138 results about "Operating system security" patented technology

Systems and methods provide multiple partitions hosted on an isolation technology such as a hypervisor where at least one of the partitions, a local secure service partition (LSSP), provides security services to other partitions. The service partitions (LSSPs) host those high assurance services that require strict security isolation, where the service can be shared across partitions and accessed even when the user is not connected to a network. The LSSP also can certify the results of any computation using a key signed by a TPM attestation identity key (AIK), or other key held securely by the hypervisor or a service partition. The LSSPs may be configured to provide trusted audit logs, trusted security scans, trusted cryptographic services, trusted compilation and testing, trusted logon services, and the like.

An operating system has security updates preintegrated to reduce vulnerability of the operating system to malicious programs, such as worms. Preintegration writes update files over corresponding operating system files before boot of the operating system so that malicious programs are not provided an opportunity to attack the operating system during a post-boot security update. An update package extracts update files, such as QFE files, and prepares the update files within a file and directory structure corresponding to the operating system. An overwrite engine running on an alternative operating system writes the update files to the operating system so that the operating system boots secure from attack by worms that the updates are intended to prevent.

The invention discloses a software package-based online automatic updating method for an open source operating system of a mobile terminal, which relates to the field of mobile terminal software and is applied to the open source operating system of the mobile terminal. By the method, the remote automatic updating of system software can be realized by taking a package as a unit, and convenience isbrought to the rehabilitation of security holes and the installation of the operating system. The method comprises the two aspects that: a server automatically finishes structuring and publishing thesoftware package, acquires all source codes of the operating system from an open source site, automatically divides and structures a proper software package, determines the updating information of the software package according to the version information and dependency of the source codes, and publishes the software package by utilizing a network; and the mobile terminal serving as a software package acquirer and user automatically checks the updating information by client software, and downloads and updates the system by taking the software package as the unit to fulfill the aim of automaticonline updating. The method has the characteristics of high degree of automation and the like, and is easy to deploy in large scale and use.

The invention discloses a dynamic running method for a security kernel service of a tristate operating system in a Feiteng CPU. The method comprises the steps of: dividing a kernel into a system state and a kernel state of different privilege levels; establishing a service framework in the kernel state to serve as a container for the security kernel service, and establishing a call interface for the security kernel service; establishing a virtual driving interface in the system state to support a user state to call the security kernel service; loading the service framework and the built-in security kernel service after enabling the CPU to be powered on; and loading a loading part of a system service module and starting a system service, wherein the service framework provides the security kernel service and makes a response to a dynamic loading/unloading request of the security kernel service. The dynamic running method can realize security protection on specific hardware resources of the system, realize security access to a core service of the operating system, efficiently support credibility conformation of the system, effectively improve the system security, lower the security risk of traditional kernel bugs and provide an efficient and flexible credible calculating ecological environment for users.

The invention relates to an access control method for an operation system and an implementation platform thereof. The platform comprises an operation system Hook layer, a platform abstraction layer and a core security server. The operation system Hook layer transmits an intercepted request to the core security server; a strategy caching module queries the request, and judges whether the same request exists; if the same request exists, the request is executed; if the same request does not exist, a strategy managing module is queried, whether the access permission of the request exists is judged according to the security rule of the operation system security model which is saved in a strategy database; if the access permission of the request exists, the request is stored in a cache and executed; and if the access permission of the request does not exist, the request is refused. The invention provides the flexible access control platform which can be applied to various operation systems, and provides a unified strategy configuration method which can be conveniently implemented on the various operation systems.

A method and a system for securely installing patches for an operating system, wherein the system comprises a personal firewall, for filtering inbound and outbound network traffic; an operating system update agent, for connecting to an update server via the personal firewall to download patches; a policy manager, for invoking respective policies according to respective stages of the operating system; a stage coordinator, for coordinating the policy manager and the operating system update agent for different stages; and a policy database, for storing respective policies for respective stages of the operating system. With the method and system, the possibility of being infected by malicious software is significantly reduced when downloading patches for the operating system from the Internet.

The invention belongs to the field of safety of operation systems, and provides a document safety access control method based on a Linux kernel. The document safety access control method comprises the following steps: when a Linux system is started up, the Linux kernel reads startup script registration information, and is registered with a pre-processing module; starting procedure information is read, and a strategy loading module is started up, wherein the pre-processing module runs in the state of the Linux kernel; after the pre-processing module is started up, a safety document system is registered in a VFS (virtual file system), and then a listening port is registered; the strategy loading module reads a local safety strategy file, and a safety strategy is created, and is sent to the listening port of the pre-processing module; the pre-processing module receives the safety strategy, and a safety strategy is created in a memory to be used for the safety file system; when a file is accessed by an application process, the safety file system calls the local file system to complete the operation of the file data according to the safety strategy. According to the method, the efficiency of the file safety access control in the Linux system is improved.

The invention relates to a creditable calculation password platform and a realization method thereof, which belong to the technical field of computer safety. The creditable calculation password platform comprises a hardware system and an operation system, wherein the hardware system is connected with the operation system; the hardware system comprises a hardware safety module (HSM); the HSM is bound with the platform and the realization method thereof and comprises an embedded safety module (ESM) or/and an inserted and pulled USB/PCI password module which is connected to a main plate; and theoperation system is provided with an operation system safety module comprising a forced access control submodule, a progress monitoring submodule and an application program integrality measurement identification module. The invention has the advantages of increasing the application range of the creditable calculation password platform and the technique of the realization method thereof, increasingthe self attack resisting degree of the forced access control submodule, the progress monitoring submodule and the integrality measurement identification module, measuring the integrality of the whole platform and the realization method thereof, establishing the creditable environment of the whole platform and the realization method thereof and fully ensuring the benefit of a user of the platformand the realization method thereof.

A system and method for protecting against the unauthorized use of operating system level commands is disclosed. The system includes a computer module including: a processor configured for performing data operations; a memory unit configured to store instructions executable by the processor; and an operating system module for supporting basic functions of the computer module, such as scheduling tasks, executing applications, and controlling peripherals. A virtual keyboard is connected to the computer module for creating one or more events or sequences of events recognizable by the operating system module. A system level command filter module is provided for filtering system level commands from the one or more recognizable events or sequences of events.

The invention discloses an operation system security bootstrap device, which includes a base input and output system, a central processing unit and a hard disk. The central processing unit is connected with the base input and output system and the hard disk; a bootstrap program is stored in the hard disk to realize the bootstrap to an operation system. Particularly, the bootstrap device further includes a dependable computing cryptographic module which is connected with the central processing unit. The central processing unit controls the dependable computing cryptographic module to verify the legality of an operator and detect the completeness of the bootstrap program, and backups the bootstrap program to realize the restorability of the bootstrap program. The invention further provides a security bootstrap method utilizing the device. Before the operation system is started, the identity of the operator is subjected to legality verification, so as to ensure that the operator is authorized legally; the hard disk bootstrap program is subjected to completeness detection, so as to ensure that the bootstrap program to be not maliciously interpolated; and the backup and restoring mechanism of the bootstrap program can continue the correct bootstrap to the operation system under the condition that the bootstrap program is interpolated.

A method (200, 300) of securing an operating system. The method can include, for a first application to be instantiated on the operating system, receiving from a first security template (106) at least a first recommended value for a configuration line item. The method also can include, for a second application to be instantiated on the operating system, receiving a second security template at least a second recommended value for the configuration line item. From among at least the first and second values, at least one value that is compatible with each of the applications can be selected. Further, an output (120) can be generated that automatically updates the configuration line item with the selected at least one value.

Provided are a device and method for automatic driver installation. The device comprises: a remoter server, a client host and an information security device. The remote server stores driver and interface protocol program downloading service for the client host. The client host is in communication connection with the remote server, receives data information inputted by the information security device, and downloads the driver or interface protocol program from the remote server according to the data information and install or load the driver or interface protocol program. The information security device is in communication connection with the client host and feedbacks data information according to instruction issued by the client host. The present scheme can effectively reduce the number of times user account control (UAC) window pops up and ensure operating system security while installing and deploying middleware, thus simplifying user operation.

The invention provides a method for managing application programs in an SSR centralized management platform and belongs to the field of operating system security technology. The method mainly comprises the steps of centralized management, application program list management, strategy management and single-client viewing, wherein application program lists of a plurality of clients under a complicated network are managed in a unified and centralized mode; full-web lists can be checked and trust levels of the full-web lists can be set through an application program list management function; specific application program strategies of the clients are controlled through strategy management; and current operating states of the application programs of the clients are checked and operation is performed through single-client viewing.

A system and method for updating firmware data on a computing platform in response to a firmware update request received in the form of a signed capsule file received via a runtime service is discussed. The firmware update request may be a request to update UEFI firmware and be received using the UpdateCapsule runtime service. The firmware data may include data associated with UEFI protected variables, SMBIOS data, logo data, microcode update data and pre-operating system security policy data.

The invention discloses a user privilege escalation method supporting mandatory access control. The method comprises the following steps that: (1) privilege programs of an operating system are subjected to mandatory classification in advance and are correlated with different administrator roles; (2) access requests of users are detected, and when a privilege operation request is detected, jumping is carried out to execute the step (3); and (3) a user sending out the privilege operation request is authenticated, if the authentication is passed, a child process is derived, security attributes of the child process are set and are enabled to inherit security attributes of the administrator roles corresponding to the target privilege programs, and the target privilege programs are executed through the child process; and if the authentication is not passed, the privilege operation request of the user is refused, and exiting is carried out. The user privilege escalation method has the advantages that a realization method is simple; the privilege escalation operation of the user can be realized; in addition, the mandatory access control is supported; the safety of the operating system is high; and in addition, the usability is high.

The invention discloses a safe remote loading method of an operating system. The safe remote loading method comprises the following steps: (1) a legality verification step of a computer to be subjected to loading; (2) a remote loading step of the operating system; (3) an integrity measurement step of the operating system in a loading process. Aiming at the problem that current security software cannot process operating system-level malicious programs, the integrity of the operating system can be measured before the operating system is started up, so that the environment security before startup is guaranteed.

The invention discloses a TPM (Trusted Platform Module)-based control method for safe startup of an operating system, and belongs to the field of trusted computing. According to the invention, a safe startup control policy of the operating system is configured into a TPM chip; the designated measurement configuration file is measured to obtain a reference value for encrypting the operating system core; then when the operating system is started up, combined with guidance of OS Loader, the measurement configuration file in the TPM is read to measure the designated measurement configuration file so as to obtain the measurement value; the measurement value is used for decrypting the operating system core; if decryption fails, the corresponding safe startup control motion can be carried out as per the startup control policy information in the TPM. Therefore, safe startup of the operating system is configurable and controllable.

The invention discloses a method for realizing bi-operation system starting of terminal equipment by using a USB (universal serial bus) controller and belongs to the technical field of dual operation system starting of the user terminal equipment. The method is characterized by including on a single hard disk provided with a working area and a free area, judging whether the USB controller is inserted or not by a BIOS (bi-operation system); if yes, executing a modified guide file GRLDR in the USB controller, verifying PIN of a user, loading a secret key, guiding to enter a reserved partition, executing a decryption program to decrypt the working area, and then entering the working area; if not, guiding to enter the free area by an MBR (master boot record), executing a partition boot record (PBR), in the type of BOOTMGR, of the free area, and entering the free area. Different from other methods for realizing bi-operation system starting through double hard disks, the method has the advantages that a mode of realizing bi-operation system starting through the same hard disk and multiple partitions is used, and through an encryption mechanism of a working area operation system, safety of the working area operation system is guaranteed, cost is lowered, and efficiency is improved.

A system and method for protecting security of Linux operating system base on IMA. At first, that node unit of the security management cent configures a protection policy to the protect node unit, Asthat system executable file, system dynamic link library, System configuration files on the protected node unit need to be run and loaded into the Linux operating system, A measure value of that protected node element is obtain by measuring the object using an IMA technology, and then reporting the measure value to the node unit of the security management center. At last, after that node unit of the security management center analyze and confirms the identity information of the protected node unit, whether the upload metric value is the same as the reference value collected beforehand is compared to judge whether the protected object is tampered with or not, so as to protect the security of the Linux operating system on the protected node unit. The invention protects the integrity of the Linux operating system core system file, enhances the security of the Linux operating system, and the protection cycle will accompany the whole operating system running phase.

The method adds database of digital signature and certificate, module of security management and module of security agreement on Unix operating system (OS) at user level, and adds an access control module of digital signature authentication on Unix OS at kernel level. Without changing executable files of system and kernel, the method makes the each added module become an effective section of OS so as to be able to carry out security protection and effective control for whole Unix OS under condition of without rewriting operation and condition of transparence. Advantages are: simple, safety, practical and reliable.