Upgrade/install Encryption Patents (Class 713/191)
  • Patent number: 9692783
    Abstract: According to an example, a client device determines at least one virus sample according to at least one anti-virus engine, transmits sample information of the at least one virus sample to a server, such that the server determines a first virus sample set that needs to be reported according to the sample information of the at least one virus sample and a predefined sample information list in the server, and returns the first virus sample set to the client device. The client device receives the first virus sample set that needs to be reported and performs a virus reporting operation according to the virus sample set.
    Type: Grant
    Filed: April 22, 2015
    Date of Patent: June 27, 2017
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Yongxian Liu, Qiyuan Meng
  • Patent number: 9672023
    Abstract: A graphical user interface (GUI) for a unified software update display center is provided. The GUI includes a first display area for displaying a set of available security system software updates. The GUI includes a second display area for displaying a set of available non-security system software updates. The GUI includes a third display area for displaying a set of available application software updates. The GUI includes a single selection tool for installing all available security updates without installing any updates displayed in the second and third display areas. The GUI includes individual selection tools for installing individual updates displayed in the second and third display areas. The GUI includes a selection tool to receive further updates from a system update server and an application update server. The critical security updates are displayed with different display attributes or in different sections to distinguish them from other types of updates.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: June 6, 2017
    Assignee: APPLE INC.
    Inventors: Jack R. Matthew, Jean-Pierre Ciudad, Laurent Baumann, Patrick L. Coffman, Randy D. Saldinger, Daniel I. Feldman
  • Patent number: 9626177
    Abstract: A method and apparatus for updating an application on a group of nodes is presented. According to one embodiment, an application is updated at a first node. The first node updates a registry to indicate that an update was performed at the first node and propagates the update to the registry to one or more second nodes. At a second node, the second node determines that one or more application updates are available at the first node. Upon such a determination, the second node requests one or more update packages from the first node. Based on an update policy associated with the second node, the second node updates the application using the one or more update packages.
    Type: Grant
    Filed: September 11, 2015
    Date of Patent: April 18, 2017
    Assignee: COHESITY, INC.
    Inventors: Sashi Madduri, Gaurav Garg, Patrick Lundquist
  • Patent number: 9619672
    Abstract: A processor capable of secure execution. The processor contains an execution unit and secure partition logic that secures a partition in memory. The processor also contains cryptographic logic coupled to the execution unit that encrypts and decrypts secure data and code.
    Type: Grant
    Filed: December 24, 2014
    Date of Patent: April 11, 2017
    Assignee: Intel Corporation
    Inventor: Millind Mittal
  • Patent number: 9621630
    Abstract: A distribution method is disclosed. In a distribution method, a program to which a first signature is applied is divided. Control information including restore information pertinent to restoring the program and a second signature to secure divisional files of the program is attached to at least one of the divisional files. Each of the divisional files is sent via the Internet.
    Type: Grant
    Filed: February 2, 2015
    Date of Patent: April 11, 2017
    Assignee: FUJITSU LIMITED
    Inventors: Koichi Yasaki, Hidenobu Ito, Kazuaki Nimura
  • Patent number: 9575977
    Abstract: A method and apparatus for tracking purged data includes at least one of a data deletion module and a data deletion registry that are used to compare data, records and files of at least one computing unit to determine if any of the data, records or files stored within the computing unit have previously been purged. If so, the data, record or file is re-purged. Purging can include deleting the entire data, record or file or just a portion to anonymize the data record or file. Alternatively, instead of deleting all or a portion of a data, record or file, an encryption key required to access all or a portion of the data, record or file may be deleted thereby rendering the encrypted information inaccessible. Differing schemes and methods for purging data, records and files may be utilized within a network.
    Type: Grant
    Filed: October 28, 2013
    Date of Patent: February 21, 2017
    Inventor: John H. Bergman
  • Patent number: 9547779
    Abstract: A processor includes a plurality of general purpose registers and cryptographic logic to encrypt and decrypt information. The cryptographic logic is to support a Data Encryption Standard (DES) algorithm, a triple DES (3DES) algorithm, a Rivest-Shamir-Adleman (RSA) algorithm, and a Diffie Hellman algorithm. The processor also includes a plurality of memory partition registers to define a physical address range in a dynamic random access memory for use as a secure memory partition. The processor also includes a plurality of execution units coupled to the plurality of general purpose registers, the plurality of memory partition registers, and the cryptographic logic. The processor also includes secure partition enforcement logic coupled to the plurality of execution units and the memory partition registers, the secure partition enforcement logic to selectively permit read or write access to the dynamic random access memory.
    Type: Grant
    Filed: December 24, 2014
    Date of Patent: January 17, 2017
    Assignee: Intel Corporation
    Inventor: Millind Mittal
  • Patent number: 9507962
    Abstract: A processor capable of secure execution. The processor contains an execution unit and secure partition logic that secures a partition in memory. The processor also contains cryptographic logic coupled to the execution unit that encrypts and decrypts secure data and code.
    Type: Grant
    Filed: December 24, 2014
    Date of Patent: November 29, 2016
    Assignee: Intel Corporation
    Inventor: Millind Mittal
  • Patent number: 9461815
    Abstract: A computational engine may include an input configured to receive a first data packet and a second data packet, a context memory configured to store one or more contexts, and a set of computational elements coupled with the input and coupled with the context memory. The set of computational elements may be configured to generate a first output data packet by executing a first sequence of cryptographic operations on the first data packet, and generate a second output data packet by executing a second sequence of cryptographic operations on the second data packet and on a selected context of the one of the one or more contexts. The selected context may be associated with the second packet of data, and the context may be stored in the context memory prior to the execution of the first sequence of cryptographic operations.
    Type: Grant
    Filed: October 18, 2013
    Date of Patent: October 4, 2016
    Assignee: Advanced Micro Devices, Inc.
    Inventor: Winthrop J. Wu
  • Patent number: 9439072
    Abstract: Provided is a system and method for authentication. The method includes receiving a subscription request from a user terminal, the subscription request executed by an authentication server communicating with the user terminal and including group discrimination data including a group code and information for discriminating a group from another, if it is determined that the group code and the information included in the group discrimination data correspond to each other, performing a group authentication procedure on the user terminal and processing the group authentication procedure as being successful, issuing a member session key to the user terminal, and providing a service requested by the user terminal in response to the service request including the member session key from the user terminal. In one embodiment, it is possible to prevent information on service users from being divulged.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: September 6, 2016
    Assignee: TEAMBLIND INC.
    Inventors: Seong Uk Moon, Yeong Jun Jeong
  • Patent number: 9288064
    Abstract: A unique TIO based trust information delivery scheme is disclosed that allows clients to verify received certificates and to control Java and Javascript access efficiently. This scheme fits into the certificate verification process in SSL to provide a secure connection between a client and a Web server. In particular, the scheme is well suited for incorporation into consumer devices that have a limited footprint, such as set-top boxes, cell phones, and handheld computers. Furthermore, the TIO update scheme disclosed herein allows clients to update certificates securely and dynamically.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: March 15, 2016
    Assignee: TVWorks, LLC
    Inventor: Sihai Xiao
  • Patent number: 9282086
    Abstract: A secured communication network can include a server including an authentication backend, the authentication backend configured to communicate with an authentication front end of a communication device. A server applet can be associated with the authentication backend. The server applet can authenticate an access right associated with the communication device and establish a security level for the communication with the communication device based on information received from the authentication front end.
    Type: Grant
    Filed: May 29, 2013
    Date of Patent: March 8, 2016
    Assignee: Broadcom Corporation
    Inventors: Philippe Klein, Jacob Mendel, Shlomo Markel
  • Patent number: 9262644
    Abstract: A server connectable to an apparatus providing contents and an image display apparatus includes an index information processing part configured to provide the image display apparatus with index information for causing a list of information items associated with the contents to be displayed by the image display apparatus, an image data processing part configured to provide the image display apparatus with image data for causing a content associated with an information item selected from the list to be displayed by the image display apparatus, and an apparatus authentication part configured to cause the index information processing part and the image data processing part to execute respective processes when the identification information of the image display apparatus that has requested to obtain the content associated with the selected information item by using access authority information regarding authority to access the content is managed in correlation with the access authority information.
    Type: Grant
    Filed: July 9, 2013
    Date of Patent: February 16, 2016
    Assignee: RICOH COMPANY, LTD.
    Inventors: Kohta Nagai, Hiroyuki Matsushima, Daigo Uchiyama
  • Patent number: 9235409
    Abstract: Customers wanting to deploy software packages, or updates to those packages, across a group of servers or other computing resources can rely upon a component such as a resource manager to manage the deployment. The resource manager can utilize a data structure that stores deployment information by Revision number, and merges information for each verified deployment into a Mainline for those resources. Each Deployment can involve an Individual Release or a Baseline Release, and the importance of those Releases can be determined with respect to a current snapshot of the Mainline. Such an approach enables important Release and Deployment information to be quickly determined and obtained, which can help with configuring and scheduling future Deployments.
    Type: Grant
    Filed: October 30, 2012
    Date of Patent: January 12, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Jiaqi Guo, Gang Li, Matthew David Klein, Zhe Fu, Baogang Song, Weizhong Hua
  • Patent number: 9230455
    Abstract: A method for digital immunity includes identifying a call graph of an executable entity, and mapping nodes of the call graph to a cipher table of obscured information, such that each node is based on invariants in the executable entity. A cipher table maintains associations between the invariants and the obscured information. Construction of an obscured information item, such as an executable set of instructions or a program, involves extracting, from the cipher table, ordered portions of the obscured information, in which the ordered portions have a sequence based on the ordering of the invariants, and ensuring that the obscured information matches a predetermined ordering corresponding to acceptable operation, such as by execution of the instructions represented by the obscured information, or steganographic target program (to distinguish from the executable entity being evaluated). The unmodified nature of the executable entity is assured by successful execution of the steganographic target program.
    Type: Grant
    Filed: June 9, 2014
    Date of Patent: January 5, 2016
    Assignee: DIGITAL IMMUNITY LLC
    Inventor: Thomas H Probert
  • Patent number: 9207911
    Abstract: A system and method of generating a one-way function and thereby producing a random-value stream. Steps include: providing a plurality of memory cells addressed according to a domain value wherein any given domain value maps to all possible range values; generating a random domain value associated with one of the memory cells; reading a data value associated with the generated random domain value; generating dynamically enhanced data by providing an additional quantity of data; removing suspected non-random portions thereby creating source data; validating the source data according to a minimum randomness requirement, thereby creating a validated source data; and integrating the validated source data with the memory cell locations using a random edit process that is a masking, a displacement-in-time, a chaos engine, an XOR, an overwrite, an expand, a remove, a control plane, or an address plane module. The expand module inserts a noise chunk.
    Type: Grant
    Filed: October 16, 2009
    Date of Patent: December 8, 2015
    Assignee: CASSY HOLDINGS LLC
    Inventor: Patrick D. Ross
  • Patent number: 9112610
    Abstract: In a network that includes one or a plurality of optical line terminals, a plurality of branches, and an optical routing unit, the optical network unit registration method includes a first process in which the optical line terminals transmit a discovery gate to the optical network units, and a second process in which, in response to the discovery gate, an unregistered optical network unit transmits a register request to a separate optical line terminal from the terminal that transmitted the discovery gate. A discovery window is provided in the optical line terminal that receives the register request. This optical line terminal receives the register request in the discovery window.
    Type: Grant
    Filed: March 8, 2013
    Date of Patent: August 18, 2015
    Assignee: Oki Electric Industry Co., Ltd.
    Inventor: Masahiro Sarashina
  • Patent number: 9077651
    Abstract: A distributed fabric system has distributed line card (DLC) chassis and scaled-out fabric coupler (SFC) chassis. Each DLC includes a network processor and fabric ports. Each network processor of each DLC includes a fabric interface in communication with the fabric ports of that DLC. Each SFC includes at least one fabric element and SFC fabric ports. A fabric communication link connects each SFC fabric port to one DLC fabric port. Each fabric communication link includes cell-carrying lanes. Each fabric element of each SFC detects connectivity between each SFC fabric port of that SFC and one DLC fabric port over a fabric communication link. Each SFC includes program code that reads connectivity matrix from fabric element chips and sends connection information corresponding to the detected connectivity from that SFC to a central agent. A network element includes the central agent, which, when executed, constructs a topology of the distributed fabric system from the connection information sent from each SFC.
    Type: Grant
    Filed: March 7, 2012
    Date of Patent: July 7, 2015
    Assignee: International Business Machines Corporation
    Inventors: Sushma Anantharam, Nirapada Ghosh, Dayavanti Gopal Kamath, Keshav Govind Kamble, Dar-Ren Leu, Chandarani J. Mendon, Vijoy Pandey, Nandakumar Peethambaram
  • Patent number: 9047474
    Abstract: A circuit for providing isolation in an integrated circuit is described. The circuit comprises a first circuit block having circuits associated with a first security level; a second circuit block having circuits associated with a second security level; and a third circuit block having programmable resources, the third circuit block providing isolation between the first circuit block and the second circuit block and being programmable to enable connections between the first circuit block and the second circuit block.
    Type: Grant
    Filed: February 21, 2014
    Date of Patent: June 2, 2015
    Assignee: XILINX, INC.
    Inventors: Sagheer Ahmad, Bradley L. Taylor, Ygal Arbel
  • Patent number: 9031239
    Abstract: An information processing apparatus includes an encrypting unit that encrypts a value to be kept secret with a predetermined cipher key. The information processing apparatus includes a converting unit that converts, when the value to be kept secret is an initial value written at the time of initialization of a storage device in which a value encrypted by the encrypting unit is stored, the value encrypted by the encrypting unit into a value which is reversibly convertible and is independent of the cipher key used by the encrypting unit. The information processing apparatus includes a storing unit that stores the value converted by the converting unit in the storage device.
    Type: Grant
    Filed: August 14, 2013
    Date of Patent: May 12, 2015
    Assignee: Fujitsu Limited
    Inventor: Yoshiaki Uchida
  • Patent number: 9025765
    Abstract: A system 100 for increasing data security comprises predetermined system data 104 to be protected. A cryptographic unit 108 is used for cryptographic processing of respective blocks of the content data in dependence on respective keys. A key provider 106 determines the respective key used for the processing of a respective block of the content data in dependence on a respective portion 112 of the predetermined system data 104, the portion not including all the predetermined system data, wherein different respective portions of the predetermined system data are selected for the respective blocks of content data. A server system 200 for increasing data security comprises an output 202 for providing processed content data 110 to a client system 100, the client system comprising predetermined system data 104 to be protected. The server system 200 also comprises a cryptographic unit 208 and a key provider 206.
    Type: Grant
    Filed: May 19, 2008
    Date of Patent: May 5, 2015
    Assignee: Irdeto B.V.
    Inventors: Wilhelmus Petrus Adrianus Johannus Michiels, Paulus Mathias Hubertus Mechtildis Antonius Gorissen, Boris Skoric
  • Patent number: 9003203
    Abstract: Storage associated with a virtual machine or other type of device may be migrated between locations (e.g., physical devices, network locations, etc.). To maintain the security of the storage, a system may manage the encryption of the storage area such that a storage area is encrypted with a first encryption key that may be maintained through the migration. A header of the storage area, on the other hand, may be encrypted using a second encryption key and the first encryption key may be stored therein. Upon transfer, the header may be re-encrypted to effect the transfer of security.
    Type: Grant
    Filed: January 23, 2013
    Date of Patent: April 7, 2015
    Assignee: Citrix Systems, Inc.
    Inventor: Michael Bursell
  • Patent number: 8996744
    Abstract: Attempts to update confirmation information or firmware for a hardware device can be monitored using a secure counter that is configured to monotonically adjust a current value of the secure counter for each update or update attempt. The value of the counter can be determined every time the validity of the firmware is confirmed, and this value can be stored to a secure location. At subsequent times, such as during a boot process, the actual value of the counter can be determined and compared with the expected value. If the values do not match, such that the firmware may be in an unexpected state, an action can be taken, such as to prevent access to, or isolate, the hardware until such time as the firmware can be validated or updated to an expected state.
    Type: Grant
    Filed: December 2, 2013
    Date of Patent: March 31, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Michael David Marr, Pradeep Vincent, Matthew T. Corddry, James R. Hamilton
  • Patent number: 8997209
    Abstract: A memory device includes a plurality of memory chips, including one or more memory chips that store authentication information, and a controller including a first register that stores information indicating a representative memory chip, from among the one or more memory chips that store the authentication information, that stores valid authentication information.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: March 31, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Won-Seok Lee, Young-Kug Moon
  • Patent number: 8995663
    Abstract: Disclosed is a method for implementing an encryption engine, which includes: when an engine binding interface is called, a hardware encryption engine establishes a connection with a hardware encryption equipment, acquires an algorithm list of said equipment, and fills a first data structure; when a key initialization interface is called, said engine, according to the transmitted first data structure, sets an encryption/decryption algorithm to be used by said equipment, and retrieves a corresponding algorithm key; and if no algorithm key is retrieved, said engine controls said equipment to create said algorithm key; when a data encryption/decryption interface is called, said engine, according to the currently set encryption/decryption algorithm and said algorithm key, controls said equipment to perform an encryption/decryption operation on the transmitted data. The present invention can add or extend the encryption/decryption algorithm that can only be implemented in hardware to a software algorithm library.
    Type: Grant
    Filed: March 29, 2011
    Date of Patent: March 31, 2015
    Assignee: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 8990796
    Abstract: A method of deploying a new operating system on a plurality of data processors. Hardware and driver information is determined from the data processors. A general disk image for all of the data processors is prepared in a preinstallation environment. Hardware and software components for a specific target data processor are added to or associated with the preinstallation environment to create an installation operating system for that data processor. The components of the installation operating system are installed on the target data processor, thereby replacing the data processor's operating system with the new operating system of the preinstallation environment.
    Type: Grant
    Filed: November 29, 2007
    Date of Patent: March 24, 2015
    Inventors: Thomas Lamantia, Derek Fournier, Rick Schendelman, Kyle Haroldsen, Alan Batson, Phuoc Lieu, Justin Merritt, Kan Mongwa, David Norling-Christensen, Eric Reiner
  • Patent number: 8984656
    Abstract: Database management and security is implemented in a variety of embodiments. In one such embodiment, data sets containing sensitive data elements are analyzed using aliases representing sensitive data elements. In another embodiment, the sensitive data elements are stored in an encrypted form for use from a secure access, while the alias is available for standard access.
    Type: Grant
    Filed: September 23, 2013
    Date of Patent: March 17, 2015
    Assignee: Verisk Crime Analytics, Inc.
    Inventors: David A. Duhaime, Brad J. Duhaime
  • Patent number: 8984636
    Abstract: A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and unwanted software. The system can implement centralized policies that allow an administrator to approve, block, quarantine, and log file activities. The system can extract content of interest from a file container, repackage the content of interest as another valid file type, perform hashes on the content of interest, associate the hash of the container with the hash of the repackaged content, transfer the repackaged content, and store the hash with other security-related information.
    Type: Grant
    Filed: July 29, 2005
    Date of Patent: March 17, 2015
    Assignee: Bit9, Inc.
    Inventor: Todd Brennan
  • Patent number: 8966253
    Abstract: A method and apparatus for authenticating a bitstream used to configure programmable devices are described. In an example, the bitstream is received via a configuration port of the programmable device, the bitstream including instructions for programming configuration registers of the programmable device and at least one embedded message authentication code (MAC). At least a portion of the instructions is initially stored in a memory of the programmable device without programming the configuration registers. At least one actual MAC is computed based on the bitstream using a hash algorithm. The at least one actual MAC is compared with the at least one embedded MAC, respectively. Each instruction stored in the memory is executed to program the configuration registers until any one of the at least one actual MAC is not the same as a corresponding one of the at least one embedded MAC, after which any remaining instructions in the memory are not executed.
    Type: Grant
    Filed: June 1, 2010
    Date of Patent: February 24, 2015
    Assignee: Xilinx, Inc.
    Inventor: Stephen M. Trimberger
  • Patent number: 8966284
    Abstract: A memory system comprises an encryption engine implemented in the hardware of a controller. In starting up the memory system, a boot strapping mechanism is implemented wherein a first portion of firmware when executed pulls in another portion of firmware to be executed. The hardware of the encryption engine is used to verify the integrity of at least the first portion of the firmware. Therefore, only the firmware that is intended to run the system will be executed.
    Type: Grant
    Filed: November 21, 2005
    Date of Patent: February 24, 2015
    Assignee: SanDisk Technologies Inc.
    Inventors: Michael Holtzman, Ron Barzilai, Reuven Elhamias, Niv Cohen
  • Patent number: 8966021
    Abstract: A computer system image is executed on a computing node over a network. A system specification file transmitted over the network specifies the computer system image by specifying components of the computer system image. The components include an operating system and at least one resource. The system specification file also contains a signature associated with the resource. A resource is determined to be authorized to be incorporated into the computer system image by verifying the signature. A computer system image can then be formed based on the components specified by the system specification file and executed locally.
    Type: Grant
    Filed: December 20, 2011
    Date of Patent: February 24, 2015
    Assignee: Amazon Technologies, Inc.
    Inventor: Nicholas Alexander Allen
  • Patent number: 8966283
    Abstract: This document describes methods and systems by which a data storage service migrates a volume of stored data from an unencrypted format to an encrypted format while still permitting user access to the data. The encryption process uses migration markers to identify records that have undergone the encryption process. When migration is complete, the service removes the migration markers and retains the encrypted data in a data storage facility.
    Type: Grant
    Filed: February 15, 2013
    Date of Patent: February 24, 2015
    Assignee: Google Inc.
    Inventors: Umesh Shankar, Ruoming Pang, Benjamin Valerian Pflanz, Sarvar Patel, Darrell Kindred, Daniel Rebolledo Samper
  • Patent number: 8935771
    Abstract: A computer security system may include a removable security device adapted to connect to the input/output port of a computer. The security device may include: a random access memory (RAM) cell; and a processor. The security system may further include: at least one encrypted update packet stored remotely from the security device and adapted to modify the contents of the RAM cell; and a private key located on the security device and adapted to decrypt the update packet; and at least one of a device driver, a software application, and/or a library stored remotely from, and in communication with, the security device and adapted to cause the contents of the at least one cell to be switched out of the cell, stored remotely from the cell, and loaded back into the cell.
    Type: Grant
    Filed: November 6, 2006
    Date of Patent: January 13, 2015
    Assignee: SafeNet, Inc.
    Inventor: Mehdi Sotoodeh
  • Patent number: 8918880
    Abstract: A technology is provided which ensures a high security without affecting a plant operation. A plant security managing device includes a determining unit that determines which one of control units multiplexed as a service system and a standby system associated with monitoring and controlling of a plant is the standby system, a security processing unit that performs a security process for detecting the presence/absence of a security abnormality on the control unit that is the standby system, and a change instructing unit that outputs an instruction for changing the control unit that is the standby system and the control unit that is the service system with each other after the completion of the security process by the security processing unit.
    Type: Grant
    Filed: December 19, 2012
    Date of Patent: December 23, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Keishin Saito, Hiroshi Inada, Takahiro Mori
  • Patent number: 8918649
    Abstract: Apparatuses and methods are disclosed for accessing and distributing data that includes a portable first device and a second device wherein both devices have unconscious capture capability. The first device has a first memory wherein at least one document is stored in the first memory of the first device. The first device has a transceiver, an identifier, and a public key to access a second device.
    Type: Grant
    Filed: February 20, 2007
    Date of Patent: December 23, 2014
    Assignee: Ricoh Co., Ltd.
    Inventor: Jonathan J. Hull
  • Patent number: 8904190
    Abstract: A secure execution environment for execution of sensitive code and data including a secure asset management unit (SAMU) is described. The SAMU provides a secure execution environment to run sensitive code, for example, code associated with copy protection schemes established for content consumption. The SAMU architecture allows for hardware-based secure boot and memory protection and provides on-demand code execution for code provided by a host processor. The SAMU may boot from an encrypted and signed kernel code, and execute encrypted, signed code. The hardware-based security configuration facilitates preventing vertical or horizontal privilege violations.
    Type: Grant
    Filed: December 9, 2010
    Date of Patent: December 2, 2014
    Assignee: Advanced Micro Devices, Inc.
    Inventor: Daniel W. Wong
  • Patent number: 8898797
    Abstract: Option ROM updates are performed in a secure manner with centralized control through system initialization firmware, such as the system BIOS. An option ROM updater manages copying an option ROM update to an auxiliary subsystem if an update bit is set, such as by a secure system management interface with the BIOS. Upon detection of an update bit, the option ROM updater unlocks a write protect at the auxiliary subsystem firmware and copies an option ROM update to the auxiliary subsystem to update the option ROM. After completing the option ROM update, the option ROM updater locks write protection of the option ROM to maintain system security.
    Type: Grant
    Filed: April 12, 2012
    Date of Patent: November 25, 2014
    Assignee: Dell Products L.P.
    Inventors: David Konetski, Frank Molsberry, Ricardo L. Martinez
  • Patent number: 8894485
    Abstract: Examples disclosed herein relate to systems and methods for validating the authenticity of one or more media associated with a gaming system. The systems and methods may utilize a public key in association with a ROM-based algorithm to validate such media. The systems and methods may: decrypt the encrypted game assets media signature; determine a verified game assets hash signature from the decrypted game assets media signature; determine a game assets verification range from the decrypted game assets media signature; calculate a game assets hash signature based on the game assets verification range; and/or determine if the game assets verified hash signature matches the game assets calculated hash signature.
    Type: Grant
    Filed: March 18, 2013
    Date of Patent: November 25, 2014
    Assignee: Cadillac Jack, Inc.
    Inventors: Marius Caldas, Marc McDermott, Ian Scott, Ted Ohnstad
  • Publication number: 20140344585
    Abstract: Authenticated hardware and authenticated software are cryptographically associated using symmetric and asymmetric cryptography. Cryptographically binding the hardware and software ensures that original equipment manufacturer (OEM) hardware will only run OEM software. Cryptographically binding the hardware and software protects the OEM binary code so it will only run on the OEM hardware and cannot be replicated or altered to operate on unauthorized hardware. In one embodiment, critical security information associated with the equipment is loaded from a memory at startup time. The critical security information is stored in the memory, in encrypted form, using a unique secret value. The secret value is used to retrieve a chip encryption key and one or more image authentication keys that can be used to associate program code with an original equipment manufacturer. These keys are used to authenticate the program code.
    Type: Application
    Filed: July 24, 2014
    Publication date: November 20, 2014
    Inventor: Muhammad Raghib Hussain
  • Patent number: 8892907
    Abstract: Example embodiments provide various techniques for storing and recovering a cryptographic key identifier that may be used to recover encrypted data. The cryptographic key identifier may be stored with the encrypted data itself. In an example, the cryptographic key identifier may be stored in particular blocks on a logical disk that are specifically designated to store the cryptographic key identifier. To store the cryptographic key identifiers in the designated blocks, the data within the blocks is compressed to fit the cryptographic key identifiers within the blocks. This cryptographic key identifier can be recovered at a later time by locating the designated blocks and retrieving the cryptographic key identifier from the blocks.
    Type: Grant
    Filed: December 27, 2013
    Date of Patent: November 18, 2014
    Assignee: NetApp, Inc.
    Inventor: David Stephenson
  • Patent number: 8892904
    Abstract: The present disclosure is directed to systems and methods related to hardware-enforced access protection. An example device may comprise a login agent module (LAM), an operating system login authentication module (OSLAM) and a secure user authentication module (SUAM). The LAM may be configured to cause a prompt requesting login information to be presented by the device. The LAM may then provide the login information to the OSLAM, which may be configured to authenticate the login information using known user information. If authenticated, the OSLAM may generate and transmit a signed login success message to the SUAM using a private key. The SUAM may be secure/trusted software loaded by device firmware, and may be configured to authenticate the signed login success message. If authenticated, the SUAM may transmit an encrypted authentication message to the OSLAM. If the encrypted authentication message is authenticated, the OSLAM may grant access to the device.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: November 18, 2014
    Assignee: Intel Corporation
    Inventors: Mojtaba Mirashrafi, Gyan Prakash, Jiphun C. Satapathy, Saurabh Dadu
  • Patent number: 8886961
    Abstract: An application installing method according to the present invention in which an application file includes at least two application encrypting data in which the executable files are respectively encrypted using different encryption algorithms, and a license file includes at least two license encryption data in which application decryption keys for decrypting the application encryption data are encrypted using respectively different encryption algorithms. The process execution apparatus includes a calculation unit configured to execute the executable file, and a storage unit configured to store the application file and the license file. The method includes a step of decrypting the application encryption data by use of the application decryption key with the calculation unit based on the level of priority of the predesignated application encryption data stored in the storage unit, and installing the executable file corresponding to the application encryption data.
    Type: Grant
    Filed: May 24, 2013
    Date of Patent: November 11, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Naoto Yuki
  • Patent number: 8881307
    Abstract: According to some embodiments, an electronic file security management platform may receive a request from a user to access a first electronic file associated with a first application, such as a word processing document. A security characteristic associated with the user may be determined, and an encrypted version of the first electronic file may be decrypted in accordance with the security characteristic. The electronic file security management platform may then arrange for the user to access the first electronic file via the first application such that: (i) a first portion of the first electronic file is available to the user based on a first security requirement associated with the first portion and the security characteristic, and (ii) a second portion of the first electronic file is not available to the user based on a second security requirement associated with the second portion and the security characteristic.
    Type: Grant
    Filed: May 30, 2012
    Date of Patent: November 4, 2014
    Assignee: SAP SE
    Inventors: Yiftach Nun, Inbal Zilberman Kubovsky
  • Patent number: 8880898
    Abstract: A method of maintaining a version counter indicative of a version of memory content stored in a processing device. The method comprises selectively operating the device in a first or second mode. Access to the first mode is limited to authorized users and controlled separately from access to the second mode. In the first mode at least an initial integrity protection value is generated for cryptographically protecting an initial counter value of said version counter during operation of the processing device in the second mode; wherein the initial counter value is selected from a sequence of counter values, and the initial integrity protection value is stored as a current integrity protection value in a storage medium. In the second mode, a current counter value is incremented to a subsequent counter value; wherein incrementing includes removing the current integrity protection value from said storage medium.
    Type: Grant
    Filed: April 18, 2007
    Date of Patent: November 4, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventor: Ben Smeets
  • Patent number: 8880900
    Abstract: A memory system comprises: a memory device including an authentication data area storing authentication unit information and a verification value, and a contents data area storing contents; and a host device configured to receive the authentication unit information and the verification value from the memory device, and perform secure authentication of the memory device based on whether a result of decoding the verification value is equal to the authentication unit information.
    Type: Grant
    Filed: August 30, 2012
    Date of Patent: November 4, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Hyoung-Suk Jang, Hee-Chang Cho, Min-Wook Kim
  • Patent number: 8875290
    Abstract: The present application is directed towards systems and methods for aggressively probing a client side connection to determine and counteract a malicious window size attack or similar behavior from a malfunctioning client. The solution described herein detects when a connection may be under malicious attack via improper or unusual window size settings. Responsive to the detection, the solution described herein will set up probes that determine whether or not the client is malicious and does so within an aggressive time period to avoid the tying up of processing cycles, transport layer sockets and buffers, and other resources of the sender.
    Type: Grant
    Filed: February 18, 2013
    Date of Patent: October 28, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Varun Taneja, Mahesh Mylarappa, Saravanakumar Annamalaisami
  • Patent number: 8869265
    Abstract: A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: October 21, 2014
    Assignee: McAfee, Inc.
    Inventors: Amit Dang, Preet Mohinder
  • Patent number: 8863230
    Abstract: Methods of authenticating a combination of a programmable IC and a non-volatile memory device, where the non-volatile memory device stores a configuration data stream implementing a user design in the programmable IC. A first identifier unique to the programmable IC is stored in non-volatile memory in the programmable IC. A second identifier unique to the non-volatile memory device is stored in the non-volatile memory device. As part of the process in which the configuration data stream is used to program the programmable IC with the user design, a function is performed on the two identifiers, producing a key specific to the programmable IC/non-volatile memory device combination. The key is then compared to an expected value. When the key matches the expected value, the user design is enabled. When the key does not match the expected value, at least a portion of the user design is disabled.
    Type: Grant
    Filed: June 9, 2006
    Date of Patent: October 14, 2014
    Assignee: Xilinx, Inc.
    Inventors: Steven K. Knapp, James A. Walstrum, Jr., Shalin Umesh Sheth
  • Patent number: 8856551
    Abstract: Systems and methods for preventing the unauthorized access to data stored on removable media, such as software, include storing a predetermined signature in the area of non-volatile memory in a computer system. Upon initialization of the computer system, a check is made to verify the signature. Only if the signature is verified will decoding software operate.
    Type: Grant
    Filed: March 18, 2011
    Date of Patent: October 7, 2014
    Assignee: Micron Technology, Inc.
    Inventor: Duane Allen
  • Patent number: 8856536
    Abstract: A method for authenticating a piece of firmware to be downloaded to a controller. The method includes signing the firmware or a first part of the firmware with a first private key at a first trusted source and signing the firmware or a second part of the firmware with a second private key at a second trusted source. The method also includes validating the signed firmware or the first part of the firmware using a first public key at the controller and validating the firmware or the second part of the firmware using a second public key at the controller. The method further includes authenticating the firmware if the firmware or the first part of the firmware is validated by the first public key at the controller and the firmware or the second part of the firmware is validated by the second public key at the controller.
    Type: Grant
    Filed: December 15, 2011
    Date of Patent: October 7, 2014
    Assignee: GM Global Technology Operations LLC
    Inventors: Nader M. Rabadi, Kevin M. Baltes