| Patent application number | Description | Published |
|---|
| 20080235534 | INTEGRITY PROTECTION IN DATA PROCESSING SYSTEMS - A method for protecting the integrity of a set of memory pages to be accessed by an operating system of a data processing system, includes running the operating system in a virtual machine (VM) of the data processing system; verifying the integrity of the set of memory pages on loading of pages in the set to a memory of the data processing system for access by the operating system; in response to verification of the integrity, designating the set of memory pages as trusted pages and, in a page table to be used by the operating system during the access, marking non-trusted pages as paged; and in response to a subsequent page fault interrupt for a non-trusted page, remapping the set of pages to a region of the data processing system memory which is inaccessible to the virtual machine. | 09-25-2008 |
| 20080235793 | INTEGRITY PROTECTION IN DATA PROCESSING SYSTEMS - A method for protecting the integrity of a set of memory pages to be accessed by an operating system of a data processing system, includes running the operating system in a virtual machine (VM) of the data processing system; verifying the integrity of the set of memory pages on loading of pages in the set to a memory of the data processing system for access by the operating system; in response to verification of the integrity, designating the set of memory pages as trusted pages and, in a page table to be used by the operating system during the access, marking non-trusted pages as paged; and in response to a subsequent page fault interrupt for a non-trusted page, remapping the set of pages to a region of the data processing system memory which is inaccessible to the virtual machine. | 09-25-2008 |
| 20080288783 | METHOD AND SYSTEM TO AUTHENTICATE AN APPLICATION IN A COMPUTING PLATFORM OPERATING IN TRUSTED COMPUTING GROUP (TCG) DOMAIN - A method and system for verifying authenticity of an application in a computing-platform operating in a Trusted Computing Group (TCG) domain is provided. The method includes computing one or more integrity measurements corresponding to one or more of the application, a plurality of precedent-applications, and an output file. The output file includes an output of the application, the application is executing on the computing-platform. Each precedent-application is executed before the application. The method further includes comparing one or more integrity measurements with re-computed integrity measurements. The re-computed integrity measurements are determined corresponding to one or more of the application, the plurality of precedent-applications, and the computing-platform. | 11-20-2008 |
| 20080289028 | FIREWALL FOR CONTROLLING CONNECTIONS BETWEEN A CLIENT MACHINE AND A NETWORK - A firewall system adapted for location outside the client machine, preferably in the same data processing device as the client machine but outside a virtual machine containing the client machine. Control logic of the firewall system receives incoming and outgoing connections from the network and client machine respectively. In response to a connection request initiating a connection between respective endpoints in the network and client machine, the control logic performs a security assessment comprising obtaining from at least one of the network and client machine information indicative of the security state of the endpoint therein, and allows or inhibits the connection in dependence on the result of the security assessment. The security assessment may be performed in accordance with a security policy of the system, and different security assessments may be performed for different connection requests in accordance with the security policy. | 11-20-2008 |
| 20090192780 | HARDWARE EMULATION USING ON-THE-FLY VIRTUALIZATION - At least one anomaly associated with at least one actual hardware element in a computer system having a plurality of hardware elements is addressed. The anomaly is detected, and, responsive to the detection, a virtualization layer is inserted between (i) an operating system of the computer system, and (ii) the plurality of hardware elements. Hardware emulation and/or selective hardware activation/deactivation are performed on the at least one actual hardware element by the virtualization layer. The insertion of the virtualization layer is accomplished in an on-the-fly manner. | 07-30-2009 |
| 20090300307 | PROTECTION AND SECURITY PROVISIONING USING ON-THE-FLY VIRTUALIZATION - A virtualization layer is inserted between (i) an operating system of a computer system, and (ii) at least one of a memory module and a storage module of the computer system. At least one of read access and write access to at least one portion of the at least one of a memory module and a storage module is controlled, with the virtualization layer. The insertion of the virtualization layer is accomplished in an on-the-fly manner (that is, without rebooting the computer system) An additional aspect includes controlling installation of a security program from the virtualization layer. | 12-03-2009 |
| 20100017866 | SECURE USER INTERACTION USING VIRTUALIZATION - A first virtualization layer is inserted between (i) an operating system of a computer system, and (ii) at least first and second hardware devices of the computer system. Data is communicated between the first hardware device and the second hardware device, via the first virtualization layer, without exposing the data to the operating system. | 01-21-2010 |
| 20100214947 | Determination of Network Topology Using Flow-Based Traffic Information - A method for determination of a network topology includes generating a list of device sets for a destination; removing any duplicate device sets from the list; creating a tree for the destination by introducing a root node into the tree; sorting the list of device sets for the destination by length; removing the shortest device set from the list; introducing a new node representing the shortest device set into the tree; determining whether a node in the tree represents a maximum length subset of the shortest device set, and in the event that a node is determined, connecting the new node to the determined node, or else connecting the new node to the root node; setting the identifier of the introduced node to a list of members of the shortest device set that are not included in the maximum length subset of the determined node. | 08-26-2010 |
