Abstract: A method that automatically generates blacklists for a sandbox application. The method first obtains a set of disassembled operating system (OS) dynamic-link libraries (DLLs) and then identifies application programming interfaces (API) functions that have respective kernel interruptions. The identified API functions that have kernel instructions are saved to an interrupt list. Based on the interrupt list, a processor generates a blacklist that includes for each of the DLLs, the identified API functions in the interrupt list, all API functions that directly or indirectly invoke one of the identified API functions in the interrupt list via one or more nested API functions. The method outputs the blacklist to the sandbox application that operates on a sample file to emulate API functions of the sample file that match the blacklist. All other APIs not identified as being blacklisted, are then considered whitelisted and are allowed to run natively.

Abstract: Compiling a compression function of a lattice-based cryptographic mechanism by (i) basing the compression function on a lossy compression function, (ii) determining an error based on a loss introduced by an integer division, and (iii) determining an output of the compression function based on the error.

Abstract: Various arrangements for wireless network provisioning using a pre-shared key (PSK) are presented. A plurality of wireless network access profiles that indicate a plurality of PSKs may be stored. An access point may receive, from a wireless device, a first value based at on the PSK. The access point can transmit the first value to a cloud-based provisioning system. A plurality of values based on the plurality of PSKs of the plurality of wireless network access profiles may be created and a match between a second value of the plurality of values and the transmitted first value may be identified. A third value may be provided to the access point based on the PSK of the wireless network access profile of the plurality of wireless network access profiles used to generate the value. Network access can then be granted based on the third value.

Abstract: Techniques for providing access to scope-delimited sensitive data are disclosed. A user provides sensitive data to a first party associated with a payment service provider. The first party stores the sensitive data with the payment service provider, and the payment service provider provides the first party merchant with an encoding of the payment data. The first party provides a purchasing opportunity to the user for goods offered by a third party also associated with the payment service provider. The first party transmits a sensitive data grant request to the payment service provider. In response, the payment service provides a scope-delimited encoding of the sensitive data. The first party provides the scope-delimited encoding of the payment data to the third party. The third party merchant creates a transaction using the scope-delimited encoding of the sensitive data. At some time later, access to the scope-delimited encoding of the sensitive data is revoked.

Abstract: An information handling system may include at least one processor and a memory. The information handling system may be configured to determine names for a plurality of other information handling systems that are on-premises at a particular datacenter having a local network associated therewith; poll a selected subset of the plurality of other information handling systems via the local network; based on results of the polling, determine whether the information handling system is on-premises at the particular datacenter; and in response to a determination that the information handling system is on-premises at the particular datacenter, enable access to at least one sensitive administration operation associated with the particular datacenter.

Abstract: Systems and methods include aggregating wireless control of electronic devices associated with a multi-tenant structure to enable a user to engage in wireless control of the electronic devices. Embodiments of the present disclosure relate to identifying the electronic devices associated with the multi-tenant structure that are under wireless control based on a unique identifier. Partitioned electronic devices are determined that provide the user with wireless control based on associated permissions granted to the user. The partitioned electronic devices have the associated permissions granting wireless control of the partitioned electronic devices to the user.

Abstract: One example method includes receiving a data stream at a node of a data confidence fabric that comprises a group of nodes that are each operable to assign trust metadata to data of the data stream, inspecting the data stream to determine a data type of data in the data stream, accessing a configuration file that applies to all the nodes of the data confidence fabric, and obtaining an equation from the configuration file, mapping the equation to the data, performing a trust insertion process on the data, as specified in the equation, and generating trust metadata that is associated with the data and based on the trust insertion process.

Abstract: A computer-implemented method of replacing a security-relevant unencrypted data string by a placeholder. The steps involved include: providing a plurality of mutually different replacement tables, wherein specified in each of the plurality of replacement tables for each character of the alphabet is precisely one replacement character from the same alphabet and wherein the replacement characters in each of the plurality of replacement tables are all different from each other; receiving the security-relevant unencrypted data string, wherein the data string is formed from a plurality of characters of an alphabet; and generating the placeholder replacing the unencrypted data string, and outputting the placeholder. To provide a method which is distinguished by enhanced performance with comparable cryptographic security it is proposed. Generation of the placeholder includes the specifically identified steps.

Abstract: Performing controlled access to data stored in a secure partition is described herein, including: associating a predetermined exception with an exception handling program in an operating system; restricting a user program to execution by a normal privilege user; and designating a secure partition and restricting the secure partition to be accessible by a highest privilege user; wherein, when executed in user space corresponding to the normal privilege user, the user program generates the predetermined exception, and wherein the predetermined exception triggers execution of the exception handling program in kernel space, and the exception handling program is configured to read data from the secure partition and deliver the data after processing to the user program.

Abstract: Systems, devices, and methods are provided for implementing a cloud-based mainframe service. A cloud-based mainframe service may utilize various resources, including an operating system that is provisioned with an authorization interceptor that uses a first set of security policies stored in a policy database to determine whether to grant or deny access to resources managed by the operating system. The authorization interceptor may use the security policies of the policy database to determine whether to grant access to operating system resources. A database management system may use a second set of security policies stored in the policy database to determine whether to grant or deny access to resources managed by the database system. Security policies for a mainframe service may be centrally stored in a policy database managed by a policy management service.

Abstract: A method and an apparatus for secure interaction between terminals, where the method includes indicating or indirectly indicating, by a companion terminal with an embedded Universal Integrated Circuit Card (eUICC), a Hypertext Transfer Protocol (HTTP) over Secure Socket Layer (HTTPS) Uniform Resource Locator (URL) including security information to a primary terminal such that the primary terminal initiates establishment of a local Transport Layer Security (TLS) connection according to the HTTPS URL, receiving, by the companion terminal, an HTTP request from the primary terminal using the local TLS connection, completing establishment of an HTTPS session when the companion terminal determines that the HTTP request includes the security information, and receiving, by the companion terminal, an operation instruction for the eUICC from the primary terminal using the HTTPS session.

Abstract: A method for private wireless communication from a broadcaster to an observer, including determining a maximum time error between broadcaster and observer and defining a time unit T exceeding the maximum time error, and sharing a secret s with the broadcaster and the observer. At the broadcaster, the method includes transmitting a message containing a security code c, and at the observer, receiving the message and assessing its genuineness by comparing the security code c with a value h(s, t120) of a predefined function h for a combination of the secret s and a current epoch t120, wherein the current epoch is an integer multiple of the time unit T.

Abstract: In general, techniques are described for distributed route and packet flow evaluation within a cloud exchange fabric. In some examples, a routing engine is operative to: establish sessions between a first network and a second network to exchange message data identifying destinations in the second network; and verify routing information comprising routes from endpoints in the first network to the destinations based upon the message data, including, for each route of the routes: evaluating a source or a destination for indicia of illegitimate origination, and in response to detecting an illegitimate endpoint at the at least one of a source or a destination based upon identifying one or more of the indicia of illegitimate origination, dropping a corresponding route from the routing information.

Abstract: A method of providing information for display, from a portable electronic device, includes displaying information on a display of the portable electronic device, identifying a portion for redacting from the information displayed on the display of the portable electronic device, extracting the portion from the information to provide redacted information and an extracted portion, storing the redacted information, protecting and storing the extracted portion in association with a location identification in a file, and sending the redacted information and sending the file including extracted portions associated with the location identifiers.

Abstract: Replicating data using inferred trust, including: receiving, by a first storage system from a computing device, data encrypted using a first encryption key; decrypting, by the first storage system, the encrypted data using the first encryption key; encrypting, by the first storage system, the decrypted data using a second encryption key; storing, on the first storage system, the data encrypted using the second encryption key; sending, from the first storage system to the second storage system, the data; and servicing, by the second storage system, an input/output (‘I/O’) operation directed to the data.

Abstract: A method for executing a computer program includes incorporating, into metadata of a block containing a line of code to be accessed using a pointer, a first pointer identifier associated with the line of code to be accessed, then obtaining a pointer including a first range of bits containing the address of the line of code to be accessed, and a different second range of bits containing a second pointer identifier, then verifying that the second pointer identifier contained in the obtained pointer corresponds to the first pointer identifier associated with the line of code to be accessed and contained in the metadata of the loaded block, and when the first and second pointer identifiers do not correspond, then the security module triggers signaling of an execution fault.

Abstract: A computer-implemented method is disclosed. The method includes: receiving, via a computing device in a locked state, input of a first PIN; determining that the first PIN is associated with a first cryptographic key that is stored in a memory; responsive to determining that the first PIN is associated with the first cryptographic key, retrieving, from the memory, an encrypted form of a first credential that is associated with the first cryptographic key; recovering the first credential from the encrypted form using the first cryptographic key; and causing the computing device to be unlocked using the recovered first credential.

Abstract: Non-transitory computer readable storage mediums have instructions executed by processors to access a first random data element at a first computing device. A first vector and a second vector are generated at a second computing device. A communication channel is utilized to execute a secure multiparty computation protocol between the first computing device and the second computing device. The first computing device alternately identifies a polynomial relations satisfied state and a polynomial relations unsatisfied state. A first selected instruction set is executed at the first computing device in response to the polynomial relations satisfied state. A second selected instruction set is executed at the first computing device in response to the polynomial relations unsatisfied state.

Abstract: A device includes a bottom housing that includes a printed circuit board, a processor formed on the printed circuit board, a probe tip coupled to the processor, and a first wall. The first wall includes a front side surface, a backside surface, and an opening extending from the front side surface to the backside surface. The printed circuit board is coupled to the front side surface of the first wall. The printed circuit board includes a plurality of electrical contacts located on the back surface and coupled to the processor. The electrical contacts on the backside surface of the printed circuit board are visible through the opening formed in the first wall of the bottom housing. The electrical contacts are sealed from fluid penetration and can connect to the electrical contacts of a battery connected to the device.

Abstract: A method, system, and program product for controlling power associated with connectivity between devices is provided. The method includes scheduling a copy function associated with copying data from a production hardware device to a secure hardware device at a specified time period. A first hardware connection between the production hardware device and a production network associated with the production hardware device is disabled during the specified time period and a second hardware connection between the production hardware device and the secure hardware device is enabled. A subsequent copy function is enabled for copying the data from the production hardware device to the secure hardware device. The second hardware connection between the production hardware device and the secure hardware device is disabled after the copy function has completed. In response, the first hardware connection between the production hardware device and the production network is enabled.