Abstract: Embodiments of a method and apparatus for monitoring activity on a virtual machine are generally described herein. The activity may be monitored by a first hypervisor and the virtual machine may be controlled by a second hypervisor. In some embodiments, the method includes setting a breakpoint in a kernel function of the virtual machine. The method may further include generating a page fault, responsive to the virtual machine halting execution at the breakpoint, to cause the second hypervisor to page in contents of a memory location accessed by the kernel function. The method may further include inspecting the contents of the memory location to detect activity in the virtual machine.

Abstract: Methods and systems allow the use of hypervisors to use software breakpoints in the same manner as hardware breakpoints. A program to be tested is executed by a hypervisor running a virtual machine. A memory page containing the location of a breakpoint is copied to a temporary memory page. Then a new page is written containing breakpoint instructions at specified memory locations. The new page is tagged as execute only, so the program to be tested is unaware of any changes to the program. If the program attempts to read from the changed memory page, it will read from the temporary memory page instead. Such a method can be used to search websites for malware in relative safety because of the inability of the malware to write to memory locations that are located on a page that is execute only.

Abstract: A method of increasing processing diversity on a computer system includes: loading a plurality of instruction streams, each of the plurality of instruction streams being equivalent; executing, in a context, a first stream of the plurality of instruction streams; stopping execution of the first stream at a first location of the first stream; and executing, in the context, a second stream of the plurality of instruction streams at a second location of the second stream, the second location corresponding to the first location of the first stream.

Abstract: Embodiments of methods and network devices for securing data within a network are generally described herein. One such method includes a key aggregation server receiving a request for an encryption key to secure the data. The server may query a plurality of network devices for a respective key from each queried network device. The server may then receive the respective key from each of the plurality of network devices and select a key element from each of the plurality of keys. An encryption key may be constructed from the key elements and transmitted to a client.

Abstract: A method of increasing processing diversity on a computer system includes: loading a plurality of instruction streams, each of the plurality of instruction streams being equivalent; executing, in a context, a first stream of the plurality of instruction streams; stopping execution of the first stream at a first location of the first stream; and executing, in the context, a second stream of the plurality of instruction streams at a second location of the second stream, the second location corresponding to the first location of the first stream.

Abstract: A method of randomizing locations of variables in a stack includes: identifying a plurality of stack locations corresponding to a plurality of variables; shuffling the stack locations of the variables to produce shuffled stack locations; and updating the stack locations of the variables with the shuffled stack locations.

Abstract: A method for detecting foreign code injected into a computer system including a processor and memory, the processor being configured to execute instructions stored in the memory, includes: detecting, on the computer system, an illegal instruction error; recording the illegal instruction error; determining whether a threshold condition is met; and generating an alert if the threshold condition is met.

Abstract: In one embodiment, a method includes identifying, using one or more processors, a plurality of characteristics of a Portable Document Format (PDF) file. The method also includes determining, using the one or more processors, for each of the plurality of characteristics, a score corresponding to the characteristic. In addition, the method includes comparing, using the one or more processors, the determined scores to a first threshold. Based at least on the comparison of the determined scores to the first threshold, the method includes determining, using the one or more processors, that the PDF file is potential malware.

Abstract: A method for distributing execution of a computer program to a plurality of hardware architectures of different types including: analyzing the computer program to identify a plurality of execution boundaries; selecting one or more execution boundaries from the plurality of execution boundaries; linking the computer program to the selected one or more execution boundaries; executing the computer program with linked execution boundaries; saving a hardware agnostic state of the execution of the computer program, when the execution encounters a boundary from the selected one or more execution boundaries; and transmitting the hardware agnostic state to a remote hardware architecture to be executed on the remote hardware architecture, responsive to the hardware agnostic state.

Abstract: According to one aspect, a science, technology, engineering and mathematics (STEM) based cyber security education system is provided. A training component, a knowledge component, and a collaborative component are interfaced to a distance learning component to form a STEM-based cyber security education system interface on an educational content server. The educational content server is coupled to a content database configured to access STEM-based cyber security educational content associated with one or more of: the training component, the knowledge component, and the collaborative component. Asynchronous delivery of the STEM-based cyber security educational content is provided to an end user computer in response to a user request. An interactive session is established between one or more experts and the end user computer to provide synchronous delivery of STEM-based cyber security materials.