Abstract:
Providing safe access of a data item accessed through one of a plurality of access channels while concurrently providing a policy check of the data item. An indication associated with accessing a data item through one access channel of a plurality of access channels may be received. In response to receiving the indication associated with accessing the data item, the data item may be automatically analyzed to determine whether the data item satisfies a policy. Also in response to receiving the indication associated with accessing the data item and while determining whether the data item satisfies the policy, safe access of the data item may be provided. Regardless of the access channel through which the data item was accessed, any of the policy check, the safe access, and the analysis of the data item may be the same.
Abstract:
The presently disclosed method and apparatus for sharing security metadata memory space proposes a technique to allow metadata sharing between two different encryption techniques. A section of memory encrypted using a first type of encryption and having first security metadata associated therewith is converted to a section of memory encrypted using a second type of encryption and having second security metadata associated therewith. At least a portion of said first security metadata shares a memory space with at least a portion of said second security metadata for a same section of memory.
Abstract:
Systems and methods are disclosed for detecting high-level functionality of an application executing on a computing device. One method comprises storing, in a secure memory, an application-specific virtual address mapping table for an application. The application-specific virtual address mapping table has several virtual address offsets in the application binary code mapped to corresponding target application functionalities. In response to launching the application, a process-specific virtual address mapping table is generated for an instance of an application process to be executed. The process-specific virtual address mapping table defines actual virtual addresses corresponding to the target application functionalities using the virtual address offsets in the application-specific virtual address mapping table. During execution of the application code, the method detects when one or more of the actual virtual addresses corresponding to the target application functionalities are executed based on the process-specific virtual address mapping table.
Abstract:
A copy is made of at least a part of a stack. A caller return address of a calling function in the stack is verified as trusted. A caller return address of a called function in the stack is verified as matching a source address of the calling function in the copy of the stack. If verification is affirmative, then the called function may be executed in a trusted domain.
Abstract:
Technologies for dynamic loading of integrity protected modules into a secure enclave include a computing device having a processor with secure enclave support. The computing device divides an executable image into multiple chunks, hashes each of the chunks with corresponding attributes that affect security to generate a corresponding hash value, and generates a hash tree as a function of the hash values. The computing device generates an initial secure enclave memory image that includes the root value of the hash tree. At runtime, the computing device accesses a chunk of the executable image from within the secure enclave, which generates a page fault. In response to the page fault, the secure enclave verifies the associated chunk based on the hash tree and accepts the chunk into the secure enclave in response to successful verification. The root value of the hash tree is integrity-protected. Other embodiments are described and claimed.
Abstract:
In one embodiment, a system includes: a processor; a security processor to execute in a trusted execution environment (TEE), the security processor to execute memory reference code (MRC) stored in a secure storage of the TEE to train a memory coupled to the processor; and the memory coupled to the processor. Other embodiments are described and claimed.
Abstract:
In one aspect there is provided a method. The method may include: determining that an executable implements a sub-execution environment, the sub-execution environment being configured to receive an input, and the input triggering at least one event at the sub-execution environment; intercepting the event at the sub-execution environment; and applying a security policy to the intercepted event, the applying of the policy comprises blocking the event, when the event is determined to be a prohibited event. Systems and articles of manufacture, including computer program products, are also provided.
Abstract:
The present invention relates to a method for authenticating software. The method comprises defining (41) a set of parameters to use for trace mapping the software, wherein the set of parameters represents the software functionality when executed. The method further comprises: a) creating (42) a trusted fingerprint that is created by trace mapping the software using the set of parameters when executed in a trusted environment; b) creating (43) an operating fingerprint that is created by trace mapping the software using the set of parameters when executed in an operating environment; c) comparing (44) the operating fingerprint with the trusted fingerprint, and identifying (45) any difference between the trusted fingerprint and the operating fingerprint; and d) when said operating fingerprint is non-identical with the trusted fingerprint, initiating (46) predefined action(s) in response to the identified differences between the trusted fingerprint and the operating fingerprint.