Patents by Inventor Yaacov Fenster

Yaacov Fenster has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240137346
    Abstract: Method for distributing content to endpoint computers by sending signed content from a content-providing server to customer special-user workstations each including an enclave networked to its own subpopulation of endpoint computers which is a subset of the endpoint computers' population; and/or, in each enclave, authenticating that content received was signed by the server and then generating non-identical copies of the content received to be used by endpoint computers belonging to the individual enclave's subpopulation, signing the non-identical copies and sending the non-identical signed copies to endpoint computer/s in the enclave's subpopulation of endpoint computers, and/or in at least one enclave, authenticating that content received was signed by the given special-user workstation and then using the content received that was signed by the given special-user workstation, on or in the endpoint computer/s.
    Type: Application
    Filed: January 31, 2022
    Publication date: April 25, 2024
    Inventors: Daniel Mondy FINCHELSTEIN, Yaacov FENSTER, Alexey SHEVANDIN
  • Patent number: 11947656
    Abstract: A technique of proofing against tampering with a computer including a chassis with a plurality of fasteners. The technique includes obtaining by the computer data indicative of a sequence of implication events associated with the fasteners of the plurality of fasteners, generating a pattern corresponding to the sequence of implication events, matching between data corresponding to the generated pattern and a reference data, and initiating one or more anti-tampering actions responsive to a mismatching result. The method can further include generating a cryptographic signature corresponding to the generated pattern, wherein matching between data corresponding to the generated pattern and the reference data includes matching the generated cryptographic signature to a cryptographic reference corresponding to the reference data. Alternatively, or additionally, the generated cryptographic signature can be usable for secure access to information stored on the computer.
    Type: Grant
    Filed: March 26, 2019
    Date of Patent: April 2, 2024
    Assignee: KAZUAR ADVANCED TECHNOLOGIES LTD.
    Inventors: Daniel Mondy Finchelstein, Yuval Moshe Porat, Be'eri Berl Katznelson, Yaacov Fenster
  • Patent number: 11876783
    Abstract: There is provided a computerized method of secure communication between a source computer and a destination computer, the method performed by an inspection computer and comprising: receiving data sent by the source computer to the destination computer; inspecting the received data using one or more filtering mechanisms, giving rise to one or more inspection results; separately signing each of the one or more inspection results; determining, based on an inspection management policy, whether to send at least some of the inspection results and/or derivatives thereof for manual inspection; upon a positive determination, providing manual inspection of the at least some inspection results and/or derivatives thereof, and providing signing of the at least one manual inspection result; and analyzing signed inspection results and performing additional verification of the signed inspection results when a result of the analyzing meets a predefined criterion specified by the inspection management policy.
    Type: Grant
    Filed: November 13, 2019
    Date of Patent: January 16, 2024
    Assignee: KAZUAR ADVANCED TECHNOLOGIES LTD.
    Inventors: Daniel Mondy Finchelstein, Yuval Moshe Porat, Yaacov Fenster
  • Publication number: 20230251886
    Abstract: A computing system comprising: one or more processors configured to execute one or more computing environments (CEs) to access shared resources; a processor-based computing environment inspector unit (CEIU) operably connected to the one or more CEs and configured to inspect data generated by the one or more CEs; a processor-based mitigator unit (MU); and a storage medium; wherein the CEIU is further configured, responsive to detecting CE-generated data that is indicative of a compromise of a first CE, to notify the MU of the compromise of the first CE, and wherein the MU is configured, responsive to receiving notification of a compromise of the first CE, to disable access to the shared resources by the first CE.
    Type: Application
    Filed: June 3, 2021
    Publication date: August 10, 2023
    Inventors: Daniel Mondy FINCHELSTEIN, Yuval Moshe PORAT, Yaacov FENSTER, Shlomi Raz MARCO
  • Patent number: 11693793
    Abstract: There is provided a method of communication among at least two processes running on the same computer. The method comprises: generating, by at least one process of the at least two processes, a group key usable for encrypting/decrypting a data unit retrieved from/stored to shared access memory, wherein the generating utilizes, at least, a nonce provided by each of the at least two processes, and wherein the nonces are provided as encrypted integrity-protected data according to, at least, a platform-provided hiding function, wherein each process executes in a protected container, the processes are signed by a single signing authority, and the protected container infrastructure enables use of encrypted, integrity-protected data according to a platform-provided hiding function and a platform-provided revealing function; and verifying, by at least one process of the at least two processes, that a data unit read from shared access memory is successfully decrypted using the group key.
    Type: Grant
    Filed: March 26, 2019
    Date of Patent: July 4, 2023
    Assignee: KAZUAR ADVANCED TECHNOLOGIES LTD.
    Inventors: Daniel Mondy Finchelstein, Yuval Moshe Porat, Erez Gal-Betzer, Yaacov Fenster
  • Publication number: 20210377219
    Abstract: There is provided a computerized method of secure communication between a source computer and a destination computer, the method performed by an inspection computer and comprising: receiving data sent by the source computer to the destination computer; inspecting the received data using one or more filtering mechanisms, giving rise to one or more inspection results; separately signing each of the one or more inspection results; determining, based on an inspection management policy, whether to send at least some of the inspection results and/or derivatives thereof for manual inspection; upon a positive determination, providing manual inspection of the at least some inspection results and/or derivatives thereof, and providing signing of the at least one manual inspection result; and analyzing signed inspection results and performing additional verification of the signed inspection results when a result of the analyzing meets a predefined criterion specified by the inspection management policy.
    Type: Application
    Filed: November 13, 2019
    Publication date: December 2, 2021
    Inventors: Daniel Mondy FINCHELSTEIN, Yuval Moshe PORAT, Yaacov FENSTER
  • Publication number: 20210026784
    Abstract: There is provided a method of communication among at least two processes running on the same computer. The method comprises: generating, by at least one process of the at least two processes, a group key usable for encrypting/decrypting a data unit retrieved from/stored to shared access memory, wherein the generating utilizes, at least, a nonce provided by each of the at least two processes, and wherein the nonces are provided as encrypted integrity-protected data according to, at least, a platform-provided hiding function, wherein each process executes in a protected container, the processes are signed by a single signing authority, and the protected container infrastructure enables use of encrypted, integrity-protected data according to a platform-provided hiding function and a platform-provided revealing function; and verifying, by at least one process of the at least two processes, that a data unit read from shared access memory is successfully decrypted using the group key.
    Type: Application
    Filed: March 26, 2019
    Publication date: January 28, 2021
    Inventors: Daniel Mondy FINCHELSTEIN, Yuval Moshe PORAT, Erez GAL-BETZER, Yaacov FENSTER
  • Publication number: 20210012037
    Abstract: There is provided a technique of proofing against tampering with a computer comprising a chassis with a plurality of fasteners. The technique comprises: obtaining by the computer data indicative of a sequence of implication events associated with the fasteners of the plurality of fasteners; generating a pattern corresponding to the sequence of implication events; matching between data corresponding to the generated pattern and a reference data; and initiating one or more anti-tampering actions responsive to a mismatching result. The method can further comprise generating a cryptographic signature corresponding to the generated pattern, wherein matching between data corresponding to the generated pattern and the reference data comprises matching the generated cryptographic signature to a cryptographic reference corresponding to the reference data. Alternatively or additionally, the generated cryptographic signature can be usable for secure access to information stored on the computer.
    Type: Application
    Filed: March 26, 2019
    Publication date: January 14, 2021
    Inventors: Daniel Mondy FINCHELSTEIN, Yuval Moshe PORAT, Be'eri Berl KATZNELSON, Yaacov FENSTER
  • Patent number: 10341095
    Abstract: The presently disclosed subject matter includes a computerized method and system of implementing a secret management scheme. According to the proposed approach, values derived from a secret are not distributed to the participating entities. Instead, each participating entity provides a respective preexisting identifier that is not derived from the secret.
    Type: Grant
    Filed: February 10, 2016
    Date of Patent: July 2, 2019
    Assignee: Kaminario Technologies Ltd.
    Inventor: Yaacov Fenster
  • Publication number: 20190129865
    Abstract: The presently disclosed subject matter includes a computer system and method that enable to encrypt and persist data stored on a volatile memory during an event that may result in the data being unavailable or destroyed. According to the disclosed technique, once the computer system regains its ability to safely store data on the volatile memory, the encrypted data is copied from the non-volatile memory used for persisting the data “as is” i.e. without being decrypted. The decryption is performed by the system's processing circuitry external to the non-volatile memory.
    Type: Application
    Filed: October 25, 2018
    Publication date: May 2, 2019
    Applicant: Kaminario Technologies Ltd.
    Inventor: Yaacov Fenster
  • Patent number: 10235278
    Abstract: Methods, apparatus and computer program products implement embodiments of the present invention that enable a device such as a disk drive, to receive a configuration message including an error in implementing an operation on the device and a statistical frequency of an occurrence of the error. Upon configuration, the device can receive multiple requests for the operation, and at the statistical frequency, respond to a given one of the requests with the error. In some embodiments the device may convey an error message indicating an occurrence of the error. Alternatively, the device may fail to complete the operation, delay in completing the operation or perform the operation incorrectly.
    Type: Grant
    Filed: March 7, 2013
    Date of Patent: March 19, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Yaacov Fenster
  • Publication number: 20160241391
    Abstract: The presently disclosed subject matter includes a computerized method and system of implementing a secret management scheme. According to the proposed approach, values derived from a secret are not distributed to the participating entities. Instead, each participating entity provides a respective preexisting identifier that is not derived from the secret.
    Type: Application
    Filed: February 10, 2016
    Publication date: August 18, 2016
    Applicant: Kaminario Technologies Ltd.
    Inventor: Yaacov FENSTER
  • Patent number: 8019818
    Abstract: A communications network system, comprising: a first user device, wherein the first user device uses a first communications protocol; a second user device, wherein the second user device uses a second communications protocol, different from the first communications protocol; and, a server, in operative communication with the first user device and the second user device, and wherein the server comprises a processor for translating the first communications protocol into the second communications protocol.
    Type: Grant
    Filed: January 16, 2007
    Date of Patent: September 13, 2011
    Assignee: Zlango Ltd.
    Inventors: Yoav Lorch, Ehud Spiegel, Yossef Ilkanaev, Yaacov Fenster, Andrew Weinstein
  • Publication number: 20090013087
    Abstract: A communications network system, comprising: a first user device, wherein the first user device uses a first communications protocol; a second user device, wherein the second user device uses a second communications protocol, different from the first communications protocol; and, a server, in operative communication with the first user device and the second user device, and wherein the server comprises a processor for translating the first communications protocol into the second communications protocol.
    Type: Application
    Filed: January 16, 2007
    Publication date: January 8, 2009
    Applicant: Zlango Ltd.
    Inventors: Yoav Lorch, Ehud Spiegel, Yossef Ilkanaev, Yaacov Fenster, Andrew Weinstein