Patents Examined by Ghazal B Shehni
-
Patent number: 11838276
Abstract: This document describes, among other things, systems and methods for more efficiently resuming a client-to-origin TLS session through a proxy layer that fronts the origin in order to provide network security services. At the time of an initial TLS handshake with an unknown client, for example, the proxy can perform a set of security checks. If the client passes the checks, the proxy can transmit a ‘proxy token’ upstream to the origin. The origin can incorporate this token into session state data which is passed back to and stored on the client, e.g., using a TLS session ticket extension field, pre-shared key extension field, or other field. On TLS session resumption, when the client sends the session state data, the proxy can recover its proxy token from the session state data, and upon successful validation, bypass security checks that it would otherwise perform against the client, thereby more efficiently handling known clients.
Type: Grant
Filed: May 19, 2021
Date of Patent: December 5, 2023
Assignee: Akamai Technologies, Inc.
Inventors: Stephen L. Ludin, Michael A. Bishop
-
Patent number: 11831640
Abstract: A method including storing, by a device in a database, a trusted fingerprint determined based at least in part on encrypting trusted connection information included in a trusted transmission packet received from a trusted source application; determining, by the device, a current fingerprint based at least in part on encrypting current connection information included in a current transmission packet received from a current source application; comparing, by the device, the current fingerprint with the trusted fingerprint; and processing, by the device, the current transmission packet based at least in part on a result of comparing the current fingerprint with the trusted fingerprint. Various other aspects are contemplated.
Type: Grant
Filed: April 14, 2022
Date of Patent: November 28, 2023
Assignee: UAB 360 IT
Inventor: Mohamed Adly Amer Elgaafary
-
Patent number: 11829485
Abstract: Approaches presented herein enable detection of security vulnerabilities in software containers. More specifically, a software container comprising a build script and a base image is received. An instance of the software container is instantiated in an encapsulated environment using the build script and the base image. The instance of the software container is executed in the encapsulated environment, and the execution of the software container instance is monitored in the encapsulated environment to detect one or more security vulnerabilities.
Type: Grant
Filed: August 5, 2021
Date of Patent: November 28, 2023
Assignee: International Business Machines Corporation
Inventors: Venkata Vara Prasad Karri, Sarbajit K. Rakshit, Shailendra Moyal, Pavan Kumar Penugonda
-
Patent number: 11822698
Abstract: Systems and methods are provided for performing privacy transformation of data to protect privacy in data analytics under the multi-access edge computing environment. In particular, a policy receiver in an edge server receives privacy instructions. Inference determiner in the edge server in a data analytics pipeline receives data from an IoT device and evaluates the data to recognize data associated with personally identifiable information. Privacy data transformer transforms the received data with inference for protecting data privacy by preventing exposure of private information from the edge server. In particular, the privacy data transformer dynamically selects a technique among techniques for removing information that is subject to privacy protection and transforms the received data using the technique.
Type: Grant
Filed: June 28, 2021
Date of Patent: November 21, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Ganesh Ananthanarayanan, Landon Prentice Cox, Paramvir Bahl
-
Patent number: 11819879
Abstract: An ultrasonic transceiver system includes a transmitter block, a receiver block, a state machine, and a computing unit. The transmitter block contains circuitry configured to drive an ultrasound transducer. The receiver block contains circuitry configured to receive signals from the ultrasound transducer and convert the signals into digital data. The state machine is coupled to the transmitter and receiver blocks and contains circuitry configured to act as a controller for those blocks. The computing unit is coupled to the transmitter block, the receiver block, and the state machine and is configured to drive the transmitter block and process data received from the receiver block by executing instructions of a program. The program memory is coupled to the computing unit and is configured to store the program. The computing unit is configured to be reprogrammed with one or more additional programs stored in the program memory.
Type: Grant
Filed: June 27, 2022
Date of Patent: November 21, 2023
Assignee: InvenSense, Inc.
Inventors: Richard Przybyla, Mitchell Kline, David Horsley
-
Patent number: 11816247
Abstract: A multi-country data pipeline keeps all of the PII received from a user that is in a first country in the first country. The data pipeline allows the non-personal data received from the user to be transmitted and analyzed in a second country. The method further allows the results of the analysis in the second country to be transmitted back to the first country where the PII is added to the results of the analysis. The data pipeline allows the results of the analysis in the second country to be used to take a desired action for the user in the first country, all while the PII of the user never leaves the first country.
Type: Grant
Filed: April 12, 2022
Date of Patent: November 14, 2023
Assignee: PEARSON EDUCATION, INC.
Inventors: Leo Woessner, Jeffrey DeYoung, Ritu Saxena, Chadwick Reimers
-
Patent number: 11809544
Abstract: The disclosed technology is generally directed to the authentication of software. In one example of the technology, a private attestation key is stored in hardware. In some examples, during a sequential boot process a hash is calculated, in an order in which the software stages are sequentially booted, of each software stage of a plurality of software stages. The hashes of each software stage of the plurality may be cryptographically appended to an accumulation register. The accumulation register may be used to attest to validity of the software stages. The plurality of software stages may include a first bootloader, a runtime for a first core of a multi-core processor, and a runtime for a first execution environment for a second core of the multi-core processor.
Type: Grant
Filed: February 17, 2022
Date of Patent: November 7, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventor: Felix Stefan Domke
-
Patent number: 11809572
Abstract: A computer-implemented method for building trusted executable software using trusted building units, wherein a path between the building units is untrusted, is disclosed. The method comprises generating, by each of the trusted building units, an identifier for identifying an output of the respective trusted building unit, wherein the respective trusted building unit also generates a signed confirmative certificate comprising the identifier. The method comprises as well utilizing, by each of the distributed trusted building units, output results of at least one of a predecessor build unit of the trusted building unit as input, validating that each of the signed confirmative certificates conforms to a predefined set of policy rules, and upon a failed validating of the signed confirmative certificate of one of the trusted building units, terminating the building of the trusted executable software.
Type: Grant
Filed: September 13, 2021
Date of Patent: November 7, 2023
Assignee: International Business Machines Corporation
Inventors: Florian Fritz, Timo Kussmaul, Dennis Zeisberg, Angel Nunez Mencias, Dimitrij Pankratz, Stefan Liesche, Sebastian Hense
-
Patent number: 11803635
Abstract: A computing device includes a memory and a processor configured to receive credentials stored on a client device for a website responsive to the client device initiating a launch of the website through a first browser at the client device. The processor runs a second browser to launch the website for display at the client device using the received credentials and some state information is synchronized between them for the duration of the session. The second browser isolates the website from access to other data of the client device.
Type: Grant
Filed: April 26, 2021
Date of Patent: October 31, 2023
Inventors: Daniel Wing, Manbinder Pal Singh
-
Patent number: 11797701
Abstract: A secure data collaboration communication system and apparatus provides secure communication of data to multiple users of client systems to enable data collaboration. The secure data collaboration communication system and apparatus generate, share, receive, and utilize widget references to generate a common dataset. To accommodate varying levels of data access to a common dataset, in at least one embodiment, each user of the secure data collaboration communication system is associated with an access policy defining the level of data access for the user. The secure data collaboration communication system and apparatus apply the access policy to the dataset generated using the widget reference to limit exposure to data in the dataset commensurate with the user's data access level. Thus, a secure data collaboration communication system and apparatus provides a technical solution to the technical problem of providing secure collaborative data access to users having diverse levels of data access authorization.
Type: Grant
Filed: February 1, 2021
Date of Patent: October 24, 2023
Assignee: OneIQ Corp.
Inventors: Mark Angelo, Oleg Grodzevich
-
Patent number: 11792017
Abstract: An electronic resource tracking and storage computer system is provided that communicates with a distributed blockchain computing system that includes multiple computing nodes. The system includes a storage system, a transceiver, and a processing system. The storage system includes a resource repository and transaction repository that stores submitted blockchain transactions. A new resource issuance request is received, and a new resource is added to the resource repository in response. A new blockchain transaction is generated and published to the blockchain. In correspondence with publishing to the blockchain, the transaction storage is updated with information that makes up the blockchain transaction and some information that was not included as part of the blockchain transaction. The transaction storage is updated when the blockchain is determined to have validated the previously submitted blockchain transaction.
Type: Grant
Filed: November 14, 2022
Date of Patent: October 17, 2023
Assignee: NASDAQ, INC.
Inventor: Alex Zinder
-
Patent number: 11775659
Abstract: A method comprises initializing, by an accelerator device of the computing device, an authentication tag in response to an initialization command from a trusted execution environment of the computing device, initiating a transfer, by the accelerator device, of data between a host memory and an accelerator device memory in response to a descriptor from the trusted execution environment, wherein the descriptor comprises a target memory address and is indicative of a transfer direction, comparing, in a memory range selection engine comprising at least one comparator to compare the target memory address with a plurality of address ranges and select a cryptographic key from the plurality of address range registers based on the target memory address, performing, by the accelerator device, a cryptographic operation with the data in response to transferring the data, updating, by the accelerator device, the authentication tag in response to transferring the data, and finalizing, by the accelerator device
Type: Grant
Filed: April 28, 2022
Date of Patent: October 3, 2023
Assignee: INTEL CORPORATION
Inventors: Luis S. Kida, Reshma Lal
-
Patent number: 11776574
Abstract: Techniques for authentication of digital recordings are provided. An element of encrypted data is output in a recording environment. The element of encrypted data, embedded in a digital recording comprising at least one of audio data and image data captured in the recording environment, is extracted. A decrypted value is generated based on a private key and the first element of encrypted data, and the first decrypted value and a stored value associated with a first element of the digital recording are compared. The digital recording is authenticated based on the first decrypted value substantially matching the stored value.
Type: Grant
Filed: December 21, 2020
Date of Patent: October 3, 2023
Assignee: International Business Machines Corporation
Inventors: Chad M. Albertson, Mark S. Fredrickson, David G. Wheeler, Scott D. Frei
-
Patent number: 11768968
Abstract: A method of checking the authenticity of at least a first portion of the content of a non-volatile memory of an electronic device including a microcontroller and an embedded secure element is disclosed. The method includes starting the microcontroller with instructions stored in a first secure memory area associated with the microcontroller and starting the secure element. The secure element has a plurality of decipher keys, each associated with a portion of the content of a second reprogrammable non-volatile memory area associated with the microcontroller. The secure element performs a signature check on a first portion of the content of the second area. If the signature is verified, the secure element sends the decipher key associated with the first portion to the microcontroller. If the signature is not verified, the secure element executes a signature check on another portion of the content of the second memory area.
Type: Grant
Filed: June 9, 2021
Date of Patent: September 26, 2023
Assignee: PROTON WORLD INTERNATIONAL N.V.
Inventor: Olivier Van Nieuwenhuyze
-
Patent number: 11755721
Abstract: The present disclosure relates to a computer implemented method for executing an application. The method comprises: executing a bootloader in a trusted execution environment, wherein the executing comprises: decrypting received encrypted secrets using decryption keys of the boot loader, storing the decrypted secrets in a storage accessible by the application, creating a proof record indicating the application, the secrets and the trusted execution environment, storing the proof record in the storage, and deleting the decryption keys. The application may be executed in the trusted execution environment using the decrypted secrets. The proof record may be provided by the application for proving authenticity.
Type: Grant
Filed: October 25, 2021
Date of Patent: September 12, 2023
Assignee: International Business Machines Corporation
Inventors: Angel Nunez Mencias, Nicolas Maeding, Peter Morjan, Dirk Herrendoerfer
-
Patent number: 11755741
Abstract: A method of boot-loading an electronic device. The method comprises boot-loading a trusted execution environment (TEE) in a trusted security zone of a processor of the electronic device, where the TEE boot-loads before a rich execution environment (REE) boot-loads, launching a boot-loader authentication application by the TEE in the trusted security zone, determining a signature value of an REE boot-loader by the boot-loader authentication application over the instructions of the REE boot-loader, comparing the signature value of the REE boot-loader to an authentication signature value stored in the TEE, and, in response to the signature value of the REE boot-loader not matching the authentication signature value, taking action by the boot-loader authentication application.
Type: Grant
Filed: June 22, 2022
Date of Patent: September 12, 2023
Assignee: T-Mobile Innovations LLC
Inventors: Lyle W. Paczkowski, William M. Parsel
-
Patent number: 11755760
Abstract: The disclosure is directed to systems and methods for secure policies-based information governance. In various embodiments exemplary methods include displaying a Graphical User Interface (GUI), the graphical user interface receiving a business rule input from a business user; receiving a policy from a policy engine based on the business rule input, the policy engine generating a policy hierarchy; and defining a plurality of domain objects and a plurality of domain object representations in the Graphical User Interface (GUI) based on the policy and the policy hierarchy. Furthermore, exemplary methods include defining an extensible hierarchical domain model definition using the policy hierarchy, the extensible hierarchical domain model definition being modified using the plurality of domain object representations in the Graphical User Interface (GUI); and defining a Policy Enforcement Point (PEP) in an application based on the extensible hierarchical domain model definition.
Type: Grant
Filed: October 12, 2020
Date of Patent: September 12, 2023
Assignee: ASG Technologies Group, Inc.
Inventors: Sudhi Balan, Randy Baiad, Robert Russell
-
Patent number: 11755726
Abstract: Systems and methods include obtaining a file associated with a user for processing; utilizing a combination of policy for the user and machine learning to determine whether to i) quarantine the file and scan the file in a sandbox, ii) allow the file to the user and scan the file in the sandbox, and iii) allow the file to the user without the scan; responsive to the quarantine of the file and the sandbox determining the file is malicious, blocking the file; and, responsive to the quarantine of the file and the sandbox determining the file is benign, allowing the file.
Type: Grant
Filed: June 16, 2020
Date of Patent: September 12, 2023
Assignee: Zscaler, Inc.
Inventors: Changsha Ma, Rex Shang, Douglas A. Koch, Dianhuan Lin, Howie Xu, Bharath Kumar, Shashank Gupta, Parnit Sainion, Narinder Paul, Deepen Desai
-
Patent number: 11755720
Abstract: Disclosed embodiments are related to information security and scripting-language technologies, and in particular, to technologies for providing secure membranes and cross namespace communication between isolated components in a scripting environment. Other embodiments may be described and/or claimed.
Type: Grant
Filed: August 12, 2020
Date of Patent: September 12, 2023
Assignee: SALESFORCE, INC.
Inventors: Kiril Seksenov, Caridy Patino, Manuel Jasso, John-David Dalton, Dejan Mihai Gitin, Abika Nimmakayala, Patterson Wu, Theodore Lau, Andrew Hoffman, Nirankush Panchbhai
-
Patent number: 11757646
Abstract: A method, non-transitory computer readable medium, and device that transmits a cryptographic variable input to a detachably coupled smart card. Execution of at least one of protected cryptographic algorithm operation by the smart card which requires the cryptographic variable input and a cryptographic constant input stored on the smart card to generate one or more cryptographic products is requested. The one or more generated cryptographic products from the smart card are received. An encrypted signal simulation based on execution of a simulator using the received one or more generated cryptographic products is generated and is output.
Type: Grant
Filed: November 2, 2020
Date of Patent: September 12, 2023
Assignee: OROLIA DEFENSE & SECURITY LLC
Inventors: William Norton, Tim Erbes, Gabriel Johnson