Patent application number | Description | Published |
--- | --- | --- |
20080235755 | Firewall propagation - Methods and systems for propagating data security policies and rules up a chain of network components, for example, from an end-user device having a firewall, to a network component at the “edge” of the network, such as a so-called “edge” firewall server, from where a policy statement can be transmitted to a service provider, such as an ISP, are described. A device, such as a computer or mobile phone, has, as part of its firewall software, a policy propagation file that communicates with pre-existing firewall software. The firewall software creates a policy statement upon detecting a triggering event, which is transmitted from the device to the next data security component up the chain, “upstream,” in the network. In some cases this device may be a firewall server or a firewall policy server. The firewall server may combine policy statements from numerous end-user type devices and transmit the combined policy statement to an external network component, such as an ISP firewall server or similar device. The ISP or other service provider may then use the policy statement to implement data security rules for the devices in the network. In this manner, the firewall operated by the ISP implements rules and policies of a network owner or the owner of a stand-alone device, thereby preventing unwanted traffic from entering the network. | 09-25-2008 |
20080281953 | Managing network components using USB keys - Devices and methods for managing a communications network include using USB keys to provision and manage components in the network by having the network component establish a connection to a network administrator device, such as a laptop, PDA, or desktop workstation. A first USB key is used to provision a network component so that it has the necessary security information to interact with a second USB key, which is used to enable actual management of the component. Once the component has the security information, the second USB key is inserted and certain callback data are made available to the component. It uses this data to make a “call” or connection to an administrator's device. The callback data may be an IP address of the device, an e-mail address, VoIP data, instant messaging data, dial-up data, and so on. Once the connection, initiated and established by the network component, is made, the administrator can begin managing the component. | 11-13-2008 |
20090158282 | Hardware acceleration for large volumes of channels - A method, apparatus, and system for hardware acceleration for large volumes of channels are described. In an embodiment, the invention is a method. The method includes monitoring an inbound queue for hardware jobs. The method further includes detecting an interrupt from a hardware component. The method also includes transferring a job from the inbound queue to the hardware component. The method may further include transferring a completed job from the hardware component to an outbound queue. The method may also include providing an indication of completion of a job in an outbound queue. | 06-18-2009 |
20090222916 | EMBEDDED PATCH MANAGEMENT - A method, system, and apparatus are provided for embedded patch management. In one embodiment, a method is provided. The method includes receiving a call to a code module. The method further includes checking a guardian stack for indications of authorization. The guardian stack is separate from the execution stack. The method also includes passing the call to an internal code module. Moreover, the method includes executing the code module. | 09-03-2009 |
20100088769 | PREVENTING EXECUTION OF TAMPERED APPLICATION CODE IN A COMPUTER SYSTEM - Methods and systems for preventing an application which has been maliciously or inadvertently tampered with from causing harm to a computer system are described. Application code of the tampered application is inputted into a code analyzer. The code is analyzed, and functions within the application code are identified and examined. Multiple profiles are created and each identified function is assigned a profile. A profile may be a description of how a function is intended to operate, that is, the function's expected behavior. Multiple replacement functions are created using a first set of functions, where each function is called by the identified functions, and a second set of functions, where each function in the second set calls the identified function. Calls between functions are examined and a called function is replaced with a replacement function, such that a call to an original function results in a call to the replacement function. The original function is unaware that it is not getting function calls or that such calls are being directed to a replacement function or stub. A replacement function contains code to ensure that the user space maintains its original appearance. | 04-08-2010 |
20120066366 | AGENT-BASED BANDWIDTH MONITORING FOR PREDICTIVE NETWORK SELECTION - A mobile device, such as a smartphone or a laptop, connects to a network based on the available bandwidth (throughput) of the network rather than on signal strength. The device may send a request containing the device's location to a service provider that has data on networks in the device's location and specifically on bandwidth or pipe performance. This data is used to determine which network in the area would be best to connect to. The network may be one that does not necessarily have the highest signal strength (often shown as bars on a handset device). The service provider can cause the device to transition to the network having the higher bandwidth. It can also direct the user so that blackout areas are avoided, using the network data maintained by the provider. The provider uses testers to obtain current bandwidth data of networks. | 03-15-2012 |
20120137364 | REMOTE ATTESTATION OF A MOBILE DEVICE - Secure services and hardware on a mobile device are disabled if it is detected that software in the untrusted domain, such as the operating system, has been hacked or tampered with. Mobile devices often have rich, unprotected operating systems which are vulnerable to hacking, especially from execution of one or more apps. These apps are separated from secure services on the device, such as e-wallet services, NFC functionality, camera, enterprise access, and the like, and the present invention ensures that tampering with code in the untrusted domain or operating system does not affect these and other secure services. If tampering in the untrusted space is detected, the secure services and possibly hardware on the device are shut down or disabled. The extent of this disablement may depend on various factors, such as use of the device, type of device, and the context in which the device is used (e.g., military, enterprise). | 05-31-2012 |
20120210443 | SECURING AND MANAGING APPS ON A DEVICE - Apps are secured or security-wrapped either before they are downloaded onto a device, such as a smartphone or tablet device, or after they are downloaded but before they are allowed to access the device operating system and cause any potential damage to the device. An app provider, such as an employer or a cellphone provider, can secure its apps before consumers download an app from their app store or marketplace. The app is secured before it is allowed to access the operating system of the device, thereby preventing the app from malicious behavior. Core object code of the app is obtained and the digital signature is removed. App object code is substituted with security program object code, thereby creating a security-wrapped app. The security-wrapped app is prepared for execution on the device and is re-signed with a new key. | 08-16-2012 |
20120246484 | SECURE EXECUTION OF UNSECURED APPS ON A DEVICE - Given the volume of apps being developed and downloaded, performing operations to enable security for mobile devices, such as locating relevant classes and substituting different classes, can become very inefficient when done to a very high number of apps. In the invention, a device is enabled with an app security enforcement layer. The consumer can download unsecured apps and have the app execute on the phone in a secure manner, where potential data loss to the device, such as a smart phone or tablet, is minimized. To make the security wrapping process more efficient, an app template containing markers is created. This template is merged with data in an active user policy or is used to randomize or obfuscate the code to add more security. The process of security wrapping an app becomes more efficient. | 09-27-2012 |
20120246731 | SECURE EXECUTION OF UNSECURED APPS ON A DEVICE - Devices are pre-deployed with an app security mechanism to ensure that apps that are downloaded onto the device do not cause data loss, data leakage, or other harm to the device. A user can start using the device and downloading apps in a conventional or typical manner and be assured that security measures are being taken to minimize potential harm for unsecured and secured apps. An app security enforcement layer or engine operates with, for example, a Type 2 hypervisor on the device, and ensures that any calls by the apps to the operating system of the device are generally safe. Measures such as enhancing or modifying the call, obfuscating the call, or terminating the app may be taken to protect the operating system. These actions are taken based on a policy that may be either interpreted or compiled by the enforcement engine with respect to app execution. The security measures are generally transparent to the user of the device. | 09-27-2012 |
20120304310 | SECURE EXECUTION OF UNSECURED APPS ON A DEVICE - An app is secured on a mobile device by being deconstructed or unbundled into multiple modules, where a module is a segment of app code that performs a particular function. It is then determined which modules from the multiple modules perform some type of security function, for example, a function dealing with confidential or security-related data. These modules, forming a group of modules, are loaded into a trusted execution environment. The app is then re-bundled so that it contains both the modules loaded into the trusted execution environment and the remaining modules. The app executes in a manner where the high-security functions run such that break points cannot be inserted into the app code. The re-bundling is done automatically in an app security wrapping process. Security constraints are added to the app. | 11-29-2012 |
20130138969 | PREVENTING GLITCHING OF A FIRMWARE IMAGE USING ONE OR MORE LAYERS OF RANDOMNESS - Layers and elements of randomness are introduced to the firmware image comparison process to prevent hackers from glitching or tampering with the firmware image on a computing device. A hash function is applied to the firmware image thereby obtaining a first hash value. Random blocks of data are selected from the firmware image before it is hashed. Each or some of the random blocks of the firmware image are hashed thereby providing a hash value for the random blocks. The hash values are combined to derive a second hash value. The first hash value and the second hash value are combined to derive a final hash value. The final hash value is digitally signed and compared to a stored hash value. If the two match, a random non-zero value is stored in the relevant register. | 05-30-2013 |
20130247147 | CREATING A VIRTUAL PRIVATE NETWORK (VPN) FOR A SINGLE APP ON AN INTERNET-ENABLED DEVICE OR SYSTEM - An Internet-enabled device, such as a smartphone, tablet, PC, wearable sensor, or household appliance, executes an application (or “app”) that has its own VPN connection with a VPN gateway device. The app does not use the device-level or system VPN to connect with the gateway. The app, which may be security wrapped, is made more secure by having its own VPN tunnel with the gateway, wherein the VPN tunnel is not used by other apps running on the device. The conventional (or device-level) VPN connection is not used by the app(s). The app has its own IP stack, an HTTP proxy layer, an IPsec module, and a virtual data link layer, which it uses to build IP packets, encapsulate them, and transmit them to a transport module in the device operating system, for example, a UDP module. | 09-19-2013 |
20130291086 | ENSURING NETWORK CONNECTION SECURITY BETWEEN A WRAPPED APP AND A REMOTE SERVER - A network connection between an app on a mobile device and a remote server is either enabled or denied based on whether a security-wrapped app can verify that the connection is with a known and trusted server. The wrapped app uses a socket interception layer injected into the app code, along with a trust store that is also part of the wrapped app, to determine whether a network connection attempted by the app should be allowed. The layer buffers relevant function calls from the app by intercepting them before they reach the device operating system. If the layer determines that a network connection is attempted, then it snoops the negotiation phase data stream to discern when the server sends a certificate to the app. It obtains this certificate, compares it to data in the trust store, and makes a determination of whether the server is known and trusted. | 10-31-2013 |
20130343543 | USER EXPERIENCE AND METHOD FOR PROMOTING A LOW-ASSURANCE CALL TO A HIGH-ASSURANCE CALL ON A CALLING DEVICE - A low-assurance call on a mobile device to another device may be promoted to a high-assurance call using a user interface. The participants during the call do not need to hang up and start a new high-assurance call. A caller can swipe an icon up a slider, for example, and start the process of promoting the call. The initial low-assurance call using SIP servers is terminated, but this is transparent to the callers. Once the swipe is performed, a DTLS negotiation is performed between the devices. During this DTLS handshake, which is done directly between the devices without involvement of the SIP servers, a key is exchanged. Only the calling devices are aware of this key, which is used to encrypt media during the call. Screens on the calling devices show that the call is now high-assurance, and security details of the call may also be displayed. | 12-26-2013 |