摘要:
Techniques are disclosed to provide security for graphical user interface elements being displayed in a system in which a first, host operating system is used along with a second, high assurance operating system, where the first system provides at least some of the infrastructure for the second system. Graphical user interface elements associated with the high-assurance operating system are prevented from being obscured and from any partial transparency. Additionally, a piece of secret information is stored which can be displayed upon command by graphical user interface elements associated with the high-assurance operating system. Coordinating certain elements of the display of all graphical user interface elements associated with the high assurance operating system also helps to identify legitimate elements associated with the high assurance operating system, as opposed to impostor elements which are not. Where a windowing system is used, public title information is furnished to a host operating system windowing system to identify a window owned by a process running on a high-assurance operating system. Private title information associated with the same window is used only in the high assurance operating system.
摘要:
Techniques are disclosed to provide security for user input in which a first, host operating system is used along with a second, high assurance operating system, where the first system provides at least some of the infrastructure for the second system. Two modes are presented. In a first mode, user data is passed to the host operating system. In a second mode, user data is retained in the second operating system for the use of the second operating system or processes running on the second operating system. Transitions between the nodes can be accomplished according to hypothecated user actions such as keystroke combinations, or when the user performs an action which indicates a programmatic activation of a process running in the second operating system. Where shadow graphical elements are run by the first operating system to indicate the location of graphical elements from processes running on the second operating system, this programmatic activation may be indicated by programmatic activation of a shadow graphical element.
摘要:
A security device watches over the secure functionality in a computer system. This “watcher” security device may be integrated within the computer system or may be separate from it. The security device queries the secure functionality to determine whether the state of the secure functionality is acceptable. If no satisfactory state exists, or if no response is received, then a signal is transmitted. The signal may be auditory (a buzzer) or visual (a flashing light) in order to signal to any user that the secure functionality has been compromised. Optionally, human input devices may be disabled, or a monitoring service notified, in conjunction with or in lieu of the signal. If the secure functionality includes a secret shared between the secure functionality and the user, then the security device may signal the secret. For example, where the secret is visual, the security device may display the secret. Where there is more than one element of secure functionality in the computer system, the security device may separately watch and report on more than one element of secure functionality. The security device may also display status information regarding the computer system. Some or all of the security device may be distributed via a trusted distribution infrastructure.
摘要:
Techniques are disclosed to provide security for user output and input in which a first, host operating system is used along with a second, high assurance operating system (nexus), where the first system provides at least some of the infrastructure for the second system. A trusted UI engine has a trusted input manager and a trusted output manager. The trusted input manager controls access to trusted input, distributing decrypted input to the host operating system where appropriate, or to the appropriate process running in the nexus. The trusted output manager manages output to the display, and allows trusted agents in the nexus to output data for display without needing to be aware of output-device-dependent details.
摘要:
Techniques are disclosed to provide security for user input in which a first, host operating system is used along with a second, high assurance operating system, where the first system provides at least some of the infrastructure for the second system. Two modes are presented. In a first mode, user data is passed to the host operating system. In a second mode, user data is retained in the second operating system for the use of the second operating system or processes running on the second operating system. Transitions between the nodes can be accomplished according to hypothecated user actions such as keystroke combinations, or when the user performs an action which indicates a programmatic activation of a process running in the second operating system. Where shadow graphical elements are run by the first operating system to indicate the location of graphical elements from processes running on the second operating system, this programmatic activation may be indicated by programmatic activation of a shadow graphical element.
摘要:
Methods for maintaining the security of a secured execution environment on a system comprising said secured execution environment and a second execution environment are disclosed. A maintained current state for the secured execution environment is selected from among a group of possible states including a standard input mode state and a nexus input mode state. A flow of user input is directed according to the current state through a secure kernel of both the second environment and the secured execution environment.
摘要:
Methods for maintaining the security of a secured execution environment on a system comprising said secured execution environment and a second execution environment are disclosed. A maintained current state for the secured execution environment is selected from among a group of possible states including a standard input mode state and a nexus input mode state. A flow of user input is directed according to the current state through a secure kernel of both the second environment and the secured execution environment.
摘要:
Access to an authentication image may be protected so that only authenticated processes have access to the image. The image can be displayed to authenticate a User Interface (UI) to a computer user. The image indicates the UI can be trusted. If the image is not displayed, it may be that an application UI is “spoofed” to trick a user into providing sensitive information. Additionally, a large variety of different images can be used as authentication images, so spoofing one image be recognized by most users. A set of original images may be provided, along with image modification processes which can generate a large number of variations. Techniques for authenticating UIs in a virtual machine context are provided. A secure attention sequence is also provided, which allows users to test whether processes running on a computer are authenticated.
摘要:
The claimed subject matter provides a system or method for managing software changes. An exemplary method comprises creating a reset boot loader, a last known good (LKG) boot loader, and a current boot loader, then pointing the reset boot loader, LKG boot loader, and current boot loader to a parent virtual hard disk (VHD) containing a default master image. An operation to perform is determined, and a service partition is booted into. The LKG boot loader or current boot loader is pointed to a child VHD loaded with another desired image based on the operation selected, and the system is rebooted into the parent VHD or child VHD pointed to by the current boot loader.
摘要:
A retaining formation defined on a brake lever of an air disc brake includes a push fit/snap fit connection for releasably securing a push rod to a brake lever. The retaining formation can include a pinned connection and a ball and socket joint, and a main axis of the pinned connection is coincident with a center of rotation of the ball and socket joint. The retaining formation can include a concave formation on one of the push rod and the brake lever and a corresponding convex formation on the other of the push rod and the brake lever. The concave formation at least partially surrounds the convex formation to prevent axial separation of the push rod and the brake lever. A method of assembling a brake subassembly includes the steps of assembling a push rod and a brake lever including a retaining formation such that at least a portion of the retaining formation deforms during assembly and resiles when the push rod is assembled to the brake lever to provide a snap fit connection therebetween. Another method of manufacturing a retaining formation includes the steps of providing one of a push rod and a brake lever with a concave formation, providing the other of the push rod and the brake lever with a convex formation able to receive the concave formation, assembling the concave formation and the convex formation, mechanically working the one of the push rod and the brake lever with the concave formation such that the concave formation at least partially surrounds the convex formation to prevent axial separation of the push rod and the brake lever.