Abstract: System and methods for effecting communications between a trusted management process and one or more managed processes in a distributed computing environment where direct communications between processes via a data communications network is blocked by a firewall or other security system. The method includes a file server that is accessible to all communicating processes. The file server provides a secure mailbox for each managed process. The mailbox is used to hold messages that are stored as individual files. The management and managed processes communicate by writing and reading files in the mailbox of the managed process. The stateless manner of the message-based communications makes it easy to replicate the management process in order to provide scalability and fault-tolerance for the management functions.

Abstract: System and methods for effecting communications between a trusted management process and one or more managed processes in a distributed computing environment where direct communications between processes via a data communications network is blocked by a firewall or other security system. The method includes a file server that is accessible to all communicating processes. The file server provides a secure mailbox for each managed process. The mailbox is used to hold messages that are stored as individual files. The management and managed processes communicate by writing and reading files in the mailbox of the managed process. The stateless manner of the message-based communications makes it easy to replicate the management process in order to provide scalability and fault-tolerance for the management functions.

Abstract: Systems and methods for migrating a server image between any physical, virtual, and cloud servers. The system includes a deploy agent that is run on the target server, a migration manager to control operations, an image library for optional long-term storage of the image, and mailbox-based communications mechanism to support management operations spanning multiple data centers and firewalls. While deploying an image to the target server, the deploy agent automatically adjusts the image to account for changes in server hardware, storage layout, and network infrastructure to ensure that any applications within the image continue to function properly.

Abstract: In one embodiment, the present invention is related to a computer system including compartments implemented on an operating system. A database contains access rules with the access rules defining which compartments are authorized to access particular file resources. A kernel module receives a system call to access a file from a user space application belonging to a compartment. A security module determines whether the user space application is authorized to access the file utilizing access rules stored in the database.

Abstract: A method and apparatus for maintaining a secure run-time environment in which arbitrary relationships between the subjects and objects of differing sensitivity labels are defined so as to provide for discrete access between arbitrary, normally incomparable sensitivity labels.

Abstract: Systems and methods for group-based network access control systems are provided. The group-based network access control system includes a software process operating on a computer. The software process is configured to communicate a packet through a group-based network protocol stack to a network interface card that includes an interface attribute. A table of network attributes, associated with a session filter module and a network filter module, compares the network endpoint attribute with the interface attribute in the table of network attributes to determine whether the software process can access the network interface card. Each network endpoint attribute comprises a primary group identifier and a supplemental group identifier list, and each interface attribute comprises a network group list. The method includes the steps of operating a software process that includes a network endpoint attribute.

Abstract: A method and apparatus for maintaining a secure run-time environment in which arbitrary relationships between the subjects and objects of differing sensitivity labels are defined so as to provide for discrete access between arbitrary, normally incomparable sensitivity labels.

Abstract: A system and method are disclosed which enable generation of output that includes collected audit data formatted in a desired manner. Such collected audit data relates to the execution of a routine. In one embodiment, a processor-based system is disclosed that comprises an operating system that includes at least one routine capable of being invoked. The operating system may also operable to collect audit data for invoked operating system routines. The system further comprises software code executable to receive collected audit data and generate output that includes at least a portion of the collected audit data in a desired format that is defined by a template. A library of functions is also disclosed that enable accessing collected audit data, accessing a template, and generating output formatted according to the template.

Abstract: In one embodiment, the present invention is directed to a system and method in which a wrapper function is placed in memory. Additionally, address information is written into an entry of a system call table, said address information being associated with said wrapper function. Further, processing control is transferred to said wrapper function. The wrapper function transfers processing control to a system call routine, retrieves parameters associated with the system call routine, utilizes the parameters to generate audit data, and writes the audit data to a buffer.

Abstract: Systems and methods for group-based network access control systems are provided. The group-based network access control system includes a software process operating on a computer. The software process is configured to communicate a packet through a group-based network protocol stack to a network interface card that includes an interface attribute. A table of network attributes, associated with a session filter module and a network filter module, compares the network endpoint attribute with the interface attribute in the table of network attributes to determine whether the software process can access the network interface card. Each network endpoint attribute comprises a primary group identifier and a supplemental group identifier list, and each interface attribute comprises a network group list. The method includes the steps of operating a software process that includes a network endpoint attribute.