Abstract: A root-of-trust of geolocation is provided for an apparatus that includes a trust anchor module with a cryptographic processor and a secure memory. The apparatus further includes a main processor coupled to the trust anchor module and configured to receive a digital geolocation certificate, the geolocation certificate including information identifying the apparatus, information regarding a physical location of the apparatus, information identifying an authorized entity that has verified the physical location of the apparatus, and a digital signature of the authorized entity. The main processor is further configured to cause the trust anchor module to store the digital geolocation certificate in the secure memory such that the digital geolocation certificate is cryptographically bound to the apparatus. The trust anchor module may also include, or otherwise communicate over a secure channel with, a movement sensor associated with the apparatus.

Abstract: A plurality of pages of code executing via a container host operating system are monitored. The plurality of pages of code include pages of code from a plurality of container applications configured to utilize the container host operating system. A determination is made that a page of code of the plurality of pages of code violates a security policy configured to apply security within the container host operating system. A container application of the plurality of container applications is identified as a source of the page of code of the plurality of pages of code. The security policy is applied to the container application of the plurality of container applications in response to identifying the container application of the plurality of container applications as the source of the page of code.

Abstract: A plurality of pages of code executing via a container host operating system are monitored. The plurality of pages of code include pages of code from a plurality of container applications configured to utilize the container host operating system. A determination is made that a page of code of the plurality of pages of code violates a security policy configured to apply security within the container host operating system. A container application of the plurality of container applications is identified as a source of the page of code of the plurality of pages of code. The security policy is applied to the container application of the plurality of container applications in response to identifying the container application of the plurality of container applications as the source of the page of code.

Abstract: A root-of-trust of geolocation is provided for an apparatus that includes a trust anchor module with a cryptographic processor and a secure memory. The apparatus further includes a main processor coupled to the trust anchor module and configured to receive a digital geolocation certificate, the geolocation certificate including information identifying the apparatus, information regarding a physical location of the apparatus, information identifying an authorized entity that has verified the physical location of the apparatus, and a digital signature of the authorized entity. The main processor is further configured to cause the trust anchor module to store the digital geolocation certificate in the secure memory such that the digital geolocation certificate is cryptographically bound to the apparatus. The trust anchor module may also include, or otherwise communicate over a secure channel with, a movement sensor associated with the apparatus.

Abstract: Techniques are presented herein for attesting the trustworthiness of devices in a secure network during run-time operation. A security management device is configured to perform network trust attestation operations in order to generate an access control policy that defines access rights for a device in a network. The access control policy is assured by creating a hash value for the access control policy and then signing the hash value to generate a signed hash value. The signed hash value is integrated with the access control policy, and the access control policy is sent with the signed hash value to the operator device for verification.

Abstract: Techniques are presented herein for attesting the trustworthiness of devices in a secure network during run-time operation. A security management device is configured to perform network trust attestation operations in order to generate an access control policy that defines access rights for a device in a network. The access control policy is assured by creating a hash value for the access control policy and then signing the hash value to generate a signed hash value. The signed hash value is integrated with the access control policy, and the access control policy is sent with the signed hash value to the operator device for verification.

Abstract: A system for monitoring congestion at processors includes queues and a congestion monitor. The queues receive packets, and each queue is associated with a processor. For each queue, the congestion monitor establishes whether a time-averaged occupancy of a queue exceeds a time-averaged occupancy threshold. The congestion monitor provides a notification if the time-averaged occupancy exceeds the time-averaged occupancy threshold.

Abstract: Controlling a transmission rate of packet traffic includes receiving packets from a network processor. The packets are stored in a buffer associated with a processor. If an occupancy level of the buffer is greater than a predetermined threshold, it is determined that the processor is congested. A message is transmitted to the network processor indicating the processor is congested.

Abstract: Controlling a transmission rate of packet traffic includes receiving packets from a network processor. The packets are stored in a buffer associated with a processor. If an occupancy level of the buffer is greater than a predetermined threshold, it is determined that the processor is congested. A message is transmitted to the network processor indicating the processor is congested.

Abstract: A system for monitoring congestion at processors includes queues and a congestion monitor. The queues receive packets, and each queue is associated with a processor. For each queue, the congestion monitor establishes whether a time-averaged occupancy of a queue exceeds a time-averaged occupancy threshold. The congestion monitor provides a notification if the time-averaged occupancy exceeds the time-averaged occupancy threshold.