Fine-grained security in federated data sets
Abstract
A data processing system, a server such as a federated server, a computer system, and like devices, and associated operating methods can be configured to support fine-grained security including resource allocation and resource scheduling. A data processing system can comprise a federated server operable to access data distributed among a plurality of remote data sources upon request from a plurality of client users and applications; and logic executable on the federated server. The logic can be operable to enforce fine-grained security operations on a plurality of federated shared data sets distributed among the plurality of remote data sources.
50 Claims
1. A data processing system comprising:
- at least one member server of a federated server configured to access data distributed among a plurality of remote data sources upon request from one or more client users or applications; and
- logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces one or more fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor, the logic-in-memory configured to fuse the at least one of data or one or more data sets at least partially determined by one or more permissions for the first entity or the second entity that are specified independently.
2. The data processing system according to claim 1 wherein the logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces the fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets at granularities for the first entity and the second entity that are specified independently including operations on data elements more fine-grained than a memory page or virtual page size.
3. The data processing system according to claim 1 wherein the logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces the fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by scheduling operations for the first entity and the second entity that is specified independently including performing at least one hardware scheduling operation and enforcing fine-grained security operations in logic at least partly integrated into memory on selected hardware devices and components.
4. The data processing system according to claim 1 wherein the logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces the fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets managing memory access for the first entity and the second entity that is specified independently including performing at least one operation of managing access of virtual memory access management operation and performing at least one operation for enforcing enforce fine-grained security operations on selected logic at least partly integrated into memory regions in the virtual memory.
5. The data processing system according to claim 1 wherein the logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces the fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by managing running applications for the first entity and the second entity that is specified independently including performing at least one operation for managing running of applications on a computer selected from among a plurality of computers networked to the federated server and performing at least one operation for enforcing fine-grained security operations on the selected computer.
6. The data processing system according to claim 1 wherein the logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces the fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction specified to verify changes in control flow and respond to verification failure by trap or exception.
7. The data processing system according to claim 1 wherein the logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces the fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction specified to verify changes in control flow comprising conditions of instruction length or instruction alignment.
8. The data processing system according to claim 1 wherein the logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces the fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction specified to verify changes in control flow including changes resulting from direct branches, indirect branches, direct calls, indirect calls, returns, and exceptions.
9. The data processing system according to claim 1 wherein the logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces the fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction including an immediate constant bitmask that defines at least one check to be made of at least one condition, the at least one check being logically-ORed and a trap or exception is generated if none of the at least one condition matches, the immediate constant bitmask comprising bitmask bits configured to identify one or more of:
- whether the control flow integrity instruction is reachable through sequential execution from a previous instruction;
- whether the control flow integrity instruction is target of an unconditional direct branch;
- whether the control flow integrity instruction is target of a conditional direct branch;
- whether the control flow integrity instruction is target of a non-relative direct branch;
- whether the control flow integrity instruction is target of an indirect branch;
- whether the control flow integrity instruction is target of a relative function call;
- whether the control flow integrity instruction is target of a non-relative or absolute function call;
- whether the control flow integrity instruction is target of an indirect function call; or
- whether the control flow integrity instruction is target of a function return instruction.
10. The data processing system according to claim 1 wherein the logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces the fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by managing memory access for the first entity and the second entity that is specified independently including performing at least one memory access management operation and perform at least one operation for enforcing fine-grained security operations on selected start and end boundaries and selected granularity in the memory with selected permissions.
11. The data processing system according to claim 1 wherein the logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces the fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by managing memory access for the first entity and the second entity that is specified independently including performing at least one memory access management operation and perform at least one operation for enforcing fine-grained security operations in the memory with permissions selected from write enablement, read enablement, execution enablement, and duration of enablement.
12. The data processing system according to claim 1 wherein the logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces the fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by managing memory access for the first entity and the second entity that is specified independently including performing at least one memory access management operation in memory blocks and perform at least one operation for enforcing fine-grained security operations by individually protecting selected memory blocks.
13. The data processing system according to claim 1 wherein the logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces the fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by managing running applications for the first entity and the second entity that is specified independently including performing at least one operation for managing running of applications in a plurality of virtual machines and perform at least one operation for enforcing fine-grained security operations including assigning data to a selected virtual machine.
14. The data processing system according to claim 1 wherein the logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces the fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets using encryption for the first entity and the second entity that is specified independently including performing channel encryption operations on a communication channel that communicates information between a selected processor and a selected memory, wherein the logic-in-memory configured to enforce fine-grained security operations is further configured to perform at least one operation in logic at least partly integrated into memory one or more of:
- decrypting information encrypted by the selected processor;
- decrypting address and data information encrypted by the selected processor and store data at the address;
- partially decrypting information encrypted by the selected processor;
- performing stream encryption of information communicated on the communication channel wherein processor and memory sides of the communication channel are assigned a key;
- performing channel encryption operations on the communication channel for information that is storage encrypted wherein the storage-encrypted information is encrypted by the selected processor, stored in the selected memory, accessed from the selected memory, and decrypted by the selected processor; or
- performing time-varying encryption.
15. The data processing system according to claim 1 wherein the logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces the fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets using encryption for the first entity and the second entity that is specified independently including forming at least one cryptographic security perimeter enclosing at least one selected region of memory and managing information communication between a processor and the at least one selected region of memory.
16. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction specified to copy executable code from a received message into memory for execution.
17. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction specified to copy executable code from a received message into memory for execution operating on data designated by a pointer or offset in the received message.
18. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction specified to copy executable code, a copy of the executable code, and a copy of data to be operated on by the executable code from a received message into memory for execution.
19. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets using encryption for the first entity and the second entity that is specified independently including decrypting encrypted information from a received message and writing the decrypted information into memory.
20. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction specified to apply a template to a received message and fill the template at least in part from the received message and at least in part from information previously installed in memory for execution.
21. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction specified to apply a template to a received message, fill the template at least in part from the received message and at least in part from information previously installed in memory, and execute at least one instruction specified by an instruction pointer included in the received message.
22. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction specified to apply a template to a received message, fill the template at least in part from the received message and at least in part from information previously installed in memory, verify a signature specified by the received message, and execute at least one instruction specified by the received message if the signature is verified.
23. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction specified to dynamically generate executable code by applying a template to a received message and filling the template at least in part from the received message and at least in part from information previously installed in memory for execution.
24. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more a plurality of federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction specified to apply a template to a received message, determine whether at least one location in the template is unavailable as used by a conflicting process, and communicate with the conflicting process to resolve the conflict.
25. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction specified to receive a message including a pointer to data in memory that is operated upon by executable code in the logic-in-memory for execution.
26. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction specified to enforce security by generating a fault in response to a process attempting to branch to at least one instruction not copied to memory by the process.
27. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets by controlling flow integrity for the first entity and the second entity that is specified independently including executing at least one control flow integrity instruction specified to logic-in-memory configured to identify memory to be protected using pointers to data and data sets specified according to the first entity controlling the first sensor and the second entity controlling the second sensor.
28. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets at least partially determined by permissions for the first entity and the second entity that are specified independently including enforcing security of memory using at least one pointer that identifies a lower bound, an upper bound and permissions for data and data sets specified according to the first entity controlling the first sensor and the second entity controlling the second sensor.
29. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets managing memory access for the first entity and the second entity that is specified independently including enforcing security of memory using at least one poisoned bit that prevents subsequent branching and/or returns for data and data sets specified according to the first entity controlling the first sensor and the second entity controlling the second sensor.
-
30. The data processing system according to claim 1 wherein logic-in-memory integrated into at least one memory device of the at least one member server of the federated server, the logic-in-memory configured with logic that enforces fine-grained security operations on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
logic-in-memory configured to fuse the at least one of data or one or more data sets at least partially determined by permissions for the first entity and the second entity that are specified independently including enforcing security of memory using fusion of data and data sets in numerical aspects and permissions aspects specified according to the first entity controlling the first sensor and the second entity controlling the second sensor.
-
-
31. A federated system comprising:
-
at least one member server of a federated server configured to access data via distributed queries over data stored in a plurality of remote data sources; and at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor, the at least one wrapper configured to fuse the at least one of data or one or more data sets at least partially by managing running applications for the first entity and the second entity that is specified independently.
-
32. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
at least one wrapper configured to fuse the at least one of data or one or more data sets at granularities for the first entity and the second entity that are specified independently including operations on data elements more fine-grained than a memory page or virtual page size.
-
33. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a software module containing characteristics about the plurality of remote data sources.
-
34. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a wrapper portion configured to set permissions defining fine-grained security operations for selectively accessing data on the plurality of remote data sources independently for at least the first entity and the second entity.
-
35. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a wrapper portion configured to set hardware scheduling and fine-grained security operations on selected hardware devices and components independently for at least the first entity and the second entity.
-
36. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a wrapper portion configured to set access to virtual memory and fine-grained security operations on selected memory regions in the virtual memory independently for at least the first entity and the second entity.
-
37. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a wrapper portion configured to determine applications running on a computer selected from among one or more computers networked to the federated server and one or more fine-grained security operations on the selected computer independently for at least the first entity and the second entity.
-
38. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a wrapper portion configured to specify a control flow integrity instruction to verify changes in control flow and respond to verification failure by trap or exception independently for at least the first entity and the second entity.
-
39. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a wrapper portion configured to specify a control flow integrity instruction to verify changes in control flow comprising conditions of instruction length or instruction alignment independently for at least the first entity and the second entity.
-
40. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a wrapper portion configured to specify a control flow integrity instruction to verify changes in control flow including changes resulting from direct branches, indirect branches, direct calls, indirect calls, returns, and exceptions independently for at least the first entity and the second entity.
-
41. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a wrapper portion configured to specify a control flow integrity instruction independently for at least the first entity and the second entity, the control flow integrity instruction including at least an immediate constant bitmask that defines at least one check to be made of at least one condition, the at least one check being logically-ORed and a trap or exception is generated if none of the at least one condition matches, the immediate constant bitmask including one or more bitmask bits configured to identify one or more of: whether the control flow integrity instruction is reachable through sequential execution from a previous instruction; whether the control flow integrity instruction is target of an unconditional direct branch; whether the control flow integrity instruction is target of a conditional direct branch; whether the control flow integrity instruction is target of a non-relative direct branch; whether the control flow integrity instruction is target of an indirect branch; whether the control flow integrity instruction is target of a relative function call; whether the control flow integrity instruction is target of a non-relative or absolute function call; whether the control flow integrity instruction is target of an indirect function call; or whether the control flow integrity instruction is target of a function return instruction.
-
42. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a wrapper portion configured to specify access to memory and fine-grained security operations on selected start and end boundaries and selected granularity in the memory with selected permissions.
-
43. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a wrapper portion configured to specify access to memory and fine-grained security operations in the memory with permissions independently for at least the first entity and the second entity, the specifying access selected from a group consisting of write enablement, read enablement, execution enablement, and duration of enablement.
-
44. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a wrapper portion configured to specify access to memory in memory blocks and fine-grained security operations independently for at least the first entity and the second entity, the specifying access by individually protecting selected memory blocks.
-
45. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a wrapper portion configured to specify applications to run in a plurality of virtual machines and fine-grained security operations independently for at least the first entity and the second entity, the specifying applications to run including assigning data to a selected virtual machine.
-
46. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a wrapper portion configured to specify channel encryption operations on a communication channel that communicates information between a selected processor and a selected memory independently for at least the first entity and the second entity, wherein the wrapper portion is further configured to specify one or more of: decrypting information encrypted by the selected processor; decrypting address and data information encrypted by the selected processor and store data at the address; partially decrypting information encrypted by the selected processor; performing stream encryption of information communicated on the communication channel wherein processor and memory sides of the communication channel are assigned a key; performing channel encryption operations on the communication channel for information that is storage encrypted wherein the storage-encrypted information is encrypted by the selected processor, stored in the selected memory, accessed from the selected memory, and decrypted by the selected processor; or performing time-varying encryption.
-
47. The federated system according to claim 31 wherein the at least one wrapper configured for communicating among the plurality of remote data sources, the at least one wrapper containing characteristics and determining fine-grained security operations for selected ones of the remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a wrapper portion configured to specify at least one cryptographic security perimeter independently for at least the first entity and the second entity, the cryptographic security perimeter enclosing at least one selected region of memory and information communication between a processor and the at least one selected region of memory.
-
-
48. A computer system comprising:
-
a network interface configured to communicate data among a plurality of remote data sources and one or more client users or applications; and a processor operatively coupled to the network interface and configured to control fine-grained security operations configured at least partly as logic-in-memory distributed on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor, the logic-in-memory configured to fuse the at least one of data or one or more data sets using encryption for the first entity and the second entity that is specified independently.
-
49. The computer system according to claim 48 wherein the processor operatively coupled to the network interface and configured to control fine-grained security operations configured at least partly as logic-in-memory distributed on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
at least one process configured to fuse the at least one of data or one or more data sets at granularities for the first entity and the second entity that are specified independently including fine-grained security operations on data elements more fine than a memory page or virtual page size.
-
50. The computer system according to claim 48 wherein the processor operatively coupled to the network interface and configured to control fine-grained security operations configured at least partly as logic-in-memory distributed on one or more federated shared data sets distributed among the plurality of remote data sources using sensor fusion that fuses at least one of data or one or more data sets for a first entity controlling a first sensor and a second entity controlling a second sensor further includes:
a process configured to access data distributed among the plurality of remote data sources upon request from the plurality of client users and applications.
-
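The bitmask check recited in claim 41 (one bit per permitted way of arriving at a control flow integrity instruction, checks ORed together, trap if none matches) can be modelled in software as follows. This is an added illustration, not code from the patent or its assignee; the bit positions, the `struct insn` model and the rule that indirect transfers and returns must land on a control flow integrity instruction are assumptions of the sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One bit per arrival condition listed in claim 41.
 * The bit positions are assumed; the claim assigns no encoding. */
enum cfi_arrival {
    CFI_SEQUENTIAL      = 1u << 0, /* reached by sequential execution   */
    CFI_UNCOND_DIRECT   = 1u << 1, /* unconditional direct branch       */
    CFI_COND_DIRECT     = 1u << 2, /* conditional direct branch         */
    CFI_NONREL_DIRECT   = 1u << 3, /* non-relative direct branch        */
    CFI_INDIRECT_BRANCH = 1u << 4, /* indirect branch                   */
    CFI_REL_CALL        = 1u << 5, /* relative function call            */
    CFI_ABS_CALL        = 1u << 6, /* non-relative or absolute call     */
    CFI_INDIRECT_CALL   = 1u << 7, /* indirect function call            */
    CFI_RETURN          = 1u << 8  /* function return                   */
};
#define CFI_ALL_BITS 0x1FFu

enum cfi_result { CFI_OK = 0, CFI_TRAP = 1 };

/* Hypothetical instruction slot: either an ordinary instruction or a
 * control flow integrity instruction carrying an immediate bitmask. */
struct insn { int is_cfi; uint16_t mask; };

/* The checks are logically ORed: one matching bit is enough.
 * A transfer may satisfy several conditions at once, so `arrival`
 * is itself a bit set. An empty mask can never match and always traps. */
enum cfi_result cfi_check(uint16_t mask, uint16_t arrival)
{
    return (mask & arrival & CFI_ALL_BITS) ? CFI_OK : CFI_TRAP;
}

/* Model one change of control flow to prog[target]. */
enum cfi_result cfi_transfer(const struct insn *prog, size_t n,
                             size_t target, uint16_t arrival)
{
    if (target >= n)
        return CFI_TRAP;                 /* target outside the program */
    if (!prog[target].is_cfi) {
        /* Assumed policy: computed targets need a CFI instruction. */
        uint16_t computed = CFI_INDIRECT_BRANCH | CFI_INDIRECT_CALL | CFI_RETURN;
        return (arrival & computed) ? CFI_TRAP : CFI_OK;
    }
    return cfi_check(prog[target].mask, arrival);
}

/* Constructed sample program: [0] function entry, [1] ordinary
 * instruction, [2] return site, [3] ordinary instruction. */
static const struct insn sample_prog[] = {
    { 1, CFI_REL_CALL | CFI_ABS_CALL | CFI_INDIRECT_CALL },
    { 0, 0 },
    { 1, CFI_RETURN },
    { 0, 0 },
};
#define SAMPLE_LEN (sizeof sample_prog / sizeof sample_prog[0])

int main(void)
{
    static const struct { size_t target; uint16_t arrival; const char *what; } t[] = {
        { 0, CFI_INDIRECT_CALL,   "indirect call to function entry" },
        { 0, CFI_RETURN,          "return into function entry"      },
        { 1, CFI_INDIRECT_BRANCH, "indirect branch to mid-function" },
        { 2, CFI_RETURN,          "return to return site"           },
        { 2, CFI_SEQUENTIAL,      "fall-through onto return site"   },
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-34s -> %s\n", t[i].what,
               cfi_transfer(sample_prog, SAMPLE_LEN, t[i].target, t[i].arrival)
                   == CFI_OK ? "ok" : "trap");
    return 0;
}
```
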
-
Current Assignee: RPX Corporation
Original Assignee: Elwha LLC (Intellectual Ventures LLC)
Inventors: Tegreene, Clarence T., Gerrity, Daniel A., Glew, Andrew F.
Primary Examiner(s): Najjar, Saleh
Assistant Examiner(s): Korsak, Oleg
Application Number: US13/136,401
Publication Number:
Time in Patent Office: 1,278 Days
Field of Search: 713/162, 726/1
US Class Current: 713/162
CPC Class Codes:
G06F 21/52 during program execution, e...
G06F 21/606 by securing the transmissio...
G06F 21/62 Protecting access to data v...
G06F 21/72 in cryptographic circuits
G06F 21/79 in semiconductor storage me...
G06F 21/85 interconnection devices, e....
G06F 21/87 by means of encapsulation, ...