Abstract: Data items such as files or database records associated with particular applications (such as messaging applications and other applications) can be stored in one or more remote locations, such as a cloud storage system, and synchronized with other devices. The remote storage can be configured such that each application executing on a client device can only view data items stored at the remote location to which the application has permission to access. An access manager on each client device enforces application specific access policies. Storage at the remote location can be secured for each application associated with a user or user account, for example, using isolated containers. The cloud storage of data can be anonymized and anonymous group data can be stored in the cloud storage.

Abstract: One embodiment provides for a computer-implemented method comprising receiving a request to compile a set of program instructions coded in a high-level language, the set of program instructions including a pointer to a virtual memory address, the pointer having a pointer encoding including a base address and a length; while compiling the set of program instructions, decoding the base address and length from the pointer, wherein the base address specifies a first boundary for a memory allocation, the length defines a second boundary for the memory allocation and the length is an encoding of a size of the memory allocation; and generating a set of compiled instructions which, when executed, enable access to a physical address associated with a virtual address between the first boundary and the second boundary.

Abstract: One embodiment provides for a computer-implemented method comprising receiving a request to compile a set of program instructions coded in a high-level language, the set of program instructions including a pointer to a virtual memory address, the pointer having a pointer encoding including a base address and a length; while compiling the set of program instructions, decoding the base address and length from the pointer, wherein the base address specifies a first boundary for a memory allocation, the length defines a second boundary for the memory allocation and the length is an encoding of a size of the memory allocation; and generating a set of compiled instructions which, when executed, enable access to a physical address associated with a virtual address between the first boundary and the second boundary.

Abstract: Methods and systems for securely executing untrusted software are described. In one embodiment, two virtual memory mappings are used (one readable/writeable-RW and the other readable/executable-RX). In one embodiment, compiled software is used at run time through pointers to the RX virtual memory space and a compiler causes the storage of the compiled software in the RW virtual memory space through the use of an executable function (e.g. a memory copy like function) stored in an executable only memory region.

Abstract: Methods and systems for securely executing untrusted software are described. In one embodiment, two virtual memory mappings are used (one readable/writeable-RW and the other readable/executable-RX). In one embodiment, compiled software is used at run time through pointers to the RX virtual memory space and a compiler causes the storage of the compiled software in the RW virtual memory space through the use of an executable function (e.g. a memory copy like function) stored in an executable only memory region.

Abstract: Methods and apparatus are disclosed for detecting illegitimate or spoofed links on a web page. Illegitimate links can be detected by receiving a web link that includes link text and a link address, generating normalized link text based upon the link text, wherein characters in the link text that are visually similar are represented by a single normalized character identifier in the normalized text, determining whether the normalized link text is in the format of a link address, and determining that the text is safe when the normalized link text is not in the format of a link address. The techniques disclosed herein further involve determining whether the normalized link text matches the link address, determining that the text is safe when the normalized link text matches the link address, and determining that the text is unsafe when the normalized link text does not match the link address.

Abstract: Methods and apparatus are disclosed for detecting illegitimate or spoofed links on a web page. Illegitimate links can be detected by receiving a web link that includes link text and a link address, generating normalized link text based upon the link text, wherein characters in the link text that are visually similar are represented by a single normalized character identifier in the normalized text, determining whether the normalized link text is in the format of a link address, and determining that the text is safe when the normalized link text is not in the format of a link address. The techniques disclosed herein further involve determining whether the normalized link text matches the link address, determining that the text is safe when the normalized link text matches the link address, and determining that the text is unsafe when the normalized link text does not match the link address.

Abstract: A method, apparatus and machine readable medium are described for managing entitlements on a computing device. For example, one embodiment of a method comprises: loading a first application into a system memory of a computing device; for each library value/symbol pair referenced by the first application, determining whether the first application has a correct entitlement to be linked with the library value/symbol pair; wherein if the application does not have the correct entitlement associated with the library value/symbol pair, then denying linking to the library value/symbol pair and/or linking the application to an alternate library value/symbol pair which does not have the entitlement associated therewith; and if the application has the correct entitlement associated with the library value/symbol pair, then linking the application to the library value/symbol pair with the entitlement in the system memory.

Abstract: Methods and apparatus are disclosed for detecting illegitimate or spoofed links on a web page. Illegitimate links can be detected by receiving a web link that includes link text and a link address, generating normalized link text based upon the link text, wherein characters in the link text that are visually similar are represented by a single normalized character identifier in the normalized text, determining whether the normalized link text is in the format of a link address, and determining that the text is safe when the normalized link text is not in the format of a link address. The techniques disclosed herein further involve determining whether the normalized link text matches the link address, determining that the text is safe when the normalized link text matches the link address, and determining that the text is unsafe when the normalized link text does not match the link address.

Abstract: A method and an apparatus for runtime compilation that generates non-deterministic and unpredictable code to protect against un-trusted code attacks are described. The runtime compilation may be based on heuristic rules without requiring deterministic behavior reduction operations for all the code generated. The heuristic rules may include estimations on, for example, runtime overhead or cost incurred for code protection, amount of code protection required and/or other applicable factors and their relationships.

Abstract: Methods and apparatus are disclosed for detecting illegitimate or spoofed links on a web page. Illegitimate links can be detected by receiving a web link that includes link text and a link address, generating normalized link text based upon the link text, wherein characters in the link text that are visually similar are represented by a single normalized character identifier in the normalized text, determining whether the normalized link text is in the format of a link address, and determining that the text is safe when the normalized link text is not in the format of a link address. The techniques disclosed herein further involve determining whether the normalized link text matches the link address, determining that the text is safe when the normalized link text matches the link address, and determining that the text is unsafe when the normalized link text does not match the link address.

Abstract: A method, apparatus and machine readable medium are described for managing entitlements on a computing device. For example, one embodiment of a method comprises: loading a first application into a system memory of a computing device; for each library value/symbol pair referenced by the first application, determining whether the first application has a correct entitlement to be linked with the library value/symbol pair; wherein if the application does not have the correct entitlement associated with the library value/symbol pair, then denying linking to the library value/symbol pair and/or linking the application to an alternate library value/symbol pair which does not have the entitlement associated therewith; and if the application has the correct entitlement associated with the library value/symbol pair, then linking the application to the library value/symbol pair with the entitlement in the system memory.

Abstract: A method and an apparatus for runtime compilation that generates non-deterministic and unpredictable code to protect against un-trusted code attacks are described. The runtime compilation may be based on heuristic rules without requiring deterministic behavior reduction operations for all the code generated. The heuristic rules may include estimations on, for example, runtime overhead or cost incurred for code protection, amount of code protection required and/or other applicable factors and their relationships.