| Patent application number | Description | Published |
|---|
| 20090222878 | SYSTEMS AND METHODS FOR A SECURE GUEST ACCOUNT - An embodiment relates generally to a method of creating a secure environment in a computer device. The method includes providing a secure guest account in a multi-user operating system and enforcing a policy on the secure account to allow a user to log-in to the secure guest account while preventing access at least one network port of the computer device. The method also includes enforcing a rule to allow the secure guest account access to an application and the at least one network port. | 09-03-2009 |
| 20100131559 | ISOLATING AN EXECUTION CONTAINER IN A SYSTEM WITH MANDATORY ACCESS CONTROL (MAC) - Preventing a process from traversing back a directory tree through its parent directories is described. In a system with a program executing in a path container, an access permission rule applicable to the instance of the program prevents the program from traversing the tree structure back through its parent directories towards an absolute root directory. The access permission rule may be a rule in an instance of a security policy applicable to the particular path container from which the process is executing. | 05-27-2010 |
| 20100132011 | Mechanism to Implement Security in Process-Based Virtualization - In one embodiment, a mechanism to implement security in process-based virtualization is disclosed. In one embodiment, a method includes maintaining a security policy for a process-based virtualization system, initializing a virtual machine (VM) in the process-based virtualization system, assigning a security label to the VM, and enforcing the security policy on the VM based on the security label of the VM in order to isolate the VM from other VM's in the process-based virtualization system. | 05-27-2010 |
| 20100132012 | MERGING MANDATORY ACCESS CONTROL (MAC) POLICIES IN A SYSTEM WITH MULTIPLE EXECUTION CONTAINERS - Application of a local instance of a general security policy is described. In a system with an instance of a program executing in a path container, a security policy applicable the the instance of the program is managed locally for the path container. The path container provides a confined execution environment for the program instance, and the security policy defines permitted operations for the program an all its instances. The instance of the security policy is associated with the path container, which allows the program instance to “see” management within the path container as though with the security policy, while entities having permissions outside the path container “see” the program instance limited to the path container and its associated security policy instance. | 05-27-2010 |
| 20100132013 | RELIABLY TERMINATING PROCESSES IN A SYSTEM WITH CONFINED EXECUTION ENVIRONMENTS - Terminating a process executing within a container is described. An access restriction applicable to the process is temporarily modified with a policy change that prevents creating new processes within the container. The policy change prevents operations that would allow processes within the container from performing a fork operation, or otherwise spawning new processes within the container. The policy change may be, for example, applied by means of a rule added or removed from an access restriction policy. While the processes are prevented from creating new processes, one specified process or all processes within the container are terminated. After termination of the process(es), the policy change can be reversed, allowing normal use of the container. | 05-27-2010 |
| 20110047613 | SYSTEMS AND METHODS FOR PROVIDING AN ISOLATED EXECUTION ENVIRONMENT FOR ACCESSING UNTRUSTED CONTENT - A sandbox tool can cooperate with components of a secure operating system to create an isolated execution environment for accessing untrusted content without exposing other processes and resources of the computing system to the untrusted content. The sandbox tool can allocate resources (storage space, memory, etc) of the computing system, which are necessary to access the untrusted content, to the isolated execution environment, and apply security polices of the operating system to the isolated execution environment such that untrusted content running in the isolated execution environment can only access the resources allocated to the isolated execution environment. | 02-24-2011 |
| 20110154431 | SYSTEMS AND METHODS FOR PROVIDING MULTIPLE ISOLATED EXECUTION ENVIRONMENTS FOR SECURELY ACCESSING UNTRUSTED CONTENT - A sandbox tool can create and maintain multiple isolated execution environments, simultaneously. The sandbox tool can assign a unique security label to each isolated execution environment. In order to ensure the security labels are unique, the sandbox tool, for each security label, can bind a communication socket in an abstract name space of the operating system with a name that is the same as the security label. If the operating system returns an error that the name for the communication socket is already in use, the sandbox tool can determine that the security label is already in use by another isolated execution environment or other process. | 06-23-2011 |
| 20110296487 | SYSTEMS AND METHODS FOR PROVIDING AN FULLY FUNCTIONAL ISOLATED EXECUTION ENVIRONMENT FOR ACCESSING CONTENT - A sandbox tool can cooperate with components of a secure operating system to create an isolated execution environment for accessing content without exposing other processes and resources of the computing system to the untrusted content. The sandbox tool can create the isolated execution environment with an assigned security context of the secure operating system. The security context can define the security policies applied by the operating system to the isolated execution environment, thereby, defining the levels of access the isolated execution environment has to the resources of the computing system. | 12-01-2011 |
