Patents Assigned to Assured Information Security, Inc.
  • Publication number: 20190311098
    Abstract: A method for keystroke-based behavioral verification of user identity of a subject user of a computer system includes obtaining an enrollment signature corresponding to an identified user and serving as a unique identifier of the identified user, the enrollment signature including an enrollment determinate vector generated based on supplying enrollment keystroke data to a deep neural network for processing. The method further includes obtaining verification determinate vector(s), the verification determinate vector(s) for comparison to the enrollment signature to determine whether the subject user is the identified user.
    Type: Application
    Filed: April 10, 2018
    Publication date: October 10, 2019
    Applicant: Assured Information Security, Inc.
    Inventors: Jacob BALDWIN, Ryan BURNHAM, Robert DORA, Andrew MEYER, Robert WRIGHT
  • Publication number: 20190311099
    Abstract: A method for gait-based behavioral verification of user identity of a subject user of a computer system includes obtaining an enrollment signature corresponding to an identified user and serving as a unique identifier of the identified user, the enrollment signature including an enrollment determinate vector generated based on supplying enrollment gait data to a deep neural network for processing. The method further includes obtaining verification determinate vector(s), the verification determinate vector(s) for comparison to the enrollment signature to determine whether the subject user is the identified user.
    Type: Application
    Filed: April 10, 2018
    Publication date: October 10, 2019
    Applicant: Assured Information Security, Inc.
    Inventors: Jacob BALDWIN, Ryan BURNHAM, Robert DORA, Andrew MEYER, Robert WRIGHT
  • Publication number: 20190173846
    Abstract: Dedicating hardware devices to virtual machines includes dedicating, by a hypervisor executing on a computer system, a set of hardware devices of the computer system to a first virtual machine of the hypervisor, the first virtual machine executing a guest operating system, and the set of hardware devices for use by the guest operating system in execution of the guest operating system, and dedicating network device hardware of the computer system to a second virtual machine of the hypervisor, the second virtual machine being a different virtual machine than the first virtual machine, wherein network communication between the guest operating system and a network to which the computer system is connected via the network device hardware occurs via the second virtual machine.
    Type: Application
    Filed: December 5, 2017
    Publication date: June 6, 2019
    Applicant: Assured Information Security, Inc.
    Inventors: Christopher James PATTERSON, Rian QUINN, Katherine Julia TEMKIN, Harlan Philip WHITE
  • Publication number: 20190163907
    Abstract: A method includes monitoring system call invocations made to an operating system of a computer system by an application as the application renders a digital file. The method automatically featurizes the system call invocations into a set of features corresponding to the digital file, and compares each feature set against benign features of a set of known benign features. The comparing includes, for each feature of the set of features, applying entity resolution between the feature and benign feature(s) of the set of known benign features to find a correlation between the feature and a benign feature representing a common semantic interaction between the application and the operating system. The method identifies a number of features that do not correlate to the benign features, and determines maliciousness of the digital file based on the identified number of features that do not correlate to the benign features.
    Type: Application
    Filed: November 30, 2017
    Publication date: May 30, 2019
    Applicant: Assured Information Security, Inc.
    Inventors: Daniel SCOFIELD, Craig MILES
  • Patent number: 9996374
    Abstract: An update is deployed to a guest virtual machine of a hypervisor during runtime of the guest virtual machine. An executing thread of the guest virtual machine is identified and execution of the thread is redirected to a function to open a handle to a file, of the guest virtual machine, to which data of the update is to be written. The data is provided to a component of the guest virtual machine, and then execution of the thread is redirected to a function to write the data provided to the component to the file.
    Type: Grant
    Filed: June 16, 2015
    Date of Patent: June 12, 2018
    Assignee: ASSURED INFORMATION SECURITY, INC.
    Inventors: Michael Joseph Sieffert, Jonathan Einstoss, Stephen Raymond Pape, Adam T. Meily
  • Patent number: 9871787
    Abstract: Authentication processing for a plurality of self-encrypting storage devices (e.g. SEDs) of a computer system is provided. The authentication processing for the SEDs includes obtaining authentication information for one SED of the plurality of SEDs, performing authentication processing for the one SED based on the obtained authentication information for the one SED; and based on the authentication processing for the one SED, performing authentication processing for each additional SED of one or more additional SEDs of the plurality of SEDs. A pre-boot configuration environment (PBA) to facilitate the authentication processing, and methods for installing the PBA are provided.
    Type: Grant
    Filed: February 23, 2016
    Date of Patent: January 16, 2018
    Assignee: ASSURED INFORMATION SECURITY, INC.
    Inventor: Maurice Gale
  • Publication number: 20170366505
    Abstract: Obtaining, in association with origination of outbound network traffic to be sent by a system, user account information of a user account on behalf of which the outbound network traffic is generated, and performing filtering of the outbound network traffic based on the obtained user account information of the user account on behalf of which the outbound network traffic is generated, where the filtering is further based on one or more rules, and the filtering includes determining whether to block or allow sending of the outbound network traffic from the system.
    Type: Application
    Filed: June 17, 2016
    Publication date: December 21, 2017
    Applicant: Assured Information Security, Inc.
    Inventors: Jared Wright, Jacob Torrey
  • Publication number: 20170244698
    Abstract: Authentication processing for a plurality of self-encrypting storage devices (e.g. SEDs) of a computer system is provided. The authentication processing for the SEDs includes obtaining authentication information for one SED of the plurality of SEDs, performing authentication processing for the one SED based on the obtained authentication information for the one SED; and based on the authentication processing for the one SED, performing authentication processing for each additional SED of one or more additional SEDs of the plurality of SEDs. A pre-boot configuration environment (PBA) to facilitate the authentication processing, and methods for installing the PBA are provided.
    Type: Application
    Filed: February 23, 2016
    Publication date: August 24, 2017
    Applicant: Assured Information Security, Inc.
    Inventor: Maurice Gale
  • Patent number: 9654498
    Abstract: A determination is made as to whether an attempt to send a data packet from a computer system has deviated from an established protocol for sending data packets from the computer system. The determination includes obtaining a data structure describing the data packet, and, based on invocation of a function to deliver the data packet to a module of a stack of the computer system, the module interfacing network hardware for sending the data packet, checking for presence of a tag placed in the data structure by a component of the stack and indicative of whether the attempt to send the data packet has deviated from the established protocol. Processing is then performed based on the determination of whether the attempt has deviated from the established protocol.
    Type: Grant
    Filed: May 12, 2015
    Date of Patent: May 16, 2017
    Assignee: ASSURED INFORMATION SECURITY, INC.
    Inventors: Robert Durham, Kyle Patton, Levi Arthur
  • Patent number: 9639671
    Abstract: Provided are facilities for secure execution of an encrypted executable comprising an encrypted instruction. The secure execution includes obtaining the encrypted instruction, decrypting the encrypted instruction using a decryption key being maintained in a secure location within a processor, and storing the decrypted instruction to a secure storage for execution, where the decryption key remains in the secure location during the decrypting and the storing to facilitate maintaining security of the decryption key.
    Type: Grant
    Filed: May 27, 2014
    Date of Patent: May 2, 2017
    Assignee: ASSURED INFORMATION SECURITY, INC.
    Inventor: Jacob Torrey
  • Patent number: 9619346
    Abstract: Run-time, event-driven virtual machine introspection of the target guest virtual machine is facilitated as described herein. A component can specify events that are of interest to the component for introspection of a target guest virtual machine of a hypervisor. The hypervisor detects an introspection event generated by a target guest virtual machine and determines whether the introspection event is of interest for handling by a component coupled to the hypervisor. If so, the hypervisor alerts the component about the introspection event and provides information associated with the introspection event to the component. The component thereby receives notification of occurrence of the introspection event from the hypervisor and may obtain information associated with the introspection event.
    Type: Grant
    Filed: October 28, 2014
    Date of Patent: April 11, 2017
    Assignee: ASSURED INFORMATION SECURITY, INC.
    Inventor: Stephen Raymond Pape
  • Publication number: 20160371105
    Abstract: An update is deployed to a guest virtual machine of a hypervisor during runtime of the guest virtual machine. An executing thread of the guest virtual machine is identified and execution of the thread is redirected to a function to open a handle to a file, of the guest virtual machine, to which data of the update is to be written. The data is provided to a component of the guest virtual machine, and then execution of the thread is redirected to a function to write the data provided to the component to the file.
    Type: Application
    Filed: June 16, 2015
    Publication date: December 22, 2016
    Applicant: ASSURED INFORMATION SECURITY, INC.
    Inventors: Michael Joseph Sieffert, Jonathan Einstoss, Stephen Raymond Pape, Adam T. MEILY
  • Publication number: 20160337383
    Abstract: A determination is made as to whether an attempt to send a data packet from a computer system has deviated from an established protocol for sending data packets from the computer system. The determination includes obtaining a data structure describing the data packet, and, based on invocation of a function to deliver the data packet to a module of a stack of the computer system, the module interfacing network hardware for sending the data packet, checking for presence of a tag placed in the data structure by a component of the stack and indicative of whether the attempt to send the data packet has deviated from the established protocol. Processing is then performed based on the determination of whether the attempt has deviated from the established protocol.
    Type: Application
    Filed: May 12, 2015
    Publication date: November 17, 2016
    Applicant: ASSURED INFORMATION SECURITY, INC.
    Inventors: Robert Durham, Kyle Patton, Levi Arthur
  • Patent number: 9335886
    Abstract: User interaction with multiple domains is facilitated while preventing cross-domain transfer of data from those domains. A compositioning domain facilitates this interaction in a secure manner in which cross-domain transfer of data is prevented. This includes obtaining pixel information from the domains via one or more read-only communication paths, providing a user interface to the user, which includes providing a display buffer including at least some of the pixel information obtained from each domain of the domains for display to the user, and maintaining an in-focus domain state. The in-focus domain state indicates which domain of the domains is currently in-focus. User input from the user based on the user interface is provided by a user input handler directly to the currently in-focus domain indicated by the in-focus domain state absent transfer of the user input to the compositioning domain.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: May 10, 2016
    Assignee: ASSURED INFORMATION SECURITY, INC.
    Inventors: Rian Patrick Quinn, Brendan Timothy Kerrigan
  • Publication number: 20150347724
    Abstract: Provided are facilities for secure execution of an encrypted executable comprising an encrypted instruction. The secure execution includes obtaining the encrypted instruction, decrypting the encrypted instruction using a decryption key being maintained in a secure location within a processor, and storing the decrypted instruction to a secure storage for execution, where the decryption key remains in the secure location during the decrypting and the storing to facilitate maintaining security of the decryption key.
    Type: Application
    Filed: May 27, 2014
    Publication date: December 3, 2015
    Applicant: Assured Information Security, Inc.
    Inventor: Jacob TORREY
  • Publication number: 20150121135
    Abstract: Run-time, event-driven virtual machine introspection of the target guest virtual machine is facilitated as described herein. A component can specify events that are of interest to the component for introspection of a target guest virtual machine of a hypervisor. The hypervisor detects an introspection event generated by a target guest virtual machine and determines whether the introspection event is of interest for handling by a component coupled to the hypervisor. If so, the hypervisor alerts the component about the introspection event and provides information associated with the introspection event to the component. The component thereby receives notification of occurrence of the introspection event from the hypervisor and may obtain information associated with the introspection event.
    Type: Application
    Filed: October 28, 2014
    Publication date: April 30, 2015
    Applicant: ASSURED INFORMATION SECURITY, INC.
    Inventor: Stephen Raymond PAPE
  • Patent number: 8966642
    Abstract: Verification of trustworthiness of a computing platform is provided. The trustworthiness of the computing platform is dynamically assessed to determine whether a root of trust exists on the computing platform. Responsive to determining existence of the root of trust, data is unsealed from a sealed storage facility. The sealed storage facility is unsealed responsive to a root of trust being determined to exist on the computing platform. The data can be used to attest to the trustworthiness of the computing platform to other device on a network.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: February 24, 2015
    Assignee: Assured Information Security, Inc.
    Inventors: Rian Quinn, Jacob Torrey
  • Patent number: 8856789
    Abstract: Trusted execution of a self-modifying executable is facilitated. An attempt to access a data portion of a self-modifying executable during execution of the self-modifying executable is detected. The self-modifying executable includes the data portion, for storing data to be accessed during execution of the self-modifying executable, and an instruction portion including instructions for execution of the self-modifying executable. The attempt to access the data portion is retargeted to a separate portion of memory space that is separate from another portion of memory space in which the self-modifying executable is loaded for execution. Meaningful measurability of the integrity of the self-modifying executable is thereby provided.
    Type: Grant
    Filed: September 6, 2012
    Date of Patent: October 7, 2014
    Assignee: Assured Information Security, Inc.
    Inventor: Jacob Torrey
  • Publication number: 20140282050
    Abstract: User interaction with multiple domains is facilitated while preventing cross-domain transfer of data from those domains. A compositioning domain facilitates this interaction in a secure manner in which cross-domain transfer of data is prevented. This includes obtaining pixel information from the domains via one or more read-only communication paths, providing a user interface to the user, which includes providing a display buffer including at least some of the pixel information obtained from each domain of the domains for display to the user, and maintaining an in-focus domain state. The in-focus domain state indicates which domain of the domains is currently in-focus. User input from the user based on the user interface is provided by a user input handler directly to the currently in-focus domain indicated by the in-focus domain state absent transfer of the user input to the compositioning domain.
    Type: Application
    Filed: March 13, 2013
    Publication date: September 18, 2014
    Applicant: Assured Information Security, Inc.
    Inventors: Rian QUINN, Brendan Kerrigan
  • Publication number: 20140068612
    Abstract: Trusted execution of a self-modifying executable is facilitated. An attempt to access a data portion of a self-modifying executable during execution of the self-modifying executable is detected. The self-modifying executable includes the data portion, for storing data to be accessed during execution of the self-modifying executable, and an instruction portion including instructions for execution of the self-modifying executable. The attempt to access the data portion is retargeted to a separate portion of memory space that is separate from another portion of memory space in which the self-modifying executable is loaded for execution. Meaningful measurability of the integrity of the self-modifying executable is thereby provided.
    Type: Application
    Filed: September 6, 2012
    Publication date: March 6, 2014
    Applicant: ASSURED INFORMATION SECURITY, INC.
    Inventor: Jacob TORREY