Abstract: A bare metal resource includes a trusted portion and an untrusted portion. The trusted portion includes trusted hardware, an image repository, and a clearance manager. The clearance manager is executable during bootup of the bare metal resource to perform a clearance process on the untrusted portion, including deleting the BIOS in the untrusted portion and loading a trusted BIOS from the image repository on the untrusted hardware, to place the untrusted portion in a trusted state. The bare metal resource may be provisioned to a tenant of a cloud provider after being placed in the trusted state.

Abstract: Technologies for secure I/O include a compute device having a processor, a memory, an input/output (I/O) device, and a filter logic. The filter logic is configured to receive a first key identifier from the processor, wherein the first key identifier is indicative of a shared memory range includes a shared key identifier range to be used for untrusted I/O devices and receive a transaction from the I/O device, wherein the transaction includes a second key identifier and a trust device ID indicator associated with the I/O device. The filter logic is further configured to determine whether the transaction is asserted with the trust device ID indicator indicative of whether the I/O device is assigned to a trust domain and determine, in response to a determination that the transaction is not asserted with the trust device ID indicator, whether the second key identifier matches the first key identifier.

Abstract: Systems, apparatuses, methods, and computer program products are disclosed for providing passive continuous session authentication. An example method includes authenticating a session for a user of a client device. The example method further includes capturing a video stream and sensor data over a duration of time. The example method further includes deriving, from the captured video stream, a set of biometric attributes of the user. The example method further includes deriving, from the captured sensor data, a set of behavioral attributes of the user. Subsequently, the example method includes re-authenticating the session based on the derived set of biometric attributes and the derived set of behavioral attributes.

Abstract: A method for controlling a device includes: sending a command signed by an operator's signature to a server; verifying, in the server, that the operator is authenticated to transmit the command; assigning, in the server, a criticality level and an authorization level to the command; depending on the criticality level and the authorization level, sending an approval request relating to the command to at least one control user; approving or denying the approval request by at least a subset of the at least one control user; sending the denied or approved approval request back to the server; determining, in the server, whether the command was approved by sufficiently many control users based on the criticality level and the authorization level; and sending the command to the device for being carried out by the device in case the command was approved by sufficiently many control users, wherein at last one of the at least one control user and the operator is remote from each other.

Abstract: The present invention relates to a method to securely load set of sensitive data hardware registers with sensitive data on a chip supporting hardware cryptography operations, said method comprising the following steps monitored by software instructions, at each run of a software: select a set of available hardware registers listed in a predefined list listing, in the chip architecture, the unused hardware registers and other relevant hardware registers not handling sensitive data and not disrupting chip functionality when loaded, establish an indexible register list of the address of the sensitive data hardware registers and of the hardware registers in the set of available hardware registers, in a loop, write each hardware register in this register list with random data, a random number of times, in random order except the last writing in each of the sensitive data hardware registers where a part of the sensitive data is written.

Abstract: Techniques are disclosed relating to biometric authentication, e.g., facial recognition. In some embodiments, a device is configured to verify that image data from a camera unit exhibits a pseudo-random sequence of image capture modes and/or a probing pattern of illumination points (e.g., from lasers in a depth capture mode) before authenticating a user based on recognizing a face in the image data. In some embodiments, a secure circuit may control verification of the sequence and/or the probing pattern. In some embodiments, the secure circuit may verify frame numbers, signatures, and/or nonce values for captured image information. In some embodiments, a device may implement one or more lockout procedures in response to biometric authentication failures. The disclosed techniques may reduce or eliminate the effectiveness of spoofing and/or replay attacks, in some embodiments.

Abstract: In one embodiment, the present disclosure is directed to a system for digital authentication, the system including a server and a device. The device includes a first processor and a second processor separate and distinct from the first processor and dedicated solely to security functionality. The second processor is programmed to generate a public key and a private key, and to use the private key and to-be-signed signature data to generate digital signatures, including a first digital signature. The device transmits the public key and the first digital signature to the server. The server stores the public key to uniquely identify the device or a user of the device in subsequent communications between the server and device.

Abstract: A user device can verify a user's identity to a server while protecting user privacy by not sharing personal data with any other device. To ensure user privacy, the user device performs an enrollment process in which the user performs an action sequence. The user device collects action data from the action sequence and uses the action data locally to generate a set of public/private key pairs (or other representation) from which information about the action sequence cannot be extracted. The public keys, but not the underlying action data, are sent to a server to store. To verify user identity, a user device can repeat the collection of action data and the generation of the key pairs. If the device can prove to the server its possession of the private keys to a sufficient degree, the user's identity can be verified.

Abstract: A method of defining distributed firewall rules in a group of datacenters is provided. Each datacenter includes a group of data compute nodes (DCNs). The method sends a set of security tags from a particular datacenter to other datacenters. The method, at each datacenter, associates a unique identifier of one or more DCNs of the datacenter to each security tag. The method associates one or more security tags to each of a set of security group at the particular datacenter and defines a set of distributed firewall rules at the particular datacenter based on the security tags. The method sends the set of distributed firewall rules from the particular datacenter to other datacenters. The method, at each datacenter, translates the firewall rules by mapping the unique identifier of each DCN in a distributed firewall rule to a corresponding static address associated with the DCN.

Abstract: A processor device with a white-box masked implementation of the cryptographic algorithm AES implemented thereon, which comprises a SubBytes transformation. The white-box masked implementation is hardened in that white-box round input values x? are supplied at the round input of rounds instead of the round input values x, said white-box round input values being formed from a concatenation of: (i) the round input values x that are masked by means of the invertible masking mapping A and (ii) obfuscation values y that are likewise masked with the invertible masking mapping A; wherein from the white-box round input values x? only the (i) round input values x are fed to the SubBytes transformation T, and (ii) the masked obfuscation values y are not.

Abstract: A method of defining distributed firewall rules in a group of datacenters is provided. Each datacenter includes a group of data compute nodes (DCNs). The method sends a set of security tags from a particular datacenter to other datacenters. The method, at each datacenter, associates a unique identifier of one or more DCNs of the datacenter to each security tag. The method associates one or more security tags to each of a set of security group at the particular datacenter and defines a set of distributed firewall rules at the particular datacenter based on the security tags. The method sends the set of distributed firewall rules from the particular datacenter to other datacenters. The method, at each datacenter, translates the firewall rules by mapping the unique identifier of each DCN in a distributed firewall rule to a corresponding static address associated with the DCN.

Abstract: A pseudo-random cipher stream is used to band-spread an optical carrier signal with coded data. A legitimate receiver uses an agreed-upon key to modulate its local oscillator and a resulting beat signal uncovers the band-spread signal. An eavesdropper who does not have the key finds the spread signal with too low signal-to-noise ratio to perform any useful determination of the message sequence. Theoretical bounds based on Shannon's Theory of Secrecy are used to show strength of the encoding scheme and predict it to be superior to the prior art.

Abstract: Duplicate processing of events registered at a root server is avoided. An electronic subscriber identity module (eSIM) server pushes, to a root server, data in the form of notification data portions indicating that commands or events need to be processed by a device. The device includes an embedded universal integrated circuit card (eUICC). The device pulls a notification list from the root server. The notification list includes one or more notification data portions. The device checks a given notification data portion to see if it represents a duplicate before communicating with the eSIM server to perform further processing related to the event. The device bases the check for duplication on an event history and/or on a hash value where the hash value is based on one or more eSIMs installed in the eUICC. The device is able to prioritize notification data portions before processing them.

Abstract: Systems and methods for credential character selection are provided. The system includes one or more sensors configured to detect a character selection and generate a character selection signal, and detect a character selection completion and generate a character selection completion signal. The system also includes one or more processors coupled to the one or more sensors, the one or more processors configured to receive the character selection signal and the character selection completion signal, and generate an output signal based on the received character selection signal that includes components of a credential. The system also includes a network interface component configured to transmit the output signal. The credential characters may be components of a PIN or password. Moreover, the credential character selections may be made on one device, but displayed on a separate coupled device. The character selections may be a selection of a character or a modification of character.

Abstract: A computer-implemented method includes retrieving, by a bridge device communicatively linked to a blockchain network node of a blockchain network, a first set of blockchain blocks from the blockchain network node using a first set of threads of the bridge device; storing, by the bridge device, the first set of blockchain blocks in the bridge device; and verifying, by the bridge device, a second set of blockchain blocks that are stored in the bridge device using a second set of threads of the bridge device; and wherein retrieving the first set of blockchain blocks and verifying the second set of blockchain blocks are performed asynchronously using the first set of threads and the second set of threads.

Abstract: Embodiments of the present invention provide techniques, systems, and methods for remote, agent-less enterprise computer threat data collection, malicious threat analysis, and identification and reporting of potential and real threats present on an enterprise computer system. Specifically, embodiments are directed to a system that securely identifies and maps sensitive information from computers across the enterprise. Secure and sensitive information may be internally encrypted and analyzed for indicators of compromise, threatening behavior, and known vulnerabilities. The remote, agent-less collection, analysis, and identification process can be repeated periodically to detect and map additional sensitive information over time, and may delete itself after completion to avoid detection.

Abstract: Some embodiments provide a method for distributing firewall configuration in a datacenter comprising multiple host machines. The method retrieves a rule in the firewall configuration for distribution to the host machines. The firewall rule is associated with a minimum required version number. The method identifies a high-level construct in the firewall rule. The method queries a translation cache for the identified high-level construct. The translation cache stores previous translation results for different high-level constructs. Each stored translation result is associated with a version number. When the translation cache has a stored previous translation result for the identified high-level construct that is associated with a version number that is equal to or newer than the minimum required version number, the method uses the previous translation result stored in the cache to translate the identified high-level construct to a low-level construct.

Abstract: A processor-implemented system and method for enabling a relying party device associated with a relying party to verify an identity of a user. The method includes the steps of (i) generating, using a cryptographic processor on a user device associated with the user, a first set of credentials including a public-private key pair associated with the user, (ii) receiving at least one cryptographic challenge from the relying party device associated with the relying party, (iii) verifying at least one of a biometric or a PIN code, (iv) responding to the at least one cryptographic challenge by performing the at least one cryptographic operation on the cryptographic challenge using the user private key to form a result of the at least one cryptographic operation and (v) transmitting the result of the at least one cryptographic operation as a cryptographic challenge response to the relying party device.

Abstract: Some embodiments provide a method for managing firewall protection in a datacenter that includes multiple host machines that each hosts a set of data compute nodes. The method maintains a firewall configuration for the host machines at a network manager of the data center. The firewall configuration includes multiple firewall rules to be enforced at the host machines. The method aggregates a first set of updates to the firewall configuration into a first aggregated update and associates the first aggregated update with a first version number. The method distributes a first host-level firewall configuration update to a first host machine based on the first aggregated update and associates the first host machine with the first version number. The method aggregates a second set of updates to the firewall configuration into a second aggregated update and associates the second aggregated update with a second version number.

Abstract: Telemetry associated with a system call denoting that a program has been invoked via a process is received. A determination is made that the invoked process is a shell. Subsequent to determining that the invoked program is a shell, additional information comprising at least one of a determination that the program has attempted to obtain terminal information, and keystroke timing information is received. Based at least in part on the received additional information, a determination is made that the program is an interactive shell. In response to determining that the program is an interactive shell, an action is taken.