Patents by Inventor Rosario Cammarota

Rosario Cammarota has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20180091551
    Abstract: Techniques for establishing one or more end-to-end secure channels in a data center are provided. A method according to these techniques includes obtaining, at a secure module (SM) associated with a virtual machine (VM) operating on a node of the data center, a VM-specific signature key for the VM from a Hardware Security Module (HSM), and performing a cryptographic signing operation at the SM associated with establishing an end-to-end secure channel between the VM and another networked entity using the VM-specific signature key responsive to a request from the VM.
    Type: Application
    Filed: September 27, 2016
    Publication date: March 29, 2018
    Inventors: Anand PALANIGOUNDER, Rosario CAMMAROTA, Darren LASKO
  • Publication number: 20180048632
    Abstract: Methods, systems, and devices for wireless communication are described for precursory client configuration for network access. A configurator station (STA) may receive, from a key management device, an identity key of a client STA and may receive, from the client STA, a network configuration probe that includes a first cryptographic value based at least in part on the identity key and a request for network access. The configurator STA may apply a cryptographic function to the identity key to generate a second cryptographic value. The configurator STA may configure the client STA to access a network based at least in part on a match between the first cryptographic value and the second cryptographic value.
    Type: Application
    Filed: August 12, 2016
    Publication date: February 15, 2018
    Inventors: Rosario Cammarota, Olivier Jean Benoit, Peerapol Tinnakornsrisuphap
  • Publication number: 20180046808
    Abstract: Techniques for preventing side-channel attacks on a cache are provided. A method according to these techniques includes executing a software instruction indicating that a portion of software requiring data protection is about to be executed, setting the cache to operate in a randomized mode to de-correlate cache timing and cache miss behavior from data being processed by the portion of software requiring data protection responsive to the instruction indicating that the portion of software requiring data protection is about to be executed, executing the portion of software requiring data protection, storing the data being processed by the portion of software requiring data protection, and setting the cache to operate in a standard operating mode responsive to an instruction indicating that execution of the portion of software requiring data protection has completed.
    Type: Application
    Filed: August 11, 2016
    Publication date: February 15, 2018
    Inventors: Rosario CAMMAROTA, Roberto AVANZI, Ramesh Chandra CHAUHAN, Harold Wade CAIN, III, Darren LASKO
  • Patent number: 9892269
    Abstract: Techniques for mitigating the transitive data problem using a secure asset manager are provided. These techniques include generating a secure asset manager compliant application by tagging source code for the application with a data tag to indicate that a data element associated with the source code is a sensitive data element, accessing a policy file comprising transitive rules associated with the sensitive data element, and generating one or more object files for the application from the source code. These techniques also include storing a sensitive data element in a secure memory region managed by a secure asset manager, and managing the sensitive data element according to a policy associated with the sensitive data element by an application from which the sensitive data element originates, the policy defining transitive rules associated with the sensitive data element.
    Type: Grant
    Filed: June 11, 2015
    Date of Patent: February 13, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Michael J. T. Chan, Lu Xiao, Rosario Cammarota, Olivier Jean Benoit, Saurabh Sabnis, Yin Ling Liong, Manish Mohan
  • Patent number: 9875378
    Abstract: Techniques for encrypting the data in the memory of a computing device are provided. An example method for protecting data in a memory according to the disclosure includes encrypting data associated with a store request using a memory encryption device of the processor to produce encrypted data. Encrypting the data includes: obtaining a challenge value, providing the challenge value to a physically unclonable function module to obtain a response value, and encrypting the data associated with the store request using the response value as an encryption key to generate the encrypted data. The method also includes storing the encrypted data and the challenge value associated with the encrypted data in the memory.
    Type: Grant
    Filed: June 12, 2015
    Date of Patent: January 23, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Olivier Jean Benoit, Rosario Cammarota
  • Patent number: 9760737
    Abstract: Techniques for protecting data in a processor are provided. An example method according to these techniques includes performing one or more operations on encrypted data using one or more functional units of a data path of the processor to generate an encrypted result. Performing the one or more operations includes: receiving at least one encrypted parameter pair at a functional unit, each encrypted parameter pair comprising an encrypted parameter value and a challenge value associated with the encrypted parameter value, the encrypted parameter being encrypted using a homomorphic encryption technique, the challenge value being used to recover a key used to encrypt the encrypted parameter value, and performing a mathematical computation on the at least one encrypted parameter. The method also includes outputting the encrypted result.
    Type: Grant
    Filed: June 12, 2015
    Date of Patent: September 12, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Rosario Cammarota, Olivier Jean Benoit
  • Patent number: 9735953
    Abstract: A distributed technique for implementing a cryptographic process performs operations in parallel on both valid and irrelevant data to prevent differentiation of the operations based on an encryption key content. A control entity switches or points valid data to appropriate CPU(s) that are responsible for operations such as squaring or multiplying. Irrelevant data is also switched or pointed to appropriate CPU(s) that execute operations in parallel with the CPU(s) operating on the valid data. The distributed technique contributes to obscuring side channel analysis phenomena from observation, such that cryptographic operations cannot easily be tied to the content of the encryption key.
    Type: Grant
    Filed: March 6, 2015
    Date of Patent: August 15, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Olivier Jean Benoit, Rosario Cammarota
  • Publication number: 20170208079
    Abstract: Methods and system for detecting anomalous behavior in a home network is performed by an access point. The access point passively monitors, within the home network, network traffic corresponding to each of a number of devices associated with it, without an approval from any of the number of devices. In another aspect, the access point passively monitors, within the home network, individual traffic flows between the access point and the number of devices associated with it. The access point then compares, for each of the devices, one or more characteristics of the corresponding network traffic or the individual traffic flows with a baseline model of network behavior and identifies which of the number of devices is associated with anomalous behavior based on the comparison.
    Type: Application
    Filed: June 15, 2016
    Publication date: July 20, 2017
    Inventors: Rosario Cammarota, Peerapol Tinnakornsrisuphap
  • Publication number: 20170134390
    Abstract: Techniques for mitigating the transitive data problem using a secure asset manager are provided. These techniques include generating a secure asset manager compliant application by tagging source code for the application with a data tag to indicate that a data element associated with the source code is a sensitive data element, accessing a policy file comprising transitive rules associated with the sensitive data element, and generating one or more object files for the application from the source code. These techniques also include storing a sensitive data element in a secure memory region managed by a secure asset manager, and managing the sensitive data element according to a policy associated with the sensitive data element by an application from which the sensitive data element originates, the policy defining transitive rules associated with the sensitive data element.
    Type: Application
    Filed: January 13, 2017
    Publication date: May 11, 2017
    Inventors: Michael J.T. CHAN, Lu XIAO, Rosario CAMMAROTA, Olivier Jean BENOIT, Saurabh SABNIS, Yin Ling LIONG, Manish MOHAN
  • Patent number: 9626155
    Abstract: In one example, a device for recommending an optimization strategy for software includes a memory storing data for a sparse matrix including empty cells and non-empty cells, wherein non-empty cells of the sparse matrix represent ratings for optimization strategies previously applied to programs, and one or more hardware-based processors configured to predict values for empty cells of a sparse matrix, fill the empty cells with the predicted values to produce a complete matrix, determine, for a current program that was not included in the programs of the sparse matrix, a recommended optimization strategy that yields a highest rating from the complete matrix, and provide an indication of the recommended optimization strategy.
    Type: Grant
    Filed: April 28, 2015
    Date of Patent: April 18, 2017
    Assignee: QUALCOMM Incorporated
    Inventor: Rosario Cammarota
  • Publication number: 20170085542
    Abstract: In an aspect, a method for protecting software includes obtaining a payload including at least one of instructions or data, establishing a realm in a memory device, encrypting the payload based on an ephemeral encryption key (EEK) associated with the realm, and storing the encrypted payload in the realm of the memory device. In another aspect, a method for protecting software includes receiving a memory transaction associated with the memory device, the memory transaction including at least a realm identifier (RID) and a realm indicator bit, obtaining the EEK associated with the RID when the RID indicates the realm and when the realm indicator bit is enabled, decrypting an instruction and/or data retrieved from the realm based on the EEK when the memory transaction is a read transaction, and encrypting second data for storage in the realm based on the EEK when the memory transaction is a write transaction.
    Type: Application
    Filed: February 25, 2016
    Publication date: March 23, 2017
    Inventors: Roberto Avanzi, David Hartley, Rosario Cammarota
  • Publication number: 20170083355
    Abstract: Aspects of the disclosure are related to a method, apparatus, and system for dynamic register virtualization, comprising: detecting a subroutine call; generating a register virtualization mapping for the subroutine call; applying the register virtualization mapping to instructions within the subroutine call; detecting a return of the subroutine call; and stopping the register virtualization mapping for the subroutine call at the return of the subroutine call.
    Type: Application
    Filed: September 22, 2015
    Publication date: March 23, 2017
    Inventors: Olivier Jean Benoit, Rosario Cammarota
  • Publication number: 20170085540
    Abstract: A method includes: decrypting, in a device, a first subset of encrypted data using a cryptographic device key associated with the device to produce first plain text, where a set of encrypted data comprises the first subset of encrypted data and a second subset of encrypted data, and where the first subset of encrypted data and the second subset of encrypted data each contain less encrypted data than the set of encrypted data and are different from each other; decrypting, in the device, the second subset of encrypted data using the cryptographic device key to produce second plain text; encrypting, in the device, the first plain text using a first ephemeral key to produce first re-encrypted data; and encrypting, in the device, the second plain text using a second ephemeral key to produce second re-encrypted data, the second ephemeral key being different from the first ephemeral key.
    Type: Application
    Filed: September 22, 2015
    Publication date: March 23, 2017
    Inventors: Roberto AVANZI, Rosario CAMMAROTA, Ron KEIDAR
  • Publication number: 20170075820
    Abstract: Techniques for protecting software in a computing device are provided. A method according to these techniques includes receiving a request from a non-secure software module to execute an instruction of a secure software module comprising encrypted program code, determining whether the instruction comprises an instruction associated with a controlled point of entry to the secure software module accessible outside of the secure software module, executing one or more instructions of the secure software module responsive to the instruction comprising an instruction associated with the controlled point of entry to the secure software module, and controlling exit from the secure software module to return execution to the non-secure software module.
    Type: Application
    Filed: August 9, 2016
    Publication date: March 16, 2017
    Inventors: David HARTLEY, Roberto AVANZI, Rosario CAMMAROTA
  • Publication number: 20170017576
    Abstract: Aspects include computing devices, systems, and methods for implementing generating a cache memory configuration. A server may apply machine learning to context data. The server may determine a cache memory configuration relating to the context data for a cache memory of a computing device and predict execution of an application on the computing device. Aspects include computing devices, systems, and methods for implementing configuring a cache memory of the computing device. The computing device may classify a plurality of cache memory configurations, related to a predicted application execution, based on at least a hardware data threshold and a first hardware data. The computing device may select a first cache memory configuration from the plurality of cache memory configurations in response to the first cache memory configuration being classified for the first hardware data, and configuring the cache memory at runtime based on the first cache memory configuration.
    Type: Application
    Filed: July 16, 2015
    Publication date: January 19, 2017
    Inventors: Rosario Cammarota, Kishore Yalamanchili, Amin Ansari, Amrit Kumar Panda, Rodolfo Giacomo Beraha
  • Publication number: 20170010982
    Abstract: In an aspect, a cache memory device receives a request to read an instruction or data associated with a memory device. The request includes a first realm identifier and a realm indicator bit, where the first realm identifier enables identification of a realm that includes one or more selected regions in the memory device. The cache memory device determines whether the first realm identifier matches a second realm identifier in a cache tag when the instruction or data is stored in the cache memory device, where the instruction or data stored in the cache memory device has been decrypted based on an ephemeral encryption key associated with the second realm identifier when the first realm identifier indicates the realm and when the realm indicator bit is enabled. The cache memory device transmits the instruction or data when the first realm identifier matches the second realm identifier.
    Type: Application
    Filed: March 15, 2016
    Publication date: January 12, 2017
    Inventors: Roberto Avanzi, David Hartley, Rosario Cammarota
  • Publication number: 20160364583
    Abstract: Techniques for encrypting the data in the memory of a computing device are provided. An example method for protecting data in a memory according to the disclosure includes encrypting data associated with a store request using a memory encryption device of the processor to produce encrypted data. Encrypting the data includes: obtaining a challenge value, providing the challenge value to a physically unclonable function module to obtain a response value, and encrypting the data associated with the store request using the response value as an encryption key to generate the encrypted data. The method also includes storing the encrypted data and the challenge value associated with the encrypted data in the memory.
    Type: Application
    Filed: June 12, 2015
    Publication date: December 15, 2016
    Inventors: Olivier Jean BENOIT, Rosario CAMMAROTA
  • Publication number: 20160364582
    Abstract: Techniques for protecting data in a processor are provided. An example method according to these techniques includes performing one or more operations on encrypted data using one or more functional units of a data path of the processor to generate an encrypted result. Performing the one or more operations includes: receiving at least one encrypted parameter pair at a functional unit, each encrypted parameter pair comprising an encrypted parameter value and a challenge value associated with the encrypted parameter value, the encrypted parameter being encrypted using a homomorphic encryption technique, the challenge value being used to recover a key used to encrypt the encrypted parameter value, and performing a mathematical computation on the at least one encrypted parameter. The method also includes outputting the encrypted result.
    Type: Application
    Filed: June 12, 2015
    Publication date: December 15, 2016
    Inventors: Rosario CAMMAROTA, Olivier Jean BENOIT
  • Publication number: 20160364573
    Abstract: Techniques for mitigating the transitive data problem using a secure asset manager are provided. These techniques include generating a secure asset manager compliant application by tagging source code for the application with a data tag to indicate that a data element associated with the source code is a sensitive data element, accessing a policy file comprising transitive rules associated with the sensitive data element, and generating one or more object files for the application from the source code. These techniques also include storing a sensitive data element in a secure memory region managed by a secure asset manager, and managing the sensitive data element according to a policy associated with the sensitive data element by an application from which the sensitive data element originates, the policy defining transitive rules associated with the sensitive data element.
    Type: Application
    Filed: June 11, 2015
    Publication date: December 15, 2016
    Inventors: Michael J.T. CHAN, Lu XIAO, Rosario CAMMAROTA, Olivier Jean BENOIT, Saurabh SABNIS, Yin Ling LIONG, Manish MOHAN
  • Publication number: 20160321032
    Abstract: In one example, a device for recommending an optimization strategy for software includes a memory storing data for a sparse matrix including empty cells and non-empty cells, wherein non-empty cells of the sparse matrix represent ratings for optimization strategies previously applied to programs, and one or more hardware-based processors configured to predict values for empty cells of a sparse matrix, fill the empty cells with the predicted values to produce a complete matrix, determine, for a current program that was not included in the programs of the sparse matrix, a recommended optimization strategy that yields a highest rating from the complete matrix, and provide an indication of the recommended optimization strategy.
    Type: Application
    Filed: April 28, 2015
    Publication date: November 3, 2016
    Inventor: Rosario Cammarota