Patents Examined by Dereena Cattungal
  • Patent number: 9998284
    Abstract: Methods and apparatus to provide isolated execution environments are disclosed. In some examples, the methods and apparatus identify a request from a host application. In some examples, the methods and apparatus, in response to identifying the request from the host application, load a microcode application into memory when excess micro operations exist in a host instruction set architecture, the microcode application being a fragment of code. In some examples, the methods and apparatus execute the microcode application. In some examples, the methods and apparatus, in response to completed execution of the microcode application, unload the microcode application from memory.
    Type: Grant
    Filed: September 24, 2015
    Date of Patent: June 12, 2018
    Assignee: Intel Corporation
    Inventors: Vincent J. Zimmer, Rajesh Poornachandran, Mingqiu Sun, Gopinatth Selvaraje
  • Patent number: 9965653
    Abstract: A trusted computing device (TCD) includes an isolated environment, host interface, secure interface, and program instructions. The environment includes an isolated environment processor (IEP), memory (secure and non-secure partition), and an auxiliary processor (AP). Memory and AP are connected for data communication with the IEP, and communicate with a host only through the IEP. The host interface and each secure interface are connected for data communication with the IEP.
    Type: Grant
    Filed: December 22, 2016
    Date of Patent: May 8, 2018
    Assignee: GOOGLE LLC
    Inventors: Dominic Rizzo, Peiter Zatko
  • Patent number: 9959394
    Abstract: The invention relates to a device for decrypting protected content and for providing the decrypted content for playback. The device comprises one or more system software modules providing functions for facilitating the decryption of the protected content and at least one client software module assigned to a provider of protected content. The client software module is adapted to access functions of the system software modules in order to control the system software to decrypt the protected content of the provider. Moreover, the device is adapted to validate the system software and/or a further client software module and to prevent the decryption and/or provision of the protected content of the provider, if the system software and/or the further client software module are not validated successfully.
    Type: Grant
    Filed: June 10, 2015
    Date of Patent: May 1, 2018
    Assignee: VODAFONE GMBH
    Inventors: Marnix Vlot, Christoph Schaaf
  • Patent number: 9924360
    Abstract: Systems and methods for transmitting AT commands indicating whether Evolved Packet System (EPS) Session Management (ESM) information should be transmitted securely are disclosed herein. A Terminal Equipment (TE) may transmit an AT command to a Mobile Termination (MT). The AT command may indicate whether protocol configuration options (PCO) should be ciphered and/or whether an access point name (APN) is provided. In some embodiments, the AT command may be a dedicated command and may only include a <securePCO> parameter and an <APNprovided> parameter. Alternatively, or in addition, the AT command may include a <securePCO> parameter, an <APN> parameter, and/or additional parameters serving additional functions. Whether the APN is provided may be determined based on whether the <APN> parameter is present and includes a non-null value. The AT command may be related to a single packet data network (PDN) connection or may relate to a plurality of PDN connections.
    Type: Grant
    Filed: June 20, 2017
    Date of Patent: March 20, 2018
    Assignee: INTEL IP CORPORATION
    Inventors: Kiran Kumar Addepalli, Robert Zaus, Vivek Gupta
  • Patent number: 9875005
    Abstract: A method of unlocking an electronic device having a touch-sensitive display includes at least the following steps: controlling the touch-sensitive display to have unlocking objects displayed at different locations for different time points; and when at least one contact is detected on the touch-sensitive display, determining whether to unlock the electronic device by referring to a contact status on the touch-sensitive display. Besides, a computer readable medium storing a program code is also provided, where the program code causes a processor to perform following steps when executed by the processor: controlling the touch-sensitive display to have unlocking objects displayed at different locations for different time points; and when at least one contact is detected on the touch-sensitive display, determining whether to unlock an electronic device by referring to a contact status on the touch-sensitive display.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: January 23, 2018
    Assignee: MEDIATEK INC.
    Inventor: Chih-Wei Chiang
  • Patent number: 9813381
    Abstract: Responsive to a request to retrieve or store a file, a transformation pipeline may be created to efficiently transform file data one unit at a time in memory. The transformation pipeline includes a sequence of transformation streams, each containing a write method, a read method, and a transformation to be applied. The write method moves a unit of data, for instance, from a memory buffer into an associated stream. The read method reads the unit of data from the stream, calls an associated transformation, and passes the unit of data thus transformed to the next stream or a destination. This process is repeated until all desired and/or required transformations such as compression, encryption, tamper protection, conversion, etc. are applied to the unit of data.
    Type: Grant
    Filed: May 1, 2015
    Date of Patent: November 7, 2017
    Assignee: Open Text SA ULC
    Inventors: Dana Lawrence Khoyi, John Martin Pratt, John Patino-Bueno
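The stream chain described in the abstract above, written out as an added example in Go (this is not Open Text's code and makes no claim about their implementation). Two of the transformations named in the abstract, compression and tamper protection, are chained so that each unit is written into one stage, transformed, and passed to the next; the retrieval path runs them in reverse. Stage names, the unit size and the HMAC-SHA256 choice for tamper protection are this example's assumptions.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"hash"
	"io"
)

// macStage is one transformation stream: Write moves a unit in, the
// transformation (feeding the MAC) runs, and the unit is handed to the
// next stream. Close emits the tag, i.e. the tamper protection.
type macStage struct {
	next io.Writer
	mac  hash.Hash
}

func (s *macStage) Write(p []byte) (int, error) {
	s.mac.Write(p) // hash.Hash.Write never returns an error
	return s.next.Write(p)
}

func (s *macStage) Close() error {
	_, err := s.next.Write(s.mac.Sum(nil))
	return err
}

// Store builds the pipeline src -> gzip -> HMAC -> dst and pushes the file
// through it one unit at a time, so memory is bounded by unit, not by the
// file size. Compression runs before the MAC so the tag covers exactly the
// bytes that land in storage.
func Store(dst io.Writer, key []byte, src io.Reader, unit int) error {
	mac := &macStage{next: dst, mac: hmac.New(sha256.New, key)}
	gz := gzip.NewWriter(mac)
	buf := make([]byte, unit)
	for {
		n, err := src.Read(buf)
		if n > 0 {
			if _, werr := gz.Write(buf[:n]); werr != nil {
				return werr
			}
		}
		if err == io.EOF {
			break
		}
		if err != nil {
			return err
		}
	}
	if err := gz.Close(); err != nil { // flushes the final deflate block
		return err
	}
	return mac.Close()
}

// Retrieve runs the reverse pipeline. The tag is checked before any
// decompression happens: a tampered blob must never reach the decompressor.
func Retrieve(key, blob []byte) ([]byte, error) {
	if len(blob) < sha256.Size {
		return nil, errors.New("blob shorter than its tag")
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("tamper check failed")
	}
	zr, err := gzip.NewReader(bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

func main() {
	key := []byte("example-key-not-for-production")
	file := bytes.Repeat([]byte("log line with repeated text\n"), 200) // constructed sample
	var stored bytes.Buffer
	if err := Store(&stored, key, bytes.NewReader(file), 4096); err != nil {
		panic(err)
	}
	back, err := Retrieve(key, stored.Bytes())
	fmt.Printf("in=%d bytes, stored=%d bytes, round-trip ok=%v err=%v\n",
		len(file), stored.Len(), bytes.Equal(file, back), err)
	flipped := append([]byte(nil), stored.Bytes()...)
	flipped[10] ^= 0x01
	_, err = Retrieve(key, flipped)
	fmt.Println("tampered:", err)
}
```

Ordering is the security-relevant point: verify first, then decompress, so that a forged blob can neither reach the decompressor nor act as a decompression bomb.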
  • Patent number: 9798878
    Abstract: The disclosed computer-implemented method for detecting text display manipulation attacks may include (1) extracting a file name from a file that is under evaluation for malicious content, (2) inspecting, by a software security system, the file name for at least one control character that manipulates how the file name is displayed, (3) determining, based on inspecting the file name, that the file name includes the control character that manipulates how the file name is displayed, and (4) performing, by the software security system, a security action based at least in part on the determination that the file name includes the control character. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: October 24, 2017
    Assignee: Symantec Corporation
    Inventors: Sean M. Hittel, Torrey Umland
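An added example of the four claimed steps above, in Go; it is not Symantec's code. The patent text only says "control character that manipulates how the file name is displayed"; the set of Unicode directional formatting characters scanned for, the simulation of the RIGHT-TO-LEFT OVERRIDE trick (bytes say ".exe", screen says ".pdf"), and the allow/flag/quarantine actions are this example's choices.

```go
package main

import (
	"fmt"
	"strings"
)

// Directional formatting characters that change how a name is rendered
// without changing the bytes the OS resolves (example's own table).
var displayControls = map[rune]string{
	0x200E: "LEFT-TO-RIGHT MARK",
	0x200F: "RIGHT-TO-LEFT MARK",
	0x202A: "LEFT-TO-RIGHT EMBEDDING",
	0x202B: "RIGHT-TO-LEFT EMBEDDING",
	0x202C: "POP DIRECTIONAL FORMATTING",
	0x202D: "LEFT-TO-RIGHT OVERRIDE",
	0x202E: "RIGHT-TO-LEFT OVERRIDE",
	0x2066: "LEFT-TO-RIGHT ISOLATE",
	0x2067: "RIGHT-TO-LEFT ISOLATE",
	0x2068: "FIRST STRONG ISOLATE",
	0x2069: "POP DIRECTIONAL ISOLATE",
}

// Finding records one display-manipulating control character.
type Finding struct {
	Offset int // rune index within the file name
	Rune   rune
	Name   string
}

// InspectFileName is step (2): scan the name for control characters.
// An empty result means the name renders as written.
func InspectFileName(name string) []Finding {
	var found []Finding
	for i, r := range []rune(name) {
		if n, ok := displayControls[r]; ok {
			found = append(found, Finding{Offset: i, Rune: r, Name: n})
		}
	}
	return found
}

// RealExtension is the extension the OS actually uses: controls are
// stripped (they are not part of the extension) and the last dot wins.
func RealExtension(name string) string {
	clean := strings.Map(func(r rune) rune {
		if _, ok := displayControls[r]; ok {
			return -1
		}
		return r
	}, name)
	if i := strings.LastIndex(clean, "."); i >= 0 {
		return strings.ToLower(clean[i+1:])
	}
	return ""
}

// DisplayedExtension approximates what the user sees. Only U+202E is
// simulated: everything after it is drawn reversed. Other controls are
// reported by InspectFileName but not drawn.
func DisplayedExtension(name string) string {
	runes := []rune(name)
	for i, r := range runes {
		if r == 0x202E {
			tail := append([]rune(nil), runes[i+1:]...)
			for a, b := 0, len(tail)-1; a < b; a, b = a+1, b-1 {
				tail[a], tail[b] = tail[b], tail[a]
			}
			name = string(runes[:i]) + string(tail)
			break
		}
	}
	if i := strings.LastIndex(name, "."); i >= 0 {
		return strings.ToLower(name[i+1:])
	}
	return ""
}

// Action is step (4): a name whose visible extension disagrees with its
// real one is quarantined; any other control character is flagged for
// review; clean names pass.
func Action(name string) string {
	if len(InspectFileName(name)) == 0 {
		return "allow"
	}
	if DisplayedExtension(name) != RealExtension(name) {
		return "quarantine"
	}
	return "flag"
}

func main() {
	// Constructed samples; the second one is the classic RLO disguise.
	for _, n := range []string{"report.pdf", "invoice\u202Efdp.exe", "notes\u200E.txt"} {
		fmt.Printf("%q -> real=%q displayed=%q action=%s\n",
			n, RealExtension(n), DisplayedExtension(n), Action(n))
	}
}
```

Compare the real and the displayed extension rather than merely flagging the presence of a control character: the mismatch is what turns a cosmetic oddity into a disguised executable, and it is the fact worth surfacing in the alert.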
  • Patent number: 9781085
    Abstract: A method, apparatus and computer program product are disclosed for establishing secure off-network communications between first and second Secure Cellular Devices that each have a cellular identity. The second Secure Cellular Device may assume the role of Remote Device for interaction with the NAF keyserver and may obtain a local key. The first Secure Cellular Device may derive the local key and the two devices may conduct secure communications using the shared local key. The two Secure Cellular Devices may alternate the roles of Secure Host and Remote Device, each twice obtaining or deriving a shared local key such that there are two such keys. The devices may employ one key for secure communication in one direction and the other for communication in the other direction. Alternatively, the devices may derive a unique shared key as a function of the two shared keys.
    Type: Grant
    Filed: February 14, 2012
    Date of Patent: October 3, 2017
    Assignee: Nokia Technologies Oy
    Inventors: Silke Holtmanns, Nadarajah Asokan
  • Patent number: 9727742
    Abstract: An online computer system including a database uses an encrypted table that allows for write protection of its contents. Middleware logic operating on the system acts as an interface for access to the database, so that any business logic on the system accesses the database through simple procedural calls to the middleware rather than directly to the database itself. The middleware logic abstracts the logic that helps implement write protection with the encrypted table. Data to be encrypted that has traditionally been written to other tables is migrated to the encrypted table, where the data is encrypted using an authenticated encryption with additional data (AEAD) algorithm. To implement AEAD, the original table, column, and primary key indicating where the data would otherwise have been stored are together used as additional authenticated data (AAD). This tuple of information is also stored in the encrypted table.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: August 8, 2017
    Assignee: Airbnb, Inc.
    Inventors: Ismail Cem Paya, Nelson Aurel Gauthier, Kevin Nguyen
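The AAD construction described above, as an added example in Go (not Airbnb's code, and no claim about their schema). AES-256-GCM from the standard library plays the AEAD; the Location type, the length-prefixed AAD encoding, and the Middleware/Store/Load names are this example's assumptions. The point it shows is what the AAD buys: a ciphertext copied to another primary key, column or table still looks well-formed but fails to authenticate, because the tag was computed over the original tuple.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Location is the (table, column, primary key) tuple that says where the
// value would otherwise have been stored. It is the AAD and it is stored
// next to the ciphertext, as the abstract describes.
type Location struct {
	Table, Column, PK string
}

// aad encodes the tuple with length prefixes so that no two locations
// serialise to the same bytes (without them "users","name" and
// "user","sname" would collide). Fields are assumed shorter than 64 KiB.
func (l Location) aad() []byte {
	var b []byte
	for _, s := range []string{l.Table, l.Column, l.PK} {
		b = append(b, byte(len(s)>>8), byte(len(s)))
		b = append(b, s...)
	}
	return b
}

// EncryptedRow is one row of the encrypted table.
type EncryptedRow struct {
	Loc        Location
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, tag included
}

// Middleware is the only code path business logic may use to touch the
// encrypted table; the key never reaches the callers.
type Middleware struct {
	aead cipher.AEAD
}

func NewMiddleware(key []byte) (*Middleware, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Middleware{aead: g}, nil
}

// Store seals plaintext bound to loc. A fresh random nonce per row keeps
// AES-GCM safe to use with one key across many rows.
func (m *Middleware) Store(loc Location, plaintext []byte) (EncryptedRow, error) {
	nonce := make([]byte, m.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return EncryptedRow{}, err
	}
	ct := m.aead.Seal(nil, nonce, plaintext, loc.aad())
	return EncryptedRow{Loc: loc, Nonce: nonce, Ciphertext: ct}, nil
}

// Load opens row for the location the caller expects. Using the caller's
// expectation rather than row.Loc is deliberate: a row copied under another
// key carries a plausible Loc, but the tag was computed over the original
// one, so Open fails.
func (m *Middleware) Load(expected Location, row EncryptedRow) ([]byte, error) {
	pt, err := m.aead.Open(nil, row.Nonce, row.Ciphertext, expected.aad())
	if err != nil {
		return nil, fmt.Errorf("row does not authenticate as %+v: %w", expected, err)
	}
	return pt, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	mw, err := NewMiddleware(key)
	if err != nil {
		panic(err)
	}
	loc := Location{Table: "users", Column: "tax_id", PK: "42"} // constructed sample
	row, _ := mw.Store(loc, []byte("123-45-6789"))

	pt, err := mw.Load(loc, row)
	fmt.Printf("same location: %q err=%v\n", pt, err)

	moved := row
	moved.Loc.PK = "7" // someone copies user 42's row onto user 7
	_, err = mw.Load(moved.Loc, moved)
	fmt.Println("moved row:", err)
}
```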
  • Patent number: 9729333
    Abstract: The invention relates to a device for validating data using a root certificate, wherein a plurality of root certificates is stored in the device, each root certificate having a rank. The device is configured to receive revocation information indicating at least one revoked root certificate, to validate the revocation information using one of the root certificates stored in the device and to block the use of the revoked root certificate if the revocation information is successfully validated using a root certificate having a higher rank than the revoked root certificate. Moreover, the invention relates to a method for revoking a root certificate stored in a device.
    Type: Grant
    Filed: June 10, 2015
    Date of Patent: August 8, 2017
    Assignee: Vodafone GmbH
    Inventors: Marnix Vlot, Christoph Schaaf
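The ranked-revocation rule from the abstract above, as an added example in Go; this is not Vodafone's code. Ed25519 key pairs stand in for root certificates, a signed "revoke" message stands in for the revocation information, and the ID/rank fields, message format and function names are this example's assumptions. The rule it enforces is the one the abstract states: the revocation is honoured only when it validates under a stored, unrevoked root whose rank is strictly higher than the target's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Root stands in for a stored root certificate: an identifier, a public
// key and the rank the abstract refers to (higher rank = more authority).
type Root struct {
	ID      string
	Rank    int
	Pub     ed25519.PublicKey
	Revoked bool
}

// RevocationInfo is what the device receives: which root to block and
// which stored root signed the instruction.
type RevocationInfo struct {
	TargetID string
	SignerID string
	Sig      []byte
}

// revocationMessage binds the signer ID into the signed bytes so a
// signature by one root cannot be replayed under another root's name.
func revocationMessage(signerID, targetID string) []byte {
	return []byte("revoke-root|signer=" + signerID + "|target=" + targetID)
}

// SignRevocation is what the operator of a high-ranked root does off-device.
func SignRevocation(signerID string, priv ed25519.PrivateKey, targetID string) RevocationInfo {
	return RevocationInfo{TargetID: targetID, SignerID: signerID,
		Sig: ed25519.Sign(priv, revocationMessage(signerID, targetID))}
}

// Device holds the plurality of ranked roots.
type Device struct{ roots map[string]*Root }

func NewDevice(roots ...*Root) *Device {
	d := &Device{roots: map[string]*Root{}}
	for _, r := range roots {
		d.roots[r.ID] = r
	}
	return d
}

// ApplyRevocation blocks the target only if the revocation validates under
// a stored, unrevoked root of strictly higher rank. A root can therefore
// never revoke itself or a peer, and a compromised low-rank root cannot
// knock out the roots above it.
func (d *Device) ApplyRevocation(info RevocationInfo) error {
	target, ok := d.roots[info.TargetID]
	if !ok {
		return errors.New("target root not stored on device")
	}
	signer, ok := d.roots[info.SignerID]
	if !ok {
		return errors.New("signer root not stored on device")
	}
	if signer.Revoked {
		return errors.New("signer root is itself revoked")
	}
	if signer.Rank <= target.Rank {
		return fmt.Errorf("signer rank %d is not higher than target rank %d", signer.Rank, target.Rank)
	}
	if !ed25519.Verify(signer.Pub, revocationMessage(info.SignerID, info.TargetID), info.Sig) {
		return errors.New("revocation signature invalid")
	}
	target.Revoked = true
	return nil
}

// Validate is the device's ordinary job: check data against a root, which
// fails once that root has been blocked.
func (d *Device) Validate(rootID string, data, sig []byte) bool {
	r, ok := d.roots[rootID]
	if !ok || r.Revoked {
		return false
	}
	return ed25519.Verify(r.Pub, data, sig)
}

// newRoot generates a root with a fresh key; the private key goes to the
// caller, who plays the certificate authority.
func newRoot(id string, rank int) (*Root, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Root{ID: id, Rank: rank, Pub: pub}, priv
}

func main() {
	low, lowPriv := newRoot("root-A", 1)
	mid, _ := newRoot("root-B", 2)
	high, highPriv := newRoot("root-C", 3)
	dev := NewDevice(low, mid, high)
	fmt.Println("A (rank 1) revokes B:", dev.ApplyRevocation(SignRevocation("root-A", lowPriv, "root-B")))
	fmt.Println("C (rank 3) revokes B:", dev.ApplyRevocation(SignRevocation("root-C", highPriv, "root-B")))
	fmt.Println("B still usable:", dev.Validate("root-B", []byte("x"), nil))
}
```

Note that the rank check sits before signature verification and that a revoked root is refused as a signer; without the second check, a root revoked for compromise could still be used to revoke the roots below it.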
  • Patent number: 9730062
    Abstract: Systems and methods for transmitting AT commands indicating whether Evolved Packet System (EPS) Session Management (ESM) information should be transmitted securely are disclosed herein. A Terminal Equipment (TE) may transmit an AT command to a Mobile Termination (MT). The AT command may indicate whether protocol configuration options (PCO) should be ciphered and/or whether an access point name (APN) is provided. In some embodiments, the AT command may be a dedicated command and may only include a <securePCO> parameter and an <APNprovided> parameter. Alternatively, or in addition, the AT command may include a <securePCO> parameter, an <APN> parameter, and/or additional parameters serving additional functions. Whether the APN is provided may be determined based on whether the <APN> parameter is present and includes a non-null value. The AT command may be related to a single packet data network (PDN) connection or may relate to a plurality of PDN connections.
    Type: Grant
    Filed: April 30, 2015
    Date of Patent: August 8, 2017
    Assignee: INTEL IP CORPORATION
    Inventors: Kiran Kumar Addepalli, Robert Zaus, Vivek Gupta
  • Patent number: 9722775
    Abstract: A device includes one or more communication interfaces that communicate via at least one link or a network; a device memory; a device processing unit; and a Trusted Execution Environment (TEE) that is secure from the device processing unit and the device memory. The TEE obtains a public encryption key and a private encryption key pair, stores the private encryption key in a secure memory in the Trusted Execution Environment (TEE), and executes a first trusted application, within the TEE, to perform a PKI function using the private encryption key.
    Type: Grant
    Filed: February 27, 2015
    Date of Patent: August 1, 2017
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Bjorn Hjelm, Thomas W. Haynes
  • Patent number: 9697519
    Abstract: Embodiments for tracking multi-layer secured transactions include systems for providing a dedicated secure transaction channel to a user and sending a pre-authorization code to the user via the transaction channel. The systems allow the user to encrypt transaction data and receive the encrypted transaction data from the user via the transaction channel. The systems further unlock the encrypted data and match the sent pre-authorization code to the received pre-authorization code. The systems send a post verification notification to the user comprising the one or more transactions via the transaction channel and receive a post verification confirmation from the user in response to the post verification notification.
    Type: Grant
    Filed: February 20, 2017
    Date of Patent: July 4, 2017
    Assignee: Bank of America Corporation
    Inventors: Manu Jacob Kurian, Sorin N. Cismas
  • Patent number: 9674051
    Abstract: An address generation section (111) receives an acquisition request including a file name of a target content and a device ID of a device (113) as a place where the target content is stored, from an application execution section (112) that executes a viewing application. Then, the address generation section (111) specifies the current file path and IP address of the target content in content information and device information each managed by a management section (107) on the basis of the received acquisition request, and generates an acquisition address for acquiring the target content from the device (113) on the basis of the specified file path and IP address.
    Type: Grant
    Filed: October 16, 2013
    Date of Patent: June 6, 2017
    Assignee: Panasonic Intellectual Property Corporation of America
    Inventor: Shigehiro Iida
  • Patent number: 9674143
    Abstract: The security control apparatus includes a network control unit for receiving a security protocol-based packet that includes a protocol control header and data and that is transmitted between a cloud-based virtual desktop interaction remote agent unit and a virtual machine of a cloud-based virtual desktop interaction device, and blocking network traffic between cloud-based virtual desktop interaction remote agent unit and the virtual machine, depending on received results of checking. A policy checking unit checks whether information extracted from the security protocol-based packet is compliant with control policies, and transmits results of checking to the network control unit. If the information is not compliant with the control policies, a security solution interaction unit transmits the extracted information to an external security solution, and transmits results of checking by a corresponding security solution to the network control unit.
    Type: Grant
    Filed: September 1, 2014
    Date of Patent: June 6, 2017
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: ChulWoo Lee, ByungJoon Kim, Sung-Jin Kim, HyoungChun Kim
  • Patent number: 9667414
    Abstract: Generally described, physical computing devices in a virtual network can be configured to host a number of virtual machine instances. The physical computing devices can be operably coupled with offload devices. In accordance with an aspect of the present disclosure, a security component can be incorporated into an offload device. The security component can be a physical device including a microprocessor and storage. The security component can include a set of instructions configured to validate an operational configuration of the offload device or the physical computing device to establish that they are configured in accordance with a secure or trusted configuration. In one example, a first security component on the offload device can validate the operational computing environment on the offload device and a second security component on the physical computing device can validate the operational computing environment on the physical computing device.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: May 30, 2017
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Eric Jason Brandwine, David R. Richardson, Matthew Shawn Wilson, Ian Paul Nowland, Anthony Nicholas Liguori, Brian William Barrett
  • Patent number: 9626512
    Abstract: Generally described, physical computing devices in a virtual network can be configured to host a number of virtual machine instances. The physical computing devices can be operably coupled with offload devices. In accordance with an aspect of the present disclosure, a security component can be incorporated into an offload device. The security component can be a physical device including a microprocessor and storage. The security component can include a set of instructions configured to validate an operational configuration of the offload device or the physical computing device to establish that they are configured in accordance with a secure or trusted configuration. In one example, a first security component on the offload device can validate the operational computing environment on the offload device and a second security component on the physical computing device can validate the operational computing environment on the physical computing device.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: April 18, 2017
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Eric Jason Brandwine, David R. Richardson, Matthew Shawn Wilson, Ian Paul Nowland, Anthony Nicholas Liguori, Brian William Barrett
  • Patent number: 9613355
    Abstract: Embodiments for tracking multi-layer secured transactions include systems for providing a dedicated secure transaction channel to a user and sending a pre-authorization code to the user via the transaction channel. The systems allow the user to encrypt transaction data and receive the encrypted transaction data from the user via the transaction channel. The systems further unlock the encrypted data and match the sent pre-authorization code to the received pre-authorization code. The systems send a post verification notification to the user comprising the one or more transactions via the transaction channel and receive a post verification confirmation from the user in response to the post verification notification.
    Type: Grant
    Filed: January 17, 2014
    Date of Patent: April 4, 2017
    Assignee: Bank of America Corporation
    Inventors: Manu Jacob Kurian, Sorin N. Cismas
  • Patent number: 9608975
    Abstract: Computer systems and methods in various embodiments are configured for improving the security and efficiency of server computers interacting through an intermediary computer with client computers that may be executing malicious and/or autonomous headless browsers or “bots”.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: March 28, 2017
    Assignee: SHAPE SECURITY, INC.
    Inventors: Ariya Hidayat, Justin Call
  • Patent number: 9608973
    Abstract: The present invention relates to a security management system of a computer network, which includes a center server and two or more relay servers. The relay servers receive at least some of the data stored in the center server and store the received data. A first relay server stores access authentication information and transmits data requested by a client to the client when access information received from the client does not match the access authentication information. The center server transmits a ‘block relay’ command to the first relay server and a ‘start relay’ command to a second relay server when the center server receives information on the malicious access. Accordingly, the second relay server performs the relay function instead of the first relay server.
    Type: Grant
    Filed: November 28, 2012
    Date of Patent: March 28, 2017
    Inventor: Chung Jong Lee