Patents Examined by Joseph P. Hirl
  • Patent number: 12259973
    Abstract: Systems and methods related to flush plus reload cache side-channel attack mitigation are described. An example method for mitigating a side-channel timing attack in a system including a processor having at least one cache is described. The method includes receiving a first instruction, where the first instruction, when executed by the processor, is configured to flush at least one cache line from the at least one cache associated with the processor. The method further includes, prior to execution of the first instruction by the processor, automatically mapping the first instruction to a second instruction such that the at least one cache line is not flushed from the at least one cache even in response to receiving the first instruction.
    Type: Grant
    Filed: June 13, 2022
    Date of Patent: March 25, 2025
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ishwar Agarwal, Bharat Pillilli, Vishal Soni
  • Patent number: 12254110
    Abstract: An example system includes a processor to generate regular expressions representing textual pattern facets of sub-formats of a composite format, and a regular expression representing a composite textual pattern of the composite format based on sub-format and composition type. The processor can search the data using generated regular expression representing composite textual patterns to detect occurrences of candidate matches. The processor can recursively match and validate the detected occurrences with the composite format and hierarchically match and validate sub-formats in the detected occurrence. The processor can mask in place the detected occurrence of the composite format in the data using ranking-based integer format preserving masking.
    Type: Grant
    Filed: June 1, 2021
    Date of Patent: March 18, 2025
    Assignee: International Business Machines Corporation
    Inventors: Ariel Farkash, Micha Gideon Moffie
  • Patent number: 12255921
    Abstract: Methods, apparatus, and software for efficient encryption in virtual private network (VPN) sessions. A VPN link and an auxiliary link (and associated sessions) are established between computing platforms to support end-to-end communication between respective applications running on the platforms. The VPN link may employ a conventional VPN protocol such as TLS or IPsec, while the auxiliary link comprises a NULL encryption VPN tunnel. To transfer data, a determination is made as to whether the data are encrypted or non-encrypted. Encrypted data are transferred over the auxiliary link to avoid re-encryption of the data. Non-encrypted data are transferred over the VPN link. TLS and IPsec VPN agents may be used to assist in setting up the VPN and auxiliary sessions. The techniques avoid double encryption of VPN traffic, while ensuring that various types of traffic transferred between platforms are encrypted.
    Type: Grant
    Filed: June 16, 2021
    Date of Patent: March 18, 2025
    Assignee: Intel Corporation
    Inventors: Akhilesh S. Thyagaturu, Vinodh Gopal
  • Patent number: 12254096
    Abstract: A comparison means compares a first risk analysis result with a second risk analysis result. The first risk analysis result includes a first risk evaluation value. The second risk analysis result includes a second risk evaluation value. Based on the result of the comparison, a display means displays the first risk evaluation value in such a manner that a first risk evaluation value for which there is a second risk evaluation value, in the second risk analysis result, for an attack step of which an attack destination coincides with an asset included in the first risk analysis result and an attack method coincides with an attack method included in the first risk analysis result can be distinguished from a first risk evaluation value for which there is no such second risk evaluation value.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: March 18, 2025
    Assignee: NEC CORPORATION
    Inventors: Ryo Mizushima, Hirofumi Ueda, Tomohiko Yagyu
  • Patent number: 12254474
    Abstract: The disclosed computer-implemented method for enforcing strict network connectivity and storage access during online payments may include (i) determining that a webpage in a tab of a browser application executing on the computing device includes a payment page for an e-commerce website, (ii) based on determining that the webpage includes a payment page, providing formjacking attack protection by monitoring network connectivity and storage access by the browser tab, (iii) based on the formjacking attack protection, identifying a potentially malicious attempt to hijack information entered into at least one web form included in the payment page, and (iv) in response to identifying the potentially malicious attempt, preventing the potentially malicious attempt from hijacking the information entered into the at least one web form included in the payment page. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 6, 2021
    Date of Patent: March 18, 2025
    Assignee: GEN DIGITAL INC.
    Inventors: Bahaa Naamneh, David Luz Silva, Iskander Sanchez Rola
  • Patent number: 12255879
    Abstract: Systems and methods are described for securely and efficiently processing electronic content. In one embodiment, a first application running on a first computing system establishes a secure channel with a second computing system, the secure channel being secured by one or more cryptographic session keys. The first application obtains a license from the second computing system via the secure channel, the license being encrypted using at least one of the one or more cryptographic session keys, the license comprising a content decryption key, the content decryption key being further encrypted using at least one of the one or more cryptographic session keys or one or more keys derived therefrom.
    Type: Grant
    Filed: May 10, 2021
    Date of Patent: March 18, 2025
    Assignee: Intertrust Technologies Corporation
    Inventors: Gary Ellison, Gilles Boccon-Gibod, Pierre Chavanne
  • Patent number: 12250320
    Abstract: A method of securing operating instructions for a driver assistance system of a motor vehicle. The method includes: a) implementing a distributed blockchain including a plurality of blocks, a copy of the blockchain being stored on each of a plurality of nodes, wherein each block includes a different version of the operating instructions; and b) performing a verification routine including checking that the copies of the blockchain are identical and, where a fault copy of the blockchain is not identical, flagging the fault copy as insecure and preventing use of the fault copy, thus preventing installation of the operating instructions comprised in the blocks of the fault copy.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: March 11, 2025
    Assignee: Magna Electronics Sweden AB
    Inventors: Jochen Schnabel, Olaf Schwartz, Jonas Villasmil
  • Patent number: 12250554
    Abstract: This disclosure relates generally to wireless communications and, more particularly, to systems and methods for radio resource control (RRC) connection management in a network sharing configuration, including an RRC resume from an RRC inactive state, and RRC re-establishment. In one embodiment, a method performed by a communication node, includes: receiving a request from a communication device to establish a current connection associated with a prior connection between the communication device and a prior communication node, wherein the request comprises communication device authentication information; and establishing the current connection based on a determination that communication node authentication information matches the communication device authentication information, wherein the communication node authentication information is based on a predetermined subset of input parameters, and wherein the determination is performed at the communication node or at the prior communication node.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: March 11, 2025
    Assignee: ZTE Corporation
    Inventors: Jianxun Ai, He Huang, Yin Gao, Xiaojuan Shi, Yuan Gao
  • Patent number: 12248540
    Abstract: An information processing device includes: a hardware processor that executes a license check of software, wherein the hardware processor detects a request for remote access to the software, extracts a description about remote access from a license agreement of the software to which a request for remote access is requesting access, and determines, based on the extracted description about the remote access, whether the remote access is a license violation.
    Type: Grant
    Filed: March 31, 2022
    Date of Patent: March 11, 2025
    Assignee: Konica Minolta, Inc.
    Inventor: Megumi Miura
  • Patent number: 12244696
    Abstract: A server can receive a device public key and forward the device public key to a key server. The key server can perform a first elliptic curve Diffie-Hellman (ECDH) key exchange using the device public key and a network private key to derive a secret X1. The key server can send the secret X1 to the server. The server can derive an ECC PKI key pair and send to the device the server public key. The server can conduct a second ECDH key exchange using the derived server secret key and the device public key to derive a secret X2. The server can perform an ECC point addition using the secret X1 and secret X2 to derive a secret X3. The device can derive the secret X3 using (i) the server public key, a network public key, and the device private key and (ii) a third ECDH key exchange.
    Type: Grant
    Filed: March 12, 2024
    Date of Patent: March 4, 2025
    Assignee: IoT and M2M Technologies, LLC
    Inventor: John A Nix
  • Patent number: 12245033
    Abstract: A first network component in a first wireless network may be configured to: receive a first request from a core network component in the first wireless network, to authenticate a User Equipment device (UE); and attempt to authenticate the UE. When the attempt to authenticate the UE is successful, the first component may send a first reply to the core network component. The first reply may indicate that the UE is successfully authenticated. When the attempt to authenticate the UE is not successful, the first component may send a second request to authenticate the UE to a second network component in a second wireless network; and receive a response to the second request from the second network component. The response may indicate whether the UE is successfully authenticated at the second network component.
    Type: Grant
    Filed: December 23, 2021
    Date of Patent: March 4, 2025
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Zoltan Janos Dudar
  • Patent number: 12244741
    Abstract: Systems and methods of generating a security key for an integrated circuit device include generating a plurality of key bits with a physically unclonable function (PUF) generator. Unstable bits of the plurality of key bits are identified, and a security key is generated based on the plurality of key bits, wherein the security key excludes the identified unstable bits.
    Type: Grant
    Filed: November 22, 2023
    Date of Patent: March 4, 2025
    Assignee: Taiwan Semiconductor Manufacturing Company, Ltd.
    Inventors: Saman M. I. Adham, Shih-Lien Linus Lu, Peter Noel
  • Patent number: 12238198
    Abstract: Systems and methods for enabling constant plaintext space in bootstrapping in fully homomorphic encryption (FHE) are disclosed. A computer-implemented method for producing an encrypted representation of data includes accessing a set of encoded digits. The method includes applying an inverse linear transformation to the set of encoded digits to obtain a first encoded polynomial. The method includes applying a modulus switching and dot product with bootstrapping key to add an error term to each of the encoded digits in the first polynomial to obtain a second encoded polynomial. The method includes applying a linear transformation to the second encoded polynomial to obtain a first batch encryption. The method includes applying digit extraction to the first batch encryption to obtain a second batch encryption, the second batch encryption corresponding to the set of encoded digits without the error term.
    Type: Grant
    Filed: May 3, 2021
    Date of Patent: February 25, 2025
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hao Chen, Kyoohyung Han
  • Patent number: 12231467
    Abstract: A server system in communication with a plurality of machines that form a linear communication orbit establishes a direct duplex connection between the server system and a first endpoint machine. The server system enrolls the first endpoint machine as a satellite endpoint machine, which enables the satellite endpoint machine to execute one or more function modules. Typically, the server system authenticates, via the direct duplex connection, the first endpoint machine, and, after authenticating the first endpoint machine, sends, to the first endpoint machine, an instruction for executing a function module. The server system receives a report including information obtained by the first endpoint machine executing the function module. At least one of the establishing a direct duplex connection, sending the instruction, and receiving the report includes sending or receiving a communication between the first endpoint machine and the server system via the linear communication orbit.
    Type: Grant
    Filed: July 1, 2022
    Date of Patent: February 18, 2025
    Assignee: Tanium Inc.
    Inventors: Stephen C. Will, Casey J. Watson, Bryan J. Blanchard, Ryan C. Catherman, Yasmine Hal, Clifford J. Mather
  • Patent number: 12229268
    Abstract: The application relates to a method of attesting a state of a computing environment comprising a plurality of components and a plurality of dependency relationships between the plurality of components. The method comprises the steps of A) generating a directed acyclic graph comprising a plurality of nodes and a plurality of directed edges connecting the nodes, and B) generating an attest of the state of the computing environment using the directed acyclic graph. Generating a directed acyclic graph comprises: A1) associating a node with each component; A2) associating a node with each dependency relationship and assigning the node with a hash value of data descriptive of said dependency relationship; A3) connecting, using directed edges, each node associated with a dependency relationship to a node(s) associated with a component(s) included in the respective dependency relationship; and A4) assigning each node with a hash value of all of its subnodes.
    Type: Grant
    Filed: July 13, 2021
    Date of Patent: February 18, 2025
    Assignee: GAPFRUIT AG
    Inventors: Jan Siddartha Hussmann, Stefan Thöni, Roman Iten, Pirmin Duss
  • Patent number: 12231443
    Abstract: There is disclosed a system and method of detecting security threats for an enterprise, including: filtering a first set of endpoint metadata records to identify a subset of metadata records, wherein filtering includes identifying endpoint security metadata records that are uncommon in context of the enterprise; and designating the subset of metadata records as indicating a potential security threat including designating the subset of metadata records for human analysis.
    Type: Grant
    Filed: March 14, 2023
    Date of Patent: February 18, 2025
    Assignee: Musaruba US LLC
    Inventors: Agustin Matias March, Raul Osvaldo Robledo, Alejandro Houspanossian, Gabriel Infante Lopez
  • Patent number: 12231445
    Abstract: Methods and apparatus for real-time security monitoring on a computing device are presented. A system may define privileges to access hardware interfaces for each process of a plurality of processes executing on a computing device. The privileges may be defined in a privileged operating system level that controls root access to an operating system. In response to a determination that a process is attempting to access a hardware interface, the system may determine whether the process is privileged to access the hardware interface by checking the privileges. In response to determining that the process is not privileged to access the hardware interface, the intrusion detection agent may terminate the process.
    Type: Grant
    Filed: October 18, 2023
    Date of Patent: February 18, 2025
    Assignee: Comcast Cable Communications, LLC
    Inventors: James Fahrny, Kyong Park
  • Patent number: 12231460
    Abstract: Systems, methods, and computer-readable storage media for improving cybersecurity protections across entities. One system includes a response system including one or more processing circuits including memory and at least one processor configured to generate a decentralized identity passport for each of a plurality of entities. The at least one processor is further configured to attach or embed a plurality of proof of controls to the decentralized identity passport of an entity of the plurality of entities, the plurality of proof of controls corresponding to one or more cybersecurity protection actions implemented by the entity. The at least one processor is further configured to record the plurality of proof of controls on a distributed ledger or data source as one or more exchanges linked to the decentralized identity passport.
    Type: Grant
    Filed: April 5, 2024
    Date of Patent: February 18, 2025
    Assignee: AS0001, Inc.
    Inventor: Jonathan J. Thompson
  • Patent number: 12231318
    Abstract: A uniform protocol can facilitate secure, authenticated communication between a controller device and an accessory device that is controlled by the controller. An accessory and a controller can establish a pairing, the existence of which can be verified at a later time and used to create a secure communication session. The accessory can provide an accessory definition record that defines the accessory as a collection of services, each service having one or more characteristics. Within a secure communication session, the controller can interrogate the characteristics to determine accessory state and/or modify the characteristics to instruct the accessory to change its state.
    Type: Grant
    Filed: February 10, 2022
    Date of Patent: February 18, 2025
    Assignee: Apple Inc.
    Inventors: Joe Abuan, Bob Bradley, Craig Dooley, Gregg Golembeski, Jr., Andrew Burks, Srinivas Rama, Arun Mathias, Anush Nadathur, Kevin P. McLaughlin
  • Patent number: 12231444
    Abstract: Systems, methods, and computer-readable media for performing threat remediation through a switch fabric of a virtualized network environment. Data traffic passing into a virtualized network environment including a plurality of virtual machines running on a switch fabric is monitored. A network threat introduced through at least a portion of the data traffic is identified at the switch fabric. One or more remedial measures are performed in the network environment based on the identification of the network threat in the virtualized network environment.
    Type: Grant
    Filed: January 17, 2024
    Date of Patent: February 18, 2025
    Assignee: Cisco Technology, Inc.
    Inventors: Balaji Sundararajan, Gaurang Rajeev Mokashi, Preety Mordani, Vivek Agarwal