Abstract: An enclave manager of a network enclave obtains a request to retrieve configuration information and state information corresponding to compute devices and network devices comprising a network enclave. The request specifies a set of parameters of the configuration information and the state information usable to generate a response to the request. The enclave manager evaluates the compute devices, the network devices, and network connections among these devices within the network enclave to obtain the configuration information and the state information. Based on the configuration information and the state information, the enclave manager determines whether the network enclave is trustworthy. Based on the parameters of the request, the enclave manager generates a response indicating a summary that is used to identify the trustworthiness of the network enclave.

Abstract: An enclave manager of a network enclave obtains a request to retrieve configuration information and state information corresponding to compute devices and network devices comprising a network enclave. The request specifies a set of parameters of the configuration information and the state information usable to generate a response to the request. The enclave manager evaluates the compute devices, the network devices, and network connections among these devices within the network enclave to obtain the configuration information and the state information. Based on the configuration information and the state information, the enclave manager determines whether the network enclave is trustworthy. Based on the parameters of the request, the enclave manager generates a response indicating a summary that is used to identify the trustworthiness of the network enclave.

Abstract: Techniques for devices in autonomous systems to utilize a protocol, such as a Border Gateway Protocol (BGP), to signal intent to instantiate services for establishing connections between the devices. For instance, first device(s) in a first autonomous system (AS) may determine to establish a connection with a second AS. The first device(s) may encode a service key into an Internet Protocol (IP) address where the service key indicates a service that is to be provisioned on second device(s) in the second AS. The first device(s) system may then advertise the IP address host-route using BGP, and the second device(s) may receive the BGP advertisement. The second device(s) may decode the service key from the IP address, and provision the service to establish the connection between the autonomous systems. Thus, the devices in may leverage existing protocols to signal intent to instantiate services and establish connections between autonomous systems.

Abstract: A methodology for requesting at least one signed security measurement from at least one module is provided. The methodology includes receiving the at least one signed security measurement from the at least one module; validating the at least one signed security measurement; generating a signed dossier including all validated signed security measurements in a secure enclave, the signed dossier being used by an external network device for remote attestation of the device.

Abstract: An enclave manager of a network enclave obtains a request to retrieve configuration information and state information corresponding to compute devices and network devices comprising a network enclave. The request specifies a set of parameters of the configuration information and the state information usable to generate a response to the request. The enclave manager evaluates the compute devices, the network devices, and network connections among these devices within the network enclave to obtain the configuration information and the state information. Based on the configuration information and the state information, the enclave manager determines whether the network enclave is trustworthy. Based on the parameters of the request, the enclave manager generates a response indicating a summary that is used to identify the trustworthiness of the network enclave.

Abstract: An enclave manager of a network enclave obtains a request to retrieve configuration information and state information corresponding to compute devices and network devices comprising a network enclave. The request specifies a set of parameters of the configuration information and the state information usable to generate a response to the request. The enclave manager evaluates the compute devices, the network devices, and network connections among these devices within the network enclave to obtain the configuration information and the state information. Based on the configuration information and the state information, the enclave manager determines whether the network enclave is trustworthy. Based on the parameters of the request, the enclave manager generates a response indicating a summary that is used to identify the trustworthiness of the network enclave.

Abstract: A methodology for requesting at least one signed security measurement from at least one module is provided. The methodology includes receiving the at least one signed security measurement from the at least one module; validating the at least one signed security measurement; generating a signed dossier including all validated signed security measurements in a secure enclave, the signed dossier being used by an external network device for remote attestation of the device.

Abstract: A methodology for requesting at least one signed security measurement from at least one module with a corresponding cryptoprocessor is provided. The methodology includes receiving the at least one signed security measurement from the at least one module with the corresponding cryptoprocessor; validating the at least one signed security measurement; generating a signed dossier including all validated signed security measurements in a secure enclave, the signed dossier being used by an external network device for remote attestation of the device.

Abstract: An enclave manager of a network enclave obtains a request to retrieve configuration information and state information corresponding to compute devices and network devices comprising a network enclave. The request specifies a set of parameters of the configuration information and the state information usable to generate a response to the request. The enclave manager evaluates the compute devices, the network devices, and network connections among these devices within the network enclave to obtain the configuration information and the state information. Based on the configuration information and the state information, the enclave manager determines whether the network enclave is trustworthy. Based on the parameters of the request, the enclave manager generates a response indicating a summary that is used to identify the trustworthiness of the network enclave.

Abstract: In general, embodiments of the invention relate managing the interaction of applications with one or more file systems and/or data managed by the file systems. More specifically, embodiments of the invention relate to providing applications with access to an overlay file system (OFS) and then servicing OFS operations using a file system module and one or more underlay file systems (UFSes) that are not directly accessible to the applications.

Abstract: The present technology discloses systems, methods, and computer-readable media for requesting at least one signed security measurement from at least one module with a corresponding cryptoprocessor, the at least one module existing within a device; receiving the at least one signed security measurement from the at least one module with the corresponding cryptoprocessor; validating the at least one signed security measurement; generating a signed dossier including all validated signed security measurements in a secure enclave, the signed dossier being used by an external network device for remote attestation of the device.

Abstract: A method and system for deploying applications. The method includes deploying an application image of an application to a computing device, where the application is accessible using a first uniform resource locator (URL). The method also includes sending an application creation message to an authoritative domain name system (DNS) server to create a record mapping the first URL to a second URL. The first URL is in a first domain and the second URL is in a second domain. The method further includes providing, to the computing device, a digital certificate associated with the application. The method further includes generating certificate data using the digital certificate and sending, to a remote application server, the second URL and certificate data. A client software module may establish a connection to the application on the computing device using the second URL and the certificate data.

Abstract: A first system manager operating on a first node of a distributed routing system, receives data indicating a current state of the distributed routing system. The first system manager may determine, based at least in part on the current state of the distributed routing system and a set of rules for an application, an updated state of the distributed routing system. Furthermore, the first node may send the updated state of the distributed routing system to a second node of the distributed routing system. Responsive to receiving the updated state of the distributed routing system, a second system manager on the second node may modify a state of the second node. Modifying the state of the second node may comprise at least one of: starting the application on the second node, stopping the application on the second node, or modifying a state of the application on the second node.

Abstract: A method for logging events of computing devices. The method includes receiving, by a management service, a log event message from a computing device. The log event message includes a log event associated fingerprint. The method further includes reconstructing, by the management service, an object corresponding to the log event associated fingerprint and reconstructing, by the management service, at least one parent object of the object corresponding to the log event associated fingerprint. The method also includes gathering, by the management service, configuration information from the object corresponding to the log event associated fingerprint, and from the at least one parent object.

Abstract: A method and system for verifying integrity of computing devices. The method includes providing a first integrity associated with a server executing on a computing device to a management service, and receiving, in response to providing the first integrity measurement, a first mutual attestation value from the management service. The method further includes providing a second integrity associated with a network adaptor executing on a computing device to a management service, and receiving, in response to providing the second integrity measurement, a second mutual attestation value from the management service. The method further includes performing a mutual attestation between the server and the network adaptor using the first mutual attestation value and the second mutual attestation value, and notifying the management service that the mutual attestation has been successfully completed.

Abstract: A method and system for configuring computing devices. The method includes receiving, by a computing device, a first cache list object from a management service. The method also includes comparing the first cache list object to a second cache list object on the computing device, and based on the comparing, identifying a first object fingerprint that is present in the first cache list object and that is not present in the second cache list object. The method further includes obtaining, from a location that is external to the computing device, a first object corresponding to the first object fingerprint; and updating a configuration of the computing device using the first object.

Abstract: A method and system for key management. The method includes receiving, by a control domain on a server, a request for a tenant key, and obtaining an authorization secret from a management service, where the management service is external to the server. The method further includes, in response to the request, decrypting, after obtaining the authorization secret, an encrypted platform master key to obtain a platform master key, decrypting an encrypted tenant key to obtain the tenant key using the platform master key, and providing the tenant key to an entity that issued the request.

Abstract: A method and system for authenticating applications. The method includes receiving, by a service virtual machine (SVM), a secret from a management service. The SVM is executing on a computing device. The method also includes providing, by the SVM, the secret to an application executing on an application virtual machine (AVM). The AVM is executing on the computing device. The method further includes providing, by the application, the secret to a remote application server in order for the remote application server to authenticate the application.

Abstract: In general, embodiments of the invention relate to a method and system for managing network access for applications. More specifically, embodiments of the invention provide mock Internet Protocol (IP) addresses to the applications, where the applications may use the mock IP addresses to communicate with other systems (e.g., other computing devices, the management service, or any other system that is accessible via the network). Each mock IP address may be associated with one or more policies, where the policies dictate how packets that includes the mock IP address are processed. In one or more embodiments of the invention, the mock IP addresses may be used to maintain a class of service (CoS) between applications executing on the computing devices and an application service provider (ASP).

Abstract: A method and system for accessing local resources. The method includes intercepting, by a proxy, a request from an application to access a local resource, where the application is executing in an application virtual machine (AVM) on a computing device and where the proxy is executing on a service virtual machine (SVM) on the computing device. The method further includes replacing, by the proxy, a placeholder credential in the request with a local resource credential to obtain a second request. The method also includes sending, by the proxy, the second request to the local resource, receiving, by the proxy, a response to the second request from the local resource, and providing the response to the application.