Entries |
Document | Title | Date |
20080209548 | Method of and Circuit for Identifying and/or Verifying Hardware and/or Software of an Appliance and of a Data Carrier Cooperating with the Appliance - In a method of and circuit for identifying and/or verifying the hardware and/or software of an appliance and of a data carrier, for example a smartcard, cooperating with the appliance, it is provided that a first unit (E | 08-28-2008 |
20080209549 | COMPUTER READABLE MEDIUM, DOCUMENT PROCESSING APPARATUS, DOCUMENT PROCESSING SYSTEM, DOCUMENT PROCESSING METHOD, AND COMPUTER DATA SIGNAL - A computer readable medium storing a program causing a computer to execute a process for document processing, the process includes: receiving image data obtained by, with an image reading apparatus, reading a document of a predetermined format in which contents of an electronic document stored in a storage portion while being associated with identification information, the identification information, and an entry for additional information are arranged; extracting entered additional information from the entry area of the received image data; and correlating the extracted additional information with an electronic document associated with the identification information. | 08-28-2008 |
20080216172 | SYSTEMS, METHODS, AND APPARATUS FOR SECURE TRANSACTIONS IN TRUSTED SYSTEMS - Systems, methods, and software for protecting the identities of individuals, groups, and organizations are provided. In one embodiment, the systems, methods, and software provided by the present invention include a challenge-response architecture based upon entity-specific knowledge for verification of identity. In one aspect, a method for authenticating a first entity to at least one other entity includes creating an authenticator effective to authenticate said first entity to said at least one other entity; providing said authenticator or a substantially secure derivative thereof to an intermediary authentication service configured to interrogate said first entity; receiving a response to an identity interrogation from said first entity at said intermediary; and comparing at said intermediary the content of said response, or a derivative of said content, to said authenticator or said substantially secure derivative thereof to generate an estimation as to whether said first entity is authentic at said intermediary. | 09-04-2008 |
20080222721 | DIGITAL MULTIPLE APPARATUS - Authentication data is read when a digital multiple apparatus main body starts, it is authenticated whether the authentication data read is regular authentication data, a printing operation is permitted if the authentication data read is the regular authentication data, and print data is printed with information on at least the authentication data and date and time information of printing added to the print data. | 09-11-2008 |
20080222722 | Method and Apparatus for Sequential Authentication Using One or More Error Rates Characterizing Each Security Challenge - Methods and apparatus are provided for sequential authentication of a user that employ one or mole error rates characterizing each security challenge. According to one aspect of the invention, a user is challenged with at least one knowledge challenge to obtain an intermediate authentication result; and the user challenges continue until a cumulative authentication result satisfies one or more criteria. The intermediate authentication result is based, for example, on one or more of false accept and false reject error probabilities for each knowledge challenge. A false accept error probability describes a probability of a different user answering the knowledge challenge correctly. A false reject error probability describes a probability of a genuine user not answering the knowledge challenge correctly. The false accept and false reject error probabilities can be adapted based on field data or known information about a given challenge. | 09-11-2008 |
20080229412 | Associating Security Information with Information Objects - A hash key is generated based on an information object and a lookup operation is performed in a hash table based on the hash key. A determination is made whether an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object. A labelset, identifying a sensitivity of the information object, is stored in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table. Information flows involving the information object are authorized based on a lookup of the labelset associated with the information object in the hash table. The hash table may be a multidimensional hash table. | 09-18-2008 |
20080229413 | Authorizing Information Flows - Authorizing information flows between devices of a data processing system is provided. In one illustrative embodiment, an information flow request is received from a first device to authorize an information flow from the first device to a second device. The information flow request includes an identifier of the second device. Based on an identifier of the first device and the second device, security information identifying an authorization level of the first device and second device is retrieved. A sensitivity of an information object that is to be transferred in the information flow is determined and the information flow is authorized or denied based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow. | 09-18-2008 |
20080235791 | System and Method for Distributed Module Authentication - Distributed module authentication allows security checks to be initiated by multiple software modules. Module authentication processes can be inserted into two or more modules in an operating system and/or various other applications. These module authentication processes can verify the integrity of binaries associated with one or more modules in computer memory. Security checks can be performed on modules stored on disk, in active system memory, or in any other location. Various security checks can be coordinated with each other to ensure variety and frequency of module authentication, as well as to randomize the module authentication process that performs a particular security check. In addition, security processor code can be interleaved within normal application code, so the security code is difficult for attackers to remove or disable without damaging the useful functionality of an application. | 09-25-2008 |
20080244736 | MODEL-BASED ACCESS CONTROL - Access control as it relates to policies or permissions is provided based on a created model. A security policy is abstracted and can be independent of a mechanism used to protect resources. An asbstract model of a potential user, user role and/or resource is created without associating a specific individual and/or resource with a model. These abstract user models and abstract resource models can be used across applications or within disparate applications. The abstracted security policies can be selectively applied to the model. Specific users and/or resources can be associated with one or more abstract user model or abstract resource model. The models can be nested to provide configurations for larger systems. | 10-02-2008 |
20080244737 | STORAGE DEVICE - A storage device has a data erasing function. A controller of a storage device, such as an USB, has a lost timer section and an emergency timer section. Both timer sections halt clocking operation as a result of initiation of use of the storage device by an authorized user. The lost timer section commences s clocking operation as a result of completion of use of the storage device by the authorized user. The emergency timer section commences clocking operation as a result of unauthorized removal of the storage device. When either the lost timer section or the emergency timer section outputs a count-up signal, data in flash ROM are erased. | 10-02-2008 |
20080244738 | ACCESS CONTROL - An access control method includes receiving an access request to a file system from a user terminal through a common Internet file system (CIFS) or a network file system (NFS) and determining whether the access request should be allowed. The method includes determining whether a basic permission attribute of an access request used in the NFS should be allowed with reference to access control information associated with basic permission attributes, the basic permission attribute being associated with an access request received from the user terminal through the CIFS, the access control information indicating whether an access request to respective objects of the file system should be allowed or denied, and the access control information being stored in an access-control-information storing unit. The method also includes determining whether the access request associated with the allowed basic permission attribute should be allowed, in reference to the access control information. | 10-02-2008 |
20080250495 | AUTHENTICATION PROCESSING APPARATUS, AUTHENTICATION PROCESSING METHOD, RECORDING MEDIUM STORING AUTHENTICATION PROCESSING PROGRAM, RECORDING MEDIUM STORING INFORMATION PROCESSING PROGRAM AND INFORMATION PROCESSING SYSTEM - An authentication processing apparatus, which includes: an authentication processing section that performs authentication using an authentication method selected from authentication methods provided; a storage section that stores authentication information indicating whether or not the authentication succeeds; a determination section that, when an operation on electronic information associated to one or more authentication methods is performed, determines whether the operation on the electronic information is permitted or not, on the basis of the one or more authentication methods associated to the electronic information and the stored authentication information; and an authentication request section that, when the determination section determines that the operation on the electronic information is not permitted, detects from among the one or more authentication methods associated to the electronic information an authentication methods for which it is not indicated in the authentication information that an authentication succeeds, and requests the authentication using the detected authentication method. | 10-09-2008 |
20080256627 | COPYRIGHTS WITH POST-PAYMENTS FOR P2P FILE SHARING - In accordance with an embodiment, a method, apparatus or tangible computer medium (which stores computer executable code or program code) performs or facilitates: determining one or more aspects of an unauthorized copy of electronic content accessible to or through a user device; and conducting a transaction between the user device and a legitimizing party to legitimize the electronic content in view of the determined aspect(s). The electronic content may be unsecured copyrighted content. | 10-16-2008 |
20080256628 | Security Objects Controlling Access To Resources - Controlling access to resources through use of security objects including creating a security object in dependence upon user-selected security control data types, the security object comprising security control data and at least one security method; receiving a request for access to the resource; receiving security request data; and determining access to the resource in dependence upon the security control data and the security request data. Creating a security object includes storing in the security object a resource identification for the resource; storing in the security object an authorization level of access for the resource; storing in the security object user-selected security control data types; and storing in the security object security control data for each user-selected security control data type. Embodiments include deploying the security object on a security server or on a client device. | 10-16-2008 |
20080256629 | Management Apparatus, System, and Method for Protecting a Memory Storage Card - A management apparatus, system, and method for protecting a memory storage card are provided. The management apparatus comprises an access unit and a check unit. The access unit is configured to read a first security message, and a second security message of the memory storage card. The check unit is configured to check the first and second security messages to generate a check result. The management apparatus makes the memory storage card available according to the check result and efficiently prevents the memory storage card from theft. | 10-16-2008 |
20080256630 | IMAGE FORMING APPARATUS, CONTROL METHOD OF IMAGE FORMING APPARATUS, PROGRAM, AND STORAGE MEDIUM - An image forming apparatus for executing a processing flow including a plurality of steps, includes a determination unit which determines whether or not a processing flow to be executed includes an instruction required step that requires an instruction of a user, a selection unit which selects, when the processing flow to be executed includes the instruction required step, a notification destination of information required to display an operation window for accepting the instruction of the user, a notification control unit which notifies the notification destination selected by the selection unit of the operation window, and an execution unit which executes processing of the instruction required step according to instruction contents input via the operation window. | 10-16-2008 |
20080263657 | Control of Media Components in a Session - A method for applying control to a plurality of media components in a media session, comprising determining a level of control for at least one component, and applying the determined level of control to said at least one component. | 10-23-2008 |
20080271140 | Verification for Computer Programs that Include External Call References - A program verification mechanism includes an external call reference verification mechanism that verifies external call references in a computer program. The external call reference verification mechanism checks the computer program after the computer program has been loaded by a loader/linker. The loader/linker stores a list of trusted entry points that specifies a trusted entry point for each external call reference, along with a list of allowable caller code for each trusted entry point. The external call reference verification mechanism determines the entry point for each instruction that is an external call reference, determines whether the entry point is listed as the trusted entry point for the external call reference, and whether the external call reference instruction is in the list of allowable caller code for the trusted entry point. If so, the computer program is verified. If not, verification of the computer program fails. | 10-30-2008 |
20080282344 | E-MAIL AUTHENTICATION - A system and method for determining whether an e-mail originates from a sender authorized by an address provider to send the e-mail to an intended recipient's e-mail address. The e-mail identifies an address provider from which the intended recipient's e-mail address was obtained. The e-mail is delivered to the intended recipient only upon verification that the sender is authorized by the address provider to obtain the intended recipient's e-mail address. The system and method may also provide for determining whether an e-mail originates from a forged source. A server receives data relating to an e-mail, including a purported sender and a verification host. The server queries the verification host with information pertaining to the e-mail and requests confirmation that the e-mail originates from the purported sender. The e-mail is determined to originate from a forged source unless the verification host responds that the e-mail originates from the purported sender. | 11-13-2008 |
20080282345 | APPARATUS FOR CONTROLLING PROCESSOR EXECUTION IN A SECURE ENVIRONMENT - Various embodiments described herein relate to apparatus for executing software in a secure computing environment. A secure processor can be used and configured to request a context swap from a first context to a second context when switching execution from a first portion of software to a second portion of software. A context manager, which can be in communication with the secure processor, can be configured to receive and initiate a requested context swap. A trust vector verifier, which can be in communication with the secure processor and the context manager, can be configured to load a trust vector descriptor upon command from a context manager. | 11-13-2008 |
20080289036 | TIME-BASED CONTROL OF USER ACCESS IN A DATA PROCESSING SYSTEM INCORPORATING A ROLE-BASED ACCESS CONTROL MODEL - Computer implemented method, system and computer usable program code for providing time-based control of user access in a data processing system utilizing a Role-Based Access Control model. A computer implemented method for providing time-based control of user access in a data processing system utilizing a Role-Based Access Control model includes providing at least one timing attribute for a role, wherein each at least one timing attribute specifies a timing condition by which a user is enabled to use the role. The user is enabled to use the role pursuant to satisfying the at least one timing attribute. | 11-20-2008 |
20080295168 | Method and communication system for controlling security association lifetime | 11-27-2008 |
20080301805 | METHODS OF COMMUNICATING OBJECT DATA - In an embodiment, a method of communicating an object data is provided. The method comprises receiving the object data from a first medical information system at a second medical information system, checking for an authorization for a user of the second medical information system to view the object data and displaying the object data upon finding the authorization. The method further comprises de identifying the object data upon not finding the authorization for the user and displaying the de identified object data at the second medical information system. | 12-04-2008 |
20080307522 | Data Management Method, Program For the Method, and Recording Medium For the Program - When user data and a program stored in a computer is recorded into an electronic recording medium by a recording device connected to the computer and carried outside, its recording is limited. The data management program stored in a computer has a function used when writing data from the computer onto the recording medium, for authenticating a user and disabling a person other than the authorized person to perform writing. The data management program authenticates whether the user is an authorized person by using a USB memory containing a secret key for authentication. | 12-11-2008 |
20080307523 | Federated ontology index to enterprise knowledge - A method, system, and computer program product for using a federated ontology as an index to enterprise knowledge are provided. The method includes receiving a request for the enterprise knowledge, mapping the request to a concept within the federated ontology, and searching the federated ontology for the concept to identify one or more data sources holding the enterprise knowledge. The method further includes retrieving the enterprise knowledge from the identified one or more data sources as search result data, and returning the search result data. | 12-11-2008 |
20080320590 | METHOD AND APPARATUS FOR CREATING SECURED FILE VIEWS IN A SOFTWARE PARTITION - A computer implemented method, apparatus, and computer program product for creating secured file views of a protected file. The process receives a request to access the file, wherein the file is stored in a common location, and wherein the request includes a set of file viewing parameters. The process identifies a callback function associated with the file and calls the callback function with the set of file viewing parameters to form a set of virtual viewing parameters. Thereafter, the process generates a secured file view of the file using the virtual viewing parameters, wherein the secured file view is viewable by a user of an authorized partition. | 12-25-2008 |
20090007259 | Restricting Access to Information - Technologies are presented herein for restricting access to information. According to various embodiments described herein, an authorization device is provided that includes functionality for detecting other proximately located authorization devices. When an authorization device detects another proximately located authorization device, authorization data stored in the detected device is retrieved. The retrieved authorization data is compared to stored authorization data and a determination is made as to whether a person associated with the detected device is authorized to receive information. The authorization device provides an indication as to whether the person is authorized to receive information. The authorization device may also provide an indication of the particular information that the person is authorized to receive. The authorization device may also be utilized to ensure that only authorized individuals participate in a meeting and that each participant is authorized to receive the information that is the subject of the meeting. | 01-01-2009 |
20090007260 | Security Synchronization Services - As a result of the inability to assign security in multiple applications at one time, there is an opportunity to tie the disparate security systems together. Security synchronization services is a method and apparatus that uses roles to provide a common administration experience for all applications that use it and fits better for new applications. | 01-01-2009 |
20090007261 | RECEIVING DATA IN A DATA STORE IN A SERVER COMPUTER SYSTEM - The present invention provides a method and system of receiving data in a data store in a server computer system. In an exemplary embodiment, the method and system include (1) receiving client authentication information of a client computer system, (2) receiving a data signature of the data from the client computer system, and (3) attempting to locate in the data store at least one data chunk with a stored data signature equal to the received data signature. | 01-01-2009 |
20090007262 | COMPUTER READABLE MEDIUM FOR RESOLVING PERMISSION FOR ROLE ACTIVATION OPERATORS - A computer-readable storage medium storing instructions executable by a processor for resolving permissions using role activation operators to evaluate permissions assigned to a user in a role context inheritance hierarchy. The stored instructions comprise several steps: a step of retrieving a plurality of activated roles within a role context that match roles assigned to a user, wherein one or more permissions in the role context inherit from one or more permissions in a parent role context in a role context permission inheritance hierarchy; a step of determining an aggregate permission for each of the plurality of activated roles, wherein a role activation operator determines how an activated role is evaluated; a step of processing the aggregate permissions for the plurality of activated roles; and a step of resolving a final permission for the user. | 01-01-2009 |
20090019542 | METHOD AND SYSTEM FOR INTELLIGENT ROUNTING BASED ON PRESENCE DETECTION - A message, which is to be routed to one of a plurality of authorized parties comprising a first authorized party and a second authorized party, is received by a routing system. A Web service is polled to detect for a presence of the first authorized party. After determining that the presence of the first authorized party remains undetected over an allocated time interval, the Web service is polled to detect for a presence of the second authorized party. In response to detecting the presence of the second authorized party, the message is routed to an active communication device associated with the second authorized party. | 01-15-2009 |
20090019543 | SYSTEM AND METHOD FOR ENCODING AND DECODING DATA AND REFERENCES TO DATA IN MACHINE-READABLE GRAPHICAL CODES - A system for decoding machine-readable graphical codes is provided. The system includes a graphical code reading device configured to read a graphical code and generate reference encoded source data. The reference encoded source data includes a first reference identifier and a second portion. The system also includes a computing device in electronic communication with the graphical code reading device. The computing device also includes a reference decoder configured to effect conversion of the reference encoded source data into source data. The source data includes first affiliated data in place of the first reference identifier. The first affiliated data may be longer in length than the first reference identifier. The source data also includes the second portion. The computing device also includes a software application configured to use the source data. | 01-15-2009 |
20090025081 | METHOD AND SYSTEM FOR CONFIGURING LOCAL AND REMOTE RESOURCES TO ACCOMPLISH RENDERING OF MULTIMEDIA CONTENT ON DISSIMILAR FORMAT DEVICES BASED ON USER BIOMETRIC DATA - A system and method is provided for communication of information in a mobile communication device (WMCD) configured to network connection may include discovering via a wireless mobile communication device, available communication resources based on acquired biometric data for a user of the WMCD, and communicating multimedia information between the WMCD and one or more of the discovered available resources. The acquired biometric data may include physical and behavioral biometric data to be authenticated and validated by a pattern recognition database. A connection between the WMCD and one or more discovered available resources may be established through linking the acquired biometric data to resources in available local or remote network. The established connection may enable the WMCD to consume or redirect media from the available resources and may be dynamically adjusted and updated based on dynamic sensing of the acquired biometric data in the available network or available resources. | 01-22-2009 |
20090031418 | Computer, method for controlling access to computer resource, and access control program - Valid state judging means judging a valid state of an access permission based on state of an execution environment; an access permission management table specifying an access permission to computer resource based on the valid state by the valid state judging means; and an access control execution environment conducting access control based on the access permission management table are provided. | 01-29-2009 |
20090031419 | MULTIMEDIA SYSTEM AND SERVER AND METHODS FOR USE THEREWITH - A multimedia server receives a plurality of programs of a multimedia source. The multimedia server includes a tuning module to receive the plurality of programs and to select a set of programs from the plurality of programs based on a set of program select commands that is derived from select requests. A program mixer mixes the set of programs into a stream of program data. One or more transceiving modules transmit the stream of program data on to corresponding communication paths and receive the select requests. A client module produces the select requests for one or more clients. The client module includes a selection module to produce at least one of the select requests. A network interface controller transmits at least one of select requests to the multimedia server and receives the stream of program data via the communication path or paths in response. | 01-29-2009 |
20090038005 | PRIVILEGE-BASED ACCESS SYSTEM - In one embodiment, an apparatus comprises a network interface system and a logic system. The network interface system comprises at least one network interface. The logic system comprises at least one logic device configured to do the following: receive, via the network interface system, task indications that a first person has completed predetermined tasks; ascertain points to award for the predetermined tasks; receive, via the network interface system, an access request to access identified content; determine a number of points required for granting the access request; determine a number of points currently available to the first person; determine whether to grant the access request; and send, via the network interface system, a message to a device indicating whether to grant the access request. | 02-05-2009 |
20090038006 | User authentication with image password - A method and apparatus authenticates a user with an image password. In one implementation, a method is provided. According to the method, a plurality of icons are displayed. The plurality of icons are arranged in a pattern. The method receives a sequence of selected inputs. Each of the inputs corresponds to one of the plurality of icons. The method further repositions the plurality of icons after each input and determines whether the user is authenticated based on the received sequence. | 02-05-2009 |
20090038007 | METHOD AND APPARATUS FOR MANAGING CLIENT REVOCATION LIST - A method and apparatus for managing a client revocation list are provided. The method includes receiving a first client revocation list from a server; and selectively discontinuing an operation of a client, based on the first client revocation list. By doing so, the method and the apparatus can securely control contents. | 02-05-2009 |
20090044269 | DIGITAL SIGNAL PROCESSING APPARATUS - If content is transmitted/received through a digital signal bus, protection of copyright causes a problem because of no deterioration in quality. Accordingly, authentication is required. The quantity of information to be processed is, however, so large that a long time is required for authentication. Accordingly, both achievement of handling property as in conventional analog connection and protection of copyrighted content without user's awareness become an object. The foregoing object can be achieved by authentication which is executed, for management of copyright, among apparatuses connected to the digital signal bus when the apparatuses are powered on or connected to the digital signal bus or when an input terminal connected to the digital signal bus is selected. The object can be further achieved by an encryption key shared among these apparatuses. | 02-12-2009 |
20090055926 | MANAGEMENT APPARATUS, MANAGEMENT METHOD AND RECORDING MEDIUM STORING PROGRAM - A management apparatus which includes: a receiving unit that receives first authorization information for a first document that is already issued and contains document identification information identifying at least one document for which it is possible to issue authorization information and an issuance request requesting that second authorization information for a second document be issued; a verifying unit that verifies authenticity of the first authorization information that is received by the receiving unit; a checking unit that, in a case where the authenticity of the first authorization information is verified, checks whether or not document identification information identifying the second document is included in the first authorization information; and an issuing unit that, in a case where the document identification information identifying the second document is included in the first authorization information, issues the second authorization information. | 02-26-2009 |
20090064321 | Methods for Providing User Authentication in a Computer Network or System - Embodiments of the present invention relate to methods for providing user authentication for a computer-type device or for a computer network. The method includes showing an interactive display comprising a plurality of media items. The plurality of media items may include a pre-designated authentication media item. A user is prompted to select the pre-designated media item from the plurality of media items, and may further be prompted to select a pre-designated location in the pre-designated media item. Network or other authentication may be provided if the user selects the pre-designated media item (and location) from the plurality of media. | 03-05-2009 |
20090064322 | Security Process Model for Tasks Within a Software Factory - Security for a software factory is provided by detecting a request by a user to utilize the software factory. Upon being authenticated, the user is granted permission to access specific areas of the software factory. A log is created of locations in software factory that have been accessed by the user. This log is then utilized in an audit that describes how effective the software factory is in creating deliverable software. | 03-05-2009 |
20090070867 | METHOD FOR SECURELY ENABLING DYNAMIC INSTRUMENTATION - A method is provided for securely enabling dynamic instrumentation. The method includes categorizing probes, upon creation, into one or more classes, providing lists of permissions for activating the probes and associating users with the permissions for activating the probes, such that certain users have permissions for activating certain probes. Users are associated with permissions by mapping classes of probes to permissions and mapping users to permissions, mapping classes of users to probes, or mapping users to at least one of classes of probes and classes of capabilities. | 03-12-2009 |
20090070868 | INFORMATION PROCESSOR, AUTHENTICATION CONTROL METHOD, AND STORAGE MEDIUM - An information processor is disclosed that includes an authentication part configured to authenticate a user based on predetermined information; an information obtaining part configured to obtain first information to be used to authenticate the user from an external device; and an authentication control part configured to cause the authentication part to authenticate the user by inputting information based on the first information to the authentication part as the predetermined information. The information obtaining part is configured to obtain the first information using a program module whose correlation with the information obtaining part is recorded in a recording medium. | 03-12-2009 |
20090077656 | IMAGE FORMING APPARATUS, IMAGE FORMING SYSTEM, AND CONTROL METHOD OF IMAGE FORMING APPARATUS - An image forming apparatus according to the present invention is an image forming apparatus capable of playing plural roles alone, the image forming apparatus including an authentication database in which association between a user and authentication information of the user is registered, a role management database in which association between the user and the role allocated to the user, association between a department to which a plurality of users belong and the role allocated to the department, and association between the user and the department to which the user belongs are registered, an authenticating unit that performs authentication of the user according to matching between authentication information inputted by the user and the authentication information registered in the authentication database, and a role managing unit that permits, with reference to the role management database, the user authenticated by the authenticating unit to use the role allocated to the user and permits the department to which the user authenticated by the authenticating unit belongs to use the role allocated to the department. | 03-19-2009 |
20090077657 | SYSTEM AND METHOD OF MANAGING USER ROLES IN AN AUTOMATED WORKFLOW PROCESS - A system and method that enable a user to establish a criteria for a plurality of user roles associated with a system of processing an authoring assignment. The system and method may also enable the user to customize the criteria. The system and method may enable a user to assign a role to a user and perform a function on the authoring assignment associated with that role. The system and method may maintain a history of each function performed on the authoring assignment by the user. The roles may enable a user to request, create, modify, approve, reject or publish an authoring assignment or any combination thereof. The system and method may enable a user to modify a role assigned to a user and assign a role to a user based on a function to be performed by that user. | 03-19-2009 |
20090077658 | ARCHIVE OF TEXT CAPTURES FROM RENDERED DOCUMENTS - A facility for storing a text capture data structure for a particular user is described. The data structure comprises a number of entries. Each entry corresponds to a text capture operation performed by the user from a rendered document. Each entry contains information specifying the text captured in the text capture operation. | 03-19-2009 |
20090077659 | Image processing apparatus, session managing method and session managing program - An image processing apparatus, a session managing method, and a session managing program allow an operator to change his or her role flexibly. The image processing apparatus comprises a session managing unit for managing information about an operator who is logged in as a session, and a role determination unit for determining a role of the operator. The session managing unit includes a login session unit that is generated upon login of the operator, and a subject unit that generates information indicating the operator, a group to which the operator belongs, and an existing role of the operator. Upon request for a role change from the operator, the login session unit requests initialization of the subject unit. The subject unit then generates information indicating a role after role change based on the role after role change that is confirmed by the role determination unit. | 03-19-2009 |
20090083851 | SERIALIZED LOCK COMBINATION RETRIEVAL SYSTEMS AND METHODS - Disclosed are embodiments of systems and methods for retrieving combination lock codes in a secure environment. In some embodiments, each of a plurality of combination locks are linked with a serial code. A user may then enter user identity information into a retrieval system. After the system has validated the user identity information, the user may enter a serial code into the system, the serial code associated with a combination lock for which the user would like to retrieve a corresponding combination code. Upon receipt of the serial code from the user, the system may securely transmit a combination code associated with the desired combination lock to the user. In one embodiment, the secure transmission of the combination code is done by sending an electronic mail message to an electronic mail account of the user. | 03-26-2009 |
20090089876 | APPARATUS SYSTEM AND METHOD FOR VALIDATING USERS BASED ON FUZZY LOGIC - An apparatus, system, and method are disclosed for validating users based on fuzzy logic. An interface with security questions is presented to a user who requires authentication. A typical scenario is authentication for password recovery. The interface comprises security questions for the user to answer. The security questions may be limited or unlimited response questions. The answers to the security questions are either scored using fuzzy logic, which may attribute a value between “1” and “0” based on similarity with the original, correct answer; or scored using digital logic. When fuzzy logic scoring is used, a similarity score is computed for each answer. The similarity score is compared against a similarity score threshold to either grant or deny access. An average similarity score is also computed for all answers and compared against an average similarity score threshold to either grant or deny access. | 04-02-2009 |
20090094695 | ACCOUNT ASSOCIATION GENERATION - Illustrative embodiments provide a computer implemented method, data processing system and computer program product for generating an association between a configuration item and an account. In one illustrative embodiment, the computer implemented method comprises selecting the configuration item requiring account association to create a selected configuration item, and selecting a set of rules for the selected configuration item to form a set of selected rules, wherein the selected set of rules is used to associate configuration items to accounts. Further the method determines whether a match is present between the set of selected rules and the selected configuration item, and responsive to determining that a match is present, obtains account mapping information for an account identified by the match, and associates the selected configuration item with the account using the account mapping information. | 04-09-2009 |
20090106834 | SYSTEMS AND METHODS FOR ENHANCING SECURITY BY SELECTIVELY OPENING A LISTENING PORT WHEN AN INCOMING CONNECTION IS EXPECTED - The present solution reduces the attack surface of a server by selectively opening a server port for listening when a client has been authenticated/authorized via another machine or process, and directed to connect to the server in question. When not selectively listening on a port, the server does not listen or open ports for connections or otherwise minimizes the number of open ports. By selectively listening for connections, the server reduces the opportunity for hackers to attack the server process, and improves the security of the server. The ability to selectively listen on a port at specific times may be combined with additional meta information—like ticketing and prior authentication information to help further secure the server. The meta information may identify and ensure that only the correct remote endpoint is allowed to connect via the port. Instead of first listening for connections and then authenticate and authorize the received connection as with typical servers, the present solution first authenticates/authorizes a connection via another machine or process, then listens for an expected and authorized connection. | 04-23-2009 |
20090106835 | METHOD AND APPARATUS FOR PROTECTING SENSITIVE INFORMATION ON A PUBLICLY ACCESSED DATA PROCESSING SYSTEM - The illustrative embodiments described herein provide a computer implemented method, apparatus, and computer program product protecting sensitive information on a data processing system. A determination is made as to whether a data processing system is publicly accessed. Responsive to determining that a data processing system is publicly accessed, the system identifies sensitive information. The data processing system monitors for the presence of sensitive information. Responsive to detecting the presence of the sensitive information, the system presents a warning to a user of the data processing system. | 04-23-2009 |
20090119772 | SECURE FILE ACCESS - In one method, the embodiments herein providing secure file access when a user opens an application and uses the application to make a request to open a data file on a secure file system. The method checks a trusted application list, by kernel extension, to determine if the application comprises a trusted application. The method also checks the user's permission to access the secure file system. The embodiments herein pass an “extended” permission to any applications that are trusted applications. Therefore, the methods herein control access to the secure file system based not only on the user's permission, but also on the “extended” permission, such that the kernel extension allows access to files. With embodiments herein, the trusted application performs the extended permission management. | 05-07-2009 |
20090119773 | APPARATUS AND METHODS OF CONFIGURABLE SYSTEM EVENT AND RESOURCE ARBITRATION MANAGEMENT - Methods, apparatus, and computer-readable media for management and arbitration of dedicated mobile communication resources for mobile applications are provided. Mobile applications can be given a priority level that establishes an importance with respect to one or more other mobile applications and at least one mobile resource. If competing applications attempt to access the mobile resource concurrently, access can be provided to an application having higher priority level. Furthermore, control of a resource can be taken away from an application having lower priority in order to affect control of such resource for a higher priority application. In one aspect, a privilege code of an application can be verified prior to establishing control of the resource for the application, to mitigate a likelihood of inappropriate transfer of resources. Accordingly, the subject disclosure provides for management of dedicated resources for a mobile processing environment to effect important device functions with minimum delay. | 05-07-2009 |
20090126011 | APPLICATION SECURITY MODEL - Performing security sensitive operations with an application security model. Security agnostic code is executed. The security agnostic code is identified as not having authorization to perform a security sensitive operation. Executing the security agnostic code includes calling code identified as security safe critical code. In response to the security agnostic code calling the security safe critical code, the security safe critical code is executed. The security safe critical code includes functionality for performing validity checks. Executing the security safe critical code includes performing an validity check for the security agnostic code. When the security agnostic code passes the validity check, code identified as security critical code is called. In response to the security safe critical code calling the security critical code, the security critical code is executed. The security critical code is authorized to perform the security sensitive operation. | 05-14-2009 |
20090138965 | SYSTEMS AND METHODS FOR PROVIDING ACCESS CONTROL AND ACCOUNTING INFORMATION FOR WEB SERVICES - A method for providing access control and accounting information for one or more services is described. A service request is received from a device. A service to execute the service request is selected. A determination is made whether the device is authorized to access the selected service. The accounting information associated with executing the service request using the selected service is calculated. | 05-28-2009 |
20090138966 | Advanced, self-balancing video multiplexer system - An advanced video multiplexer system designed and optimized for next generation on-demand video distribution is described. The system optimizes identifies a multi-program transport stream best able to accommodate new sessions based upon Quality of Service (QoS) and QAM utilization ratios. MPTS channels are rebalanced via re-grouping and transrating as necessary to optimize bandwidth utilization. Multiple video formats are supported via built-in transcoding. The multiplexer manages encryption resources and supports new sessions using previously allocated encryption resources where possible. Sessions can be grouped into encryption channels either by using a single authorization tier per channel policy, or by requiring all clients of the group to be in physically separated service groups. Encryption channels can be released when a channel no longer serves any clients or when one or more other channels that have been assigned the same entitlement can accommodate any remaining clients. | 05-28-2009 |
20090150995 | METHODS AND SYSTEMS FOR PROVIDING WEBSITE HOSTING SECURITY - A method for registering user identification data in an application service provider data repository is provided, where the application service provider provides web services for a plurality of customers, each customer having a plurality of users with respective user identification data. The method includes receiving user identification data from one of the users through a website associated with one of the plurality of customers, retrieving customer identification data based on a uniform resource locator assigned to the website, concatenating the user identification data and customer identification data to create a user key, and registering a user account within the data repository based on the created user key. | 06-11-2009 |
20090158425 | USER DEFINABLE POLICY FOR GRADUATED AUTHENTICATION BASED ON THE PARTIAL ORDERINGS OF PRINCIPALS - Apparatus, methods, and computer program products are disclosed that determine an actor context of an actor as well as an access environment for an attempted operation responsive to the actor context and a necessary condition. The method also evaluates whether the access environment satisfies the necessary condition and activates a principal responsive to the evaluation and authenticates the actor against the principal. | 06-18-2009 |
20090165124 | REDUCING CROSS-SITE SCRIPTING ATTACKS BY SEGREGATING HTTP RESOURCES BY SUBDOMAIN - An arrangement for reducing the occurrence of harmful cross-site scripting is provided by segregating on-line content or other resources so that they are accessible at different domains or subdomains, each of which corresponds to a set of users, called a “sharing set,” where each user in the set has identical access privileges to certain resources. The sharing set is provided with an identifier (which may or may not be unique), so that the identifier may be used as the name of the domain or subdomain for which any member of the sharing set is authorized to access the resources located there. In this way, script that is embedded with the content can only be executed among members of the sharing set. Users who are not members of the sharing set are unable to invoke cross site-scripting attacks that would allow them to gain access to data from sharing set members. | 06-25-2009 |
20090165125 | SYSTEM AND METHOD FOR CONTROLLING USER ACCESS TO A COMPUTING DEVICE - A system and method for controlling user access to a computing device (e.g. a mobile device). In some embodiments, access rights are provided to a user based on successfully verified authentication factors, even where the user is unable to provide all the authentication factors typically required for access to the computing device. In one broad aspect, one or more authentication factors are provided by a user, and are received and verified by a security module application residing and executing on the computing device. When less than all of the authentication factors that would typically be expected in authenticating a user for access to the computing device is received and successfully verified, a subset of the available access rights selected from a plurality of different pre-defined subsets of access rights is provided to the user. The specific access rights provided to the user are based on the successfully verified authentication factors. | 06-25-2009 |
20090165126 | Manufacturing control system - Methods and systems for a manufacturing control system include but are not limited to identifying at least one object data file configured to produce an object by a manufacturing machine; confirming that an authorization code is associated with the object data file, the authorization code configured to be received by the manufacturing machine, the manufacturing machine adapted to receive the authorization code; and enabling the manufacturing machine to interface with the object data file only if the authorization code meets one or more predetermined conditions. | 06-25-2009 |
20090165127 | Authorization rights for operational components - Various methods and systems include exemplary implementations for a security-activated operational component. Possible embodiments include but are not limited to obtaining access to an object data file configured to implement various functional operation regarding one or more objects; verifying validity of an authorization code associated with the object data file; and controlling operation of the operational component to enable or prevent its activation pursuant to the authorization code in accordance with one or more predetermined conditions. | 06-25-2009 |
20090165128 | Authentication of a Contributor of Online Content - Methods, computer program products and systems are described for online-content management. Online content from multiple contributors is received at one or more first computers for public online display. An authentication score is determined for a contributor of the multiple contributors. The contributor's name and a representation of the contributor's authentication score is published online for display on one or more second computers in association with the online content received from the contributor. | 06-25-2009 |
20090165129 | METHOD FOR DELEGATING PRIVILEGES TO A LOWER-LEVEL PRIVILEGE INSTANCE BY A HIGHER-LEVEL PRIVILEGE INSTANCE - A method for a higher-level privilege instance to delegate privileges to a lower-level privilege instance, through which the granting of privileges, P | 06-25-2009 |
20090165130 | CONTENTS TRANSMISSION METHOD AND CONTENTS TRANSMISSION SYSTEM - Mobile unit | 06-25-2009 |
20090187986 | AUTHENTICATION SERVER, AUTHENTICATION METHOD AND AUTHENTICATION PROGRAM - Upon receipt of a service use request from a client, an authentication server device reads one or more image information pieces from an image information storage storing multiple image information pieces each containing one or more known symbols, one or more dummy symbols, or both of them, and thereafter creates challenge data using the one or more read image information pieces so that one or more two-dimensional images each containing one or more of the known symbols and one or more two-dimensional images each containing one or more of the dummy symbols can be presented to the user of the client, one image at a time. Upon receipt of response data, the authentication server device judges whether or not the received response data matches the one or more known symbols contained in the challenge data, and approves the service use of the client device if the match is confirmed. | 07-23-2009 |
20090193520 | SYSTEM AND METHOD FOR PROVIDING REPUTATION RECIPROCITY WITH ANONYMOUS IDENTITIES - System and method for providing reciprocity in a reputation system are described. In one embodiment, the method comprises: responsive to receipt by a first entity of a Reputation Guarantee (“RG”) request from a second entity, creating a token in accordance with specifications set forth in the RG request and forwarding the token to the second entity, wherein the token may include reputation information developed using reputation forming information (“RFI”) of the second entity and policies concerning treatment of the RFI of the second entity; forwarding the token to a third entity by at least one of the first and second entities; responsive to the token received by the third entity not including the reputation information of the second entity: forwarding from the third entity to the first entity the token and an assertion request; and responsive to receipt of the token and the assertion request, forwarding by the first entity to the third entity an assertion including the reputation information in accordance with the policies concerning treatment of the RFI of the second entity. | 07-30-2009 |
20090205043 | INFORMATION PROCESSING SYSTEM, INFORMATION PROCESSING METHOD, AND COMPUTER READABLE MEDIUM - An information processing system includes: storage that stores electronic information in which an operation authority for each of a plurality of users is set in each of a plurality of defined work states; an acceptance unit that accepts an operation request for electronic information stored in the storage, and an operation execution unit that executes an operation for the electronic information of operation object in accordance with the operation authority based on a non-administrator authority of the user in the work state of the electronic information if the operation request based on an administrator authority by the user having the administrator authority and the non-administrator authority for the electronic information is accepted by the acceptance unit. | 08-13-2009 |
20090222914 | SECURITY MANAGEMENT METHOD AND APPARATUS, AND SECURITY MANAGEMENT PROGRAM - According to the present invention, a security management program which is recorded in a computer readable recording medium and is used to control access to target data in accordance with a security level of a device and an access right of a user, comprises a code of a user authentication step of setting the access right of the user with reference to a saved user authentication history when access to an authentication server cannot be made; and a code of a security level setting step of determining a security level of the device in accordance with a state of the device, and saving the determined security level. | 09-03-2009 |
20090222915 | System and Method for Securely Clearing Secret Data that Remain in a Computer System Memory - A system, method, and program product is provided that initializes a counter maintained in a nonvolatile memory of a security module to an initialization value. The security module receives requests for a secret from requesters. The security module releases the secret to the requesters and the released secrets are stored in memory areas allocated to the requesters. A counter is incremented when the secret is released. Requestors send notifications to the security module indicating that the requestor has removed the secret from the requestor's memory area. The security module decrements the counter each time a notification is received. When the computer system is rebooted, if the counter is not at the initialization value, the system memory is scrubbed erasing any secrets that remain in memory. | 09-03-2009 |
20090222916 | EMBEDDED PATCH MANAGEMENT - A method, system and apparatus is provided for embedded patch management. In one embodiment, a method is provided. The method includes receiving a call to a code module. The method further includes checking a guardian stack for indications of authorization. The guardian stack is separate from an execution stack. The method also includes passing the call to an internal code module. Moreover, the method includes executing the code module. | 09-03-2009 |
20090249479 | AUTHENTICATION MANAGEMENT METHODS AND MEDIA - A method for managing authentication includes receiving a request at a directory service for authentication from a first of a plurality of users operating a first of a plurality of products, wherein the directory service associates each of the plurality of users with a plurality of roles for each of the plurality of products. The method also includes authenticating the first user utilizing the directory service, wherein the directory service provides a first role associated with the first user and the first product in response to the request. | 10-01-2009 |
20090282474 | METHOD FOR SAFELY EXECUTING AN UNTRUSTED NATIVE CODE MODULE ON A COMPUTING DEVICE - A system that safely executes a native code module on a computing device. During operation, the system receives the native code module, which is comprised of untrusted native program code expressed using native instructions in the instruction set architecture associated with the computing device. The system then loads the native code module into a secure runtime environment, and proceeds to execute a set of instructions from the native code module in the secure runtime environment. The secure runtime environment enforces code integrity, control-flow integrity, and data integrity for the native code module. Furthermore, the secure runtime environment moderates which resources can be accessed by the native code module on the computing device and/or how these resources can be accessed. By executing the native code module in the secure runtime environment, the system facilitates achieving native code performance for untrusted program code without a significant risk of unwanted side effects. | 11-12-2009 |
20090282475 | Media Streams from Containers Processed by Hosted Code - Described is a technology by which code, such as an untrusted web application hosted in a browser, provides content through an interface for playback by an application environment, such as an application environment running in a browser plug-in. Content may be in the form of elementary video, audio and/or script streams. The content is in a container that is unpackaged by the application code, whereby the content may be packaged in any format that the application understands, and/or or come from any source from which the application can download the container. An application environment component such as a platform-level media element receives information from an application that informs the application environment that the application is to provide media stream data for playback. The application environment requests media stream data (e.g., samples) from the application, receives them as processed by the application, and provides the requested media stream data for playback. | 11-12-2009 |
20090293120 | ANTI-THEFT METHOD AND APPARATUS WITH WIRELESS TECHNOLOGIES - An anti-theft method to be executed in an active peer, comprising: (a) transmitting radio RF signals to a passive peer to detect whether one of the active peer and the passive peer as a monitored object is in the coverage area of the radio range of the other one of the active peer and the passive peer as a dock; (b) checking whether the monitored object is permitted to leave the dock when detecting that the monitored object is going to leave the area of the dock; (c) sending an alarm signal to an alarm apparatus if the monitored object is not permitted to leave the dock. | 11-26-2009 |
20090300758 | PROVISIONING SECRETS IN AN UNSECURED ENVIRONMENT - A method and apparatus for generating provisioning data to provision a device are described. A provisioning bundle is validated according to a relationship between a configuration and a bundle sequence number identifying the provisioning bundle. A provisioning request includes a device hardware identifier identifying the device. An authorization for the provisioning request is determined for generating provisioning data including the provisioning bundle personalized by the device hardware identifier for the device. | 12-03-2009 |
20090313693 | METHOD AND SYSTEM FOR GRAPHICAL PASSCODE SECURITY - A method and system for electronic access security uses touches and movements on a touch sensitive surface to determine graphical passcode that are used in a manner similar to passwords. Graphical passcodes comprise various combinations of swipes, taps or drags on a touchscreen surface as defined by a user. A user's selected graphical passcode is stored in memory for comparison to subsequent entries of graphical passcode in order to authenticate the users. An envelope may be generated to define a range of acceptable pressure, speed, coordinate positions or other parameters, as a function of time or position, required for passcode authentication. The envelope may be stored in a computer memory and is used to authenticate a user by determine whether an entered graphical passcode falls within the envelope. | 12-17-2009 |
20090313694 | GENERATING A CHALLENGE RESPONSE IMAGE INCLUDING A RECOGNIZABLE IMAGE - Provided are a method, system, and article of manufacture for generating a challenge response image including a recognizable image. A challenge image is generated including random elements and a recognizable image. The challenge image is transmitted to a recipient. Recipient input associated with the transmitted challenge image is received. A determination is made as to whether the received recipient input matches a descriptor associated with the recognizable image in the challenge image. Indication is made that the recipient correctly identified the recognizable image. | 12-17-2009 |
20090313695 | Methods and Systems for Checking Run-Time Integrity of Secure Code Cross-Reference to Related Applications - Methods and systems to guard against attacks designed to replace authenticated, secure code with non-authentic, unsecure code and using existing hardware resources in the CPU's memory management unit (MMU) are disclosed. In certain embodiments, permission entries indicating that pages in memory have been previously authenticated as secure are maintained in a translation lookaside buffer (TLB) and checked upon encountering an instruction residing at an external page. A TLB permission entry indicating permission is invalid causes on-demand authentication of the accessed page. Upon authentication, the permission entry in the TLB is updated to reflect that the page has been authenticated. As another example, in certain embodiments, a page of recently authenticated pages is maintained and checked upon encountering an instruction residing at an external page. | 12-17-2009 |
20090320127 | Approach for Printing Locked Print Data Using User and Print Data Authentication - An approach is provided for printing locked print data using user and print data authentication. The approach is applicable to a wide variety of contexts and implementations and includes the use of bi-directional security measures to ensure a secure transmission of a document to a printer and secure retrieval of the document from the printer by one or more intended recipients. In particular, the bi-directional security measures ensure that: 1) the document is received only by the intended recipient designated by the creator, 2) both the document's creator and the intended recipient are successfully authenticated, 3) the document received by the intended recipient is the document that was created by the creator, and 4) the document received by the intended recipient is identical to the document created by the creator. | 12-24-2009 |
20100005525 | Authorization method with hints to the authorization code - Authorizing a user for accessing a system, data, or a physical location is accomplished by receiving an authorization code from the user and determining whether the received code matches a valid authorization code. To relieve the user from the need of memorizing complex authorization codes, the authorizing party presents hints to a valid authorization code. The hints are presented concurrently with the user's entering of the authorization code. | 01-07-2010 |
20100005526 | INFORMATION PROCESSING APPARATUS AND METHOD - An information processing apparatus includes: a positional relation acquisition section that detects a person who is in a predetermined area around a display device and acquires a positional relation between the detected person and the display device; an authentication section that authenticates a person at an authentication position which is a position in the predetermined area; a control section that stores a correspondence between the positional relation and the state of displaying, associates, if a person is authenticated, the authenticated person, a person detected at the authentication position at the time of authentication, and a predetermined right of access, makes a determination as to whether or not the authenticated person has a right of access to the display information displayed, so as to change the correspondence according to the determination, and controls the state of displaying based on the correspondence and the positional relation. | 01-07-2010 |
20100017876 | ACCESS CONTROL AND ENTITLEMENT DETERMINATION FOR HIERARCHICALLY ORGANIZED CONTENT - Embodiments of the present invention address deficiencies of the art in respect to access control and provide a method, system and computer program product for access control and entitlement determination for hierarchically organized content. In an embodiment of the invention, a method for access control and entitlement determination for hierarchically organized content can be provided. The method can include selecting a node in hierarchically organized content, inferring entitlements for direct descendants of the selected node based upon expressly conferred permissive access rights amongst ancestors and descendants of the selected node and expressly conferred impermissive rights amongst descendants of the selected node. Finally, the method can include applying the inferred entitlements in a view to the hierarchically organized content. | 01-21-2010 |
20100031351 | Security-activated production device - Methods and systems for a security-activated production device include but are not limited to obtaining access to an object data file configured to produce one or more objects on the production device; verifying an authorization code associated with the object data file; and controlling operation of the production device to enable or prevent production of the one or more objects pursuant to the authorization code in accordance with one or more predetermined conditions. | 02-04-2010 |
20100031352 | System and Method for Enforcing Licenses During Push Install of Software to Target Computers in a Networked Computer Environment - Systems, methods, and computer-readable media for enforcing licenses during the push install of a software package in a networked environment via parsed serial numbers. | 02-04-2010 |
20100043070 | FILE-ACCESS CONTROL APPARATUS AND PROGRAM - In a file-access control system according to an embodiment of this invention, control data in accordance with actions made is imparted, as an obligation-type policy, to a document file. Next, a policy evaluation control unit evaluates and executes the obligation-type policy imparted to the document file in accordance with the action to the document file. The execution of the obligation-type policy includes the controlling of a document application on the basis of an obligation fulfillment action. Therefore, an active control can be performed in accordance with any manipulation made to the document, and the access to the document can be changed. | 02-18-2010 |
20100050252 | ROLE NAVIGATION DESIGNER AND VERIFIER - Systems and methods are provide for providing role navigation design and verification. An embodiment includes displaying user interface having at least one secured element, identifying a first privilege needed for access the secured element, and associating the privilege with a role, whereby a user having the role may access the at least one secured element. | 02-25-2010 |
20100050253 | SYSTEM AND METHOD FOR REAL WORLD BIOMETRIC ANALYTICS THROUGH THE USE OF A MULTIMODAL BIOMETRIC ANALYTIC WALLET - A system and method for real world biometric analytics through the use of a multimodal analytic wallet. The system includes a biometric wallet comprising a pervasive repository for storing biometric data, the pervasive repository including at least one of a biometric layer, a genomic layer, a health layer, a privacy layer, and a processing layer. The biometric wallet further comprises a biometric analytic interface configured to communicate the biometric data to one or more devices. | 02-25-2010 |
20100050254 | ASSOCIATING OPERATING SYSTEM NATIVE AUTHORIZATIONS WITH CONSOLE ROLES - Disclosed is a computer implemented method and apparatus to provide authorizations to an administrative user. An integrated solutions console (ISC) receives an administrative user login corresponding to a console administrative user. The ISC presents a list of at least one management task. The ISC presents at least one input interface to a display for an administrative user name and at least one console role. The ISC receives an administrative user name and a console role. The ISC obtains an authorization descriptor that can be used to couple the administrative user name and the console role. | 02-25-2010 |
20100058464 | Implementing a Process-Based Protection System in a User-Based Protection Environment in a Computing Device - A computing device having a security model based on user permissions is provided with an ability to emulate a security model based on process capabilities by providing each executable program on the device with a separate user identity. | 03-04-2010 |
20100058465 | SECURE VIRTUAL TAPE MANAGEMENT SYSTEM WITH EARLY READ SUPPORT OPTIONS - A secure virtual tape management system with early read support options. The system includes at least two mainframe hosts having a catalog storing tape related information. A primary virtual tape emulation system includes an adaptor and includes software for facilitating remote configuration and utilization of the virtual tape management. A virtual tape system catalog storing tape related information is attached to the virtual tape management. Remote data storage devices may be in communication with the virtual tape management central processing unit. Software resident on the catalog monitors tape related information on the primary virtual tape emulation system for criteria matching a virtual tape to be made available to a secondary host and initiates immediate transfer of that data allowing it to be read in a paced manner by the secondary host before the primary host has completed its series of tape writes. | 03-04-2010 |
20100058466 | SYSTEMS AND METHODS FOR PROVIDING SECURITY FOR SOFTWARE APPLICATIONS - The described embodiments relate generally to methods and systems for providing computer security. In one embodiment, a security system is provided for use with a core application configured to interact with at least one add-in module, and the add-in module being configured to provide at least one privilege. The security system includes a privilege registry configured to identify the at least one privilege and its corresponding add-in module and a privilege assignments table identifying a privilege assignment type for the at least one privilege and corresponding to at least one assignee. | 03-04-2010 |
20100064364 | Method for Creating Multiple Virtualized Operating System Environments - A method of processing multiple workload using virtualized operating system environments. The creation of a new user in a global operating system may automatically cause the creation of a working partition (WPAR) instance. The user will be associated with the WPAR instance and a virtualized operating system environment will be created from the global operating system within the WPAR instance. Within the WPAR instance, the user may be assigned a root identification which enables the user to have root access privileges to perform operations or processes that may only be performed by a root user. The removal of a user from the system also results in the deletion of the associated WPAR. | 03-11-2010 |
20100064365 | METHOD FOR PASSWORD BASED AUTHENTICATION TRUST GENERATION AND AUTHORIZATION THEREOF - A method and system is provided to authorize a user to access in a service of higher trust level. The method includes the steps of defining first password, assigning a second password to a user, generating a value for each constituent of second password on operating an exclusivity relationship, calculating the score for the second password on summing the generating value, combining trust levels of multiple users to attain a higher trust level in aggregate, and obtaining access in a service if the aggregated trust level of users are equal to or more than the predetermined trust level of the service. The present technique provides flexibility of authenticating and authorizing a user to access in a service to perform desirable functions thereon. The present technique eliminates the requirement of tokens, pins, dongles etc while attaining a higher trust level to perform a task which belongs to a higher trust level. | 03-11-2010 |
20100077475 | PARTIAL INSTALLATION BASED ON AVAILABLE PRIVILEGES - Component identifications in a package identify components to be installed and/or components to be uninstalled. Each component has one or more install-uninstall-privilege requirements, namely, credentials that must be available to an installer-uninstaller in order to install-uninstall that component. Individual components and component sets are installed and/or uninstalled based on the privilege requirement(s) and the privilege(s) available to a current user of a target system. If required privilege(s) are not available, notice is given and additional privileges are requested. A user may receive partial functionality from a partially completed installation, and additional components may be installed later as more privileges become available. | 03-25-2010 |
20100083373 | METHODS AND APPARATUS FOR DETERMINING USER AUTHORIZATION FROM MOTION OF A GESTURE-BASED CONTROL UNIT - Methods and apparatus for determining user authorization from motion of a gesture-based control unit are disclosed. An example method to determine user authorization from motion of a gesture-based control unit disclosed herein comprises detecting motion of the gesture-based control unit, the motion caused by a user, determining a detected gesture from a sequence of one or more detected motions of the gesture-based control unit, and identifying the user from the detected gesture to determine an authorization for use by the gesture-based control unit. | 04-01-2010 |
20100083374 | TECHNIQUES TO MANAGE ACCESS TO ORGANIZATIONAL INFORMATION OF AN ENTITY - Techniques to manage access to organization information for an entity are described. An apparatus may include a presentation component operative to present an organizational chart on a presentation surface. The organizational chart may comprise multiple nodes associated with members of an organization, and connections between the nodes representing hierarchical relationships between the nodes. A security component may be communicatively coupled to the presentation component. The security component may be operative to receive a request to modify a characteristic of the organizational chart from an operator, access security settings for the operator, and authorize the operator to modify a characteristic of the organizational chart. Authorization may be granted, for example, when the operator is a delegate and a permission level for the delegate allows a modification operation associated with the modify request. Other embodiments are described and claimed. | 04-01-2010 |
20100088759 | DEVICE-SIDE INLINE PATTERN MATCHING AND POLICY ENFORCEMENT - Inline pattern matching and policy enforcement may be implemented by a memory storage device. In an example embodiment, a device-implemented method includes acts of receiving, intercepting, and performing and conditional acts of invoking or permitting. A request from a host to perform a memory access operation is received at a memory storage device. Data flowing between an I/O channel and physical storage of the memory storage device is intercepted. A pattern matching procedure is performed on the data with reference to multiple target patterns in real-time while the data is being intercepted. If a pattern match is detected between the data and a target pattern, a policy enforcement mechanism is invoked. If a pattern match is not detected between the data and the multiple target patterns, the request from the host to perform the memory access operation is permitted. | 04-08-2010 |
20100088760 | DEBUG SECURITY LOGIC - A system comprises debug logic usable to debug the system. The system also comprises processing logic capable of accessing the debug module using electronic signals. The system further comprises security logic configured to prevent the processing logic from accessing the debug logic unless the security logic is provided with a passkey that matches another passkey stored in the system. | 04-08-2010 |
20100095373 | System, Method and Program for Controlling Access Rights - A system for controlling access rights of artifacts having computer operated functions of a computer program includes an access control database which has policies that control access by a party to the artifacts in an application development environment. The system includes an access control environment having the artifacts. The system includes an access policy controller in communication with the access control database and the application development environment which implements the policies and controls access by the party to the artifacts being controlled. A computer program embodied on a computer readable medium for controlling access rights of a party during composition, design and execution includes a plurality of artifacts. At least a first of the plurality of artifacts having a part being modifiable by the party and operative with all other artifacts of the plurality of artifacts after being modified. A method for controlling access rights of artifacts having computer operated functions of a computer program includes the steps of requesting by a party a request to access to the artifacts in an application development environment. There is the step of controlling access by the party to the artifacts in the application development environment with policies in an access control database by implementing the policies with an access policy controller in communication with the access control database and the application development environment. An apparatus for controlling access rights of artifacts having computer operated functions of a computer program. | 04-15-2010 |
20100107243 | PERMISSIONS CHECKING FOR DATA PROCESSING INSTRUCTIONS - A data processing system having a processor and a target device processes decorated instructions (i.e. an instruction having a decoration value). A device of the data processing system such as the processor sends transactions to the target device over a system interconnect. The transactions include an indication of an instruction operation, an address associated with the instruction operation, a decoration value (i.e. a command to the target device to perform a function in addition to a primary function of the executed instruction), and access permissions associated with the address. The target device (e.g. a memory with functionality in addition to storage functionality) determines whether a decoration operation specified by the decoration value is permissible based on the received access permissions. The target device performs the decoration operation if appropriate permissions exist. | 04-29-2010 |
20100122341 | AUTHENTICATING USERS WITH MEMORABLE PERSONAL QUESTIONS - One embodiment provides a system that verifies a user's identity. The system generates a list including a plurality of items and formulates a substantially large set of security questions base on the plurality of items. The number of questions in the set is significantly larger than a subset of security questions presented to the user to reduce the likelihood of the same questions being asked repeatedly. During account creation, the system presents to the user the subset of questions, and receives and stores a response from the user. At least one question in the subset is selected based on user information that is automatically extracted from devices associated with the user. Subsequently, the system receives a request to reset the user's password and presents the subset of questions to the requester. The system determines whether the requester is the user by comparing the requester's response with the stored user response. | 05-13-2010 |
20100146620 | Centralized Device Virtualization Layer For Heterogeneous Processing Units - A method for providing an operating system access to devices, including enumerating hardware devices and virtualized devices, where resources associated with a first hardware device are divided into guest physical resources creating a software virtualized device, and multiple instances of resources associated with a second hardware device are advertised thereby creating a hardware virtualized device. First and second permission lists are generated that specify which operating systems are permitted to access the software virtualized device and the hardware virtualized device, respectively. First and second sets of virtual address maps are generated, where each set maps an address space associated with either the software virtualized device or the hardware virtualized device into an address space associated with each operating system included in the corresponding permission list. The method further includes arbitrating access requests from each of the plurality of operating systems based on the permission lists and the virtual address maps. | 06-10-2010 |
20100154054 | Clustered File System for Mix of Trusted and Untrusted Nodes - A cluster of computer system nodes share direct read/write access to storage devices via a storage area network using a cluster filesystem. At least one trusted metadata server assigns a mandatory access control label as an extended attribute of each filesystem object regardless of whether required by a client node accessing the filesystem object. The mandatory access control label indicates the sensitivity and integrity of the filesystem object and is used by the trusted metadata server(s) to control access to the filesystem object by all client nodes. | 06-17-2010 |
20100162389 | PROVIDING PERMISSION TO PERFORM ACTION ON AN ELECTRONIC TICKET - Described are methods and systems related to providing permission to a user to perform an action on a workflow driven ticket. The ticket is accessed to determine an action type to be performed on the ticket and a correlated object associated therewith. A role based permission tuple is determined based upon a role of the user. A ticket based permission tuple is determined by generating a universal permission tuple based upon the action type and generating a dependency map based upon the correlated object. The dependency map is mapped to the universal permission tuple to construct the ticket based permission tuple. The role based permission tuple is supplemented with the ticket based permission tuple, to provide the required permission to execute the action. Upon an execution of the action, the permission is partially revoked, by removing the ticket based permission tuple. | 06-24-2010 |
20100169966 | Resource description framework security - Systems, methods, and other embodiments associated with resource description framework (RDF) security are described. One example method includes generating, based on sensitivity labels associated with the contents of a triple in an RDF record, a sensitivity label. The example method may also include comparing the sensitivity label to an access label associated with an entity requesting an action associated with the record to be performed. The example method may also include performing the action upon determining that the entity has sufficient permission to request the action. | 07-01-2010 |
20100180339 | SECURITY TOKEN AND SYSTEM AND METHOD FOR GENERATING AND DECODING THE SECURITY TOKEN - The present invention provides a system and method for encoding and decoding security labels utilisable in a computing system. The method for encoding includes, in part, ascribing an integer value to each one of a set of characteristics. Thereafter, to encode a particular security label, the integer values for each of the set of characteristics that describe the label are combined to arrive at a single integer value. | 07-15-2010 |
20100186085 | Method and System to Support Dynamic Rights and Resources Sharing - The invention relates to method for deriving a sub-right from a right, the right comprising a plurality of components, each of which specifies an aspect of the right. A component may be, for example, a principal, an action, a resource, and a condition. The invention also relates to a method for integrating a first right with a second right. Furthermore, the invention relates to a method of sharing rights by deriving a sub-right from a right, allowing use of the sub-right, and integrating the sub-right with the right. In addition, the invention relates to a system to support rights sharing by enabling the derivation of a sub-right from a right, the right comprising plural components each of which specifies an aspect of the right, the system comprising a receiving module for receiving a sub-right, the sub-right comprising plural components each of which specifies an aspect of the sub-right, and a confirmation module for confirming that the values of the components of the sub-right can be derived from the values of the corresponding components of the right. The invention further relates to a method for deriving a sub-right from a pool of rights granted by a grantor to a grantee for controlling use of resources within a computing environment, the computing environment having a mechanism for enforcing rights within the environment to control use of resources in accordance with the rights. | 07-22-2010 |
20100235907 | Authorization Caching In A Multithreaded Object Server - Systems and methods are included for accessing resource objects in a multi-threaded environment. A request is received from a requester to perform an operation with respect to a resource object, where the requested resource object has multiple associations with other objects. A determination as to whether an authorization cache entry corresponding to the requested resource object contains sufficient permission data for granting or denying the request for access to the requested resource object is made. A grant or deny of access to the requested resource object is returned when the authorization cache entry corresponding to the requested resource object contains sufficient permission data. | 09-16-2010 |
20100275260 | Deterministic Serialization of Access to Shared Resource in a Multi-Processor System for code Instructions Accessing Resources in a Non-Deterministic Order - Managing access to resources shared among multiple processes within a computer system. Multiple program instances of an application are almost simultaneously executed on multiple processors for fault tolerance. The replication solution supports the recording and subsequent replay of reservation events granting the shared resources exclusive access rights to the processes, when one program code instruction may request access to a set of shared resources in a non-deterministic order. | 10-28-2010 |
20100287611 | SYSTEM AND METHOD FOR MANAGING CAPTURED CONTENT - Provided are apparatuses and methods in a mobile communication and content capturing device for controlling ownership and use of captured content. A mobile device capturing content of a user of a target device may automatically request authorization to use and own the captured content from the target device and user. The mobile device may detect the target device by comparing metadata associated with the captured content with device information of a target device. Alternatively, the capture device may communicate with a server to facilitate the authorization request process. The capture device may further establish a piconet with one or more intermediate wireless devices to detect and request authorization from a target device outside of the capture device's wireless range. Tokens may further be implemented to reduce transmission and processing times of various communication information including authorization requests and content files. | 11-11-2010 |
20100287612 | Method for resource and admission control - The present invention discloses a method for resource and admission control, which relates to the communication field. The method of the present invention includes the following steps: during the process of the service authorization of resource and admission control in the PULL mode, the policy decision function entity (PD-FE) performs the QoS resource authorization for the service request, then informs the authorization information of the authorized service flow to the Policy Execute Function Entity (PE-FE); after the PE-FE receives the authorization information, the association relationship between the PD-FE and the authorization information of the authorized service flow is established; during the process of resource reservation of the authorized service flow initiated by the Customer Premises Equipment (CPE), the PE-FE selects the PD-FE according to the above mentioned corresponding relationship, and interacts with the PD-FE. The method of the present invention enables PE-FE or TRC-FE to select to implement the process of resource reservation request for the is PD-FE authorized by the service flow that initiates the resource reservation request, after receiving the resource reservation request of the service flow. | 11-11-2010 |
20100299751 | MICROCOMPUTER HAVING A PROTECTION FUNCTION IN A REGISTER - A control unit controls execution of an instruction according to a decode result of an instruction code. A GRA register stores an access attribute for each of the plurality of general-purpose registers. A mode storage unit stores modes for controlling an operation of a CPU. When the control unit makes a request for access to the general-purpose register, register access allowance determining circuit determines whether the access to the general-purpose register in question is to be allowed or not, depending on the access attribute stored in the GRA register and the mode stored in the mode storage unit. Therefore, the number of the general-purpose registers used corresponding to the mode can be changed, and efficiency of use of the general-purpose registers can be optimized. | 11-25-2010 |
20100306843 | IMAGE FORMING APPARATUS AND COMPUTER-READABLE STORAGE MEDIUM FOR COMPUTER PROGRAM - An image forming apparatus includes a first authentication portion performing a first authentication process on a user, a second authentication portion that performs a second authentication process on the user successfully authenticated by the first authentication portion, and thereby determines whether or not the user is permitted to log onto the apparatus, and a cooperative setting portion performing setting therethrough, on a user-by-user basis, whether or not the first authentication process and the second authentication process are performed in combination with each other. If the user for whom setting is performed such that the first authentication process and the second authentication process are performed in combination with each other is successfully authenticated by the first authentication portion, then the second authentication portion determines that the user is to be permitted to log onto the apparatus based on the associated information and ends the second authentication process. | 12-02-2010 |
20100319067 | Method and System for Managing Object Level Security Using an Object Definition Hierarchy - In one embodiment the present invention includes a computer-implemented method comprising receiving a request from a user to perform an action on a first object in a software application, accessing a predefined hierarchy of a plurality of different object definitions, accessing user authorization data, and granting the user permission to perform the action on said first object, wherein the permission is determined from the predefined hierarchy and the user authorization data, wherein determining the permission includes traversing the predefined hierarchy. | 12-16-2010 |
20100319068 | METHOD AND SYSTEM FOR PERFORMING DELEGATION OF RESOURCES - A method for performing delegation of resources, in particular services, wherein a user—resource owner—has access to a resource offered by a service provider and wherein the resource is delegated to at least one other user—delegate—by using delegation credentials, is characterized in that the method includes the steps of defining authorization rules for the delegate regarding resource access restrictions and registering the authorization rules at an identity provider thereby employing the delegation credentials, performing an authentication of the delegate at the service provider, and performing an authorization of the delegate at the identity provider based on the authorization rules. Furthermore, a corresponding system is disclosed. | 12-16-2010 |
20100325724 | SCOPE MODEL FOR ROLE-BASED ACCESS CONTROL ADMINISTRATION - Architecture that provides centrally located role-based administration where role assignments that are used to calculate scopes for each operation and create a filtered request that only returns objects that the user is allowed to manage. No access checks are needed. The architecture addresses the proliferation of scope definitions by at least creating a set of relative scopes such as that can generically apply to multiple users at once. More specifically, self-relative scopes and absolute scopes are provided. | 12-23-2010 |
20100325725 | COMPUTER READABLE MEDIUM, METHOD FOR CONTROLLING EXECUTION OF PROCESSING, AND INFORMATION PROCESSING APPARATUS - A computer readable medium storing program causing a computer to execute a process for controlling execution of a processing, the process includes receiving, outputting, and executing. The receiving step receives a first request indicating an execution request of the processing from a user. The outputting step outputs processing correspondence information corresponding to the processing to recording medium when an execution result of the processing at the time of receiving the first request from user to which a first authority is given and a second authority is not given differs from an execution result of the processing at the time of receiving the first request from a user to which the second authority is given in case that the first request is sent from user to which both of the first authority and the second authority are given. | 12-23-2010 |
20110004934 | Computer Access Educational Tools System - Computers are currently often used for entertainment when they have been primarily provided to the user—often a child—primarily for education or work use. This invention aims to build in a gateway that makes access to the computer conditional upon passing a test or demonstrating completion of prior tasks such as homework or assignments. | 01-06-2011 |
20110035799 | METHOD AND SYSTEM FOR CHILD AUTHENTICATION - Methods and systems for child authentication are described. In one embodiment, a communication enablement request may be received to enable electronic communications between a first child and a second child. A confirmation acceptance code may be electronically generated. The confirmation acceptance code may be associated with the first child and the second child. The confirmation acceptance code may be received from a parental representative of the second child. The electronic communication may be enabled between the first child and the second child based on the receiving of the confirmation acceptance code from the parental representative of the second child. Additional methods and systems are disclosed. | 02-10-2011 |
20110055918 | ACCESS CONTROL MODEL OF FUNCTION PRIVILEGES FOR ENTERPRISE-WIDE APPLICATIONS - Techniques are provided for access control in a system. A request is received for checking whether a subject has a privilege for a resource. A security class that defines a plurality of privileges that include the requested privilege is determined. One or more access control lists have been configured for the security class. The one or more access control lists comprise one or more access control entries. Each of the one more access control entry defines whether one or more subjects has been granted or denied to zero, one or more of the plurality of privileges defined in the security class. Based on the access control lists configured for the security class, it is determined whether the subject should be granted the privilege for the requested resource. | 03-03-2011 |
20110055919 | System and Method for the Designation of Items in a Virtual Universe - The present invention enables items in a Virtual Universe to be tagged as available for pickup by one or more designated users. The present invention permits a designated user to be alerted that there is an item designated for that user/avatar and available for pick-up at a location in the Virtual Universe. A user may designate another user (or user's avatar), for example, a minor for whom the designating user has responsibility, as an “item” to be tracked. For privacy and other reasons, this and other features may be implemented on an opt-in basis. | 03-03-2011 |
20110061101 | COMPUTER SYSTEM AND METHOD OF CONTROLLING THE SAME - A computer system including that restricts access of an unauthorized. The computer system preferably includes: a system unit; an identification information storage unit storing user identification information about a user of the computer system; a communication unit communicating with a service server storing user authentication information about the user of the computer system; and a controller receiving the user authentication information corresponding to the user identification information through the communication unit and controlling the system unit to perform a selective operation on the basis of the user authentication information. | 03-10-2011 |
20110061102 | License management server, license management method, and computer program product - A license management server connected to an MFP includes an activating unit that, upon receiving an application activation request from the MFP, accesses a license management DB, and, when the number of licenses associated with a product key of the application in the license management DB is one or greater, grants a license for the application to the MFP and cancels the license for the application granted to the MFP upon receiving a deactivation request, and a license managing unit | 03-10-2011 |
20110061103 | Domain Isolation Through Virtual Network Machines - A method and device for communicating information resources between subscriber end stations and nodes belonging to different network domains is described. The device instantiates different virtual network machines for different network domains using separate independently administrable network databases. Each of the administrable chores of the separate independently administrable network databases includes the assignment of access control and the configuration of the policies for those network databases. The policies include traffic filtering policies to indicate what kind of information payloads can be carried, traffic and route filtering policies to indicate what paths through the network will be used for each payload carried. Each of the network domains includes one of the different virtual network machines and each of the different network domains is virtually isolated from other network domains. | 03-10-2011 |
20110067098 | FACIAL RECOGNITION FOR DOCUMENT AND APPLICATION DATA ACCESS CONTROL - A presentation system including a computing device, a display device coupled to the computing device and an image capture device that obtains an image containing facial images of at least two individuals capable of viewing the display device, the at least two individuals including a primary user and at least one secondary user, is provided. The system also includes a recognition apparatus operably coupled to the computing device and including a permission engine, the permission engine applying a policy to a protected information element displayed on the display screen, the policy causing one or more actions to be taken based on the identify of the primary and one or more of the secondary users. | 03-17-2011 |
20110067099 | Multifunction Multimedia Device - A method for interpreting messages, user-defined alert conditions, voice commands and performing an action in response is described. A method for annotating media content is described. A method for presenting additional content associated with media content identified based on a fingerprint is described. A method for identifying that an advertisement portion of media content is being played based on a fingerprint derived from the media content is described. A method of one media device recording particular media content automatically in response to another media device recording the particular media content is described. A method of concurrently playing media content on multiple devices is described. A method of publishing information associated with recording of media content is described. A method of deriving fingerprints by media devices that meet an idleness criteria is described. A method of loading, modifying, and displaying a high definition frame from a frame buffer is described. A method of recording or playing media content identified based on fingerprints is described. | 03-17-2011 |
20110067100 | JOB PROCESSING SYSTEM AND IMAGE PROCESSING APPARATUS - A multi function periphery includes a plurality of the modules (a scan control section | 03-17-2011 |
20110072512 | APPARATUS AND METHOD FOR PROVIDING COMMUNICATION SERVICE USING COMMON AUTHENTICATION - In an environment including a first service providing system and a second service providing system, the first service providing system forwards common authentication information received from a terminal to the second service providing system to perform authentication when the terminal that is located in a service provision area of the first service providing system and has requested connection is a visiting user. The first service providing system makes a connection request to the second service providing system based on the authentication result that is provided from the second service providing system based on the common authentication information. The second service providing system provides the communication service to the terminal by using the resources of the first service providing system. | 03-24-2011 |
20110072513 | PROVISIONAL ADMINISTRATOR PRIVILEGES - A system grants “provisional privileges” to a user request for the purpose of provisionally performing a requested transaction. If the provisionally-performed transaction does not put the system in a degraded state, the transaction is authorized despite the user request having inadequate privileges originally. | 03-24-2011 |
20110083178 | CONTROLLING ACTIVATION OF AN APPLICATION PROGRAM IN AN AUDIO SIGNAL PROCESSING SYSTEM - User operates a selection switch to instruct temporary activation of an application. For the application of which the temporary activation has been instructed, a CPU of a console allocates resources necessary for signal processing by a DSP of an engine and for a parameter editing function of the console. In the DSP, a bypass parameter is set to ON. Thus, there is provided a state capable of accepting various parameter setting operation related to the application, but the signal processing based on the application program is prevented from being started in a substantive manner. In response to a full activation instruction of an application via a full activation instruction switch, the bypass parameter is set to OFF, so that audio signal processing based on the application can be started. In this way, preparatory work for setting parameters related to the application can be performed efficiently. | 04-07-2011 |
20110088091 | METHODS AND APPARATUS TO MAINTAIN VALIDITY OF SHARED INFORMATION - Example methods and apparatus to maintain validity of shared information are disclosed. A disclosed example method involves receiving a communication requesting an extensible markup language (XML) document from an XML document management client associated with a principal. In addition, the example method involves generating a subset of the XML document for the principal such that validity of the subset is ensured by including all document parts required according to an XML schema despite the principal having access rights to only certain parts of the XML document but not other parts. The other parts are included in the subset without values. | 04-14-2011 |
20110093950 | PROGRAM-BASED AUTHORIZATION - Techniques which allow definition and enforcement of program-based action authorization policies. On a computer, an action or execution attempt is intercepted in real-time. The subject process, the program file of the subject process, the attempted action and the object of the attempted action are determined. An authorization policy considering the program file indicates whether the attempted action is authorized or not. In a tracking mode, the attempted action and its authorization are logged and the attempted action is allowed to proceed. In an enforcement mode, unauthorized attempts are blocked and logged, thereby enforcing the authorization policy. | 04-21-2011 |
20110099627 | COMPUTING PLATFORM - The present application describes a computing platform incorporating a trusted entity and storing, in non-volatile memory, one or more indicators, which indicate a current update status of an executable program code, and one or more expected values associated with measurement of the program code, the trusted entity being programmed to update the one or more indicators, by reference to the expected values, in response to a measured change in a current update status of the program code. | 04-28-2011 |
20110113488 | ACCESS TO USER INFORMATION - A method may include storing user information associated with a first user, where the user information includes at least two of location information, presence information, address book information or calendar information. The method may also include storing access control information identifying criteria for allowing parties to access the user information and receiving, from a first party, a request for access to at least a first portion of the user information. The method may further include determining, based on the access control information, whether the first party is authorized to access the first portion of the user information and providing access to the first portion of the user information, when it is determined that the first party is authorized to access the first portion of the user information. | 05-12-2011 |
20110126281 | Controlling Resource Access Based on Resource Properties - Described is a technology by which access to a resource is determined by evaluating a resource label of the resource against a user claim of an access request, according to policy decoupled from the resource. The resource may be a file, and the resource label may be obtained by classifying the file into classification properties, such that a change to the file may change its resource label, thereby changing which users have access to the file. The resource label-based access evaluation may be logically combined with a conventional ACL-based access evaluation to determine whether to grant or deny access to the resource. | 05-26-2011 |
20110126282 | System, Method and Apparatus for Simultaneous Definition and Enforcement of Access-control and Integrity Policies - Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions. | 05-26-2011 |
20110138460 | SYSTEM AND METHOD FOR LOADING APPLICATION CLASSES - In an application, variants of a class may be generated and associated with different security permissions for the application. When a class is to be loaded, a determination is made as to the application's security permissions, e.g. by decoding a security token. The class is then retrieved from a repository that stores class variants matching the required security level. The retrieved class variant, which may have a full or a reduced functionality as appropriate for the security permission may then by loaded. | 06-09-2011 |
20110138461 | EXECUTION ENVIRONMENT FILE INVENTORY - A method is described to maintain (including generate) an inventory of a system of a plurality of containers accessible by a computer system. At least one container is considered to determine whether the container is executable in at least one of a plurality of execution environments characterizing the computer system. Each execution environment is in the group comprising a native binary execution environment configured to execute native machine language instructions and a non-native execution environment configured to execute at least one program to process non-native machine language instructions to yield native machine language instructions. The inventory is maintained based on a result of the considering step. The inventory may be used to exercise control over what executables are allowed to execute on the computer system. | 06-09-2011 |
20110173695 | System and Methods for Secure Transaction Management and Electronic Rights Protection - The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node. These techniques may be used to support an all-electronic information distribution, for example, utilizing the “electronic highway.” | 07-14-2011 |
20110191846 | IMAGE PROCESSING DEVICE CAPABLE OF SWITCHING CONTROL MODES - An image processing device includes a processing unit that performs processing on image data, an obtaining unit that obtains a number of users, and a control unit that executes a job by controlling the processing unit to perform the processing in one of control modes. The control unit switches between the control modes based on the number of users. | 08-04-2011 |
20110209213 | AUTHORIZATION LOGIC IN MEMORY CONSTRAINED SECURITY DEVICE - Architecture that utilizes logical combinations (e.g., of Boolean logic) of authorizations as a logical authorization expression that is computed through a proofing process to a single proof value which equates to authorizing access to an intended entity. The authorizations are accumulated and processed incrementally according to an evaluation order defined in the authorization expression. The logical combinations can include Boolean operations that evaluate to a proof value associated with a sum of products expression (e.g., combinations of AND, OR, etc.). The incremental evaluations output corresponding hash values as statistically unique identifiers used in a secure hash algorithm that when evaluated in order allow execution of a specific command to access the entity. The architecture, employed in a trust module, uses minimal internal trust module state, and can be employed as part of a device system that handles trust processing to obtain authorization to access the intended entity. | 08-25-2011 |
20110209214 | METHOD AND SYSTEM FOR PROVIDING RECORDING DEVICE PRIVILEGES THROUGH BIOMETRIC ASSESSMENT - A method and system for providing recording device privileges through biometric assessment are disclosed herein. An embodiment of the method includes monitoring information associated with a recording device. The information includes a recording device location, dynamic biometric data, knowledge data, and recording device identification data. From the monitored information, an identity of a then-current user of the recording device is determined. An authorization level for the then-current user is determined, and recording device access privileges are dynamically adjusted based on the determined authorization level. | 08-25-2011 |
20110231930 | INCORPORATING VISUAL ASPECTS TO IDENTIFY PERMISSIONS AND SECURITY LEVELS IN AGGREGATED CONTENT - In one embodiment, a method includes identifying content associated with a composition and at least one authorization associated with a user. The content is a subject of a request for access associated with the user, and is an aggregate of a plurality of sections. The plurality of sections includes a first section with a first authorization level and a second section with a second authorization level that is higher than the first authorization level. The method also includes determining if at least one authorization indicates that the user may access the first section and determining if at least one authorization indicates that the user may access the second section. The first section is portrayed to the user if it is determined that the user may access the first section, and the second section is portrayed to the user if it is determined that the user may access the second section. | 09-22-2011 |
20110239293 | AUDITING ACCESS TO DATA BASED ON RESOURCE PROPERTIES - Described is a technology, such as implemented in an operating system security system, by which a resource's metadata (e.g., including data properties) is evaluated against an audit rule or audit rules associated with that resource (e.g., object). The audit rule may be associated with all such resources corresponding to a resource manager, and/or by a resource-specific audit rule. When a resource is accessed, each audit rule is processed against the metadata to determine whether to generate an audit event for that rule. The audit rule may be in the form of one or more conditional expressions. Audit events may be maintained and queried to obtain audit information for various usage scenarios. | 09-29-2011 |
20110258698 | Tailored System Management Interface - Processes and techniques for tailoring operations management in a system are described. The processes and techniques allow a user to customize operations management based on the user's function within a system and the particular tasks that the user wishes to accomplish. Simplified user interfaces can be created by scoping the interfaces based on user profiles, preferences and system components. | 10-20-2011 |
20110296523 | ACCESS CONTROL MANAGEMENT MAPPING RESOURCE/ACTION PAIRS TO PRINCIPALS - The access control management technique described herein manages access control to one or more resources. Rather than mapping individuals or groups to permissions, the technique maps each permission (the right to perform an action on a resource) to the list of authorized principals (the users and groups authorized to perform the action on the resource). These lists are written in text form just as one would write the list of recipients (individuals and groups) of an email composition window. The technique also provides various operations to allow a user to manage the list of authorized principals and the authorizations assigned to a principal to access the resource/action pair. | 12-01-2011 |
20110302650 | INITIATION OF STORAGE DEVICE SCANS - Example embodiments relate to initiation of storage device scans based on a record of existing scans of the storage device. In particular, example embodiments include a mechanism that maintains a record of existing scans of the storage device including an entry for each scan initiated by one of a plurality of scanning processes. In some embodiments, the record of existing scans may then be accessed in determining whether to initiate or permit initiation of a new scan. | 12-08-2011 |
20110314540 | PREVENTING ABUSE OF SERVICES THROUGH INFRASTRUCTURE INCOMPATIBILITY - Spammers, and other abusers of web services, may be deterred in their attempts to sign up for these services at large scale by making changes to the service registration procedure, where the changes are designed to break the spammer's infrastructure. In one example, a procedure to register for a web service involves presenting a Human Interaction Proof (HIP, or “captcha”) to the user, and gating access to the service upon receipt of a correct solution. If spammers use botnets and/or image capture techniques to initiate registration processes and to transport the HIPs to human or automated solvers, then the registration procedure can be changed in a way that is incompatible with capturing these images, or in a way that is incompatible with receiving HIP solutions from someplace other than the location at which registration was initiated. | 12-22-2011 |
20110314541 | Integrated Circuit, Method and Electronic Apparatus - An integrated circuit having a first security operation state arranged for utility operation, and a second security operation state arranged for test operation is disclosed. In the second security operation state, a first set and a second set of objects are available, while a third set of objects are unavailable. In the first security operation state, the third set of objects is available with authorization by a security mechanism of the first security operation state. The third set of objects is made unavailable by logic circuitry of the integrated circuit, when operating in the second security operation state, by the logic circuitry being arranged to control limited operation of parts of the integrated circuit comprising the third set of objects when operating in the second security operation state such that bypassing of the security mechanism of the first security operation state is disabled. An electronic apparatus utilising such an integrated circuit, and a method are also disclosed. | 12-22-2011 |
20110321159 | Dynamic Management of Role Membership - A method and system for dynamically managing entity membership in a role, using role configurations that comprise one or more dynamic role filters, which are linked to data sources such as databases or web services. The role filters are dynamic because, each time a role membership is queried, the role configuration and its component role filters must be evaluated with respect to the current information in the linked data sources. The roles may be used in role-based access control systems or entity identification systems. | 12-29-2011 |
20120005748 | SAFETY CONTROLLER AND METHOD FOR CONTROLLING AN AUTOMATED INSTALLATION - A safety controller for controlling an automated installation has a control unit to which a plurality of control input signals are supplied from the sensors of the installation. The control unit produces a plurality of control output signals on the basis of the control input signals in accordance with a user program running in said control unit in an automatic mode. The plurality of control output signals actuate the actuators. The safety controller also has a diagnosis evaluation unit that ascertains which one of a plurality of operating states is present at a defined instant of time and produces an operating state signal which represents the ascertained operating state. A diagnosis selection unit generates a diagnosis report as a function of the operating state signal and as a function of a user access authorization signal and/or a special operating mode signal. The diagnosis report representing the ascertained operating state thus varies depending on specific circumstances, such as a certain user access authorization or a certain operating mode. | 01-05-2012 |
20120011587 | SYSTEMS AND METHODS FOR ESTABLISHING TRUST BETWEEN ENTITIES IN SUPPORT OF TRANSACTIONS - Systems and methods for determining the identity of entities who meet trust requirements of a privilege grantor include an identity and trust management system including at least one computing device in communication with at least one entity, at least one privilege grantor, and at least one authoritative source. At least one rule is received from the at least one privilege grantor that must be satisfied for the at least one privilege grantor to trust an entity. A database is established of at least one entity with information about the at least one entity. The at least one authoritative source is queried to determine whether at least a portion of the information about the at least one entity is correct. A response is received from the at least one authoritative source as to whether or not the portion of information is correct. The database stores a result of the query without storing data underlying the result. The information stored in the database is compared with the at least one rule to determine if the at least one entity meets the at least one rule. The at least one privilege grantor is notified whether the at least one entity meets the at least one rule based on the comparison, without providing the at least one privilege grantor with either data stored in the database for the at least one entity or the data underlying the result. | 01-12-2012 |
20120023575 | CONTENT MANAGEMENT DEVICE AND CONTENT MANAGEMENT METHOD - A content management device, includes: a folder level access control information storage unit configured to store folder level access control information indicating access rights of a user to a folder where content is stored; an access control unit configured to acquire content level access control information indicating access rights of a user to content, from a predetermined content level access control unit; and a user interface configured to output display data for displaying a hierarchical structure between at least one folder and at least one content stored in the at least one folder, along with information indicating whether or not an inconsistency has occurred in access rights between the folder level access control information of the at least one folder and the content level access control information of the content stored in the at least one folder. | 01-26-2012 |
20120030756 | User Permissions In Computing Systems - A system and method of verifying accuracy of permission and access levels in a mainframe system are presented. The system and method may include receiving a plurality of records including a user identifier and an associated access level. The access level in the record may be matched (e.g., the access level on the stored record must be less than or equal to the access on the new system to “pass” the test) to the access level in a mainframe system. If the access levels match, the access level may be stored in the mainframe system. If the access levels do not match, the record may be flagged and correction of the inconsistency may be performed. | 02-02-2012 |
20120047575 | SYSTEMS AND METHODS FOR PERFORMING ACCESS ENTITLEMENT REVIEWS - Embodiments of the invention relate to risk assessments and, more particularly to performing access risk assessments based on identified outliers. | 02-23-2012 |
20120060216 | MEDICAL INFORMATION NAVIGATION ENGINE (MINE) SYSTEM - A method of transacting medical information includes receiving medical information from a medical sources, identifying, mapping, and consolidating the received medical information by a back-end medical processor, providing access to specific relevant data, based on a user's security privileges, within the identified, mapped, and consolidated medical information, based on user-specific functions or roles by a front-end medical processor, and generating user-customized processed medical information to a plurality of users, with at least a portion of the user-customized processed medical information being provided to each of the plurality of users based on its relevancy to each user's specific function or role and each user's associated security privileges. | 03-08-2012 |
20120079590 | METHOD FOR ENFORCING RESOURCE ACCESS CONTROL IN COMPUTER SYSTEMS - A method and system for enforcing access control to system resources and assets. Security attributes associated with devices that initiate transactions in the system are automatically generated and forwarded with transaction messages. The security attributes convey access privileges assigned to each initiator. One or more security enforcement mechanisms are implemented in the system to evaluate the security attributes against access policy requirements to access various system assets and resources, such as memory, registers, address ranges, etc. If the privileges identified by the security attributes indicate the access request is permitted, the transaction is allowed to proceed. The security attributes of the initiator scheme provides a modular, consistent secure access enforcement scheme across system designs. | 03-29-2012 |
20120084856 | GATHERING, STORING AND USING REPUTATION INFORMATION - A method and a system for collecting and maintaining historical party reputation data and for using the historical party reputation data to calculate an access decision rating and recalculating the access decision rating when the historical party reputation data has changed has a reputation updater for updating a reputation when a party's reputation has changed, a reputation storer for storing the party's reputation, an access decision rating maker for making a rating on a party's access abilities based upon the party's reputation and reputation history storage for storing a party's reputation having access decision rating storage for storing previous and present access decision storage ratings. | 04-05-2012 |
20120090024 | METHOD AND SYSTEM FOR QUALIFICATION OF AN ELEMENT - The invention relates to a method and a system for creating and qualifying one or more elements, such as multimedia content or, more generally, a performance by an author. The invention more particularly aims at associating a qualification level with an element so that a consultation work can be available, as regards relevance, robustness, skills and authorisation, and thus a degree of objective reliability can be granted to said element. Preferably, the invention relates to the generation of a bank of elements such as questions for television or radio quiz shows, on-line games, etc. | 04-12-2012 |
20120102567 | Hybrid System Implementing Distinct and Co-existing Application Execution Environments and Methods for Implementing the Same - A hybrid system is provided. The system includes a computing device implementing a first application execution environment (AEE) and a second AEE. The first AEE is configured to be isolated from the second AEE. The first software application associated with the first AEE is configured to be processed on the first AEE such that the first software application is denied direct access to the second AEE. A second software application associated with the second AEE is configured to be processed on the second AEE such that the second software application is denied direct access to the first AEE. | 04-26-2012 |
20120131667 | NONDESTRUCTIVE TESTING SYSTEM - A nondestructive testing apparatus includes a display section and a storage section which stores predetermined executable functions. Each of the predetermined functions is initially set to one of a permitted state and a disabled state, and one of a display state and a non-display state on the display section. In an initial state, at least one of the predetermined functions is set to the disabled state and the non-display state. The nondestructive testing apparatus can receive permission information which unlocks at least one of the predetermined functions initially set to the disabled state so as to be set to the permitted state, and unlocks at least one of the predetermined functions initially set in the non-display state so as to be in the display state. The apparatus displays an operation icon only with respect to all of the predetermined functions set to the display state. | 05-24-2012 |
20120151577 | Archive of Text Captures from Rendered Documents - A facility for storing a text capture data structure for a particular user is described. The data structure comprises a number of entries. Each entry corresponds to a text capture operation performed by the user from a rendered document. Each entry contains information specifying the text captured in the text capture operation. | 06-14-2012 |
20120192270 | CLUSTERED FILESYSTEMS FOR MIX OF TRUSTED AND UNTRUSTED NODES - A cluster of computer system nodes share direct read/write access to storage devices via a storage area network using a cluster filesystem. At least one trusted metadata server assigns a mandatory access control label as an extended attribute of each filesystem object regardless of whether required by a client node accessing the filesystem object. The mandatory access control label indicates the sensitivity and integrity of the filesystem object and is used by the trusted metadata server(s) to control access to the filesystem object by all client nodes. | 07-26-2012 |
20120240224 | SECURITY SYSTEMS AND METHODS FOR DISTINGUISHING USER-INTENDED TRAFFIC FROM MALICIOUS TRAFFIC - Security systems and methods distinguish user-intended input hardware events from malicious input hardware events, thereby blocking resulting malicious output hardware events, such as, for example, outgoing network traffic. An exemplary security system can comprise an event-tracking unit, an authorization unit, and an enforcement unit. The event-tracking unit can capture a user-initiated hardware event. The authorization unit can analyze a user interface to determine whether the input hardware event should initiate outgoing hardware events and, if so, to create an authorization specific to the outgoing event initiated by the input event. This authorization can be stored in an authorization database. The enforcement unit can monitor outgoing hardware events and block the outgoing events for which no authorization matching the outgoing events are found in the authorization database. | 09-20-2012 |
20120246717 | APPARATUS, SYSTEMS AND METHODS FOR SECURELY STORING MEDIA CONTENT EVENTS ON A FLASH MEMORY DEVICE - Systems and methods are operable to securely store media content events on a flash memory device. An exemplary embodiment receives user-provided authorization information, compares the received user-provided authorization information with authorization information associated with the flash memory device, and permits access to a flash memory of the flash memory device when the received user-provided authorization information corresponds to the authorization information. | 09-27-2012 |
20120246718 | Method and System for Implementing Collaboration and Crowd-Sourced Distribution on a Content Management System - Systems and methods are provided for delegating permissions of a content provider for a content item to a delegate. In a graphical interface, a content selection input is configured to receive a selection of a content item from a plurality of content items to be delegated. A delegate selection input is configured to receive an identification of a delegate to which the permissions are to be assigned. The interface includes a plurality of permissions assignment inputs, where a permissions assignment input identifies a particular action and is configured to receive a selection of a permission type for the particular action. The identified delegate is permitted to perform the particular action according to the selected permission type for the selected content item. | 09-27-2012 |
20120254991 | Access restriction in response to determining device transfer - A computationally implemented method includes, but is not limited to: determining that a computing device used by a first user has been transferred from the first user to a second user; and restricting access via the computing device to one or more items in response to said determining. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure. | 10-04-2012 |
20120254992 | Providing greater access to one or more items in response to determining device transfer - A computationally implemented method includes, but is not limited to: determining that a computing device associated with a first user and that was in possession of a second user has been transferred from the second user to the first user; and providing at least greater access via the computing device to one or more items in response to determining that the computing device has been transferred from the second user to the first user. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure. | 10-04-2012 |
20120266239 | AUTHORIZED DATA ACCESS BASED ON THE RIGHTS OF A USER AND A LOCATION - Access to files is properly granted regardless of whether an accessing user is located at their primary location or at any “roaming” location. In particular, the techniques herein consider the user rights, rights of any computer from which the user is accessing files, and the rights associated with the files themselves, such as by determining the User ∩ Computer intersection of access rights (an overlap between rights of the user and rights of the computer), and applying these access rights to file rights (e.g., file metadata) to determine what access the user has to the files (e.g., viewing, modifying, etc.). | 10-18-2012 |
20120304285 | CENTRALIZED DEVICE VIRTUALIZATION LAYER FOR HETEROGENEOUS PROCESSING UNITS - A method for providing an operating system access to devices, including enumerating hardware devices and virtualized devices, where resources associated with a first hardware device are divided into guest physical resources creating a software virtualized device, and multiple instances of resources associated with a second hardware device are advertised thereby creating a hardware virtualized device. First and second permission lists are generated that specify which operating systems are permitted to access the software virtualized device and the hardware virtualized device, respectively. First and second sets of virtual address maps are generated, where each set maps an address space associated with either the software virtualized device or the hardware virtualized device into an address space associated with each operating system included in the corresponding permission list. The method further includes arbitrating access requests from each of the plurality of operating systems based on the permission lists and the virtual address maps. | 11-29-2012 |
20130007877 | System and Method of Owner Control of Electronic Devices - A system and method of owner control of an electronic device are provided. Owner identification information, such as data integrity and source authentication information, is stored on the electronic device. Received owner control information is stored on the electronic device where the integrity of the received owner control information is verified and/or the source is authenticated using the owner identification information. In one embodiment, owner identification information comprises an owner signature private key. | 01-03-2013 |
20130007878 | CENTRALIZED LICENSING SERVICES - Methods and devices are provided for central management of licenses, particularly those relating to wagering games. A license proxy deployed in and/or dedicated to a gaming establishment may operate under the control of a central licensing manager controlled by another entity, e.g., by a game provider. The license proxy may receive requests to enable features of an electronic gaming machine of the gaming establishment (e.g., game themes, player tracking features and/or peripheral device features) and determine, based on information provided by the central licensing manager, whether to grant such requests. The license proxy may also process requests to enable features of other devices in a gaming establishment, such as server-based features. | 01-03-2013 |
20130014252 | PORTABLE COMPUTER ACCOUNTS - User accounts, authentication information and user home directories are stored on an external storage media that can be transferred from one device to another. Measures are included for detecting tampering of stored information and for preventing possibly conflicting or damaging account and file information from entering a host device. | 01-10-2013 |
20130031624 | APPLICANT SCREENING - A system of screening servers, screener client computers, and screening kiosks distribute an applicant screening process among multiple sites and multiple participants. To facilitate and secure communications of screening results and applicant actions, a personal identification code is provided that identifies individual sets of screening results. In this manner, the applicant is authenticated and can then enter appropriate applicant profile data into a secure screening account, such as via a screening kiosk. Screening results may be generated for the applicant in association with a unique personal identification code. This code can then be communicated to the screener, who can access the screening results along with a recommendation, if desired, by sending the code to a screening server. The screener can also enter appropriate screening information into another secure screening account. | 01-31-2013 |
20130067569 | METHODS AND STRUCTURE FOR MANAGING VISIBILITY OF DEVICES IN A CLUSTERED STORAGE SYSTEM - Methods and system for implementing a clustered storage solution are provided. One embodiment is a storage controller that communicatively couples a host system with a storage device. The storage controller comprises an interface and a control unit. The interface is operable to communicate with the storage device. The control unit is operable to identify ownership information for a storage device, and to determine if the storage controller is authorized to access the storage device based on the ownership information. The storage controller is operable to indicate the existence of the storage device to the host system if the storage controller is authorized, and operable to hide the existence of the storage device from the host system if the storage controller is not authorized. | 03-14-2013 |
20130091565 | Access Control for Electrical Charging Stations - A method for access control and session control of electrical producers and/or consumers in accessible energy transfer units is provided, wherein the producer or the consumer is authenticated and authorized at the energy transfer unit, and producer- or consumer-specific data are forwarded by the energy transfer unit to an energy provider after authentication and authorization of the producer or the consumer. A temporarily-valid session token is generated for the control of the energy transfer by the energy provider, and forwarded to the energy transfer unit and the producer or the consumer. Electrical energy is transferred between the energy transfer unit and the producer or the consumer, wherein in a defined time interval during the energy transfer process the session token is sent at least once by the energy transfer unit to the producer or the consumer and from the producer or the consumer to the energy transfer unit. | 04-11-2013 |
20130111583 | SYSTEM AND METHOD FOR HYBRID ROLE MINING | 05-02-2013 |
20130125234 | IMAGE FORMING APPARATUS, IMAGE FORMING APPARATUS CONTROL METHOD, AND STORAGE MEDIUM STORING PROGRAM - The history of the output destination of a job is displayed, and selection of a send destination in the history by a user is accepted. It is determined whether the user has an authority to register the selected send destination in a database in which output destination candidates used when executing a job are registered. If it is determined that the user has the authority, an acceptance display is presented to be able to accept an instruction of registration of the send destination in the database. | 05-16-2013 |
20130145460 | Progammable Customized User Interface for Transport Refrigeration Units - A control device having a graphical user interface for controlling the operation of a transport refrigeration unit is disclosed. The graphical user interface may include a menu structure having multiple levels of menu options, executable functions and data items that may be navigated and viewed by a user. Access to the various menus may be user-specific and controlled so that a subset of the information in the menu structure is available to normal users, and larger subsets of the information are available to advanced users having higher levels of authorization to the menus and information contained in the graphical user interface device. The graphical user interface may also include programmable soft keys that may take users directly to frequently viewed menu options, functions and data items without the necessity of navigating through the levels of the menu structure. | 06-06-2013 |
20130152194 | SYSTEM, METHOD AND SOFTWARE FOR CONTROLLING ACCESS TO VIRTUAL MACHINE CONSOLES - A system and method for controlling access to virtual machine consoles. The system includes a console access controller configured to register an owner to a virtual machine to open a defined limit of consoles and capture the defined limit of consoles. An image console control is configured to receive a request to check-out one or more of the captured consoles in one of an exclusive mode and a shared mode and determine whether the check-out request was made by the owner. The console access controller is further configured to open the one or more captured consoles in the exclusive mode to the owner if the check-out request is made by the owner and recapturing the one ore more consoles in response to a check-in request from the owner. | 06-13-2013 |
20130160114 | INTER-THREAD COMMUNICATION WITH SOFTWARE SECURITY - A circuit arrangement and method utilize a process context translation data structure in connection with an on-chip network of a processor chip to implement secure inter-thread communication between hardware threads in the processor chip. The process context translation data structure maps processes to inter-thread communication hardware resources, e.g., the inbox and/or outbox buffers of a NOC processor, such that a user process is only allowed to access the inter-thread communication hardware resources that it has been granted access to, and typically with only certain types of authorized access types. Moreover, a hypervisor or supervisor may manage the process context translation data structure to grant or deny access rights to user processes such that, once those rights are established in the data structure, user processes are permitted to perform inter-thread communications without requiring context switches to a hypervisor or supervisor in order to handle the communications. | 06-20-2013 |
20130227680 | AUTOMATED PROTECTION AGAINST COMPUTER EXPLOITS - Protection of a computer system against exploits. A computer system has a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory. An association of the process thread and the first portion of memory is recorded. A limited access regime in which one of the write and execute privileges is disabled, is established, and is monitored for any exceptions occurring due to attempted writing or execution in violation thereof. In response to the exception being determined as a write exception, the associated process thread is looked up, and analyzed for a presence of malicious code. In response to the exception type being determined as an execute exception, the first portion of memory is analyzed for a presence of malicious code. In response to detection of a presence of malicious code, execution of the malicious code is prevented. | 08-29-2013 |
20130232571 | Accessory Device Authentication - Accessory device authentication techniques are described. In one or more embodiments, connection of an accessory device to a host computing device is detected. Responsive to the detection, an authentication sequence may occur to verify an identity and/or capabilities of the accessory device. Upon successful authentication of the accessory device, the host device may authorize the accessory device for power exchange interactions with the host device. The host device may then draw supplemental power from a power source associated with the authorized accessory device, such as a battery or power adapter. The host device may also enable the accessory device to obtain and use power supplied by the host device in some scenarios. Power exchange between a host device and an authorized accessory may be managed in accordance with capabilities of the accessory device that are identified during authentication. | 09-05-2013 |
20130232572 | AUTHORIZING LOCAL APPLICATION ACTIVITY USING REMOTELY DEFINED SECURITY DATA - Systems and methods, including computer software adapted to perform certain operations, can be implemented for preventing content received from non-trusted sources from accessing protected data. A sequence of instructions and multiple permission indicators associated with the sequence of instructions are received. One or more of permission indicators are associated with a protected activity. An instruction within the sequence of instructions associated with the protected activity is identified. A determination is made whether execution of the identified instruction is permitted based, at least in part, on the one or more permission indicators, and the protected activity is performed if execution of the identified instruction is permitted. | 09-05-2013 |
20130247176 | NON-TRANSITORY COMPUTER READABLE MEDIUM STORING ACCESS RIGHTS UPDATE PROGRAM, ACCESS RIGHTS MANAGEMENT SYSTEM, AND ACCESS RIGHTS UPDATE METHOD - Provided is a non-transitory computer readable medium storing an access rights update program causing a computer to be executed as: an acquisition unit that acquires access rights update information, which includes information specifying an object of personnel changes, a type of personnel changes, a changed organization, a delegatee of access rights for a storage unit that stores a document, and an effective period of the access rights, before the personnel changes; a search unit that searches for the storage unit, for which access rights information including the effective period of the access rights is set and which needs to be updated, on the basis of the acquired access rights update information; and an update unit that updates the access rights information, which is set for the searched storage unit, before the personnel changes on the basis of the acquired access rights update information. | 09-19-2013 |
20130247177 | APPARATUS AND METHOD OF CONTROLLING PERMISSION TO APPLICATIONS IN A PORTABLE TERMINAL - An apparatus and method of controlling permission to an application in a portable terminal, the apparatus including a controller for, when requested for an invocation of a specific function provided by a framework during an execution of a specific application, determining whether a permission for the specific function is obtained using the specific application's user ID and process ID, and if the permission for the specific function is determined to be restricted, displaying a first message indicating that the permission is restricted. | 09-19-2013 |
20130254877 | Deterministic Serialization of Access to Shared Resources In A Multi-processor System For Code Instructions Accessing Resources In a Non-Deterministic Order - Managing access to resources shared among multiple processes within a computer system. Multiple program instances of an application are almost simultaneously executed on multiple processors for fault tolerance. The replication solution supports the recording and subsequent replay of reservation events granting the shared resources exclusive access rights to the processes, when one program code instruction may request access to a set of shared resources in a non-deterministic order. | 09-26-2013 |
20130263255 | SYSTEM AND METHOD ENABLING PARALLEL PROCESSING OF HASH FUNCTIONS USING AUTHENTICATION CHECKPOINT HASHES - Systems and methods enabling parallel processing of hash functions are provided. A data string including a plurality of pieces arranged in an order is hashed using a hash function to determine a plurality of authentication checkpoint hashes associated with the pieces. To authenticate the data string, the pieces are grouped into sets, and the authentication checkpoint hash associated with the piece following all other pieces of that set in the order is associated with that set. The system simultaneously performs a separate hash process on each set. That is, the system hashes the pieces of that set using the hash function to determine a result hash, and compares that result hash with the authentication checkpoint hash associated with that set. The initial input to the hash function for the hash process for each set includes one of the pieces and either a default seed or an authentication checkpoint hash. | 10-03-2013 |
20130269027 | TECHNIQUES TO EXPLAIN AUTHORIZATION ORIGINS FOR PROTECTED RESOURCE OBJECTS IN A RESOURCE OBJECT DOMAIN - Techniques to explain authorization origins for protected objects in an object domain are disclosed. In one embodiment, for example, an apparatus may comprise a processor circuit, a request processor component operative on the processor circuit to receive and process a request for an authorization origin of a resource object, the authorization origin comprising an access control with a permission arranged to control access to the resource object based on an identity, and a resource origin component operative on the processor circuit to identify the authorization origin of the resource object from a set of interrelated resource objects and associated access controls, retrieve authorization origin information for the authorization origin, and present the authorization origin information in a user interface view. Other embodiments are described and claimed. | 10-10-2013 |
20130291098 | DETERMINING TRUST BETWEEN PARTIES FOR CONDUCTING BUSINESS TRANSACTIONS - Trust is calculated between persons for purposes of a business transaction. A measure of relative trust is determined for a target user with respect to a source user based on common entities that are related to both the users, for example, common relations, common background, or common preferences. A measure of absolute trust is determined for the target user using factors including financial information, work history, and so on. The absolute trust for the target user is improved using trusts of other users connected to the target user. The absolute trust and relative trusts are combined to obtain an overall measure of trust for the target user. The measure of trust for the user may be used for a business transaction, for example, lead generation, angel investment, equity crowd funding, and sharing of a product or service with another person. | 10-31-2013 |
20130318599 | PROTECTING VIRTUAL MACHINE CONSOLE FROM MISUSE, HIJACKING OR EAVESDROPPING IN CLOUD ENVIRONMENTS - Access to virtual machine inputs and outputs are controlled. Controlling access to virtual machine inputs and outputs may comprise locking inputs and outputs of a virtual machine from within the virtual machine, other than a predefined limited access input, detecting a request to unlock the inputs and outputs of the virtual machine; determining if a requester is authorized to unlock the inputs and outputs of the virtual machine and unlocking, temporarily, the inputs and outputs of the virtual machine if the requester is authorized. The predefined limited access input is configured to receive an input device with a private secret for unlocking the inputs and outputs of the virtual machine. The inputs and outputs are unlocked when an input device having a shared password is attached. | 11-28-2013 |
20130326615 | METHODS AND STRUCTURE FOR IMPLEMENTING SECURITY IN SYSTEMS THAT UTILIZE SMALL COMPUTER SYSTEM INTERFACE ENCLOSURE SERVICES - Methods and structure are provided for implementing security features in SCSI Enclosure Services (SES) systems. The system comprises an SES device server, which includes a frontend interface, control unit, and backend interface. The frontend interface is operable to receive SES commands generated by Small Computer System Interface (SCSI) devices, and the backend interface is operable to manage operations of at least one peripheral device communicatively coupled with the SES device server based on received SES commands. The control unit is operable to determine whether a SCSI initiator that generated an SES command is an authorized device. The control unit is further operable to perform the SES command in response to determining that the SCSI initiator is an authorized device, and is further operable to reject the SES command in response to determining that the SCSI initiator is not an authorized device. | 12-05-2013 |
20130333025 | SYSTEM AND METHOD FOR ROLE BASED ANALYSIS AND ACCESS CONTROL - A system and method for program access control includes, for a typestate, providing typestate properties and assigning a role to the typestate in a program in accordance with the typestate properties. Access to operations is limited for the typestate in the program based on the role assigned to the typestate and an access permission level. | 12-12-2013 |
20140033302 | METHOD AND APPARATUS FOR SELECTIVELY ENABLING A MICROPROCESSOR-BASED SYSTEM - A system for selectively enabling a microprocessor-based system is disclosed. State information that describes the operating conditions or circumstances under which a user intends to operate the system is obtained. In the preferred embodiment of the invention, a valid hash value is determined, preferably based on the state information and preferably by locating the valid hash value within a table of valid hash values indexed by the state information. Candidate authorization information is obtained from the user, and a candidate hash value is generated by applying a hashing algorithm to the candidate authorization information, the state information, or a combination of the candidate authorization information and state information. The candidate hash value and the valid hash value are then compared, and the microprocessor-based system is enabled if the candidate hash value matches the valid hash value. In this manner, the designer or distributor of the system can determine, at the time of manufacture or distribution, the conditions and circumstances under which the system may be operated. | 01-30-2014 |
20140033303 | Infusion Devices and Methods - Medical devices having restrictive access, and methods thereof are provided. | 01-30-2014 |
20140059677 | MEDICAL DEVICE CUSTOMIZATION SYSTEM - A medical device customization system and method comprising medical device that receives signals from a biological probe having an operational parameter and that stores data based on the signals in a memory. The medical device receives a custom application and establishes a virtual machine to run the custom application. | 02-27-2014 |
20140068760 | Method, System and Computer Storage Medium for Rights Management - A method, system and non-transitory computer storage readable medium for rights management are disclosed. The method for rights management includes the following steps: acquiring operation requests; querying from a pre-created rights list according to the operation request, and returning the corresponding processing result; and executing a corresponding operation according to the processing result. According to the above method, system and non-transitory computer readable storage medium for rights management, the corresponding processing result is obtained by querying from the pre-created rights list according to an operation request, and a corresponding operation is performed according to the processing result, without classification management of various resources or various operations, instead using the unified management, which reduces the complexity of rights management and improves the convenience of management. | 03-06-2014 |
20140082723 | ACCESS CONTROL TO OPERATING MODULES OF AN OPERATING UNIT - The invention relates to an operating unit ( | 03-20-2014 |
20140115698 | Method for Versatile Content Control with Partitioning - A mechanism or structure may be provided to divide a memory into partitions and so that at least some data in the partitions can be encrypted with a key, so that in addition to authentication that is required for accessing some of the partitions, access to one or more keys may be required to decrypt the encrypted data in such partitions. All of the content that the user wishes to access may be associated with a first account, so that all such content can be accessed via different applications (e.g. music player, email, cellular communication etc.) without having to log in multiple times. Then a different set of authentication information may then be used for logging in to access protected content that is in an account different from the first account, even where the different accounts are for the same user or entity. | 04-24-2014 |
20140123276 | AUTOMATION SYSTEM ACCESS CONTROL SYSTEM AND METHOD - An improved system and method for controlling access of components to industrial automation system resources by reference to the various operational states of the industrial automation system. A central access control system includes a processing circuitry, interface circuitry configured to receive information pertaining to the operational state of an automation system, memory circuitry, and a display and user interface. In operation, access to automation components are either allowed or denied based on the designation of an operational state of an automation system. | 05-01-2014 |
20140123277 | MOBILE TERMINAL APPARATUS, NON-TRANSITORY COMPUTER READABLE MEDIUMS, SIGNAL PROCESSING METHOD, DOCUMENT STORAGE SERVER, AND DOCUMENT MANAGEMENT SYSTEM - A mobile terminal apparatus includes a detection unit, a transmission unit, an acquisition unit, and a permission unit. The detection unit detects current position information at a predetermined timing. The transmission unit transmits the current position information, user information that specifies a user, and file specification information that specifies a file that is to be acquired. The acquisition unit acquires a limited-access file, which includes the file and access permission area information that defines an area from which the mobile terminal apparatus is allowed to access the file in accordance with the current position information, in a case where the user is a registered user with a right to download the file. The permission unit gives permission to access the file in a case where accessing of the file is commanded and a position specified by the current position information is included in the area. | 05-01-2014 |
20140137237 | SINGLE SYSTEM IMAGE VIA SHELL DATABASE - A single system image is provided for a parallel data warehouse system by exposing a shell database within a database management system comprising metadata and statistics regarding externally stored data. Further, functionality of the database management system can be exploited to perform pre-execution tasks. In one instance, one or more execution plans can be generated by the database management system for an input command and subsequently employed to generate a distributed execution plan. | 05-15-2014 |
20140150093 | ELECTRONIC MODULE FOR MAKING A MESSAGE ACCESSIBLE TO A TARGETED OPERATING SYSTEM - An electronic module that includes means for determining an operating system targeted by a message received by a transmitter-receiver of an electronic device, from among at least a Rich-OS operating system and a trusted operating system executed on a chipset of the electronic device, so that the message becomes accessible to the targeted operating system. The determining means may be set in operation in response to receipt of the message by the transmitter-receiver. | 05-29-2014 |
20140165188 | USING DATA ANALYTICS AND CROWDSOURCING TO DETERMINE ROLES FOR A COMPUTER SYSTEM - In an embodiment of the invention, wherein users must be able to access a computer system to perform respective functions, initial data is acquired from data sources, some of the initial data pertaining to previously granted system access rights. The initial data is used to create a crowdsourcing task, which is executed to acquire crowdsourced data from SMEs in an SME population, wherein the crowdsourced data comprises additional data pertaining to previously granted system access. The crowdsourced data is used to create a set of role definitions, wherein the role definitions determine which of the users are assigned to be members of a particular role associated with the system, and further determine the access rights that are granted to each member of the particular role. | 06-12-2014 |
20140173720 | SYSTEM AND METHOD FOR CONTROLLING THE ON AND OFF STATE OF FEATURES AT RUNTIME - Methods and systems are provided for turning on and off features at run time. The method includes providing a unique enabling predicate (e.g., an “if enabled” statement) for one or more executable features (blocks of code), configuring a permissions library, and caching the configured permissions library. The method further includes interrogating the cache with the first “if enabled” predicate, executing the block of code (feature) if the cache yields “true” for the requesting user, and not executing the code block if the cache yields “false” for the requesting user. | 06-19-2014 |
20140173721 | MANIPULATING SCREEN LAYERS IN MULTI-LAYER APPLICATIONS - A method performed on a device includes receiving, from a user, a finger-touch-initiated request for access to a layer of a multi-layer application on the device, the multi-layer application having a plurality of user interface layers. The method may also include identifying a finger of the user used to provide the finger-touch-initiated request, the finger associated with one of the layers of the multi-layer application. The layer associated with the identified finger of the user may be operated on. Each finger of the user can be associated with a different layer of the multi-layer application. Fingerprints can be used to differentiate each finger and/or to identify the user by fingerprint recognition techniques. Fingerprints can be used to vary the access parameters of a layer of the application and/or to provide security levels for accessing the layers of the multi-layer application. | 06-19-2014 |
20140181965 | Access Requests at IAM System Implementing IAM Data Model - Systems and methods are provided for provisioning access rights to physical computing resources using an IAM system implementing an IAM data model. The IAM data model may identify logical and physical computing resources. An access request handler may receive an access request and identify a set of logical permissions based on the access request. The access request handler may derive a set of logical entitlements based on the set of logical permissions. An entitlement translator may translate the set of logical entitlements to a physical entitlement specification based on a set of physical permission specifications associated with the set of logical permissions. A physical permission specification may be obtained by mapping a logical permission to one or more physical permissions. An access control manager may then provision access rights to at least one physical computing resource indicated in the physical entitlement specification. | 06-26-2014 |
20140208419 | User Authentication - Disclosed is a method for providing a user access to a computer system comprising a plurality of services and a plurality of authentication levels, the method comprising dynamically monitoring a risk profile of a user authenticated on said computer system; dynamically selecting an authentication level for each of said services based on said monitored risk profile; and if said authentication level for a service is higher than an actual authentication level for said user, sending a further authentication request to the user requesting the user to provide authentication information corresponding to the dynamically selected authentication level upon said authenticated user requesting access to said service. | 07-24-2014 |
20140215603 | AUTOMATED ROLE ADJUSTMENT IN A COMPUTER SYSTEM - An embodiment of the invention is associated with a system having a role for controlling user access, the role comprising users, permissions, and a set of rules. The embodiment records each of a succession of access events in an access log, each event comprising an instance of the system being accessed by a user. The embodiment further analyzes recorded access events in the access log at selected time intervals, to detect a condition or violation of rules of the set of rules. Responsive to detecting a condition or violation, the embodiment selectively determines whether any change to the users or permissions of a specified role is needed. Each needed change is then implemented. | 07-31-2014 |
20140215604 | AUTOMATED ROLE ADJUSTMENT IN A COMPUTER SYSTEM - An embodiment of the invention is associated with a system having a role for controlling user access, the role comprising users, permissions, and a set of rules. The embodiment records each of a succession of access events in an access log, each event comprising an instance of the system being accessed by a user. The embodiment further analyzes recorded access events in the access log at selected time intervals, to detect a condition or violation of rules of the set of rules. Responsive to detecting a condition or violation, the embodiment selectively determines whether any change to the users or permissions of a specified role is needed. Each needed change is then implemented. | 07-31-2014 |
20140283023 | COMMON LOCATION OF USER MANAGED AUTHORIZATION - A method and apparatus for managing authorizations to access personal data of a user is disclosed. A computer retrieves a set of authorizations for a plurality of web based applications, wherein an authorization enables an application of the plurality of web based applications to access at least a portion of the personal data of the user. The computer presents the set of authorizations on a graphical user interface. The computer receives a user input indicating a change to a particular authorization in the set of authorizations for a particular web based application in the plurality of web based applications. Responsive to receiving the user input indicating the change to the particular authorization in the set of authorizations, the computer then stores the change to the particular authorization in the set of authorizations for the plurality of web based applications to access the personal data. | 09-18-2014 |
20140289846 | FACILITATING REVIEW OF ACCESS RIGHTS IN A COMPUTING SYSTEM - Systems and methods for facilitating reviews of IAM information are described. A list of pending reviews of respective access rights of a computing system may be provided to a display device for presentation at a display interface. A review decision for one of the pending reviews may be received such that the pending review becomes a completed review. The review decision and a date the review decision was received may be stored at a data store. An access right associated with the completed review may be selected in response to a review event that requires review of that access right. It may then be determined whether the completed review is accreditable to review of the access right selected for the review event based on the date the review decision was received for the completed review. | 09-25-2014 |
20140310806 | GATHERING, STORING AND USING REPUTATION INFORMATION - Approaches for using the historical party reputation data to calculate an access decision rating are provided. Specifically, one or more approaches provide a method, including: collecting reputation information of a first user that is requesting access to one or more assets, the reputation information based on at least an association of the first user with an organization and an association of the first user with one or more other users associated with one or more other organizations; storing the requester's reputation information; determining a change in the requester's reputation information, wherein the change comprises at least one of: the first user forming a new association with another organization, and the first user forming a new association with a second user, wherein the second user is affiliated with another organization; and causing an access decision rating to be calculated based upon the determined change in the requester's reputation information. | 10-16-2014 |
20140317729 | DATA COMMUNICATION AUTHENTICATION SYSTEM FOR VEHICLE GATEWAY APPARATUS FOR VEHICLE DATA COMMUNICATION SYSTEM FOR VEHICLE AND DATA COMMUNICATION APPARATUS FOR VEHICLE - A vehicular data communication system is disclosed. The vehicular data communication system includes an authentication device for authenticating an external tool connected to a bus, an authentication control device for determining whether an external tool is authenticated by the authentication device and for setting an authenticated state to permit a data communication between the external tool and an access target ECU on the bus upon determining that the external tool is authenticated by the authentication device, and an authentication maintain device for maintaining the authenticated state within a predetermined period after the authenticated state is set by the authentication control device. | 10-23-2014 |
20140331316 | Functionality Watermarking and Management - A method, system and non-transitory computer-readable medium product are provided for functionality watermarking and management. In the context of a method, a method is provided that includes identifying a request to establish an association between a watermark template and a function of at least one user device and determining whether the request to establish the association between the watermark template and the function of the at least one user device is authorized. The method further includes authorizing the request to establish the association between the watermark template and the function of the at least one user device in response to a determination that the request to establish the association between the watermark template and the function of the at least one user device is authorized. | 11-06-2014 |
20140366131 | SECURE BUS SYSTEM - The invention discloses a secure bus system and a bus system security method. The secure bus system includes a bus interconnect structure, a bus master, a bus device and a security control module. The security control module determines a device security attribute for the bus device. When the master security attribute of the bus master or the device security attribute of the bus device has changed, the security control module determines a security permission flag related to the bus master. When the security control module receives a bus transaction from the bus master, the security control module determines whether a security violation condition happens between the bus master and the bus device according to the security permission flag. If the security violation condition happens, the security control module triggers a security violation handling process to further restrict accessibility of the bus master to the bus device. | 12-11-2014 |
20140373134 | PORTABLE INFORMATION TERMINAL AND PROGRAM - Configuration information of a portable information terminal can only be changed by reliable applications. A ROM area stores a first inter-process communication function unit that partially constitutes a first administrative application having an administrative privilege and is capable of transmitting information to and from other applications, and an authentication application name that partially constitutes the first administrative application and is used to authenticate an application that is a source of transmission of information, and an application name, a shared name, and a signature of a second administrative application having no administrative privilege. A RAM area stores an application name, a shared name, and an ID of an installed application and is managed via an OS. The first inter-process communication function unit authenticates an application, which is the source of transmission of the information, using a shared name corresponding to the ID of the application and the authentication application name. | 12-18-2014 |
20140373135 | AUTHORIZATION LOGIC IN MEMORY CONSTRAINED SECURITY DEVICE - Architecture that utilizes logical combinations (e.g., of Boolean logic) of authorizations as a logical authorization expression that is computed through a proofing process to a single proof value which equates to authorizing access to an intended entity. The authorizations are accumulated and processed incrementally according to an evaluation order defined in the authorization expression. The logical combinations can include Boolean operations that evaluate to a proof value associated with a sum of products expression (e.g., combinations of AND, OR, etc.). The incremental evaluations output corresponding hash values as statistically unique identifiers used in a secure hash algorithm that when evaluated in order allow execution of a specific command to access the entity. The architecture, employed in a trust module, uses minimal internal trust module state, and can be employed as part of a device system that handles trust processing to obtain authorization to access the intended entity. | 12-18-2014 |
20150089637 | System, Method and Apparatus for Simultaneous Definition and Enforcement of Access-control and Integrity Policies - Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions. | 03-26-2015 |
20150101042 | TAG BASED PERMISSION SYSTEM AND METHOD FOR VIRTUALIZED ENVIRONMENTS - A virtualized computing system includes a plurality of inventory objects and an access control subsystem that manages permissions to perform actions on the inventory objects using corresponding access control labels of the inventory objects. Permissions are managed by detecting a change in an association of a tag with an inventory object, where the tag defines one or more users and one or more privileges. In response to the detecting, an access control label of the inventory object is updated based on the users and privileges that are defined by the tag. | 04-09-2015 |
20150143515 | METHOD AND APPARATUS FOR SELECTIVELY ENABLING A MICROPROCESSOR-BASED SYSTEM - A system for selectively enabling a microprocessor-based system is disclosed. State information that describes the operating conditions or circumstances under which a user intends to operate the system is obtained. In the preferred embodiment of the invention, a valid hash value is determined, preferably based on the state information and preferably by locating the valid hash value within a table of valid hash values indexed by the state information. Candidate authorization information is obtained from the user, and a candidate hash value is generated by applying a hashing algorithm to the candidate authorization information, the state information, or a combination of the candidate authorization information and state information. The candidate hash value and the valid hash value are then compared, and the microprocessor-based system is enabled if the candidate hash value matches the valid hash value. In this manner, the designer or distributor of the system can determine, at the time of manufacture or distribution, the conditions and circumstances under which the system may be operated. | 05-21-2015 |
20150347743 | METHOD AND APPARATUS FOR INTER PROCESS PRIVILIGE TRANSFER - A method and an apparatus to dynamically distribute privileges among a plurality of processes are described. Each process may have attributes including a privilege to control access to processing resources. A first process may be running with a first privilege prohibited from access to a processing resource. A second process may be running with a second privilege allowed to access the processing resource. The first process may receive a request from the second process to perform a data processing task for the second process. In response, the second privilege may be dynamically transferred to the first process to allow the first process to access the processing resource. The first process may perform operations for the data processing task with the second privilege transferred from the second process. | 12-03-2015 |
20150347787 | AUTHENTICATION IN A FLEXIBLE DISPLAY COMPUTING DEVICE - Embodiments of the invention provide for device authentication in a flexible display computing device. In an embodiment of the invention, a method for device authentication in a flexible display computing device includes pre-storing in memory of a computing device, data corresponding to a pattern of folds of a flexible display of the computing device. The method also includes receiving a subsequent authentication request in the computing device and, in response, monitoring a folding of the flexible display and computing data corresponding to a pattern of the monitored folding. The method yet further includes comparing in the memory of the computing device the computed data to the pre-stored data. Finally, the method includes granting access to the computing device if the pattern of the monitored folding compares to the pattern of folds based upon a threshold degree of equality between the computed data and the pre-stored data. | 12-03-2015 |
20150371017 | SECURITY DOMAIN PREDICTION - A data processing apparatus | 12-24-2015 |
20160110536 | ACCESSORY AUTHENTICATION FOR ELECTRONIC DEVICES - Improved techniques to control utilization of accessory devices with electronic devices are disclosed. The improved techniques can use cryptographic approaches to authenticate electronic devices, namely, electronic devices that interconnect and communicate with one another. One aspect pertains to techniques for authenticating an electronic device, such as an accessory device. Another aspect pertains to provisioning software features (e.g., functions) by or for an electronic device (e.g., a host device). Different electronic devices can, for example, be provisioned differently depending on different degrees or levels of authentication, or depending on manufacturer or product basis. Still another aspect pertains to using an accessory (or adapter) to convert a peripheral device (e.g., USB device) into a host device (e.g., USB host). The improved techniques are particularly well suited for electronic devices, such as media devices, that can receive accessory devices. One example of a media device is a media player, such as a hand-held media player (e.g., music player), that can present (e.g., play) media items (or media assets). | 04-21-2016 |
20160147983 | IMPLEMENTING EXTENT GRANULARITY AUTHORIZATION INITIALIZATION PROCESSING IN CAPI ADAPTERS - A method, system and computer program product are provided for implementing block extent granularity authorization initialization processing in Coherent Accelerator Processor Interface (CAPI) adapters. A master owning client and CAPI Server Register space assigned to the Master Owning Client are identified. Address mapping is created for the Master Owning Client to access the assigned CAPI Server Register space. The Master Owning Client is enabled to send commands to the CAPI adapter, other CAPI clients are prevented from sending commands to the CAPI adapter via the CAPI Server Register space assigned to the Master Owning Client. | 05-26-2016 |
20160147984 | IMPLEMENTING EXTENT GRANULARITY AUTHORIZATION INITIALIZATION PROCESSING IN CAPI ADAPTERS - A method, system and computer program product are provided for implementing block extent granularity authorization initialization processing in Coherent Accelerator Processor Interface (CAPI) adapters. A master owning client and CAPI Server Register space assigned to the Master Owning Client are identified. Address mapping is created for the Master Owning Client to access the assigned CAPI Server Register space. The Master Owning Client is enabled to send commands to the CAPI adapter, other CAPI clients are prevented from sending commands to the CAPI adapter via the CAPI Server Register space assigned to the Master Owning Client. | 05-26-2016 |
20190147154 | TECHNIQUES FOR VALIDATING USER CORRELATION TO SENSOR DATA | 05-16-2019 |