Abstract: An access control system and method includes a risk index module which computes a risk index for a dimension contributing to risk. A boundary range defined for a parameter representing each risk index such that the parameter above the range is unacceptable, below the range is acceptable and in the range is acceptable with mitigation measures. A mitigation module determines the mitigation measures which reduce the parameter within the range by mapping the effectiveness of performing the mitigation measures to determine a residual risk after a mitigation measure has been implemented.

Abstract: A scheme for protecting policy state information during the lifetime of a virtual machine is presented. In order to protect and preserve the policy state information of the virtual machine, a process creates a source policy, a mapping policy, and a binary policy. These policies are all different representations of a security policy. The different policy representations are chained together via cryptographic hashes.

Abstract: An access control system and method includes a risk index module which computes a risk index for a dimension contributing to risk. A boundary range defined for a parameter representing each risk index such that the parameter above the range is unacceptable, below the range is acceptable and in the range is acceptable with mitigation measures. A mitigation module determines the mitigation measures which reduce the parameter within the range.

Abstract: An access control system and method includes a risk index module which computes a risk index for a dimension contributing to risk. A boundary range defined for a parameter representing each risk index such that the parameter above the range is unacceptable, below the range is acceptable and in the range is acceptable with mitigation measures. A mitigation module determines the mitigation measures which reduce the parameter within the range.

Abstract: A method and system for performing interprocess communications (IPCs). The method comprises the steps of receiving IPC requests, where each of the IPC requests identifies a source and a destination; building IPCs in response to the request: transmitting the IPCs from the sources to the destinations; and intercepting and examining selected ones of the IPCs. The method comprises the further step of controlling the synchrony of the IPCs so that each IPC appears to its source and destination to be implemented according to the same semantics regardless of whether the IPC is intercepted and examined. With the preferred embodiment of this invention, the system monitors are considered as an extension of the system kernel (although they may be linked into the kernel and run in kernel mode as well), so the source and destination are treated as if the kernel is still processing the IPC. Thus, the desired. semantics of communication can be implemented in the monitors.

Abstract: A mechanism for inter-process communication (IPC) redirection is defined that enables flexible and dynamic management of IPC paths. In some cases, it is desirable to interpose a process on a communication channel. There are a number of uses of such interposition, ranging from auditing communication to capturing requests for a debugger to authorizing operations expressed in the communication. Prior IPC mechanisms typically do not enable dynamic and flexible interposition. Either interposition is ingrained in the process identity or is done in an ad hoc manner (e.g., by inserting code into the kernel). An IPC mechanism is defined that enables a communication from a source to a destination to be arbitrarily redirected. Services, called redirection controllers, are defined that are able to specify the redirections for IPC paths.

Abstract: A server complex including at least one hit server with item cache, used to process read and write operations relating to cached items from clients, and at least one miss server, serving as a link to other servers (e.g., web servers, file system servers, and databases) for receiving requests relayed from the hit server(s) which relate to non-cached items and for responding to same. The hit server is a general-purpose, generic, component, which is independent of concrete applications and is basically responsible for the performance; while a miss server is a highly-customizable component, which is responsible for flexibility, and is application specific. The inventive architecture provides improved performance whereby a server complex achieves exceptionally high throughput rates for local services (i.e.

Abstract: A cache system in accordance with the present invention consists of one or more cache components and a set of one or more consistency-replacement functions. A cache component caches one or more items in its one or more cache entries. Items that hit in the cache can result in corresponding cache entries being read or written. Any valid entry in a cache component includes status information reflecting whether the entry has been accessed and whether it has been modified, and is linked to a consistency-action matrix that, in correspondence with the entry's status information and access type (i.e. read or write), determines what consistency action has to be executed in conjunction with the current entry access. Consistency actions and the consistency-action matrix are the inventive mechanisms for implementing cache-coherency and cache-replacement policies. Any valid entry in a cache is linked to a consistency-replacement function that implements one or more consistency and/or replacement policies.

Abstract: A dynamic derivation mechanism is defined which enables limited permissions to be dynamically and flexibly derived for executables based upon their authenticated description. The dynamic derivation mechanism uses the authenticated description to determine the maximal permissions that individual principals can delegate to the content. A principal's maximal permissions for content define a superset of the rights that that principal will actually delegate to that content. Although the maximal permissions are derived from predefined specifications, the specifications can be sensitive to runtime state on the downloader's system or previous delegations to enable the dynamic (i.e., runtime) derivation. Multiple principals can delegate a subset of their maximal permissions for the executable content. The mechanism uses policy for combining the delegated permissions into the content's runtime permissions.

Abstract: A cache system in accordance with the present invention consists of one or more cache components and a set of one or more consistency-replacement functions. A cache component caches one or more items in its one or more cache entries. Items that hit in the cache can result in corresponding cache entries being read or written. Any valid entry in a cache component includes status information reflecting whether the entry has been accessed and whether it has been modified, and is linked to a consistency-action matrix that, in correspondence with the entry's status information and access type (i.e. read or write), determines what consistency action has to be executed in conjunction with the current entry access. consistency actions and the consistency-action matrix are the inventive mechanisms for implementing cache-coherency and cache-replacement policies. Any valid entry in a cache is linked to a consistency-replacement function that implements one or more consistency and/or replacement policies.