Patents Examined by Gregory A Lane
  • Patent number: 11481523
    Abstract: The invention relates to a secure element device comprising at least one processor, at least one communication interface, at least one memory RAM and NVM and at least one bus access controller, wherein the bus access controller defines at least a first area PBL, a second area SBL and a secure area MZ. The first area comprises a first loader program capable of loading a program package in the second area. The secure area comprises an authentication key capable of authenticating the program package loaded in the second area. After authentication of the program package loaded in the second area, the access right of the first loader program is changed in such a way that a program in the first area can no more access the second area.
    Type: Grant
    Filed: December 16, 2015
    Date of Patent: October 25, 2022
    Assignee: THALES DIS FRANCE SAS
    Inventor: Alain Rhelimi
  • Patent number: 11483287
    Abstract: Various example embodiments of a reliable firewall are presented herein. Various example embodiments of a reliable firewall may be configured to provide a single, stateful firewall spanning multiple routers. Various example embodiments of a reliable firewall spanning multiple routers may be configured to provide a reliable firewall configured to protect high-availability network services, network services using multipath routing, or the like, as well as various combinations thereof. Various example embodiments of a reliable firewall spanning multiple routers may be configured to provide a reliable firewall by supporting synchronization of firewall synchronization information (e.g., firewall policy information, firewall session state information, or the like, as well as various combinations thereof) across the multiple routers.
    Type: Grant
    Filed: June 13, 2018
    Date of Patent: October 25, 2022
    Assignee: Nokia Solutions and Networks Oy
    Inventors: Lawrence Menten, Michel Rochon, Prashant Shanbhag
  • Patent number: 11475146
    Abstract: Systems and methods for providing a privacy screen to a network application accessed via an embedded browser of a client application are described. The method includes establishing, by a client application on a client device, a session to a network application hosted on a third party server. The client application includes an embedded browser for accessing the network application. The method further includes identifying, by the client application, a policy for providing a privacy screen to one or more portions of the network application, detecting, by the embedded browser, that the one or more portions of the network application are to be rendered on a display of the client device, and displaying a privacy screen including one or more masks displayed over at least the one or more portions of the network application rendered on the display of the client device via the embedded browser.
    Type: Grant
    Filed: November 8, 2018
    Date of Patent: October 18, 2022
    Assignee: Citrix Systems, Inc.
    Inventor: Abhishek Chauhan
  • Patent number: 11468151
    Abstract: A method and system are described for controlling access to online applications using memetic authenticators that are de-identified and passwordless. The method includes curating, issuing ownership, and registering memetic authenticators. The method involves assembling an authenticator package including a fingerprint hash value, matched pairs of user-selected memetic authenticator records, a timer, and encrypting the package using a cipher issued and uniquely-assigned by a service provider. Ciphers may be regenerated on each authentication event providing for episodic re-verification. Fingerprints assign ownership for memetic authenticators, with such associations stored on networked nodes of a distributed database. On authenticating, the client-supplied authenticator package is decrypted and compared to ownership records on an identity network for verification and granting or denying access.
    Type: Grant
    Filed: August 29, 2019
    Date of Patent: October 11, 2022
    Assignee: Ideola, Inc.
    Inventor: Daniel G. Beckett, Jr.
  • Patent number: 11455410
    Abstract: Embodiments of the present disclosure are directed to techniques for deriving collaborative intelligence based on constraint computing or constraint querying. At a high level, a data trustee can operate a trustee environment that derives collaborative intelligence subject to configurable constraints, without sharing raw data. The trustee environment can include a data privacy pipeline through which data can be ingested, fused, derived, and sanitized to generate collaborative data without compromising data privacy. The collaborative data can be stored and queried to provide collaborative intelligence subject to the configurable constraints. In some embodiments, the data privacy pipeline is provided as a cloud service implemented in the trustee environment and can be spun up and spun down as needed.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: September 27, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Tomer Turgeman, Yisroel Gershon Taber, Lev Rozenbaum
  • Patent number: 11445371
    Abstract: Methods, apparatus, and systems for automatically determining the access rights to be granted to a telecommunication device to the assets in a first network as a function of the access rights previously granted to that same device in another network.
    Type: Grant
    Filed: August 17, 2016
    Date of Patent: September 13, 2022
    Assignee: PCMS Holdings, Inc.
    Inventors: Antti V. P. Evesti, Pia E. Raitio, Pekka P. Savolainen
  • Patent number: 11438763
    Abstract: A process for improving network performance in systems that utilize secure domain name system (DNS) schemes. Encrypted DNS requests from devices in a local area network (LAN), such as a home or office, are submitted to a local proxy which stores cached DNS records. The proxy decrypts or examines at least a portion of the DNS request in order to search for a matching record in its storage. Matching records are retrieved, encrypted, and supplied to the requesting device to satisfy the DNS request. If the proxy does not contain a matching record, the DNS query is encrypted and submitted to an external DNS server for resolution. The matching record can optionally be saved by the proxy prior to being supplied to the requesting device.
    Type: Grant
    Filed: September 25, 2019
    Date of Patent: September 6, 2022
    Assignee: Hughes Network Systems, LLC
    Inventors: Ganeshan Ramachandran, Robert Torres, George Choquette
  • Patent number: 11438329
    Abstract: An authenticated data transfer system may include generating, after entry of one or more processors of a transmitting device into a communication field, a link, the link comprising a near field communication data exchange format uniform resource locator including identifier data and user data; transmitting, to a first application comprising instructions for execution on a first device, the link to initiate data transfer; authenticating a user associated with the first device by activating one or more actions based on the link; transmitting one or more requests for confirmation of quantity and recipient data associated with the data transfer; receiving one or more notifications that are based on the one or more requests for confirmation of quantity and recipient data associated with the data transfer; and performing one or more login credentials that are responsive to the one or more notifications so as to complete the data transfer.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: September 6, 2022
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Colin Hart, George Bergeron, Kaitlin Newman, Jeffrey Rule
  • Patent number: 11425132
    Abstract: An on-demand database system may receive a request to create a user account associated with a subdomain of the database system. The system may identify a pre-existing user account associated with a different subdomain of the database system where the pre-existing user account is associated with a personal communications address identified in the request. The system may create the requested account using personal information retrieved from the pre-existing user account.
    Type: Grant
    Filed: December 3, 2018
    Date of Patent: August 23, 2022
    Assignee: Salesforce.com, Inc.
    Inventors: Rafael Kabesa, Samantha Ready, Douglas Bitting, Matthew Bahrenburg, Sathish Raghunathan
  • Patent number: 11423178
    Abstract: A System on a Chip (SoC) includes a plurality of general purpose processors, a plurality of application specific processors, a plurality of SoC support processing components, a security processing subsystem (SCS), a general access Network on a Chip (NoC) coupled to and servicing communications between the plurality of general purpose processors and the plurality of SoC support components, and a proprietary access NoC coupled to and servicing communications for the plurality of application specific processors and the SCS. The SoC may further include a safety processor subsystem (SMS) coupled to the proprietary access NoC, wherein the proprietary access NoC further services communications for the SMS and isolates communications of the SMS from communications of the plurality of general purpose processors. The general access NoC and the proprietary access NoC isolate communications of the SCS and the SMS from communications of the plurality of general purpose processors.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: August 23, 2022
    Assignee: Tesla, Inc.
    Inventors: David Glasco, Patryk Kaminski, Thaddeus Fortenberry
  • Patent number: 11409897
    Abstract: Embodiments of the present disclosure are directed to techniques for constraint querying that allow data consumers to query collaborative data in a trustee environment, subject to configurable constraints, to derive collaborative intelligence without exposing underlying raw data provided by the tenants or collaborative data shielded by the trustee environment. Constraints can be applied in response to a query in multiple ways, including reformatting a query prior to execution, applying constraints after executing a query, constraining eligible queries for execution, applying access constraints prior to execution, and others. To reformat a query subject to constraints, the query can be parsed into an execution tree, which can be reformatted into a constrained execution tree by replacing executable units of logic inconsistent with a particular constraint with custom executable units of logic consistent with the constraint.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: August 9, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tomer Turgeman, Yisroel Gershon Taber, Lev Rozenbaum
  • Patent number: 11409904
    Abstract: Embodiments of the present disclosure are directed to techniques for constructing and configuring a data privacy pipeline to generate collaborative data in a data trustee environment. An interface of the trustee environment can serve as a sandbox for parties to generate, contribute to, or otherwise configure a data privacy pipeline by selecting, composing, and arranging any number of input datasets, computational steps, and contract outputs (e.g., output datasets, permissible named queries on collaborative data). The interface may allow a contributing party to use one or more unspecified “placeholder” elements, such as placeholder datasets or placeholder computations, as building blocks in a pipeline under development. Parameterized access control may authorize designated participants to access, view, and/or contribute to designated portions of a contract or pipeline.
    Type: Grant
    Filed: October 28, 2019
    Date of Patent: August 9, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tomer Turgeman, Yisroel Gershon Taber, Lev Rozenbaum, Ittay Levy Ophir
  • Patent number: 11403299
    Abstract: Embodiments of the present disclosure are directed to techniques for monitoring and orchestrating the use and generation of collaborative data in a trustee environment subject to configurable constraints. A user interface can be provided to enable tenants to specify desired computations and constraints on the use and access to their data. A constraint manager can communicate with various components in the trustee environment to implement the constraints. For example, requests to execute an executable unit of logic such as a command or function call may be issued to the constraint manager, which can grant or deny permission. Permission may be granted subject to one or more conditions that implement the constraints, such as requiring the replacement of a particular executable unit of logic with a constrained executable unit of logic. As constraints are applied, any combination of schema, constraints, and/or attribution metadata can be associated with the data.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: August 2, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Yisroel Gershon Taber, Tomer Turgeman, Lev Rozenbaum
  • Patent number: 11399281
    Abstract: Embodiments include methods performed by a key management node in a communication network. Such methods can include receiving, from an application function, a request for a security key specific to an application session for a particular user. The request can include a representation of the following information associated with the particular user: a first identifier of a non-application-specific anchor security key, and a second identifier related to a network subscription. Such methods can also include, based on the representation, determining an authentication server function that generated the non-application-specific anchor security key. Other embodiments include complementary methods performed by application functions, authentication server functions, and unified data management functions in the communication network. Other embodiments include network nodes configured to perform such methods.
    Type: Grant
    Filed: January 25, 2021
    Date of Patent: July 26, 2022
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Vlasios Tsiatsis, Cheng Wang, David Castellanos Zamora
  • Patent number: 11393559
    Abstract: A genomic data decoder may jointly compress and encrypt genomic data alignment information while preserving the privacy of sensitive genomic data elements at retrieval stage. Genomic data alignment information organized as a read-based alignment data stream may be transposed into a position-based alignment data stream. The position-based alignment information may be encoded into a reference-based alignment data stream. The reference-based alignment data stream may be encrypted with a combination of order-preserving encryption of the genomic position information and symmetric encryption of the reference-based alignment differential data. Differential encoding and entropy coding schemes may further compress the reference-based alignment data stream. The resulting compressed and encrypted stream may be indexed and stored in a biobank storage unit.
    Type: Grant
    Filed: March 8, 2017
    Date of Patent: July 19, 2022
    Assignee: SOPHIA GENETICS S.A.
    Inventors: Adam Molyneaux, Erman Ayday, Jean-Pierre Hubaux, Jesus Garcia, Zhicong Huang, Huang Lin
  • Patent number: 11394547
    Abstract: A hardware agent is a hardware device attached to, embedded in, or otherwise associated with a good. In particular, the hardware agent is bound to the good in such a way that information held by the agent may be confidently associated with the good. The hardware agent is constructed to securely hold information about the good, and information about stakeholders, such that the agent may autonomously make binding decisions regarding the good, including sales and financial transactions. Although the hardware agent may perform many functions autonomously, it often will have communication capabilities enabling it to share information with stakeholders, or to others as allowed.
    Type: Grant
    Filed: August 4, 2016
    Date of Patent: July 19, 2022
    Inventors: Jack Donner, Paul Atkinson
  • Patent number: 11388590
    Abstract: A method for communication in a WLAN includes onboarding, authenticating, and configuring respective BSSs of multiple access points in a multi-AP network. Respective cryptographic keys are generated for the multi-AP agents in the network by carrying out a handshaking procedure between the multi-AP controller and the multi-AP agents over the backhaul network. Upon detecting a predefined rekeying event in communications between the multi-AP controller and any given multi-AP agent, a new cryptographic key is generated for the given multi-AP agent by repeating the handshaking procedure, and applying the new cryptographic key in encrypting and authenticating messages following the rekeying event.
    Type: Grant
    Filed: November 19, 2019
    Date of Patent: July 12, 2022
    Assignee: MARVELL ASIA PTE LTD
    Inventors: Jinjing Jiang, Manish Kumar, Hui-Ling Lou
  • Patent number: 11379593
    Abstract: Examples associated with storage monitoring are described. One example system includes generating an encryption key and transmitting the encryption key to a basic input/output system (BIOS) security module. The BIOS security module uses the encryption key as a basis for a heartbeat. A provisioning module receives a signal identifying a monitored storage and generates an enforced storage associated with the monitored storage. The provisioning module also creates a manifest describing the relationship between the enforced storage and the monitored storage. The provisioning module transmits the manifest to the BIOS security module. A versioning module assigns a first access policy for the monitored storage and a second access policy to the enforced storage based on the manifest. The versioning module performs versioning for the monitored storage using the enforced storage, and periodically verifies operation to the BIOS security module using the heartbeat.
    Type: Grant
    Filed: August 16, 2017
    Date of Patent: July 5, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Ronaldo Rod Ferreira
  • Patent number: 11379622
    Abstract: A server device for managing privilege delegation to control execution of commands thereon is described. Execution of a command, according to first privileges, by a remote management (RM) server on the server device is requested from a RM client on a client device. An agent plug-in, chained to a command execution plug-in of the RM server, intercepts the request and forwards related information to an agent service cooperating with an operating system of the server device. The agent service determines whether to execute the command according to second privileges, different from the first privileges and if permitted, delegates the second privileges to the command, and causes, via the agent plug-in chained to the command execution plug-in, the command to be executed according to the second privileges.
    Type: Grant
    Filed: January 28, 2019
    Date of Patent: July 5, 2022
    Assignee: AVECTO LIMITED
    Inventors: John Goodridge, Thomas Couser
  • Patent number: 11368440
    Abstract: Various technologies described herein pertain to detecting operation of an autonomous vehicle on an untrusted network. The autonomous vehicle retrieves a beacon token from a data store of the autonomous vehicle. The beacon token comprises an identifier for the autonomous vehicle and an identifier for a server computing device. The autonomous vehicle generates a data packet based upon the beacon token, wherein the data packet includes the identifier for the autonomous vehicle. The autonomous vehicle transmits the data packet to the server computing device. When the data packet is transmitted via a trusted network, networking rules of the trusted network prevent the data packet from being received by the server computing device. When the data packet is transmitted via the untrusted network, the server computing device receives the data packet. Responsive to receiving the data packet, the server computing device generates and transmits an alert to a computing device.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: June 21, 2022
    Assignee: GM GLOBAL TECHNOLOGY OPERATIONS LLC
    Inventors: Mike Ruth, Timothy Strazzere