memory.Type: GrantFiled: July 11, 2019Date of Patent: August 9, 2022Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Hai Huang, Jia Jun Brandon Lum, Sahil Suneja, Ricardo Andrei Koller Jemio, Malgorzata Steinder
-
Patent number: 11170105Abstract: Verifying authenticity of software updates is provided. An update executable and an update behavior profile corresponding to a software update are hashed using a cryptographic hash function. A hash of the update executable and the update behavior profile is signed using a private key to form a hashed update digital signature.Type: GrantFiled: February 28, 2019Date of Patent: November 9, 2021Assignee: International Business Machines CorporationInventors: Jia Jun Brandon Lum, Alaa S. Youssef
-
Patent number: 11030072Abstract: Aspects of the invention include creating and starting fast-start container images. A preview image of a container is received at a host computer. The preview image includes a subset of an original image of the container. The preview image of the container is executed, at the host computer, for a workload. Based at least in part on detecting a fault during the executing of the preview image of the container, one of the original image of the container and a portion of the original image not included in the preview image of the container is accessed for continuing execution of the workload.Type: GrantFiled: November 1, 2018Date of Patent: June 8, 2021Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Hai Huang, Jia Jun Brandon Lum, Alaa Youssef
-
Patent number: 10985916Abstract: An apparatus receives a signal to perform secure erasure of a storage medium. The apparatus, responsive to reception of the signal, erases the storage medium by performing at least the following operations. An encryption key is erased. The encryption key is stored on the storage medium and is used to encrypt data on the storage medium. The apparatus generates a fake encryption key that is different from the encryption key and stores storing the fake encryption key on the storage medium. The encryption key and/or fake encryption key may be stored on the medium in multiple parts. The encryption key may be generated using random data from the medium. The apparatus may be the storage medium or a computer system that access the storage medium. The erasure can be performed in response to a request by a user. The medium may be an erasure-resistant storage medium.Type: GrantFiled: October 31, 2017Date of Patent: April 20, 2021Assignee: International Business Machines CorporationInventors: Diana Arroyo, Jia Jun Brandon Lum, Alaa Youssef
-
Patent number: 10897497Abstract: Aspects of the invention include selecting a node for an infrastructure update. The selected node is included in a cluster of nodes executing workloads that include containers. A future workload is prevented from being scheduled on the selected node. A workload currently executing on the selected node is migrated to another node included in the cluster of nodes. Infrastructure code on the selected node is updated, and in response to the updating, the ability to schedule a future workload on the selected node is enabled.Type: GrantFiled: November 13, 2018Date of Patent: January 19, 2021Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATIONInventors: Mariusz Sabath, Jia Jun Brandon Lum, Alaa Youssef, Malgorzata Steinder, Asser Nasreldin Tantawi
-
Publication number: 20210012011Abstract: Techniques facilitating security hardening systems that host containers are provided. In one example, a system comprises: a memory that stores computer executable components; and a processor that executes computer executable components stored in the memory. The computer executable components comprise: a boot component performs a portion of a trusted boot sequence to securely boot the system to a defined secure state wherein one or more types of administrative access to a container memory are deactivated. The computer executable components also comprise: a core service component started as a part of the trusted boot sequence and that securely obtains one or more decryption keys for use with the container memory; and a runtime decryption component that uses the one or more decryption keys to perform runtime decryption of one or more files accessed by a container associated with the container memory.Type: ApplicationFiled: July 11, 2019Publication date: January 14, 2021Inventors: Hai Huang, Jia Jun Brandon Lum, Sahil Suneja, Ricardo Andrei Koller Jemio, Malgorzata Steinder
-
Publication number: 20200412540Abstract: Techniques regarding the use of digital identity tokens describing a computer application to obtain authorization to confidential data based on one or more policies are provided. For example, one or more embodiments described herein can comprise a system, which can comprise a memory that can store computer executable components. The system can also comprise a processor, operably coupled to the memory, and that can execute the computer executable components stored in the memory. The computer executable components can comprise a trusted platform module component that can generate a digital identity token that is bound to a computer application process. The computer executable components can also comprise a key authenticity component that can compare the digital identity token to a security key to retrieve a security credential.Type: ApplicationFiled: June 27, 2019Publication date: December 31, 2020Inventors: Mariusz Sabath, Jia Jun Brandon Lum, Malgorzata Steinder, Daniel Pittner
-
Publication number: 20200279044Abstract: Verifying authenticity of software updates is provided. An update executable and an update behavior profile corresponding to a software update are hashed using a cryptographic hash function. A hash of the update executable and the update behavior profile is signed using a private key to form a hashed update digital signature.Type: ApplicationFiled: February 28, 2019Publication date: September 3, 2020Inventors: Jia Jun Brandon Lum, Alaa S. Youssef
-
Patent number: 10733306Abstract: A secure filesystem provides write-only access with limited read. The filesystem stores data as an encrypted block on a user machine using a symmetric (active) key, along with metadata including a read condition. While the read condition is valid, local applications can read the data using the active key. When the read condition becomes invalid, the active key is deleted so local applications no longer have access. However, the filesystem encrypts the active key to yield an inactive key, using an RSA public key. The corresponding private key is sent to an authorized party machine, but deleted from the user machine. Thus the user machine is unable to decrypt the inactive key, but the authorized party machine can still read the data by first decrypting the inactive key using the private key to regenerate the active key, and then decrypting the encrypted block using the regenerated active key.Type: GrantFiled: March 7, 2018Date of Patent: August 4, 2020Assignee: International Business Machines CorporationInventors: Jia Jun Brandon Lum, Alaa Youssef, Diana J. Arroyo
-
Publication number: 20200153898Abstract: Aspects of the invention include selecting a node for an infrastructure update. The selected node is included in a cluster of nodes executing workloads that include containers. A future workload is prevented from being scheduled on the selected node. A workload currently executing on the selected node is migrated to another node included in the cluster of nodes. Infrastructure code on the selected node is updated, and in response to the updating, the ability to schedule a future workload on the selected node is enabled.Type: ApplicationFiled: November 13, 2018Publication date: May 14, 2020Inventors: Mariusz Sabath, Jia Jun Brandon Lum, Alaa Youssef, Malgorzata Steinder, Asser Nasreldin Tantawi
-
Publication number: 20200142801Abstract: Aspects of the invention include creating and starting fast-start container images. A preview image of a container is received at a host computer. The preview image includes a subset of an original image of the container. The preview image of the container is executed, at the host computer, for a workload. Based at least in part on detecting a fault during the executing of the preview image of the container, one of the original image of the container and a portion of the original image not included in the preview image of the container is accessed for continuing execution of the workload.Type: ApplicationFiled: November 1, 2018Publication date: May 7, 2020Inventors: Hai Huang, Jia Jun Brandon Lum, Alaa Youssef
-
Publication number: 20190278916Abstract: A secure filesystem provides write-only access with limited read. The filesystem stores data as an encrypted block on a user machine using a symmetric (active) key, along with metadata including a read condition. While the read condition is valid, local applications can read the data using the active key. When the read condition becomes invalid, the active key is deleted so local applications no longer have access. However, the filesystem encrypts the active key to yield an inactive key, using an RSA public key. The corresponding private key is sent to an authorized party machine, but deleted from the user machine. Thus the user machine is unable to decrypt the inactive key, but the authorized party machine can still read the data by first decrypting the inactive key using the private key to regenerate the active key, and then decrypting the encrypted block using the regenerated active key.Type: ApplicationFiled: March 7, 2018Publication date: September 12, 2019Inventors: Jia Jun Brandon Lum, Alaa Youssef, Diana J. Arroyo
-
Publication number: 20190132125Abstract: An apparatus receives a signal to perform secure erasure of a storage medium. The apparatus, responsive to reception of the signal, erases the storage medium by performing at least the following operations. An encryption key is erased. The encryption key is stored on the storage medium and is used to encrypt data on the storage medium. The apparatus generates a fake encryption key that is different from the encryption key and stores storing the fake encryption key on the storage medium. The encryption key and/or fake encryption key may be stored on the medium in multiple parts. The encryption key may be generated using random data from the medium. The apparatus may be the storage medium or a computer system that access the storage medium. The erasure can be performed in response to a request by a user. The medium may be an erasure-resistant storage medium.Type: ApplicationFiled: October 31, 2017Publication date: May 2, 2019Inventors: Diana Arroyo, Jia Jun Brandon Lum, Alaa Youssef