Patents Examined by Michael S McNally
  • Patent number: 11443040
    Abstract: A method, computer program product, and a system where a secure interface control determines whether an instance of a secure guest image can execute based on metadata. The secure interface control (“SC”) obtains metadata linked to an image of a secure guest of an owner and managed by the hypervisor that includes control(s) that indicates whether the hypervisor is permitted to execute an instance of a secure guest generated with the image in the computing system based on system setting(s) in the computing system. The SC intercepts a command by the hypervisor to initiate the instance. The SC determines the presence or the absence of system setting(s) in the computing system. The SC determines if the hypervisor is permitted to execute the instance. If so, the SC enables initiation of the instance by the hypervisor. If not, the SC ignores the command.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: September 13, 2022
    Assignee: International Business Machines Corporation
    Inventors: Reinhard T. Buendgen, Jonathan D. Bradbury, Lisa Cranton Heller
  • Patent number: 11438159
    Abstract: Examples of the present disclosure describe systems and methods for monitoring the security privileges of a process. In aspects, when a process is created, the corresponding process security token and privilege information is detected and recorded. At subsequent “checkpoints,” the security token is evaluated to determine whether the security token has been replaced, or whether new or unexpected privileges have been granted to the created process. When a modification to the security token is determined, a warning or indication of the modification is generated and the process may be terminated to prevent the use of the modified security token.
    Type: Grant
    Filed: June 17, 2020
    Date of Patent: September 6, 2022
    Assignee: Webroot Inc.
    Inventors: Andrew Sandoval, Eric Klonowski
  • Patent number: 11436376
    Abstract: The present application provides example terminal chips. One example terminal chip includes a security element, an application processor, and an interface module configured to transfer information between the application processor and the security element. The terminal chip includes a first power interface configured to receive power outside the terminal chip. A first power input port of the security element is connected to the first power interface, and at least one of the application processor or the interface module is connected to the first power interface. In the example terminal chip, a power supply port of the security element is connected to a power supply port of the application processor or the interface module of the terminal chip.
    Type: Grant
    Filed: May 15, 2019
    Date of Patent: September 6, 2022
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Feifei Yin, Yu Liu, Jiayin Lu
  • Patent number: 11436873
    Abstract: A communication system includes a plurality of processors coupled with a network, each of the processors having a predefined encryption method for a communication with a server. Each of the processors is configured to determine a primary processor of the processors based on at least one of a processability of the processor, network distance to the processor, or cipher strengths, when the processor is not determined as the primary processor, transfer unencrypted communication data through the network to the primary processor, and when the processor is determined as the primary processor, perform an encryption of unencrypted communication data received, and an encrypted communication with the server by the encryption method of the primary processor.
    Type: Grant
    Filed: December 7, 2020
    Date of Patent: September 6, 2022
    Assignee: TOYOTA JIDOSHA KABUSHIKI KAISHA
    Inventor: Masashi Nakagawa
  • Patent number: 11429728
    Abstract: A vulnerability evaluation apparatus includes an input unit configured to input a source code of a program to be evaluated, information indicating assets which are desired to be preserved and an attack accomplishment condition where the assets are not preserved, information indicating an attack determination position at which whether the condition where the assets are not preserved is satisfied can be determined, and input information for the program, an input position designating unit configured to designate an input position indicating a position at which the input information for the program is input, an attack determination position designating unit configured to designate the attack determination position, and an attack path analyzing unit configured to analyze a path from the attack determination position to the input position and specify an attack path where the attack accomplishment condition is satisfied.
    Type: Grant
    Filed: October 19, 2020
    Date of Patent: August 30, 2022
    Assignee: YAZAKI CORPORATION
    Inventors: Yosuke Maekawa, Shigeki Sano, Hiroaki Saji, Yoichi Komatsu, Yutaro Enomoto
  • Patent number: 11431693
    Abstract: Systems, methods, and apparatuses for implementing super community and community sidechains with consent management for distributed ledger technologies in a cloud based computing environment are described herein.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: August 30, 2022
    Assignee: salesforce.com, inc.
    Inventor: Prithvi Krishnan Padmanabhan
  • Patent number: 11429802
    Abstract: Techniques are disclosed to obtain device posture of a third party managed device. In various embodiments, a unique identifier of the third party managed device is embedded in a registration communication sent from a third party managed device to an access node associated with a first party management entity. The registration communication is sent from the third party managed device to the access node. The access node is configured to store data associating the unique identifier with the third party managed device, and to use the unique identifier to obtain from the third party management entity device posture information for the third party managed device.
    Type: Grant
    Filed: September 12, 2019
    Date of Patent: August 30, 2022
    Assignee: MOBILEIRON, INC.
    Inventors: Suresh Kumar Batchu, Mohammad Aamir
  • Patent number: 11431696
    Abstract: Systems, methods, and apparatuses for implementing super community and community sidechains with consent management for distributed ledger technologies in a cloud based computing environment are described herein.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: August 30, 2022
    Assignee: salesforce.com, inc.
    Inventors: Prithvi Krishnan Padmanabhan, Sriram Gopalan, Venkata Sarath Maddali, Darpan Dhamija, Jyoti Raj
  • Patent number: 11418434
    Abstract: Methods, computer readable mediums, and systems for securing network traffic data. The method of securing network traffic data may include obtaining a network traffic data unit, that includes: a payload; forwarding information, that includes: a first forwarding portion; and a second forwarding portion that indicates a network tunnel; encryption type information; and encryption location information; analyzing a first segment of the first forwarding portion to obtain a first forwarding location; modifying the network traffic data unit, based on the encryption type information and the encryption location information, to obtain a modified network traffic data unit; and transmitting the modified network traffic data unit to the first forwarding location.
    Type: Grant
    Filed: October 1, 2019
    Date of Patent: August 16, 2022
    Assignee: Arista Networks, Inc.
    Inventors: Dipankar Bhatt Acharya, Hugh W. Holbrook, François Labonté, Sambath Kumar Balasubramanian
  • Patent number: 11411747
    Abstract: A device can include a plurality of regions, each region including a plurality of nonvolatile memory cells; a permission store configured to store a set of permission values, including at least one permission value for each region in a nonvolatile fashion; and access control circuits configured to control access to each region according to the permission value for the region, including one or more of requiring authentication to access the region, encrypting data read from the region, and decrypting data for storage in the region. Related methods and systems are also disclosed.
    Type: Grant
    Filed: December 14, 2020
    Date of Patent: August 9, 2022
    Assignee: Infineon Technologies LLC
    Inventors: Hans Van Antwerpen, Clifford Zitlaw, Stephan Rosner, Yoav Yogev, Sandeep Krishnegowda, Steven Wilson
  • Patent number: 11411993
    Abstract: Disclosed herein are methods, systems, and processes for dynamically deploying deception computing systems based on network environment lifecycle. Based on available lifecycle metadata associated with honeypots, a determination is made as to whether honeypot deployment criteria require maintaining a likelihood that a malicious attacker will target a given honeypot and/or preventing the malicious attacker from determining if a target is a protected host or the given honeypot. If a honeypot deployment criteria requires maintaining a likelihood that the malicious attacker will target the given honeypot, a ratio management operation is performed. In addition, if another honeypot deployment criteria requires preventing the malicious attacker from determining if the target is the protected host or the given honeypot, a host replacement operation is performed.
    Type: Grant
    Filed: March 17, 2021
    Date of Patent: August 9, 2022
    Assignee: Rapid7, Inc.
    Inventor: Thomas Eugene Sellers
  • Patent number: 11409848
    Abstract: Some embodiments are directed to a compiler device (400) arranged for obfuscation of a computer program. The compiler device performs a live variable analysis on the computer program representation, and modifies the computer program representation to encode a first variable using at least a second variable as an encoding parameter.
    Type: Grant
    Filed: July 5, 2019
    Date of Patent: August 9, 2022
    Assignee: Koninklijke Philips N.V.
    Inventors: Willem Charles Mallon, Alan Pestrin, Oscar Garcia-Morchon
  • Patent number: 11403371
    Abstract: Provided is a method for bypassing an analysis evasion technique, which includes: loading a dummy DEX file; parsing a dummy method containing a dummy code from the dummy DEX file; a bypass point identifying step of determining whether a function to be currently called is a bypass target function to which the analysis evasion technique is applied; a branch target point changing step of changing information according to the determination result so that the dummy code is executed instead of the call target function; and a dummy code executing step of transmitting the dummy code to a framework of the application, so that a modulated framework is executed with a bypass code.
    Type: Grant
    Filed: August 18, 2020
    Date of Patent: August 2, 2022
    Assignee: FOUNDATION OF SOONGSIL UNIVERSITY-INDUSTRY COOPERATION
    Inventors: Jeong Hyun Yi, Sunjun Lee
  • Patent number: 11403415
    Abstract: Embodiments of systems and methods for implementing data sovereignty safeguards in a distributed services network architecture are disclosed. Embodiments of a distributed services system may have a number of distributed nodes that each implements a set of services. When a user requests a service at a particular node of a distributed services system, the node is configured to determine if that node is not (or is) data sovereign for a region associated with the user. If the node is not data sovereign for the user's region, the user may be directed to a corresponding service at a node of the distributed service system that is data sovereign for the user's region.
    Type: Grant
    Filed: August 19, 2020
    Date of Patent: August 2, 2022
    Assignee: OPEN TEXT HOLDINGS, INC.
    Inventors: Richard D. Shriver, Edward T. Pieluc, Jr., Daniel J. McDonald, Hugh Beverly Appling, David Alan Hammaker, Zheng Sun
  • Patent number: 11403372
    Abstract: Systems, methods, and storage media for obfuscating a computer program by representing the control flow of the computer program as data that is not source code are disclosed. Exemplary implementations may: receive source code of a computer program; parse the source code; extract the control flow of the source code; represent at least a portion of the control flow as a control flow model using a mathematical modeling language; store the control flow model as control flow data that represents the control flow of the program and is not executable code; and remove the at least a portion of the control flow from the source code, to thereby obfuscate the control flow of the source code and render the source code more resistant to tampering.
    Type: Grant
    Filed: January 29, 2019
    Date of Patent: August 2, 2022
    Assignee: Irdeto Canada Corporation
    Inventors: Robert Durand, Andrew Hoyt
  • Patent number: 11397794
    Abstract: Computer systems and methods are disclosed to implement a role manager that automatically analyzes code accessing various resources to generate a role with the necessary resource permissions to execute the code. In embodiments, the role manager may be implemented as part of a workflow orchestration or resource provisioning system that employs code requiring access to different types of resources. In embodiments, the role manager may analyze a code segment to identify the different resources accessed by the code segment and the permissions needed for each access, and generate a role that has the needed permissions. In embodiments, the role manager may automatically manage these roles based on changes to associated code segments. Advantageously, the disclosed role manager removes the need to manually create roles needed by code segments ahead of time, and creates roles with minimal privileges required for the code, thereby simplifying achievement of system security.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: July 26, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Ali Baghani, Patrick MacLaine Compton, Andrew Katz, Gabriel Mastey, Adam Alexander Emerson Wong
  • Patent number: 11394690
    Abstract: A hypervisor receives an outbound network packet from a first virtual machine for secure communication with a second virtual machine, wherein the network packet includes source and destination logical network addresses, a first payload, and a network packet integrity value determined using a cryptographic session key for a current secure session between the first and second virtual machines. The hypervisor transforms the outbound network packet by replacing the logical network addresses with current physical network addresses and subsequently recalculating the network packet integrity value. The transformed outbound network packet is then transmitted onto a network for delivery to the second virtual machine.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: July 19, 2022
    Inventors: Bogdan Cosmin Chifor, Andrei Ion Bunghez
  • Patent number: 11392695
    Abstract: There is disclosed in one example a computer-implemented anti-ransomware method, including: selecting a file for inspection; assigning the file to a type class according to a file type identifier; receiving an expected byte correlation for the type class; computing, according to a byte distribution of the file, a byte correlation for the file; comparing, via statistical analysis, the byte correlation to the expected byte correlation; and determining that the file has been compromised, including determining that the file has a byte correlation that deviates from the expected byte correlation by more than a threshold, taking a ransomware remediation action for the file.
    Type: Grant
    Filed: October 5, 2020
    Date of Patent: July 19, 2022
    Assignee: McAfee, LLC
    Inventors: Kunal Mehta, Sherin Mary Mathews, Carl D. Woodward, Celeste R. Fralick, Jonathan B. King
  • Patent number: 11386050
    Abstract: Various embodiments of systems and methods allow a distributed database to be maintained to store records of activities that may promote purchasing a product and determine whether such promotions should be rewarded. Using anonymous identifiers and a permission-based system, identities of users, products, content, content distribution systems, and marketplaces can be made available only to parties with rights to know such identities. Furthermore, systems can be put in place so that activities with a certain product, content item, etc. can be monitored without ever disclosing the identity of the product, content item, etc. In some embodiments, the database can be an immutable, append-only, distributed database such as a blockchain ledger.
    Type: Grant
    Filed: August 26, 2020
    Date of Patent: July 12, 2022
    Assignee: A9.COM, INC.
    Inventor: Satayan Mahajan
  • Patent number: 11388180
    Abstract: A container intrusion detection and prevention system includes a memory, a physical processor in communication with the memory, and an image scanner executing on the physical processor. The image scanner scans an image of a container in a container image registry. The container includes an application. The image scanner creates an image tag of the container and a set of generic rules for the container. The image scanner packages the image tag of the container with the set of generic rules to form a tuple and stores the tuple in an application rule registry.
    Type: Grant
    Filed: December 3, 2020
    Date of Patent: July 12, 2022
    Assignee: Red Hat, Inc.
    Inventors: Huamin Chen, Jay Vyas