Abstract: In an example, a computing device is described. The computing device comprises a processor. The processor is to generate a key using a value as an input to generate the key. The processor is further to, in response to generating the key, exclude the value from future use as the input. The processor is further to store an indication of a subsequent value to use as the input to generate a subsequent key. The indication is cryptographically associated with an entity to control third-party access to the indication.

Abstract: In an example, a computing device is described. The computing device comprises a memory to store a set of states and a corresponding set of non-overlapping time intervals. The computing device further comprises a timing unit to indicate a time at which a signature is to be produced. The computing device further comprises a processor to: identify which time interval of the set of non-overlapping time intervals includes the indicated time; generate a signing key based on a state associated with the identified time interval; and produce a signature, under a stateful signature scheme, with the signing key.

Abstract: In an example, a computing device is described. The computing device comprises a communication interface and a processor. The processor is to determine whether a signature, produced by a signer, is derived from a free state under a stateful signature scheme. The free state is a state that has not been used as an input to generate a signing key. The signature is encrypted by the signer. The processor is further to, in response to determining that the signature is derived from a free state, decrypt the encrypted signature. The processor is further to transmit the decrypted signature to a recipient via the communication interface.

Abstract: In an example, a computing device is described. The computing device comprises an interface to receive a request from a signer for a state. The state is to be used as an input to generate a key under a stateful signature scheme. The computing device further comprises a processor. The processor is to identify an available state that the signer is authorized to use in response to the request received via the interface. The available state is identified from a set of states that can be used by the signer to maintain statefulness of the stateful signature scheme. The processor is further to instruct a reply to be sent to the signer via the interface. The reply comprises an indication of the state that the signer is authorized to use.

Abstract: A method for monitoring control-flow integrity in a low-level execution environment, the method comprising receiving, at a monitor, a message from the execution environment indicating that the execution environment has entered a controlled mode of operation, receiving, at the monitor, a data packet representing execution of a selected portion of a control-flow process at the execution environment, identifying, using the data packet, a pathway corresponding to the selected portion of the control-flow process from a set of permissible control-flow pathways and determining whether the identified pathway corresponds to an expected control-flow behaviour.

Abstract: There is described a method including obtaining memory management configuration data, for example, from a memory management unit. The memory management configuration data is used to identify memory locations having a predetermined property. Content is monitored at the identified memory locations.

Abstract: There is provided a method for thread allocation in a multi-processor computing system. The method includes determining whether a thread for execution has a security requirement. The thread is allocated to one of a first processing unit or a second processing unit based on the determination. The thread is allocated for execution by the first processing unit based on the thread having the security requirement.

Abstract: Examples associated with process verification are described. One example includes a process operating in a general operating environment of the system. From an isolated environment, a protection module modifies the behavior of the process by modifying data associated with the process while the process is in operation. The protection module verifies whether the behavior of the process has changed in accordance with the modification. The protection module takes a remedial action upon determining the process has been compromised.

Abstract: An intrusion detection system, comprising a monitor to receive messages from a target over a low-latency communication link comprising a controlled access memory structure logically positioned between the target and the monitor using point-to-point interconnects, the controlled access memory structure to receive a message from the target indicating that the target has entered a controlled mode of operation.

Abstract: Examples include an example computing system comprising a first storage to store executable code, wherein the executable code comprises a plurality of instructions, a second storage to store a first parameter of the executable code, a processing unit to execute each of the instructions of the code, and a monitoring component to, upon execution of each of the instructions of the code by the processing unit, update a second parameter of the code based on that instruction, wherein the monitoring component is to compare the first parameter and the second parameter, and to control execution of further executable code by the processing unit based on the comparison.

Abstract: A method for secure hardware initialization during a start-up process comprises activating a protected portion of a physical memory, allocating a part of the protected portion of the physical memory for use by direct memory access, DMA, drivers and non-DMA related hardware initialization instructions, and using a memory management tool, allocating a first part of the physical memory, accessible by a device via the memory management tool, for use by data.

Abstract: A method for monitoring control-flow integrity in a low-level execution environment, the method comprising receiving, at a monitor, a message from the execution environment indicating that the execution environment has entered a controlled mode of operation, receiving, at the monitor, a data packet representing execution of a selected portion of a control-flow process at the execution environment, identifying, using the data packet, a pathway corresponding to the selected portion of the control-flow process from a set of permissible control-flow pathways and determining whether the identified pathway corresponds to an expected control-flow behaviour.

Abstract: Examples herein disclose a processor-based computing system. The system comprises at least one processor, a non-volatile memory comprising a basic input output system (BIOS), wherein the BIOS creates a data structure and sets up at least one verification software component executed by the processor, a controller communicatively linked to the at least one verification software component, and a memory comprising a system management memory coupled to the at least one processor and code which is executable by the processor-based system to cause the processor to validate the BIOS during a runtime of the processor-based system using the at least one verification software component and the controller.

Abstract: A method for secure hardware initialization during a start-up process comprises activating a protected portion of a physical memory, allocating a part of the protected portion of the physical memory for use by direct memory access, DMA, drivers and non-DMA related hardware initialization instructions, and using a memory management tool, allocating a first part of the physical memory, accessible by a device via the memory management tool, for use by data.

Abstract: Examples associated with process verification are described. One example includes a process operating in a general operating environment of the system. From an isolated environment, a protection module modifies the behavior of the process by modifying data associated with the process while the process is in operation. The protection module verifies whether the behavior of the process has changed in accordance with the modification. The protection module takes a remedial action upon determining the process has been compromised.

Abstract: Examples associated with basic input/output system (BiOS) security are described. One example includes detecting a mismatch between an active BiOS setting and a saved BIOS setting. An update previously applied to the active BiOS setting is validated. The update Is applied to the saved BIOS setting creating an updated BIOS setting. The saved BIOS setting is updated when the updated BIOS setting and the active BIOS setting match. The saved BIOS setting is updated to the active BIOS setting. A security action is taken when the updated BiOS setting and the active BiOS setting differ.

Abstract: In one example, a system for a system management mode (SMM) privilege architecture includes a computing device comprising: a first portion of SMM instructions to set up a number of resources and implement a privilege architecture for the SMM of a computing device and a second portion of SMM instructions to execute a number of functions during the SMM of the computing device, wherein the privilege architecture assigns the first portion of SMM instructions to a first privilege level and assigns the second portion of SMM instructions to a second privilege level.

Abstract: An intrusion detection system, comprising a monitor to receive messages from a target over a low-latency communication link comprising a controlled access memory structure logically positioned between the target and the monitor using point-to-point interconnects, the controlled access memory structure to receive a message from the target indicating that the target has entered a controlled mode of operation.

Abstract: A bus between a requester and a target component includes a portion dedicated to carry information indicating a privilege level, from among a plurality of privilege levels, of machine-readable instructions executed on the requester.

Abstract: Example implementations relate to command source verification. An example device can include instructions executable to send a command via a predefined path to a predefined location within a memory resource storing instructions executable to verify a source of the command using a predefined protocol and execute the command in response to the source verification.