Abstract: A configurable firewall for computing systems is disclosed. The configurable firewall provides a firewall control block that can be used as a mechanism to implement and control access privileges between various components of the computing environment. As such, the firewall control block can be used to determine whether one component (e.g., applet) can access another component in the computing environment. This allows a flexible environment where firewall boundaries can be configured in such a way that each applet can allow access to a desired set of other applets. In addition, the control block can be implemented using a variety of techniques that may be suitable for different system requirements (e.g., processing speed, memory). As such, the configurable firewall is useful for implementing security for various computing systems, especially those that operate with relatively limited processing power and/or provide highly specialized functionality (e.g., smart cards).

Abstract: An authentication system includes a smart access card issued to a user, a client computer, a desktop authentication module configured to prevent a user from accessing resources of the client computer prior to successful completion of a two factor authentication; a card reader interface providing communication between the smart access card and the desktop authentication module; and an enrollment server for enrolling the access card into a server data store. The smart access card has an authentication credential comprising an authentication certificate and a card unique identifier. The enrollment server is in communication with the desktop authentication module via a network connection for receiving the authentication credential from the smart access card and performing two factor authentication for a user, the two factor authentication using the authentication credential prior to the enrolling.

Abstract: Techniques for providing security context and firewalls in computing environments are disclosed. The security context includes cryptographic operations that can further enhance security. A security context block that includes a security context identification (ID) and a cryptographic system is disclosed. The security context identification (ID) can be provided for and assigned to various components of the computing system as means for security identification. Using the cryptographic system, various cryptographic operations can be performed on the security context identification (ID) to further enhance security. For example, security identifiers can be authenticated before it is presented to a firewall. After, successful authentication, the firewall can be used to determine whether the security identifier identifies an associate with access privileges.

Abstract: One embodiment of the present invention provides a system for freeing memory within a computing device. During operation, the system receives a command to free a given segment of memory within the computing device, wherein the command specifies the location of the given segment and the size of the given segment. In response to the command, the system adds the given segment to a free segment table that contains entries for free segments of memory within the computing device. During this process, if the given segment is contiguous with an existing segment in the free segment table, the given segment is concatenated with the existing segment by adding the given segment to an entry for the existing segment in the free segment table.

Abstract: One embodiment of the present invention provides a system for compacting memory within a computing device, wherein the computing device supports transient objects, having a persistent portion stored in a writeable non-volatile memory, and a transient portion stored in a volatile memory. During the compaction process, the system resets the volatile memory so that information in the volatile memory is deleted. Next, the system scans through a list of objects. For each transient object encountered in the list of objects, the system allocates space for the transient object in the volatile memory. The system also updates the persistent portion of the transient object, if necessary, to specify a new location in volatile memory for the transient portion of the transient object.

Abstract: One embodiment of the present invention provides a system for compacting memory within a computing device, wherein the computing device supports transient objects, having a persistent portion stored in a writeable non-volatile memory, and a transient portion stored in a volatile memory. During the compaction process, the system resets the volatile memory so that information in the volatile memory is deleted. Next, the system scans through a list of objects. For each transient object encountered in the list of objects, the system allocates space for the transient object in the volatile memory. The system also updates the persistent portion of the transient object, if necessary, to specify a new location in volatile memory for the transient portion of the transient object.

Abstract: One embodiment of the present invention provides a system for freeing memory within a computing device. During operation, the system receives a command to free a given segment of memory within the computing device, wherein the command specifies the location of the given segment and the size of the given segment. In response to the command, the system adds the given segment to a free segment table that contains entries for free segments of memory within the computing device. During this process, if the given segment is contiguous with an existing segment in the free segment table, the given segment is concatenated with the existing segment by adding the given segment to an entry for the existing segment in the free segment table.