Patents Examined by Aubrey Wyszynski
  • Patent number: 9715601
    Abstract: Systems, methods and computer-readable mediums are disclosed for providing secure access in a microcontroller system. In some implementations, a microcontroller system comprises a system bus and a secure central processing unit (CPU) coupled to the system bus. The secure CPU is configured to provide secure access to the system bus. A non-secure CPU is also coupled to the system bus and is configured to provide non-secure access to the system bus. A non-secure memory is coupled to the system bus and is configured to allow the secure CPU and the non-secure CPU to exchange data and communicate with each other. A peripheral access controller (PAC) is coupled to the system bus and configured to enable secure access to a peripheral by the secure CPU while disabling non-secure access to the peripheral based upon a non-secure state of the non-secure CPU.
    Type: Grant
    Filed: April 28, 2015
    Date of Patent: July 25, 2017
    Assignee: Atmel Corporation
    Inventor: Frode Milch Pedersen
  • Patent number: 9705900
    Abstract: The present disclosure relates to methods and devices for mitigating the impact from Internet attacks in a Radio Access Network, RAN, using Internet transport. This object is obtained by a method performed in a network node in a RAN using Internet transport. The method comprises obtaining intrusion detection information informing the network node that the RAN is under attack. The method further comprises selecting, based on the intrusion detection information, a mitigation action, the mitigation action mitigating the impact of the attack on the RAN service. Further, the method comprises performing the selected mitigation action to mitigate the impact on the RAN service level.
    Type: Grant
    Filed: February 9, 2015
    Date of Patent: July 11, 2017
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Tomas Thyni, Mats Forsman, Mats Ullerstig
  • Patent number: 9705930
    Abstract: A method and system for securing a VXLAN environment, including configuring a default network policy, associated with interfaces of the network device, for dropping all VXLAN frames including a VXLAN attribute; obtaining, by the network device, registered VTEP identifiers; determining, using the registered VTEP identifiers, that an interface of the network device is operatively connected to a registered VTEP associated with a registered VTEP identifier; disassociating the default network policy from the interface based on the determination; receiving, at the interface, a frame; performing a first verification that the frame is a VXLAN frame by examining the frame to determine that the frame includes the VXLAN attribute; performing a second verification to determine that the VXLAN frame includes a registered VTEP identifier; allowing, based on the first verification and the second verification, the network device to process the VXLAN frame; and processing the VXLAN frame.
    Type: Grant
    Filed: May 16, 2016
    Date of Patent: July 11, 2017
    Assignee: Arista Networks, Inc.
    Inventors: Douglas Alan Gourlay, Kenneth James Duda
  • Patent number: 9686249
    Abstract: For multi-node encryption, a method communicates communication data from a first upstream node to a first downstream node in response to the first upstream node initiating secure communication with the first downstream node. The method further generates a downstream node nonce from communication data exchanged with the first downstream node. The method generates a first downstream message transformation as a function of the downstream node nonce. The method receives a request encrypted with the first downstream message transformation through the first downstream node. The method communicates the upstream message transformation encrypted with the first downstream message transformation through the first downstream node to the destination node in response to the request. In addition, the method generates a tunnel transformation at the destination node as a function of one or more upstream message transformations and the first downstream message transformation.
    Type: Grant
    Filed: June 15, 2016
    Date of Patent: June 20, 2017
    Assignee: Utah State University
    Inventors: Robert F. Houghton, Jeffrey J. Johnson
  • Patent number: 9667655
    Abstract: A method includes performing operations as follows on a processor: receiving a request for a content item from a mobile device, determining that the content item is protected by a security policy, the security policy comprising an environmental factor associated with the use of the mobile device, ghosting a portion of the content item based on the security policy, and sending the content item and the security policy to the mobile device.
    Type: Grant
    Filed: February 12, 2015
    Date of Patent: May 30, 2017
    Assignee: CA, INC.
    Inventors: Neil Boyette, Jameel Ahmed Kaladgi, Vikas Krishna
  • Patent number: 9667419
    Abstract: A method for determining a cryptographic key for a MEMS device includes identifying physical properties for the device. A feature vector having a plurality of values is determined. Each of the values corresponds to a different physical property. The cryptographic key is determined from the feature vector. The cryptographic key can be determined using a fuzzy extractor. The cryptographic key can be determined using different feature vectors corresponding to different channels in a device or different MEMS structures in the device.
    Type: Grant
    Filed: January 9, 2015
    Date of Patent: May 30, 2017
    Assignee: Robert Bosch GmbH
    Inventors: Jorge Guajardo Merchan, Heiko Stahl, Matthew Lewis, Andreas Mueller, Ralf Schellin
  • Patent number: 9667608
    Abstract: A novel method for out-of-band key verification that improves on both the usability and the security of the numeric-code method is provided. The method uses portions of the generated keys as inputs to perform procedural image generation to produce a visualization at each of the two devices that the user can visually compare and confirm. This visualization can be a static image or a motion animation. The method can use more of the key data to generate visualizations with more features to reduce the likelihood of false matches. The method can also use less key data to allow for quicker comparison and confirmation.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: May 30, 2017
    Assignee: APPLE INC.
    Inventor: Noah A. Witherspoon
  • Patent number: 9658854
    Abstract: Instructions and logic provide SIMD SM3 cryptographic hashing functionality. Some embodiments include a processor comprising: a decoder to decode instructions for a SIMD SM3 message expansion, specifying first and second source data operand sets, and an expansion extent. Processor execution units, responsive to the instruction, perform a number of SM3 message expansions, from the first and second source data operand sets, determined by the specified expansion extent and store the result into a SIMD destination register. Some embodiments also execute instructions for a SIMD SM3 hash round-slice portion of the hashing algorithm, from an intermediate hash value input, a source data set, and a round constant set. Processor execution units perform a set of SM3 hashing round iterations upon the source data set, applying the intermediate hash value input and the round constant set, and store a new hash value result in a SIMD destination register.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: May 23, 2017
    Assignee: Intel Corporation
    Inventors: Gilbert M. Wolrich, Vinodh Gopal, Sean M. Gulley, Kirk S. Yap, Wajdi K. Feghali
  • Patent number: 9661015
    Abstract: A device may include countermeasure circuitry that provides a countermeasure check that protects device logic. The device may also include enforcement circuitry that non-deterministically enforces the countermeasure check on the device logic so that the device logic is not always protected by a countermeasure action within the countermeasure check. The device may non-deterministically enforce the countermeasure check according to an enforcement rate, and the device may adjust the enforcement rate depending on a priority of the device logic or device logic portion protected by a particular countermeasure check.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: May 23, 2017
    Assignee: NXP B.V.
    Inventors: Jayanth Anandampillai Mandayam, Mark Buer
  • Patent number: 9661005
    Abstract: According to one embodiment, a system includes a processor and logic integrated with and/or executable by the processor, the logic being configured to identify a security issue affecting a first peer in one or more secure transmission control protocol/user datagram protocol (TCP/UDP) sessions, inform a second peer about the security issue using the first peer of the one or more TCP/UDP sessions, and perform at least one action in response to identifying and/or being informed about the security issue. In another embodiment, a method for providing a secure TCP/UDP session includes identifying a security issue affecting a first peer in one or more TCP/UDP sessions, informing a second peer about the security issue using the first peer of the one or more TCP/UDP sessions, and performing at least one action in response to identifying and/or being informed about the security issue.
    Type: Grant
    Filed: January 9, 2014
    Date of Patent: May 23, 2017
    Assignee: International Business Machines Corporation
    Inventors: Keshav G. Kamble, Vijoy A. Pandey, Vaishali V. Pandya
  • Patent number: 9660997
    Abstract: A system for operating an enterprise computer network including multiple network objects, said system comprising monitoring and collection functionality for obtaining continuously updated information regarding at least one of access permissions and actual usage of said network objects, and entitlement review by owner functionality operative to present to at least one owner of at least one network object a visually sensible indication of authorization status including a specific indication of users which were not yet authorized by said at least one owner of said at least one network object.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: May 23, 2017
    Assignee: VARONIS SYSTEMS, INC.
    Inventors: Yakov Faitelson, Ohad Korkus, Ophir Kretzer-Katzir, David Bass
  • Patent number: 9654480
    Abstract: Systems and methods are provided for generating and managing profiles. Such systems and methods may be implemented to control access to a function of a web server or site based on a level of trust associated with a user or device profile. According to one exemplary method, session information associated with a request to access a function of a web server is identified. At least one processor determines whether the request is associated with a trusted device profile based on at least the session information. Access to the requested function is provided when the request is associated with a trusted device profile.
    Type: Grant
    Filed: June 20, 2016
    Date of Patent: May 16, 2017
    Assignee: AOL Inc.
    Inventors: Scott Dorfman, Richard Rodriguez-Val
  • Patent number: 9641330
    Abstract: A cryptographic system includes a memory device and a processor. The memory device has at least two sections, including a first section and a second section. The processor is configured to determine a mode of operation, receive a signal, and selectively zeroize at least one section of the memory device based at least in part on the received signal and the determined mode of operation.
    Type: Grant
    Filed: February 8, 2016
    Date of Patent: May 2, 2017
    Assignee: Cyber Solutions International, LLC
    Inventor: Richard J. Takahashi
  • Patent number: 9635317
    Abstract: A camera includes logic to capture images and video (collectively, ‘media’) and to store the captured media internally to the camera in an encrypted format; the encrypted format including multiple regions encrypted with different keys, each key corresponding to a human subject or object identified in the media.
    Type: Grant
    Filed: May 8, 2014
    Date of Patent: April 25, 2017
    Assignee: Surround.IO
    Inventors: John Ludwig, Richard Tong
  • Patent number: 9621592
    Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for a purpose other than data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policies to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.
    Type: Grant
    Filed: June 25, 2015
    Date of Patent: April 11, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Paul Anthony Ashley, Stefan Berger, Tian Cheng Liu, He Yuan Huang, Sreekanth Ramakrishna Iyer, Ashish Kundu, Nataraj Nagaratnam, Dimitrios Pendarakis, Ronald Becker Williams
  • Patent number: 9609023
    Abstract: A method includes retrieving, from a memory accessible by a computer, a document comprising a workload definition document that defines an intended virtual configuration to include at least one virtual machine and at least one network appliance to be associated with at least one of the virtual machines in the intended virtual configuration, each network appliance respectively serving a role in the intended virtual configuration of transforming, inspecting, filtering, or otherwise manipulating all the network traffic, before it reaches an intended virtual machine, for a purpose other than data packet forwarding in a virtual configuration. The workload definition document is parsed to extract attributes of each of the network appliances, including one or more security policies to be applied to each network appliance. Configuration data is extracted from the parsed workload definition document that is related to any security policy of any of the network appliances to be deployed.
    Type: Grant
    Filed: February 10, 2015
    Date of Patent: March 28, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Paul Anthony Ashley, Stefan Berger, Tian Cheng Liu, He Yuan Huang, Sreekanth Ramakrishna Iyer, Ashish Kundu, Nataraj Nagaratnam, Dimitrios Pendarakis, Ronald Becker Williams
  • Patent number: 9588664
    Abstract: An approach is provided for displaying moving graphic objects on the display screen of the information handling system that are selected by a user while the objects are moving. The system is unlocked in response to the set of graphic objects selected by the user and the selection order matching an expected set of graphic objects and an expected selection order. Unlocking of the system allows the user to interact with one or more applications of the information handling system and to access data stored on the information handling system.
    Type: Grant
    Filed: August 12, 2015
    Date of Patent: March 7, 2017
    Assignee: International Business Machines Corporation
    Inventors: Faraz Ahmad, Adekunle Bello, Gregory J. Boss, Anto A. John
  • Patent number: 9582380
    Abstract: A network device and method may provide secure fallback operations. The device includes a port allowing the device to communicate with a network and a processor to generate a security credential, provide the security credential to a call manager during initialization, and provide the security credential to a secondary device during fallback operations. The network device may include a memory to store the security credential and routing information for fallback operations.
    Type: Grant
    Filed: May 4, 2015
    Date of Patent: February 28, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: James Wei, Yosef Rizal Tamsil, Suresh Ganjigunta Padmanabhan, Subbiah Kandasamy
  • Patent number: 9584487
    Abstract: Associating a network packet with biometric information for a user includes identifying biometric identification information for a user of a network device, including an identifier of the biometric identification information in at least one of a header and a trailer of a network packet without including biometric identification information in a payload of the network packet, and sending the packet via a network, wherein the identifier identifies the network packet as having originated from the user.
    Type: Grant
    Filed: April 25, 2016
    Date of Patent: February 28, 2017
    Assignee: Scenera Mobile Technologies, LLC
    Inventors: Jeffrey Scott Bardsley, Richard M. Horner
  • Patent number: 9578052
    Abstract: Embodiments are configured to receive metadata of a process intercepted on an end host when attempting to access a network. The metadata includes a hash of an application associated with the process and an endpoint reputation score of the application. Embodiments are configured to request a threat intelligence reputation score based on the hash of the application, to determine an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score, and to send a response indicating the action to be taken by the end host. Further embodiments request another threat intelligence reputation score based on another hash of a dynamic link library module loaded by the process on the end host, and the action is determined based, at least in part, on the other threat intelligence reputation score.
    Type: Grant
    Filed: October 24, 2013
    Date of Patent: February 21, 2017
    Assignee: McAfee, Inc.
    Inventors: Chandan CP, Srinivasan Narasimhan