Patents Assigned to SafeNet, Inc.
  • Patent number: 8307169
    Abstract: A hypervisor runs on a host computer system and defines at least one virtual machine. An address space of the virtual machine resides on physical memory of the host computer system under control of the hypervisor. A guest operating system runs in the virtual machine. At least one of a host operating system and the hypervisor sets parts of the address space of the host computer system corresponding to parts of the address space of the virtual machine to a locked state in which those parts can be read but not written to.
    Type: Grant
    Filed: March 10, 2011
    Date of Patent: November 6, 2012
    Assignee: SafeNet, Inc.
    Inventor: Laszlo Elteto
  • Publication number: 20120233378
    Abstract: A hypervisor runs on a host computer system and defines at least one virtual machine. An address space of the virtual machine resides on physical memory of the host computer system under control of the hypervisor. A guest operating system runs in the virtual machine. At least one of a host operating system and the hypervisor sets parts of the address space of the host computer system corresponding to parts of the address space of the virtual machine to a locked state in which those parts can be read but not written to.
    Type: Application
    Filed: March 10, 2011
    Publication date: September 13, 2012
    Applicant: SafeNet, Inc.
    Inventor: Laszlo Elteto
  • Publication number: 20120216052
    Abstract: A computer system comprises a first region including a base image in the form of machine readable code stored on a non-volatile storage medium, a second region including a machine image in the form of machine readable code stored on a non-volatile storage medium, and a deduplicator. The second region machine image comprises a base part sufficiently similar to the base image for deduplication, and a part special to the second region machine image. The first region base image and the second region machine image are deduplicated by the deduplicator. The second region special part is encrypted by full disk encryption using a key not available to the first region. Methods of, and computer programs for, implementing such a system are described.
    Type: Application
    Filed: October 12, 2011
    Publication date: August 23, 2012
    Applicant: SAFENET, INC.
    Inventor: Chris Dunn
  • Publication number: 20120198538
    Abstract: A security token has multiple independent application enclaves, on which different application providers can install encryption keys and/or other data to authenticate a user of the token to their respective applications.
    Type: Application
    Filed: January 27, 2012
    Publication date: August 2, 2012
    Applicant: SafeNet, Inc.
    Inventors: Kirk Spring, Elizabeth Geraghty, Dean McKee
  • Publication number: 20120179904
    Abstract: A host computer cloud has a processor and supports a virtual machine. An agent under control of a user is in communication with the cloud over a network. A key management server is in communication with the cloud over a network. The cloud stores the virtual machine in the form of a virtual encrypted disk on a non-volatile storage medium. When commanded by the agent, the cloud requests a disk-wrapping key from the key management server and decrypts the encrypted disk using the disk-wrapping key.
    Type: Application
    Filed: November 14, 2011
    Publication date: July 12, 2012
    Applicant: SafeNet, Inc.
    Inventors: Chris Dunn, Russell Dietz, Philip Snyder, Alan H. Frindell
  • Patent number: 8205096
    Abstract: Software application protection methods and systems for protecting and verifying licensing of an original application. The system reads the original application executable, and generates a shelled application comprising the original application and a shell containing the license information. The shelled application implements license APIs, and establishes secure communications within the shelled application between the original application and the shell. Licensing for the original application can be verified by the shelled application alone.
    Type: Grant
    Filed: October 12, 2009
    Date of Patent: June 19, 2012
    Assignee: Safenet, Inc.
    Inventor: Peter Cheng
  • Patent number: 8117221
    Abstract: A system and method for obfuscating a database's schema while preserving its functionality by modifying the original table names, column names, table order, column order, and/or data character set such that the standard order of the original characters is maintained.
    Type: Grant
    Filed: November 11, 2009
    Date of Patent: February 14, 2012
    Assignee: SafeNet, Inc.
    Inventors: Laszlo Elteto, Henry W. Snyder
  • Publication number: 20120005484
    Abstract: A method and apparatus for high assurance boot processing is disclosed. A trusted processor is used to authenticate a trusted boot program and in conjunction with a selector, to provide the authenticated boot program to a boot memory where it can be accessed by a main processor to execute the bootup sequence. The trusted processor also provides a command for the main processor to write a data sequence to a hard drive or similar device, and monitors the data written by the main processor to verify that the data has not been tampered with or otherwise compromised.
    Type: Application
    Filed: December 16, 2010
    Publication date: January 5, 2012
    Applicant: SafeNet, Inc.
    Inventors: Michael Masaji Furusawa, Chieu The Nguyen
  • Patent number: 8078725
    Abstract: A method for distributing data over a network includes the steps of establishing a secure connection between a client and a server; issuing a certificate and a private key to the client for identifying the client in a transaction; storing the certificate and the private key in a portable token of the client and used by the client during a transaction, the portable token including a unique distinguishing number and being a physical device removably coupleable to a client computer; and generating a message linking the data being distributed to the client with at least part of the distinguishing number for the token used by the client during a transaction.
    Type: Grant
    Filed: October 4, 2007
    Date of Patent: December 13, 2011
    Assignee: Safenet, Inc.
    Inventors: Kaijun Tan, Michael L. Cochran, Logan Badia
  • Patent number: 8065718
    Abstract: A method and apparatus for secure authentication of a hardware token is disclosed. In one embodiment, a host computer fingerprint is used to generate a partial seed for a challenge-response authentication which is performed on the hardware token. In another embodiment, the host computer fingerprint is used as a personal identification number for the hardware token.
    Type: Grant
    Filed: October 30, 2007
    Date of Patent: November 22, 2011
    Assignee: SafeNet, Inc.
    Inventors: Brian Grove, Reed Tibbetts, James Khalaf, Laszlo Elteto
  • Patent number: 8055769
    Abstract: A method of securely utilizing downloaded data includes the steps of opening a media player; opening a data file; requesting a portable token from and used by a client, the portable token being a physical device removably coupleable to a client computer; reading a distinguishing number from the token; and verifying a digital message linking the data file to the token using the media player, the distinguishing number, and a private key in the token. The digital message is required to access the data.
    Type: Grant
    Filed: October 4, 2007
    Date of Patent: November 8, 2011
    Assignee: SafeNet, Inc.
    Inventors: Kaijun Tan, Michael L. Cochran, Logan Badia
  • Publication number: 20110191593
    Abstract: Software application protection methods and systems for protecting and verifying licensing of an original application. The system reads the original application executable, and generates a shelled application comprising the original application and a shell containing the license information. The shelled application implements license APIs, and establishes secure communications within the shelled application between the original application and the shell. Licensing for the original application can be verified by the shelled application alone.
    Type: Application
    Filed: October 12, 2009
    Publication date: August 4, 2011
    Applicant: SAFENET, INC.
    Inventor: Peter Cheng
  • Patent number: 7912216
    Abstract: A computer-implemented method of generating an elliptic curve cryptosystem (ECC) signature includes the steps of: generating a first random key (k1) having n bits, where n is a natural number; calculating a first ECC point (V) from k1 and a base point; and storing k1 and V securely in a computer-readable medium. To digitally sign electronic data, the method further includes the steps of generating a second random key (k2), where k2 has fewer than n bits; calculating a second ECC point (Q) from V and k2; and digitally signing electronic data using Q.
    Type: Grant
    Filed: March 3, 2006
    Date of Patent: March 22, 2011
    Assignee: SafeNet, Inc.
    Inventor: Mehdi Sotoodeh
  • Patent number: 7895443
    Abstract: A method and apparatus for secure authentication of a hardware token is disclosed. In one embodiment, a host computer fingerprint is used to generate a partial seed for a challenge-response authentication which is performed on the hardware token. In another embodiment, the host computer fingerprint is used as a personal identification number for the hardware token.
    Type: Grant
    Filed: November 4, 2003
    Date of Patent: February 22, 2011
    Assignee: SafeNet, Inc.
    Inventors: Brian Grove, Reed H. Tibbetts, James Khalaf, Laszlo Elteto
  • Publication number: 20100250906
    Abstract: In an embodiment of a method of making a conditional jump in a computer running a program, an input is provided, conditional on which a substantive conditional branch is to be made. An obfuscatory unpredictable datum is provided. Code is executed that causes an obfuscatory branch conditional on the unpredictable datum. At a point in the computer program determined by the obfuscatory conditional branch, a substantive branch is made that is conditional on the input.
    Type: Application
    Filed: March 10, 2010
    Publication date: September 30, 2010
    Applicant: SafeNet, Inc.
    Inventors: Baibhav Singh, Nandita Saxena, Vanagala Sada Siva Ravinadh, Ravindra Singh Chauhan
  • Patent number: 7757278
    Abstract: A method and apparatus are provided for protecting sensitive information within server or other computing environments. Numerous electronic requests addressed to a server system are received over network couplings and evaluated. The evaluation scans for sensitive information including credit card information and private user information. Upon detecting sensitive data, cryptographic operations are applied to the sensitive data. When the sensitive data is being transferred to the server system, the cryptographic operations encrypt the sensitive data prior to transfer among components of the server system. When sensitive data is being transferred from the server system, the cryptographic operations decrypt the sensitive data prior to transfer among the network couplings. The cryptographic operations also include hash, and keyed hash operations.
    Type: Grant
    Filed: January 2, 2002
    Date of Patent: July 13, 2010
    Assignee: SafeNet, Inc.
    Inventors: Dan Boneh, Rajeev Chawla, Alan Frindell, Eu-Jin Goh, Nagendra Modadugu, Panagiotis Tsirigotis
  • Publication number: 20100171560
    Abstract: The detection of locking of a free running oscillator (FRO) is disclosed, including taking periodic samples of the FRO output, storing each new sample in a sample storage medium, each time a new sample is stored searching the stored samples for at least one repeating pattern, counting consecutive sampling instances in which a repeating pattern is found, and indicating when the count reaches a preselected threshold number.
    Type: Application
    Filed: January 6, 2009
    Publication date: July 8, 2010
    Applicant: SafeNet, Inc.
    Inventor: Ad Verschueren
  • Publication number: 20100131518
    Abstract: A system and method for obfuscating a database's schema while preserving its functionality by modifying the original table names, column names, table order, column order, and/or data character set such that the standard order of the original characters is maintained.
    Type: Application
    Filed: November 11, 2009
    Publication date: May 27, 2010
    Applicant: SafeNet, Inc.
    Inventors: Laszlo Elteto, Henry W. Snyder
  • Patent number: 7716348
    Abstract: A system for balancing a distribution of allocations for protected software over a communication network is disclosed. The system is comprised of at least one client computer and a pool of license servers coupled to the communication network. The client computers request authorizations to use the protected software, while a distribution of allocations is managed among the pool of servers for tracking and managing available allocations for using the protected software. One license server in the pool is designated as the current leader server. When a particular license server does not have a selectable minimum amount of available allocations, the current leader server re-assigns, where possible, the allocations within the pool by updating memory containing the distribution tables of license servers in the pool, to give at least one additional allocation to the particular license server.
    Type: Grant
    Filed: August 25, 2000
    Date of Patent: May 11, 2010
    Assignee: SafeNet, Inc.
    Inventors: Mark E. Redding, Logan A. Badia, Sandeep Handa, Hemant Sharma, Sanjay Chopra, Vikram Duvvoori, Shankar Ramamoorthy, Ajay Tripathy
  • Publication number: 20100095132
    Abstract: A technique for protecting secrets may involve enclosing master secret keys in an encapsulation module functioning like an envelope on a host that may run an untrusted operating system. The encapsulation module itself can be obfuscated and protected with various software security techniques, such as anti-debugging techniques, which make reverse-engineering more difficult. Session or file keys could then be derived from the master key stored in the encapsulation module on the host, wherein each of the keys protects a session or a file on the host. Additionally, a code can be provided to prevent the master secret and the keys from being swapped to a non-volatile storage device of the host.
    Type: Application
    Filed: January 28, 2008
    Publication date: April 15, 2010
    Applicant: SafeNet, Inc.
    Inventor: Eric Murray