Abstract: Methods and apparatus for a tree-oriented configuration service are disclosed. A system includes computing devices that generate a tree-structured representation of a plurality of configuration elements of a distributed application. The devices implement a programmatic interface allowing a client to request an operation on a configuration element via a network request that indicates a path from a root node of the tree to one or more nodes corresponding to the configuration element. In response to (a) a network request received via the programmatic interface to perform a particular operation on a configuration element associated with a specified node and (b) a determination that authorization information associated with the specified node permits the requested operation, the operation is performed.

Abstract: A system and method for automatically analyzing virtual machine bytecode of a software application and adding additional bytecode operable to determine information regarding network communication performed by the software application are described. According to one embodiment of the method, program code of a software application may be received, wherein the program code includes bytecode for a virtual machine. The bytecode may be automatically analyzed to detect network communication functionality. The method may operate to automatically add additional bytecode to the bytecode of the software application, where the added bytecode is operable to determine information regarding the network communication.

Abstract: In an example, a method of managing access to resources managed by heterogeneous resource servers having different policy document formats in a cloud services environment includes obtaining, at an identity and access management (IAM) service, a policy document describing privileges of an end user with respect to accessing at least one resource of the resources managed by a resource server of the heterogeneous resource servers; sending the policy document from the IAM service to an resource server endpoint designated by the resource server for validation; storing, by the IAM service, the policy document in a datastore in response to a determination by the resource server endpoint that the policy document is valid; and generating, by the IAM service, an indication that the policy document is invalid in response to a determination by the resource server endpoint that the policy document is invalid.

Abstract: Techniques for signer-initiated electronic document signing via an electronic signature service using a mobile or other client device are described. Example embodiments provide an electronic signature service (“ESS”) configured to facilitate the creation, storage, and management of documents and corresponding electronic signatures. In some embodiments, when a signer user receives an electronic signature document on a mobile device, the signer may use a client module executing on the mobile device to import the document into the ESS. Once the document is imported into the ESS, the signer can access, review, and sign the document at the ESS via the mobile device. After signing the document, the signer can use the mobile device to cause the ESS to provide the signed document to one or more recipients.

Abstract: Scheduling techniques transform dataflow graphs (DFGs), for example, of digital signal processing (DSP) arrangements of filters, into efficient schedules for concurrent execution on processing resources coupled to a memory. A DSP arrangement may be represented by an executable model having interconnected filters represented by model elements. The techniques may apply scheduling transforms according to a classification of the model elements based on a lifetime of their internal states (e.g., finite or infinite). Exemplary scheduling transforms may include unfolding, coordinated loop scheduling and pipelining to parallelize a DFG and enhance overall performance, i.e., reduce average sample execution time of the DSP arrangement. Notably, the scheduling transforms may aggregate (i.e., merge) multiple finite state model elements for concurrent execution and repeat execution of infinite state model elements to achieve the overall improved performance.

Abstract: Cryptographic keys can include logging properties that enable those keys to be used only if the properties can be enforced by the cryptographic system requested to perform one or more actions using the keys. The logging property can specify how to log use of a respective key. A key can also include a mutability property for specifying whether the logging property can be changed, and if so under what circumstances or in which way(s). The ability to specify and automatically enforce logging can be important for environments where audit logs are essential. These can include, for example, public certificate authorities that must provide accurate and complete audit trails. In cases where the data is not to be provided outside a determined secure environment, the key can be generated with a property indicating not to log any of the usage.

Abstract: Improved techniques of performing authentication involve extracting metadata from posts made by legitimate users on a social networking website and generating authentication results based in part on the extracted metadata. For example, in response to an authentication request being made from a device of a legitimate user, an authentication server obtains metadata describing one or more posts made by the legitimate user on the social networking website. The authentication server may then input the metadata to a risk engine, along with information gathered from the user's device. The risk engine then generates a risk score that indicates a likelihood that the request is fraudulent, based at least in part of whether the metadata obtained from the social networking website is consistent with the information obtained from the user's device.

Abstract: Techniques for synchronizing a honey network configuration to reflect a target network environment are disclosed. In some embodiments, a system for synchronizing a honey network configuration to reflect a target network environment includes a device profile data store that includes a plurality of attributes of each of a plurality of devices in the target network environment; a virtual machine (VM) image library that includes one or more VM images; and a virtual clone manager executed on a processor that instantiates a virtual clone of one or more devices in the target enterprise network using a VM image selected from the VM image library that is customized based on one or more attributes for a target device in the device profile data store.

Abstract: This invention relates to a method and apparatus for updating software. In particular this invention relates to a method, system and computer program for updating an operating system in a hypervisor comprising: determining a new version of a component of the operating system; installing the new component version; measuring an identifying characteristic of the component and making it available to an attestation system; notifying the attestation system that a component has been updated to a new version whereby, when the attestation system finds that the identifying characteristic of the new component does not match a pre-stored attestation value it is aware that a legitimate mis-match could have occurred.

Abstract: Provided are a device and a method for generating an identification key by using a process variation in a semiconductor process. A semiconductor is manufactured by adjusting a gate side edge position of a contact such that a difference between a probability that a gate of a transistor is shorted from a drain or a source by the contact and a probability that the gate is not shorted is less than or equal to a predetermined threshold. When the manufactured semiconductor does not have a separate process, whether there is a short circuit between the gate and the drain or the source is stochastically generated by the process variation, whether there is a short circuit is detected through a reader, and an identification key is provided.

Abstract: Methods for controlling a medical device using a software application on a mobile device are provided. In one aspect, a method includes receiving a request from the software application on the mobile device to open a communications channel for at least one of audio communication or text-based communication, and sending from the server an instruction to the medical device based on the request. The method also includes providing to the software application on the mobile device for display a result of the instruction. Systems, graphical user interfaces, and machine-readable media are also provided.

Abstract: Cryptographic keys can include logging properties that enable those keys to be used only if the properties can be enforced by the cryptographic system requested to perform one or more actions using the keys. The logging property can specify how to log use of a respective key. A key can also include a mutability property for specifying whether the logging property can be changed, and if so under what circumstances or in which way(s). The ability to specify and automatically enforce logging can be important for environments where audit logs are essential. These can include, for example, public certificate authorities that must provide accurate and complete audit trails. In cases where the data is not to be provided outside a determined secure environment, the key can be generated with a property indicating not to log any of the usage.

Abstract: Methods, systems, and computer program products for selecting a virtual machine to perform a task corresponding to a client request and performing the task at the virtual machine. After performing the task at the virtual machine, an indicator corresponding to a shutdown of the virtual machine is detected. After detecting the indicator and prior to the shutdown of the virtual machine, a memory space is preserved corresponding to the virtual machine. The preserved memory space is then scanned for malware.

Abstract: Systems and methods are provided for specifying transformations of JSON objects using other JSON objects. A first object is received specified using JavaScript Object Notation. The first object includes a set of one or more attributes where each attribute is of a predetermined JSON data type and has at least one value. A second object is also received specified using JavaScript Object Notation. The second object includes a set of one or more attributes each corresponding to at least one attribute in the set of attributes of the first object and having at least one value defining one or more transformations. A third object specified using JavaScript Object Notation is generated based on transforming the first object using the second object.

Abstract: A system for secure data storage and transmission is provided. The system comprises a first security module for protecting data in a first data at rest system and a second security module for protecting data in a second data at rest system. At least one encryption parameter for the second data at rest system differs from at least one encryption parameter for the first data at rest system so that a datum is reencrypted when the datum is transferred from the first data at rest system to the second data at rest system.

Abstract: Computer programming is aided by way of automatic code generation, and more specifically generation of deployment code automatically. An application can be analyzed and deployment code, including installation, maintenance (e.g., update/upgrade), and removal (e.g., un-install) code, can be generated as a function of the analysis as well as a particular execution environment.

Abstract: A method for protecting application servers from network-based attacks and verifying the security posture of end client systems is disclosed. A trust broker system receives a request from a user agent associated with a client system remote from the trust broker to connect to applications and resources associated with the trust broker. The trust broker system verifies the integrity of the client system and verifies the identity of a user of the client system. The trust broker system then determines the access level permitted to the identified user and based on the access level. The trust broker system establishes a connection with the user agent and transmits session information to the server system. The trust broker system sends the user agent connection information, wherein the connection information enables the requesting user agent to connect to the requested server system.

Abstract: Generating a scalable code division and workflow chart. Based on definition-and-use cases of variables in a code snippet to be represented by a graph, crossing references to the variables in the code are determined, where a crossing reference associated with a statement involves a definition of the variable before the statement and a use of the variable at or after the statement. The code snippet is divided, based on the crossing references.

Abstract: Systems and methods for analysis of execution patterns for applications executing on remote devices. In some implementations of the system, a knowledge base stores successful traces from a plurality of instances of an application and one or more computing processors in the system receive, via a network interface, call-stack information from an instance of the application executing on a remote device, call-stack information including periodic captures of an execution status for the instance of the application, and determine whether there is a similarity between the call-stack information received from the instance of the application and the stored plurality of successful traces. Responsive to determining a similarity, the computing processors add the remote device to a population of devices likely to execute the object and facilitate further actions specific to the device population.

Abstract: A federated realm discovery system within a federation determines a “home” realm associated with a portion of the user's credentials before the user's secret information (such as a password) is passed to a non-home realm. A login user interface accepts a user identifier and, based on the user identifier, can use various methods to identify an account authority service within the federation that can authenticate the user. In one method, a realm list of the user device can be used to direct the login to the appropriate home realm of the user. In another method, an account authority service in a non-home realm can look up the user's home realm and provide realm information directing the user device to login at the home realm.