Abstract: Embodiments are directed toward techniques to detect a first function associated with an address space initiating a call instruction to a second function in the address space, the first function to call the second function in a deprivileged mode of operation, and define accessible address ranges for segments of the address space for the second function, each segment to a have a different address range in the address space where the second function is permitted to access in the deprivileged mode of operation, Embodiments include switching to the stack associated with the second address space and the second function, and initiating execution of the second function in the deprivileged mode of operation.

Abstract: An example operation may include one or more of generating a data block for a hash-linked chain of blocks stored on a distributed ledger and accessible to a plurality of computing nodes of a blockchain network, storing governance policies within the data block, the governance polices governing interaction with the hash-linked chain of blocks, and transmitting the generated data block with the encoded governance policies therein to a plurality of peer nodes of the distributed ledger.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obtaining identity verification information of a patient. Verifying the patient's identity by: obtaining an indication that the patient identification document is authentic, and verifying that the representation of a biometric of the patient corresponds to a biometric indicated on the patient identification document. Determining that a physical location of a computing device is proximate to a physical location of the patient. In response to verifying the patient and determining that the physical location of the computing device is proximate to the physical location of the patient, determining eligibility of the patient to receive services from the service provider.

Abstract: Techniques are presented for (a) securely maintaining, by a computing device, a set of correspondences between encryption keys and key identifiers, (b) receiving, by the computing device, a cryptographic request from a remote device received across the network, the cryptographic request including credentials, data to be cryptographically processed, and a key identifier to be used for cryptographic processing, and (c) in response to successfully authenticating the cryptographic request: (1) obtaining, by the computing device with reference to the set of correspondences, an encryption key corresponding to the key identifier, (2) cryptographically processing, by the computing device, the received data using the obtained encryption key to generate cryptographically-processed data, and (3) sending the cryptographically-processed data from the computing device across the network to the remote device.

Abstract: An embodiment of restricted command set management permits a storage controller to execute commands of a restricted command set if authorized. A command determined to be within the restricted command set is encrypted by a host prior to sending the encrypted command to a storage controller for execution. The command may be encrypted using a key shared between the host and the storage controller. The shared key may be generated by the host and encrypted by the host using a public key of a public-private key maintained by the storage controller. The encrypted shared key may be decrypted by the storage controller using the private key of the public-private key maintained by the storage controller. Execution of commands of the restricted command set is prevented absent proper decryption of the commands sent by the host. Other features and aspects may be realized, depending upon the particular application.

Abstract: Disclosed are various approaches for retrieving contacts from a plurality of federated services. A query is received from a client application executing on a client device, the query comprising a single sign-on token that identifies a user and a character string. A number of federated services that the user has permission to access are then identified. A plurality of authentication tokens are then retrieved from an authentication service, each of the plurality of authentication tokens identifying the user to a respective one of the plurality of federated services. Next, the authentication token and the character string are provided to a respective connector for each of the plurality of federated services that the user has permission to access. A plurality of responses are received, each of the plurality of responses being received from the respective connector corresponding to each of the plurality of federated services that the user has permission to access.

Abstract: The disclosed computer-implemented method for enhancing user privacy may include (i) intercepting, by a privacy-protecting network proxy, network traffic between a client device and a server device, the client device being protected by a network-based privacy solution that inhibits browser fingerprinting through the privacy-protecting network proxy, (ii) detecting, at the privacy-protecting network proxy, that the network traffic indicates an attempt by a browser fingerprinting service to perform browser fingerprinting on the client device, and (iii) modifying, at the privacy-protecting network proxy based on the detecting of the attempt to perform browser fingerprinting, the intercepted network traffic such that browser fingerprinting performed by the browser fingerprinting service is at least partially inhibited. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A device may receive a file that has been downloaded, or is to be downloaded, to a user device, and that is to be subject to a malware detection procedure. The device may obtain, based on one or more file identification properties of the file, metadata identifying user interactions associated with the file. The metadata may include a first group of user interactions performed when the file was accessed on the user device or a second group of user interactions performed when the file was accessed on one or more other user devices. The device may test the file in a sandbox environment to obtain a result by performing the user interactions identified by the metadata and executing the malware detection procedure to determine whether the file is malware. The device may provide a notification to cause the user device to perform actions when the file is malware.

Abstract: A device may receive a network policy, the network policy specifying: a matching criteria and an action to be performed on network traffic that matches the matching criteria. The device may generate type-length-value (TLV) data based on the network policy, a value portion of the TLV data including data specifying the network policy. In addition, the device may add the TLV data to a Connectivity Fault Management (CFM) packet and transmit the CFM packet to a separate device to cause the network policy to be implemented on the separate device.

Abstract: Disclosed embodiments relate to systems and methods for measuring and comparing security efficiency and importance in virtualized environments. Techniques include identifying a plurality of virtualized computing environments and calculating, for a first of the plurality of virtualized computing environments, a security-sensitivity status, the security-sensitivity status being based on at least: a size attribute of the first virtualized computing environment; an activity level of the first virtualized computing environment; a sensitivity level of the first virtualized computing environment; and a security level of the first virtualized computing environment. Further techniques include accessing a reference security-sensitivity status corresponding to the first virtualized computing environment; comparing the security-sensitivity status of the first virtualized computing environment with the reference security-sensitivity status; and identifying, based on the comparing, a security-sensitivity status gap.

Abstract: Methods and apparatus for hardware based file/document expiry timer enforcement is disclosed. An example method includes instructing, by executing an instruction with a processor, a trusted execution environment to generate an encryption key and a certificate for a document, the certificate including expiry information for the document, the certificate associated with identification information of the document, and the expiry information indicative of a time period for which the encryption key is valid to decrypt the document; encrypting, by executing an instruction with the processor, the document using the encryption key; transmitting the certificate to a first remote network storage device; and transmitting the document to a second remote network storage device.

Abstract: Particular embodiments described herein provide for a network element that can be configured to receive, from an electronic device, a request to access a network service. In response to the request, the network element can send data related to the network service to the electronic device and add a test link to the data related to the network service. The network element can also be configured to determine if the test link was successfully executed and classify the electronic device as untrusted if the test link was not successfully executed.

Abstract: A method for processing a data request is performed by an access device, and includes receiving, from a user terminal, the data request including data information of target data, obtaining the data information from the data request, searching for a storage device identifier and first authentication information, based on the data information, and sending the first authentication information and the data information, to a storage device corresponding to the storage device identifier, to enable the storage device to perform authentication on the first authentication information, and to enable the storage device to, in response to the authentication succeeding, obtain the target data indicated by the data information. The method further includes receiving, from the storage device, the target data, and sending the target data to the user terminal, to respond to the data request.

Abstract: In a storage system that includes a plurality of storage devices configured into one or more write groups, quorum-aware secret sharing may include: encrypting a device key for each storage device using a master secret; generating a plurality of shares from the master secret such that a minimum number of storage devices required from each write group for a quorum to boot the storage system is not less than a minimum number of shares required to reconstruct the master secret; and storing the encrypted device key and a separate share of the plurality of shares in each storage device.

Abstract: Systems and methods of the present disclosure enable for a delayed, two-factor authentication to occur in networked devices. The system and methods can enable the immediate delivery of digital components, which results in fewer abandoned requests, and saves network resources. The system and methods can enable the authorization of data transmissions in networked computer devices that include limited user interfaces, such as voice-based interfaces.

Abstract: Methods and apparatus, including computer program products, are provided for processing analyte data. In some example implementations, a method may include receiving, at a first processing system including a user interface, an installation package including a plug-in and code configured to provide at the first processing system an interface between a sensor system configured to measure an analyte concentration level in a host and a second processing system; storing, by the first processing system, the installation package in a location based on a role of a user initiating the installation of the code; installing the plug-in for the user interface to enable the plug-in to control one or more aspects of an installation of the code; and initiating, by at least the plug-in, the installation of the code at the first processing system to provide the interface. Related systems, methods, and articles of manufacture are also disclosed.

Abstract: In one aspect, a computer-implemented method is disclosed. The computer-implemented method may include determining a sketch matrix that approximates a matrix representative of a reference dataset. The reference dataset may include at least one computer program having a predetermined classification. A reduced dimension representation of the reference dataset may be generated based at least on the sketch matrix. The reduced dimension representation may have a fewer quantity of features than the reference dataset. A target computer program may be classified based on the reduced dimension representation. The target computer program may be classified to determine whether the target computer program is malicious. Related systems and articles of manufacture, including computer program products, are also disclosed.

Abstract: A document production system may construct a document from fragments based on a theme associated with the document. The theme may contain section(s), each section having an access control list (ACL) associated therewith. The ACL may specify role-based user group(s) and permission(s) for the role-based user group(s). The system may evaluable rules applicable to the document. At least one rule may pertain to the ACL(s). The evaluation may include, at least in part, utilizing user login information received over a network from a client device. In constructing the document, the system may assemble the document in accordance with the rules and utilizing the fragments and meta information that describes the document. The system may render the document thus assembled utilizing the ACL, generate a view of the document, and communicate the view of the document over the network to the client device for presentation on the client device.

Abstract: Apparatus, system, methods, and articles of manufacture are disclosed to identify media using hash keys. An example system includes a hybrid hash key analyzer to access a metered hash key of an exposure record obtained from a meter, access reference records representative of respective portions of a plurality of media, and determine reference confirmation data candidates from respective ones of the reference records that include hash keys matching the metered hash key. The example system includes an impression logger to, when first confirmation data associated with the exposure record matches one of the reference confirmation data candidates, store an impression record that associates the media identification data associated with the matching one of the reference confirmation data candidates with a meter identifier of the exposure record. The impression logger also is to credit at least a portion of the media corresponding to the media identification data with an exposure credit.

Abstract: The present invention discloses an access control method, apparatus, and system, and belongs to the communications field. The method includes: receiving a virtual extensible local area network VXLAN request packet sent by an access device; parsing the VXLAN request packet to obtain an IP address of the access device and authentication information of a user; sending the IP address of the access device and the authentication information of the user to an authentication server, so that the authentication server authenticates the user; receiving an authentication result sent by the authentication server; and controlling the user according to the authentication result. According to the present invention, the user is authenticated according to access information of the user in a VXLAN scenario.