GB2506604A - Method of selectively decrypting encrypted files - Google Patents


Info

Publication number
GB2506604A
Authority
GB
United Kingdom
Prior art keywords
application
file
method according
access
files
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB1217610.3A
Other versions
GB201217610D0 (en
Inventor
Jarno Niemela
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
F Secure Corp
Original Assignee
F Secure Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by F Secure Corp
Priority to GB1217610.3A
Publication of GB201217610D0
Publication of GB2506604A
Application status is Withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Abstract

A method of selectively decrypting encrypted files stored on a computer memory comprises allowing applications to have controlled access to the files by way of a drive crypto. Each application is associated with one or more files and when an application seeks to access a file via the drive crypto, it is determined whether a file type of the file is one of those associated with the application and the drive crypto then uses the result to selectively decrypt the file. The method further comprises performing a security check on the application which can include determining whether the application is signed with a correct digital signature, identifying the application using a secure hash algorithm, reading the file extension of the file or undertaking a process image path check. The security check can further comprise checking a look up table comprising a list of file types accessible by an application. The system obviates the need for each user to have access rights and/or access to a DRM server.

Description

SELECTIVE DECRYPTION OF FILES

Technical Field

The invention relates to methods and apparatus for selectively decrypting files stored on a computer memory.

Background

Industrial espionage is a large and expensive problem for many corporations.

Protecting files stored on computer systems against industrial espionage attacks is of great importance to maintain the integrity of sensitive commercial information.

One aspect of industrial espionage is the act of obtaining a competitor's files without permission. This may be achieved by "infecting" a system (e.g. a computer device or a computer network) with an application configured to obtain files stored in a memory of a computer device. Typically, an attacker launches a program on a victim's system, copies files from the system and sends them over the network using some channel, such as HTTP push.

Systems may use digital rights management (DRM) technologies to restrict user access to stored files. In DRM, access to digital content is restricted based on rights attributed to a user. Such technologies may be used to protect documents, but they typically have the problem that they do not allow modification of documents and thus are of limited corporate usefulness. US 20030217275 discloses methods and systems for digital rights management.

There are DRM technologies that allow editing of files, such as Windows Rights Management. However, such systems allow malware to request a decryption key from a rights management services (RMS) server. Additionally, editing is not possible if there is no network connection between a computer system from which a user requires access and the RMS server.

DRM technologies make the sharing of files and documents between users problematic in that each user must have rights to access a file so that they may read and/or edit the file. Further, each user must have access to some kind of DRM server. Therefore, if a first user creates a file and sends the file to a second user, the second user must also have the correct DRM rights in order to open and/or edit the file.

Summary

According to the invention in a first aspect, there is provided a method of selectively decrypting encrypted files stored on a computer memory. The method comprises allowing applications to have controlled access to the files by way of a drive crypto.

Each application is associated with one or more files. The method further comprises, when an application seeks to access a file via the drive crypto, determining whether a file type of the file is one of those associated with the application and using the result to control the drive crypto to selectively decrypt the file.

Optionally, using the result to control the drive crypto to selectively decrypt the file comprises controlling the drive crypto to decrypt the file if the file is one of those associated with the application.

Optionally, using the result to control the drive crypto to selectively decrypt the file comprises, if the file is one of those associated with the application, performing a security check on the application and controlling the drive crypto to decrypt the file if the application passes the security check.

Optionally, the file is decrypted if the security check indicates that the application is unmodified.

Optionally, the method further comprises, if the security check indicates that the application is modified, checking whether the modification is benign, and, if so, decrypting the file.

Optionally, performing the security check comprises determining whether the application is signed with a correct digital signature.

Optionally, the application is determined to be healthy and unmodified if the digital signature is correct.

Optionally, performing the security check comprises identifying the application using a secure hash algorithm.

Optionally, the secure hash algorithm is SHA-1.

Optionally, performing the security check comprises determining whether the application is patched in memory.

Optionally, determining whether the file type is associated with the application comprises reading the file extension of the file.

Optionally, determining whether the file type is associated with the application comprises determining the identity of the application.

Optionally, determining the identity of the application comprises reading a process name associated with the application.

Optionally, determining the identity of the application comprises undertaking a process image path check.

Optionally, determining whether the file type is associated with the application comprises checking a look up table comprising a list of file types accessible by an application.

Optionally, the look up table is stored on a computer device.

Optionally, the look up table is defined by an enterprise policy device.

Optionally, the enterprise policy system is an active directory or a policy manager.

Optionally, the memory is part of a computer device, and wherein the computer device is part of a local computer network, and the application is running on a processor located within the local computer network.

Optionally, if the file is decrypted, it is decrypted on the fly whilst the application is reading it.

Optionally, a message is generated and transmitted to a system administrator if the file is not decrypted.

According to the invention in a second aspect, there is provided a non-transitory computer readable medium comprising computer readable code configured, when read by a computer, to carry out any of the methods described above.

According to the invention in a third aspect, there is provided a system for selectively decrypting encrypted files stored in a computer memory. The system comprises a memory configured to store files and a processor in electrical communication with the memory via a drive crypto. The processor is configured to allow applications to have controlled access to the files by way of the drive crypto. Each application is associated with one or more files. The processor is also configured to, when an application seeks to access a file via the drive crypto, determine whether a file type of the file is one of those associated with the application and using the result to control the drive crypto to selectively decrypt the file.

According to the invention in a fourth aspect, there is provided a device for selectively decrypting encrypted files stored in a computer memory. The device comprises a processor in electrical communication with a memory via a drive crypto. The processor is configured to allow applications to have controlled access to files stored on a memory by way of the drive crypto. Each application is associated with one or more files. The processor is also configured to, when an application seeks to access a file via the drive crypto, determine whether a file type of the file is one of those associated with the application and using the result to control the drive crypto to selectively decrypt the file.

According to the invention in a fifth aspect, there is provided a method for selectively decrypting encrypted files stored in a computer memory, the method comprising: determining a file type of a file stored in the memory; determining an identity of an application requesting access to the file; determining whether the file is one that is associated with the application based on the file type and the identity of the application; determining a security parameter of the application; selectively decrypting the file based on whether the file is one that is associated with the application and the determined security parameter.

Brief description of the figures

Exemplary embodiments of the invention are described herein with reference to the accompanying drawings, in which: Figure 1 is a flow diagram showing a method for providing restricted access to a file stored in a memory of a computer device; and Figure 2 is a system for providing restricted access to a file stored in a memory of a computer device.

Description

Generally, described herein are methods and apparatus for controlling access to a file stored in a computer memory, that is, any memory or disk drive readable by a computer. The file may be stored, for example, in a file system. The stored file may be encrypted to provide an increased level of security. Therefore, also described herein are methods and apparatus for selectively decrypting files. In such cases, providing controlled access may comprise decrypting the file if an application requesting access to the file meets certain criteria.

The inventors have appreciated that known systems for controlling access to files do not provide protection from attacks emanating from inside a computer system in which a file is stored and in which the file may have been created or modified and is required to be available for further modification. A computer system may, for example, be a computer device or a network of computer devices. Further, the inventors have appreciated that known systems typically do not protect against attacks from users having access rights corresponding to those of a genuine user or an administrator.

Typically, known systems provide protection against attacks emanating from outside a system or attacks without user privileges and do not allow a user to modify protected files.

In addition, the inventors have appreciated that current access control methods and apparatus are user rights based, which means that malware operating with administrator rights or with authorised user rights can access files stored on a computer system. Process based access control methods may not help against an attacker with administrator rights, as the attacker can modify access rights to desired files and access them. The inventors have appreciated that by controlling file decryption on an application basis it is possible to protect against a hostile process that has administrator level rights.

Further, the inventors have appreciated that protection is required for documents stored within a computer system that has been infected by an attacker application. The inventors have also appreciated that it may be desirable to allow any user to read and modify a file that has been protected in this way.

In general, the methods and apparatus disclosed herein control access to and/or decryption of files at an application level rather than a user level.

Referring to Figure 1, a method for controlling access to a file by selective file encryption/decryption is shown. The method controls access to files so that only applications that are permitted to access the files can do so. To other applications, access is blocked.

Controlled access to files is provided by way of a drive crypto. The term "drive crypto" encompasses a process (making use of appropriate software and/or hardware) that controls access to one or more blocks of memory. Files being written to such memory are encrypted on-the-fly by the drive crypto, whilst files being read from the memory are decrypted on-the-fly by the drive crypto. The drive crypto may be locked and unlocked for example using a user or system administrator password, dongle, smart card, etc. In the following discussion it is assumed that the drive crypto is in the unlocked state, i.e. it is available to encrypt and decrypt files subject to other authorisation requirements being met.

When an application requests access, via the drive crypto, to a file stored in a computer memory, it is determined whether the file type of the file is one that is associated with the application. In the exemplary method of Figure 1, this is done by determining 100 the file type of the file and the identity of the application.

When determining the file type, the file extension of the file may be read. For example, if the file extension is ".doc" then the file type may be determined to be a Word document file. Further examples of file extensions and their associated file types will be known to the skilled person. Alternatively, the file type may be determined by analysing the file format. Typically, this means conducting a check of one or more identifying bytes in a file header or footer. In some cases, this can include a full check of the file header structure and any manifest or catalogue file sections in the file.

The identity of the application requesting access to the file is also determined 102. The identity of the requesting application may be determined by reading the process name of the application. A process may broadly be defined as an instance of running a program on a computer processor. Therefore, the application requesting access to the file will be associated with at least one process, as the application is run on a computer processor of the computer system. Each process running on a processor has a name, which, in the case of an application, indicates the identity of the application itself. For example, the name of the process running Word is "word.exe" and the name of the process running Outlook is "outlook.exe".

The identity of the application may be determined using a process image path check.

When an application is running on the system it is associated with metadata identifying a process from which it has been launched. For example, Microsoft Word is typically launched from c:\Program Files (x86)\Microsoft Office\Office12\winword.exe. This information is contained within the metadata.

When checking the identity of an application trying to access a file, the image path information, comprising the metadata, is checked. It is then possible to check the root of the image path to analyse whether the ".exe" file is a valid Microsoft Word file and not malware disguising itself as a Microsoft Word file.

Analysis of the image path typically comprises: checking a digital signature of the application, if present; checking version information metadata; conducting a hash based lookup to one or more servers; checking any DLLs linked by the application; and conducting signature based identification.

The file type and the application identity are used to determine 104 whether the application is one that would normally be permitted to access the requested file. That is, whether the file type of the requested file is associated with, and is therefore accessible by, the application. For example, Word, Outlook backup software and Windows Explorer are exemplary applications that may access Word document file types and Powerpoint is an application that is permitted to access ".ppt" file types.

The association of the file type to the application may be determined by referring to a look up table. The look up table may include a plurality of entries relating to a plurality of applications. Each entry in the look up table may identify one or more file types that an application may normally be allowed access to and is, therefore, associated with.

For example, an entry in the look up table for the application Word may identify that, among others, ".doc", ".docx", ".rtf" and ".xls" file types may be accessed. It is noted that ".doc", ".docx", ".rtf" are used here to represent file types, which can be identified either by extension or by file analysis as described above.

The look up table may be stored locally on a computer device of the computer system.

Alternatively, the look up table may be defined by an enterprise policy system, such as an active directory or policy manager. In such cases, files are stored on a central server rather than at a user's workstation, which asks the central server whether an application (e.g. Microsoft Word) is allowed to access a file type (e.g. a Word document).

In certain exemplary systems, access to the file may be granted (and the file decrypted) by way of a drive crypto based on whether the requested file is associated with the requesting application.

In other exemplary methods, a further check may be required. Specifically, and in the method of Figure 1, a security check is performed 106 on the application. The security check may yield a security parameter of the application. Exemplary security parameters may determine the health of an application. Additionally, or alternatively, exemplary security parameters may determine whether the application has been modified. The health of an application may be linked to whether the application has been modified. That is, if an application has been modified by, for example, malware, it is thereby rendered unhealthy. However, a modified application is not necessarily an unhealthy application if, for example, it has been modified by a trustworthy application.

Some applications modify the memory of other applications in a way that is benign.

Exemplary methods and apparatus may be configured to block all modified applications. However, in other exemplary methods and apparatus modifications may be inspected and the application white-listed if the modifications are benign.

Typical modifications of applications that may result in access to files being denied comprise: modifying memory of application by code injection or hooking; modifying libraries loaded by application; injecting macro or script code into a default template or other file that is always loaded by an application; and launching an application with a local document that contains a macro or script that reads other files and transmits them from the system.

The security check therefore provides information relating to the trustworthiness of the application.

Performing the security check may comprise determining whether the application has a correct digital signature. A correct digital signature in this context is one that comprises one or more of the following features: it passes a signature check algorithm that proves that an application is not modified; it belongs to a correct company, for example, a certificate that is used to sign winword.exe should be from Microsoft; it has a correct certification authority signature to ensure that an attacker has not just generated a certificate which has the text "Microsoft" in it.

In such exemplary methods, an application is digitally signed using a type of asymmetric cryptography in which the digital signature is dependent on the application being unmodified. That is, the digital signature is determined based on the unmodified application and, therefore, is only correct if the application is unmodified. The digital signature may therefore give an indication of the integrity of the application. If an attacker attempts to modify an application such that it is configured to copy and transmit files from a computer device (or for some other malicious intent), the digital signature will appear incorrect. If the digital signature is correct, then the application may be determined to be healthy and unmodified.

Additionally or alternatively, performing the security check may comprise identifying the application using a secure hash algorithm, such as SHA-1. This may comprise calculating an SHA-1 hash of the application and checking the calculated hash against a server, which contains a database of known applications identifying that an application is healthy and what that application actually is.

Additionally or alternatively, performing the security check may comprise determining whether the application is patched in memory. The term "patched in memory" encompasses scenarios in which an attacker has modified the program in some fashion when it is running in computer memory. When an attacker does so, an application can be controlled to undertake tasks under the attacker's control. If applications stored in memory have been modified they may be considered unhealthy.

Decryption of the file is controlled 108 based on whether the file type of the requested file is associated with the application and, optionally, the outcome of the security check.

If the association of the file type with respect to the application does not permit the application to open the requested file, then access to the file is denied in that the drive crypto is controlled not to decrypt the file. However, in certain exemplary methods, if the association of the file type with respect to the application does permit the application to open the requested file, then access to the file is granted and the file is decrypted.

In other exemplary methods, if the association of the file type with respect to the application does permit the application to open the requested file, a security check may be performed. If the security check identifies that the application is not healthy and/or has been modified, then the requested file is not decrypted by the drive crypto. In such embodiments, the requested file is decrypted if the file type is associated with the application and the security check identifies that the application is healthy and unmodified.

In exemplary methods and systems, the files to which access is controlled are encrypted. In this way, if an attacker application is able to circumvent the protection provided by the methods described above, only the encrypted file content will be obtained. Files corresponding to the file types to which access is to be controlled may be identified and encrypted before it is determined whether access to the files should be granted. The files to be encrypted may be identified either by file type or by location in memory. Additionally, newly created files having a file type to which access is to be controlled may be encrypted as they are stored.

In exemplary methods, transparent access is provided to the files that are stored on the computer system and to which access is restricted. That is, the files will be read by applications running on the computer system without any knowledge that the file is encrypted and that a controlled decryption algorithm is in operation.

In exemplary methods and systems in which the stored files are encrypted, if access to a file is granted, the file may be decrypted on the fly by the drive crypto when it is being read by the application that has been granted access to the file. If access to the file is denied a message may be transmitted to alert a third party (e.g. a computer system administrator) that access to the file has been denied. Such an alert may be indicative of an attempt to infiltrate a computer system and to obtain files from a computer system.
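The decision flow of Figure 1 (steps 100 to 108) can be sketched as follows; this is an added example, not code from the patent or from F-Secure. The tables, paths, names and sample bytes are constructed assumptions, a local dictionary stands in for the server-side database of known applications, and SHA-256 is used in place of the SHA-1 the description mentions.

```python
import hashlib
import ntpath
from dataclasses import dataclass

# Constructed stand-in for the bytes of a genuine application image.
GENUINE_WORD = b"constructed stand-in for a genuine winword.exe image"

# Hypothetical look-up table: process name -> file types it may open.
LOOKUP_TABLE = {"winword.exe": {"doc", "docx", "rtf"}}
# Hypothetical install roots used for the process image path check.
TRUSTED_ROOTS = {"winword.exe": r"c:\program files (x86)\microsoft office"}
# Stand-in for the server database of known healthy applications.
KNOWN_GOOD = {"winword.exe": {hashlib.sha256(GENUINE_WORD).hexdigest()}}
# Header signatures and the file types that legitimately carry them.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "ppt", "xls"}),  # OLE2
    (b"PK\x03\x04", {"docx", "pptx", "xlsx"}),                    # ZIP/OOXML
    (b"{\\rtf", {"rtf"}),
]

ALERTS = []  # messages that would be sent to the system administrator


@dataclass
class Request:
    image_path: str     # path the requesting process was launched from
    image_bytes: bytes  # contents of that executable image
    file_name: str      # file the process asks the drive crypto to read
    file_header: bytes  # leading plaintext bytes, seen only by the drive crypto


def file_type(req):
    """Step 100: extension, cross-checked against the header bytes."""
    ext = ntpath.splitext(req.file_name)[1].lstrip(".").lower()
    for magic, types in MAGIC:
        if req.file_header.startswith(magic):
            return ext if ext in types else None
    return None  # unrecognised format


def app_identity(req):
    """Step 102: process name, accepted only under its trusted root."""
    # normpath collapses ".." so a traversal cannot fake the prefix.
    path = ntpath.normcase(ntpath.normpath(req.image_path))
    name = ntpath.basename(path)
    root = TRUSTED_ROOTS.get(name)
    if root is None or not path.startswith(root + "\\"):
        return None
    return name


def security_check(name, req):
    """Step 106: the image hash must match a known healthy build."""
    digest = hashlib.sha256(req.image_bytes).hexdigest()
    return digest in KNOWN_GOOD.get(name, set())


def decide(req):
    """Step 108: return (decrypt, reason); every denial raises an alert."""
    ftype = file_type(req)
    name = app_identity(req)
    if name is None:
        reason = "image path not trusted"
    elif ftype is None:
        reason = "file type unknown or header/extension mismatch"
    elif ftype not in LOOKUP_TABLE.get(name, set()):  # step 104
        reason = "file type not associated with application"
    elif not security_check(name, req):
        reason = "application image modified or unknown"
    else:
        return True, "ok"
    ALERTS.append(f"denied {req.image_path} -> {req.file_name}: {reason}")
    return False, reason


if __name__ == "__main__":
    word = r"C:\Program Files (x86)\Microsoft Office\Office12\winword.exe"
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
    for r in (
        Request(word, GENUINE_WORD, "plan.doc", ole),
        Request(r"C:\Users\Public\winword.exe", GENUINE_WORD, "plan.doc", ole),
        Request(word, GENUINE_WORD + b"\x90", "plan.doc", ole),
    ):
        print(r.image_path, r.file_name, decide(r))
```

A real drive crypto would obtain the image path and image contents from the operating system for the calling process rather than from caller-supplied fields, and would add the in-memory patch check described above.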

Referring to Figure 2, a system is shown for providing controlled decryption of a file stored on a computer memory. The system comprises a plurality of computer devices 200a-d each in electrical communication with a network 202. The network may be a local network, such as an intranet within a company. The term "local network" encompasses a network that is separate from the wider Internet and is self contained, for example within a building, a company or a collection of individual computer devices.

The network may be a secure network. The computer devices 200a-d may therefore be in electrical communication with each other via the network 202. In exemplary systems, the network 202 may be further connected to other networks, which may be external to the network 202, for example the Internet.

The computer devices 200a-d may be end user devices, servers, memory devices or databases. An exemplary computer device 200a is enlarged to show the features of the device 200a more clearly. The computer device 200a comprises a network interface 204 in electrical communication with the network 202. A processor 206 is in electrical communication with the network interface 204, a drive crypto 207 and a user interface 210. The drive crypto 207 is in electrical communication with a computer memory 208.

In use, the memory 208 is configured to store files that have been encrypted by the drive crypto 207 and the decryption of which is to be controlled. The processor 206 is configured to run an application that may request access to the files stored on the computer memory. An application may request access to a file stored in the memory, and it is determined whether the file should be decrypted and access should be granted based on the method disclosed above. The method may be undertaken by the processor 206.

In exemplary systems, an application may be run on a processor of a computer device 200a-d that is different to the computer device on which the file is stored. In such cases, access to the file may be requested over the network 202.

The skilled person will be able to envisage other embodiments without departing from the scope of the appended claims.

Claims (25)

  1. CLAIMS: 1. A method of selectively decrypting encrypted files stored on a computer memory, the method comprising: allowing applications to have controlled access to the files by way of a drive crypto, wherein each application is associated with one or more files; and when an application seeks to access a file via the drive crypto, determining whether a file type of the file is one of those associated with the application and using the result to control the drive crypto to selectively decrypt the file.
  2. 2. A method according to claim 1, wherein using the result to control the drive crypto to selectively decrypt the file comprises controlling the drive crypto to decrypt the file if the file is one of those associated with the application.
  3. 3. A method according to claim 1, wherein using the result to control the drive crypto to selectively decrypt the file comprises, if the file is one of those associated with the application, performing a security check on the application and controlling the drive crypto to decrypt the tile if the application passes the security check.
  4. 4. A method according to claim 3, wherein the file is decrypted if the security check indicates that the application is unmodified.
  5. 5. A method according to claim 3, further comprising, if the security check indicates that the application is modified, checking whether the modification is benign, and, if so, decrypting the file.
  6. 6. A method according to any of claims 3 to 5, wherein performing the security check comprises determining whether the application is signed with a correct digital signature.
  7. 7. A method according to claim 6, wherein the application is determined to be healthy and unmodified if the digital signature is correct.
  8. 8. A method according to any of claims 3 to 7, wherein performing the security check comprises identifying the application using a secure hash algorithm.
  9. A method according to claim 8, wherein the secure hash algorithm is SHA-1.
  10. A method according to any of claims 3 to 9, wherein performing the security check comprises determining whether the application is patched in memory.
  11. A method according to any preceding claim, wherein determining whether the file type is associated with the application comprises reading the file extension of the file.
  12. A method according to any preceding claim, wherein determining whether the file type is associated with the application comprises determining the identity of the application.
  13. A method according to claim 12, wherein determining the identity of the application comprises reading a process name associated with the application.
  14. A method according to claim 12 or 13, wherein determining the identity of the application comprises undertaking a process image path check.
  15. A method according to any preceding claim, wherein determining whether the file type is associated with the application comprises checking a look up table comprising a list of file types accessible by an application.
  16. A method according to claim 15, wherein the look up table is stored on a computer device.
  17. A method according to claim 15 wherein the look up table is defined by an enterprise policy device.
  18. A method according to claim 17, wherein the enterprise policy system is an active directory or a policy manager.
  19. A method according to any preceding claim, wherein the memory is part of a computer device, and wherein the computer device is part of a local computer network, and wherein the application is running on a processor located within the local computer network.
  20. A method according to any preceding claim, wherein, if the file is decrypted, it is decrypted on the fly.
  21. A method according to any preceding claim, wherein a message is generated and transmitted to a system administrator if the file is not decrypted.
  22. A non-transitory computer readable medium comprising computer readable code configured, when read by a computer, to carry out the method according to any preceding claim.
  23. A system for selectively decrypting encrypted files stored in a computer memory, the system comprising: a memory configured to store files; and a processor in electrical communication with the memory via a drive crypto, the processor configured to: allow applications to have controlled access to the files by way of the drive crypto, wherein each application is associated with one or more files; and when an application seeks to access a file via the drive crypto, determining whether a file type of the file is one of those associated with the application and using the result to control the drive crypto to selectively decrypt the file.
  24. A device for selectively decrypting encrypted files stored in a computer memory, the device comprising: a processor in electrical communication with a memory via a drive crypto, the processor configured to: allow applications to have controlled access to files stored on a memory by way of the drive crypto, wherein each application is associated with one or more files; and when an application seeks to access a file via the drive crypto, determining whether a file type of the file is one of those associated with the application and using the result to control the drive crypto to selectively decrypt the file.
  25. A method for selectively decrypting encrypted files stored in a computer memory, the method comprising: determining a file type of a file stored in the memory; determining an identity of an application requesting access to the file; determining whether the file is one that is associated with the application based on the file type and the identity of the application; determining a security parameter of the application; selectively decrypting the file based on whether the file is one that is associated with the application and the determined security parameter.
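
The checks recited in claims 9, 11 to 15 and 25 can be combined into a single decision function. The following is an added example, not code from the patent or from the applicant; the policy table, the paths, the binary contents and the choice to hash the binary image are constructed assumptions.

```python
import hashlib
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class AppEntry:
    image_path: str        # expected process image path (claim 14)
    sha1: str              # expected SHA-1 (claim 9); hashing the binary image is an assumption
    file_types: frozenset  # file extensions associated with the application (claim 15)


def sha1_hex(data: bytes) -> str:
    # SHA-1 as named in claim 9; hashlib.sha256 is a drop-in replacement here.
    return hashlib.sha1(data).hexdigest()


# Constructed sample data: stand-in binary contents and a one-row look-up table.
WORD_IMAGE = b"constructed stand-in for the word processor binary"
POLICY = {
    "winword.exe": AppEntry(
        image_path=r"C:\Program Files\Office\winword.exe",
        sha1=sha1_hex(WORD_IMAGE),
        file_types=frozenset({".doc", ".docx"}),
    ),
}


def should_decrypt(process_name, image_path, image_bytes, file_name, policy=POLICY):
    """Return (decrypt?, reason); the reason can feed the claim 21 administrator message."""
    entry = policy.get(process_name.lower())
    if entry is None:
        return False, "application not in look-up table"
    # A process name alone is easy to spoof, so also check where the image was loaded from.
    if ntpath.normcase(image_path) != ntpath.normcase(entry.image_path):
        return False, "image path mismatch"
    if sha1_hex(image_bytes) != entry.sha1:
        return False, "application hash mismatch"
    ext = ntpath.splitext(file_name)[1].lower()
    if ext not in entry.file_types:
        return False, "file type not associated with application"
    return True, "ok"
```

The function fails closed: a process that only reuses a listed name, a modified binary, or a listed application asking for an unlisted file type each leave the file encrypted.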
GB1217610.3A 2012-10-02 2012-10-02 Method of selectively decrypting encrypted files Withdrawn GB2506604A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1217610.3A GB2506604A (en) 2012-10-02 2012-10-02 Method of selectively decrypting encrypted files

Publications (2)

Publication Number Publication Date
GB201217610D0 (en) 2012-11-14
GB2506604A (en) 2014-04-09

Family

ID=47225548

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1217610.3A Withdrawn GB2506604A (en) 2012-10-02 2012-10-02 Method of selectively decrypting encrypted files

Country Status (1)

Country Link
GB (1) GB2506604A (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009095413A2 (en) * 2008-01-31 2009-08-06 International Business Machines Corporation Method and system for encrypted file access

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)