Abstract:
When a request is received to execute a virtualized application, a licensing/metering component determines whether a valid license exists for the requested application. If the licensing/metering component determines that a valid software license exists for the requested application, the application virtualization server component streams the virtualized application to a client device and permits the application to be executed. If the licensing/metering component determines that a valid software license does not exist for the requested application, the application virtualization server component prevents the virtualized application from being streamed to the client device. Once the virtualized application is streamed to the client device, the licensing/metering component monitors usage of the virtualized application.
Abstract:
A method and apparatus for resisting malicious code in a computing device. A software component corresponding to an operating system kernel is analyzed prior to executing the software component to detect the presence of one or more specific instructions such as malicious code, a change in mode permissions or instructions to modify or turn off security monitoring software, and a graduated action is taken in response to the detection of one or more specific instructions. The graduated action taken is specified by a security policy (or policies) stored on the computing device. The analyzing may include off-line scanning of a particular code or portion of code for certain instructions, or codes, or patterns, and includes scanning in real-time as the kernel or kernel module is loading while the code being scanned is not yet executing (i.e., it is not yet "on-line"). Analysis of other code proceeds according to policies.
Abstract:
Resource authorization policies and resource scopes may be defined separately, thereby decoupling a set of authorization rules from the scope of resources to which those rules apply. In one example, a resource includes anything that can be used in a computing environment (e.g., a file, a device, etc.). A scope describes a set of resources (e.g., all files in folder X, all files labeled "Y", etc.). Policies describe what can be done with a resource (e.g., "read-only," "read/write," "delete, if requestor is a member of the admin group," etc.). When scopes and policies have been defined, they may be linked, thereby indicating that the policy applies to any resource within the scope. When a request for the resource is made, the request is evaluated against all policies associated with scopes that contain the resource. If the conditions specified in the policies apply, then the request may be granted.
Abstract:
In embodiments of the present invention improved capabilities are described for a virtualization environment adapted for development and deployment of at least one software workload, the virtualization environment having a metamodel framework that allows the association of a policy to the software workload upon development of the workload that is applied upon deployment of the software workload. This allows a developer to define a security zone and to apply at least one type of security policy with respect to the security zone including the type of security zone policy in the metamodel framework such that the type of security zone policy can be associated with the software workload upon development of the software workload, and if the type of security zone policy is associated with the software workload, automatically applying the security policy to the software workload when the software workload is deployed within the security zone.
Abstract:
Application programming interface (API) calls made by an application are intercepted at runtime. A determination is made as to whether each intercepted API call is allowed or blocked by a restricted application execution environment. Each API call that is blocked by the restricted application execution environment is modified so that the API call is allowable such as, for instance, modifying the API call to execute against a shadow resource. Remediation code might also be executed at runtime to reformat the API call so that it is allowed to execute in the restricted application execution environment.
Abstract:
In order to enable potentially conflicting applications to execute on the same computer, application programming interface (API) calls are intercepted when an application attempts to access a computer system's resources. During a learning mode of operation, a security monitor stores data in a security monitor database identifying which applications are allowed to access the computer system resources. At runtime of an application, the security monitor operates in an enforcement mode and utilizes the contents of the security monitor database to determine if an application is permitted to access system resources. If data associated with the application is located in the security monitor database, the application is allowed to access computer system resources. If data associated with the application is not located in the security monitor database, the application is not allowed to access computer system resources.
Abstract:
Systems and methods of restricting access to mobile platform location information may involve receiving, via a link, location information for a mobile platform at a processor of the mobile platform, and preventing unauthorized access to the location information by an operating system associated with the mobile platform.
Abstract:
A method and system containing predetermined programmed software in Java, C/c, JavaScript and HTML is installed on a client PC containing a hard disk and is accessible via a browser. Programmed settings related to blocks and filters, protected by encryption, are stored on the hard disk. A "RADAR WEB" server is enabled for sending SMS and email to a parent for controlling the client PC and has stored therein listings of websites that can be accessed or blocked. A gateway communicates with the server for sending SMS or email to a parent.
Abstract:
Different instruction sets are provided for different units of execution such as threads, processes, and execution contexts. Execution units may be associated with instruction sets. The instruction sets may have mutually exclusive opcodes, meaning an opcode in one instruction set is not included in any other instruction set. When executing a given execution unit, the processor only allows execution of instructions in the instruction set that corresponds to the current execution unit. A failure occurs if the execution unit attempts to directly execute an instruction in another instruction set.