Patents Examined by Ghazal B Shehni
  • Patent number: 11251966
    Abstract: Disclosed herein are computer-implemented methods; computer-implemented systems; and non-transitory, computer-readable media, for sending cross-chain messages. One computer-implemented method includes storing, through consensus of blockchain nodes of a first blockchain network, an authenticable message (AM) associated with a first account to a blockchain associated with the first blockchain network, where the AM comprises an identifier of the first blockchain network, information of the first account, information of a recipient of the AM, and content of the AM. The AM and location information is transmitted to a relay to be forwarded to the recipient located outside of the first blockchain network, where the location information identifies a location of the AM in the blockchain and the recipient includes one or more accounts outside of the first blockchain network.
    Type: Grant
    Filed: February 10, 2020
    Date of Patent: February 15, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Honglin Qiu
  • Patent number: 11250122
    Abstract: According to an embodiment, an information processing apparatus includes one or more processors. The one or more processors are configured to acquire a program identifier of a computer program disposed on a memory and serving as an execution target; read a calculation result corresponding to the acquired program identifier from a storage; and verify whether the computer program serving as the execution target is permitted to be executed, on the basis of the read calculation result and a white list.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: February 15, 2022
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Jun Kanai, Shinya Takumi, Yoshikazu Hanatani, Naoki Ogura
  • Patent number: 11216591
    Abstract: Apparatus and associated methods relate to authenticating a back-to-front-built configuration image. In an illustrative example, a circuit may include memory configured to store a signature S, a second hash H2, and a first data chunk C1. Signature S may be signed on a first hash H1. H1 may be the hash for H2 and C1. If signature S passes verification, a hash engine may perform hash functions on C1 and H2 to generate a hash H1′. H1′ may be compared with H1 to indicate whether C1 has been tampered with or not. By using the incremental authentication, a signature that appears at the beginning of the image may be extended to the entire image while only using a small internal buffer. Advantageously, internal buffer may only need to store two hashes Hi, Hi+1, and a data chunk Ci, or, a signature S, a hash Hi, and a data chunk Ci.
    Type: Grant
    Filed: June 12, 2019
    Date of Patent: January 4, 2022
    Assignee: XILINX, INC.
    Inventors: Felix Burton, Krishna C. Patakamuri, James D. Wesselkamper
  • Patent number: 11210411
    Abstract: Examples of a data transmission method and apparatus in TEE systems are described. One example of the method includes: obtaining first data; obtaining a write offset address by reading a first address; obtaining a read offset address by reading a second address; determining whether the number of bytes in the first data is less than or equal to the number of writable bytes, where the number of writable bytes is determined based on the write offset address and the read offset address, and each address corresponds to one byte; when the number of bytes in the first data is less than or equal to the number of writable bytes, writing the first data into third addresses starting from the write offset address; and updating the write offset address in the first address.
    Type: Grant
    Filed: May 10, 2021
    Date of Patent: December 28, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Qi Liu, Boran Zhao, Ying Yan, Changzheng Wei
  • Patent number: 11204881
    Abstract: Technology for decrypting and using a security module in a processor cache in a secure mode such that dynamic address translation prevents access to portions of the volatile memory outside of a secret store in a volatile memory.
    Type: Grant
    Filed: November 27, 2019
    Date of Patent: December 21, 2021
    Assignee: International Business Machines Corporation
    Inventors: Angel Nunez Mencias, Jakob C. Lang, Martin Recktenwald, Ulrich Mayer
  • Patent number: 11206268
    Abstract: An account lifecycle management system is provided. The system includes a discovery engine configured to discover and identify an account. The system further includes a policy engine configured to identify privileged access data granted to the account identified by the discovery engine. The system further includes a data modeling engine configured to associate the identified privileged access data with organizational information. The system further includes a remediation engine configured to remediate the account based on the associated privileged access data.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: December 21, 2021
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Christopher Festa, Jody Spearing
  • Patent number: 11194934
    Abstract: A new computational machine is invented, called a clock machine, that is a novel alternative to computing machines (digital computers) based on logic gates. In an embodiment, computation is performed with one or more clock machines that use time. In an embodiment, a cryptographic cipher is implemented with random clock machines, constructed from a non-deterministic process, wherein the compiled set of instructions (i.e., the implementation of the cryptographic procedure) is distinct on each device or chip that executes the cryptographic cipher. In an embodiment, by using a different set of clock machines to execute two different instances of the same cryptographic procedure, each execution of a procedure looks different to malware that may try to infect and subvert the cryptographic procedure. This cryptographic process also makes timing attacks more challenging. In an embodiment, a detailed implementation of the Midori cipher with random clock machines is described.
    Type: Grant
    Filed: December 2, 2019
    Date of Patent: December 7, 2021
    Assignee: Aemea Inc.
    Inventor: Michael Stephen Fiske
  • Patent number: 11194903
    Abstract: A computing device can install and execute a security agent that interacts with a remote security system as part of a detection loop aimed at detecting malicious attacks. The remote security system can receive observed activity patterns from the security agents associated with the computing devices. The remote security system can filter the observed activity patterns to identify “interesting” activity patterns, or activity patterns presenting indications of an attack, including any cross-machine activity. If a first host device is flagged for further threat analysis based on its filtered activity patterns, and at least one of the filtered activity patterns includes remotely accessing a second host device, then the second host device may also be flagged for further threat analysis.
    Type: Grant
    Filed: February 5, 2019
    Date of Patent: December 7, 2021
    Assignee: Crowd Strike, Inc.
    Inventors: Paul Edwards, Jaron Bradley, John Lee
  • Patent number: 11190510
    Abstract: A method for authenticating radio access network devices is disclosed, comprising: authenticating, at a coordination server, a base station in a radio access network using a first authentication factor; selecting, following successful authentication of the base station using the first authentication factor, a challenge question based on historical information of the base station stored within a database; sending, from the coordination server to the base station, a request containing the challenge question to further authenticate the base station based on the historical information of the base station; receiving, from the base station at the coordination server, a response to the challenge question; verifying, at the coordination server, the correctness of the response using a key derived from the historical information; and granting the base station access to a core network of a mobile operator, thereby addressing security issues unsolved by one-factor authentication.
    Type: Grant
    Filed: November 15, 2018
    Date of Patent: November 30, 2021
    Assignee: Parallel Wireless, Inc.
    Inventors: Jitender Arora, Yang Cao, Steven Paul Papa
  • Patent number: 11188680
    Abstract: An approach is disclosed for building a study cohort by collecting information related to a plurality of people according to a collection request from a user. An authority of the request from the user is validated and if validated, a file policy associated with each file containing personal data is checked to verify a type of processing consented by the corresponding individual for their data. The data is transformed, and information copied related to the plurality of people according to the collection request, the request assessment, the consent information as part of each file's metadata, and the privacy legal framework. The privacy legal framework is enforced by the OS and may be based on source files wherein each source file has a source file consent permission to form copied content. The copied content is used to process the collection request.
    Type: Grant
    Filed: September 20, 2019
    Date of Patent: November 30, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Aris Gkoulalas-Divanis, Corville O. Allen
  • Patent number: 11184363
    Abstract: Embodiments described herein are directed to securing network-based compute resources. The foregoing may be achieved by determining a tag representative of non-malicious network addresses. The tag is determined by analyzing network data traffic received by a plurality of compute resources. Machine-learning based techniques may be used to automatically classify each network address that communicates with a particular compute resource as being malicious or non-malicious. Determined non-malicious network addresses for a particular compute resource are automatically associated with a tag. The tag is used to configure a firewall application to prevent access to a corresponding compute resource by malicious network addresses not represented by the tag. The number of non-malicious network addresses associated with a tag may be expanded by clustering compute resources having a similar set of network addresses that communicate therewith.
    Type: Grant
    Filed: December 31, 2018
    Date of Patent: November 23, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Mathias Abraham Marc Scherman, Ben Kliger, Evan Clarke Smith
  • Patent number: 11165593
    Abstract: A method includes receiving a first message from a device via a network. The method includes determining a device type of the device. In response to determining that the device type satisfies a criterion, sending a second message granting the device limited access to the network subject to a first restriction level that limits bandwidth usage by the device to a first consumption threshold and sending a network access request to a second device associated with an operator of the access point. The method includes receiving a response to the network access request from the second device. The method also includes, responsive to the response indicating to grant the device access to the network subject to a second restriction level, allowing the device access to the network subject to the second restriction level, where the second restriction level limits bandwidth usage by the device to a second consumption threshold that is greater than the first consumption threshold.
    Type: Grant
    Filed: July 12, 2019
    Date of Patent: November 2, 2021
    Assignees: AT&T INTELLECTUAL PROPERTY I, L.P., AT&T MOBILITY II LLC
    Inventors: Morgan D. Woxland, Jonathan Davis
  • Patent number: 11163871
    Abstract: In scenarios where I/O ports of an IHS are not secured, malicious actors may exploit such I/O ports when a user of the IHS is unaware. Embodiments provide techniques for securing access to I/O ports of an IHS based on the context of the IHS, which includes the user context and the system context of the IHS. Upon initialization of the IHS, access to the I/O ports is configured based on a boot context policy. The operating system is booted and use of the IHS proceeds. Modifications to an IHS context are detected. Based on a policy applicable to the modified IHS context, modified access to the I/O ports is configured. In embodiments where the IHS is a convertible laptop, a system context may include the posture in which the system is physically configured. A user context may include whether a user is detected in proximity to the IHS.
    Type: Grant
    Filed: May 2, 2019
    Date of Patent: November 2, 2021
    Assignee: Dell Products, L.P.
    Inventors: Vivek Viswanathan Iyer, Daniel L. Hamlin, Minhaj Ahmed
  • Patent number: 11165808
    Abstract: Disclosed are various approaches to automate vulnerability assessment and implement policy-based mitigation. A plurality of vulnerability records from respective ones of a plurality of vulnerability feeds are aggregated. Each of the plurality of vulnerability records are stored in a standardized format. A plurality of enterprise-specific severity scores are generated by calculating an enterprise-specific severity score for each of the plurality of vulnerability records. Then, a web page can be created that includes at least a subset of the plurality of enterprise-specific severity scores and respective ones of the plurality of vulnerability records.
    Type: Grant
    Filed: January 16, 2019
    Date of Patent: November 2, 2021
    Assignee: VMware, Inc.
    Inventors: Varun Murthy, Jason Roszak, Blake Ryan Watts, Matthew Conover, Arvind Ahuja
  • Patent number: 11163701
    Abstract: In one embodiment, an apparatus includes a core to execute instructions, where in response to a first instruction, the core is to obtain an encrypted binary of a requester from a source location and store the encrypted binary to a destination location. The apparatus may further include a memory execution circuit coupled to the core that, in response to a request from the core and based on the first instruction, is to generate at least one integrity value for the binary and store the at least one integrity value in association with the binary.
    Type: Grant
    Filed: November 15, 2018
    Date of Patent: November 2, 2021
    Assignee: Intel Corporation
    Inventors: Siddhartha Chhabra, David M. Durham
  • Patent number: 11157626
    Abstract: A system for establishing and maintaining a bi-directional chain of trust includes a root of trust (RoT) executing a root trusted server that can establish a trusted relationship between the RoT and a given node, and monitor the given node to ensure that the given node executes trusted operations and to ensure that authenticated code and static data for the given node are unchanged. The given node can include a trusted server that can monitor another node to ensure that the other node executes trusted operations and to ensure that authenticated code and static data for the other node are unchanged. The other node can include a trusted server that can monitor the given node to ensure that the given node executes trusted operations and to ensure that the authenticated code and static data for the given node are unchanged based on maintenance information received for the given node.
    Type: Grant
    Filed: May 29, 2019
    Date of Patent: October 26, 2021
    Assignee: NORTHROP GRUMMAN SYSTEMS CORPORATION
    Inventors: Steven D. Ratts, Brian J. Noe, Francis B. Afinidad
  • Patent number: 11157612
    Abstract: To detect tampering in secure computation while maintaining confidentiality with a little communication traffic. A random number generation part (11) generates $[\vec{r}_i]$, $[\vec{s}_i]$. A random number multiplication part (12) computes $[\vec{t}_i] := [\vec{r}_i \vec{s}_i]$. A secret multiplication part (13) computes $[\vec{z}] := [\vec{x} \vec{y}]$. A random number verification part (14) discloses a $p_{i,j}$-th element of each of $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$ and confirms whether the element has integrity as multiplication. A random number substitution part (15) randomly substitutes elements in each of $[\vec{r}_i]$, $[\vec{s}_i]$, $[\vec{t}_i]$ except for the $p_{i,j}$-th element to generate $[\vec{r}'_i]$, $[\vec{s}'_i]$, $[\vec{t}'_i]$.
    Type: Grant
    Filed: May 11, 2018
    Date of Patent: October 26, 2021
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventor: Dai Ikarashi
  • Patent number: 11146583
    Abstract: The presently disclosed technology provides a threat-specific network risk evaluation tailored to a client's security objectives. The present technology may include identifying a plurality of threats to a first component of a networked system and assigning a plurality of weighting values to the plurality of threats according to the client's security objectives. The present technology may include identifying a plurality of vulnerabilities of the first component and determining a set of relevant threats for the first vulnerability based on the nature of the vulnerability and the weighting values assigned to the plurality of threats. The set of relevant threats includes one or more of the plurality of threats. The present technology may include determining a set of relevant threats for each of the identified vulnerabilities of the first component and calculating a risk of the first component based on the sets of the relevant threats.
    Type: Grant
    Filed: May 1, 2019
    Date of Patent: October 12, 2021
    Assignees: QATAR FOUNDATION FOR EDUCATION, SCIENCE AND COMMUNITY DEVELOPMENT, QATAR UNIVERSITY
    Inventors: Armstrong Nhlabatsi, Jin Hong, Dong Seong Kim, Rachael Fernandez, Alaa Hussein, Noora Fetais, Khaled M. Khan
  • Patent number: 11144675
    Abstract: In particular embodiments, a sensitive data management system is configured to remove sensitive data after a period of non-use. Credentials used to access remote systems and/or third-party systems are stored with metadata that is updated with each use of the credentials. After a period of non-use, determined based on credential metadata, the credentials are deleted. Personal data retrieved to process a consumer request is stored with metadata that is updated with each use of the personal data. After a period of non-use, determined based on personal data metadata, the personal data is deleted. The personal data is also deleted if the system determines that the process or system that caused the personal data to be retrieved is no longer in use. An encrypted version of personal data may be stored for later use in verifying proper consumer request fulfillment.
    Type: Grant
    Filed: March 11, 2021
    Date of Patent: October 12, 2021
    Assignee: OneTrust, LLC
    Inventors: Jonathan Blake Brannon, Kevin Jones, Saravanan Pitchaimani, Jeremy Turk
  • Patent number: 11140134
    Abstract: Verification system and methods are provided for allowing database server responses to be verified. A proxy device may maintain a data structure (e.g., a Merkle B+-tree) within a secure memory space (e.g., an Intel SGX enclave) associated with a protected application. In some embodiments, the data structure may comprise hashed values representing hashed versions of the data managed by the database server. The proxy may intercept client requests submitted from a client device and forward such requests to the database server. Responses from the database server may be verified using the data structure (e.g., the hashes contained in the Merkle B+-tree). If the data is verified by the proxy device, the response may be transmitted to the client device.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: October 5, 2021
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Rohit Sinha, Mihai Christodorescu