Abstract: A preferred contact group centric interface for a communication device can be used to facilitate communications by a user. The user interface can be arranged to activate from a user's “home page” on the display, from an idle screen that is accessed after a timeout period expires, or any other appropriate mechanism that activates the preferred contact group centric experience. A user selects the preferred contact group from among an array of the user's contacts. Once the contact group is configured, a minimal number of navigation/selection features is necessary to activate any number of communication modes available to the contacts. The contact group is configured such that simple and quick navigation between the contact members is achieved. The contact group can be presented in 2D and 3D arrangements, in any number of list or geometric configurations. A pricing plan can optionally be tied to each member of the contact group.

Abstract: A method for verifying a set of policy instructions to be used by a policy decision point (PDP) in adjudicating access requests to protected resources. The policy instructions are in the form of Horn clauses or conditional tag-expressions that are validated against a known test policy or desired outcome. The policy instructions are then compiled into aggregate form. When a plurality of policy instructions creates a conflict, the policy instructions are hierarchically organized to resolve said conflict.

Abstract: A system for controlling file access on a mobile computing device. Policy conditions are held at a policy decision point (PDP) and can be dynamically modified at run-time. Access requests to a file or set of files are intercepted by an agent that subsequently brokers the adjudication of said request via a secure, encrypted and hidden back-channel where the requestor is never allowed access to or knowledge of either the adjudication process or the parameters associated with adjudication. The PDP then returns either an access approval or denial based on said policy conditions.

Abstract: Systems and methods are described for utilizing a secure environment on a mobile computing device for applying policy-based decision management in response to access requests from untrusted areas. A policy decision processor (PDP) within the secure environment provides a policy decision in response to an access query. A decision cache within the secure environment can be used to store policy decisions for faster resolution of access requests. Policy enforcement points (PEPs) are placed between external devices that are trying to access the device and the secured environment, where the PEPs are used to enforce the policy-based decision, and can be located either inside or outside the secure environment. Decision certificates can be formulated using validity information and timestamps, and used for validation policy certificates. Memory in non-secure areas can also be marked (colored) for use in performing trusted operations in order to optimize system resource usage.

Abstract: A system for performing coincident boot of computing devices having non-volatile memory and secure and non-secure partitions on the same System on Chip (SoC) or on a similarly capable computing device with secure division and separation of sensitive memory resources, secure protection of intellectual property during boot and post-boot, and support for secure interoperations between secure and non-secure states. The system packages components of the boot loader into a single signed and encrypted package. That package is loaded into the non-secure memory where it is verified before being extracted to the secure partition.

Abstract: A system and method for secure access to computing services in trusted computing environments. The present invention facilitates the execution of services in a secure environment by unsecure requestors where the requestor has no visibility into the secure environment. A remote service creates an encrypted data bundle (EDB) consisting of the request and associated data and transmits the EDB to the unsecure requestor. The EDB is then transmitted to the Trusted Service Receiver (TSR) in the secure environment that decrypts the EDB and determines if the request is valid and permissible. If valid and permissible, the TSR determines what secure service will be required and Trusted Services (TS) are invoked. TSR then collects results from each TS invoked and transmits the result according to the instructions in the request.

Abstract: A preferred contact group centric interface for a communication device can be used to facilitate communications by a user. The user interface can be arranged to activate from a user's “home page” on the display, from an idle screen that is accessed after a timeout period expires, or any other appropriate mechanism that activates the preferred contact group centric experience. A user selects the preferred contact group from among an array of the user's contacts. Once the contact group is configured, a minimal number of navigation/selection features is necessary to activate any number of communication modes available to the contacts. The contact group is configured such that simple and quick navigation between the contact members is achieved. The contact group can be presented in 2D and 3D arrangements, in any number of list or geometric configurations. A pricing plan can optionally be tied to each member of the contact group.

Abstract: A system for policy-managed secure code execution and messaging for computing devices where each trusted application is managed independently of others and is not visible to unauthorized inspection or execution. If a file bundle received by the system contains metadata concerning the context of the file or its execution, the metadata is decrypted if necessary. If the file bundle containing the executable code is encrypted, its key is stored in a policy server to await adjudication of the request to execute. If the policy server allows execution of the executable code, the key stored in the policy server is used to decrypt the file bundle and the resulting executable code is stored as a trusted application in secure memory. Future requests to execute the trusted application are adjudicated by the policy server and enforced by the exclusive policy execution point associated with that trusted application in secure memory.

Abstract: A system and method for policy-based active Data Loss Prevention (DLP) using a two-step process to first determine if an attempt to access a data object is governed by DLP policy, and if so, then applying the DLP policy to either allow or deny access. Attempts by an agent to access, create, modify, or distribute a data object are trapped by a policy execution point. A first query determines if DLP policies govern that access request. If they do, then the metadata is decrypted to form a second query to a policy decision point to adjudicate the access request. If the access request is allowed, then a second key is provided to decrypt the data object for further processing. The system further provides for the encryption of unencrypted data objects to protect them for all future access queries.

Abstract: Systems and methods for secure, policy-based, access control and management of mobile computing devices, including policy decision enforcement mechanisms, device and private network presence testing, aspects of file system controls, policy set sanity checking algorithms, performance optimizations.

Abstract: An autonomous and adaptive method and system for secure, policy-based control of remote and locally controlled computing devices. The invention uses a policy-based access control mechanism to achieve adaptive and dynamic behavior modification based on the context of the local operating environment of the computing device. The modification system assesses the desirability of actions or outcomes as determined by the policy rules and modifies them accordingly, thus altering the behavior of the computing device. The system can utilize a machine learning technique, pattern matching and heuristic evaluation. When applied to the control of robotic and autonomous devices, the system allows the robot to offload adjudication to a remote system and also facilitates cooperative behaviors between robots operating in dynamic environments.

Abstract: A system for policy-managed secure code execution and messaging for computing devices where each trusted application is managed independently of others and is not visible to unauthorized inspection or execution. If a file bundle received by the system contains metadata concerning the context of the file or its execution, the metadata is decrypted if necessary. If the file bundle containing the executable code is encrypted, its key is stored in a policy server to await adjudication of the request to execute. If the policy server allows execution of the executable code, the key stored in the policy server is used to decrypt the file bundle and the resulting executable code is stored as a trusted application in secure memory. Future requests to execute the trusted application are adjudicated by the policy server and enforced by the exclusive policy execution point associated with that trusted application in secure memory.

Abstract: Systems and methods are described for utilizing a secure environment on a mobile computing device for applying policy-based decision management in response to access requests from untrusted areas. A policy decision processor (PDP) within the secure environment provides a policy decision in response to an access query. A decision cache within the secure environment can be used to store policy decisions for faster resolution of access requests. Policy enforcement points (PEPs) are placed between external devices that are trying to access the device and the secured environment, where the PEPs are used to enforce the policy-based decision, and can be located either inside or outside the secure environment. Decision certificates can be formulated using validity information and timestamps, and used for validation policy certificates. Memory in non-secure areas can also be marked (colored) for use in performing trusted operations in order to optimize system resource usage.

Abstract: A system and method for policy-based active Data Loss Prevention (DLP) using a two-step process to first determine if an attempt to access a data object is governed by DLP policy, and if so, then applying the DLP policy to either allow or deny access. Attempts by an agent to access, create, modify, or distribute a data object are trapped by a policy execution point. A first query determines if DLP policies govern that access request. If they do, then the metadata is decrypted to form a second query to a policy decision point to adjudicate the access request. If the access request is allowed, then a second key is provided to decrypt the data object for further processing. The system further provides for the encryption of unencrypted data objects to protect them for all future access queries.

Abstract: A preferred contact group centric interface for a communication device can be used to facilitate communications by a user. The user interface can be arranged to activate from a user's “home page” on the display, from an idle screen that is accessed after a timeout period expires, or any other appropriate mechanism that activates the preferred contact group centric experience. A user selects the preferred contact group from among an array of the user's contacts. Once the contact group is configured, a minimal number of navigation/selection features is necessary to activate any number of communication modes available to the contacts. The contact group is configured such that simple and quick navigation between the contact members is achieved. The contact group can be presented in 2D and 3D arrangements, in any number of list or geometric configurations. A pricing plan can optionally be tied to each member of the contact group.

Abstract: Systems and methods for using Near Field Communications1 (NFC) m\d other short-range wireless communications technologies in mobile device management and security. Uses of NFC devices of both passive and active types are presented herein, as “policy control points” (PCPs) within a policy-based system for mobile handset management, in situations where granular control of handset capabilities is required. Certain location-based, as well as non-location-specific variants of the invention are presented as examples.

Abstract: An autonomous and adaptive method and system for secure, policy-based control of remote and locally controlled computing devices. The invention uses a policy-based access control mechanism to achieve adaptive and dynamic behavior modification based on the context of the local operating environment of the computing device. The modification system assesses the desirability of actions or outcomes as determined by the policy rules and modifies them accordingly, thus altering the behavior of the computing device. The system can utilize a machine learning technique, pattern matching and heuristic evaluation. When applied to the control of robotic and autonomous devices, the system allows the robot to offload adjudication to a remote system and also facilitates cooperative behaviors between robots operating in dynamic environments.

Abstract: A preferred contact group centric interface for a communication device can be used to facilitate communications by a user. The user interface can be arranged to activate from a user's “home page” on the display, from an idle screen that is accessed after a timeout period expires, or any other appropriate mechanism that activates the preferred contact group centric experience. A user selects the preferred contact group from among an array of the user's contacts. Once the contact group is configured, a minimal number of navigation/selection features is necessary to activate any number of communication modes available to the contacts. The contact group is configured such that simple and quick navigation between the contact members is achieved. The contact group can be presented in 2D and 3D arrangements, in any number of list or geometric configurations. A pricing plan can optionally be tied to each member of the contact group.

Abstract: A preferred contact group centric interface for a communication device can be used to facilitate communications by a user. The user interface can be arranged to activate from a user's “home page” on the display, from an idle screen that is accessed after a timeout period expires, or any other appropriate mechanism that activates the preferred contact group centric experience. A user selects the preferred contact group from among an array of the user's contacts. Once the contact group is configured, a minimal number of navigation/selection features is necessary to activate any number of communication modes available to the contacts. The contact group is configured such that simple and quick navigation between the contact members is achieved. The contact group can be presented in 2D and 3D arrangements, in any number of list or geometric configurations. A pricing plan can optionally be tied to each member of the contact group.

Abstract: A preferred contact group centric interface for a communication device can be used to facilitate communications by a user. The user interface can be arranged to activate from a user's “home page” on the display, from an idle screen that is accessed after a timeout period expires, or any other appropriate mechanism that activates the preferred contact group centric experience. A user selects the preferred contact group from among an array of the user's contacts. Once the contact group is configured, a minimal number of navigation/selection features is necessary to activate any number of communication modes available to the contacts. The contact group is configured such that simple and quick navigation between the contact members is achieved. The contact group can be presented in 2D and 3D arrangements, in any number of list or geometric configurations. A pricing plan can optionally be tied to each member of the contact group.