Patents by Inventor Francis McKeen

Francis McKeen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20060200680
    Abstract: In an embodiment of the present invention, a technique is provided for remote attestation. An interface maps a device via a bus to an address space of a chipset in a secure environment for an isolated execution mode. The secure environment is associated with an isolated memory area accessible by at least one processor. The at least one processor operates in one of a normal execution mode and the isolated execution mode. A communication storage corresponding to the address space allows the device to exchange security information with the at least one processor in the isolated execution mode in a remote attestation.
    Type: Application
    Filed: February 26, 2001
    Publication date: September 7, 2006
    Inventors: Carl Ellison, Roger Golliver, Howard Herbert, Derrick Lin, Francis McKeen, Gilbert Neiger, Ken Reneris, James Sutton, Shreekant Thakkar, Millind Mittal
  • Publication number: 20060099991
    Abstract: An approach for determining a type of credential card in a reader and, for some aspects, implementing a protection approach based on the determined type of credential card. For one aspect, an indication that a credential card has been received at a credential reader is received. In response, an instruction to be received by the credential card is provided, the instruction being recognizable by a first type of credential card, but not by a second type of credential card. The card is determined to be the first type of credential card if the response indicates that the instruction was recognized by the credential card. A protection policy may then be implemented for some aspects depending on the type of card detected.
    Type: Application
    Filed: November 10, 2004
    Publication date: May 11, 2006
    Inventors: Sundeep Bajikar, Francis McKeen, Kelan Silvester
  • Publication number: 20060075259
    Abstract: A method and system to exchange a private encryption key via a trusted path between a device and an application executed in a trusted platform of a computer system to generate a session key. In one embodiment, the session key is used to encrypt data to be exchanged via a non-trusted channel within the computer system.
    Type: Application
    Filed: October 29, 2004
    Publication date: April 6, 2006
    Inventors: Sundeep Bajikar, Francis McKeen, Kelan Silvester
  • Publication number: 20060015719
    Abstract: In one embodiment, a method of remote attestation for a special mode of operation. The method comprises storing an audit log within protected memory of a platform. The audit log is a listing of data representing each of a plurality of IsoX software modules loaded into the platform. The audit log is retrieved from the protected memory in response to receiving a remote attestation request from a remotely located platform. Then, the retrieved audit log is digitally signed to produce a digital signature for transfer to the remotely located platform.
    Type: Application
    Filed: August 12, 2005
    Publication date: January 19, 2006
    Inventors: Howard Herbert, David Grawrock, Carl Ellison, Roger Golliver, Derrick Lin, Francis McKeen, Gilbert Neiger, Ken Reneris, James Sutton, Shreekant Thakkar, Millind Mittal
  • Publication number: 20050288056
    Abstract: A computing system includes a wireless wide area network (WWAN) module and an identity module reader external to and accessible by the WWAN module to receive an identity card to provide credentials to be accessed by the WWAN module. A platform to test such a system includes a WWAN module, an identity module reader external to the WWAN module to receive an identity card storing credentials to be accessed by the WWAN module and an identity card interface component coupled to the WWAN module and identity module reader, the identity module interface component to substantially emulate an interface between the WWAN module and the identity module reader in a computing platform in which the WWAN module and identity module reader are to be implemented.
    Type: Application
    Filed: June 29, 2004
    Publication date: December 29, 2005
    Inventors: Sundeep Bajikar, Francis McKeen, Ramgopal K. Reddy, Kelan Silvester
  • Publication number: 20050283660
    Abstract: A platform and method for secure handling of events in an isolated execution environment. A processor executing in isolated execution “IsoX” mode may leak data when an event occurs as a result of the event being handled in a traditional manner based on the exception vector. By defining a class of events to be handled in IsoX mode, and switching between a normal memory map and an IsoX memory map dynamically in response to receipt of an event of the class, data security may be maintained in the face of such events.
    Type: Application
    Filed: July 21, 2005
    Publication date: December 22, 2005
    Inventors: Francis McKeen, Lawrence Smith, Benjamin Chaffin, Michael Cornaby, Bryant Bigbee
  • Publication number: 20050250472
    Abstract: A method for providing security to a computer system is described. Specifically, the computer periodically polls for a Bluetooth electronic device or other similar wireless electronic device. If the computer locates such a Bluetooth electronic device, the computer requests authentication from the Bluetooth electronic device. The user of the electronic device is given access to the computer system only if the computer recognizes the identification of the Bluetooth electronic device and is able to validate the authentication information provided by the Bluetooth electronic device through an encrypted channel.
    Type: Application
    Filed: May 4, 2004
    Publication date: November 10, 2005
    Inventors: Kelan Silvester, Francis McKeen, Sundeep Bajikar, Luke Girard
  • Publication number: 20050228993
    Abstract: A user-authentication sub-system and approach for user authentication. The user authentication sub-system of one aspect includes at least a first input mechanism to receive first multi-factor authentication data associated with Z authentication factors, a cryptographic engine to encrypt the first multi-factor authentication data, and a separated user authentication, non-volatile data store to store the encrypted first multi-factor authentication data. The sub-system further includes a processing unit to determine whether second authentication data received via the at least first input mechanism matches a subset of the first multi-factor authentication data, the second authentication data associated with N authentication factors where N is less than or equal to Z.
    Type: Application
    Filed: April 12, 2004
    Publication date: October 13, 2005
    Inventors: Kelan Silvester, Francis McKeen, Sundeep Bajikar, Luke Girard
  • Publication number: 20050188198
    Abstract: An example processing system comprises a processor to execute in an isolated execution mode in a ring 0 operating mode. The processor also supports one or more higher ring operating modes, as well as a normal execution mode. The processing system also comprises memory, as well as a machine-accessible medium having instructions. When the processing system executes the instructions, the processing system configures the processor to run in the isolated execution mode, configures the processing system to establish an isolated memory area in the memory, and loads initialization software into the isolated memory area. The processing system may provide a manifest that represents the initialization software. The initialization software may be verified, based at least in part on the manifest.
    Type: Application
    Filed: April 26, 2005
    Publication date: August 25, 2005
    Inventors: Carl Ellison, Roger Golliver, Howard Herbert, Derrick Lin, Francis McKeen, Gilbert Neiger, Ken Reneris, James Sutton, Shreekant Thakkar, Millind Mittal
  • Publication number: 20050138263
    Abstract: A function call is executed during execution of a program. In response, a return address of the call is saved in a first stack and in a second stack, allocated by the operating system. After the called function is executed, the return addresses stored in the first and second stack are compared to determine if they match.
    Type: Application
    Filed: December 23, 2003
    Publication date: June 23, 2005
    Inventor: Francis McKeen
  • Publication number: 20050138290
    Abstract: Embodiments of the present invention relate to selectively re-executing instructions in a computer processor based on their association with a particular cache miss.
    Type: Application
    Filed: December 23, 2003
    Publication date: June 23, 2005
    Inventors: Per Hammarlund, Avinash Sodani, James Allen, Ronak Singhal, Francis McKeen, Hermann Gartler
  • Publication number: 20050108534
    Abstract: An approach for providing services to an open platform implementing Subscriber Identity Module (SIM) capabilities without the need for a discrete, physical SIM device. For one aspect, a protected communications channel is established with a computing system, the computing system providing SIM Authentication, Authorization and Accounting (AAA) capabilities without the use of a discrete hardware SIM device. SIM secret data is provisioned to the computing system over the protected communications channel.
    Type: Application
    Filed: November 19, 2003
    Publication date: May 19, 2005
    Inventors: Sundeep Bajikar, Luke Girard, Ramgopal Reddy, Francis McKeen, Kelan Silvester
  • Publication number: 20050108171
    Abstract: An approach for providing Subscriber Identity Module (SIM) capabilities in an open platform without the need for a discrete, physical SIM device. For one aspect, a computing system provides for secure provisioning of SIM data and algorithms, for example, protected storage of SIM secret data objects, and protected execution of SIM algorithms that provide for Authentication, Authorization and Accounting (AAA) capabilities currently associated with discrete hardware SIM devices.
    Type: Application
    Filed: November 19, 2003
    Publication date: May 19, 2005
    Inventors: Sundeep Bajikar, Luke Girard, Ramgopal Reddy, Francis McKeen, Kelan Silvester
  • Publication number: 20050071614
    Abstract: A method and system for multiple branch paths in a microprocessor is described. The method includes assigning an identification number (ID) to each of a plurality of micro-operations (uops) to identify a branch path to which the uop belongs, determining whether one or more branches are predicted correctly, determining which of the one or more branch paths are dependent on a mispredicted branch, and determining whether one or more of the plurality of uops belong to a branch path that is dependent on a mispredicted branch based on their assigned IDs.
    Type: Application
    Filed: September 30, 2003
    Publication date: March 31, 2005
    Inventors: Stephan Jourdan, Per Hammarlund, Avinash Sodani, James Allen, Francis McKeen, Pierre Michaud
  • Publication number: 20050044292
    Abstract: In one embodiment, a method is provided. The method comprises encountering a function call instruction that calls a called function during program execution; saving a return address in a first stack and in a second stack, the return address containing an instruction to be executed after execution of the called function; executing the called function; and determining if the return address stored in the first stack matches the return address stored in the second stack.
    Type: Application
    Filed: August 19, 2003
    Publication date: February 24, 2005
    Inventor: Francis McKeen
  • Publication number: 20050039013
    Abstract: In one embodiment, the invention provides a method comprising storing user authentication information in a hardware structure of a computer system, the hardware structure including a security mechanism to protect the stored authentication information from unauthorized access, and authenticating a user of the computer system by comparing user input authentication information with the stored authentication information.
    Type: Application
    Filed: August 11, 2003
    Publication date: February 17, 2005
    Inventors: Sundeep Bajikar, Luke Girard, Kelan Silvester, Francis McKeen