Abstract: Many electronic medical devices include program design features that direct the operation of the device. The program design features of most electronic medical devices reside in the device itself and therefore are easily discovered by reverse engineering. In most cases, however, these features can be introduced into the device from an external source for only so long as necessary for each operation of the device, thereby making the reverse engineering of these features more difficult (or even impossible) and preserving a greater degree of design secrecy.

Abstract: Various embodiments are generally directed to the provision and use of a secure enclave defined within a storage of a computing device by a processor element thereof to store executable instructions of an OTP component implementing logic to generate and use one-time passwords (OTPs) to enable access to services provided by another computing device. An apparatus includes a storage; a first processor element; and first logic to receive a one-time password (OTP) routine, store the OTP routine within a first secure enclave defined by the first processor element within the storage, obtain a measure of the contents of the first secure enclave with the OTP routine stored therein, transmit the first measure to a computing device, and receive an OTP seed. Other embodiments are described and claimed.

Abstract: A network device is configured to receive a request, from a device, for private information associated with a user of a user device, on behalf of another user device. The network device may authenticate the device, the user device, and the other user device. The network device may request and receive the user's authorization to send the private information to the other user device. The network device may generate and send a token used to request the private information. The network device may receive the token from the device, determine that the token is valid, and send the private information.

Abstract: A method and system for use with a public cloud network is disclosed, wherein the public cloud network includes at least one private cloud server and at least one smart client device in communication therewith. The method and system comprise setting up the at least one private cloud server and the at least one smart client device in a client server relationship. The at least one private cloud server includes a message box associated therewith. The first message box is located in the public network. The at least one smart client includes a second message box associated therewith. The second message box is located on the public network. The method includes passing session based message information between the at least one private cloud server and the at least one smart client device via the first message box and the second message box in a secure manner. The session base information is authenticated by the private cloud server and the at least one smart client device.

Abstract: Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determining whether to block the file from the client machine based on the result of the signature matching from the datacenter.

Abstract: Concepts and technologies disclosed herein are for detecting and managing unauthorized use of cloud computing services from within an internal network of a business or other organization. A computer system may be configured to identify a plurality of Web resources that have been accessed by computing devices from within the internal network. The computer system may also be configured to obtain Internet protocol (“IP”) information from a network component of the internal network. The IP information may be used to determine whether each of the plurality of Web resources is a cloud computing service resource. The computer system may also be configured to block access to a cloud computing service resource of the plurality of Web resources upon determining that the IP information identifies the cloud computing service resource as being unauthorized.

Abstract: Embodiments of the present invention provide a workload optimization approach that measures workload performance across combinations of hardware (platform, network configuration, storage configuration, etc.) and operating systems, and which provides a workload placement on the platforms where jobs perform most efficiently. This type of placement may be based on performance measurements (e.g., throughput, response, and other such service levels), but it can also be based on other factors such as power consumption or reliability. In a typical embodiment, ideal platforms are identified for handling workloads based on performance measurements and any applicable service level agreement (SLA) terms.

Abstract: In an embodiment, mobile application downloaded and installed in a mobile device is launched for the first time. The mobile application automatically locates a configuration server and connects automatically to the located configuration server. After connection is established with the configuration server, appropriate configuration parameters set is identified and automatically fetched to the mobile device. The fetched configuration parameters set is automatically applied to the mobile application. After applying the configuration parameters set, automatically authenticate the mobile application to an enterprise server. Thus, when the user of the mobile device launches the installed mobile application for the first time, the zero-step auto-customization noted above takes place without manual intervention. The user is thus able to use the mobile application in a normal manner subject to the configurations applied.

Abstract: Provided are a system and method for software obfuscation for transforming a program from a first form to more secure form that is resistant to static and dynamic attacks. The method utilizes a sophisticated pre-analysis step to comprehend the function-call structure, the function-call layout, and the entire function call graph of the program, in order to determine strategic points in the program for changing the program. This provides resistance to static attacks by transforming the original function-call layout to a new layout. Changing the layout may include changing the function boundaries. The method also provides resistance to static attacks by transforming the original function-call structure to a new structure to be able to self modify as the transformed program executes in memory. Changing the function-call structure may include modifying when and how functions are called, and/or choosing random paths of execution that lead to the same result.

Abstract: An apparatus, method, computer readable storage medium are provided in one or more examples and comprise accessing an application, identifying an access token of the application, determining if the access token is a system token, and responsive to the access token failing to be a system token, enabling a runtime module.

Abstract: A computing system of an authentication service provider receives a federated identity protocol request triggered by a relying party to validate a user. The federated identity protocol request includes a user identifier of an authenticated identity. The computing system searches mapping data stored in a data store that is coupled to the computing system to identify a type of virtual token associated with the user identifier and authenticates the user by requesting the identified type of virtual token from a user device and verifying a virtual token received from the user device using the mapping data. The computing system sends second-factor authentication results to the relying party via the federated identity protocol.

Abstract: A method and apparatus is provided for securely obtaining input from a touchscreen. A secure execution environment may be implemented (e.g., at a processor), where the secure execution environment may include a touchscreen driver. A keypad image may be sent from the secure execution environment to be displayed by a touchscreen. An input location may be received at the secure execution environment from the touchscreen driver. Such input location may be converted at the secure execution environment into a character, symbol, or a request to change the keypad image displayed at the touchscreen. In one implementation, the secure execution environment may further implement a display driver which sends the keypad image to the touchscreen. The secure execution environment may implement driver keypad image mapping function that maps the keypad image to a character set.

Abstract: Systems and techniques for preventing malicious instruction execution are described herein. A first instance of an instruction for a graphics processing unit (GPU) may be received. The instruction may be placed in a target list. A notification that the instruction caused a problem with the GPU may be received. The instruction may be moved from the target list to a black list in response to the notification. A second instance of the instruction may be received. The second instance of the instruction may be prevented from executing on the GPU in response to the instruction being on the black list.

Abstract: In one embodiment, a mobile device performs an over-the-air firmware update by writing the updated firmware to a inactive system image partition, and rebooting the device. The security of the OTA update is maintained through checking a plurality of security signatures in an OTA manifest, and the integrity of the data is maintained by checking a hash value of the downloaded system image.

Abstract: Technologies managing cross ring memory accesses by a device driver on a computing device includes configuring a memory page table associated with the device driver to disable cross ring memory accesses by the device driver, trapping attempted cross ring memory accesses by the device driver, and denying the attempted cross ring memory access if the device driver is determined to be malicious. If the device driver is determined not to be malicious, the memory page table is updated to allow the attempted cross ring memory access. The device driver may be analyzed to determine whether the device driver is malicious by comparing the device driver and the attempted cross ring memory access to security data, such as a device driver fingerprint and/or cross ring memory access heuristics, stored on the computing device.

Abstract: According to one embodiment, an IC card includes a communication unit, data memory, selector, and inheriting unit. The communication unit performs data communication with an external apparatus. The data memory stores files managed by a hierarchical. structure, a folder as an upper layer of the files, and information concerning the inheritance of a security status between a plurality of folders. If information indicating the inheritance of a security status from the first folder to the second folder exists, the inheriting unit inherits, even while the second file is selected, the security status established while the first folder is selected.

Abstract: Techniques for resource access authorization are described. In one or more implementations, an application identifier is used to control access to user resources by an application. A determination is made whether to allow the application to access the user resources by comparing an application identifier received from an authorization service with a system application identifier for the application obtained from a computing device on which the application is executing.

Abstract: A system and method for processing content access rights and/or entitlement rights are disclosed. A method, in one aspect, provides for receiving a selection of a content option, requesting access information associated with the selected content option, receiving access information comprising location information relating to a compatible format, requesting access rights from a first service associated with the location information, wherein the first service requests an access decision relating to the selected content option from a second service based upon the access rights, and receiving the access rights.

Abstract: A virtualization manager receives a permission request indicating a user and an entity in a virtual machine system. The virtualization manager flattens a permissions database to generate a flattened database view. Using the flattened database view, the virtualization manager determines whether the user has permission to access the entity in the virtual machine system and returns an indication of whether the user has permission to access the entity in the virtual machine system.

Abstract: A system, method, and apparatus for secure routing based on the physical location of routers are disclosed herein. The disclosed method for secure data transmission of at least one data packet through a plurality of network nodes involves defining a source network node, a destination network node, and at least one security constraint, which is based on the physical location of at least one of the network nodes. The method further involves comparing available network nodes with the security constraint(s) to determine which of the available network nodes meet the security constraint(s) and, thus, are qualified network nodes. Additionally, the method involves determining a route comprising at least one of the qualified network nodes to route the data packet(s) through from the source network node to the destination network node. Further, the method involves transmitting the data packet(s) through the route of the qualified network node(s).