Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.

Abstract: Aspects of the present disclosure include methods, systems, and non-transitory computer readable media for identifying a first sector proximal to a reader and a second sector proximal to the reader, receiving one or more parameters associated with at least one of a minimum sector count setting, an opposite sector threshold setting, or a suppression threshold setting, applying, to the reader, the one or more parameters associated with the at least one of the minimum sector count setting, the opposite sector threshold setting, or the suppression threshold setting, and detecting a tag based on the one or more parameters.

Abstract: A system comprising a hosting service configured to perform: providing, to a trusted entity on a central processing unit, a command for a launch of a virtual machine (VM); assigning, to the VM, at least a portion of memory for the guest operating system; submitting, to the trusted entity, a request to measure an address space of the VM to provide a measurement digest of the address space of the guest operating system; including, in a configuration object, a policy provided by the user for the service logic, wherein the policy defines one or more rules for the service logic, wherein the one or more rules include at least one rule for which containers may run in the guest operating system; hashing the policy to provide a hash digest of the policy; submitting, to the trusted entity, the hash digest of the policy; and completing the launch of the VM.

Abstract: A computer system has a separation mechanism which enforces separation between at least two execution environments such that one execution environment is a gatekeeper which interposes on all communications of the other execution environment. The computer system has an attestation mechanism which enables the gatekeeper to attest to properties of the at least two execution environments. A first one of the execution environments runs application specific code which may contain security vulnerabilities. The gatekeeper is configured to enforce an input output policy on the first execution environment by interposing on all communication to and from the first execution environment by forwarding, modifying or dropping individual ones of the communications according to the policy. The gatekeeper provides evidence of attestation both for the application specific code and the policy.

Abstract: Aspects of the present disclosure include methods, systems, and non-transitory computer readable media for identifying a first sector proximal to a reader and a second sector proximal to the reader, receiving one or more parameters associated with at least one of a minimum sector count setting, an opposite sector threshold setting, or a suppression threshold setting, applying, to the reader, the one or more parameters associated with the at least one of the minimum sector count setting, the opposite sector threshold setting, or the suppression threshold setting, and detecting a tag based on the one or more parameters.

Abstract: An abstract enclave identity is presented. An abstract identity may be a secure identity that may be the same for multiple related, but not identical, enclave instantiations. An enclave identity value may be determined from an abstract enclave identity type with respect to a instantiated enclave. Various enclave operations may be performed with an abstract identity, such as sealing data to an abstract identity, incrementing a monotonic counter, making trusted time measurement.

Abstract: Techniques for implementing a key vault as an enclave are presented. The techniques include securely storing, in a key vault enclave, a key for an encryption system according to a key use policy; sending an vault attestation report of a key vault enclave to a vault client; and performing an operation in the key vault enclave with the key. Some embodiments further include receiving, at the key vault enclave, a client attestation report of the vault client wherein the vault client and key vault enclave are hosted on different native enclave platforms.

Abstract: A nested enclave identity is presented. A nested identity is indicative of one or more possible enclave instantiations according to one or more identity types. Enclave identities may be nested such that a lower level identity type corresponds to a subset of the possible enclave instantiations that a higher level identity type corresponds to. Techniques disclosed include instantiating an enclave with a nested identity at a software interface to an enclave platform, and performing an operation related to the instantiated enclave using the nested identity.

Abstract: An abstract enclave identity is presented. An abstract identity may be a secure identity that may be the same for multiple related, but not identical, enclave instantiations. An enclave identity value may be determined from an abstract enclave identity type with respect to a instantiated enclave. Various enclave operations may be performed with an abstract identity, such as sealing data to an abstract identity, incrementing a monotonic counter, making trusted time measurement.

Abstract: The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a first node is endorsed. During endorsement of a first node, a pre-determined type of blockchain or other security protocol code to be authorized and a pre-determined membership list are stored in a trusted execution environment (TEE) of the first node. A determination is made as to whether the membership lists and pre-determined blockchain or other security protocol code to be authorized from the proposed members match. If so, TEE attestation is used to verify that nodes associated with prospective members of the consortium store the pre-determined type of blockchain or other security protocol code to be authorized. Upon TEE attestation being successful, a consortium network is bootstrapped such that the prospective members become members of the consortium network.

Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.

Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.

Abstract: Techniques for instantiating an enclave from dependent enclave images are presented. The techniques include identifying a first set of dependent enclave indicators from a primary enclave image, identifying a first dependent enclave image corresponding to one of the first set of dependent enclave indicators, creating a secure enclave container, and copying at least a portion of the primary enclave image and at least a portion of the first dependent enclave image into the secure enclave container.

Abstract: A database transaction is executed in a computer of a system of networked computers having secure processing enclaves. Within the secure processing enclave, a database transaction log record for the executed database transaction is generated and cryptographically secured using a private key held in secure storage of the secure processing enclave. A state of the distributed database is recorded in a series of transaction log records which is replicated in distributed computer storage accessible to the networked computers. Consensus messages are transmitted and received via secure communication links between the secure processing enclaves of the networked computers, to incorporate the database transaction log record into the series of transaction log records in accordance with a distributed consensus protocol, which is implemented based on consensus protocol logic held within the secure processing enclave.

Abstract: Techniques for securely sealing and unsealing enclave data across platforms are presented. Enclave data from a source enclave hosted on a first computer may be securely sealed to a sealing enclave on a second computer, and may further be securely unsealed for a destination enclave on a third computer. Securely transferring an enclave workload from one computer to another is disclosed.

Abstract: Techniques for securely sealing and unsealing enclave data across platforms are presented. Enclave data from a source enclave hosted on a first computer may be securely sealed to a sealing enclave on a second computer, and may further be securely unsealed for a destination enclave on a third computer. Securely transferring an enclave workload from one computer to another is disclosed.

Abstract: A computer system has a separation mechanism which enforces separation between at least two execution environments such that one execution environment is a gatekeeper which interposes on all communications of the other execution environment. The computer system has an attestation mechanism which enables the gatekeeper to attest to properties of the at least two execution environments. A first one of the execution environments runs application specific code which may contain security vulnerabilities. The gatekeeper is configured to enforce an input output policy on the first execution environment by interposing on all communication to and from the first execution environment by forwarding, modifying or dropping individual ones of the communications according to the policy. The gatekeeper provides evidence of attestation both for the application specific code and the policy.

Abstract: Abstraction programming models of enclave security platforms are described, including receiving a request from an enclave according to an enclave abstraction protocol, converting the request into a native enclave protocol, and sending the converted request to a native platform. The request may be, for example: to create an attestation report, to seal data to the enclave, a request to call a function in a client of the enclave, read a monotonic counter, to take a trusted time measurement, or to allocate memory that is shared with both the enclave and the enclave client.

Abstract: Abstraction programming models of enclave security platforms are described, including receiving a request from an enclave client according to a client abstraction protocol, converting the request into a native enclave protocol, and sending the converted request to a native platform. The request may be, for example: a request to instantiate an enclave, verify an attestation report of an enclave, a request to call into an enclave, or a request to allocate memory that is shared with both the enclave and the enclave client.

Abstract: The present invention relates to a method for producing a bag in the interior space of a container and for testing said bag, and to a system for this purpose, to a computer program product for execution, and to the use of the system for the methods.