Patent application number | Description | Published |
20080222407 | Monitoring Bootable Busses - A security circuit in a computer monitors data busses that support memory capable of booting the computer during the computer reset/boot cycle. When activity oil one of the data busses indicates the computer is booting from a non-authorized memory location, the security circuit disrupts the computer, for example, by causing a reset. Execution from the non-authorized memory location may occur when an initial jump address at a known location, such as the top of memory, is re-programmed to a memory location having a rogue BIOS program. | 09-11-2008 |
20080222663 | Policy-Based Direct Memory Access Control - A computer that operates in a metered mode for normal use and a restricted mode uses an input/output memory management unit (I/O MMU) in conjunction with a security policy to determine which peripheral devices are allowed direct memory access during the restricted mode of operation. During restricted mode operation, non-authorized peripheral devices are removed from virtual address page tables or given vectors to non-functioning memory areas. | 09-11-2008 |
20080238612 | Direct Peripheral Communication for Restricted Mode Operation - A computer that self-administers operating in restricted and unrestricted operating modes boots from a main processor and operates normally in the unrestricted operating mode and operates from an alternate processor in a security module in the restricted operating mode. The alternate processor may communicate directly with peripheral devices such as a display controller and keyboard. Because the main processor is not used and may not even be started in the restricted operating mode, viruses, shims, and other related attacks are virtually eliminated. In one embodiment, the security module may operate as a PCI bus master when in the restricted operating mode. | 10-02-2008 |
20080246774 | Implementing Limited Function Mode in a Display Device - A display device for use with a computer adapted for operation in an unrestricted use mode and a limited function mode and a method for enforcing a limited function mode display is disclosed. The display device enters a limited function mode when a condition of non-compliance with an operating policy is discovered by the computer. Additionally, the display device may also enter a limited function mode upon powering up or when connections to the computer and/or selected components of the display are disabled or disconnected. When in the limited function mode, the display may support a limited function interface for use in correcting the condition of non-compliance. | 10-09-2008 |
20080250406 | Virtual Machine Support for Metered Computer Usage - A virtual machine monitor provides a trusted operating environment for a software usage metering application when a qualified virtual machine monitor is loaded as part of trusted boot and when all other programs and operating systems run in containers managed by the virtual machine monitor. The virtual machine monitor may also host a locking application for limiting the functionality of the computer if contractual terms of use are not met. Both the metering and locking applications run at a higher privilege level than ring | 10-09-2008 |
20080282017 | Serial Peripheral Interface Switch - An SPI switch allows selection of a BIOS memory transparent to a Southbridge chipset component. The SPI switch provides address translation to a selected BIOS memory area under the control of a security module processor. The SPI switch also provides command filtering to prevent commands that represent a security risk such as bulk erase commands. Because the SPI switch allows transparent redirection between BIOS programs, booting in different operating modes may be supported without any changes to the basic computer architecture or major chipset components. | 11-13-2008 |
20080319910 | Metered Pay-As-You-Go Computing Experience - A computer with scalable performance level components and selectable software and service options has a user interface that allows individual performance levels to be selected. The scalable performance level components may include a processor, memory, graphics controller, etc. Software and services may include word processing, email, browsing, database access, etc. To support a pay-per-use business model, each selectable item may have a cost associated with it, allowing a user to pay for the services actually selected and that presumably correspond to the task or tasks being performed. An administrator may use a similar user interface to set performance levels for each computer in a network, allowing performance and cost to be set according to a user's requirements. | 12-25-2008 |
20080319925 | Computer Hardware Metering - A computer or other electronic device may be used in one of several selectable modes of operation. Computer resources, such as a processor, memory, or a graphics controller, are individually settable for operation at different levels of performance. A mode of operation or performance level is determined by the combination of individual settings for the various resources. Pay-per-use operation is charged at a rate determined by the mode of operation or performance level. Operation in a gaming mode may be charged at a higher rate than operation in web-browsing mode. A metering agent may be associated with each scalable use resource to securely set the performance level and to securely report on metered operation of the resource. | 12-25-2008 |
20090094455 | Frequency Managed Performance - A computer or other electronic device may use a security module to securely control a system or processor clock to set a predetermined performance level. In an exemplary embodiment, the performance level may be high, medium, or low, supporting a range of application performance requirements. Changes to the performance level may be authorized by a third party presenting cryptographic rights to alter the performance level. Alternatively, postpaid ro pre-paid value may be accumulated at a rate corresponding to the predetermined performance level set by the security module. | 04-09-2009 |
20090112521 | Secure digital forensics - A security module is used to perform an audit of both a computer memory and the computer's processor status. The security module may assert itself as a bus master to read the computer memory without dependence on a program running on the computer. In addition, using a separate hardware path, the security module may access processor register data using a debug port. The security module may collect both memory and processor status information without the use of any of the computer resources being measured, avoiding either alteration of the data by the measurement tool or tampering with the data while being collected. | 04-30-2009 |
20090113210 | Program and operation verification - A security module may be used to verify integrity of an executable program and may also be used to verify execution of the executable program on a computer. The security module may directly read a computer memory by asserting bus master control of a system bus. The executable program may be directly verified by calculating a hash or may be indirectly verified by an intermediate program that calculates the hash and passes it to the security module. To verify operation, the executable program may cause an interrupt to be generated when the executable program is in a known state. An interrupt service routine may trigger the security module to read registers in the computer processor via a debug port. If either the verification of the executable program fails or the register values are inconsistent with operation of the executable program, the security module may interrupt operation of the computer. | 04-30-2009 |
20090177892 | PROXIMITY AUTHENTICATION - A security token is coupled to a computer and is available for use by both local and remote processes for on-demand response to a challenge. To minimize the security risk of an unattended session, the challenge may be issued to verify the presence of the token. When the token has a user interface, it may be used in conjunction with the computer to require that a user also participate in transferring displayed data between the token and computer. This helps to ensure that not only the token, but the user are both present at the computer during operation. For the most sensitive operations, such a confirmation may be required with each data submission. | 07-09-2009 |
20090178123 | TRUSTED INTERNET IDENTITY - A token or other storage device uses Internet identities to set file access attribute rights. Subsequently, requests to access a file can be controlled by confirming the Internet identity of the requester by either validating the request with a known public key or retrieving the public key from an Internet identity provider. Files may be stored encrypted and may be re-encrypted with the public key associated with Internet identity making the request. | 07-09-2009 |
20090183249 | TRUSTED STORAGE AND DISPLAY - A storage token has a display and a keyboard, or other input device, that allows a user to view a request to access a memory location and enter a response to the request. The display allows presentation of details of the request, such as a pathname to a requested memory location, metadata describing a cryptographic key for use in a transaction confirmation, and/or transaction details which are awaiting verification by a credential stored on the token. The storage token may also include a cryptographic engine and a secure memory allowing signing data returned in response to the request. | 07-16-2009 |
20090276595 | PROVIDING A SINGLE DRIVE LETTER USER EXPERIENCE AND REGIONAL BASED ACCESS CONTROL WITH RESPECT TO A STORAGE DEVICE - A method and a storage device may be provided. The storage device may include physical storage subdivided into a number of regions. The regions may start and end based on logical block addresses specified in a region table. At least one of the regions may be mapped to a logical drive letter. One or more others of the regions may be mapped to a subfolder with respect to the logical drive letter. The storage device may include an access control table. Each entry of the access control table may correspond to a respective region of the physical storage. Each of the entries of the access control table may indicate whether the respective region is protected and whether at least one entity is permitted protected access to the respective region after being successfully authenticated. | 11-05-2009 |
20090276837 | CREDENTIAL EQUIVALENCY AND CONTROL - A number of equivalent credentials may be associated with at least one entity. Each of the equivalent credentials may be of one of a number of types, such as, for example, a cryptographic key pair, a password, a biometric, or other types or combinations thereof. When one of the equivalent credentials is authenticated by an authentication control system, the at least one entity may be permitted access to a hardware device, software, or a service associated with the authentication control system. The authentication control system may include a number of authentication endpoints and blocking controls, each of which may be associated with a respective equivalent credential. After the authentication control system authenticates one of the equivalent credentials, a parameter of a blocking control and/or configurable credential-related attributes of an authentication endpoint associated with another of the equivalent credentials may be changed or reset. | 11-05-2009 |
20090307451 | DYNAMIC LOGICAL UNIT NUMBER CREATION AND PROTECTION FOR A TRANSIENT STORAGE DEVICE - A dynamic logical unit number system is implemented as a storage device that includes processing logic and storage functionality. A storage device may be configured to provide a first logical unit number when the storage device is attached to a computer system or other computing device. The storage device through its dynamic logical unit number system provides a configuration interface through which the computer system can configure additional logical unit numbers and reconfigure existing logical unit numbers of the storage device. After the redefinition of the logical unit numbers, the dynamic logical unit number system may cause a reestablishment of the connection between the storage device and the computer system. Upon establishing the new connection, the computer system recognizes the redefined logical unit numbers and treats each logical unit number as a separate storage device, including assigning a different number to each logical unit number. | 12-10-2009 |
20090319799 | GENERATING UNIQUE DATA FROM ELECTRONIC DEVICES - Providing for analysis of artifacts of electronic devices to generate data that is substantially unique to a particular device or to a class of devices is described herein. In some aspects, analyzed artifacts are chosen based on reliable reproducibility of such data over many analyses. The substantially unique data can be associated with a particular electronic device(s) to distinguish such devices from other devices. In some aspects, the generated data is first transformed into an identifier, such as a number, word, string of data, etc., to distinguish the electronic device in remote communication, to provide a key in an encryption/decryption algorithm, and so on. The data can be reproduced by reanalyzing the artifacts, and thus need not be stored for future consumption, mitigating risks involved in storing sensitive data. | 12-24-2009 |
20100037325 | Enhanced Packaging for PC Security - A pay-per-use computer, or other electronic device that uses local security, may use a security module or other circuit for monitoring and enforcement of a usage policy. To help prevent physical attacks on the security module, or the circuit board near the security module, a second circuit may be mounted over the security module to help prevent access to the security module. Both circuits may be mounted on a interposer and the interposer mounted to the circuit board, creating a stack including the first circuit, the interposer, the security module, and a main PC board. When the PC board includes dense signal traces under the security module a three dimensional envelope is created around the security module. When the first circuit is a high value circuit, such as a Northbridge, the risk/reward of attacking the security module is increased substantially and may deter all but the most determined hackers. | 02-11-2010 |
20100088759 | DEVICE-SIDE INLINE PATTERN MATCHING AND POLICY ENFORCEMENT - Inline pattern matching and policy enforcement may be implemented by a memory storage device. In an example embodiment, a device-implemented method includes acts of receiving, intercepting, and performing and conditional acts of invoking or permitting. A request from a host to perform a memory access operation is received at a memory storage device. Data flowing between an I/O channel and physical storage of the memory storage device is intercepted. A pattern matching procedure is performed on the data with reference to multiple target patterns in real-time while the data is being intercepted. If a pattern match is detected between the data and a target pattern, a policy enforcement mechanism is invoked. If a pattern match is not detected between the data and the multiple target patterns, the request from the host to perform the memory access operation is permitted. | 04-08-2010 |
20100174921 | DEVICE SIDE HOST INTEGRITY VALIDATION - Described is a technology by which a transient storage device or secure execution environment-based (e.g., including an embedded processor) device validates a host computer system. The device compares hashes of host system data against valid hashes maintained in protected storage of the device. The host data may be a file, data block, and/or memory contents. The device takes action when the host system data does not match the information in protected storage, such as to log information about the mismatch and/or provide an indication of validation failure, e.g., via an LED and/or display screen output. Further, the comparison may be part of a boot process validation, and the action may prevent the boot process from continuing, or replace an invalid file. Alternatively, the validation may take place at anytime. | 07-08-2010 |
20100192209 | PASSIVE SECURITY ENFORCEMENT - Technology is described for enabling passive enforcement of security at computing systems. A component of a computing system can passively authenticate or authorize a user based on observations of the user's interactions with the computing system. The technology may increase or decrease an authentication or authorization level based on the observations. The level can indicate what level of access the user should be granted. When the user or a component of the computing device initiates a request, an application or service can determine whether the level is sufficient to satisfy the request. If the level is insufficient, the application or service can prompt the user for credentials so that the user is actively authenticated. The technology may enable computing systems to “trust” authentication so that two proximate devices can share authentication levels. | 07-29-2010 |
20100192230 | PROTECTING TRANSACTIONS - Technology is described for protecting transactions. The technology may include a switching component that a user can employ to switch an associated mobile device into a secure mode so that a user can confirm the transaction. After initiating a transaction request, the user can confirm the transaction request by activating the switching component, which can cause the mobile device to switch into a secure mode. In the secure mode, the mobile device may prevent the mobile device from conducting various normal activities, such as executing applications, receiving input, providing output, and so forth. The switching component may disable other processing temporarily. Upon receiving the confirmation from the user, the switching component may send a confirmation communication to complete the transaction. | 07-29-2010 |
20100199108 | Device Enforced File Level Protection - Described is a technology by which files that are hardware protected on a storage device, such as a USB flash drive, are managed on a host, including by integration with an existing file system. Each file maintained on a storage device is associated with a protection attribute that corresponds to that file's device hardware protection level. Requests directed towards accessing metadata or actual file data are processed based upon the protection attribute and a state of authentication, e.g., to allow or deny access, show file icons along with their level of protection, change levels, and so forth. Also described is splitting a file system file table into multiple file tables, one file table for each level of protection. Entries in the split file tables are maintained based on each file's current level; space allocation tracking entries are also maintained to track the space used by other split tables. | 08-05-2010 |
20100235596 | Offline Device-Side Logical Unit Number Controller - Described is a technology by which a single physical storage device such as a USB flash memory device is able to boot different computing devices via corresponding different operating systems. The storage device includes a selection mechanism that determines which virtual disk (corresponding to a LUN) is seen by the host as the currently active LUN having sector | 09-16-2010 |
20100287344 | CAPTURING AND LOADING OPERATING SYSTEM STATES - Operating system states capture and loading technique embodiments are presented that involve the capture and loading of baseline system states. This is accomplished, in one embodiment, by storing the states of a computer's operating system memory that it is desired to restore at a future time. No changes are permitted to the persisted storage associated with the computer. Instead, changes that would have been made to the persisted storage during an ensuing computing session, had they not been prevented, are stored in a separate computing session file. Whenever it is desired to return the operating system to its baseline condition, the stored baseline system memory states are loaded into the operating system memory, in lieu of the operating system memory's current states. | 11-11-2010 |
20100318617 | Local Loop For Mobile Peer To Peer Messaging - Techniques described herein describe a proxy used in an instant messaging system. The proxy, upon receiving an instant message (IM) from a first mobile device and addressed to a second mobile device, dynamically determines whether, and for how long to store the IM on a local proxy. Otherwise the IM is forwarded to a server. | 12-16-2010 |
20100318633 | Dynamic Time Weighted Network Identification and Fingerprinting for IP Based Networks Based on Collection - Techniques described herein describe a dynamic time weighted network identification and/or fingerprinting method. A method includes identifying one or more machines connected to a network of machines; performing an address resolution procedure on each of the one or more machines to determine one or more machine specific identifiers associated with each of the one or more machines; and applying a dynamic weighting to each identified machine on the network of machines as a function of a determined transience of each identified machine. | 12-16-2010 |
20100318745 | Dynamic Content Caching and Retrieval - This disclosure provides techniques for dynamic content caching and retrieval. For example, a computing device includes cache memory dedicated to temporarily caching data of one or more applications of the computing device. The computing device also includes storage memory to store data in response to requests by the applications. The storage memory may also temporarily cache data. Further, the computing device includes system software to represent to the applications of the computing device that the portions of the storage memory utilized to cache content are available to store data of the applications. In addition, the computing device includes application programming interfaces to provide content to a requesting application from a cache of the computing device and/or from a remote content source. | 12-16-2010 |
20100319072 | Hardware Specific Product License Validation - Server-side validation of hardware specific software product licenses is described herein. | 12-16-2010 |
20100325258 | CAPTURING A COMPUTING EXPERIENCE - The described implementations relate to capturing a computing experience. In one case, a user session capture tool can launch a remote user session where a user-interface and user inputs are gathered from a single computing device. Remote user session data produced by the remote user session can be analyzed to determine user activity. | 12-23-2010 |
20100333066 | METHOD AND SYSTEM FOR MANAGING SOFTWARE ISSUES - A method of managing software issues includes receiving issue data from a remote host, where the issue data is related to an issue associated with a software application installed on the remote host. The method identifies a potential solution for the issue and sends solution data to the remote host, where the solution data is related to the identified potential solution. Feedback data may be received from the remote host, where the feedback data is indicative of a degree to which the identified potential solution was effective in resolving the issue. | 12-30-2010 |
20100333212 | PORTABLE PARAMETER-BASED LICENSING - Portable parameter-based licensing techniques are described. These techniques allow licenses to be decoupled from any particular host device and utilized in a portable and flexible fashion. In at least some embodiments, license data that includes a license to use computer-related functionality can be stored in a secure execution environment. The secure execution environment can be provided by a suitable secure execution environment hosting device(s) (SEHD), such as a portable flash memory device for instance. The license data in the secure execution environment can then be utilized to authorize use of the computer-related functionality, according to the license, on any number of host devices not responsible for providing the secure execution environment. As a result, the owner of the license can use the computer-related functionality without being restricted to any particular host device. | 12-30-2010 |
20110125601 | INVOCATION OF ACCESSORY-SPECIFIC USER EXPERIENCE - An accessory-specific user experience can be invoked at a mobile host device attached to an accessory device. The mobile device can receive accessory device information from the accessory and transmit the accessory device information to an online marketplace. The mobile device can receive information indicating accessory-specific goods or services available from the online marketplace and display the received information as part of the invoked user experience. The accessory device information can comprise accessory usage categories as well as additional information about the accessory. A marketplace can select accessory-specific goods or services based on the received accessory device information based on matching between accessory attribute values associated with the goods and services and accessory attributes values contained in the received accessory device information. The accessory device can be a docking station connected to additional accessories and the accessory device information can comprise information pertaining to the additional accessories. | 05-26-2011 |
20110125930 | CONFIGURABLE CONNECTOR FOR SYSTEM-LEVEL COMMUNICATION - A host device comprises a controller and a connector. The host connector comprises fixed-function and multi-function pins. A first group of host connector pins comprises one or more of the fixed-function pins and a second group of pins comprises the remainder of the fixed-function pins and the multi-function pins. The host connector can be releasably attached to a connector of an accessory device. The first group of host connector pins can be used to discover the functions of the accessory connector. The host device can select functions to be enabled at the host and accessory connectors from among the functions mutually supported by the two connectors. The host can enable the selected functions at the host connector and can instruct the accessory to enable the selected functions at the accessory connector. The host can reconfigure host connector functions in response to a different accessory being attached to the host. | 05-26-2011 |
20110126005 | DYNAMIC CONFIGURATION OF CONNECTORS FOR SYSTEM-LEVEL COMMUNICATIONS - A host device comprises a configurable connector. The host device connector can be connected to a configurable connector of an accessory device. The host device can select connector functions to be enabled for connecting to the accessory device connector. The selection of connector functions can be based on accessory device information such as accessory device power consumption, power configuration and application information. The accessory device can exclude connector functions supported by the accessory device from the list of accessory device functions sent to the host device. The accessory device can exclude connector functions based on information about the host and connector devices. Single or mutual authentication can be performed before connection functions are enabled at either device. Host and accessory devices can require that a host device be licensed to use an accessory device connector function or to gain access to accessory device resources. Tiered licensing policies can be supported. | 05-26-2011 |
20140351544 | DEVICE SIDE HOST INTEGRITY VALIDATION - Described is a technology by which a transient storage device or secure execution environment-based (e.g., including an embedded processor) device validates a host computer system. The device compares hashes of host system data against valid hashes maintained in protected storage of the device. The host data may be a file, data block, and/or memory contents. The device takes action when the host system data does not match the information in protected storage, such as to log information about the mismatch and/or provide an indication of validation failure, e.g., via an LED and/or display screen output. Further, the comparison may be part of a boot process validation, and the action may prevent the boot process from continuing, or replace an invalid file. Alternatively, the validation may take place at anytime. | 11-27-2014 |