Security Kernel Or Utility Patents (Class 713/164)
  • Patent number: 9870311
    Abstract: The disclosure is generally directed towards automatically generating a mock object from a description of a real object, such as for use in testing. Mock object generation logic parses the description to determine interface(s) of the real object, which are replicated in the mock object, and to determine method(s) of the real object, which are simulated in the mock object. The mock object generation logic may generate a description of the mock object that is then compiled into the mock object for execution. Data types may be validated so that the arguments and/or return values from the mock object meet the expectations of a calling object.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: January 16, 2018
    Assignee: HOME BOX OFFICE, INC.
    Inventor: Brendan Joseph Clark
  • Patent number: 9871800
    Abstract: In accordance with an embodiment, described herein is a system and method for providing application security in a cloud computing or other environment. A plurality of hot-spot configurations define API usages which, for security reasons, are of interest to be monitored at runtime, such as invocations of particular methods that are likely to be used to attempt unauthorized access. Upon a user application being received for deployment to the cloud environment, an application compiler determines, for API usages expressed as method invocations within the source code of the application, one or more hot-spot configurations and associated policies or actions. The application compiler can then inject the user application to provide a security manager that, during runtime, monitors the methods and values invoked, and communicates with one or more security extensions to grant or deny access.
    Type: Grant
    Filed: January 30, 2015
    Date of Patent: January 16, 2018
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Velmurugan Subramanian, Nilesh Junnarkar
  • Patent number: 9866548
    Abstract: Embodiments generally relate to out-of-band management of a computing system. The present technology discloses enable a primary service controller to provide a centralized configuration of multiple secondary service controllers so that they can share a same configuration. It can utilize an authentication-free protocol to modify and manage credentials for a large number of service controllers.
    Type: Grant
    Filed: April 14, 2015
    Date of Patent: January 9, 2018
    Assignee: QUANTA COMPUTER INC.
    Inventor: Ching-Chih Shih
  • Patent number: 9864878
    Abstract: A computer implemented method includes generating, by a processor, a first event record in response to an event being performed by a computer; and generating, by the processor, a second event record in response to the first event record being generated, wherein the second event record comprises a signature corresponding to the first event record.
    Type: Grant
    Filed: July 27, 2015
    Date of Patent: January 9, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Anthony T. Sofia, Peter G. Sutton
  • Patent number: 9853996
    Abstract: A system and method for identifying and preventing malicious application programming interface attacks is configured to, during a learning stage: monitor all requests sent to and from the server API; identify one or more first characteristic data points of each request and response sent during the learning stage; and determine, based at least in part on the identified one or more first characteristic data points, one or more characteristic data models, wherein a characteristic data model represents at least one of an expected input to the API and an expected output of the API; and during a protection stage: monitor all requests sent to and from the server API; identify one or more second characteristic data points of each request and response sent during the protection stage; and one of validate and invalidate the identified one or more second characteristic data points against the one or more characteristic data models.
    Type: Grant
    Filed: April 13, 2016
    Date of Patent: December 26, 2017
    Assignee: SECFUL, INC.
    Inventors: Roey Eliyahu, Omer Sadika
  • Patent number: 9852001
    Abstract: Techniques are disclosed for controlling and managing virtual machines and other such virtual systems. VM execution approval is based on compliance with policies controlling various aspects of VM. The techniques can be employed to benefit all virtual environments, such as virtual machines, virtual appliances, and virtual applications. For ease of discussion herein, assume that a virtual machine (VM) represents each of these environments. In one particular embodiment, a systems management partition (SMP) is created inside the VM to provide a persistent and resilient storage for management information (e.g., logical and physical VM metadata). The SMP can also be used as a staging area for installing additional content or agentry on the VM when the VM is executed. Remote storage of management information can also be used. The VM management information can then be made available for pre-execution processing, including policy-based compliance testing.
    Type: Grant
    Filed: October 26, 2015
    Date of Patent: December 26, 2017
    Assignee: ManageIQ, Inc.
    Inventors: Joseph Fitzgerald, Oleg Barenboim
  • Patent number: 9846781
    Abstract: Example embodiments disclosed herein relate to unused parameters. A request to a web page of an application under test is made. It is determined whether the web page includes one or more unused parameter fields. Another request to the web page of the application under test is made using one or more parameters corresponding to the unused parameter fields.
    Type: Grant
    Filed: April 19, 2013
    Date of Patent: December 19, 2017
    Assignee: EntIT Software LLC
    Inventors: Nidhi GovindRam Kejriwal, Ronald Joseph Sechman, Sasi Siddharth Muthurajan
  • Patent number: 9843453
    Abstract: A method for authorizing I/O (input/output) commands in a storage cluster is provided. The method includes generating a token responsive to an authority initiating an I/O command, wherein the token is specific to assignment of the authority and a storage node of the storage cluster. The method includes verifying the I/O command using the token, wherein the token includes a signature confirming validity of the token and wherein the token is revocable.
    Type: Grant
    Filed: October 23, 2015
    Date of Patent: December 12, 2017
    Assignee: Pure Storage, Inc.
    Inventors: John Hayes, Robert Lee
  • Patent number: 9843451
    Abstract: An electronic device includes a memory configured to store a lab certificate, a code authentication certificate and the executable code. The electronic device also includes a processor associated with a unique device identifier. For a first operational condition of the plurality of operational conditions, the processor is configured to: retrieve the code authentication certificate associated with the executable code; determine that a valid lab certificate is present in the memory; authenticate the code authentication certificate by determining that the code authentication certificate is signed with a private developer key and that the signature is valid; and execute the executable code on the electronic device responsive to determining that the lab certificate is valid and authenticating the code authentication certificate.
    Type: Grant
    Filed: October 30, 2014
    Date of Patent: December 12, 2017
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Ellis A. Pinder, Thomas S. Messerges
  • Patent number: 9836286
    Abstract: A computer program product according to some embodiments causes a processor to perform operations including disassembling executable code of an application program to provide disassembled code, identifying first wrapping code in the disassembled code, receiving second wrapping code, generating a consolidated application wrapper that manages operation of both the first wrapping code and the second wrapping code, inserting the second wrapping code and the consolidated application wrapper into the disassembled code to form modified disassembled code, and assembling the modified disassembled code to form modified executable code.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: December 5, 2017
    Assignee: CA, INC.
    Inventor: Vikrant Nandakumar
  • Patent number: 9838424
    Abstract: Techniques to contain lateral movement of attackers through just-in-time (JIT) provisioned accounts comprising an account management component to receive a request from a first account via a client device for a second account to access a server device in a set of server devices, an account authorization component to authorize the request for the second account based at least partially on account information associated with the first account, an account provisioning component to provision the second account to enable a client to access the server device, and an account notification component to provide account information associated with the second account to a client via the client device. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 20, 2014
    Date of Patent: December 5, 2017
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Shane Brady, Siddhartha Mathur, Rajalakshmi Dani, Santosh Kumar, Luke Schoen, David Hetherington
  • Patent number: 9832015
    Abstract: Both end-to-end security and traffic visibility may be achieved by a system using a controller that derives a cryptographic key that is different for each client based on a derivation key and a client identifier that is conveyed in each data packet. The controller distributes the derivation key to information technology monitoring devices and a server to provide traffic visibility. For large key sizes, the key may be derived using a derivation formula as follows: client_key_MSB=AES128(base_key_1, client_ID),??(1) client_key_LSB=AES128(base_key_2, client_ID+pad), and??(2) client_key=client_key_MSB?client_key_LSB, where (1) and (2) are executed in parallel. The client key and a client identifier may be used so that end-to-end security may be achieved.
    Type: Grant
    Filed: December 1, 2014
    Date of Patent: November 28, 2017
    Assignee: Intel Corporation
    Inventors: Men Long, Jesse Walker, Karanvir S Grewal
  • Patent number: 9819650
    Abstract: A system and method for homomorphic encryption in a healthcare network environment is provided and includes receiving digital data over the healthcare network at a data custodian server in a plurality of formats from various data sources, encrypting the data according to a homomorphic encryption scheme, receiving a query at the data custodian server from a data consumer device concerning a portion of the encrypted data, initiating a secure homomorphic work session between the data custodian server and the data consumer device, generating a homomorphic work space associated with the homomorphic work session, compiling, by the data custodian server, a results set satisfying the query, loading the results set into the homomorphic work space, and building an application programming interface (API) compatible with the results set, the API facilitating encrypted analysis on the results set in the homomorphic work space.
    Type: Grant
    Filed: July 21, 2015
    Date of Patent: November 14, 2017
    Assignee: NANTHEALTH, INC.
    Inventors: Patrick Soon-Shiong, Harsh Kupwade-Patil, Ravi Seshadri, Nicholas J. Witchey
  • Patent number: 9807129
    Abstract: A logical communication path is provided between a target virtual machine (VM) and a host or application communicating with the VM. The target VM runs on a hypervisor host that has a hypervisor and a proxy agent. The hypervisor manages execution of the VM. A mapping is maintained indicating which VMs execute on which hosts. When the host or application is to send a message or packet to the target VM, the mapping is consulted and the hypervisor host hosting the target VM is identified. The message or packet, which may identify the target VM, is transmitted to the hypervisor host. A proxy agent at the hypervisor host selects a communication channel between the hypervisor and the target VM. The hypervisor then passes the message or packet through the selected channel to the target VM.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: October 31, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Robert Fries, Srivatsan Parthasarathy, Ashvinkumar Sanghvi, Aravind Ramarathinam, Michael Grier
  • Patent number: 9800618
    Abstract: A client-side user agent operates in conjunction with an identity selector to institute and exercise privacy control management over user identities managed by the identity selector. The user agent includes the combination of a privacy enforcement engine, a storage of rulesets expressing user privacy preferences, and a preference editor. The editor enables the user to direct the composition of privacy preferences relative to user identities. The preferences can be applied to individual cards and to categorized groups of attributes. The engine evaluates the proper rulesets against the privacy policy of a service provider. The privacy preferences used by the engine are determined on the basis of specifications in a security policy indicating the attribute requirements for claims that purport to satisfy the security policy.
    Type: Grant
    Filed: May 9, 2016
    Date of Patent: October 24, 2017
    Assignee: Open Invention Network LLC
    Inventor: Gail-Joon Ahn
  • Patent number: 9798678
    Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system includes one or more processing units sharing the storage. Each of the processing units has at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key, data transferred between its processor cache and the storage, when data relates to the protected section used by the hypervisor; and each processing unit respectively encrypts or decrypts, with a virtual machine key, data transferred between its processor cache and the storage, when data relates to storage areas used by a virtual machine.
    Type: Grant
    Filed: April 2, 2015
    Date of Patent: October 24, 2017
    Assignee: International Business Machines Corporation
    Inventors: Christine Axnix, Ute Gaertner, Jakob C. Lang, Angel Nunez Mencias
  • Patent number: 9800688
    Abstract: Embodiments include processes, systems, and devices for initiating proximity actions upon the activation of a proximity connection. A proximity service receives an indication from a proximity provider that a proximity connection is established, and then determines a joint proximity context of the proximity connection. The proximity service then initiates a proximity action to facilitate a proximity function indicated by the joint proximity context. Joint proximity contexts include indications that an application has queued content to be shared with a proximity device, that an application has registered to publish messages on a namespace, that an application has subscribed to messages on a namespace, that an application has registered to find a peer application on a proximity device to enable multi-user collaboration, and that a device seeks to pair with another device.
    Type: Grant
    Filed: September 12, 2011
    Date of Patent: October 24, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Marc Christopher Pottier, Max Glenn Morris, Travis J. Martin, Michael N. Loholt, Darren R. Davis, Priya Bhushan Dandawate, Kenton A. Shipley, Khurram M. Zia
  • Patent number: 9785784
    Abstract: A method of operating a host controller interface includes receiving a buffer descriptor including sector information from a main memory, fetching data by using a source address included in the buffer descriptor, selecting one of a plurality of entries included in a security policy table by using the sector information, and determining whether to encrypt the fetched data by using a security policy included in the selected entry.
    Type: Grant
    Filed: August 19, 2015
    Date of Patent: October 10, 2017
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Kwan Ho Kim, Seok Min Kim, Heon Soo Lee
  • Patent number: 9787714
    Abstract: A threat detection system receives links from emails opened in web browsers. The received links are compared with a whitelist of trusted links and blacklisted links associated with security threats. The threat detection system sends trusted identifiers when the received links are identified in the whitelist and sends block identifiers back to the web browsers when the received links are identified in the blacklist. The trusted identifiers cause the web browsers to display a trusted message and the block identifiers cause the web browsers to remove the received link and display a warning message. The threat detection system may receive threat reports for suspected links from employees of a same enterprise and allow an enterprise security administrator to asynchronously update the blacklists and whitelists based on the threat reports received from the enterprise users.
    Type: Grant
    Filed: October 25, 2016
    Date of Patent: October 10, 2017
    Assignee: SALESFORCE.COM, INC.
    Inventor: Timothy Bach
  • Patent number: 9779248
    Abstract: Protecting secured boot secrets while starting an operating system. Embodiments include starting a first operating system using a trusted computing base, protecting a portion of the system memory to prevent access to the portion of the system memory by the first operating system, and storing secured boot secrets in the protected portion of the system memory. Based at least on identifying that a second operating system is to be started to replace the first operating system, embodiments include configuring one or more memory data structures, including code of the second operating system, in the protected portion of the system memory. The protected portion of the system memory is unprotected, while mitigating attacks on the portion of system memory, and processor state is set to execute the code of the second operating system. The second operating system starts using the secured boot secrets stored in the portion of the system memory.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: October 3, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Alain Gefflaut, Andrey Shedel
  • Patent number: 9779032
    Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system includes one or more processing units sharing the storage. Each of the processing units has at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key, data transferred between its processor cache and the storage, when data relates to the protected section used by the hypervisor; and each processing unit respectively encrypts or decrypts, with a virtual machine key, data transferred between its processor cache and the storage, when data relates to storage areas used by a virtual machine.
    Type: Grant
    Filed: November 14, 2015
    Date of Patent: October 3, 2017
    Assignee: International Business Machines Corporation
    Inventors: Christine Axnix, Ute Gaertner, Jakob C. Lang, Angel Nunez Mencias
  • Patent number: 9773117
    Abstract: Reducing risk of data loss by automatically background scanning data to detect a plurality of candidate sensitive data items. For at least some of those candidate sensitive data items that are deemed not to concretely classified as sensitive, a dissolvable encryption is applied to the data item to at least temporarily protect the data item. When the user requests access to the data item, the system determines that the data item has been dissolvably encrypted and that the user is authorized to define the sensitivity of the data item. In response, the user is allowed to direct the system as to whether the data item is to be concretely encrypted (such as if the user was to confirm the data item as sensitive), or whether the dissolvable encryption of the data item is to be dissolved (such as if the user was to confirm the data item as not sensitive).
    Type: Grant
    Filed: June 4, 2014
    Date of Patent: September 26, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Daniel Plastina
  • Patent number: 9772954
    Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system comprises one or more processing units sharing the storage, the processing units each having at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key in the chip cache, data transferred between its processor cache and the protected section, and each processing unit respectively encrypts or decrypts, with a segment key, data transferred between the chip cache and the storage, when data relates to a specific segment of the storage.
    Type: Grant
    Filed: November 14, 2015
    Date of Patent: September 26, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Christine Axnix, Ute Gaertner, Jakob C. Lang, Angel Nunez Mencias
  • Patent number: 9774568
    Abstract: A computer security architecture applies selected rules from among a set of rules defining one or more security policies to a given set of security context parameters to produce security verdicts, each representing whether a certain action requested by a subject entity is permissible. Each security policy is associated with a corresponding communication interface. A plurality of gateway engines are each associated with at least one of the subject entities and dedicated to interfacing with the security server. Each of the gateway engines carries out monitoring of requested actions by the associated subject entity and, for each requested action, identifies a security context. A security policy is determined for the requested action based on a corresponding security context, and a security verdict is obtained via a communication interface corresponding to the applicable security policy.
    Type: Grant
    Filed: January 27, 2016
    Date of Patent: September 26, 2017
    Assignee: AO KASPERSKY LAB
    Inventors: Andrey P. Doukhvalov, Pavel V. Dyakin, Dmitry A. Kulagin, Sergey B. Lungu, Stanislav V. Moiseev
  • Patent number: 9767301
    Abstract: A method, system, and computer usable program product-for context aware data protection are provided. Information about an access context is received in a data processing system. A resource affected by the access context is identified. The identification of the resource may include deriving knowledge about resource by making an inference from a portion of contents of the resource that the access context affects the resource, making an inference that the access context affects a second resource thereby inferring that the resource has to be modified, determining that the access context is relevant to the resource, or a combination thereof. The resource is received. A policy that is applicable to the access context is identified. A part of the resource to modify according to the policy is determined. The part is modified according to the policy and the access context to form a modified resource. The modified resource is transmitted.
    Type: Grant
    Filed: March 6, 2012
    Date of Patent: September 19, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Srinivas Jandhyala, Albee Jhoney, Sridhar R Muppidi, Nataraj Nagaratnam, Atul Saxena
  • Patent number: 9762609
    Abstract: Provided herein are systems and methods for targeted attack protection using predictive sandboxing. In exemplary embodiments, a method includes retrieving a URL from a message of a user and performing a preliminary determination to see if the URL can be discarded if it is not a candidate for sandboxing. The exemplary method includes computing a plurality of selection criteria factors for the URL if the URL passes the preliminary determination, each selection criteria factor having a respective factor threshold. The method can further include determining if any of the selection criteria factors for the URL exceeds the respective factor threshold for the respective selection criteria factor. Based on the determining, if any of the selection criteria factors exceeds the factor threshold for the selection criteria factor, the exemplary method includes automatically placing the URL in a sandbox for analysis.
    Type: Grant
    Filed: January 27, 2017
    Date of Patent: September 12, 2017
    Assignee: Proofpoint, Inc.
    Inventors: Steven Robert Sandke, Bryan Burns
  • Patent number: 9760395
    Abstract: A method for configuring and maintaining external monitoring of one or more instances of a virtual machine within a virtualized computing environment. The method includes a computer processor monitoring a hypervisor. The method further includes a computer processor identifying a first list, wherein the first list is comprised of one or more monitoring templates respectively associated with one or more virtual machine types, and maintaining a second list comprised plurality of provisioned instances of virtual machines, wherein the second list also includes a first information respectively associated with the plurality of provisioned instances of virtual machines. The method further includes a computer processor compiling a third list and transmitting the third list to the monitoring system. The method further includes a computer processor receiving the third list and in response, a computer processor executing one or more monitoring functions based, at least in part, on the third list.
    Type: Grant
    Filed: October 5, 2016
    Date of Patent: September 12, 2017
    Assignee: International Business Machines Corporation
    Inventors: Liam M. Doherty, King-Yan Kwan, Mark A. Shewell, Peter G. Woodward
  • Patent number: 9756069
    Abstract: A virtual machine is used to perform a raw scan for evasive malware on a host computer without requiring an interrupt or restart of a host operating system. An antivirus program installs a raw scanner virtual machine. The raw scanner virtual machine is triggered to scan files and memory for malware. The raw scan results are collected by the antivirus program for analysis, such as for use in generating a report or for removal of malware. The memory and files of the host are mapped to a guest space of the virtual machine.
    Type: Grant
    Filed: January 10, 2014
    Date of Patent: September 5, 2017
    Assignee: TREND MICRO INC.
    Inventors: Yuefeng Li, Qiang Huang, Hu Cao
  • Patent number: 9747381
    Abstract: A processor-executed access manager with an identity management framework receives a first query from a user of a client device connected to a network for a system. The query seeks information as to identity types supported by the system. The access manager responds to the first query with a list of supported identity types. The supported identity types include at least a hardware device, a role, and a user. The list is retrieved from a global configuration data structure in a global data store. The access manager receives a second query from the user for identities of the hardware devices associated with one of the supported identity types. And the access manager responds to the second query with the identity of a specific hardware device, if the user is permitted to access the specific hardware device according to permissions obtained through the global configuration data structure.
    Type: Grant
    Filed: May 4, 2015
    Date of Patent: August 29, 2017
    Assignee: Oracle America, Inc.
    Inventors: Deepa Mahendraker, Aravindan Ranganathan
  • Patent number: 9749498
    Abstract: Content files are isolated in a sandbox as a content isolation environment formed by a secondary user account. Printing is controlled by an agent via a staging file of a secure file type. The agent intercepts print requests (e.g. print start requests and print end requests) in a printing sub-system of an operating system in order to coordinate and securely control printing of the untrusted content file via the intermediate staging file.
    Type: Grant
    Filed: July 19, 2016
    Date of Patent: August 29, 2017
    Assignee: AVECTO LIMITED
    Inventors: Mark James Austin, John Goodridge
  • Patent number: 9729332
    Abstract: An authentication system according to the present disclosure includes a first controller connected to a first server via a first network, a second controller connected to a second server via a second network, and a device. The device compares a next issue date described in a first certificate revocation list acquired from the first controller and an issue date described in a second certificate revocation list acquired from the second controller thereby determining whether the first controller is invalid or not.
    Type: Grant
    Filed: June 1, 2015
    Date of Patent: August 8, 2017
    Assignee: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO., LTD.
    Inventors: Yuji Unagami, Motoji Ohmori, Natsume Matsuzaki, Hideki Matsushima, Tomoyuki Haga, Manabu Maeda, Yoshihiro Ujiie
  • Patent number: 9715462
    Abstract: Protecting contents of storage in a computer system from unauthorized access. The computer system comprises one or more processing units sharing the storage, the processing units each having at least one processor cache. Each processing unit respectively encrypts or decrypts, with a protected section key in the chip cache, data transferred between its processor cache and the protected section, and each processing unit respectively encrypts or decrypts, with a segment key, data transferred between the chip cache and the storage, when data relates to a specific segment of the storage.
    Type: Grant
    Filed: April 2, 2015
    Date of Patent: July 25, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Christine Axnix, Ute Gaertner, Jakob C. Lang, Angel Nunez Mencias
  • Patent number: 9712530
    Abstract: Methods and systems described herein relate to enhancing security on a device by configuring one or more software functions in a trusted zone of a processor using object firewalls, IPC mechanisms, and/or a policy engine.
    Type: Grant
    Filed: January 7, 2013
    Date of Patent: July 18, 2017
    Assignee: OPTIO LABS, INC.
    Inventors: Christopher Jules White, Thomas Charles Clancy III, Brian Dougherty
  • Patent number: 9710671
    Abstract: This disclosure includes techniques for using distributed computing over a network to resolve difficult computational problems. Anonymization of the data allows computing devices in the distributed computing system to solve the computational problem without exposing private aspects of the data. Individual computing devices receive instructions and data that correspond to a piece of a larger computational problem. In one implementation, a user may request a webpage from a web server and receive the webpage along with commands in a scripting language that instructs the user's computer to process a piece of the larger computational problem. The web server may assign the piece of the problem to the user's computer based on processing capabilities of the user's computer. Combining solutions received from multiple distributed computing devices and reversing the anonymization process yields a solution to the computational problem.
    Type: Grant
    Filed: January 2, 2015
    Date of Patent: July 18, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Zachary J. Wiggins
  • Patent number: 9703586
    Abstract: A virtual hard disk drive containing a guest operating system is bound to a source computing device through encryption. When the virtual hard drive is moved to a difference computing device, a virtual machine manager instantiates a virtual machine and causing the virtual machine to boot the operating system from the virtual hard disk drive. Because the guest operating system is encrypted by an encryption device on a source computing device, the virtual machine causing the decryption of the guest operating system with a copy of the key. The virtual hard disk is bound to the target computing device through encryption based on a hardware on the target computing device.
    Type: Grant
    Filed: February 17, 2010
    Date of Patent: July 11, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Son VoBa, Octavian T. Ureche
  • Patent number: 9703950
    Abstract: A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secured software agent is provided for embedding within the abstraction layer forming the operating system. The secured software agent is configured to limit access to the abstraction layer by either blocking loadable kernel modules from loading, blocking writing to the system call table or blocking requests to attach debug utilities to certified applications or kernel components.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: July 11, 2017
    Assignee: IRDETO B.V.
    Inventor: Ron Vandergeest
  • Patent number: 9697353
    Abstract: Disclosed are a method and a device for intercepting a call for a service by an application in an operating system of an electronic apparatus. The method comprises: loading an interception dynamic link library to a process where the service is located; replacing the address of an input/output control function in the process with a first address of the interception dynamic link library; when the application is calling the service, executing the interception dynamic link library based on the first address so as to obtain the name and information of the application as well as the information of the call, and replacing the address of the service to be called comprised in the information of the call with a second address of the interception dynamic link library; and executing processing based on the second address according to the name and/or information of the application. The invention increases the security of the operating system of the electronic apparatus.
    Type: Grant
    Filed: May 30, 2013
    Date of Patent: July 4, 2017
    Assignee: BEIJING QIHOO TECHNOLOGY COMPANY LIMITED
    Inventors: Yi Ding, Yuan Li
  • Patent number: 9690937
    Abstract: A computer-implemented technique provides rules for use in a malicious activity detection system. The technique involves performing evaluation operations on a plurality of malicious activity detection rules. The technique further involves ranking the plurality of malicious activity detection rules in an order based on results of the evaluation operations (e.g., sorting the rules systematically in an order based on measures such as precision, recall, correlation to other rules already in use, etc.). The technique further involves, based on the order of the plurality of malicious activity detection rules, providing a malicious activity detection rule report which recommends a set of malicious activity detection rules of the plurality of malicious activity detection rules for use in the malicious activity detection system.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: June 27, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Zohar Duchin, Alon Kaufman, Alex Zaslavsky, Martin Rosa, Luan Nguyen
  • Patent number: 9692851
    Abstract: Disclosed are methods, apparatus, systems, and computer readable storage media for maintaining anonymity in an online social network. In some implementations, a user can be designated a ghost user with respect to an entity in the online social network. One or more invisibility levels can be determined for the ghost user. Data indicating content to display in accordance with one or more invisibility levels can be generated and provided to a display device configured to display a presentation of the social network feed associated with the entity in a user interface associated with a second user. Also disclosed are methods, apparatus, systems, and computer readable storage media for designating a proxy in an online social network. In some implementations, a first user can be designated as a proxy user of a second user in an online social network with respect to one or more entities within the online social network.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: June 27, 2017
    Assignee: salesforce.com, inc.
    Inventors: Zachary J. Dunn, Joseph M. Olsen
  • Patent number: 9684525
    Abstract: Disclosed are an apparatus and a method for configuring an operating system. An apparatus for configuring an operating system may comprise a system resource management part managing system resources by assigning control permission for system resources which interwork with the operating system to a first domain of the operating system; and a system operation part executing an application program in a second domain of the operating system which is independent from the first domain by utilizing the system resources managed by the system resource management part. Therefore, performance of the operating system may be enhanced at the same time of supporting high security of the operating system so that reliability of the operating system can also be enhanced.
    Type: Grant
    Filed: July 18, 2014
    Date of Patent: June 20, 2017
    Assignee: POSTECH ACADEMY—INDUSTRY FOUNDATION
    Inventors: Chan Ik Park, Se Jin Park
  • Patent number: 9684790
    Abstract: An apparatus and a method for processing an application in a mobile terminal are provided. The method includes loading, by a bootloader upon system booting, a kernel, determining whether the kernel is modified, creating, when the kernel is modified, kernel verification information indicating a custom kernel, encrypting the kernel verification information, and sending the encrypted kernel verification information, activating, by a kernel handler, the kernel, and receiving the kernel verification information from the bootloader, and forwarding the kernel verification information, decrypting, by a rooting detector, the kernel verification information into kernel status information and delivering the kernel status information when a specified Application Programming Interface (API) is invoked, and invoking, by an application handler, the API when an application is executed and controlling an execution of the application when the kernel status information indicating the custom kernel is received.
    Type: Grant
    Filed: February 19, 2013
    Date of Patent: June 20, 2017
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Yohwa Kim, Hyungchul Jung
  • Patent number: 9684608
    Abstract: Embodiments of an invention for maintaining a secure processing environment across power cycles are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to evict a root version array page entry from a secure cache. The execution unit is to execute the instruction. Execution of the instruction includes generating a blob to contain information to maintain a secure processing environment across a power cycle and storing the blob in a non-volatile memory.
    Type: Grant
    Filed: October 28, 2014
    Date of Patent: June 20, 2017
    Assignee: Intel Corporation
    Inventors: Francis McKeen, Vincent Scarlata, Carlos Rozas, Ittai Anati, Vedvyas Shanbhogue
  • Patent number: 9654499
    Abstract: A computer system, method, and computer program product for mitigating TOCTOU attacks, which includes: as processor requesting measurements representing operation of a first process on a host that is untrusted and based on the requesting, obtaining the measurements, which include a checksum that is a result of a second process executing checksum code to verify at least one last branch record on the host. A processor also determined, based on the measurements, whether the first process was compromised.
    Type: Grant
    Filed: June 18, 2015
    Date of Patent: May 16, 2017
    Assignee: Vencore Labs, Inc.
    Inventors: Angelo Sapello, Abhrajit Ghosh, Alexander Poylisher, C. Jason Chiang, Ayumu Kubota, Takashi Matsunaka
  • Patent number: 9633200
    Abstract: A computer-implemented method can include creating a sandbox responsive to a sandbox creation request from a user, wherein the sandbox represents an alternate version of a base version and is accessible only by the user. The method can also include visually presenting to the user information pertaining to the sandbox and information pertaining to the base version, saving changes to the information pertaining to the sandbox, and publishing the sandbox responsive to a publish request from the user.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: April 25, 2017
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Prasad Kulkarni, Manish Kamalkishor Daga
  • Patent number: 9626302
    Abstract: Encryption of virtual disc image is accomplished by increasing the size of a virtual disc to support the inclusion of a master boot record and a decryption program. Encrypting portions of a virtual disc image on the virtual disc, but leaving the boot record and decryption program unencrypted and accessible, where the decryption program will decrypt the encrypted portions if the appropriate cryptographic key is supplied. Subsequent decryption is accomplished by initiating a boot sequence through the master boot record, receiving the appropriate cryptographic key, appropriately ordering the decrypted disc image.
    Type: Grant
    Filed: October 22, 2015
    Date of Patent: April 18, 2017
    Assignee: International Business Machines Corporation
    Inventors: Claudio Marinelli, Luigi Pichetti, Jacques Fontignie, Marc V. Stueckelberg
  • Patent number: 9626205
    Abstract: Aspects of the present disclosure are directed to methods and systems of hypervisor driven embedded endpoint security monitoring. A computer implemented method may include providing one or more computer processors configured to operate a bare-metal hypervisor; launching a user OS virtual machine operatively connected to the hypervisor; launching a security virtual machine operatively connected to the hypervisor and receiving data from the security virtual machine via the hypervisor; and receiving data representative of security information from the computer processor processed by the security virtual machine. The hypervisor may include using a virtual switch for providing communications between the user OS virtual machine and the security virtual machine. The method may include using the security virtual machine to monitor malware on the user OS virtual machine.
    Type: Grant
    Filed: August 14, 2013
    Date of Patent: April 18, 2017
    Assignee: Bank of America Corporation
    Inventor: Sounil Yu
  • Patent number: 9628496
    Abstract: In the present invention, a control section of a CRM server performs editing processing for TPO (the time, the place, and the occasion) requirements. Next, a control section of a TPO server registers the TPO requirements in order to convert the same to TPO definitions. Then, the control section performs setting processing for the TPO definitions. A portable terminal identifies the current location and the current time. Then, a control section verifies TPO definition state transitioning. If transitioning of the TPO definition state is detected, the control section performs TPO definition state transition notification processing. The control section of the portable terminal performs individual control processing on the basis of the TPO definitions.
    Type: Grant
    Filed: August 7, 2012
    Date of Patent: April 18, 2017
    Assignee: Mizuho Information & Research Institute, Inc.
    Inventor: Atsushi Tomoeda
  • Patent number: 9619649
    Abstract: The disclosed computer-implemented method for detecting potentially malicious applications may include (1) detecting a request issued by an application running on a client device to download a file from a remote device, (2) determining that the request calls an application programming interface that enables the client device to download the file from the remote device, (3) determining that a parameter passed to the application programming interface in the request has been implicated in a previous attempt to download a known malicious file, and then in response to determining that the parameter has been implicated in a previous attempt to download a known malicious file, (4) classifying the application that issued the request as potentially malicious. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 13, 2015
    Date of Patent: April 11, 2017
    Assignee: Symantec Corporation
    Inventor: James Yun
  • Patent number: 9602503
    Abstract: A method executes at an authentication server. The method receives a request from a shared user device. The request seeks access to personal information that is associated with a user and stored at a resource server. The method receives access authentication information from a personal user device and creates an access token that grants access privileges to the personal information associated with the user. The method provides the access token to the shared user device. The method receives from the personal user device a command to revoke access privileges associated with the access token. When the method receives a validation request from the resource server, including the access token, the method determines that access privileges associated with the access token have been revoked. The method then notifies the resource server that the validation request failed, thereby preventing access to the personal information by the shared user device.
    Type: Grant
    Filed: November 23, 2015
    Date of Patent: March 21, 2017
    Assignee: GOOGLE INC.
    Inventors: Paul Saxman, J. Leslie Vogel
  • Patent number: 9596264
    Abstract: Provided herein are systems and methods for targeted attack protection using predictive sandboxing. In exemplary embodiments, a method includes retrieving a URL from a message of a user and performing a preliminary determination to see if the URL can be discarded if it is not a candidate for sandboxing. The exemplary method includes computing a plurality of selection criteria factors for the URL if the URL passes the preliminary determination, each selection criteria factor having a respective factor threshold. The method can further include determining if any of the selection criteria factors for the URL exceeds the respective factor threshold for the respective selection criteria factor. Based on the determining, if any of the selection criteria factors exceeds the factor threshold for the selection criteria factor, the exemplary method automatically processes the URL using a sandbox.
    Type: Grant
    Filed: February 18, 2015
    Date of Patent: March 14, 2017
    Assignee: Proofpoint, Inc.
    Inventors: Steven Robert Sandke, Bryan Burns