Patent application number | Description | Published |
20080229115 | PROVISION OF FUNCTIONALITY VIA OBFUSCATED SOFTWARE - In an example embodiment, executable files are individually encrypted utilizing a symmetric cryptographic key. For each user to be given access to the obfuscated file, the symmetric cryptographic key is encrypted utilizing a public key of a respective public/private key pair. A different public key/private key pair is utilized for each user. Obfuscated files are formed comprising the encrypted executable files and a respective encrypted symmetric cryptographic key. The private keys of the public/private key pairs are stored on respective smart cards. The smart cards are distributed to the users. When a user wants to invoke the functionality of an obfuscated file, the user provides the private key via his/her smart card. The private key is retrieved and is utilized to decrypt the appropriate portion of the obfuscated file. The symmetric cryptographic key obtained therefrom is utilized to decrypt the encrypted executable file. | 09-18-2008 |
20080256631 | RENEWABLE INTEGRITY ROOTED SYSTEM - A method of validating software is disclosed. The method may include receiving, at a first function, a first hash and a first version. The first function may validate a second function according to the first hash and first version. The second function may receive a second hash and a second version, and the second function may validate a third function according to the second hash and second version. The first version and first hash may be stored within the first function, for example. The first version and first hash may be stored within a manifest, for example. | 10-16-2008 |
20080276314 | SOFTWARE PROTECTION INJECTION AT LOAD TIME - A method to apply a protection mechanism to a binary object includes using operating system resources to load a binary object from a storage medium along with a manifest and a digital signature. Authentication of the binary object is performed using the digital signature and the manifest is read to determine a category of protection for the binary object. The operating system selects a protection mechanism corresponding to the protection category and injects protection mechanism code, along with the binary object into a binary image on computer RAM. When the binary image is accessed, the protection mechanism executes and either allows full access and functionality to the binary object or prevents proper access and operation of the binary object. The protection mechanisms may be updated independently from the information on the storage medium. | 11-06-2008 |
20090327711 | AUTHENTICATION OF BINARIES IN MEMORY WITH PROXY CODE EXECUTION - Presented is an anti-tampering method that validates and protects specific sections of a binary file. In one embodiment, this method permits a proxy engine to execute (via emulation by a virtual machine) the protected code on behalf of the binary in kernel mode upon successful completion of an integrity check. The integrity check can optionally check only the specific parts of code that the developer wishes to validate. The integrity check can cross binary boundaries. Moreover, the integrity check can be done on a hard drive or in memory. Furthermore, since the encrypted code is executed by the proxy engine in kernel mode, hackers are further deterred from modifying the code. Additionally, a method of creating a protected binary file is described herein. | 12-31-2009 |
20100274750 | Data Classification Pipeline Including Automatic Classification Rules - Described is a technology in which data items (e.g., files) are processed through an extensible data processing pipeline, including a classification pipeline, to facilitate management of the data items based upon their classifications. A discovery module locates data items to process. An independent classification pipeline obtains metadata (properties) associated with each discovered data item, and one or more classifiers classify the data item based on the metadata. An independent policy module applies policy to each data item based upon its classification. Multiple classifiers may be invoked, based upon various criteria. Predefined ordering of the classifiers, authoritative classifiers and/or an aggregation mechanism handle any classification conflicts. Different types of classifiers may be provided, and each classifier may correspond to automatic classification rules; the classifier may directly change a property, (e.g., set the classification) or return a result to a corresponding rule mechanism for changing a property. | 10-28-2010 |
20110099152 | ALTERNATE DATA STREAM CACHE FOR FILE CLASSIFICATION - Described is caching classification-related metadata for a file in an alternate data stream of that file. When a file is classified (e.g., for data management), the classification properties are cached in association with the file, along with classification-related metadata that indicates the state of the file at the time of caching. The classification-related metadata in the alternate data stream is then useable in determining whether the classification properties are valid and up-to-date when next accessed, or whether the file needs to be reclassified. If the properties are valid and up-to-date, they may be used without requiring the computationally costly steps of reclassification. Also described is using more than one alternate data stream for the cache, and extending the classification-related metadata through a defined extension mechanism. | 04-28-2011 |
20110119266 | METHOD FOR DOCUMENTING AND VIEWING EXPERIENCES - A method for documenting and viewing human experiences is disclosed. The method may include enabling people to record experiences starting at a decision that needs to be taken (decision point) and providing the relevant data points for the decision followed by the action taken and the consequences. These consequences can then be further linked to a new experience. Further, this method may allow multiple people to enter their experiences for the same decision point creating a per decision point inclusive repository of the various data points, actions and consequences as experienced by multiple people. Last, the method may allow people to view the experiences entered by others applying keyword search criteria, tags and data point filters that fit their desired viewing parameters and to navigate between the experiences using the defined links between consequences and experiences | 05-19-2011 |
20110126281 | Controlling Resource Access Based on Resource Properties - Described is a technology by which access to a resource is determined by evaluating a resource label of the resource against a user claim of an access request, according to policy decoupled from the resource. The resource may be a file, and the resource label may be obtained by classifying the file into classification properties, such that a change to the file may change its resource label, thereby changing which users have access to the file. The resource label-based access evaluation may be logically combined with a conventional ACL-based access evaluation to determine whether to grant or deny access to the resource. | 05-26-2011 |
20110145393 | METHOD FOR DYNAMIC RESERVATION OF CLOUD AND ON PREMISES COMPUTING RESOURCES FOR SOFTWARE EXECUTION - A method for dynamic reservation of cloud and on premises resources for software execution is disclosed. The method may be comprised of: receiving the specification for the resources needed for the software, evaluating the availability of resources and reserving the resources for the software. The method may include a protocol to discover, evaluate availability, negotiate terms and create a reservation contract for software execution resources based on the required specification. This can be implemented using resource agent modules that represent available software execution resources (e.g.: CPU, memory, storage, network . . . ) and reservation agent modules that are used for communicating with the resource agent modules for reserving software execution resources. In addition, monitoring agent modules are used to monitor the actual software execution reservation contract. | 06-16-2011 |
20110239293 | AUDITING ACCESS TO DATA BASED ON RESOURCE PROPERTIES - Described is a technology, such as implemented in an operating system security system, by which a resource's metadata (e.g., including data properties) is evaluated against an audit rule or audit rules associated with that resource (e.g., object). The audit rule may be associated with all such resources corresponding to a resource manager, and/or by a resource-specific audit rule. When a resource is accessed, each audit rule is processed against the metadata to determine whether to generate an audit event for that rule. The audit rule may be in the form of one or more conditional expressions. Audit events may be maintained and queried to obtain audit information for various usage scenarios. | 09-29-2011 |
20120096566 | FIRST COMPUTER PROCESS AND SECOND COMPUTER PROCESS PROXY-EXECUTING CODE ON BEHALF OF FIRST PROCESS - Upon a first process encountering a triggering device, a second process chooses whether to proxy-execute code corresponding to the triggering device of the first process on behalf of such first process based at least in part on whether a license evaluator of the second process has determined that the first process is to be operated in accordance with the terms and conditions of a corresponding digital license. The license evaluator at least in part performs such determination by running a script corresponding to the triggering device in the code of the first process. Thus, the first process is dependent upon the second process and the license for operation thereof. | 04-19-2012 |
20120167158 | SCOPED RESOURCE AUTHORIZATION POLICIES - Resource authorization policies and resource scopes may be defined separately, thereby decoupling a set of authorization rules from the scope of resources to which those rules apply. In one example, a resource includes anything that can be used in a computing environment (e.g., a file, a device, etc.). A scope describes a set of resources (e.g., all files in folder X, all files labeled “Y”, etc.). Policies describe what can be done with a resource (e.g., “read-only,” “read/write,” “delete, if requestor is a member of the admin group,” etc.). When scopes and policies have been defined, they may be linked, thereby indicating that the policy applies to any resource within the scope. When a request for the resource is made, the request is evaluated against all policies associated with scopes that contain the resource. If the conditions specified in the policies apply, then the request may be granted. | 06-28-2012 |
20120260303 | Mapping Global Policy for Resource Management to Machines - The subject disclosure is directed towards applying global policy to only select resources (e.g., certain file folders) based on property settings associated as metadata with those resources. The resource property settings correspond to a defined property set (e.g., a global taxonomy) that is consistent with the global policy. When global policy is received, the property metadata for each resource determines whether to apply the global policy to that resource. In this way, a central administrator may provide the defined property set, a policy author may provide the policy, and a local administrator may set the resource property settings. | 10-11-2012 |
20130125199 | TESTING ACCESS POLICIES - A policy that governs access to a resource may be tested against real-world access requests before being used to control access to the resource. In one example, access to a resource is governed by a policy, referred to as an effective policy. When the policy is to be modified or replaced, the modification or replacement may become a test policy. When a request is made to access the resource, the request may be evaluated under both the effective policy and the test policy. Whether access is granted is determined under the effective policy, but the decision that would be made under the test policy is noted, and may be logged. If the test policy is determined to behave acceptably when confronted with real-world access requests, then the current effective policy may be replaced with the test policy. | 05-16-2013 |
20140351225 | ALTERNATE DATA STREAM CACHE FOR FILE CLASSIFICATION - Described is caching classification-related metadata for a file in an alternate data stream of that file. When a file is classified (e.g., for data management), the classification properties are cached in association with the file, along with classification-related metadata that indicates the state of the file at the time of caching. The classification-related metadata in the alternate data stream is then useable in determining whether the classification properties are valid and up-to-date when next accessed, or whether the file needs to be reclassified. If the properties are valid and up-to-date, they may be used without requiring the computationally costly steps of reclassification. Also described is using more than one alternate data stream for the cache, and extending the classification-related metadata through a defined extension mechanism. | 11-27-2014 |