Patents by Inventor Nir Ben-Zvi

Nir Ben-Zvi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8103592
    Abstract: Upon a first process encountering a triggering device, a second process chooses whether to proxy-execute code corresponding to the triggering device of the first process on behalf of such first process based at least in part on whether a license evaluator of the second process has determined that the first process is to be operated in accordance with the terms and conditions of a corresponding digital license. The license evaluator at least in part performs such determination by running a script corresponding to the triggering device in the code of the first process. Thus, the first process is dependent upon the second process and the license for operation thereof.
    Type: Grant
    Filed: November 14, 2005
    Date of Patent: January 24, 2012
    Assignee: Microsoft Corporation
    Inventors: Andrey Lilikov, Donald H. Rule, Kristjan E. Hatlelid, Nir Ben Zvi
  • Publication number: 20110239293
    Abstract: Described is a technology, such as implemented in an operating system security system, by which a resource's metadata (e.g., including data properties) is evaluated against an audit rule or audit rules associated with that resource (e.g., object). The audit rule may be associated with all such resources corresponding to a resource manager, and/or by a resource-specific audit rule. When a resource is accessed, each audit rule is processed against the metadata to determine whether to generate an audit event for that rule. The audit rule may be in the form of one or more conditional expressions. Audit events may be maintained and queried to obtain audit information for various usage scenarios.
    Type: Application
    Filed: March 24, 2010
    Publication date: September 29, 2011
    Applicant: Microsoft Corporation
    Inventors: Raja Pazhanivel Perumal, Nir Ben-Zvi, Anders Samuelsson, Jeffrey B. Hamblin, Ran Kalach, Ziquan Li, Matthias H. Wollnik, Clyde Law
  • Patent number: 8001596
    Abstract: A method to apply a protection mechanism to a binary object includes using operating system resources to load a binary object from a storage medium along with a manifest and a digital signature. Authentication of the binary object is performed using the digital signature and the manifest is read to determine a category of protection for the binary object. The operating system selects a protection mechanism corresponding to the protection category and injects protection mechanism code, along with the binary object into a binary image on computer RAM. When the binary image is accessed, the protection mechanism executes and either allows full access and functionality to the binary object or prevents proper access and operation of the binary object. The protection mechanisms may be updated independently from the information on the storage medium.
    Type: Grant
    Filed: May 3, 2007
    Date of Patent: August 16, 2011
    Assignee: Microsoft Corporation
    Inventors: Matthias Wollnik, Nir Ben Zvi, Hakki Tunc Bostanci, John Richard McDowell, Aaron Goldsmid
  • Publication number: 20110145393
    Abstract: A method for dynamic reservation of cloud and on-premises resources for software execution is disclosed. The method may be comprised of: receiving the specification for the resources needed for the software, evaluating the availability of resources and reserving the resources for the software. The method may include a protocol to discover, evaluate availability, negotiate terms and create a reservation contract for software execution resources based on the required specification. This can be implemented using resource agent modules that represent available software execution resources (e.g., CPU, memory, storage, network, ...) and reservation agent modules that are used for communicating with the resource agent modules for reserving software execution resources. In addition, monitoring agent modules are used to monitor the actual software execution reservation contract.
    Type: Application
    Filed: December 13, 2009
    Publication date: June 16, 2011
    Inventors: Tami Ben-Zvi, Nir Ben-Zvi
  • Publication number: 20110126281
    Abstract: Described is a technology by which access to a resource is determined by evaluating a resource label of the resource against a user claim of an access request, according to policy decoupled from the resource. The resource may be a file, and the resource label may be obtained by classifying the file into classification properties, such that a change to the file may change its resource label, thereby changing which users have access to the file. The resource label-based access evaluation may be logically combined with a conventional ACL-based access evaluation to determine whether to grant or deny access to the resource.
    Type: Application
    Filed: November 20, 2009
    Publication date: May 26, 2011
    Inventors: Nir Ben-Zvi, Raja Pazhanivel Perumal, Anders Samuelsson, Jeffrey B. Hamblin, Ran Kalach, Ziquan Li, Matthias H. Wollnik, Clyde Law, Paul Adrian Oltean
  • Publication number: 20110119266
    Abstract: A method for documenting and viewing human experiences is disclosed. The method may include enabling people to record experiences starting at a decision that needs to be taken (decision point) and providing the relevant data points for the decision followed by the action taken and the consequences. These consequences can then be further linked to a new experience. Further, this method may allow multiple people to enter their experiences for the same decision point creating a per decision point inclusive repository of the various data points, actions and consequences as experienced by multiple people.
    Type: Application
    Filed: November 14, 2009
    Publication date: May 19, 2011
    Applicant: BTDT INTERNET TECHNOLOGIES LLC
    Inventors: Tami Zipora Ben-Zvi, Nir Ben-Zvi
  • Publication number: 20110099152
    Abstract: Described is caching classification-related metadata for a file in an alternate data stream of that file. When a file is classified (e.g., for data management), the classification properties are cached in association with the file, along with classification-related metadata that indicates the state of the file at the time of caching. The classification-related metadata in the alternate data stream is then useable in determining whether the classification properties are valid and up-to-date when next accessed, or whether the file needs to be reclassified. If the properties are valid and up-to-date, they may be used without requiring the computationally costly steps of reclassification. Also described is using more than one alternate data stream for the cache, and extending the classification-related metadata through a defined extension mechanism.
    Type: Application
    Filed: October 26, 2009
    Publication date: April 28, 2011
    Applicant: Microsoft Corporation
    Inventors: Clyde Law, Paul Adrian Oltean, Ran Kalach, Nir Ben-Zvi, Matthias H. Wollnik
  • Publication number: 20100274750
    Abstract: Described is a technology in which data items (e.g., files) are processed through an extensible data processing pipeline, including a classification pipeline, to facilitate management of the data items based upon their classifications. A discovery module locates data items to process. An independent classification pipeline obtains metadata (properties) associated with each discovered data item, and one or more classifiers classify the data item based on the metadata. An independent policy module applies policy to each data item based upon its classification. Multiple classifiers may be invoked, based upon various criteria. Predefined ordering of the classifiers, authoritative classifiers and/or an aggregation mechanism handle any classification conflicts. Different types of classifiers may be provided, and each classifier may correspond to automatic classification rules; the classifier may directly change a property, (e.g.
    Type: Application
    Filed: April 22, 2009
    Publication date: October 28, 2010
    Applicant: Microsoft Corporation
    Inventors: Paul Adrian Oltean, Clyde Law, Judd Hardy, Nir Ben-Zvi, Ran Kalach
  • Publication number: 20100242397
    Abstract: An assembly (14, 16) for securing two juxtaposed panels (64, 66) to a structure (74), each panel including a joining flange (68, 70) located at, or adjacent to, respective juxtaposed edges thereof. The assembly includes a retaining member (14) having a substantially planar surface (24) supporting at opposite edges thereof respective first flanges (26, 28) and a clamping member (16) having two spaced-apart legs (48, 40) depending from a web (36). Second flanges (46, 48) are each supported on a facing internal surface of a respective one of the legs so as to extend away from the web. Each leg engages a respective exposed surface of an adjacent joining flange, the first and second flanges being oriented in opposite directions so as to interlock when the clamping member is mounted on the retaining member and thereby limit lateral separation of the legs.
    Type: Application
    Filed: June 3, 2008
    Publication date: September 30, 2010
    Applicant: Dan-Pal
    Inventors: Shaul Givoni, Nir Ben-Zvi
  • Patent number: 7788181
    Abstract: Software is governed by a digital license that specifies a certificate that must be present in order for the software (or certain features thereof) to be used. A root authority authorizes a license server to issue certificates that are called for in the digital license for an item of software. The software and the digital license are installed on a machine, and the machine enrolls with the license server to obtain the certificate. When the software is run, an enforcement component evaluates the license to determine what certificate is required, and then evaluates the certificate to determine whether it meets the requirements of a license. If the certificate is invalid, the enforcement component may disable the software, or may disable certain features of the software.
    Type: Grant
    Filed: December 27, 2005
    Date of Patent: August 31, 2010
    Assignee: Microsoft Corporation
    Inventors: Avi Ben-Menahem, Nir Ben-Zvi, Ronald W. Miller
  • Publication number: 20100126099
    Abstract: A panel unit (2) for constructional purposes has at least two joining flanges (10, 12) on opposite surfaces (4, 4) located at, or adjacent to, a common edge of the panel unit, and projecting in mutually opposite directions. Two such panel units (2) may be juxtaposed end to end and secured by a two-part connector (17) having a base portion (18) that is adapted for attaching to a fixed structural element (20) and for anchoring to the flanges (12) on a first surface (4) of the panel units (2), and a cap (19) adapted for anchoring to the flanges (10) on an opposite surface (4) of the panel units (2) and for anchoring to the base portion.
    Type: Application
    Filed: June 12, 2008
    Publication date: May 27, 2010
    Inventor: Nir Ben-Zvi
  • Publication number: 20090327711
    Abstract: Presented is an anti-tampering method that validates and protects specific sections of a binary file. In one embodiment, this method permits a proxy engine to execute (via emulation by a virtual machine) the protected code on behalf of the binary in kernel mode upon successful completion of an integrity check. The integrity check can optionally check only the specific parts of code that the developer wishes to validate. The integrity check can cross binary boundaries. Moreover, the integrity check can be done on a hard drive or in memory. Furthermore, since the encrypted code is executed by the proxy engine in kernel mode, hackers are further deterred from modifying the code. Additionally, a method of creating a protected binary file is described herein.
    Type: Application
    Filed: June 27, 2008
    Publication date: December 31, 2009
    Applicant: Microsoft Corporation
    Inventors: Aaron Goldsmid, Ping Xie, Scott Miller, Nir Ben Zvi, Nathan Jeffrey Ide, Manoj R. Mehta
  • Patent number: 7631100
    Abstract: A system and methods for carrying out point-to-point intracluster communications between hosts is provided. The disclosed system enables communication protocol layer components of hosts within a cluster to continue to operate in a cluster mode while facilitating such point-to-point communications. Initially, address discovery provides the non-cluster mode address for a target host. Thereafter, an initiating/source host issues a message including the non-cluster mode address of the target host. A network load balancing layer, or any other suitable component within the target host, intercepts the message and substitutes a cluster address for the non-cluster mode address within the message destination field before the message is presented to the communication protocol layer of the target host.
    Type: Grant
    Filed: October 7, 2003
    Date of Patent: December 8, 2009
    Assignee: Microsoft Corporation
    Inventors: Nir Ben-Zvi, Sean B. House, Joseph Joy
  • Patent number: 7500245
    Abstract: A mechanism for redirecting a code execution path in a running process. A one-byte interrupt instruction (e.g., INT 3) is inserted into the code path. The interrupt instruction passes control to a kernel handler, which after executing a replacement function, returns to continue executing the process. The replacement function resides in a memory space that is accessible to the kernel handler. The redirection mechanism may be applied without requiring a reboot of the computing device on which the running process is executing. In addition, the redirection mechanism may be applied without overwriting more than one byte in the original code.
    Type: Grant
    Filed: July 8, 2005
    Date of Patent: March 3, 2009
    Assignee: Microsoft Corporation
    Inventor: Nir Ben-Zvi
  • Patent number: 7472252
    Abstract: Multiple virtual addresses map to the same physical location in memory if it has been determined that they are all intended to access the same data. In one embodiment, such virtual addresses are identified, and correspondence information (such as from a translation table) is changed in order to ensure that they all correspond to the same physical location, thus freeing up memory and preventing problems such as undue swapping. A memory request servicer and translation table are used in one embodiment in order to properly respond to two requests, using different virtual addresses, both of which store identical data, by accessing the same location in physical memory. In one embodiment, code rebasing for a code page is only performed if it has not been performed before; if it has, a reference to the already rebased code page is returned. Physical memory which has more than one use (e.g. physical memory referred to by multiple virtual addresses) is designated read-only.
    Type: Grant
    Filed: August 15, 2005
    Date of Patent: December 30, 2008
    Assignee: Microsoft Corporation
    Inventor: Nir Ben-Zvi
  • Publication number: 20080276314
    Abstract: A method to apply a protection mechanism to a binary object includes using operating system resources to load a binary object from a storage medium along with a manifest and a digital signature. Authentication of the binary object is performed using the digital signature and the manifest is read to determine a category of protection for the binary object. The operating system selects a protection mechanism corresponding to the protection category and injects protection mechanism code, along with the binary object into a binary image on computer RAM. When the binary image is accessed, the protection mechanism executes and either allows full access and functionality to the binary object or prevents proper access and operation of the binary object. The protection mechanisms may be updated independently from the information on the storage medium.
    Type: Application
    Filed: May 3, 2007
    Publication date: November 6, 2008
    Applicant: Microsoft Corporation
    Inventors: Matthias Wollnik, Nir Ben-Zvi, Hakki Tunc Bostanci, John Richard McDowell, Aaron Goldsmid
  • Publication number: 20080256631
    Abstract: A method of validating software is disclosed. The method may include receiving, at a first function, a first hash and a first version. The first function may validate a second function according to the first hash and first version. The second function may receive a second hash and a second version, and the second function may validate a third function according to the second hash and second version. The first version and first hash may be stored within the first function, for example. The first version and first hash may be stored within a manifest, for example. In another embodiment, a method of validating software may include storing a plurality of functions and storing a version and hash for each function. Each function may be verified according to the respective version and hash, and each function may verify at least one other function.
    Type: Application
    Filed: April 13, 2007
    Publication date: October 16, 2008
    Applicant: Microsoft Corporation
    Inventor: Nir Ben Zvi
  • Publication number: 20080244445
    Abstract: A method for generating Bursting-messages on the window of a user's Web-terminal while browsing a Web-site. Indication related to the connection of the user to the Web-site is provided. Data that is required for generating a Burst-message on the Web-terminal is sent to the Web-terminal of the identified user and a Burst-message is generated on the Web-terminal using the data. Interaction means are provided to the user in the Burst-message, for the interaction of the user with the Burst-message and/or with the Web-site. The Burst-message may be generated by dynamically writing an HTML layer and/or JavaScript and/or VBScript.
    Type: Application
    Filed: June 6, 2008
    Publication date: October 2, 2008
    Inventors: Gal Trifon, Nir Ben-Zvi, Ofer Zadikario, Hanit Galili, Amir Hardoof, Efraim Cohen
  • Publication number: 20080229115
    Abstract: In an example embodiment, executable files are individually encrypted utilizing a symmetric cryptographic key. For each user to be given access to the obfuscated file, the symmetric cryptographic key is encrypted utilizing a public key of a respective public/private key pair. A different public key/private key pair is utilized for each user. Obfuscated files are formed comprising the encrypted executable files and a respective encrypted symmetric cryptographic key. The private keys of the public/private key pairs are stored on respective smart cards. The smart cards are distributed to the users. When a user wants to invoke the functionality of an obfuscated file, the user provides the private key via his/her smart card. The private key is retrieved and is utilized to decrypt the appropriate portion of the obfuscated file. The symmetric cryptographic key obtained therefrom is utilized to decrypt the encrypted executable file.
    Type: Application
    Filed: March 16, 2007
    Publication date: September 18, 2008
    Applicant: Microsoft Corporation
    Inventors: Matthias Hermann Wollnik, Nir Ben-Zvi, Aaron Goldsmid, Hakki Tunc Bostanci, Karan Singh Dhillon, Nathan Jeffrey Ide, John Richard McDowell, David John Linsley
  • Patent number: 7380269
    Abstract: A mechanism for redirecting a code execution path in a running process. A one-byte interrupt instruction (e.g., INT 3) is inserted into the code path. The interrupt instruction passes control to a kernel handler, which after executing a replacement function, returns to continue executing the process. The replacement function resides in a memory space that is accessible to the kernel handler. The redirection mechanism may be applied without requiring a reboot of the computing device on which the running process is executing. In addition, the redirection mechanism may be applied without overwriting more than one byte in the original code.
    Type: Grant
    Filed: April 14, 2006
    Date of Patent: May 27, 2008
    Assignee: Microsoft Corporation
    Inventors: Nir Ben Zvi, Kristjan E. Hatlelid, Andrey V. Lelikov