Patents Examined by Gregory A Lane
-
Patent number: 12388836
Abstract: In one aspect, an apparatus includes at least one processor and storage accessible to the at least one processor. The storage includes instructions executable by the at least one processor to use an ultra-wideband (UWB) transceiver to determine a current location of a device and to, based on the current location as determined using the UWB transceiver, restrict how the device can be used while the device is located at the current location.
Type: Grant
Filed: March 17, 2021
Date of Patent: August 12, 2025
Assignee: Lenovo (Singapore) Pte. Ltd.
Inventors: John Carl Mese, Philip John Jakes
-
Patent number: 12369031
Abstract: Aspects relate to changing at least one communication parameter. In some examples, the at least one communication parameter may include at least one of an association identifier (AID), a packet number (PN), a sequence number (SN), a traffic identifier (TID), a timing synchronization function (TSF) value, or a combination thereof. In some examples, a first apparatus provides an indication of a change associated with at least one of the AID, the PN, the SN, the TID, the TSF value, or a combination thereof to a second apparatus.
Type: Grant
Filed: April 15, 2022
Date of Patent: July 22, 2025
Assignee: QUALCOMM Incorporated
Inventors: Sai Yiu Duncan Ho, Jouni Kalevi Malinen, Philip Michael Hawkes, George Cherian
-
Patent number: 12362938
Abstract: A trusted execution environment obtains an attestation request. The attestation request includes at least an attestation key. Based on obtaining the attestation request, one or more integrity measurements are computed, and the computing uses at least the attestation key. The one or more integrity measurements are provided to an entity, and the one or more integrity measurements are to be used to verify that a secure guest has been started using a selected secure guest image and selected secure guest metadata.
Type: Grant
Filed: August 5, 2021
Date of Patent: July 15, 2025
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Reinhard Theodor Buendgen, Jonathan D. Bradbury
-
Patent number: 12339967
Abstract: Disclosed in some examples are methods, systems, and devices for authenticating a firmware object on a device and in some examples to safeguard the attestation process from the execution of malicious firmware. In some examples, a firmware update process may, in addition to updating the firmware on the device, write a hash of the authentic firmware code in a secure storage device (e.g., a register). This may be done in some examples in a protected environment (e.g., a trusted execution environment or a protected firmware update process). Upon first boot after the update, a firmware update checker compares the firmware object that is booted with the value of the secure storage device. If the values match, the alias certificate may be regenerated, and the boot continues. If the values do not match, then the alias certificate may not be regenerated, and the system may have an authenticity failure because the key and the certificate do not match.
Type: Grant
Filed: February 28, 2022
Date of Patent: June 24, 2025
Assignee: Micron Technology, Inc.
Inventors: Alessandro Orlando, Niccolo' Izzo, Danilo Caraccio
-
Patent number: 12321477
Abstract: In some implementations, a distributed database management system may monitor data operations performed by a plurality of user devices, wherein the data operations are associated with a distributed database. The distributed database management system may detect that a user device is to perform a data operation associated with a data structure of the distributed database. The distributed database management system may determine identification information associated with the user device. The distributed database management system may generate, based on the data operation, evidence information associated with the data operation, wherein the evidence information includes the identification information. The distributed database management system may store the evidence information in an immutable data structure to record that the user device is associated with the data operation.
Type: Grant
Filed: October 30, 2020
Date of Patent: June 3, 2025
Assignee: Accenture Global Solutions
Inventors: Sunil Krishnan, Deepak Lalan, Melvin James Tomy, Amit Punamchand Kawad, Sunil Gunasekaran, Michael William Klein
-
Patent number: 12301729
Abstract: Techniques for creating consent contracts for devices that indicate whether the devices consent to receiving network-based communications from other devices. Further, the techniques include enforcing the consent contracts such that network-based communications are either allowed or disallowed in the network-communications layer prior to the network communications reaching the devices. Rather than simply allowing a device to communicate with any other device over a network, the techniques described herein include building in consent for network-based communications where the consent is consulted at one or more points in a communication process to make informed decisions about network-based traffic.
Type: Grant
Filed: February 24, 2021
Date of Patent: May 13, 2025
Assignee: Cisco Technology, Inc.
Inventors: Kyle Andrew Donald Mestery, Ian James Wells
-
Patent number: 12273454
Abstract: Compiling a compression function of a lattice-based cryptographic mechanism by (i) basing the compression function on a lossy compression function, (ii) determining an error based on a loss introduced by an integer division, and (iii) determining an output of the compression function based on the error.
Type: Grant
Filed: March 21, 2022
Date of Patent: April 8, 2025
Assignee: Infineon Technologies AG
Inventor: Peter Pessl
-
Patent number: 12271467
Abstract: A method that automatically generates blacklists for a sandbox application. The method first obtains a set of disassembled operating system (OS) dynamic-link libraries (DLLs) and then identifies application programming interfaces (API) functions that have respective kernel interruptions. The identified API functions that have kernel instructions are saved to an interrupt list. Based on the interrupt list, a processor generates a blacklist that includes for each of the DLLs, the identified API functions in the interrupt list, all API functions that directly or indirectly invoke one of the identified API functions in the interrupt list via one or more nested API functions. The method outputs the blacklist to the sandbox application that operates on a sample file to emulate API functions of the sample file that match the blacklist. All other APIs not identified as being blacklisted, are then considered whitelisted and are allowed to run natively.
Type: Grant
Filed: December 27, 2021
Date of Patent: April 8, 2025
Assignee: Malwarebytes Corporate Holdco Inc.
Inventor: Jason Neal Raber
-
Patent number: 12231884
Abstract: Various arrangements for wireless network provisioning using a pre-shared key (PSK) are presented. A plurality of wireless network access profiles that indicate a plurality of PSKs may be stored. An access point may receive, from a wireless device, a first value based on the PSK. The access point can transmit the first value to a cloud-based provisioning system. A plurality of values based on the plurality of PSKs of the plurality of wireless network access profiles may be created and a match between a second value of the plurality of values and the transmitted first value may be identified. A third value may be provided to the access point based on the PSK of the wireless network access profile of the plurality of wireless network access profiles used to generate the value. Network access can then be granted based on the third value.
Type: Grant
Filed: March 29, 2022
Date of Patent: February 18, 2025
Assignee: DISH Network L.L.C.
Inventors: Edward W. Neipris, Joshua David Wade, Tyler Nesper
-
Patent number: 12206677
Abstract: An information handling system may include at least one processor and a memory. The information handling system may be configured to determine names for a plurality of other information handling systems that are on-premises at a particular datacenter having a local network associated therewith; poll a selected subset of the plurality of other information handling systems via the local network; based on results of the polling, determine whether the information handling system is on-premises at the particular datacenter; and in response to a determination that the information handling system is on-premises at the particular datacenter, enable access to at least one sensitive administration operation associated with the particular datacenter.
Type: Grant
Filed: January 4, 2022
Date of Patent: January 21, 2025
Assignee: Dell Products L.P.
Inventors: Jian Liu, Michael Varteresian, Wenfeng Li, Muzhar S. Khokhar
-
Patent number: 12205085
Abstract: Techniques for providing access to scope-delimited sensitive data are disclosed. A user provides sensitive data to a first party associated with a payment service provider. The first party stores the sensitive data with the payment service provider, and the payment service provider provides the first party merchant with an encoding of the payment data. The first party provides a purchasing opportunity to the user for goods offered by a third party also associated with the payment service provider. The first party transmits a sensitive data grant request to the payment service provider. In response, the payment service provides a scope-delimited encoding of the sensitive data. The first party provides the scope-delimited encoding of the payment data to the third party. The third party merchant creates a transaction using the scope-delimited encoding of the sensitive data. At some time later, access to the scope-delimited encoding of the sensitive data is revoked.
Type: Grant
Filed: May 17, 2021
Date of Patent: January 21, 2025
Assignee: PAYPAL, INC.
Inventors: Joshua Knox, Benjamin Mills, Rohit Turumella, Chris Sanger, Michael Nussbaum
-
Patent number: 12175296
Abstract: Systems and methods include aggregating wireless control of electronic devices associated with a multi-tenant structure to enable a user to engage in wireless control of the electronic devices. Embodiments of the present disclosure relate to identifying the electronic devices associated with the multi-tenant structure that are under wireless control based on a unique identifier. Partitioned electronic devices are determined that provide the user with wireless control based on associated permissions granted to the user. The partitioned electronic devices have the associated permissions granting wireless control of the partitioned electronic devices to the user.
Type: Grant
Filed: March 23, 2020
Date of Patent: December 24, 2024
Assignee: Xiber, LLC
Inventor: Stephen Hon
-
Patent number: 12158954
Abstract: One example method includes receiving a data stream at a node of a data confidence fabric that comprises a group of nodes that are each operable to assign trust metadata to data of the data stream, inspecting the data stream to determine a data type of data in the data stream, accessing a configuration file that applies to all the nodes of the data confidence fabric, and obtaining an equation from the configuration file, mapping the equation to the data, performing a trust insertion process on the data, as specified in the equation, and generating trust metadata that is associated with the data and based on the trust insertion process.
Type: Grant
Filed: October 28, 2020
Date of Patent: December 3, 2024
Assignee: EMC IP Holding Company LLC
Inventor: Stephen J. Todd
-
Patent number: 12155749
Abstract: A computer-implemented method of replacing a security-relevant unencrypted data string by a placeholder. The steps involved include: providing a plurality of mutually different replacement tables, wherein specified in each of the plurality of replacement tables for each character of the alphabet is precisely one replacement character from the same alphabet and wherein the replacement characters in each of the plurality of replacement tables are all different from each other; receiving the security-relevant unencrypted data string, wherein the data string is formed from a plurality of characters of an alphabet; and generating the placeholder replacing the unencrypted data string, and outputting the placeholder. To provide a method which is distinguished by enhanced performance with comparable cryptographic security it is proposed. Generation of the placeholder includes the specifically identified steps.
Type: Grant
Filed: May 1, 2020
Date of Patent: November 26, 2024
Assignee: COMFORTE AG
Inventors: Henning Horst, Michael Horst
-
Patent number: 12147588
Abstract: Performing controlled access to data stored in a secure partition is described herein, including: associating a predetermined exception with an exception handling program in an operating system; restricting a user program to execution by a normal privilege user; and designating a secure partition and restricting the secure partition to be accessible by a highest privilege user; wherein, when executed in user space corresponding to the normal privilege user, the user program generates the predetermined exception, and wherein the predetermined exception triggers execution of the exception handling program in kernel space, and the exception handling program is configured to read data from the secure partition and deliver the data after processing to the user program.
Type: Grant
Filed: September 14, 2020
Date of Patent: November 19, 2024
Assignee: Alibaba Group Holding Limited
Inventor: Xiaoxia Cui
-
Patent number: 12143398
Abstract: Systems, devices, and methods are provided for implementing a cloud-based mainframe service. A cloud-based mainframe service may utilize various resources, including an operating system that is provisioned with an authorization interceptor that uses a first set of security policies stored in a policy database to determine whether to grant or deny access to resources managed by the operating system. The authorization interceptor may use the security policies of the policy database to determine whether to grant access to operating system resources. A database management system may use a second set of security policies stored in the policy database to determine whether to grant or deny access to resources managed by the database system. Security policies for a mainframe service may be centrally stored in a policy database managed by a policy management service.
Type: Grant
Filed: December 3, 2021
Date of Patent: November 12, 2024
Assignee: Amazon Technologies, Inc.
Inventors: Didier Germain Durand, Ilia Gilderman
-
Patent number: 12137338
Abstract: A method for private wireless communication from a broadcaster to an observer, including determining a maximum time error between broadcaster and observer and defining a time unit T exceeding the maximum time error, and sharing a secret s with the broadcaster and the observer. At the broadcaster, the method includes transmitting a message containing a security code c, and at the observer, receiving the message and assessing its genuineness by comparing the security code c with a value h(s, t120) of a predefined function h for a combination of the secret s and a current epoch t120, wherein the current epoch is an integer multiple of the time unit T.
Type: Grant
Filed: January 20, 2022
Date of Patent: November 5, 2024
Assignee: Volvo Truck Corporation
Inventor: Joshua Shire
-
Patent number: 12137094
Abstract: A method and an apparatus for secure interaction between terminals, where the method includes indicating or indirectly indicating, by a companion terminal with an embedded Universal Integrated Circuit Card (eUICC), a Hypertext Transfer Protocol (HTTP) over Secure Socket Layer (HTTPS) Uniform Resource Locator (URL) including security information to a primary terminal such that the primary terminal initiates establishment of a local Transport Layer Security (TLS) connection according to the HTTPS URL, receiving, by the companion terminal, an HTTP request from the primary terminal using the local TLS connection, completing establishment of an HTTPS session when the companion terminal determines that the HTTP request includes the security information, and receiving, by the companion terminal, an operation instruction for the eUICC from the primary terminal using the HTTPS session.
Type: Grant
Filed: June 8, 2021
Date of Patent: November 5, 2024
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventors: Ziyao Cheng, Shuiping Long
-
Patent number: 12120128
Abstract: In general, techniques are described for distributed route and packet flow evaluation within a cloud exchange fabric. In some examples, a routing engine is operative to: establish sessions between a first network and a second network to exchange message data identifying destinations in the second network; and verify routing information comprising routes from endpoints in the first network to the destinations based upon the message data, including, for each route of the routes: evaluating a source or a destination for indicia of illegitimate origination, and in response to detecting an illegitimate endpoint at the at least one of a source or a destination based upon identifying one or more of the indicia of illegitimate origination, dropping a corresponding route from the routing information.
Type: Grant
Filed: July 31, 2020
Date of Patent: October 15, 2024
Assignee: Equinix, Inc.
Inventors: Syed Hashim Iqbal, Muhammad Durrani
-
Patent number: 12093413
Abstract: A method of providing information for display, from a portable electronic device, includes displaying information on a display of the portable electronic device, identifying a portion for redacting from the information displayed on the display of the portable electronic device, extracting the portion from the information to provide redacted information and an extracted portion, storing the redacted information, protecting and storing the extracted portion in association with a location identification in a file, and sending the redacted information and sending the file including extracted portions associated with the location identifiers.
Type: Grant
Filed: June 13, 2018
Date of Patent: September 17, 2024
Assignee: Malikie Innovations Limited
Inventors: Neil Patrick Adams, Robert Joseph Lombardi, Jeremy Lawson Kominar