Patent application number | Description | Published |
--- | --- | --- |
20090222878 | SYSTEMS AND METHODS FOR A SECURE GUEST ACCOUNT - An embodiment relates generally to a method of creating a secure environment in a computer device. The method includes providing a secure guest account in a multi-user operating system and enforcing a policy on the secure account to allow a user to log in to the secure guest account while preventing access to at least one network port of the computer device. The method also includes enforcing a rule to allow the secure guest account access to an application and the at least one network port. | 09-03-2009 |
20100131559 | ISOLATING AN EXECUTION CONTAINER IN A SYSTEM WITH MANDATORY ACCESS CONTROL (MAC) - Preventing a process from traversing back a directory tree through its parent directories is described. In a system with a program executing in a path container, an access permission rule applicable to the instance of the program prevents the program from traversing the tree structure back through its parent directories towards an absolute root directory. The access permission rule may be a rule in an instance of a security policy applicable to the particular path container from which the process is executing. | 05-27-2010 |
20100132011 | Mechanism to Implement Security in Process-Based Virtualization - In one embodiment, a mechanism to implement security in process-based virtualization is disclosed. In one embodiment, a method includes maintaining a security policy for a process-based virtualization system, initializing a virtual machine (VM) in the process-based virtualization system, assigning a security label to the VM, and enforcing the security policy on the VM based on the security label of the VM in order to isolate the VM from other VMs in the process-based virtualization system. | 05-27-2010 |
20100132012 | MERGING MANDATORY ACCESS CONTROL (MAC) POLICIES IN A SYSTEM WITH MULTIPLE EXECUTION CONTAINERS - Application of a local instance of a general security policy is described. In a system with an instance of a program executing in a path container, a security policy applicable to the instance of the program is managed locally for the path container. The path container provides a confined execution environment for the program instance, and the security policy defines permitted operations for the program and all its instances. The instance of the security policy is associated with the path container, which allows the program instance to “see” management within the path container as though with the security policy, while entities having permissions outside the path container “see” the program instance limited to the path container and its associated security policy instance. | 05-27-2010 |
20100132013 | RELIABLY TERMINATING PROCESSES IN A SYSTEM WITH CONFINED EXECUTION ENVIRONMENTS - Terminating a process executing within a container is described. An access restriction applicable to the process is temporarily modified with a policy change that prevents creating new processes within the container. The policy change prevents operations that would allow processes within the container from performing a fork operation, or otherwise spawning new processes within the container. The policy change may be, for example, applied by means of a rule added or removed from an access restriction policy. While the processes are prevented from creating new processes, one specified process or all processes within the container are terminated. After termination of the process(es), the policy change can be reversed, allowing normal use of the container. | 05-27-2010 |
20110047613 | SYSTEMS AND METHODS FOR PROVIDING AN ISOLATED EXECUTION ENVIRONMENT FOR ACCESSING UNTRUSTED CONTENT - A sandbox tool can cooperate with components of a secure operating system to create an isolated execution environment for accessing untrusted content without exposing other processes and resources of the computing system to the untrusted content. The sandbox tool can allocate resources (storage space, memory, etc.) of the computing system, which are necessary to access the untrusted content, to the isolated execution environment, and apply security policies of the operating system to the isolated execution environment such that untrusted content running in the isolated execution environment can only access the resources allocated to the isolated execution environment. | 02-24-2011 |
20110154431 | SYSTEMS AND METHODS FOR PROVIDING MULTIPLE ISOLATED EXECUTION ENVIRONMENTS FOR SECURELY ACCESSING UNTRUSTED CONTENT - A sandbox tool can create and maintain multiple isolated execution environments, simultaneously. The sandbox tool can assign a unique security label to each isolated execution environment. In order to ensure the security labels are unique, the sandbox tool, for each security label, can bind a communication socket in an abstract name space of the operating system with a name that is the same as the security label. If the operating system returns an error that the name for the communication socket is already in use, the sandbox tool can determine that the security label is already in use by another isolated execution environment or other process. | 06-23-2011 |
20110296487 | SYSTEMS AND METHODS FOR PROVIDING A FULLY FUNCTIONAL ISOLATED EXECUTION ENVIRONMENT FOR ACCESSING CONTENT - A sandbox tool can cooperate with components of a secure operating system to create an isolated execution environment for accessing content without exposing other processes and resources of the computing system to the untrusted content. The sandbox tool can create the isolated execution environment with an assigned security context of the secure operating system. The security context can define the security policies applied by the operating system to the isolated execution environment, thereby defining the levels of access the isolated execution environment has to the resources of the computing system. | 12-01-2011 |
20120167048 | SYSTEMS AND METHODS FOR BUILDING SOFTWARE PACKAGES IN SECURE DEVELOPMENT ENVIRONMENTS - The mock tool can be configured to create a mock execution environment for building software packages. The mock execution environment is isolated from resources of the computing system supporting the mock execution environment and from other mock execution environments. Further, the mock execution environment can be created to simulate disabling any features of the operating system supporting the mock execution environment that could cause problems in building the software packages. | 06-28-2012 |
20120167157 | SYSTEMS AND METHODS FOR SECURE SOFTWARE DEVELOPMENT ENVIRONMENTS - The mock tool can be configured to create a mock execution environment for supporting software development processes. The mock execution environment is isolated from resources of the computing system supporting the mock execution environment and from other mock execution environments. Further, the mock execution environment can be created to simulate disabling any features of the operating system supporting the mock execution environment that could cause problems in the software development process. | 06-28-2012 |
20130086623 | SYSTEMS AND METHODS FOR ESTABLISHING ISOLATION BETWEEN CONTENT HOSTING SERVICES EXECUTING ON COMMON SUPPORT SERVER - Embodiments relate to systems and methods for establishing isolation between content hosting services executing on a common support server. In aspects, a server virtualization platform can operate on a common physical support server to instantiate, configure, and operate a set of virtual servers. The set of virtual servers can, for instance, be used to run independent Web sites or other locations or services. The data available to each process on each virtual server can be encoded using an SELinux™ label including an MCS (multi-category security) category or categories uniquely identifying that process. Isolation of the potentially sensitive data for multiple Web sites and/or their content hosted on a common physical server can therefore be enforced, since each process operating on each virtual server is restricted to only access and manipulate data objects or other entities having matching MCS category information identified on that bare-metal support server. | 04-04-2013 |
20130227561 | Mechanism for Applying a Custom Security Type Label to Multi-Tenant Applications of a Node in a Platform-as-a-Service (PaaS) Environment - A mechanism for applying security category labels to multi-tenant applications of a node in a PaaS environment is disclosed. A method of embodiments includes receiving, by a virtual machine (VM) executing on a computing device, a custom security type label (STL) and a custom security policy associated with the custom STL, the custom STL and associated custom security policy applied to one or more multi-tenant applications executed by the VM. The method further includes receiving a request to initialize an application on the VM, the request identifying the custom STL as an STL to apply to the application, assigning a local UID maintained by the VM to the application, recording a mapping of the assigned local UID to the custom STL, assigning the custom STL to files of the application, and assigning the custom STL to a running process of the application. | 08-29-2013 |
20130227635 | Mechanism for Applying Security Category Labels to Multi-Tenant Applications of a Node in a Platform-as-a-Service (PaaS) Environment - A mechanism for applying security category labels to multi-tenant applications of a node in a PaaS environment is disclosed. A method of embodiments includes generating, by a virtual machine (VM), a unique security category label (SCL) for each local user identification (UID) maintained by the VM, assigning, for each local UID maintained by the VM, the unique SCL associated with the local UID to one or more Internet Protocol (IP) addresses mapped to the local UID, receiving a request to initialize an application on the VM, assigning a local UID of the local UIDs maintained by the VM to the application, assigning files of the application the unique SCL associated with the local UID of the application, and assigning the unique SCL associated with the local UID of the application to a running process of the application. | 08-29-2013 |
20130332981 | METHOD AND SYSTEM FOR EXTENDING SELINUX POLICY WITH ENFORCEMENT OF FILE NAME TRANSLATIONS - An operating system identifies a request of a process to create, in a file system of the computing device, a new object, the new object having a name. The operating system identifies a policy rule applicable to the new object using a label of the process, a label of a parent object pertaining to the new object, a class of the new object, and the name of the new object. The operating system creates a label for the new object using the applicable policy rule and associates the new object with that label. | 12-12-2013 |
20140075495 | METHOD AND SYSTEM FOR FACILITATING SECURE FILE CREATION USING SELINUX POLICIES - An operating system identifies a request of a process to create, in a file system of the computing device, a new object. The operating system creates an object label for the new object, identifies one or more security policy rules applicable to the process, and verifies whether the process is authorized to create the new object with the object label in the file system of the computing device using the applicable security policy rules. When the process is authorized to create the new object with the object label, the operating system creates the new object with the object label in the file system of the computing device. When the process is not authorized to create the new object with the object label, an error message is generated. | 03-13-2014 |
20140215202 | EXTENSION OF A PLATFORM CONFIGURATION REGISTER WITH A KNOWN VALUE - A computing system calculates a hash value of a binary of a component of the computing system using a hash function and determines whether a signature that is associated with the binary of the component is valid. A trusted platform module in the computing system extends a platform configuration register value in the trusted platform module using a known value that is associated with the binary if the signature is valid. | 07-31-2014 |