利索-全球专利检索

  1. 登录
  2. 注册

搜索结果

50 条记录 (耗时 0.024 秒)

    Active access monitoring for safer computing environments and systems
    21.
    发明授权
    Active access monitoring for safer computing environments and systems 失效
    更安全的计算环境和系统的主动访问监控

    公开(公告)号:US08631468B2

    公开(公告)日:2014-01-14

    申请号:US12267990

    申请日:2008-11-10

    申请人: Xinwen Zhang Jean-Pierre Seifert Onur Aciicmez Afshin Latifi

    发明人: Xinwen Zhang Jean-Pierre Seifert Onur Aciicmez Afshin Latifi

    IPC分类号: G06F17/30 G06F7/04 G06F15/16

    CPC分类号: G06F21/554

    摘要: Techniques for controlling access are disclosed. The techniques can be used for reference monitoring in various computing systems (e.g., computing device) including those that may be relatively more susceptible to threats (e.g., mobile phones). Allowed access can be disallowed. In other words, permission to access a component can be effectively withdrawn even though access may be on-going. After permission to access a component has been allowed, one or more disallow access conditions or events can be effectively monitored in order to determine whether to withdraw the permission to access the component. As a result, allowed access to the component can be disallowed. Access can be disallowed by effectively considering the behavior of a component in the aggregate and/or over a determined amount of time. By way of example, a messaging application can be disallowed access to a communication port if the messaging application sends more messages than an acceptable limit during a session or in 4 hours. Disallow-access policies, rules and/or conditions can be defined and modified, for example, by end-users and system administrators, allowing a customizable and flexible security environment that is more adaptable to change.

    摘要翻译: 公开了用于控制访问的技术。 这些技术可用于各种计算系统(例如,计算设备)中的参考监视,包括可能相对更易受威胁(例如,移动电话)的那些。 允许访问可以被禁止。 换句话说,即使访问可能正在进行,也可以有效地撤销访问组件的权限。 允许访问组件后,可以有效地监视一个或多个不允许访问条件或事件,以便确定是否撤销访问组件的权限。 因此,允许访问组件可以被禁止。 可以通过有效地考虑组件在集合中和/或在确定的时间内的行为来禁止访问。 作为示例,如果消息传递应用程序在会话期间或在4小时内发送比可接受的限制更多的消息,则可以不允许消息传递应用程序访问通信端口。 禁止访问策略,规则和/或条件可以由最终用户和系统管理员进行定义和修改,从而允许更适应于更改的可自定义和灵活的安全环境。

    Authentication, identity, and service management for computing and communication systems
    22.
    发明授权
    Authentication, identity, and service management for computing and communication systems 有权
    计算和通信系统的认证,身份和服务管理

    公开(公告)号:US08201232B2

    公开(公告)日:2012-06-12

    申请号:US12147246

    申请日:2008-06-26

    申请人: Xinwen Zhang Jean-Pierre Seifert Onur Aciicmez

    发明人: Xinwen Zhang Jean-Pierre Seifert Onur Aciicmez

    IPC分类号: H04L29/06

    CPC分类号: H04L63/0884 G06F21/31 H04L63/08 H04L63/102

    摘要: Improved techniques for obtaining authentication identifiers, authentication, and receiving services are disclosed. Multiple devices can be used for receiving service from a servicing entity (e.g., Service Providers). More particularly, a first device can be used to authenticate a first entity (e.g., one or more persons) for receiving services from the servicing entity, but the services can be received by a second device. Generally, the first device can be a device better suited, more preferred and/or more secure for authentication related activates including “Identity Management.” The second device can be generally more preferred for receiving and/or using the services. In addition, a device can be designated for authentication of an entity. The device releases an authentication identifier only if the entity has effectively authorized its release, thereby allowing “User Centric” approaches to “Identity Management.” A device can be designated for obtaining authentication identifiers from an identity assigning entity (e.g., an Identity Provider). The authentication identifiers can be used to authenticate an entity for receiving services from a servicing entity (e.g., a Service Provider) that provides the services to a second device. The same device can also be designated for authentication of the entity. The device can, for example, be a mobile phone allowing a mobile solution and providing a generally more secure computing environment than the device (e.g., a Personal Computer) used to receive and use the services.

    摘要翻译: 公开了用于获得认证标识符,认证和接收服务的改进的技术。 多个设备可用于从服务实体(例如,服务提供商)接收服务。 更具体地,可以使用第一设备来认证用于从服务实体接收服务的第一实体(例如,一个或多个人),但是可以由第二设备接收服务。 通常,第一设备可以是对于包括“身份管理”的认证相关激活更适合,更优选和/或更安全的设备。第二设备通常可以更优选用于接收和/或使用服务。 另外,可以指定一个设备来认证一个实体。 只有当实体有效地授权其发布时,才能释放认证标识符,从而允许以“用户为中心”的方式进行“身份管理”。设备可以被指定用于从身份分配实体(例如,身份提供者)获取认证标识符, 。 认证标识符可用于认证用于从向第二设备提供服务的服务实体(例如,服务提供商)接收服务的实体。 同样的设备也可以被指定为实体的认证。 例如,设备可以是允许移动解决方案并且提供比用于接收和使用服务的设备(例如,个人计算机)通常更安全的计算环境的移动电话。

    EFFECTIVE MAPPING OF CODE SECTIONS TO THE SAME SECTION OF SECONDARY MEMORY TO IMPROVE THE SECURITY OF COMPUTING SYSTEMS
    24.
    发明申请
    EFFECTIVE MAPPING OF CODE SECTIONS TO THE SAME SECTION OF SECONDARY MEMORY TO IMPROVE THE SECURITY OF COMPUTING SYSTEMS 审中-公开
    代码段有效映射到二次存储器的同一部分以提高计算系统的安全性

    公开(公告)号:US20100257514A1

    公开(公告)日:2010-10-07

    申请号:US12417999

    申请日:2009-04-03

    申请人: Onur Aciicmez Xinwen Zhang Jean-Pierre Seifert

    发明人: Onur Aciicmez Xinwen Zhang Jean-Pierre Seifert

    IPC分类号: G06F9/45 G06F12/00

    CPC分类号: G06F21/125 G06F12/0875 G06F21/14

    摘要: Executable computer code sections can be stored in the same section of secondary memory (e.g., instruction cache) during execution time in order to reduce the observable changes to the state of the secondary memory, thereby enhancing the security of computing systems that use secondary memory in addition the primary (main) memory to support execution of computer code. In addition, size of code sections can also be effectively adjusted so that code sections that are mapped to the same section of the secondary memory appear to have the same size, thereby further reducing the observable changes to the state of the secondary memory. As a result, the security of computing system can be further enhanced. It should be noted that code sections can be effectively relocated to cause them to map to the same section of secondary memory. It will be appreciated that mapping code sections considered to be critical to security can be especially useful to improving security. For example, codes sections considered to be critical to security can be identified and effectively mapped to the same section of an instruction cache (I-cache) as provided in more modern computing systems in order to improve the efficiency of execution, thereby allowing use of the I-cache in a more secure manner.

    摘要翻译: 可执行的计算机代码部分可以在执行时间期间存储在次要存储器(例如,指令高速缓存)的相同部分中,以便减少对次要存储器的状态的可观察到的改变,从而增强使用辅助存储器的计算系统的安全性 添加主(主)内存以支持执行计算机代码。 此外,还可以有效地调整代码段的大小,使得映射到辅助存储器的相同部分的代码段看起来具有相同的大小,从而进一步减少对次级存储器的状态的可观察的改变。 结果,可以进一步提高计算系统的安全性。 应该注意的是,代码段可以被有效地重新定位,以使它们映射到相同的辅助存储器部分。 应当理解,被认为对安全性至关重要的映射代码部分对于提高安全性尤其有用。 例如,被认为对安全性至关重要的代码部分可以被识别并有效地映射到更现代的计算系统中提供的指令高速缓存(I缓存)的相同部分,以便提高执行的效率,从而允许使用 I缓存以更安全的方式。

    EVICTING CODE SECTIONS FROM SECONDARY MEMORY TO IMPROVE THE SECURITY OF COMPUTING SYSTEMS
    25.
    发明申请
    EVICTING CODE SECTIONS FROM SECONDARY MEMORY TO IMPROVE THE SECURITY OF COMPUTING SYSTEMS 审中-公开
    从次级存储器中检验代码段,以提高计算系统的安全性

    公开(公告)号:US20100257318A1

    公开(公告)日:2010-10-07

    申请号:US12418033

    申请日:2009-04-03

    申请人: Onur Aciicmez Xinwen Zhang Jean-Pierre Seifert

    发明人: Onur Aciicmez Xinwen Zhang Jean-Pierre Seifert

    IPC分类号: G06F12/08 G06F9/44

    CPC分类号: G06F21/14 G06F12/0808 G06F12/0842 G06F21/79 G06F2212/1052 G06F2221/2105 G06F2221/2149

    摘要: Executable computer code sections can be effectively evicted from secondary memory (e.g., instruction cache) during execution time in order to reduce the observable changes to the state of the secondary memory, thereby enhancing the security of computing systems that use secondary memory in addition the primary (main) memory to support execution of computer code. In particular, codes sections considered to be critical to security can be identified and effectively mapped to the same section of an instruction cache (I-cache) as provided in more modern computing systems in order to improve the efficiency of execution, thereby allowing use of the I-cache in a more secure manner.

    摘要翻译: 可执行的计算机代码部分可以在执行时间期间从次要存储器(例如,指令高速缓存)中被有效地驱逐,以便减少对次要存储器的状态的可观察的改变,从而增强使用辅助存储器的计算系统的安全性 (主)内存支持执行计算机代码。 特别地,被认为对于安全性至关重要的代码部分可以被识别并且被有效地映射到更现代的计算系统中提供的指令高速缓存(I-cache)的相同部分,以便提高执行的效率,从而允许使用 I缓存以更安全的方式。

    PREVENTING ABUSE OF SERVICES IN TRUSTED COMPUTING ENVIRONMENTS
    26.
    发明申请
    PREVENTING ABUSE OF SERVICES IN TRUSTED COMPUTING ENVIRONMENTS 审中-公开
    防止滥用计算环境中的服务

    公开(公告)号:US20090300348A1

    公开(公告)日:2009-12-03

    申请号:US12131711

    申请日:2008-06-02

    申请人: Onur Aciicmez Xinwen Zhang Jean-Pierre Seifert

    发明人: Onur Aciicmez Xinwen Zhang Jean-Pierre Seifert

    IPC分类号: H04L9/06

    CPC分类号: H04L63/08 H04L63/04 H04L63/0823

    摘要: Methods and systems for regulating services provided by a first computing entity, such as a server, to a second computing entity, such as a client are described. A first entity receives a request for a service from a second entity over a network. The first entity determines whether the second entity has a trusted agent by examining an attestation report from the second entity. The first entity transmits a message to the second entity. The trusted agent on the second entity may receive the message. A response is created at the second computing entity and received at the first entity. The first entity then provides the service to the second entity. The first entity may transmit an attestation challenge to the second entity and in response receives an attestation report from the second entity.

    摘要翻译: 描述用于将第一计算实体(诸如服务器)提供的服务调整到诸如客户端的第二计算实体的方法和系统。 第一实体通过网络从第二实体接收对服务的请求。 第一实体通过检查来自第二实体的证明报告来确定第二实体是否具有可信代理。 第一实体向第二实体发送消息。 第二实体上的可信代理可以接收消息。 在第二计算实体处创建并在第一实体处接收到响应。 然后,第一实体将服务提供给第二实体。 第一实体可以向第二实体发送认证挑战,并且在响应中接收到来自第二实体的认证报告。

    SECURING CPU AFFINITY IN MULTIPROCESSOR ARCHITECTURES
    27.
    发明申请
    SECURING CPU AFFINITY IN MULTIPROCESSOR ARCHITECTURES 有权
    在多处理器架构中保护CPU的优势

    公开(公告)号:US20090126006A1

    公开(公告)日:2009-05-14

    申请号:US11937320

    申请日:2007-11-08

    申请人: Xinwen Zhang Jean-Pierre Seifert Onur Aciicmez Qingwei Ma

    发明人: Xinwen Zhang Jean-Pierre Seifert Onur Aciicmez Qingwei Ma

    IPC分类号: G06F21/02

    CPC分类号: G06F9/5033 G06F21/52 G06F21/62 G06F21/6281

    摘要: In an embodiment of the present invention, the ability for a user or process to set or modify affinities is restricted in order to method for control a multi-processor environment. This may be accomplished by using a reference monitor that controls a process' capability to retrieve and set its or another process' affinity. This aids in the prevention of security breaches.

    摘要翻译: 在本发明的一个实施例中,为了控制多处理器环境的方法,限制了用户或进程设置或修改关联性的能力。 这可以通过使用参考监视器来实现,该监视器控制过程检索和设置其或另一进程的亲和力的能力。 这有助于预防安全漏洞。

    Representation and verification of data for safe computing environments and systems
    30.
    发明授权
    Representation and verification of data for safe computing environments and systems 有权
    表示和验证安全计算环境和系统的数据

    公开(公告)号:US08788841B2

    公开(公告)日:2014-07-22

    申请号:US12256773

    申请日:2008-10-23

    申请人: Onur Aciicmez Jean-Pierre Seifert Xinwen Zhang Afshin Latifi

    发明人: Onur Aciicmez Jean-Pierre Seifert Xinwen Zhang Afshin Latifi

    IPC分类号: G06F21/00 G06F17/30 G06F21/56 H04L9/06

    CPC分类号: G06F17/30516 G06F21/565 G06F21/64 H04L9/0643

    摘要: Techniques for representation and verification of data are disclosed. The techniques are especially useful for representation and verification of the integrity of data (integrity verification) in safe computing environments and/or systems (e.g., Trusted Computing (TC) systems and/or environments). Multiple independent representative values can be determined independently and possibly in parallel for respective portions of the data. The independent representative values can, for example, be hash values determined at the same time for respective distinct portions of the data. The integrity of the data can be determined based on the multiple hash values by, for example, processing them to determine a single hash value that can serve as an integrity value.

    摘要翻译: 公开了用于表示和验证数据的技术。 这些技术对于在安全计算环境和/或系统(例如,可信计算(TC)系统和/或环境)中的数据完整性(完整性验证)的表示和验证特别有用。 可以针对数据的各个部分独立且可能并行地确定多个独立代表值。 独立代表值可以例如是数据的相应不同部分同时确定的散列值。 可以通过例如处理它们来确定可以用作完整性值的单个散列值,基于多个散列值来确定数据的完整性。