Patents Examined by Bryan F Wright
  • Patent number: 12648451
    Abstract: A method includes generating pattern data including common chip design data and one or more bit spaces or place holders reserved for non-common chip design data or information related to the non-common chip design data. The method includes introducing the non-common chip design data or information related to the non-common chip design data into the one or more bit spaces or place holders of the pattern data before streaming the pattern data to the maskless pattern writer. The common chip design data defines a common design layout part of an electronic device to be created on a wafer using the maskless pattern writer. The non-common chip design data defines a non-common design layout part of the electronic device to be created on the wafer using the maskless pattern writer, the non-common design layout part being different from other electronic devices created on the wafer.
    Type: Grant
    Filed: May 16, 2023
    Date of Patent: June 2, 2026
    Assignee: ASML Netherlands B.V.
    Inventors: Johannes Cornelis Jacobus De Langen, Marcel Nicolaas Jacobus van Kervinck, Vincent Sylvester Kuiper
  • Patent number: 12640913
    Abstract: Systems and techniques are provided for establishing a connection. For instance, a first chiplet root of trust (C-RoT) of a first chiplet of a plurality of chiplets can receive a request for a cryptographic key. The first C-RoT can generate the cryptographic key and wrap the cryptographic key using a wrapping key to generate a wrapped cryptographic key. The first C-RoT can output the wrapped cryptographic key and a second C-RoT of a second chiplet of the plurality of chiplets can receive the wrapped cryptographic key. The second C-RoT can unwrap the wrapped cryptographic key using the wrapping key and can perform an operation based on the cryptographic key.
    Type: Grant
    Filed: September 15, 2023
    Date of Patent: May 26, 2026
    Assignee: QUALCOMM Incorporated
    Inventors: Rengarajan Ragavan, Arun Menon, Samar Asbe, Aseem Brahma, Shivaprasad Hongal, Changjian Gao, Denis Pochuev
  • Patent number: 12640932
    Abstract: An end-to-end mechanism is disclosed herein for transporting encrypted messages over hypertext transport protocol (HTTP) sent to a group of recipients. In particular, the disclosed mechanism receives a message (e.g., as an input from a user) and encrypts that message using an encryption mechanism with a key unique to a particular user and to the message (e.g., different messages are encrypted using different keys). The encrypted message is then stored in a generated object along with other metadata needed for message processing. Once the object is generated, it is signed and encoded into a binary representation that is then sent to a server. The server system receives the binary representation and decodes it back into the object. The metadata of the object is then used to route the message to the correct recipient applications for decryption.
    Type: Grant
    Filed: July 7, 2025
    Date of Patent: May 26, 2026
    Assignee: Sentriqs, Inc.
    Inventors: Paul Dillon, Kyle Bebee, Damien Fortune, Robert Wilson
  • Patent number: 12627509
    Abstract: In a general aspect, a cryptography system includes a multiple-key pair root certificate authority. In some aspects, a plurality of distinct cryptographic pairs of public keys and private keys of a root certificate authority are generated. A plurality of distinct self-signed root certificates of the root certificate authority are generated. The plurality of distinct self-signed root certificates are each based on and correspond to a respective one of the plurality of distinct cryptographic key pairs. A cryptographically authenticated database is generated that includes the plurality of distinct self-signed root certificates and represents the root certificate authority. The cryptographically authenticated database includes validity information of each of the plurality of self-signed root certificates. The cryptographically authenticated database is distributed to entities in a public key infrastructure.
    Type: Grant
    Filed: July 21, 2023
    Date of Patent: May 12, 2026
    Assignee: ISARA Corporation
    Inventor: Atsushi Yamada
  • Patent number: 12621268
    Abstract: Systems and methods include receiving a request from a user to access an application; determining if the user meets one or more requirements, wherein responsive to the user meeting the one or more requirements, presenting the user with a login page; validating credentials of the user with one or more additional sources; responsive to successful validation of the user's credentials, authenticating the user and evaluating one or more access policies for the user; and initiating a connection between the user and the application based on the one or more access policies.
    Type: Grant
    Filed: January 27, 2023
    Date of Patent: May 5, 2026
    Assignee: Zscaler, Inc.
    Inventors: John A. Chanak, William Fehring, Richard Miles, Shujaat Jaffrey, Jose Padin, Matthew Moulton
  • Patent number: 12608485
    Abstract: Systems and methods for enhancing container security are provided. In one example, exposure of a containerized application to potential security vulnerabilities is reduced by identifying dynamically loaded symbols by the application via performance of static and/or dynamic symbol analysis to identify dynamically loaded symbols that are potentially and/or actually used, respectively, and that correspond to functions contained within shared libraries. Based on a shared library's usage of functions within a standard library and a known mapping between functions of the standard library and system calls, those system calls potentially and actually accessed by the application may be identified and a security policy may be generated and configured for enforcement by a kernel security module to limit system call usage accordingly. Additionally, removal of files or functions of libraries that are deemed unnecessary for proper execution of the applications may be performed to reduce the footprint of the application.
    Type: Grant
    Filed: December 14, 2023
    Date of Patent: April 21, 2026
    Assignee: NetApp, Inc.
    Inventor: Azzedine Benameur
  • Patent number: 12598234
    Abstract: The arrangements disclosed herein relate to systems, apparatus, methods, and non-transitory computer readable media for a network of a plurality of roving cryptography devices. Each of the plurality of roving cryptography devices includes a locomotion system configured to move each of the plurality of roving cryptography devices to a respective one of a plurality of locations of the plurality of roving cryptography devices, a network interface circuit configured to provide wireless communication services to a user device of a plurality of user devices through a network of the plurality of roving cryptography devices, and a cryptography service system configured to provide cryptographic material to the user device. The plurality of roving cryptography devices at the plurality of locations form the network for providing the wireless communication services and the cryptographic materials to the plurality of user devices.
    Type: Grant
    Filed: December 1, 2023
    Date of Patent: April 7, 2026
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Jeffrey J. Stapleton, Peter Bordow
  • Patent number: 12591675
    Abstract: A computer-implemented method of automatically securing a computer system or network against a suspect binary file (SBF) by, in response to detection of the SBF, initiating an automatic defence strategy comprising an action known to mitigate a known threat posed by a closest known malicious binary file (KMBF). The method further includes identifying the closest KMBF by comparing an SBF application programming interface (API) profile generated in respect of the SBF with respective KMBF API profiles generated in respect of each of a plurality of KMBFs, the SBF and KMBF API profiles being generated by: identifying any API calls in the respective binary file; and assigning each of said identified API calls to one of a plurality of API call categories defined by one or more actions known to be effective in mitigating one or more possible threats posed by the respective API call category.
    Type: Grant
    Filed: June 10, 2021
    Date of Patent: March 31, 2026
    Assignee: British Telecommunications Public Limited Company
    Inventor: Fadi El-Moussa
  • Patent number: 12587506
    Abstract: Techniques for preserving privacy while still allowing secure access to private resources. Among other things, the techniques may include receiving a request to provide a remote device with access to a private resource. In some instances, the request may be redirected to an identity provider service to authenticate the user of the remote device to maintain anonymity of an identity of the user. The techniques may also include receiving an indication of an entitlement-set provided by the identity provider service, the indication of the entitlement-set indicative of whether the user is entitled to access the resource without revealing the identity of the user. The techniques may also include at least one of authorizing the remote device to access the resource or refraining from authorizing the remote device to access the resource based at least in part on the indication of the entitlement-set.
    Type: Grant
    Filed: December 29, 2022
    Date of Patent: March 24, 2026
    Assignee: Cisco Technology, Inc.
    Inventor: Vincent E. Parla
  • Patent number: 12580747
    Abstract: A communication system according to an embodiment includes an edge device generating edge data and a service device making use of the edge data. The edge device generates a message authentication code by using a shared key shared with the service device. The edge device transmits first communication data representing communication data in which the message authentication code is assigned to the edge data. The service device verifies source of generation of the edge data included in the first communication data. The verification is performed in accordance with verification result of verifying the message authentication code included in the first communication data by using a shared key shared with the edge device.
    Type: Grant
    Filed: February 27, 2023
    Date of Patent: March 17, 2026
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yasuyuki Tanaka, Mitsuru Kanda
  • Patent number: 12579271
    Abstract: The invention discloses a cross-architecture automated detection method and system for third-party components and security risks, comprising: identifying and reversing the firmware of the IoT device, and classifying the resulting reverse products into binary and non-binary files; disassembling binary files to mine the semantic information in them; converting non-binary files into string text files; building a database containing third-party components and their known CVEs; combining pattern matching to scan string text files automatically, collecting third-party components in the firmware of the IoT device, and collecting and retrieving vulnerabilities of corresponding third-party components. Through organically combining the semantic information of the vulnerability assembly code and the semantic information of the firmware assembly code of the IoT device, the similarity comparison across architectures and deep learning is realized, and the specific pattern vulnerability is mined and verified automatically.
    Type: Grant
    Filed: November 21, 2022
    Date of Patent: March 17, 2026
    Assignee: HANGZHOU EVERGREEN INFORMATION TECHNOLOGY CO., LTD.
    Inventors: Meng Han, Changting Lin, Peng Duan, Melody Xiaoyun Shan, Lei Zhang, Qiang Gong, Binbin Zhao, Haitao Xu, Jiacheng Xu, Bin Wang, Weiping Yu
  • Patent number: 12580775
    Abstract: Connection authorization from a communication device (CD) to an application server (AS) uses an electronic device (ED) to provide a first dataset to a security server (SS) in response to a first request, the first dataset related to a certificate of the ED. The ED retrieves an intermediary certificate generated by the SS based on the first dataset and signed by the SS. When the ED is connected to a CD intended to be introduced in a secured network, the ED receives a second request from the CD including a second dataset related to a certificate of the CD. The ED then generates a third dataset related to a signature of the certificate of the CD and to the intermediary certificate. The ED thereafter sends the third dataset to the CD to obtain authorization to access the secure network from the AS by using the third dataset.
    Type: Grant
    Filed: June 16, 2023
    Date of Patent: March 17, 2026
    Assignee: Schneider Electric Industries SAS
    Inventors: Ramses Alexander Escobar Ariza, Matthieu Adam
  • Patent number: 12574396
    Abstract: A method for transmitting a report to a vehicle (10) comprises the following steps: —detecting, by a station (22), an anomaly relating to the vehicle; —transmitting to the vehicle (10) a report relating to the detected anomaly.
    Type: Grant
    Filed: June 18, 2018
    Date of Patent: March 10, 2026
    Assignee: VALEO COMFORT AND DRIVING ASSISTANCE
    Inventor: Richard Denis
  • Patent number: 12568094
    Abstract: A method and a computing device for identifying, in a network infrastructure, network devices compromised by DNS tunneling are provided. The method comprises: receiving a portion of traffic of the network infrastructure; identifying, from the traffic, a plurality of DNS queries having been generated by network devices of the network infrastructure; generating, by the processor, for a given one of the plurality of DNS queries, a respective set of features; applying, by the processor, to the respective set of features, a pre-trained decision rule; in response to the pre-trained decision rule rendering a positive outcome, increasing a penalty score for a respective network device of the network infrastructure having transmitted the given one of the plurality of DNS queries; and in response to the penalty score associated with the respective network device exceeding a predetermined penalty score threshold, identifying the respective network device as being compromised.
    Type: Grant
    Filed: July 14, 2022
    Date of Patent: March 3, 2026
    Assignee: GROUP-IB GLOBAL PRIVATE LIMITED
    Inventor: Anton Victorovich Afonin
  • Patent number: 12542759
    Abstract: A method comprises: receiving original electronic information from a lesser trusted network in a first electrical zone; permitting electronic information to be transferred between the first electrical zone and the second electrical zone in one direction only; verifying the original electronic information for at least one predetermined characteristic within the second electrical zone so as to provide a verifier output status and verified electronic information; forwarding the verified electronic information to a third electrical zone. The original electronic information at the first electrical zone is received by the third electrical zone via the second electrical zone as verified electronic information in either a transformed state or an untransformed state. The transformed state or the untransformed state is selected dependent upon the verifier output status. The method further comprises creating an electronic key and providing the verified electronic information in dependence upon the electronic key.
    Type: Grant
    Filed: September 14, 2019
    Date of Patent: February 3, 2026
    Assignee: The Secretary of State for Foreign and Commonwealth Affairs
    Inventors: Robert John Dale, John Alan Thorp
  • Patent number: 12542763
    Abstract: Techniques are disclosed for establishing a distributed virtual private network within a virtual bootstrap environment. A distributed computing system can generate a virtual cloud network in a data center of a host region. The virtual cloud network can include a plurality of host instances, including an instance hosting a virtual private network router. A second instance can provide a secondary network address to the virtual private network router. A third instance can send a request addressed to the secondary network address. The virtual cloud network may route the request to the virtual private network router according to a default route of a routing table. The request may then be forwarded by the virtual private network router to the secondary address using a networking tunnel established between the first instance and the second instance.
    Type: Grant
    Filed: February 3, 2023
    Date of Patent: February 3, 2026
    Assignee: Oracle International Corporation
    Inventor: Michel Belleau
  • Patent number: 12542681
    Abstract: An end-to-end mechanism is disclosed herein for transporting encrypted messages over hypertext transport protocol (HTTP) sent to a group of recipients. In particular, the disclosed mechanism receives a message (e.g., as an input from a user) and encrypts that message using an encryption mechanism with a key unique to a particular user and to the message (e.g., different messages are encrypted using different keys). The encrypted message is then stored in a generated object along with other metadata needed for message processing. Once the object is generated, it is signed and encoded into a binary representation that is then sent to a server. The server system receives the binary representation and decodes it back into the object. The metadata of the object is then used to route the message to the correct recipient applications for decryption.
    Type: Grant
    Filed: July 7, 2025
    Date of Patent: February 3, 2026
    Assignee: Sentriqs, Inc.
    Inventors: Paul Dillon, Kyle Bebee, Damien Fortune, Robert Wilson
  • Patent number: 12542811
    Abstract: A system for continuous contextual policy-aware vulnerability mapping, security posture determination and attack planning and simulation, comprising an indexing service configured to create a dataset by processing and indexing source code of a project by a developer, perform a code audit on the indexed source code, store results from the code audit in the dataset, gather additional information relating to the provided project as intended and as operated, store the additional information in the dataset, and store the dataset into memory; and a monitoring service configured to continuously monitor the project for source code and operational changes and performance and make changes to the dataset as needed.
    Type: Grant
    Filed: December 20, 2022
    Date of Patent: February 3, 2026
    Assignee: QOMPLX LLC
    Inventors: Jason Crabtree, Richard Kelley
  • Patent number: 12542658
    Abstract: A computer-implemented method of generating shares of a shared secret, wherein each of a group of participants has a respective first secret share of the shared secret, wherein the method is performed by a first participant of the group and comprises: generating a respective blinding share of a shared blinding secret; obtaining at least a threshold number of respective intermediary shares from each of the first group of participants, wherein each respective intermediary share is generated based on a respective blinding share and a respective first secret share; generating an intermediary value based on each of the obtained intermediary shares; and generating a respective second secret share of the shared secret, wherein the respective second secret share is generated based on the intermediary value and the respective blinding share.
    Type: Grant
    Filed: May 17, 2021
    Date of Patent: February 3, 2026
    Assignee: nChain Licensing AG
    Inventor: Michaella Pettit
  • Patent number: 12537667
    Abstract: This disclosure is directed to methods and systems that establish a secure data channel between a host and a disaggregated hardware device (“DHD”) of a data center. The system comprises an initiator host that runs objects, such as virtual machines and containers. The host includes an initiator smart network interface card (“SNIC”). The initiator SNIC includes a virtual device, a trust platform module (“TPM”) and a security engine. The system also comprises a target host equipped with a DHD and a target SNIC. The target SNIC includes a TPM and a security engine. The TPM and the security engine of the initiator SNIC and the TPM and the security engine of the target SNIC establish a secure data channel between an object running on the host and the DHD.
    Type: Grant
    Filed: April 27, 2023
    Date of Patent: January 27, 2026
    Assignee: VMware LLC
    Inventors: Jin He, Bing Niu, Jinheng Xu, Juan Liu, Xiangjun Song