Security Kernel Or Utility Patents (Class 713/164)
  • Patent number: 10356122
    Abstract: A new device for detection and prevention of an attack on a vehicle via its communication channels, having: an input-unit configured to collect real-time and/or offline data from various sources such as sensors, network based services, navigation applications, the vehicle's electronic control units, the vehicle's bus-networks, the vehicle's subsystems, and on board diagnostics; a database, for storing the data; a detection-unit in communication with the input-unit; and an action-unit, in communication with the detection unit, configured for sending an alert via the communication channels and/or prevent the attack, by breaking or changing the attacked communication channels. The detection-unit is configured to simultaneously monitor the content, the meta-data and the physical-data of the data and detect the attack.
    Type: Grant
    Filed: January 10, 2017
    Date of Patent: July 16, 2019
    Assignee: Tower-Sec Ltd.
    Inventors: Guy Ruvio, Saar Dickman, Yuval Weisglass
  • Patent number: 10346320
    Abstract: Applications and users can be restricted from making persistent changes to artifacts on a protected volume. In Windows-based systems that include a file-based write filter, a policy-based write filter can be positioned below the file-based write filter and can examine any write requests that target artifacts of a protected volume and are not redirected by the file-based write filter. The policy-based write filter can examine the write requests against any applicable policies to determine whether the write requests should be allowed to proceed. If the policy-based write filter determines that a write request is not allowed by policy, it can fail the write request to thereby prevent the targeted artifact from being updated in the protected volume.
    Type: Grant
    Filed: January 27, 2017
    Date of Patent: July 9, 2019
    Assignee: WYSE TECHNOLOGY L.L.C.
    Inventors: Salil S Joshi, Puneet Kaushik
  • Patent number: 10348500
    Abstract: Methods and systems for key material management are disclosed. One system can include a virtual machine monitor (VMM) running on a host device and a number of virtual machines (VMs) running on the VMM, wherein the VMM is configured to perform key management to provide access by the number of VMs to key material required for the VMs to perform key management operations.
    Type: Grant
    Filed: May 5, 2016
    Date of Patent: July 9, 2019
    Assignee: Adventium Enterprises, LLC
    Inventor: Steven A. Harp
  • Patent number: 10349274
    Abstract: Aspects of the subject matter described herein relate to a simplified login for mobile devices. In aspects, on a first logon, a mobile device asks a user to enter credentials and a PIN. The credentials and PIN are sent to a server which validates user credentials. If the user credentials are valid, the server encrypts data that includes at least the user credentials and the PIN and sends the encrypted data to the mobile device. In subsequent logons, the user may logon using only the PIN. During login, the mobile device sends the PIN in conjunction with the encrypted data. The server can then decrypt the data and compare the received PIN with the decrypted PIN. If the PINs are equal, the server may grant access to a resource according to the credentials.
    Type: Grant
    Filed: November 27, 2017
    Date of Patent: July 9, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Meir Mendelovich, John Neystadt, Ken Aoyama, Nir Nice, Shay Yehuda Gurman
  • Patent number: 10339006
    Abstract: A method begins by a processing module receiving a checked write slice request from a requesting entity. The method continues by determining that locally stored encoded data slices do not include the requested encoded data slice. The method continues by identifying an alternate location for the requested encoded data slice. The method continues by determining whether the alternate location is associated with storage of the encoded data slice. The method continues when the alternate location is associated with the storage of the encoded data slice, by issuing a favorable checked write slice response to a requesting entity. The method can include facilitating transfer of the requested encoded data slice from the alternate location to the storage unit for storage.
    Type: Grant
    Filed: June 6, 2018
    Date of Patent: July 2, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Asimuddin Kazi, Niall J. McShane, Manish Motwani, Michael J. Niedbala
  • Patent number: 10333990
    Abstract: In embodiments of the present invention improved capabilities are described for the operation of a threat management facility, wherein the threat management facility may provide for a plurality of computer asset protection services to a corporate computer network. The threat management facility may provide a policy management service as one of the plurality of protection services, wherein the policy management service may be adapted to provide corporate policy updates to a plurality of computer facilities associated with the corporate computer network. In addition, the corporate policy updates, and a related corporate policy, may relate to the acceptability of an operation of a computer application.
    Type: Grant
    Filed: December 20, 2017
    Date of Patent: June 25, 2019
    Assignee: Sophos Limited
    Inventor: Richard Jacobs
  • Patent number: 10331890
    Abstract: Systems and methods of disarming malicious code in protected content in a computer system having a processor are provided. The method includes determining that a received input file intended for a recipient is protected, the recipient may be connected to a network; accessing a credential associated with the intended recipient for accessing the protected input file; accessing the content of the protected input file based on the credential; modifying at least a portion of digital values of the content of the input file configuring to disable any malicious code included in the input file, thereby creating a modified input file; and protecting the modified input file based on the credential associated with the intended recipient. The method also includes forwarding the protected modified input file to the intended recipient in the network.
    Type: Grant
    Filed: March 20, 2018
    Date of Patent: June 25, 2019
    Assignee: VOTIRO CYBERSEC LTD.
    Inventor: Aviv Grafi
  • Patent number: 10326795
    Abstract: Techniques to contain lateral movement of attackers through just-in-time (JIT) provisioned accounts comprising an account management component to receive a request from a first account via a client device for a second account to access a server device in a set of server devices, an account authorization component to authorize the request for the second account based at least partially on account information associated with the first account, an account provisioning component to provision the second account to enable a client to access the server device, and an account notification component to provide account information associated with the second account to a client via the client device. Other embodiments are described and claimed.
    Type: Grant
    Filed: November 3, 2017
    Date of Patent: June 18, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Shane Brady, Siddhartha Mathur, Rajalakshmi Dani, Santosh Kumar, Luke Schoen, David Hetherington
  • Patent number: 10311122
    Abstract: Migrating support for a web browsing session between a virtual machine and a host operating system. A web session is supported by a first virtual machine which executes on a computer system. Upon receiving a request for the web session to enter an unprotected mode, support for the web session is migrated from the first virtual machine to a host operating system of the computer system. In unprotected mode, web sessions are supported by the host operating system rather than by a virtual machine. After migrating support for the web session to the host operating system, a visual cue indicating that the unprotected mode is active is displayed. After receiving a request to exit the unprotected mode, support for the web session is migrated from the host operating system to a second virtual machine executing on the computer system and the visual cue is removed.
    Type: Grant
    Filed: August 22, 2014
    Date of Patent: June 4, 2019
    Assignee: Bromium, Inc.
    Inventors: Gaurav Banga, Ian Pratt, Vikram Kapoor, Kiran Bondalapati
  • Patent number: 10305901
    Abstract: A method at an authentication server for multi-factor authentication of an electronic device, the method including receiving at the authentication server a request for authentication of the electronic device; sending information to the electronic device; receiving a response based on the information sent to the electronic device, the response further including an authentication time limit; authenticating the response; and storing the response and time limit upon verification of the response.
    Type: Grant
    Filed: May 6, 2016
    Date of Patent: May 28, 2019
    Assignee: BlackBerry Limited
    Inventor: Adam Justin George Evans
  • Patent number: 10303503
    Abstract: An apparatus and method for hardware protection of a virtual machine monitor (VMM) runtime integrity watcher is described. A set of one or more hardware range registers that protect a contiguous memory space that is to store the VMM runtime integrity watcher. The set of hardware range registers are to protect the VMM runtime integrity watcher from being modified when loaded into the contiguous memory space. The VMM runtime integrity watcher, when executed, performs an integrity check on a VMM during runtime of the VMM.
    Type: Grant
    Filed: February 14, 2017
    Date of Patent: May 28, 2019
    Assignee: Intel Corporation
    Inventors: Shamanna M. Datta, Alberto J. Munoz, Mahesh S. Natu, Scott T. Durrant
  • Patent number: 10298620
    Abstract: Providing streaming of applications from streaming servers onto clients. The applications are contained within isolated environments, and the isolated environments are streamed from the servers onto clients. The system may include the option of running both in on-line and off-line. When on-line, the system may include authentication of the streaming servers and authentication of clients and credentialing of the isolated environments and applications the clients are configured to run. The system may further include encrypted communication between the streaming servers and the clients. When off-line, the system may include the ability to run already installed isolated environments without requiring credentialing. The system may further include a management interface where administrators may add, remove and configure isolated environments, configure client policies and credentials, and force upgrades.
    Type: Grant
    Filed: November 28, 2017
    Date of Patent: May 21, 2019
    Assignee: OPEN INVENTION NETWORK LLC
    Inventor: Allan Havemose
  • Patent number: 10296247
    Abstract: A storage-area network (SAN) system includes one or more storage drives directly connected to a fabric. Each storage drive provisions and operates a drive volume, and creates a security token for the drive volume. The system includes a client computing device directly connected to the fabric, and that executes a SAN software agent to create, mount, and use a logical volume realized by drive volumes of the storage drives. The client computing device accesses each drive volume using the security token for the drive volume. The system includes a SAN manager directly connected to the fabric that manages the drive volumes of the storage drives, manages the logical volume that the SAN software agent operates, receives from each storage drive the security token for the drive volume of the storage drive, and sends the security token for the drive volume of each storage drive to the SAN software agent.
    Type: Grant
    Filed: November 21, 2016
    Date of Patent: May 21, 2019
    Assignee: Lenovo Enterprise Solutions (Singapore) PTE. LTD.
    Inventors: Patrick Leo Caporale, Michael Neil Condict, David W. Cosby, Jonathan Randall Hinkle
  • Patent number: 10289816
    Abstract: A computer implemented method is disclosed for obfuscating an algorithm. The computer-implemented method includes (1) receiving ciphertext input data, and (2) executing obfuscated program instructions using the ciphertext input data and an obfuscation key. The ciphertext input data is based on plaintext input data encrypted using an input encryption key. The obfuscated program instructions are configured for concealing initial program instructions. The initial program instructions are configured for (1) receiving the plaintext input data, (2) providing plaintext output data based on an algorithm, and (3) providing ciphertext output data. The ciphertext output data is configured for decryption to provide the plaintext output data.
    Type: Grant
    Filed: June 8, 2018
    Date of Patent: May 14, 2019
    Assignee: GSFM LLC
    Inventors: Francois Jacques Malassenet, Glenn Daniel Sidle
  • Patent number: 10291648
    Abstract: A system for distributing virtual entity behavior profiling in cloud deployments is disclosed. In particular, the system may include conducting entity behavior profiling closer to where data and data logs are generated, such as at a hypervisor server, in a distributed fashion. By doing so, the system may reduce bandwidth consumption typically associated with transferring data to a central processing system, may be able to use more data collected closer to sources of data generation, and may provide faster reaction times because of the faster processing of data enabled by the system. Additionally, the system may assist with reducing false positives associated with malware detection and other compromises associated with entities by aggregating the results of distributed computations at different sites.
    Type: Grant
    Filed: December 22, 2015
    Date of Patent: May 14, 2019
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Paul Giura, Gustavo de los Reyes
  • Patent number: 10279611
    Abstract: A communication terminal device includes: an application acquisition section that acquires an application prepared to operate an image forming apparatus; an instruction acceptance section that accepts an operation instruction for processing indicated by the application; a processing executing section that makes the application runnable under an operating system of the communication terminal device and executes, in accordance with the application, the processing indicated by the operation instruction accepted by the instruction acceptance section; and a communication section that sends to the image forming apparatus a result of the processing executed by the processing executing section and an operation request.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: May 7, 2019
    Assignee: KYOCERA Document Solutions Inc.
    Inventors: Anthony Olores, Lianney Deleverio, Fernando Dagoc, Jr.
  • Patent number: 10282551
    Abstract: A computing system and method to implement a three-dimensional virtual reality world having user created virtual objects. During the creation of a virtual object, a user of the virtual reality world identifies components and/or resources of the virtual object, such as a mesh model defining the shape of the virtual object, an image specifying the appearance of the virtual object, and a script defining the run time behavior of the virtual object. The computer system examines the components and/or resources during the creation process of the virtual object to detect and/or address security threats and/or performance hurdles. Before the approval of the publication of the virtual object in the virtual world, the computer system performs a simulation of the rendering of the virtual object to detect security threats and evaluate performance impacts.
    Type: Grant
    Filed: May 12, 2017
    Date of Patent: May 7, 2019
    Assignee: LINDEN RESEARCH, INC.
    Inventors: Matthew A. Breindel, Donald N. Kjer, Richard Benjamin Trent Nelson, Avery Lauren Orman, Jeffery Blaine Petersen
  • Patent number: 10275581
    Abstract: A method of a first device and an electronic device are provided. The method includes receiving a request signal related to contents stored in the first device from a second device communicatively coupled to the first device; transmitting the contents to the second device in response to the request signal, wherein the contents are security applied contents; and releasing the security of the contents by authenticating a user related to the contents.
    Type: Grant
    Filed: May 6, 2015
    Date of Patent: April 30, 2019
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Su-Ha Yoon, Su-Young Park, Kwang-Sub Son, In-Chul Lee, Eui-Chang Jung
  • Patent number: 10277408
    Abstract: A method for authorizing I/O (input/output) commands in a storage cluster is provided. The method includes generating a token responsive to an authority initiating an I/O command, wherein the token is specific to assignment of the authority and a storage node of the storage cluster. The method includes verifying the I/O command using the token, wherein the token includes a signature confirming validity of the token and wherein the token is revocable.
    Type: Grant
    Filed: November 9, 2017
    Date of Patent: April 30, 2019
    Assignee: Pure Storage, Inc.
    Inventors: John Hayes, Robert Lee
  • Patent number: 10262124
    Abstract: An individualized software container is provided. The software container may be created by a remote entity. The software container may be located on a computer of a local entity. The software container may provide an entity separation between the local entity and at least one other entity. The software container may encompass a plurality of containers. The software container may communicate with a plurality of other software containers. The plurality of other software containers may be associated with at least one other entity. The software container may host its own database. The software container may include a plurality of security features associated with the remote entity. The software container may include a container-encrypted fingerprint (“CEF”). The CEF may enable encrypted end-to-end connection between the software container and the remote entity. The CEF may leverage fingerprinting and/or tokenization of the software container.
    Type: Grant
    Filed: January 18, 2017
    Date of Patent: April 16, 2019
    Assignee: Bank of America Corporation
    Inventors: Manu Kurian, Mark E. Wenzel, Richard A. Mobley, Gregory Sito, Paul Grayson Roscoe
  • Patent number: 10250595
    Abstract: The invention relates to a method for computer systems based on the ARM processor, for example mobile devices, wherein the ARM processor provides fully hardware isolated runtime environments for an operating system (OS) and Trusted Execution Environment (TEE) including an embedded trusted network security perimeter. The isolation is performed by hardware ARM Security Extensions added to ARMv6 processors and greater and controlled by TrustWall software. The invention therefore comprises an embedded network security perimeter running in TEE on one or more processor cores with dedicated memory and storage and used to secure all external network communications of the host device. The invention addresses network communications control and protection for Rich OS Execution Environments and describes minimal necessary and sufficient actions to prevent unauthorized access to or from external networks.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: April 2, 2019
    Assignee: GBS Laboratories, LLC
    Inventor: Oleksii Surdu
  • Patent number: 10250613
    Abstract: A data access method based on a cloud computing platform, and a user terminal, are provided. The method is performed by a user terminal, and the method includes obtaining an access request for a data ciphertext of the cloud computing platform, the access request including a decryption key, and the decryption key including a user precise identity identifier and a user attribute identifier. The method further includes decrypting the data ciphertext into a data plaintext, in response to the user precise identity identifier belonging to an identity identifier set included in an access structure of the data ciphertext and/or in response to the user attribute identifier belonging to a user attribute identifier set included in the access structure of the data ciphertext.
    Type: Grant
    Filed: May 24, 2016
    Date of Patent: April 2, 2019
    Assignees: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED, Hunan University
    Inventor: Qin Liu
  • Patent number: 10223526
    Abstract: Embodiments relate to a managed application package generator that creates an executables file, a resource file, and a manifest file for a managed application. The executables file comprises an executable for a loader that loads a target application into memory. The resource file comprises a public resource for the target application. The manifest file comprises manifest data for the target application.
    Type: Grant
    Filed: May 21, 2015
    Date of Patent: March 5, 2019
    Assignee: AirWatch LLC
    Inventors: Chaoting Xuan, Erich Stuntebeck
  • Patent number: 10218767
    Abstract: The present disclosure discloses a method, a system and a browser for executing a browser active object. In the present invention, a proxy object is run in a page process and an active object is run in an independent process, so that a true plug-in is separated from the page process. The present invention further discloses an inter-process script execution method, system and browser. The present invention further discloses a browser active object executing method and system, and a browser.
    Type: Grant
    Filed: August 30, 2013
    Date of Patent: February 26, 2019
    Assignee: Beijing Qihoo Technology Company Limited
    Inventors: Jinwei Li, Yuesong He, Zhi Chen, Yu Fu, Ming Li, Huan Ren
  • Patent number: 10216957
    Abstract: Computationally implemented methods and systems include acquiring data regarding an application configured to access one or more protected portions of a particular device, said application configured to provide one or more services, detecting that the application has completed at least one of the one or more services and that the application maintains access to the one or more protected portions of the particular device, presenting information indicating that the one or more services are completed and that the application maintains access to the one or more protected portions of the particular device, and circuitry for facilitating presentation of an option to discontinue the access of the application to the one or more protected portions of the particular device. In addition to the foregoing, other aspects are described in the claims, drawings, and text.
    Type: Grant
    Filed: February 28, 2013
    Date of Patent: February 26, 2019
    Assignee: Elwha LLC
    Inventors: Edward K. Y. Jung, Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud
  • Patent number: 10216648
    Abstract: Embodiments of an invention for maintaining a secure processing environment across power cycles are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to evict a root version array page entry from a secure cache. The execution unit is to execute the instruction. Execution of the instruction includes generating a blob to contain information to maintain a secure processing environment across a power cycle and storing the blob in a non-volatile memory.
    Type: Grant
    Filed: June 2, 2017
    Date of Patent: February 26, 2019
    Assignee: Intel Corporation
    Inventors: Francis X. McKeen, Vincent R. Scarlata, Carlos V. Rozas, Ittai Anati, Vedvyas Shanbhogue
  • Patent number: 10216649
    Abstract: Methods, systems, and computer program products are included for providing one or more additional kernels in a protected kernel environment. A method includes providing, by a hypervisor, a virtual machine that includes a first kernel. A first portion of memory of the virtual machine is allocated for the first kernel and a second portion of memory of the virtual machine is allocated for a second kernel. The virtual machine executes the first kernel. The hypervisor disables access privileges corresponding to the second portion of memory. Execution is transitioned from the first kernel to the second kernel by clearing memory corresponding to the first kernel, enabling access privileges corresponding to the second portion of the memory, and executing the second kernel on the virtual machine.
    Type: Grant
    Filed: February 29, 2016
    Date of Patent: February 26, 2019
    Assignee: RED HAT ISRAEL, LTD.
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Patent number: 10212172
    Abstract: A data access method based on a cloud computing platform, and a user terminal, are provided. The method is performed by a user terminal, and the method includes obtaining an access request for a data ciphertext of the cloud computing platform, the access request including a decryption key, and the decryption key including a user precise identity identifier and a user attribute identifier. The method further includes decrypting the data ciphertext into a data plaintext, in response to the user precise identity identifier belonging to an identity identifier set included in an access structure of the data ciphertext and/or in response to the user attribute identifier belonging to a user attribute identifier set included in the access structure of the data ciphertext.
    Type: Grant
    Filed: May 24, 2016
    Date of Patent: February 19, 2019
    Assignees: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED, Hunan University
    Inventor: Qin Liu
  • Patent number: 10210470
    Abstract: Real time security, integrity, and reliability postures of operational (OT), information (IT), and security (ST) systems, as well as slower changing security and operational blueprint, policies, processes, and rules governing the enterprise security and business risk management process, dynamically evolve and adapt to domain, context, and situational awareness, as well as the controls implemented across the operational and information systems that are controlled. Embodiments of the invention are systematized and pervasively applied across interconnected, interdependent, and diverse operational, information, and security systems to mitigate system-wide business risk, to improve efficiency and effectiveness of business processes and to enhance security control which conventional perimeter, network, or host based control and protection schemes cannot successfully perform.
    Type: Grant
    Filed: April 13, 2017
    Date of Patent: February 19, 2019
    Assignee: Albeado, Inc.
    Inventor: Partha Datta Ray
  • Patent number: 10204223
    Abstract: Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to receive a function call, determine the location of a memory page that initiated the function call, determine if the memory page is associated with a trusted module, and block the function call if the memory page is not associated with the trusted module. In addition, the system can determine the return address for the function call and block the function call if the return address does not belong to the trusted module. Further, the system can determine a parameter for the function call, determine if the parameter is a known parameter used by the process that called the function, and block the function call if the parameter is not the known parameter used by the process that called the function.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: February 12, 2019
    Assignee: McAfee, LLC
    Inventors: Peter Szor, Rachit Mathur
  • Patent number: 10199848
    Abstract: Apparatuses, methods, and systems for enabling higher current charging of Universal Serial Bus (USB) Specification Revision 2.0 (USB 2.0) portable electronic devices from USB 3.x hosts are disclosed. In one aspect, a USB 2.0 controller is provided in a USB 2.0 portable device. A USB 3.x controller is provided in a USB 3.x host. The USB 2.0 controller is configured to draw a higher charging current than specified in USB 2.0 for the USB 2.0 portable device over a USB 2.0 cable. In order to draw the higher charging current without violating USB 2.0, the USB 2.0 controller is configured to use one or more reserved elements in an existing USB 2.0 descriptor(s) or bitmap(s) to indicate a higher charging current request from the USB 2.0 controller.
    Type: Grant
    Filed: July 28, 2014
    Date of Patent: February 5, 2019
    Assignee: QUALCOMM Incorporated
    Inventors: Devdutt Patnaik, Jay Yu Jae Choi, Terrence Brian Remple
  • Patent number: 10191788
    Abstract: Programmable devices, hierarchical parallel machines and methods for providing state information are described. In one such programmable device, programmable elements are provided. The programmable elements are configured to implement one or more finite state machines. The programmable elements are configured to receive an N-digit input and provide a M-digit output as a function of the N-digit input. The M-digit output includes state information from less than all of the programmable elements. Other programmable devices, hierarchical parallel machines and methods are also disclosed.
    Type: Grant
    Filed: November 16, 2016
    Date of Patent: January 29, 2019
    Assignee: Micron Technology, Inc.
    Inventor: Paul Dlugosch
  • Patent number: 10178205
    Abstract: A wireless station associates with an access point to join a wireless local area network (WLAN). The access point is part of the WLAN and operates as a switching device between wireless stations of the WLAN. The wireless station forms a TCP session via the access point with an external device which is external to the WLAN. The wireless station exchanges (i.e., transmits and/or receives) a first sequence of packets on the TCP session. The wireless station receives a frame from the access point, the frame indicating that the wireless station has been disassociated after having associated earlier with the access point. The wireless station re-associates with the access point. The access point then communicates with the external device on the TCP session after re-associating, the communicating involving exchanging a second sequence of packets with the external device after the re-association.
    Type: Grant
    Filed: September 12, 2016
    Date of Patent: January 8, 2019
    Assignee: GAINSPAN CORPORATION
    Inventors: Pankaj Vyas, Vishal Batra, Burhanuddin Lohawala
  • Patent number: 10169573
    Abstract: A data processing apparatus including circuitry for performing data processing, a plurality of registers; and a data store including regions having different secure levels, at least one secure region (for storing sensitive data accessible by the data processing circuitry operating in the secure domain and not accessible by the data processing circuitry operating in a less secure domain) and a less secure region (for storing less secure data). The circuitry is configured to determine which stack to store data to, or load data from, in response to the storage location of the program code being executed. In response to program code calling a function to be executed, the function code being stored in a second region, the second region having a different secure level to the first region, the data processing circuitry is configured to determine which of the first and second region have a lower secure level.
    Type: Grant
    Filed: October 4, 2016
    Date of Patent: January 1, 2019
    Assignee: ARM Limited
    Inventors: Thomas Christopher Grocutt, Richard Roy Grisenthwaite
  • Patent number: 10152589
    Abstract: Methods and devices for searching are described. In one aspect, the method includes: receiving a search query; identifying a search data file associated with a third party application, the search data file being prepared according to predetermined format rules by the third party application, and stored, prior to receiving the search query; searching, at least a portion of the search data file using the search query to identify information that matches the search query; using the predetermined format rules to identify associated information in the search data file, the associated information being related to the information that matches the search query; obtaining search results from at least one other source; and generating a display of search results based on both the information matching the search query and the associated information, the display including the search results from the at least one other source.
    Type: Grant
    Filed: March 21, 2016
    Date of Patent: December 11, 2018
    Assignee: BLACKBERRY LIMITED
    Inventors: Ryan John Waters, Sivakumar Nagarajan, Martello Michealangelo Jones
  • Patent number: 10152605
    Abstract: A security framework and methodology is provided which provides front-end security through authentication and authorization, and back-end security through a virtual private data-store created within an insecure environment using existing object-relational mapping (ORM) layers or database drivers. The front-end security utilizes numerous multi-factor authentication metrics and a distributed denial of service (DDoS) cryptographic boundary to proactively attack malicious users using a cryptographic puzzle, and the back-end security provides data encryption and decryption, data privacy, data integrity, key management, pattern monitoring, audit trails and security alerts while simultaneously hiding the complexity behind an identical or similar ORM or database drive application programming interface (API).
    Type: Grant
    Filed: May 21, 2015
    Date of Patent: December 11, 2018
    Inventor: Siddharth Shetye
  • Patent number: 10146934
    Abstract: A system and method for sharing data and a risk assessment of the data comprises receiving data in a first application and obtaining a risk level of the data, performing an action in the first application necessitating passing a message comprising at least the data and the risk level to a second application, passing the message from the first application to the second application, receiving, at the second application, the message, determining by said second application whether the risk level exceeds a predetermined threshold, when the risk level exceeds the predetermined threshold, implementing a protocol to perform actions in the second application using the data in accordance with the protocol, and when the risk level does not exceed the predetermined threshold, running the second application using the data.
    Type: Grant
    Filed: March 14, 2014
    Date of Patent: December 4, 2018
    Assignee: International Business Machines Corporation
    Inventors: Tamer E. Abuelsaad, Carlos A. Hoyos, Nader M. Nassar
  • Patent number: 10140320
    Abstract: Systems, methods, and media for generating analytical data from actions performed on one or more publishing servers. Methods may include capturing one or more audit trails by determining actions performed on the one or more publishing servers via one or more client devices, the one or more publishing servers adapted to publish informational content; generating analytical data from the one or more audit trails; and storing the generated analytical data in a database.
    Type: Grant
    Filed: February 28, 2011
    Date of Patent: November 27, 2018
    Assignee: SDL Inc.
    Inventors: Andrew Trese, Frank Closset
  • Patent number: 10129222
    Abstract: Systems and methods are disclosed for providing a trusted database system that leverages a small amount of trusted storage to secure a larger amount of untrusted storage. Data are encrypted and validated to prevent unauthorized modification or access. Encryption and hashing are integrated with a low-level data model in which data and meta-data are secured uniformly. Synergies between data validation and log-structured storage are exploited.
    Type: Grant
    Filed: April 24, 2017
    Date of Patent: November 13, 2018
    Assignee: Intertrust Technologies Corporation
    Inventors: Umesh Maheshwari, Radek Vingralek, W. Olin Sibert
  • Patent number: 10121004
    Abstract: An apparatus and method for monitoring a virtual machine based on a hypervisor. The method for monitoring a virtual machine based on a hypervisor includes monitoring an attempt to access an executable file located in a virtual machine, when the attempt to access the executable file is detected, extracting a system call transfer factor, input through a task that attempted to make access, acquiring, based on the system call transfer factor, an execution path corresponding to the executable file and a reference path corresponding to a reference file that is executed together with the executable file, and checking based on the execution path and the reference path whether any of the executable file and the reference file is malicious, and collecting a file in which malicious code is present when the malicious code is present in any of the executable file and the reference file.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: November 6, 2018
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Sung-Jin Kim, Woomin Hwang, ByungJoon Kim, ChulWoo Lee, HyoungChun Kim
  • Patent number: 10121001
    Abstract: Systems for a method for monolithic workload scheduling in a portable computing device (“PCD”) having a hypervisor are disclosed. An exemplary method comprises instantiating a primary virtual machine at a first exception level, wherein the primary virtual machine comprises a monolithic scheduler configured to allocate workloads within and between one or more guest virtual machines in response to one or more interrupts, instantiating a secure virtual machine at the first exception level and instantiating one or more guest virtual machines at the first exception level as well. When an interrupt is received at a hypervisor associated with a second exception level, the interrupt is forwarded to the monolithic scheduler along with hardware usage state data and guest virtual machine usage state data. The monolithic scheduler may, in turn, generate one or more context switches which may comprise at least one intra-VM context switch and at least one inter-VM context switch.
    Type: Grant
    Filed: June 21, 2017
    Date of Patent: November 6, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Thomas Zeng, Azzedine Touzni, Satyaki Mukherjee
  • Patent number: 10097607
    Abstract: Embodiments for changing bit rates in streaming media are provided. As portions of a streaming media file are downloaded for playback, the size of the portion is compared with an expected size determined prior to initiating playback of streaming AV data. The portion of the media file may be padded such that the size of the portion matches the size specified prior to initiating playback of streaming AV data.
    Type: Grant
    Filed: April 1, 2016
    Date of Patent: October 9, 2018
    Assignee: NETFLIX, INC.
    Inventors: Chung-Ping Wu, Christian Kaiser, Yung-Hsiao Lai, James Mitch Zollinger, David Randall Ronca
  • Patent number: 10097563
    Abstract: A computing system for a secure and reliable firmware update through a verification process, dynamic validation and continuous monitoring for error or failure and speedy correction of Internet of Things (IoT) device operability. The invention uses a Trusted Execution Environment (TEE) for hardware-based isolation of the firmware update, validation and continuous monitoring services. The isolation is performed by hardware System on a Chip (SoC) Security Extensions such as ARM TrustZone or similar technologies on other hardware platforms. The invention therefore comprises Firmware Update Service (FUS), System Validation Service (SMS) and Continuous Monitoring Service (CMS) running in the TEE with dedicated memory and storage, thus providing a trusted configuration management functionality for the operating system (OS) code and applications on IoT devices.
    Type: Grant
    Filed: May 4, 2016
    Date of Patent: October 9, 2018
    Assignee: GBS Laboratories, LLC
    Inventor: Oleksii Surdu
  • Patent number: 10097513
    Abstract: Constructs to define a Trusted Execution Environment Driver that can implement a standard communication interface in a first environment for discovering and/or exchanging messages with secure applications/services executed in a Trusted Execution Environment (TrEE). The first environment can represent an environment with a different security policy from the TrEE.
    Type: Grant
    Filed: September 14, 2014
    Date of Patent: October 9, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Youssef Barakat, Kinshuman Kinshumann, Brian Perkins, Jinsub Moon
  • Patent number: 10095530
    Abstract: Approaches for transferring control to a bit set. At a point of ingress, prior to transferring control to the bit set, a determination is made as to whether the bit set is recognized as being included within a set of universally known malicious bit sets. If the bit set is not so recognized, then another determination is made as to whether the bit set is recognized as being included within a set of locally known virtuous bit sets. If the bit set is recognized as being included within a set of locally known virtuous bit sets, then control is not transferred to the bit set. Upon determining that the bit set is not included within the set of locally known virtuous bit sets, then the bit set is copied into a micro-virtual machine and control is transferred to the bit set within the micro-virtual machine.
    Type: Grant
    Filed: July 13, 2015
    Date of Patent: October 9, 2018
    Assignee: Bromium, Inc.
    Inventors: Gaurav Banga, Ian Pratt, Rahul Kashyap
  • Patent number: 10097349
    Abstract: Systems and methods for protecting symmetric encryption keys when performing encryption are described. In one embodiment, a computer-implemented method includes retrieving at least one real key from a secure area and executing, with a processor, a key transform instruction to generate at least one transformed key based on receiving the at least one real key. The at least one transformed key is an encrypted version of at least one round key that is encrypted by the processor using the at least one real key. The processor is able to decrypt the at least one transformed key and encrypt the at least one round key.
    Type: Grant
    Filed: August 14, 2015
    Date of Patent: October 9, 2018
    Assignee: Intel Corporation
    Inventors: Steven L. Grobman, Jason W. Brandt
  • Patent number: 10089460
    Abstract: A behavior-based malicious code detecting apparatus and method using multiple feature vectors is disclosed. A malicious code learning method may include collecting characteristic factor information when a training target process comprising a malicious code is executed, generating a feature vector for malicious code verification based on the collected characteristic factor information, learning the generated feature vector through a plurality of machine learning algorithms to generate a model of representing the malicious code and a model of representing a normal file, and storing the model of representing the malicious code and the model of representing the normal file generated through the learning.
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: October 2, 2018
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Dae Sung Moon, Ik Kyun Kim, Yang Seo Choi
  • Patent number: 10091216
    Abstract: Technologies are provided in embodiments for receiving policy information associated with at least one security exception, the security exception relating to execution of at least one program, determining an operation associated with the security exception based, at least in part, on the policy information, and causing the operation to be performed, based at least in part, on a determination that the at least one security exception occurred.
    Type: Grant
    Filed: March 28, 2016
    Date of Patent: October 2, 2018
    Assignee: Intel Corporation
    Inventors: Gal Chanoch, Eran Birk, Baiju Patel, Steven Grobman, Tobias Kohlenberg, Rajeev Gopalakrishna
  • Patent number: 10083277
    Abstract: The present disclosure relates to systems and methods for facilitating trusted handling of genomic and/or other sensitive information. Certain embodiments may use a virtualized execution environment to execute code and/or programs that wish to access and/or otherwise use genomic and/or other sensitive information. In some embodiments, data requests from the code and/or programs may be routed through a transparent data access proxy configured to transform requests and/or associated responses to protect the integrity of the genomic and/or other sensitive information.
    Type: Grant
    Filed: January 19, 2017
    Date of Patent: September 25, 2018
    Assignee: Intertrust Technologies Corporation
    Inventors: W. Knox Carey, Jarl A. Nilsson, Bart Grantham
  • Patent number: 10075296
    Abstract: Embodiments of an invention for loading and virtualizing cryptographic keys are disclosed. In one embodiment, a processor includes a local key storage location, a backup key storage location, and execution hardware. Neither the local key storage location nor the backup key storage location is readable by software. The execution hardware is to perform a first operation and a second operation. The first operation includes loading a cryptographic key into the local key storage location. The second operation includes copying the cryptographic key from the local key storage location to the backup key storage location.
    Type: Grant
    Filed: July 2, 2015
    Date of Patent: September 11, 2018
    Assignee: Intel Corporation
    Inventors: Jason W Brandt, Vedvyas Shanbhogue