Patents by Inventor Richard H. Boivie

Richard H. Boivie has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20190116164
    Abstract: A processor-implemented method for a secure processing environment for protecting sensitive information is provided. The processor-implemented method may include receiving encrypted data and routing the encrypted data to the secure processing environment. Then the encrypted data may be decrypted and fields containing sensitive information may be found. The method may also include obfuscating the sensitive information and returning, by the secure processing environment, the decrypted data and obfuscated data.
    Type: Application
    Filed: December 6, 2018
    Publication date: April 18, 2019
    Inventors: Richard H. Boivie, Alyson Comer, John C. Dayka, Donna N. Dillenberger, Kenneth A. Goldman, Mohit Kapur, Dimitrios Pendarakis, James A. Ruddy, Peter G. Sutton, Enriquillo Valdez
  • Publication number: 20190034666
    Abstract: Hardware based isolation for secure execution of virtual machines (VMs). At least one virtual machine is executed via operation of a hypervisor and an ultravisor. A first memory component is configured for access by the hypervisor and the ultravisor, and a second memory component is configured for access by the ultravisor and not by the hypervisor. A first mode of operation is operated, such that the virtual machine is executed using the hypervisor, wherein the first memory component is accessible to the virtual machine and the second memory component is not accessible to the virtual machine. A second mode of operation is operated, such that the virtual machine is executed using the ultravisor, wherein the first memory component and the second memory component are accessible to the virtual machine, thereby executing application code and operating system code using the second memory component without code changes.
    Type: Application
    Filed: July 27, 2017
    Publication date: January 31, 2019
    Inventors: Richard H. Boivie, Bradly G. Frey, William E. Hall, Benjamin Herrenschmidt, Guerney D. H. Hunt, Jentje Leenstra, Paul Mackerras, Cathy May, Albert J. Van Norstrand, Jr.
  • Patent number: 10158607
    Abstract: A processor-implemented method for a secure processing environment for protecting sensitive information is provided. The processor-implemented method may include receiving encrypted data and routing the encrypted data to the secure processing environment. Then the encrypted data may be decrypted and fields containing sensitive information may be found. The method may also include obfuscating the sensitive information and returning, by the secure processing environment, the decrypted data and obfuscated data.
    Type: Grant
    Filed: September 15, 2015
    Date of Patent: December 18, 2018
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Alyson Comer, John C. Dayka, Donna N. Dillenberger, Kenneth A. Goldman, Mohit Kapur, Dimitrios Pendarakis, James A. Ruddy, Peter G. Sutton, Enriquillo Valdez
  • Publication number: 20180181774
    Abstract: A private key of a public-private key pair with a corresponding identity is written to an integrated circuit including a processor, a non-volatile memory, and a cryptographic engine coupled to the processor and the non-volatile memory. The private key is written to the non-volatile memory. The integrated circuit is implemented in complementary metal-oxide semiconductor 14 nm or smaller technology. The integrated circuit is permanently modified, subsequent to the writing, such that further writing to the non-volatile memory is disabled and such that the private key can be read only by the cryptographic engine and not off-chip. Corresponding integrated circuits and wafers are also disclosed.
    Type: Application
    Filed: December 22, 2016
    Publication date: June 28, 2018
    Inventors: Richard H. Boivie, Eduard A. Cartier, Daniel J. Friedman, Kohji Hosokawa, Charanjit Jutla, Wanki Kim, Chandrasekara Kothandaraman, Chung Lam, Frank R. Libsch, Seiji Munetoh, Ramachandran Muralidhar, Vijay Narayanan, Dirk Pfeiffer, Devendra K. Sadana, Ghavam G. Shahidi, Robert L. Wisnieff
  • Patent number: 9954875
    Abstract: Protection from malware download is provided. A first input is received to access one of an email attachment or a web site link using an application. A newly generated secure virtual machine is obtained from one of a network server or a cloud computing service. The one of the email attachment or the web site link is sent to the newly generated secure virtual machine for processing.
    Type: Grant
    Filed: November 5, 2015
    Date of Patent: April 24, 2018
    Assignee: International Business Machines Corporation
    Inventor: Richard H. Boivie
  • Publication number: 20180103046
    Abstract: Protection from malware download is provided. A first input is received to access one of an email attachment or a web site link using an application. A newly generated secure virtual machine is obtained from one of a network server or a cloud computing service. The one of the email attachment or the web site link is sent to the newly generated secure virtual machine for processing.
    Type: Application
    Filed: December 11, 2017
    Publication date: April 12, 2018
    Inventor: Richard H. Boivie
  • Patent number: 9846789
    Abstract: An apparatus includes a memory to store a secure object comprising at least one of code and data that is encrypted when stored in the memory and a central processing unit (CPU) that is capable of executing an EnterSecureMode (esm) instruction that enables the decryption of the secure object's information when the secure object information is retrieved from the memory into the CPU. The CPU further comprises a feature to protect the secure object from code received from other software.
    Type: Grant
    Filed: September 6, 2011
    Date of Patent: December 19, 2017
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Dimitrios Pendarakis
  • Patent number: 9832199
    Abstract: A computer-implemented method, system, and/or computer program product protects access to hardware devices through use of a secure processor. A security computer receives a request from a requesting computer for access to a hardware device on a network. A secure processor within the security computer encrypts the request to generate an encrypted request, which is generated within a core of the secure processor. The secure processor protects a secure application that is used to process the request from other software on the secure processor. The security computer transmits the encrypted request to the hardware device, and then receives an encrypted acknowledgement of the encrypted request from a processor associated with the hardware device. The security computer then creates a communication session between the requesting computer and the hardware device.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: November 28, 2017
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Robert R. Friedlander, James R. Kraemer, Jeb R. Linton
  • Patent number: 9819653
    Abstract: A computer-implemented method, system, and/or computer program product protects access to resources through use of a secure processor. A resource server receives an encrypted request from a requesting computer for access to a requested resource within the resource server. The requested resource is physically within an isolation area in the resource server that is initially communicatively protected from a network that connects the requesting computer to the resource server. The resource server establishes a communication session between a first secure processor in the resource server and a second processor in the requesting computer to provide secure communication between the requesting computer and the requested resource.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: November 14, 2017
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Robert R. Friedlander, James R. Kraemer, Jeb R. Linton
  • Publication number: 20170134402
    Abstract: Protection from malware download is provided. A first input is received to access one of an email attachment or a web site link using an application. A newly generated secure virtual machine is obtained from one of a network server or a cloud computing service. The one of the email attachment or the web site link is sent to the newly generated secure virtual machine for processing.
    Type: Application
    Filed: November 5, 2015
    Publication date: May 11, 2017
    Inventor: Richard H. Boivie
  • Publication number: 20170093853
    Abstract: A computer-implemented method, system, and/or computer program product protects access to hardware devices through use of a secure processor. A security computer receives a request from a requesting computer for access to a hardware device on a network. A secure processor within the security computer encrypts the request to generate an encrypted request, which is generated within a core of the secure processor. The secure processor protects a secure application that is used to process the request from other software on the secure processor. The security computer transmits the encrypted request to the hardware device, and then receives an encrypted acknowledgement of the encrypted request from a processor associated with the hardware device. The security computer then creates a communication session between the requesting computer and the hardware device.
    Type: Application
    Filed: September 25, 2015
    Publication date: March 30, 2017
    Inventors: Richard H. Boivie, Robert R. Friedlander, James R. Kraemer, Jeb R. Linton
  • Publication number: 20170093804
    Abstract: A computer-implemented method, system, and/or computer program product protects access to resources through use of a secure processor. A resource server receives an encrypted request from a requesting computer for access to a requested resource within the resource server. The requested resource is physically within an isolation area in the resource server that is initially communicatively protected from a network that connects the requesting computer to the resource server. The resource server establishes a communication session between a first secure processor in the resource server and a second processor in the requesting computer to provide secure communication between the requesting computer and the requested resource.
    Type: Application
    Filed: September 25, 2015
    Publication date: March 30, 2017
    Inventors: Richard H. Boivie, Robert R. Friedlander, James R. Kraemer, Jeb R. Linton
  • Publication number: 20160364344
    Abstract: A method (and structure) protects confidentiality and integrity of information in a secure object from other software on the system. An object-id value that identifies software currently executing on a CPU (Central Processing Unit) is stored, the value having a predetermined standard value when software that is not a secure object is executing. Each block of information in the cache is associated with an ownership value that is used to store an identification of the software that owns the information in the block. When software attempts to access information in one of the blocks, the object-id of the currently executing software is compared with the ownership value associated with the block being accessed. Access to the block is allowed if the object-id of the currently executing software matches the ownership value of the block.
    Type: Application
    Filed: August 24, 2016
    Publication date: December 15, 2016
    Inventor: Richard H. Boivie
  • Patent number: 9516021
    Abstract: A smart card includes a processing circuit, a memory that contains a protected object, an activity detector that receives a signal that describes a planned activity of a person who is in physical possession of the smart card, and an activity analyzer that evaluates features of the planned activity. In response to the activity analyzer determining that a predefined risk associated with the planned activity exceeds a predetermined value, the activity analyzer issues an instruction to a user to provide a biomarker to a biosensor. A blending logic blends real-time biometric data with a security object to generate a hybrid security object. A conversion logic uses the hybrid security object to convert a protected object into a usable object that can be utilized by the processing circuit within the smart card. A matrix barcode generator generates a matrix barcode that contains information about the user of the smart card.
    Type: Grant
    Filed: November 19, 2015
    Date of Patent: December 6, 2016
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Robert R. Friedlander, James R. Kraemer, Jeb R. Linton
  • Patent number: 9477845
    Abstract: A method, system, and/or computer program product enables secure debugging of a software application. A first computer receives a secure software application from a second computer. Access to data used by the secure software application is protected by a security object, which allows a processor to access the data used by the secure software application without permitting data to exit unprotected from the processor. The first computer receives from the second computer an encrypted secure sidecar debugging application that is designed to debug the secure software application. In response to detecting an error in execution of the secure software application within the first computer, the first computer transmits the secure software application and the secure sidecar debugging application to the second computer, such that the second computer is enabled to decrypt the secure sidecar debugging application and to debug the secure software application.
    Type: Grant
    Filed: December 2, 2015
    Date of Patent: October 25, 2016
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Robert R. Friedlander, James R. Kraemer, Jeb R. Linton
  • Patent number: 9372967
    Abstract: A method and structure in a computer system, including a mechanism supporting a Secure Object that includes code and data that is cryptographically protected from other software on the computer system.
    Type: Grant
    Filed: August 7, 2014
    Date of Patent: June 21, 2016
    Assignee: International Business Machines Corporation
    Inventor: Richard H. Boivie
  • Publication number: 20160085992
    Abstract: A method, system, and/or computer program product enables secure debugging of a software application. A first computer receives a secure software application from a second computer. Access to data used by the secure software application is protected by a security object, which allows a processor to access the data used by the secure software application without permitting data to exit unprotected from the processor. The first computer receives from the second computer an encrypted secure sidecar debugging application that is designed to debug the secure software application. In response to detecting an error in execution of the secure software application within the first computer, the first computer transmits the secure software application and the secure sidecar debugging application to the second computer, such that the second computer is enabled to decrypt the secure sidecar debugging application and to debug the secure software application.
    Type: Application
    Filed: December 2, 2015
    Publication date: March 24, 2016
    Inventors: Richard H. Boivie, Robert R. Friedlander, James R. Kraemer, Jeb R. Linton
  • Publication number: 20160080370
    Abstract: A smart card includes a processing circuit, a memory that contains a protected object, an activity detector that receives a signal that describes a planned activity of a person who is in physical possession of the smart card, and an activity analyzer that evaluates features of the planned activity. In response to the activity analyzer determining that a predefined risk associated with the planned activity exceeds a predetermined value, the activity analyzer issues an instruction to a user to provide a biomarker to a biosensor. A blending logic blends real-time biometric data with a security object to generate a hybrid security object. A conversion logic uses the hybrid security object to convert a protected object into a usable object that can be utilized by the processing circuit within the smart card. A matrix barcode generator generates a matrix barcode that contains information about the user of the smart card.
    Type: Application
    Filed: November 19, 2015
    Publication date: March 17, 2016
    Inventors: Richard H. Boivie, Robert R. Friedlander, James R. Kraemer, Jeb R. Linton
  • Patent number: 9286103
    Abstract: A method and structure for a cloud service includes an API (application programming interface) as tangibly embodied in a set of computer-executable instructions and selectively executable on a computer on a network. The API provides a user interface for a cloud environment comprising one or more virtual machines to be selectively instantiated on at least one computer in the network upon a user request. A library is accessible via the API, the library providing definitions of components available to be instantiated in the cloud environment. The API automatically instantiates an image of a virtual network of components, as defined by a user input request and provides at least one cloud portal providing the user an access to exercise the instantiated virtual network image.
    Type: Grant
    Filed: April 21, 2012
    Date of Patent: March 15, 2016
    Assignee: International Business Machines Corporation
    Inventors: Arup Acharya, Richard H. Boivie, William Cornejo, Sean Donnellan
  • Patent number: 9251330
    Abstract: A smart card comprises: a processing circuit; a memory that contains a protected object; an activity detector that receives a signal that describes a planned activity of a person who is in physical possession of the smart card; and an activity analyzer that evaluates features of the planned activity. In response to the activity analyzer determining that a predefined risk associated with the planned activity exceeds a predetermined value, the activity analyzer: issues an instruction to the person who is in physical possession of the smart card to provide a biomarker to a biosensor that is physically contained within the smart card; and receives, from the biosensor, real-time biometric data for the person who is in physical possession of the smart card.
    Type: Grant
    Filed: April 9, 2014
    Date of Patent: February 2, 2016
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Robert R. Friedlander, James R. Kraemer, Jeb R. Linton