Enhancing digital rights management system security through policy enforcement
    1.
    发明申请
    Enhancing digital rights management system security through policy enforcement 有权
    通过政策执行增强数字版权管理系统的安全性

    公开(公告)号:US20050257271A1

    公开(公告)日:2005-11-17

    申请号:US10842061

    申请日:2004-05-10

    摘要: In order to allow for security beyond revocation lists, a policy regarding when permissions may be granted (in the form of a rights document, e.g. a use license or a certificate) is enforced. When a request is made for a rights document, the requester submits an account certificate which includes certain metadata regarding the requester. This metadata is analyzed to determine whether it meets a specific policy before the request is granted. If the request is not granted, the cause of the rejection may be overcome, for example by updating or upgrading some system component (hardware or software) in the requesting system. In certain cases, such an update to overcome a policy-based rejection may be performed transparently to the user.

    摘要翻译: 为了允许超出撤销列表的安全性,执行关于何时可以授予权限(以权利文档的形式,例如使用许可证或证书)的策略。 当为权利文件提出请求时,请求者提交一个帐户证书,其中包括有关请求者的某些元数据。 分析此元数据以确定在批准请求之前是否满足特定策略。 如果不允许请求,则可以克服拒绝的原因,例如通过更新或升级请求系统中的一些系统组件(硬件或软件)。 在某些情况下,可以透明地对用户执行这种克服基于策略的拒绝的更新。

    Enhancing digital rights management system security through policy enforcement
    2.
    发明授权
    Enhancing digital rights management system security through policy enforcement 有权
    通过政策执行增强数字版权管理系统的安全性

    公开(公告)号:US07376975B2

    公开(公告)日:2008-05-20

    申请号:US10842061

    申请日:2004-05-10

    IPC分类号: G06K9/00

    摘要: In order to allow for security beyond revocation lists, a policy regarding when permissions may be granted (in the form of a rights document, e.g. a use license or a certificate) is enforced. When a request is made for a rights document, the requester submits an account certificate which includes certain metadata regarding the requester. This metadata is analyzed to determine whether it meets a specific policy before the request is granted. If the request is not granted, the cause of the rejection may be overcome, for example by updating or upgrading some system component (hardware or software) in the requesting system. In certain cases, such an update to overcome a policy-based rejection may be performed transparently to the user.

    摘要翻译: 为了允许超出撤销列表的安全性,执行关于何时可以授予权限(以权利文档的形式,例如使用许可证或证书)的策略。 当为权利文件提出请求时,请求者提交一个帐户证书,其中包括有关请求者的某些元数据。 分析此元数据以确定在批准请求之前是否满足特定策略。 如果不允许请求,则可以克服拒绝的原因,例如通过更新或升级请求系统中的一些系统组件(硬件或软件)。 在某些情况下,可以透明地对用户执行这种克服基于策略的拒绝的更新。

    Import address table verification
    3.
    发明申请
    Import address table verification 有权
    导入地址表验证

    公开(公告)号:US20050198507A1

    公开(公告)日:2005-09-08

    申请号:US10794292

    申请日:2004-03-05

    IPC分类号: H04L9/00

    CPC分类号: G06F12/1416 G06F21/51

    摘要: The import address table of a software module is verified in order to prevent detouring attacks. A determination is made regarding which entries in the IAT must be verified; all of the entries may be verified or some subset of the entries that are critical may be verified. For each external function, the external module containing the external function is loaded, if it is not already loaded. The function address in the exported function table is found. That address is compared to the address for the function in the IAT. Additionally, the external module, in one embodiment, is verified to ensure that it has not been modified. For a delay load IAT, a similar procedure is followed; however the delay load IAT may be periodically checked to ensure that the delay load IAT entries are either valid (indicating that the external function has been bound) or in their initial state (indicating that no binding has yet occurred).

    摘要翻译: 验证软件模块的导入地址表,以防止迂回攻击。 确定必须验证IAT中的哪些条目; 可以验证所有条目,或者可以验证关键的条目的某些子集。 对于每个外部功能,如果外部模块尚未加载,则会加载包含外部功能的外部模块。 找到导出的功能表中的功能地址。 该地址与IAT中功能的地址进行比较。 此外,在一个实施例中,外部模块被验证以确保其未被修改。 对于延迟负载IAT,遵循类似的过程; 然而,可以定期检查延迟负载IAT以确保延迟负载IAT条目是有效的(指示外部功能已经被绑定)或处于其初始状态(指示还没有发生绑定)。

    Portion-level in-memory module authentication
    4.
    发明申请
    Portion-level in-memory module authentication 有权
    部分级内存模块认证

    公开(公告)号:US20060026569A1

    公开(公告)日:2006-02-02

    申请号:US10902244

    申请日:2004-07-29

    IPC分类号: G06F9/44

    CPC分类号: G06F21/51

    摘要: Dynamic run-time verification of a module which is loaded in memory (in whole or in part) for execution is enabled by using pre-computed portion-level verification data for portions of the module smaller than the whole (e.g. at the page-level). A portion of the module as loaded into memory for execution can be verified. Pre-computed portion-level verification data is retrieved from storage and used to verify the loaded portions of the executable. Verification data may be, for example, a digitally signed hash of the portion. Where the operating system loader has modified the portion for execution, the modifications are reversed, removing any changes performed by the operating system. If the portion has not been tampered, this will return the portion to its original pre-loaded state. This version is then used to determine validity using the pre-computed portion-level verification. Additionally, during execution of the module, new portions/pages of the module which are loaded can be verified to ensure that they have not been changed, and a list of hot pages of the module can be made, including pages to be continually reverified, in order to ensure that no malicious changes have been made in the module.

    摘要翻译: 通过对小于整个模块的部分(例如在页面级别)使用预先计算的部分级验证数据来启用加载在存储器(整体或部分)中用于执行的模块的动态运行时验证 )。 可以验证加载到存储器中用于执行的模块的一部分。 从存储器检索预先计算的部分级验证数据,并用于验证可执行文件的加载部分。 验证数据可以是例如该部分的经数字签名的散​​列。 在操作系统加载程序修改了执行部分的情况下,修改将相反,从而删除操作系统执行的任何更改。 如果该部分没有被篡改,这将使该部分恢复到原来的预加载状态。 然后使用该版本使用预先计算的部分级验证来确定有效性。 此外,在执行模块期间,可以验证装载的模块的新部分/页面,以确保它们未被更改,并且可以制作模块的热页面列表,包括要不断重新验证的页面, 以确保模块中不会发生恶意更改。