Vladimir Zbarsky

US Patent:

7694311, Apr 6, 2010

Filed:

Sep 29, 2004

Appl. No.:

10/952414

Inventors:

Arnon Amir - Saratoga CA, US
Prasad Manikarao Deshpande - San Jose CA, US
Savitha Srinivasan - San Jose CA, US
Vladimir Zbarsky - Newark CA, US

Assignee:

International Business Machines Corporation - Armonk NY

International Classification:

G06F 3/00
G06F 9/44
G06F 9/46
G06F 13/00

US Classification:

719320, 707100, 709200, 709224

Abstract:

A method of detecting tasks performed by users wherein a single task is a sequence of web URLs invocation. Task patterns are detected in web logs to identify tasks performed by users and analyze task trends over time, across corporate divisions and geographies. A grammar-based framework is used to model and detect tasks from web log patterns. The framework has two components: a declarative unit—to generate a task grammar, and a processing unit—to detect tasks from access logs by generating a state machine for applying the task grammar to the tokens associated with the access records. By analyzing user tasks, rather than just URLs, useful business information can be extracted.

US Patent:

7860246, Dec 28, 2010

Filed:

Nov 1, 2006

Appl. No.:

11/555605

Inventors:

Julian A Cerruti - San Jose CA, US
Sigfredo I Nin - Morgan Hill CA, US
Dulce B Ponceleon - Palo Alto CA, US
Vladimir Zbarsky - Newark CA, US

Assignee:

International Business Machines Corporation - Armonk NY

International Classification:

H04L 9/00
H04N 7/167

US Classification:

380 42, 380259, 380260, 380239

Abstract:

A system for protecting data in a security system generates and encodes a backup key for encoding long-lived secrets. The system generates a distribution plan for distributing cryptographic splits of the encoded backup key to selected persons based on geographic and organizational diversity. The distribution plan specifies a number M of the cryptographic splits to be generated and a number N of the cryptographic splits required to recover the backup key. The system processes utilize an init file comprising system parameters and state files each comprising parameters reflecting a state of the secure system after a transaction. Any of the state files may be used for any of the system processes. The state files and the init file are encoded by the backup key, thus protecting the long-lived secrets.

US Patent:

7886162, Feb 8, 2011

Filed:

May 29, 2007

Appl. No.:

11/754649

Inventors:

Masana Murase - Yokohama, JP
Kanna Shimizu - Austin TX, US
Masaharu Sakamoto - Yokohama, JP
Vladimir Zbarsky - Newark CA, US

Assignee:

International Business Machines Corporation - Armonk NY

International Classification:

G06F 12/14
G06F 9/24
G06F 7/04
H04L 29/06
H04L 9/28
G08B 29/00
H04K 1/00

US Classification:

713193, 713 1, 713150, 713161, 713165, 713189, 713194, 726 26, 726 27, 726 34, 380255, 380 28

Abstract:

A method, computer program product, and data processing system for executing larger-than-physical-memory applications while protecting sensitive program code (and also data) from unauthorized access in a memory space not subject to protection fault or page fault detection are disclosed. Large applications are accommodated by providing a mechanism for secure program overlays, in which a single large application is broken into two or more smaller applications (overlays) that can be executed from the same memory space by overwriting one of the smaller applications with another of the smaller applications when the latter needs to be executed. So that the data may be shared among these smaller applications, each of the applications contains embedded cryptographic keys, which may be used to encrypt or decrypt information to be stored persistently while control is transferred from one application to the other.

US Patent:

7934063, Apr 26, 2011

Filed:

Mar 29, 2007

Appl. No.:

11/693406

Inventors:

Masana Murase - Kawasaki, JP
Masaharu Sakamoto - Yokohama, JP
Kanna Shimizu - Austin TX, US
Vladimir Zbarsky - Newark CA, US

Assignee:

International Business Machines Corporation - Armonk NY

International Classification:

G06F 13/28

US Classification:

711154

Abstract:

A method of invoking power processor element (PPE) serviced C library functions on a synergistic processing element (SPE) running in isolated mode. When the SPE initiates a PPE-serviced function, an SPE stub routine allocates a parameter buffer in an open area of a local store (LS) memory within the SPE. The LS memory includes an open area accessible to the PPE, and an isolated area inaccessible to the PPE. The SPE stub routine copies function parameters corresponding to the PPE-serviced function to a buffer within the open area of the LS memory, and writes a message word, which contains an identification variable of the PPE-serviced function and a location variable of the function parameters, to the open area. When execution is temporarily suspended on the SPE, the PPE reads the message word from the open area of the LS memory and executes the PPE-serviced function.

US Patent:

8166304, Apr 24, 2012

Filed:

Oct 2, 2007

Appl. No.:

11/866020

Inventors:

Masana Murase - Kawasaki, JP
Kanna Shimizu - Austin TX, US
Vladimir Zbarsky - Newark CA, US

Assignee:

International Business Machines Corporation - Armonk NY

International Classification:

G06F 21/00

US Classification:

713176, 726 1, 726 21, 726 27, 380277, 713 2, 713192

Abstract:

A method, computer program product, and data processing system are disclosed for ensuring that applications executed in the data processing system originate only from trusted sources are disclosed. In a preferred embodiment, a secure operating kernel maintains a “key ring” containing keys corresponding to trusted software vendors. The secure kernel uses vendor keys to verify that a given application was signed by an approved vendor. To make it possible for independent developers to develop software for the herein-described platform, a “global key pair” is provided in which both the public and private keys of the pair are publicly known, so that anyone may sign an application with the global key. Such an application may be allowed to execute by including the global key pair's public key in the key ring as a “vendor key” or, conversely, it may be disallowed by excluding the global public key from the key ring.

US Patent:

8280043, Oct 2, 2012

Filed:

Jun 5, 2008

Appl. No.:

12/133658

Inventors:

Julian A. Cerruti - San Jose CA, US
Sigfredo I Nin - Morgan Hill CA, US
Dulce B Ponceleon - Palo Alto CA, US
Vladimir Zbarsky - Newark CA, US

Assignee:

International Business Machines Corporation - Armonk NY

International Classification:

H04L 9/00
H04N 7/167

US Classification:

380 42, 380259, 380260, 380239

Abstract:

A system for protecting data in a security system generates and encodes a backup key for encoding long-lived secrets. The system generates a distribution plan for distributing cryptographic splits of the encoded backup key to selected persons based on geographic and organizational diversity. The distribution plan specifies a number M of the cryptographic splits to be generated and a number N of the cryptographic splits required to recover the backup key. The system processes utilize an init file comprising system parameters and state files each comprising parameters reflecting a state of the secure system after a transaction. Any of the state files may be used for any of the system processes. The state files and the init file are encoded by the backup key, thus protecting the long-lived secrets.

US Patent:

8332635, Dec 11, 2012

Filed:

May 29, 2007

Appl. No.:

11/754658

Inventors:

Kanna Shimizu - Austin TX, US
Vladimir Zbarsky - Newark CA, US

Assignee:

International Business Machines Corporation - Armonk NY

International Classification:

H04L 29/06
H04L 9/32
H04L 9/00
H04L 9/28
G06F 12/14
G06F 7/04
G08B 29/00
H04K 1/00

US Classification:

713164, 713176, 713187, 713189, 726 26, 726 34, 380255, 380277, 380 28

Abstract:

A method, computer program product, and data processing system provide an updateable encrypted operating kernel. Secure initialization hardware decrypts a minimal secure kernel containing sensitive portions of data and/or code into a portion of the processor-accessible memory space, from which the kernel is executed. Most system software functions are not directly supported by the secure kernel but are provided by dynamically loaded kernel extensions that are encrypted with a public key so that they can only be decrypted with a private key possessed by the secure kernel. The public/private key pair is processor-specific. Before passing control to a kernel extension, the secure kernel deletes a subset of its sensitive portions, retaining only those sensitive portions needed to perform the task(s) delegated to the kernel extension. Which sensitive portions are retained is determined by a cryptographic key with which the kernel extension is signed.

US Patent:

8332636, Dec 11, 2012

Filed:

Oct 2, 2007

Appl. No.:

11/866001

Inventors:

Masana Murase - Kawasaki, JP
Masaharu Sakamoto - Yokohama, JP
Kanna Shimizu - Austin TX, US
Vladimir Zbarsky - Newark CA, US

Assignee:

International Business Machines Corporation - Armonk NY

International Classification:

H04L 29/06

US Classification:

713164, 713167, 380277

Abstract:

A method, computer program product, and data processing system are disclosed for ensuring that applications executed in the data processing system originate only from trusted sources are disclosed. In a preferred embodiment, a secure operating kernel maintains a “key ring” containing keys corresponding to trusted software vendors. The secure kernel uses vendor keys to verify that a given application was signed by an approved vendor. To make it possible for users to execute software from independent software developers, an administrative user may disable the above-described vendor key-checking as an option.