Patents by Inventor Michael John Wray

Michael John Wray has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10783246
    Abstract: Examples relate to snapshots of system memory. In an example implementation, structural information of a process in a snapshot of system memory is compared with hashes or fuzzy hashes of executable regions of the same process in a previous snapshot of system memory to determine whether there is a structural anomaly.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: September 22, 2020
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Nigel Edwards, Michael John Wray
  • Patent number: 10650138
    Abstract: Examples relate to system call policies for containers. In an example, a method includes receiving, by a container platform, a container for running an application. The container has a metadata record that specifies an application type of the application. The container platform receives a data structure that specifies a set of system call policies for a set of application types and queries the data structure to determine a policy of the set of system call policies to apply to the container based on the application type in the metadata record. A kernel implements the policy for the container to allow or deny permission for a system call by the application running in the container based on a comparison of the system call to the policy.
    Type: Grant
    Filed: January 27, 2017
    Date of Patent: May 12, 2020
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Michela D'Errico, Leon Frank Ehrenhart, Chris I. Dalton, Michael John Wray, Siani Pearson, Dennis Heinze
  • Patent number: 10372909
    Abstract: Example implementations relate to determination as to whether a process is infected with malware. For example, in an implementation, information of a process extracted from a snapshot of system memory is obtained. A determination as to whether the process is infected with malware is made based on a process model.
    Type: Grant
    Filed: August 19, 2016
    Date of Patent: August 6, 2019
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Michael John Wray, Nigel Edwards
  • Publication number: 20180218153
    Abstract: Examples relate to snapshots of system memory. In an example implementation, structural information of a process in a snapshot of system memory is compared with hashes or fuzzy hashes of executable regions of the same process in a previous snapshot of system memory to determine whether there is a structural anomaly.
    Type: Application
    Filed: January 31, 2017
    Publication date: August 2, 2018
    Inventors: Nigel Edwards, Michael John Wray
  • Publication number: 20180218148
    Abstract: Examples relate to system call policies for containers. In an example, a method includes receiving, by a container platform, a container for running an application. The container has a metadata record that specifies an application type of the application. The container platform receives a data structure that specifies a set of system call policies for a set of application types and queries the data structure to determine a policy of the set of system call policies to apply to the container based on the application type in the metadata record. A kernel implements the policy for the container to allow or deny permission for a system call by the application running in the container based on a comparison of the system call to the policy.
    Type: Application
    Filed: January 27, 2017
    Publication date: August 2, 2018
    Inventors: Michela D'Errico, Leon Frank Ehrenhart, Chris I. Dalton, Michael John Wray, Siani Pearson, Dennis Heinze
  • Publication number: 20180052997
    Abstract: Example implementations relate to determination as to whether a process is infected with malware. For example, in an implementation, information of a process extracted from a snapshot of system memory is obtained. A determination as to whether the process is infected with malware is made based on a process model.
    Type: Application
    Filed: August 19, 2016
    Publication date: February 22, 2018
    Inventors: Michael John Wray, Nigel Edwards
  • Publication number: 20140007197
    Abstract: In one implementation, a delegation system authenticates, at a first time, a first user relative to a computing environment, and receives, at a second time after the first time, a request for the first user to act within the computing environment as a second user. The delegation system also determines, in response to the request, whether the first user is authorized to act as the second user within the computing environment.
    Type: Application
    Filed: June 29, 2012
    Publication date: January 2, 2014
    Inventor: Michael John Wray
  • Patent number: 8612755
    Abstract: A trusted computing platform includes one or more first logically protected computer environments (or “compartments”) associated with initialization of the system, and one or more second logically protected computing environments (or “compartments”). The one or each second compartment is associated with at least one service or process supported by the said system. The trusted computing platform is loaded with a predetermined security policy including one or more security rules for controlling the operation of each of the compartments such that the security rules relating to the one or each first compartment are loaded onto the trusted computing platform when the system is initialized. The one or more security rules relating to the one or at least one of the second compartments are only loaded onto the trusted computing platform if one or more services or processes associated therewith are enabled.
    Type: Grant
    Filed: March 29, 2004
    Date of Patent: December 17, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Michael John Wray, Richard B Stock
  • Patent number: 8274912
    Abstract: A virtual network has network interfaces coupled by tunnels (100) through a forwarding network (40), each interface having a forwarding address in an address space of the forwarding network, each network interface having a reconfigurable address mapper (320) for determining a forwarding address for a packet, and encapsulating the packet with its forwarding address so that the forwarding network can forward the data packet transparent to its destination address. The network interface automatically configures the address mapper by sending a discovery request for a given virtual network address over the forwarding network, to prompt a response with an indication of the corresponding forwarding address, and to use the indication in such a response to configure the address mapper. This can ease the administrative burden of setting up and maintaining the address mapper and to ease network reconfiguration according to demand or faults for example.
    Type: Grant
    Filed: August 3, 2005
    Date of Patent: September 25, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Michael John Wray, Christopher Ian Dalton
  • Patent number: 8223770
    Abstract: A virtual network has virtual machines on physical devices connected to network interfaces each coupled by tunnels (100) through a forwarding network (40), each interface having a forwarding address in an address space of the forwarding network, each network interface having a reconfigurable address mapper (320) for determining a forwarding address for a packet, and encapsulating the packet with its forwarding address so that the forwarding network can deliver the data packet to the remote physical device having that forwarding address. Such encapsulation enables virtual machines on different physical devices to communicate transparently to the underlying forwarding network. Virtual networks can be created to suit their applications yet use or share existing forwarding networks, while protecting the forwarding network from interference by the virtual machines, and maintaining isolation between virtual machines.
    Type: Grant
    Filed: August 3, 2005
    Date of Patent: July 17, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Michael John Wray, Christopher Ian Dalton
  • Patent number: 8213429
    Abstract: A virtual network has network interfaces coupled by a multipoint tunnel (100) through a forwarding network (40), each interface having a forwarding address in an address space of the forwarding network, each network interface having a reconfigurable address mapper (320) for determining a forwarding address for a packet, and encapsulating the packet with its forwarding address so that the forwarding network can forward the data packet transparent to its destination address. This makes the virtual network more agile since changes to the virtual network can be achieved by reconfiguring the corresponding forwarding addresses without needing to set up new tunnels or new routing to these different tunnels. The forwarding network need not be aware of the virtual network and so no adaptation of the forwarding network or specialised hardware is needed.
    Type: Grant
    Filed: August 3, 2005
    Date of Patent: July 3, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Michael John Wray, Christopher I Dalton
  • Patent number: 7600261
    Abstract: A system comprising a trusted computing platform including one or more logically protected computing environments, each of which is associated with at least one service or process supported by said system, the system being arranged to load onto said trusted computing platform a predetermined security policy including one or more security rules for controlling the operation of each of said logically protected computing environments, the security rules for at least one of said logically protected computing environments including an execution control rule which defines the security attributes to be applied to a service or process associated with said logically protected computing environment when said service or process is started.
    Type: Grant
    Filed: March 26, 2004
    Date of Patent: October 6, 2009
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Michael John Wray
  • Patent number: 7552328
    Abstract: A system and method for resolving a rule conflict within a security policy applied to a trusted computing platform, wherein the fileset to which each of the conflicting rules r and s refers (or “scope”) is determined (step 10). It is then determined (at step 12) if the scope of one of the rules s is a complete subset of the scope of rule r. If so, rule s is applied to the accessed file f (at step 14). If not, the conflict is resolved in another way, for example, by determining the most restrictive of rules r and s (at step 16) and applying the result accordingly (step 18).
    Type: Grant
    Filed: March 26, 2004
    Date of Patent: June 23, 2009
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Michael John Wray
  • Publication number: 20090129385
    Abstract: A virtual network has network interfaces coupled by a multipoint tunnel (100) through a forwarding network (40), each interface having a forwarding address in an address space of the forwarding network, each network interface having a reconfigurable address mapper (320) for determining a forwarding address for a packet, and encapsulating the packet with its forwarding address so that the forwarding network can forward the data packet transparent to its destination address. This makes the virtual network more agile since changes to the virtual network can be achieved by reconfiguring the corresponding forwarding addresses without needing to set up new tunnels or new routing to these different tunnels. The forwarding network need not be aware of the virtual network and so no adaptation of the forwarding network or specialised hardware is needed.
    Type: Application
    Filed: August 3, 2005
    Publication date: May 21, 2009
    Applicant: HEWLETT-PACKARD DEVELOPMENT COMPANY, L. P.
    Inventors: Michael John Wray, Christopher I. Dalton
  • Publication number: 20080225875
    Abstract: A virtual network has network interfaces coupled by tunnels (100) through a forwarding network (40), each interface having a forwarding address in an address space of the forwarding network, each network interface having a reconfigurable address mapper (320) for determining a forwarding address for a packet, and encapsulating the packet with its forwarding address so that the forwarding network can forward the data packet transparent to its destination address. The network interface automatically configures the address mapper by sending a discovery request for a given virtual network address over the forwarding network, to prompt a response with an indication of the corresponding forwarding address, and to use the indication in such a response to configure the address mapper. This can ease the administrative burden of setting up and maintaining the address mapper and to ease network reconfiguration according to demand or faults for example.
    Type: Application
    Filed: August 3, 2005
    Publication date: September 18, 2008
    Applicant: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
    Inventors: Michael John Wray, Christopher Ian Dalton
  • Publication number: 20040250110
    Abstract: A trusted computing platform includes one or more first logically protected computer environments (or “compartments”) associated with initialisation of the system, and one or more second logically protected computing environments (or “compartments”). The one or each second compartment is associated with at least one service or process supported by the said system. The trusted computing platform is loaded with a predetermined security policy including one or more security rules for controlling the operation of each of the compartments such that the security rules relating to the one or each first compartment are loaded onto the trusted computing platform when the system is initialized. The one or more security rules relating to the one or at least one of the second compartments are only loaded onto the trusted computing platform if one or more services or processes associated therewith are enabled.
    Type: Application
    Filed: March 29, 2004
    Publication date: December 9, 2004
    Inventors: Michael John Wray, Richard B. Stock
  • Publication number: 20030065936
    Abstract: A computer network includes an on-line purchasing system which advertises goods for sale by means of a web-page accessible over the Internet. The web-page is stored on a server which is connected to an XML interface facility in the form of an XSLT file. The server is connected to the Internet by means of a first port. A client terminal is connected to the server by means of the first port. The server also includes a second port for connecting the server to an external authorisation computer via a connection. The server is configured to perform certain data processing operations, such as processing purchase orders sent from a user, forwarding processed purchase orders to a despatch service for effecting delivery etc., but only after an authorisation process has been completed. Initially, the client terminal sends a purchase order, in the form of an XML document, to the server.
    Type: Application
    Filed: August 16, 2002
    Publication date: April 3, 2003
    Inventor: Michael John Wray
  • Publication number: 20030028646
    Abstract: In a method of establishing a data connection between a client computer and a destination computer over a computer network, a first computer network comprises a local area network (LAN) to which is connected a first, second and third client computer. At the boundary of the first computer network is provided a first firewall computer which is connected to the LAN. The first firewall computer is a secure relay computer. A second computer network comprises a web-site server and a second firewall computer which acts in much the same way as the first firewall computer. The second firewall computer only permits incoming data connections if an SSL data connection is used. The second computer network is connected to the first computer network by means of a public network, in this case the Internet. Each of the first, second and third client computers is able to access a website stored on the web-site server.
    Type: Application
    Filed: July 24, 2002
    Publication date: February 6, 2003
    Inventor: Michael John Wray
  • Publication number: 20030023879
    Abstract: In a method of establishing a secure data connection, a corporate computer network comprises a LAN to which is connected a first, second and third client computer. At the boundary of the corporate computer network is a firewall computer (hereinafter simply referred to as ‘the firewall’). The firewall is configured to prevent incoming data connections being made to the LAN from outside of the corporate computer network. As well as preventing incoming communications with the LAN, the firewall is also configured to control connections requested from within the corporate computer network to external computers. Indeed, for security purposes, the firewall is configured to require authentication of such requests for an external connection (i.e. to verify who is actually making the request) prior to establishing the external connection. This authentication is performed using the SSL protocol. In this case, the Java Secure Sockets Extension (JSSE) version of SSL is used.
    Type: Application
    Filed: July 24, 2002
    Publication date: January 30, 2003
    Inventor: Michael John Wray