1. Safety and management of computing environments that may support unsafe components
    Type: Granted invention patent
    Status: Lapsed

    Publication number: US08621551B2

    Publication date: 2013-12-31

    Application number: US12106235

    Filing date: 2008-04-18

    IPC classification: G06F21/00

    Abstract: Techniques for managing and protecting computing environments are disclosed. A safe computing environment can be provided for ensuring the safety and/or management of a device. The safe computing environment can be secured by a safe component that isolates and protects it from unsafe computing environments which may also be operating. As a result, various security and management activities can be securely performed from a safe computing environment. A safe computing environment can, for example, be provided on a device as a safe virtual computing environment (e.g., a safe virtual machine) protected by a safe virtual computing monitor (e.g., a safe virtual machine monitor) from one or more other virtual computing environments that are not known or not believed to be safe for the device. It will also be appreciated that the safe components can, for example, be provided as trusted components for a device. As such, various trusted components (or agents) can operate in a trusted computing environment secured from interference by components that may not be trusted and perform various security and/or management tasks alone or in connection, for example, with other trusted components (e.g., trusted servers).

2. DETECTING UNAUTHORIZED USE OF COMPUTING DEVICES BASED ON BEHAVIORAL PATTERNS
    Type: Invention patent application
    Status: In force

    Publication number: US20090199296A1

    Publication date: 2009-08-06

    Application number: US12025678

    Filing date: 2008-02-04

    IPC classification: G06F11/00

    Abstract: Techniques for detecting unauthorized use (e.g., malicious attacks) of computing systems (e.g., computing devices) are disclosed. Unauthorized use can be detected based on patterns of use (e.g., behavioral patterns of use typically associated with a human being) of the computing systems. Acceptable behavioral pattern data can be generated for a computing system by monitoring the use of a support system (e.g., an operating system, a virtual environment) operating on the computing system. For example, a plurality of system support provider components of a support system (e.g., system calls, device drivers) can be monitored in order to generate the acceptable behavioral pattern data in a form which effectively defines an acceptable pattern of use (usage pattern) for the monitored system support provider components, thereby allowing detection of unauthorized use of a computing system by detecting any deviation from the acceptable pattern of use of the monitored system support provider components.

3. Detecting unauthorized use of computing devices based on behavioral patterns
    Type: Granted invention patent
    Status: In force

    Publication number: US08595834B2

    Publication date: 2013-11-26

    Application number: US12025678

    Filing date: 2008-02-04

    IPC classification: G06F21/00 H04L29/06

    Abstract: Techniques for detecting unauthorized use (e.g., malicious attacks) of computing systems (e.g., computing devices) are disclosed. Unauthorized use can be detected based on patterns of use (e.g., behavioral patterns of use typically associated with a human being) of the computing systems. Acceptable behavioral pattern data can be generated for a computing system by monitoring the use of a support system (e.g., an operating system, a virtual environment) operating on the computing system. For example, a plurality of system support provider components of a support system (e.g., system calls, device drivers) can be monitored in order to generate the acceptable behavioral pattern data in a form which effectively defines an acceptable pattern of use (usage pattern) for the monitored system support provider components, thereby allowing detection of unauthorized use of a computing system by detecting any deviation from the acceptable pattern of use of the monitored system support provider components.

4. Safe and efficient access control mechanisms for computing environments
    Type: Granted invention patent
    Status: In force

    Publication number: US08510805B2

    Publication date: 2013-08-13

    Application number: US12108455

    Filing date: 2008-04-23

    IPC classification: G06F15/16 H04L29/06 G06F17/30

    CPC classification: G06F12/1458

    Abstract: Improved techniques for controlling access to accessible components of computing environments are disclosed. The techniques, among other things, can be used to provide Mandatory Access Control (MAC) mechanisms for mobile and embedded systems. One or more accessible components (e.g., accessible resources) which a component may attempt to access are determined so that one or more access permissions can be stored in a manner in which they can be obtained if the component attempts to access the one or more accessible components, thereby allowing access to the one or more accessible components to be determined based on access permissions that are readily available. Generally, access permissions can be identified and stored in anticipation of need. Access permissions can be identified, for example, based on the likelihood of use, or all possible access permissions can be determined and stored. A safe (e.g., trusted) access controlling (or monitoring) system (or component) can control access to resources of a computing environment. For example, a trusted access monitoring system can be provided in a secure and trusted operating environment utilizing the Mandatory Access Control (MAC) capabilities of a secure operating system (e.g., an SELinux operating system).

5. VERIFICATION OF INTEGRITY OF COMPUTING ENVIRONMENTS FOR SAFE COMPUTING
    Type: Invention patent application
    Status: Pending (published application)

    Publication number: US20090300049A1

    Publication date: 2009-12-03

    Application number: US12132541

    Filing date: 2008-06-03

    IPC classification: G06F17/00

    CPC classification: G06F21/57

    Abstract: Improved verification techniques for verification of the integrity of various computing environments and/or computing systems are disclosed. Verifiable representative data can effectively represent verifiable content of a computing environment, thereby allowing the integrity of the computing environment to be verified based on the verifiable representative data instead of the content being represented. Verifiable representative data can effectively include selected portions of the content (e.g., selected content which may be of general and/or specific security interest) and can be generally smaller than the verifiable content it represents. As such, it may generally be more efficient to use the verifiable representative data instead of the content it represents. Verifiable representative data can also be organized. By way of example, unstructured content (e.g., a configuration file written in text) can be effectively transformed based on a scheme (e.g., an XML schema) into structured text-based content written in a structured language (e.g., XML). Verifiable organized representative data can be organized in accordance with various organizational aspects including, for example, structure, semantics, parameter verification, parameter simplification, and other organizational rules and/or preferences. The organization of verifiable organized representative data can be verified as an additional measure of its integrity and, by and large, of the integrity of the computing environment and/or system being effectively represented by the verifiable representative data.

6. Active access monitoring for safer computing environments and systems
    Type: Granted invention patent
    Status: Lapsed

    Publication number: US08631468B2

    Publication date: 2014-01-14

    Application number: US12267990

    Filing date: 2008-11-10

    IPC classification: G06F17/30 G06F7/04 G06F15/16

    CPC classification: G06F21/554

    Abstract: Techniques for controlling access are disclosed. The techniques can be used for reference monitoring in various computing systems (e.g., computing devices), including those that may be relatively more susceptible to threats (e.g., mobile phones). Allowed access can be disallowed. In other words, permission to access a component can be effectively withdrawn even though access may be on-going. After permission to access a component has been allowed, one or more disallow-access conditions or events can be effectively monitored in order to determine whether to withdraw the permission to access the component. As a result, allowed access to the component can be disallowed. Access can be disallowed by effectively considering the behavior of a component in the aggregate and/or over a determined amount of time. By way of example, a messaging application can be disallowed access to a communication port if the messaging application sends more messages than an acceptable limit during a session or in 4 hours. Disallow-access policies, rules and/or conditions can be defined and modified, for example, by end-users and system administrators, allowing a customizable and flexible security environment that is more adaptable to change.

7. Representation and verification of data for safe computing environments and systems
    Type: Granted invention patent
    Status: In force

    Publication number: US08788841B2

    Publication date: 2014-07-22

    Application number: US12256773

    Filing date: 2008-10-23

    Abstract: Techniques for representation and verification of data are disclosed. The techniques are especially useful for representation and verification of the integrity of data (integrity verification) in safe computing environments and/or systems (e.g., Trusted Computing (TC) systems and/or environments). Multiple independent representative values can be determined independently, and possibly in parallel, for respective portions of the data. The independent representative values can, for example, be hash values determined at the same time for respective distinct portions of the data. The integrity of the data can be determined based on the multiple hash values by, for example, processing them to determine a single hash value that can serve as an integrity value.

8. Integrating hashing and decompression of compressed data for safe computing environments and systems
    Type: Granted invention patent
    Status: Lapsed

    Publication number: US07847710B2

    Publication date: 2010-12-07

    Application number: US12268001

    Filing date: 2008-11-10

    IPC classification: H03M7/34 H03M7/38

    CPC classification: H03M7/3086 H03M7/30

    Abstract: Techniques for hashing and decompression of data are disclosed. Hashing and decompression of compressed data can be integrated in order to effectively hash and decompress the compressed data at the same time. The integrated hashing and decompression techniques of the invention are useful for any computing environment and/or system where compressed data is hashed and decompressed. The invention is especially useful for a safe computing environment and/or system (e.g., a Trusted Computing (TC) computing environment) where hashing and decompression of compressed data can be routinely performed. The integrity of a computing environment and/or system can be protected by integrating the decompressing and hashing of the compressed data, or effectively hashing and decompressing the compressed data at the same time. A combined hashing and decompression function can be provided based on conventional hashing and compression functions by integrating their similar components in an efficient manner.

9. SAFETY AND MANAGEMENT OF COMPUTING ENVIRONMENTS THAT MAY SUPPORT UNSAFE COMPONENTS
    Type: Invention patent application
    Status: Lapsed

    Publication number: US20090265756A1

    Publication date: 2009-10-22

    Application number: US12106235

    Filing date: 2008-04-18

    IPC classification: G06F21/00 H04L9/00 G06F17/00

    Abstract: Techniques for managing and protecting computing environments are disclosed. A safe computing environment can be provided for ensuring the safety and/or management of a device. The safe computing environment can be secured by a safe component that isolates and protects it from unsafe computing environments which may also be operating. As a result, various security and management activities can be securely performed from a safe computing environment. A safe computing environment can, for example, be provided on a device as a safe virtual computing environment (e.g., a safe virtual machine) protected by a safe virtual computing monitor (e.g., a safe virtual machine monitor) from one or more other virtual computing environments that are not known or not believed to be safe for the device. It will also be appreciated that the safe components can, for example, be provided as trusted components for a device. As such, various trusted components (or agents) can operate in a trusted computing environment secured from interference by components that may not be trusted and perform various security and/or management tasks alone or in connection, for example, with other trusted components (e.g., trusted servers).

10. Secure multicast content delivery
    Type: Granted invention patent
    Status: In force

    Publication number: US08218772B2

    Publication date: 2012-07-10

    Application number: US12165201

    Filing date: 2008-06-30

    IPC classification: H04L9/00

    Abstract: In one embodiment, a method for establishing a secure multicast channel between a service provider and a terminal is provided. A request is received from the service provider for a configuration of the terminal. A configuration of the terminal at a first time is sent to the service provider. A security key is obtained, wherein the security key is bound to the configuration of the terminal at the first time. Then the security key is decrypted using a configuration of the terminal at a second time, wherein the decryption fails if the configuration of the terminal at the second time is not identical to the configuration of the terminal at the first time. A secure multicast channel is then established with the service provider using the security key.
