Security Kernel Or Utility Patents (Class 713/164)
  • Patent number: 11954207
    Abstract: A system and method are disclosed for delegating, by a resource-constrained device, a privilege to a basic input/output system, wherein the privilege allows the basic input/output system to authenticate an endpoint device on behalf of the resource-constrained device. The system and method also includes generating an asymmetric security key that includes a private key and a public key and transmitting the public key to the basic input/output system, wherein the public key is included in a proxy certificate generated by the basic input/output system. In addition, the system and method includes establishing a secure session between the basic input/output system and the endpoint device using the private key and the proxy certificate, wherein the secure session is used by the basic input/output system to authenticate and verify that the endpoint device is authorized to perform an operation.
    Type: Grant
    Filed: September 17, 2021
    Date of Patent: April 9, 2024
    Assignee: Dell Products L.P.
    Inventors: Viswanath Ponnuru, Chandrashekar Nelogal, Chandrasekhar Mugunda, Dharma Bhushan Ramaiah, Shinose Abdul Rahiman, Vineeth Radharisknan, Rama Rao Bisa
  • Patent number: 11949798
    Abstract: A primary platform (PP) can (i) support a first set of cryptographic parameters and (ii) securely download an unconfigured secondary platform bundle (SPB) that includes a configuration package (SPB CP). The SPB CP can establish a secure session with a configuration server (CS). The CS can select operating cryptographic parameters supported by the first set. The SPB CP can derive an SPB private and public key. The PP can use the selected operating cryptographic parameters to securely authenticate and sign the SPB public key. The CS can (i) verify the PP signature for the SPB public key and (ii) generate an SPB identity and certificate for the SPB and (iii) send the certificate and SPB configuration data to the SPB CP. The SPB CP can complete configuration of the SPB using the SPB identity, certificate, and configuration data. The configured SPB can authenticate with a network using the certificate.
    Type: Grant
    Filed: April 17, 2023
    Date of Patent: April 2, 2024
    Inventor: John A. Nix
  • Patent number: 11928190
    Abstract: This disclosure describes systems and methods for protecting commercial off-the-shelf software program code from piracy. A software program may include an executable file having code and data. A platform may modify the executable file such that the data may be placed at a location in memory that is an arbitrary distance from the code. The platform may modify the executable file to include a separation header. The separation header may indicate that the data can be placed at an arbitrary distance in the memory from the code. The separation header may indicate that the code should be loaded into a hardware enclave and that the data should be loaded outside of the hardware enclave. The platform may encrypt the code and provide it to a computing device. The computing device may load the encrypted code into the hardware enclave but load the data into memory outside the hardware enclave.
    Type: Grant
    Filed: October 20, 2022
    Date of Patent: March 12, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Xinyang Ge, Weidong Cui, Ben Niu, Ling Tony Chen
  • Patent number: 11886579
    Abstract: The present disclosure is directed to methods and apparatus for validating and authenticating use of machine learning models. For example, various techniques are described herein to limit the vulnerability of machine learning models to attack and/or exploitation of the model for malicious use, and for detecting when such attack/exploitation has occurred. Additionally, various embodiments described herein promote the protection of sensitive and/or valuable data, for example by ensuring only licensed use is permissible. Moreover, techniques are described for version tracking, usage tracking, permission tracking, and evolution of machine learning models.
    Type: Grant
    Filed: January 13, 2020
    Date of Patent: January 30, 2024
    Assignee: Koninklijke Philips N.V.
    Inventors: Shawn Arie Peter Stapleton, Amir Mohammad Tahmasebi Maraghoosh
  • Patent number: 11861005
    Abstract: Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or data isolation. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a rootkit defense mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or prevention of malicious code, for example, in a manner/context that is isolated and not able to be corrupted, detected, prevented, bypassed, and/or otherwise affected by the malicious code.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: January 2, 2024
    Assignee: Lynx Software Technologies, Inc.
    Inventors: Edward T Mooring, Phillip Yankovsky
  • Patent number: 11838326
    Abstract: Techniques for mobile equipment identity and/or IoT equipment identity and application identity based security enforcement in service provider networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for mobile equipment identity and/or IoT equipment identity and application identity based security enforcement in service provider networks includes monitoring network traffic on a service provider network at a security platform to identify a device identifier for a new session; determining an application identifier for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the device identifier and the application identifier.
    Type: Grant
    Filed: March 7, 2022
    Date of Patent: December 5, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky, Jesse C. Shu, Chang Li
  • Patent number: 11811820
    Abstract: Methods, apparatus and computer software products implement embodiments of the present invention that include protecting a computer system, by collecting information from data traffic transmitted between multiple local nodes on a private data network and public IP addresses corresponding to multiple remote nodes on a public data network. DNS resolutions are detected in the collected information, each DNS resolution identifying a local node requesting the resolution with respect to a URI and a public IP address corresponding to the URI. Transmissions from the local nodes to the public IP addresses are detected in the collected information at respective times, and the detected DNS resolutions are compared to the detected transmissions so as to identify the transmissions from the local nodes to the public IP addresses that were not resolved by the DNS resolutions. Finally, a protective action is initiated with respect to at least some of the identified transmissions.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: November 7, 2023
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
  • Patent number: 11797680
    Abstract: Methods, systems, and devices to enable a device with chain of trust are described. A controller may authenticate a root of trust entity as part of a boot-up procedure of a system that includes the root of trust entity. The root of trust entity may receive, as part of the boot-up procedure, a first portion of code associated with a first entity of the system. The controller may generate a first measurement result of the first portion of code and may identify, by the root of trust entity, a second measurement result associated with the first portion of code. The controller may determine, by the root of trust entity, whether the first measurement result matches the second measurement result as part of authenticating the first portion of code and may transmit, by the root of trust entity, an indication of whether the first and second measurement results match.
    Type: Grant
    Filed: August 28, 2020
    Date of Patent: October 24, 2023
    Assignee: Micron Technology, Inc.
    Inventor: Zhan Liu
  • Patent number: 11782730
    Abstract: Methods, systems, and apparatuses for configuring a device for a specific task or set of tasks thereby allowing the device to be used for more than one task or set of tasks while also enabling fine-grain control over how the device may be used. A device's file system can operate with a particular file system based on the task(s) that the device will perform. Further, the device can physically configure itself based on the task(s) that the device will perform.
    Type: Grant
    Filed: May 19, 2023
    Date of Patent: October 10, 2023
    Assignee: Lowe's Companies, Inc.
    Inventors: Balajee Thachakkadu Mohan, Dheeraj Kysetti, Saravanan Rajendran, Vighnesh S Kumar
  • Patent number: 11775327
    Abstract: Apparatus and methods are described herein for multiple single level security (MSLS) domains including, but not limited to, a secure kernel hypervisor (SKH). The SKH configures a single multi-tenant cloud to host the MSLS domains. A cloud orchestration system (COS) configures the single multi-tenant cloud to set up a plurality of separate virtual work packages (VWPs) for the MSLS domains. A key management system (KMS) is configured to manage security objects associated with the MSLS domains.
    Type: Grant
    Filed: July 10, 2020
    Date of Patent: October 3, 2023
    Assignee: SEMPER FORTIS SOLUTIONS, LLC
    Inventors: Gregory B. Pepus, Todd O'Connell
  • Patent number: 11757882
    Abstract: Techniques are described herein for using special session identifiers to defer additional authentication steps (AAS) for at least some restricted application actions. A client session is associated with a special session identifier that is mapped to an authentication tier (AT) achieved for the session based on the satisfied authentication steps. Web servers that are enabled for AAS deferral include context information, which identifies a requested action, with session verification requests to an authentication service. The authentication service determines that AAS is required to perform an action when (a) the AT associated with the action is a higher-security tier than the AT associated with the session, or (b) the session is associated with an AT that is lower than the highest-security AT and there is no context information accompanying the request for session validation, in which case the authentication service assumes that the highest-security AT is required to perform the request.
    Type: Grant
    Filed: October 24, 2022
    Date of Patent: September 12, 2023
    Assignee: LENDINGCLUB BANK, NATIONAL ASSOCIATION
    Inventors: Hyunsuk Han, Mahesh Acharya
  • Patent number: 11728974
    Abstract: Methods and systems for securing customer data in a multi-tenant database environment are described. A security module running on a database server may generate a private key-public key pair in response to receiving a request to store client data in a database. The security module may then transmit a request to derive a symmetric key to a key server, the request including the generated public key. The key server may derive a symmetric key, using key agreement and a key derivation function, based on the received public key and a private key managed by the key server. The security module may then receive the symmetric key from the key server and encrypt the client data. To facilitate decryption, the public key used to generate the symmetric key and an identifier for the private key managed by the key server may be stored in metadata associated with the client data.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: August 15, 2023
    Assignee: Salesforce, Inc.
    Inventors: Prasad Peddada, Taher Elgamal
  • Patent number: 11722532
    Abstract: Techniques for providing security for Cellular Internet of Things (CIoT) in mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for enhanced security for CIoT in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a subscriber identity for a new session, in which the session is associated with a CIoT device; determining an application identifier for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the subscriber identity and the application identifier.
    Type: Grant
    Filed: March 8, 2022
    Date of Patent: August 8, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky, Jesse C. Shu, Lei Chang
  • Patent number: 11640461
    Abstract: A computer-implemented method at a data management system comprises: generating, with one or more processors, a containerized runtime in a memory in communication with the one or more processors; instantiating, with the one or more processors, an app in the runtime; receiving, with the one or more processors, a request from the app for data; retrieving, with the one or more processors, a copy of the requested data from a data source; and transmitting, with the one or more processors, the data to the containerized runtime for the app to operate on.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: May 2, 2023
    Assignee: Rubrik, Inc.
    Inventors: Abhay Mitra, Vijay Karthik, Vivek Sanjay Jain, Avishek Ganguli, Arohi Kumar, Kushaagra Goyal, Christopher Wong
  • Patent number: 11625485
    Abstract: There is provided a system and a computer-implemented method of detecting malware in real time in a live environment. The method comprises: monitoring one or more operations of at least one program concurrently running in the live environment, building at least one stateful model in accordance with the one or more operations, analyzing the at least one stateful model to identify one or more behaviors, and determining the presence of malware based on the identified one or more behaviors.
    Type: Grant
    Filed: April 15, 2020
    Date of Patent: April 11, 2023
    Assignee: Sentinel Labs Israel Ltd.
    Inventors: Tomer Weingarten, Almog Cohen, Udi Shamir, Kirill Motil
  • Patent number: 11604876
    Abstract: A computer-implemented method at a data management system comprises: receiving, at a storage appliance from a server hosting a virtual machine, a write made to the virtual machine; computing, at the storage appliance, a fingerprint of the transmitted write; comparing, at the storage appliance, the computed fingerprint to malware fingerprints in a malware catalog; repeating the computing and comparing; and disabling the virtual machine if a number of matches from the comparing breaches a predetermined threshold over a predetermined amount of time.
    Type: Grant
    Filed: January 28, 2020
    Date of Patent: March 14, 2023
    Assignee: Rubrik, Inc.
    Inventors: Abhay Mitra, Vijay Karthik, Vivek Sanjay Jain, Avishek Ganguli, Arohi Kumar, Kushaagra Goyal, Christopher Wong
  • Patent number: 11593489
    Abstract: A boot read only memory (ROM) chip unit can perform a secure boot routine based on various operations. A processor device comprises a boot ROM chip with processing circuitry on a system board configured to perform a system board power up according to a read operation in a one-time-programmable OTP memory/non-volatile memory (NVM). The OTP memory/NVM includes a spare area in a portion of the OTP/NVM that can receive a first sequence pattern. The processor determines whether a secure boot indication indicates a secure boot routine, and differentiates one or more read return content of the OTP memory/NVM between a wrongly read return content and a trusted read return content, in response to, or concurrent with, the secure boot indication indicating the secure boot routine.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: February 28, 2023
    Assignee: MaxLinear, Inc.
    Inventors: Jiaxiang Shi, Chun Feng Hu, Yao Chye Lee, Qiming Wu
  • Patent number: 11595366
    Abstract: Techniques are disclosed relating to securely communicating traffic. In some embodiments, an apparatus includes a secure circuit storing keys usable to encrypt data communications between devices over a network. The secure circuit is configured to store information that defines a set of usage criteria for the keys. The set of usage criteria specifies that a first key is dedicated to encrypting data being communicated from a first device to a second device. The secure circuit is configured to receive a request to encrypt a portion of a message with the first key, the request indicating that the message is being sent from the first device to the second device, and to encrypt the portion of the message with the first key in response to determining that the set of usage criteria permits encryption with the first key for a message being sent from the first device to the second device.
    Type: Grant
    Filed: September 8, 2017
    Date of Patent: February 28, 2023
    Inventor: Tristan F. Schaap
  • Patent number: 11588822
    Abstract: A permission control method and apparatus for a terminal device, where the method includes: acquiring, in response to detecting a login operation of the target user on the target application, from the server, a permission control code of the target user for the target application; processing the permission control code into at least one permission code, the permission code being used to indicate that a user has a use permission for a corresponding functionality of the target application; and controlling, on the basis of the at least one permission code, the use of at least one functionality of the target application by the target user.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: February 21, 2023
    Assignees: Beijing Jingdong Shangke Information Technology Co., Ltd., Beijing Jingdong Century Trading Co., Ltd.
    Inventors: Shuo Gan, Wenming Zhe, Qi Hu
  • Patent number: 11565836
    Abstract: An item to write on a surface of a celestial body that has less atmosphere than Earth is received at a communications station and from a user device. An instruction that triggers the robot to write the item on the surface of the celestial body is provided by the communications station and to a robot on the surface of the celestial body. An image of the item written on the surface of the celestial body is received by the communications station and from the robot. The image of the item written on the surface of the celestial body is provided by the communications station and to the user device.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: January 31, 2023
    Assignee: RKF Engineering Solutions LLC
    Inventors: Jeffrey Freedman, Ted Kaplan, Phil Rubin, David Marshack, David Milliner
  • Patent number: 11563574
    Abstract: This invention relates generally to distributed ledger technology (including blockchain related technologies), and in particular the use of a blockchain in implementing, controlling and/or automating a task or process. It may relate to the use of a blockchain or related technology for recording or representing the execution of a portion of logic. This portion of logic may be arranged to implement the functionality of a logic gate, or plurality of logic gates, such as AND, XOR, NOT, OR, etc.
    Type: Grant
    Filed: July 21, 2017
    Date of Patent: January 24, 2023
    Assignee: nChain Holdings Ltd
    Inventor: Gavin Allen
  • Patent number: 11552998
    Abstract: A device includes a root of trust and a controller to perform a device function of the device using the root of trust. The root of trust is designed to control and/or observe the controller at least partially for the performance of the device function.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: January 10, 2023
    Assignee: Infineon Technologies AG
    Inventors: Josef Haid, Stefan Rueping
  • Patent number: 11526599
    Abstract: One or more computer processors collect logs containing one or more admission requests associated with a new application installation in an empty namespace, wherein the empty namespace is a sandbox representative of a production environment. The one or more computer processors classify the one or more admission requests according to a set of conditions indicating respective levels of trust. The one or more computer processors create a set of candidates for signing containing admissions requests that are classified unsigned. The one or more computer processors generate a security policy for each candidate for signing in the set of candidates for signing.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: December 13, 2022
    Assignee: International Business Machines Corporation
    Inventors: Ruriko Kudo, Hirokuni Kitahara, Kugamoorthy Gajananan, Yuji Watanabe
  • Patent number: 11501005
    Abstract: A method and system for performing computational jobs securely on a shared computing resource. Data files for the computational job are encrypted on a secure system and the encrypted data files are stored in a data store on the shared computing resource. A key distribution server is established using a secure enclave on a front end of the shared computing resource. Cryptographic keys and application binaries are transferred to the enclave of the shared computing resource using a session key. The computational job is run using an application launcher on compute nodes of an untrusted execution environment of the shared computing resource, the application launcher obtaining the application binaries and the cryptographic keys from the key distribution server.
    Type: Grant
    Filed: August 26, 2020
    Date of Patent: November 15, 2022
    Assignee: ROLLS-ROYCE plc
    Inventor: Bryan L Lapworth
  • Patent number: 11500969
    Abstract: This disclosure describes systems and methods for protecting commercial off-the-shelf software program code from piracy. A software program may include multiple image files having code and data. A platform may modify the executable file such that the data may be placed at a location in memory that is an arbitrary distance from the code. The platform may encrypt the code and provide it to a computing device comprising a hardware enclave. The computing device may load the encrypted code into the hardware enclave but load the data into memory outside the hardware enclave. The computing device may request a decryption key from an authentication server using a hash of the hardware enclave signed by a processor. The authentication server may provide the decryption key if it verifies the signature and the hash. The computing device may decrypt the code and mark the hardware enclave as non-readable.
    Type: Grant
    Filed: January 3, 2020
    Date of Patent: November 15, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Xinyang Ge, Weidong Cui, Ben Niu, Ling Tony Chen
  • Patent number: 11488144
    Abstract: A computer-implemented method to participate in a token transfer process for transferring a first quantity of token from a sender node to a recipient node using a blockchain is disclosed. The token transfer process includes a plurality of participating nodes and execution of a set of indirect token transactions between multiple pairs of the participating nodes.
    Type: Grant
    Filed: June 19, 2018
    Date of Patent: November 1, 2022
    Inventors: Daniel Joseph, Silvia Bartolucci
  • Patent number: 11468386
    Abstract: Data processing systems and methods, according to various embodiments, are adapted for determining an applicable privacy policy based on various criteria associated with a user and the associated product or service. User and product criteria may be obtained automatically and/or based on user input and analyzed by a privacy policy rules engine to determine the applicable policy. Text from the applicable policy can then be presented to the user. A default policy can be used when no particular applicable policy can be identified by the rules engine. Policies may be ranked or prioritized so that a policy can be selected in the event the rules engine identifies two conflicting policies based on the criteria.
    Type: Grant
    Filed: January 12, 2022
    Date of Patent: October 11, 2022
    Assignee: OneTrust, LLC
    Inventors: Richard A. Beaumont, Jonathan Blake Brannon
  • Patent number: 11449613
    Abstract: Systems and methods for providing security services during a power management mode are disclosed. In some embodiments, a method comprises detecting with a mobile security system a wake event on a mobile device, providing from the mobile security system a wake signal, the providing being in response to the wake event to wake a mobile device from a power management mode, and managing with the mobile security system security services of the mobile device. Managing security services may comprise scanning a hard drive of the mobile devices for viruses and/or other malware. Managing security services may also comprise updating security applications or scanning the mobile device for unauthorized data.
    Type: Grant
    Filed: May 6, 2019
    Date of Patent: September 20, 2022
    Assignee: CUPP Computing AS
    Inventors: Ami Oz, Shlomo Touboul
  • Patent number: 11449627
    Abstract: Systems and methods for tokenization in a cloud-based environment. The disclosed systems and methods may perform operations including receiving input to be tokenized; obtaining a keyed hash function from a key management system; using the keyed hash function to generate a storage token for the input; creating an encrypted database entry linking the generated token to the received input; setting an expiry for the storage token; and when the storage token is received before the expiry, providing the linked input in response.
    Type: Grant
    Filed: April 23, 2020
    Date of Patent: September 20, 2022
    Assignee: Amadeus S.A.S.
    Inventors: Roman Jean Jo Bayon, Giuseppe Andrea Turelli
  • Patent number: 11438366
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for network risk assessment. One of the methods includes obtaining information describing network traffic between a plurality of network devices within a network. A network topology of the network is determined based on the information describing network traffic, with the network topology including nodes connected by an edge to one or more other nodes, and with each node being associated with one or more network devices. Indications of user access rights of users are associated to respective nodes included in the network topology. User interface data associated with the network topology is generated.
    Type: Grant
    Filed: July 17, 2020
    Date of Patent: September 6, 2022
    Assignee: Palantir Technologies Inc.
    Inventors: Miles Seiver, Stephen Cohen
  • Patent number: 11429725
    Abstract: Systems and methods involve a database function of an ATM processor on which rules database records for positive transition flows of ATM hardware or software activities are stored, a security agent function of the ATM processor that extracts data points from a transition flow for every succeeding ATM activity, and an algorithm function of the ATM processor that generates a rules database record for the transition flows for succeeding ATM activity based on the extracted data points and discards any generated rules database record that is identical to a rules database record already stored on the rules database function. A discovery phase of the algorithm function stores new rules database records on the rules database function, and a protection phase of the algorithm function selects a risk protocol, when a generated record is not identical to a record already stored.
    Type: Grant
    Filed: April 26, 2018
    Date of Patent: August 30, 2022
    Assignee: CITICORP CREDIT SERVICES, INC. (USA)
    Inventor: Ganesh Banerjee
  • Patent number: 11409881
    Abstract: A method of controlling access of an information handling system to a secured network may comprise detecting a time of flight (TOF) signal distance between the information handling system and a plurality of WLAN access points and received signal strength indication (RSSI) values to determine, via a processor executing code instructions of the information handling system, a location fingerprint of the information handling system relative to the plurality of address-identified wireless local area network (WLAN) access points and a secured perimeter of the facility before completing a boot process of the information handling system or allowing access to a secured network, if the location fingerprint indicates the information handling system is located within the secured perimeter.
    Type: Grant
    Filed: August 12, 2019
    Date of Patent: August 9, 2022
    Assignee: Dell Products, LP
    Inventors: Kamal J. Koshy, Eugene R. Simpson, Lars Fredrik Proejts
  • Patent number: 11409860
    Abstract: A system enables a content creator to upload the content onto the server and set rules and conditions for the access and retrieval. The content is downloaded to a portable storage medium, the content will be encrypted for display at a particular destination device. When the content is loaded on the destination device, the destination device will check if the content is loaded on the correct destination device by checking the information of the destination device attached to the content against the device information stored on the destination device.
    Type: Grant
    Filed: May 21, 2020
    Date of Patent: August 9, 2022
    Assignee: Equalearning Corp.
    Inventor: Shih-Yuan Wang
  • Patent number: 11411996
    Abstract: A mechanism to facilitate a private network (VPN)-as-a-service, preferably within the context of an overlay IP routing mechanism implemented within an overlay network. A network-as-a-service customer operates endpoints that are desired to be connected to one another securely and privately using the overlay IP (OIP) routing mechanism. The overlay provides delivery of packets end-to-end between overlay network appliances positioned at the endpoints. During such delivery, the appliances are configured such that the data portion of each packet has a distinct encryption context from the encryption context of the TCP/IP portion of the packet. By establishing and maintaining these distinct encryption contexts, the overlay network can decrypt and access the TCP/IP flow. This enables the overlay network provider to apply one or more TCP optimizations. At the same time, the separate encryption contexts ensure the data portion of each packet is never available in the clear at any point during transport.
    Type: Grant
    Filed: April 23, 2019
    Date of Patent: August 9, 2022
    Assignee: Akamai Technologies, Inc.
    Inventors: Brandon O. Williams, Martin K. Lohner, Kevin Harmon, Jeffrey Bower
  • Patent number: 11392512
    Abstract: Apparatuses, methods and storage medium associated with virtualizing a USB device controller of a SoC in a computing platform hosting multiple VMs, are disclosed herein. In some embodiments, a CRM includes instructions to implement a USB driver stack in a SOS of a SVM on the computing platform. The USB driver stack of the SOS includes a SOS device controller driver to communicate with one or more USB devices of the computing platform, via a USB device controller of the SoC; and a SOS function virtualization driver to communicate with one or more corresponding UVM function virtualization drivers of the UVMs to paravirtualize the SOS device controller driver to the UVMs. Other embodiments are also described and claimed.
    Type: Grant
    Filed: October 16, 2018
    Date of Patent: July 19, 2022
    Assignee: Intel Corporation
    Inventors: Rajaram Regupathy, Abdul R. Ismail
  • Patent number: 11388258
    Abstract: Embodiments described include systems and methods for managing downloads from an embedded browser. The client application can control the locations to which downloads are directed. A system administrator can configure a policy to restrict downloads to approved locations. The client application can prevent a user from navigating to and downloading a file to a location that has not been approved according to the policy.
    Type: Grant
    Filed: December 7, 2020
    Date of Patent: July 12, 2022
    Assignee: Citrix Systems, Inc.
    Inventor: Christopher Fleck
  • Patent number: 11379589
    Abstract: An information processing apparatus having at least a first controller and a second controller. The second controller includes a CPU and a first storage for storing, in a non-volatile manner, a first program to be executed by the CPU. When the information processing apparatus is started up, the first controller verifies a presence or absence of alteration of the first program stored in the first storage, and causes the CPU to start up after confirming by the verification that the first program has not been altered.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: July 5, 2022
    Assignee: Canon Kabushiki Kaisha
    Inventor: Junichi Goda
  • Patent number: 11379593
    Abstract: Examples associated with storage monitoring are described. One example system includes generating an encryption key and transmitting the encryption key to a basic input/output system (BIOS) security module. The BIOS security module uses the encryption key as a basis for a heartbeat. A provisioning module receives a signal identifying a monitored storage and generates an enforced storage associated with the monitored storage. The provisioning module also creates a manifest describing the relationship between the enforced storage and the monitored storage. The provisioning module transmits the manifest to the BIOS security module. A versioning module assigns a first access policy for the monitored storage and a second access policy to the enforced storage based on the manifest. The versioning module performs versioning for the monitored storage using the enforced storage, and periodically verifies operation to the BIOS security module using the heartbeat.
    Type: Grant
    Filed: August 16, 2017
    Date of Patent: July 5, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Ronaldo Rod Ferreira
  • Patent number: 11354446
    Abstract: A distributed file integrity checking system is described. The described peer integrity checking system (PICS) may negate an attack by storing a properties database amongst nodes of a peer-to-peer network of hosts, some or all of which co-operate to protect and watch over each other.
    Type: Grant
    Filed: March 20, 2020
    Date of Patent: June 7, 2022
    Assignee: Architecture Technology Corporation
    Inventors: Barry A. Trent, Edward R. Mandy
  • Patent number: 11354151
    Abstract: In an approach for securing container workloads, a processor encrypts workload binaries. A processor uploads the workload binaries to a software repository. A processor encrypts a workload definition. A processor replaces the workload definition with a mock workload definition. A processor references the encrypted workload definition in the mock workload definition. A processor submits the mock workload definition to a master node.
    Type: Grant
    Filed: February 12, 2020
    Date of Patent: June 7, 2022
    Assignee: International Business Machines Corporation
    Inventors: Harshal Patil, Pradipta Banerjee, Nitesh Konkar, Manjunath Kumatagi
  • Patent number: 11354407
    Abstract: Various embodiments are generally directed to techniques for library behavior verification, such as by generating executables for software with indications of permitted behaviors by the library. Some embodiments are particularly directed to monitoring library behavior and performing one or more protective actions based on abnormal or unpermitted library behavior. In many embodiments, libraries and library manifests may be validated based on one or more signatures. In various embodiments, library behavior data comprising a set of permitted behaviors for the library may be determined based on the library manifest. In various such embodiments, a compiler may embed indications of the permitted library behavior in executables.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: June 7, 2022
    Assignee: Intel Corporation
    Inventors: Omer Ben-Shalom, Hila Yitzhaki, Yoni Wolf, Dror Shilo, Gyora M. Benedek, Ezra Caltum
  • Patent number: 11347865
    Abstract: Systems, methods, and software can be used to analyze security risks of a binary software code. In some aspects, a computer-implemented method comprises: receiving, by at least one hardware processor, a binary software code; determining, by the at least one hardware processor, a security risk value for each of a plurality of security risk factors of the binary software code; for each of the plurality of security risk factors, determining, by the at least one hardware processor, a security confidence level of the respective security risk factor; and generating, by the at least one hardware processor, a security notification, wherein the security notification includes the security confidence levels corresponding to the plurality of security risk factors.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: May 31, 2022
    Assignee: BlackBerry Limited
    Inventor: Adam John Boulton
  • Patent number: 11341280
    Abstract: Disclosed are various embodiments for executing entity-specific cryptographic code in a cryptographic coprocessor. In one embodiment, encrypted code implementing a cryptographic algorithm is received from a service via a network. The cryptographic coprocessor decrypts the encrypted code. The cryptographic coprocessor executes the decrypted code to generate a cryptogram including information encrypted using the cryptographic algorithm. The cryptogram is sent to the service via the network.
    Type: Grant
    Filed: October 30, 2019
    Date of Patent: May 24, 2022
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: Wael Ibrahim, Manish K. Deliwala, Manik Biswas, Subrahmanyam Venakata Vishnuvajhala, Andrew Lei
  • Patent number: 11336684
    Abstract: A device includes a secure execution context that is segregated from an operating system of the device. A security application executing in the operating system interfaces with the secure execution context to obtain verified data. The secure execution context may verify that operating system files are free of malware, obtain sensor readings that may be cryptographically signed, verify functioning of a baseband processor, and verify other aspects of the function and security of the device. The verified data may be used for various purposes such as verifying location of the device, training a machine learning model, and the like.
    Type: Grant
    Filed: March 5, 2020
    Date of Patent: May 17, 2022
    Assignee: LOOKOUT, INC.
    Inventors: Brian James Buck, Karina Levitian, Francis Kelly, Sebastian Krawczuk, Michael Murray
  • Patent number: 11328063
    Abstract: Particular embodiments described herein provide for an electronic device that can be configured to intercept a process, store execution profiling for the process if the process involves a privileged resource or a privileged operation, and analyze the code involved in each stack frame to determine malicious activity. If the process does not involve a privileged resource or a privileged operation, then the process is not analyzed.
    Type: Grant
    Filed: November 1, 2019
    Date of Patent: May 10, 2022
    Assignee: McAfee, LLC
    Inventor: Greg W. Dalcher
  • Patent number: 11314868
    Abstract: A system root of trust device of a computing system authenticates boot images associated with data processing units of the computing system. The device includes at least one processor configured to determine whether a first set of boot code associated with a first processor of the computing system is authentic, in response to determining that the first set of boot code is authentic, reset the first processor to allow the first processor to boot and authenticate first executable code to be executed by the first processor, after resetting the first processor, determine whether a second set of boot code associated with a second processor of the computing system is authentic, and in response to determining that the second set of boot code is authentic, reset the second processor to allow the second processor to boot and to authenticate second executable code to be executed by the second processor.
    Type: Grant
    Filed: August 30, 2019
    Date of Patent: April 26, 2022
    Assignee: Fungible, Inc.
    Inventors: Yvonne Hou, Sunil Mekad, Prathap Sirishe, Satish D Deo, Umar Badusha
  • Patent number: 11308202
    Abstract: An intrusion detection system, comprising a monitor to receive messages from a target over a low-latency communication link comprising a controlled access memory structure logically positioned between the target and the monitor using point-to-point interconnects, the controlled access memory structure to receive a message from the target indicating that the target has entered a controlled mode of operation.
    Type: Grant
    Filed: June 7, 2018
    Date of Patent: April 19, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Ronny Chevalier, David Plaquin, Maugan Villatel, Guillaume Hiet
  • Patent number: 11308226
    Abstract: The described technology is generally directed towards secure collaborative processing of private inputs. A secure execution engine can process encrypted data contributed by multiple parties, without revealing the encrypted data to any of the parties. The encrypted data can be processed according to any program written in a high-level programming language, while the secure execution engine handles cryptographic processing.
    Type: Grant
    Filed: July 28, 2021
    Date of Patent: April 19, 2022
    Assignee: CipherMode Labs, Inc.
    Inventors: Mohammad Sadegh Riazi, Ilya Razenshteyn
  • Patent number: 11308160
    Abstract: One embodiment provides for a computer-implemented method comprising generating a linked list table including a first component having linking data to be stored in a table data structure for one or more rebase and bind operations and a second component having instructions to implement the table data structure to perform the rebase and bind operations according to a linked list chain and executing the instructions in the second component of the linked list table to perform the one or more rebase and bind operations based on the linked list chain.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: April 19, 2022
    Assignee: Apple Inc.
    Inventors: Peter Cooper, Louis G. Gerbarg, Nick Kledzik
  • Patent number: 11294727
    Abstract: Various embodiments are provided for managing cryptographic bottlenecks for distributed multi-signature blockchain contracts in a computing environment. One or more cryptographic bottlenecks of cryptographic requests at a cryptographic accelerator may be resolved by switching between a blockchain node cryptographic library and an accelerator cryptographic library upon a number of the cryptographic requests at the accelerator exceeding a defined threshold.
    Type: Grant
    Filed: March 26, 2019
    Date of Patent: April 5, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Emanuele Ragnoli, Mustafa Rafique, John Sheehan, Kevin Reilly