Method for prevention of recursive loops between network elements
    1.
    Granted invention patent
    Method for prevention of recursive loops between network elements (status: lapsed)

    Publication number: US07159032B2

    Publication date: 2007-01-02

    Application number: US09951410

    Filing date: 2001-09-14

    Applicants: Trevor Jim; Dan Suciu

    Inventors: Trevor Jim; Dan Suciu

    IPC classification: G06F15/173 G06F7/00 G01R31/28

    CPC classification: H04L45/00 H04L45/18

    Abstract: The occurrence of recursive loops between network elements is detected and prevented. One or more queries are generated that are sent between the network elements. One or more of the network elements detect the imminent occurrence of a recursive loop between the network elements, and prevent the recursive loop by generating an intensional answer in response to the query. The intensional answer contains rules.


    System and method for enforcing application security policies using authenticated system calls
    2.
    Granted invention patent
    System and method for enforcing application security policies using authenticated system calls (status: in force)

    Publication number: US07913092B1

    Publication date: 2011-03-22

    Application number: US11321479

    Filing date: 2005-12-29

    IPC classification: G06F11/30

    CPC classification: G06F21/54

    Abstract: Disclosed is an approach to system call monitoring in which authenticated system calls from an application are easily verified by an operating system kernel. The authenticated system call may be a system call augmented with extra arguments, which specify the policy for that call as well as a cryptographic message authentication code (MAC) that guarantees the integrity of the policy and the system call arguments. This extra information is used by the operating system kernel to verify the system call with little processing overhead. Versions of the applications in which regular system calls have been replaced by authenticated calls are generated automatically by a trusted installer program that reads the application binary, uses static analysis to generate policies, and then rewrites the binary with the authenticated calls. As a result, hacker attacks, malicious software and the like are less likely to be successful in compromising any computers or networks that employ such authenticated system calls.


    Method for integrating online and offline cryptographic signatures and providing secure revocation
    3.
    Granted invention patent
    Method for integrating online and offline cryptographic signatures and providing secure revocation (status: in force)

    Publication number: US06981148B1

    Publication date: 2005-12-27

    Application number: US09561806

    Filing date: 2000-04-29

    IPC classification: H04L9/00 H04L9/32 H04L29/06

    Abstract: A verification method and system including a verifier which can both interpret policies and determine if they are satisfied, and request and obtain relevant certificates. This new architecture includes a verifier which itself can both direct a retrieval mechanism and use a local database of information. Users and applications can obtain and supply certificates to the verifier and the local database. The verifier may invoke a retrieval mechanism to obtain necessary certificates from other authenticated data servers and store them in a secondary database. The flexibility to allow for both on-line and off-line authenticated data server responses for verification is encompassed, as is an enhanced system for security including revocation of certificates using a polarity discipline, which allows data used for revocation to be handled with the same system used for other verification data without imperiling security.


    Method for integrating online and offline cryptographic signatures and providing secure revocation
    4.
    Invention patent application
    Method for integrating online and offline cryptographic signatures and providing secure revocation (status: under examination, published)

    Publication number: US20060090075A1

    Publication date: 2006-04-27

    Application number: US11295417

    Filing date: 2005-12-06

    IPC classification: H04L9/00

    Abstract: A verification method and system including a verifier which can both interpret policies and determine if they are satisfied, and request and obtain relevant certificates. This new architecture includes a verifier which itself can both direct a retrieval mechanism and use a local database of information. Users and applications can obtain and supply certificates to the verifier and the local database. The verifier may invoke a retrieval mechanism to obtain necessary certificates from other authenticated data servers and store them in a secondary database. The flexibility to allow for both on-line and off-line authenticated data server responses for verification is encompassed, as is an enhanced system for security including revocation of certificates using a polarity discipline, which allows data used for revocation to be handled with the same system used for other verification data without imperiling security.
