Patents by Inventor Scott Field

Scott Field has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20060075464
    Abstract: A facility for setting and revoking policies is provided. The facility receives from a controlling process a request to set a policy on a controlled process, and determines whether the controlling process has privilege to set the policy on the controlled process. If the facility determines that the controlling process has privilege to set the policy on the controlled process, the facility sets the policy on the controlled process, which causes the policy to be applied to the controlled process to determine whether the controlled process has authorization to access one or more resources.
    Type: Application
    Filed: October 1, 2004
    Publication date: April 6, 2006
    Applicant: Microsoft Corporation
    Inventors: Gilad Golan, Mark Vayman, Scott Field
  • Publication number: 20060069521
    Abstract: Systems and methods for analyzing structural test data are disclosed. In one embodiment, a method includes applying a sequence of loads to a test article, receiving raw test data indicative of the applied loads from at least one sensor operatively associated with the test article, receiving predicted test data indicative of the predicted loads on the test article, filtering out invalid test data, cycle counting to pair loads in the test data, performing a first fatigue damage computation based on the raw test data, performing a second fatigue damage computation based on the predicted test data, and comparing the first and second fatigue damage computations. The filtering, cycle counting, and performing of the first and second fatigue damage computations, and the comparison of the first and second fatigue damage computations, may be performed simultaneously using a spreadsheet program.
    Type: Application
    Filed: September 30, 2004
    Publication date: March 30, 2006
    Inventors: Eric Meyer, Scott Fields, Kenneth Knopp, Jeffrey Sermersheim
  • Publication number: 20050262342
    Abstract: The inventive methods and systems provide an approach to protecting unencrypted sensitive information from being paged out to secondary storage, such as a hard disk, during paging operations. In the described embodiment, a key is provided and is maintained in the main memory of a virtual memory system. Measures are taken to protect the key such as page-locking the key in the main memory to ensure that it never gets paged out to the secondary storage. The described key is a desirably large key that is randomly generated by the operating system. When sensitive information is to be placed in the main memory, it is encrypted with the page-locked key. The encrypted sensitive information can then be paged out to secondary storage without concern about its security. When the encrypted sensitive information is needed by a process or application, it is retrieved from secondary storage and decrypted using the page-locked key.
    Type: Application
    Filed: July 26, 2005
    Publication date: November 24, 2005
    Applicant: Microsoft Corporation
    Inventor: Scott Field
  • Publication number: 20050262341
    Abstract: The inventive methods and systems provide an approach to protecting unencrypted sensitive information from being paged out to secondary storage, such as a hard disk, during paging operations. In the described embodiment, a key is provided and is maintained in the main memory of a virtual memory system. Measures are taken to protect the key such as page-locking the key in the main memory to ensure that it never gets paged out to the secondary storage. The described key is a desirably large key that is randomly generated by the operating system. When sensitive information is to be placed in the main memory, it is encrypted with the page-locked key. The encrypted sensitive information can then be paged out to secondary storage without concern about its security. When the encrypted sensitive information is needed by a process or application, it is retrieved from secondary storage and decrypted using the page-locked key.
    Type: Application
    Filed: July 26, 2005
    Publication date: November 24, 2005
    Applicant: Microsoft Corporation
    Inventor: Scott Field
  • Publication number: 20050257208
    Abstract: A facility for applying a software patch is described. Using an automatic patching agent, the facility receives the software patch. In response to receiving the software patch, without user intervention, the facility performs the following acts: First, the facility identifies an instance of an executable module that is currently loaded, and to which the received software patch pertains. Second, the facility applies the received software patch to the identified loaded executable module instance to modify the behavior of the identified executable module instance.
    Type: Application
    Filed: June 30, 2004
    Publication date: November 17, 2005
    Applicant: Microsoft Corporation
    Inventors: Anthony Blumfield, Gilad Golan, Jason Garms, Saud Alshibani, Scott Field
  • Publication number: 20050114688
    Abstract: An operating system copies data from memory pages into a paging file on disk, in order to free up space in the memory. A mechanism is disclosed that causes the data to be encrypted as it is copied into the paging file, thereby protecting the paged data from unauthorized (or otherwise undesired) observation. The data that is stored in the paging file is encrypted with a session key, that is generated shortly after the machine on which the paging file exists is started. The session key, which is used both for encryption and decryption of the paging file data, is stored in volatile memory, so that the key is not persisted across boots of the machine. Since the key is not persisted across boots, old paging file data that was stored prior to the most recent boot cannot be recovered in clear text, thereby protecting the data from observation.
    Type: Application
    Filed: November 25, 2003
    Publication date: May 26, 2005
    Inventors: Benjamin Leis, David Cross, Duncan Bryce, Jianrong Gu, Rajeev Nagar, Scott Field
  • Publication number: 20050111664
    Abstract: A system and method for facilitating BIOS integrated encryption is provided. An interface is defined between the operating system and the BIOS. The operating system employs this interface to provide BIOS code information to facilitate decryption of data that is encrypted on the system. In the pre-operating system boot phase, the BIOS employs the decryption information provided from this interface in order to decrypt the data. The decrypted information can be employed to facilitate secure rebooting of a computer system from hibernate mode and/or secure access to device(s).
    Type: Application
    Filed: November 20, 2003
    Publication date: May 26, 2005
    Inventors: Andrew Ritz, David Cross, Duncan Bryce, James Schwartz, Jianrong Gu, Scott Field
  • Publication number: 20050091487
    Abstract: An encrypted file system (EFS) and an underlying file transfer protocol to permit a client to encrypt, decrypt, and transfer file(s) resident on a server are disclosed. A user at a client computer can open, read, and write to encrypted files, including header information associated with encrypted files, and can add users to or remove users from an encrypted file.
    Type: Application
    Filed: October 24, 2003
    Publication date: April 28, 2005
    Inventors: David Cross, Jainrong Gu, Duncan Bryce, Shishir Pardikar, Pradeep Madhavarapu, Scott Field, Kelvin Yiu
  • Publication number: 20040186127
    Abstract: The present invention provides methods of using compounds having formula (I): 1
    Type: Application
    Filed: January 7, 2004
    Publication date: September 23, 2004
    Applicant: Eisai Co., Ltd.
    Inventors: Jane Daun, Scott Fields, Seiichi Kobayashi
  • Publication number: 20040098615
    Abstract: Systems and related methods enable a web service to map a unique identifier received from a client to the client's user account in a directory service using an authentication protocol and thereby receive permission to access resources for the client in the service's domain or in a distant domain. When the unique identifier is a web service unique identifier (PUID), the PUID is changed to a user principal name (UPN) mappable to the client's user account object in the directory service.
    Type: Application
    Filed: November 16, 2002
    Publication date: May 20, 2004
    Inventors: David R. Mowers, John E. Brezak, Richard B. Ward, Scott A. Field, Todd F. Stecher, Paul J. Leach, Donald E. Schmidt
  • Publication number: 20040034742
    Abstract: A stack allocation system and method is described. In one implementation, an attempt is made to allocate N bytes of data to a stack having a fixed depth. A probe size for the stack is determined. Verification is then made to ascertain whether the probe size and the N bytes of data exceed the fixed depth of the stack, prior to allocating the N bytes of data to the stack. In another implementation, the N bytes of data are allocated to a heap if the probe size and the N bytes of data exceed the fixed depth of the stack.
    Type: Application
    Filed: June 24, 2002
    Publication date: February 19, 2004
    Inventors: Scott A. Field, Jonathan David Schwartz, Clifford P. Van Dyke
  • Publication number: 20030191953
    Abstract: Improved intrusion detection and/or tracking methods and systems are provided for use across various computing devices and networks. Certain methods, for example, form a substantially unique audit identifier during each authentication/logon process. One method includes identifying one or more substantially unique parameters that are associated with the authentication/logon process and encrypting them to form at least one audit identifier that can then be generated and logged by each device involved in the authentication/logon process. The resulting audit log file can then be audited along with similar audit log files from other devices to track a user across multiple platforms.
    Type: Application
    Filed: April 8, 2002
    Publication date: October 9, 2003
    Inventors: Bhalchandra S. Pandit, Praerit Garg, Richard B. Ward, Paul J. Leach, Scott A. Field, Robert P. Reichel, John E. Brezak
  • Publication number: 20030188195
    Abstract: Upon successfully authenticating a client device with a server system, the client device and server system share auto-reconnect data. Upon subsequently losing and re-establishing communications with the server system, the client sends an auto-authenticate request to the server. The auto-authenticate request includes a session verifier that is based at least in part on the shared auto-reconnect data. The server validates the session verifier. If the validation is successful, the server automatically re-authenticates the client device.
    Type: Application
    Filed: April 1, 2002
    Publication date: October 2, 2003
    Inventors: Nadim Y. Abdo, Adam J. Overton, Jason Garms, John E. Parsons, Alvin Loh, Scott A. Field
  • Patent number: 6532542
    Abstract: The invention provides central storage for core data secrets, referred to as data items. The architecture includes a storage server, a plurality of installable storage providers, and one or more authentication providers. Programming interfaces are exposed so that application programs can utilize the services provided by the invention without having to actually implement the features. When storing a data item using the protected storage services, an application program can specify rules that determine when to allow access to the data item. Access can be limited to specified application programs, to certain classes of application programs, or to application programs having certain properties. Such properties for a particular application might include, for example, the publisher of the application and/or the name of the application. These properties might also include properties specified by an authentication certificate associated with the application program.
    Type: Grant
    Filed: November 25, 1997
    Date of Patent: March 11, 2003
    Assignee: Microsoft Corporation
    Inventors: Matthew W. Thomlinson, Scott Field
  • Patent number: 6389535
    Abstract: Described herein is a system for protecting data from unauthorized access. The system uses a central service provider with exposed complementary interfaces: a data protect function that accepts clear data and returns an encrypted representation of the data, and a data unprotect function that accepts encrypted data and returns corresponding clear or unencrypted data. In addition, a user-readable description is optionally packaged with the encrypted data. Different encryption providers can be registered to perform actual encryption and decryption. A default encryption provider performs encryption and decryption based on a user logon secret such as a password. The default encryption provider also accepts additional entropy from calling application programs. The default encryption provider utilizes a multi-level key encryption scheme to minimize the amount of encryption that has to be re-done when the user changes a password.
    Type: Grant
    Filed: October 13, 1998
    Date of Patent: May 14, 2002
    Assignee: Microsoft Corporation
    Inventors: Matthew W. Thomlinson, Scott Field, Allan Cooper
  • Patent number: 6272631
    Abstract: The invention provides central storage for core data secrets, referred to as data items. The architecture includes a storage server, a plurality of installable storage providers, and one or more authentication providers. Programming interfaces are exposed so that application programs can utilize the services provided by the invention without having to actually implement the features. When storing a data item using the protected storage services, an application program can specify rules that determine when to allow access to the data item. Access can, if desired, be limited to the current computer user. Access can similarly be limited to specified application programs or to certain classes of application programs. The storage server authenticates requesting application programs before returning data to them. A default authentication provider authenticates users based on their computer or network logon.
    Type: Grant
    Filed: June 30, 1997
    Date of Patent: August 7, 2001
    Assignee: Microsoft Corporation
    Inventors: Matthew W. Thomlinson, Scott Field, Allan Cooper
  • Patent number: 6253324
    Abstract: Described herein is a method of verifying the integrity of client programs that request services from server programs. The invention includes a step of accepting a request for services from a client program, wherein the client program executes from an executable image in executable memory. In response to such a request, the server program identifies one or more image files on secondary storage corresponding to non-writeable sections of the executable image. The server program then compares the non-writeable sections of the executable image with the corresponding sections of the image files to determine whether the executable image has been altered in the executable memory. The server program provides the requested services only if the executable image of the client program has not been altered.
    Type: Grant
    Filed: December 23, 1997
    Date of Patent: June 26, 2001
    Assignee: Microsoft Corporation
    Inventors: Scott Field, Matthew W. Thomlinson, Allan Cooper
  • Patent number: 6044155
    Abstract: The invention provides central storage for core data secrets, referred to as data items. The data items are encrypted by a client computer using a client key that is derived from a logon secret, such as a password, supplied by a user during a network logon procedure. The client key is escrowed with the participation of a network supervisory computer such as a domain controller. The client sends the client key to the domain controller. The domain controller appends a user identification corresponding to the currently authenticated user of the client computer, and encrypts the resulting combination. The encrypted combination is sent back to and stored locally by the client. To recover the client key, the encrypted combination is sent to the domain controller, which decrypts the combination to obtain the data item. However, the data item is returned to the client computer only if the decrypted user identification corresponds to the currently authenticated user of the client computer.
    Type: Grant
    Filed: December 23, 1997
    Date of Patent: March 28, 2000
    Assignee: Microsoft Corporation
    Inventors: Matthew W. Thomlinson, Scott Field, Allan Cooper
  • Patent number: 5970164
    Abstract: A system and method for diagnosis of living tissue diseases is described. The system includes a computer device for controlling its operation. An operator control device is coupled to the computer device. A viewing screen is coupled to the computer device for displaying digitized images of the living tissue. The operator, using the control device, selects desired portions of the digitized image for further image enhancement according to a desired image enhancement feature selectable from a plurality of image enhancement features. The image enhancement features include any combination of grey scale stretching, contrast enhancement based on logarithmic histogram equalization, spot enhancement and magnification. The system further includes means for visualization and quantification of micro-calcifications, and means for visualization and quantification of mass spiculations.
    Type: Grant
    Filed: February 21, 1997
    Date of Patent: October 19, 1999
    Assignee: SophisView Technologies, Ltd.
    Inventors: Philippe Bamberger, Isaac Leichter, Scott Fields, Yuriy Alexandrov, Vlad Mendelevich
  • Patent number: 5946407
    Abstract: A system and method for diagnosis of living tissue diseases is described. The system includes a computer device for controlling its operation. An operator control device is coupled to the computer device. A viewing screen is coupled to the computer device for displaying digitized images of the living tissue. The operator, using the control device, selects desired portions of the digitized image for further image enhancement according to a desired image enhancement feature selectable from a plurality of image enhancement features. The image enhancement features include any combination of grey scale stretching, contrast enhancement based on logarithmic histogram equalization, spot enhancement and magnification. The system further includes means for visualization and quantification of micro-calcifications, and means for visualization and quantification of mass spiculations.
    Type: Grant
    Filed: March 6, 1997
    Date of Patent: August 31, 1999
    Inventors: Philippe Bamberger, Isaac Leichter, Scott Fields