Execution allocation cost assessment for computing systems and environments including elastic computing systems and environments
    1.
    Granted patent
    Status: in force

    Publication number: US08239538B2

    Publication date: 2012-08-07

    Application number: US12609970

    Filing date: 2009-10-30

    IPC classification: G06F15/173

    Abstract: Techniques for assessing the cost of allocation of execution and affecting the allocation of execution are disclosed. The cost of allocation of execution to or between a first computing device (e.g., a mobile device) and one or more computing resource providers (e.g., one or more Clouds) can be determined during runtime of the executable code. It will be appreciated that a computing system can operate independently of the first computing device and one or more computing resource providers and provide execution allocation cost assessment as a service to the first computing device and/or one or more computing resource providers. Execution allocation cost can be assessed (or determined) based on execution allocation data pertaining to the first computing device and/or one or more computing resource providers. By way of example, power consumption of a mobile device can be used as a factor in determining how to allocate individual components of an application program (e.g., weblets) between a mobile phone and a Cloud. The invention is especially suited for Elastic computing environment and systems. In an Elastic computing environment, scalable and dynamic external computing resources can be used in order to effectively extend the computing capabilities beyond that which can be provided by internal computing resources of a computing system or environment.

    EXECUTION ALLOCATION COST ASSESSMENT FOR COMPUTING SYSTEMS AND ENVIRONMENTS INCLUDING ELASTIC COMPUTING SYSTEMS AND ENVIRONMENTS
    2.
    Patent application
    Status: in force

    Publication number: US20100131592A1

    Publication date: 2010-05-27

    Application number: US12609970

    Filing date: 2009-10-30

    IPC classification: G06F9/50 G06F15/16 G06F15/173

    Abstract: Techniques for assessing the cost of allocation of execution and affecting the allocation of execution are disclosed. The cost of allocation of execution to or between a first computing device (e.g., a mobile device) and one or more computing resource providers (e.g., one or more Clouds) can be determined during runtime of the executable code. It will be appreciated that a computing system can operate independently of the first computing device and one or more computing resource providers and provide execution allocation cost assessment as a service to the first computing device and/or one or more computing resource providers. Execution allocation cost can be assessed (or determined) based on execution allocation data pertaining to the first computing device and/or one or more computing resource providers. By way of example, power consumption of a mobile device can be used as a factor in determining how to allocate individual components of an application program (e.g., weblets) between a mobile phone and a Cloud. The invention is especially suited for Elastic computing environment and systems. In an Elastic computing environment, scalable and dynamic external computing resources can be used in order to effectively extend the computing capabilities beyond that which can be provided by internal computing resources of a computing system or environment.

    Execution allocation cost assessment for computing systems and environments including elastic computing systems and environments
    3.
    Granted patent
    Status: lapsed

    Publication number: US08775630B2

    Publication date: 2014-07-08

    Application number: US13492772

    Filing date: 2012-06-08

    Abstract: Techniques for assessing the cost of allocation of execution and affecting the allocation of execution are disclosed. The cost of allocation of execution between a first computing device (e.g., mobile device) and one or more computing resource providers (e.g., Clouds) can be determined during runtime of the code. A computing system can operate independently of the first computing device and a computing resource provider and provide execution allocation cost assessment. Execution allocation cost can be assessed based on execution allocation data pertaining to the first computing device and computing resource providers. Power consumption of a mobile device can be used as a factor in determining how to allocate individual components of an application program between a mobile phone and a Cloud. In an Elastic computing environment, external computing resources can be used to extend the computing capabilities beyond that which can be provided by internal computing resources.

    SHARING INPUT/OUTPUT (I/O) RESOURCES ACROSS MULTIPLE COMPUTING SYSTEMS AND/OR ENVIRONMENTS
    4.
    Patent application
    Status: under examination (published)

    Publication number: US20100293559A1

    Publication date: 2010-11-18

    Application number: US12464507

    Filing date: 2009-05-12

    IPC classification: G06F9/46 G06F3/00

    CPC classification: G06F9/4411

    Abstract: Techniques for achieving Input/Output (I/O) coalition across multiple computing systems and/or environments (e.g., computing devices) are disclosed. I/O coalition can be achieved by allowing one or more internal I/O devices of a first computing device to be effectively shared with a second computing device while one or more I/O devices of the second computing device are effectively shared with the first computing device. An Input-Output Coalition Management (IOCM) system can be provided for each of the computing devices to facilitate I/O coalition between them. An IOCM system can, for example, be provided as a Virtual Input-Output Computing Environment (VIOCE). By way of example, one or more Virtual Machines (VMs) can be provided to effectively support one or more Virtual Device Drivers (VDDs). An IOCM system can also be provided as and/or by an Operating System (OS). Furthermore, an IOCM system of a first computing device can be operable to switch between: (i) use of a first I/O device of the first computing device, (ii) use of a second I/O device of a second computing device, and (iii) use of a third I/O device of a third computing device.

    Secure multicast content delivery
    5.
    Granted patent
    Status: in force

    Publication number: US08218772B2

    Publication date: 2012-07-10

    Application number: US12165201

    Filing date: 2008-06-30

    IPC classification: H04L9/00

    Abstract: In one embodiment, a method for establishing a secure multicast channel between a service provider and a terminal is provided. A request is received from the service provider for a configuration of the terminal. A configuration of the terminal at a first time is sent to the service provider. A security key is obtained, wherein the security is bound to the configuration of the terminal at the first time. Then the security key is decrypted using a configuration of the terminal at a second time, wherein the decryption fails if the configuration of the terminal at the second time is not identical to the configuration of the terminal at the first time. A secure multicast channel is then established with the service provider using the security key.

    Securing CPU affinity in multiprocessor architectures
    6.
    Granted patent
    Status: in force

    Publication number: US08136153B2

    Publication date: 2012-03-13

    Application number: US11937320

    Filing date: 2007-11-08

    IPC classification: G06F13/00

    Abstract: In an embodiment of the present invention, the ability for a user or process to set or modify affinities is restricted in order to control a multi-processor environment. This may be accomplished by using a reference monitor that controls a process' capability to retrieve and set its or another process' affinity. This aids in the prevention of security breaches.

    Security-enhanced storage devices using media location factor in encryption of hidden and non-hidden partitions
    7.
    Granted patent
    Status: lapsed

    Publication number: US08112634B2

    Publication date: 2012-02-07

    Application number: US12132862

    Filing date: 2008-06-04

    IPC classification: G06F11/30 G06F12/14

    CPC classification: H04L9/0872

    Abstract: Methods and devices for increasing or hardening the security of data stored in a storage device, such as a hard disk drive, are described. A storage device provides for increased or hardened security of data stored in hidden and non-hidden partitions of a storage medium in the device. An algorithm may be utilized for deriving a key that is used to encrypt or decrypt text before it is read from or written to the hard disk. The algorithm accepts as input a specific media location factor, such as an end address or start address of the block where the text is being read from or written to, and a secret key of the storage component. The output of the algorithm is a final key that may be used in the encryption and decryption process. Thus, in this manner, the final key is dependent on the location of the block where the data is being written or read, thereby making it more difficult to tamper with the data, which may be stored in a hidden or non-hidden partition of a hard disk.

    Method and system for securing instruction caches using substantially random instruction mapping scheme
    8.
    Granted patent
    Status: in force

    Publication number: US08055848B2

    Publication date: 2011-11-08

    Application number: US12183689

    Filing date: 2008-07-31

    IPC classification: G06F12/08

    CPC classification: G06F12/1408 G06F12/0842

    Abstract: A method and system is provided for securing micro-architectural instruction caches (I-caches). Securing an I-cache involves maintaining a different substantially random instruction mapping policy into an I-cache for each of multiple processes, and for each process, performing a substantially random mapping scheme for mapping a process instruction into the I-cache based on the substantially random instruction mapping policy for said process. Securing the I-cache may further involve dynamically partitioning the I-cache into multiple logical partitions, and sharing access to the I-cache by an I-cache mapping policy that provides access to each I-cache partition by only one logical processor.

    CONSISTENT SECURITY ENFORCEMENT FOR SAFER COMPUTING SYSTEMS
    9.
    Patent application
    Status: under examination (published)

    Publication number: US20100162240A1

    Publication date: 2010-06-24

    Application number: US12343154

    Filing date: 2008-12-23

    IPC classification: G06F9/455

    CPC classification: G06F21/577

    Abstract: Security can be enforced in a consistent manner with respect to various computing environments that may be operable in a computing system. Consistent security criteria can be generated, based on input security criterion, in a computer readable and storable form and stored in a computer readable storage medium, thereby allowing the consistent security criterion to be effectively provided to a computing system for enforcement of the input security criterion in a consistent manner with respect to, for example, (a) a first executable computer code effectively supported by an Operating System (OS), and (b) a second computer code effectively supported by the Virtual Computing Environment (VCE). A Trusted Component (TC) can effectively provide a consistent security criterion as a part and/or form that is suitable for a particular computing environment. The TC can, for example, be an automated tool that performs various functions including: verifying the consistency of security criteria, generation and deployment of consistent security criteria, and transformation of security criteria to parts and/or forms suitable for various computing environments. In addition, a Virtual Computing Environment (VCE) can obtain from the Operating System (OS) one or more security criteria. The Virtual Computing Environment (VCE) can be operable in a Trusted Computing Environment (TCE) and interface with a Trusted Operating System (TOS) that effectively enforces Mandatory Access Control (MAC), thereby allowing the Virtual Computing Environment (VCE) to leverage the security provided by the OS. The OS can, for example, be a Security-Enhanced Linux (SELinux) Operating System operating as a Trusted Component in a Trusted Environment that includes a Trusted Security Agent (TSA) operable to deploy consistent security criteria.

    DETECTING UNAUTHORIZED USE OF COMPUTING DEVICES BASED ON BEHAVIORAL PATTERNS
    10.
    Patent application
    Status: in force

    Publication number: US20090199296A1

    Publication date: 2009-08-06

    Application number: US12025678

    Filing date: 2008-02-04

    IPC classification: G06F11/00

    Abstract: Techniques for detecting unauthorized use (e.g., malicious attacks) of the computing systems (e.g., computing devices) are disclosed. Unauthorized use can be detected based on patterns of use (e.g., behavioral patterns of use typically associated with a human being) of the computing systems. Acceptable behavioral pattern data can be generated for a computing system by monitoring the use of a support system (e.g., an operating system, a virtual environment) operating on the computing system. For example, a plurality of system support provider components of a support system (e.g., system calls, device drivers) can be monitored in order to generate the acceptable behavioral pattern data in a form which effectively defines an acceptable pattern of use (usage pattern) for the monitored system support provider components, thereby allowing detection of unauthorized use of a computing system by detecting any deviation from the acceptable pattern of use of the monitored system support provider components.
