Patents Examined by Ka Shan Choy
  • Patent number: 10990678
    Abstract: There is provided a method to protect applications running in a hostile environment, including against trampoline based attacks which use DLL injection and code modification. The method includes protecting an application when access is performed from an injected DLL, and protecting the application when access is performed from modified code.
    Type: Grant
    Filed: July 25, 2018
    Date of Patent: April 27, 2021
    Inventors: Egemen Tas, Haibo Zhang
  • Patent number: 10984141
    Abstract: A self-powering tamper detection system architecture includes a power source, a tamper detector configured to identify a tamper event, a tamper switch electrically connected to the power source and mechanically connected to the tamper detector, a tamper controller configured to produce a tamper response when the tamper event is identified, and program memory configured to store program data. The tamper detector is configured to mechanically actuate the tamper switch when a tamper event occurs, and the tamper response provides a disruption of the program data. The tamper detector and the tamper switch can include printed circuit board and embedded transformer, whereby the embedded transformer includes an axially-moveable ferromagnetic core.
    Type: Grant
    Filed: October 26, 2018
    Date of Patent: April 20, 2021
    Assignee: Hamilton Sundstrand Corporation
    Inventors: Kirk A. Lillestolen, William E. Villano, David J. Manna
  • Patent number: 10977391
    Abstract: A self-powering tamper detection system architecture includes a power source, a tamper detector configured to mechanically actuate a tamper switch when a tamper event occurs, a tamper switch electrically connected to the power source and mechanically connected to the tamper detector, a tamper unlock system configured to provide a tamper unlock signal when an authorized maintenance condition exists, a tamper controller configured to produce a tamper response when the tamper event is identified, and to not produce the tamper response when the tamper unlock signal is provided, and program memory configured to store program data. The tamper response produces a disruption of the program data.
    Type: Grant
    Filed: October 26, 2018
    Date of Patent: April 13, 2021
    Assignee: Hamilton Sundstrand Corporation
    Inventors: Kirk A. Lillestolen, William E. Villano
  • Patent number: 10951396
    Abstract: According to an aspect of the present disclosure, the records of an audit log are stored using blockchain technology. The audit log is accordingly rendered immutable and thus tamper proof. According to another aspect of the present disclosure, the identity of each user is mapped to a corresponding code value using a one-way-function (that is, the user identity cannot practically be deciphered from the code value). A table is maintained with entries mapping the user identifiers to the code value. The records in the audit log are stored with the user identifiers substituted by the code values. The log records corresponding to the user are made unidentifiable as associated with the user by deleting the table entry corresponding to the user identifier of the user. Accordingly the ‘right to be forgotten’ may be supported. Another aspect extends such a right to general records.
    Type: Grant
    Filed: October 22, 2018
    Date of Patent: March 16, 2021
    Assignee: NUTANIX, INC.
    Inventors: Manjula Sridhar, Tushar Gupta, Vijay Rayapati, Yuvaraj Loganathan
  • Patent number: 10944545
    Abstract: A method of obfuscated performance of a predetermined function, wherein for the predetermined function there is a corresponding plurality of first functions so that, for a set of inputs for the function, a corresponding set of outputs may be generated by (a) representing the set of inputs as a corresponding set of values, wherein each value comprises at least part of each input of a corresponding plurality of the inputs, (b) generating a set of one or more results from the set of values, where each result is generated by applying a corresponding first function to a corresponding set of one or more values in the set of values, and (c) forming each output as either a part of a corresponding one of the results or as a combination of at least part of each result of a corresponding plurality of the results; wherein the method comprises: obtaining, for each value in the set of values, one or more corresponding transformed versions of said value, wherein a transformed version of said value is the result of applying
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: March 9, 2021
    Assignee: IRDETO B.V.
    Inventor: Michael Wiener
  • Patent number: 10922244
    Abstract: This disclosure is directed to a computing system that performs techniques relating to the secure storage, maintenance, and retrieval of data. Techniques described in this disclosure may prevent, limit, or otherwise insulate the data from unauthorized access by hackers, rogue devices, and unauthorized users. In some examples, a computing system may store a file by fracturing the file into multiple data blocks, encrypting the data blocks or the data stored within the data blocks, and storing the data blocks in scattered locations on a network. Further, the computing system may occasionally move at least some of the stored data blocks, and may, upon moving such data blocks, reencrypt the moved data blocks with a different encryption key. Still further, the computing system may inject fake data and/or fake data blocks into the system.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: February 16, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Basil F. Nimry, Nicholas Gillis, Ankush Bhatia
  • Patent number: 10904219
    Abstract: A relay-proxy device has first and second interfaces allowing connection to a first node and a second node respectively, wherein the relay-proxy device is configured with at least one key, and the relay-proxy device is operable to: receive a traffic flow in an encrypted transport protocol on the first interface; decrypt a first part of the traffic flow with said key, wherein a second part of the traffic flow cannot be decrypted with said key; perform a management function based on a content of the decrypted first part of the traffic flow; and forward at least the second part of the encrypted traffic flow to the second interface.
    Type: Grant
    Filed: March 2, 2016
    Date of Patent: January 26, 2021
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Göran Eriksson, Marcus Ihlar, Daniel Lindström, Zaheduzzaman Sarker
  • Patent number: 10902123
    Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a performance monitoring unit (PMU); and one or more tangible, non-transitory computer-readable mediums having stored thereon executable instructions to provide a kernel space threat detection engine to: receive a PMU event; correlate the PMU event to a computer security threat including extracting artifacts from the PMU event, and correlating the artifacts to an artifact profile for a known attack; and identify a process associated with the PMU event as a potential attack.
    Type: Grant
    Filed: July 30, 2018
    Date of Patent: January 26, 2021
    Assignee: McAfee, LLC
    Inventors: Carl D. Woodward, Kunal Mehta
  • Patent number: 10903982
    Abstract: The present disclosure relates to a smart contract-based data transfer method, comprising the steps of: a data source encrypting data to be transferred based on a first mechanism to form encrypted data, and sending the encrypted data to a smart contract terminal; the smart contract terminal decrypting the encrypted data based on a second mechanism corresponding to the first mechanism to form the decrypted data, and processing the decrypted data by using at least one logic unit to form the resulting data; and the smart contract terminal sending the resulting data to a data-related party; wherein the at least one logic unit executes an instruction set to implement a contract logic, and the instruction set is stored in a blockchain.
    Type: Grant
    Filed: December 10, 2018
    Date of Patent: January 26, 2021
    Assignee: CHINA UNIONPAY CO., LTD.
    Inventors: Yuzhuang Xu, Yu Zhou, Tao Zhu, Xiang Yao
  • Patent number: 10897709
    Abstract: A method of granting access to a wireless network is provided allowing approval by a trusted authenticator. The method includes receiving a request to join a wireless network at a gateway from a client device, determining with the gateway whether the client device is within a predefined trusted zone, sending a notification of a potential new connection with the client device from the gateway to the trusted authenticator. The trusted authenticator then provides a response regarding the potential new connection, wherein the gateway denies network access to the client device when the gateway determines that the client device is outside the trusted zone or when the response from the trusted authenticator rejects the potential new connection, and wherein the gateway grants network access to the client device when the gateway determines that the client device is inside the trusted zone and when the response from the trusted authenticator approves the potential new connection.
    Type: Grant
    Filed: December 9, 2016
    Date of Patent: January 19, 2021
    Assignee: ARRIS Enterprises LLC
    Inventors: Karthick Somalinga Nagarajamoorthy, Somesh Saraf, Sudeepta Bhuyan, Epari Aurovind Sagar
  • Patent number: 10887294
    Abstract: A set of cryptographic keys are synchronized across a set of HSMs that are configured in an HSM cluster. The set of cryptographic keys is maintained in a synchronized state by HSM cluster clients running on client computer systems with corresponding client applications. If the HSM cluster becomes unsynchronized, an HSM cluster client attempts to lock the HSM cluster and reestablish synchronization of the cryptographic keys across the HSM cluster. HSMs within the HSM cluster are able to establish an encrypted communication channel to other HSMs without revealing the contents of their communications to their respective host computer systems. Individual HSMs in the HSM cluster may include features that assist the HSM cluster client in determining whether each HSM is up-to-date, identifying particular keys that are not up-to-date, and copying keys from one HSM to another HSM within the HSM cluster.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: January 5, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Benjamin Philip Grubin, Benjamin Samuel
  • Patent number: 10873591
    Abstract: An attack detection device includes: a receiver configured to receive a message that includes target identification information transmitted in a network; and a processor. The processor predicts a number of messages to be received by the receiver in a specified monitor period based on a transmission cycle so as to generate a predicted value. The processor counts a number of messages received by the receiver in the monitor period so as to generate a count value. When the count value is larger than the predicted value and smaller than or equal to a reference value that is obtained by adding an early-arrival acceptable value to the predicted value, the processor decides whether the network has been attacked according to a result of a comparison between the predicted value and the count value after an early-arrival grace period corresponding to the early-arrival acceptable value elapses.
    Type: Grant
    Filed: January 17, 2019
    Date of Patent: December 22, 2020
    Assignee: FUJITSU LIMITED
    Inventors: Jun Yajima, Takayuki Hasebe
  • Patent number: 10868810
    Abstract: The present disclosure discloses a virtual reality (VR) scene-based authentication method, a VR device, and a storage medium. The method includes: receiving an authentication request in a VR scene; collecting to-be-authenticated fingerprint information by using a fingerprint collection device in a physical scene; sending the to-be-authenticated fingerprint information to an authenticator in the physical scene; and receiving, in the VR scene, authentication result information sent by the authenticator, where the authentication result information is used to indicate whether the to-be-authenticated fingerprint information has passed the authentication.
    Type: Grant
    Filed: November 30, 2018
    Date of Patent: December 15, 2020
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventor: Dhaval Jitendra Joshi
  • Patent number: 10855673
    Abstract: A compliance application automatically produces certification controls by translating framework controls. The framework controls are common certification controls used in production of the certification. The application retrieves framework controls including metadata from a compliance framework data store. Metadata of the framework controls map the framework controls to the certification. In addition, the application retrieves certification parity data associated with the metadata. Certification controls are produced based on the framework controls and the certification parity data. A view of the certification including the certification controls is provided to a customer requesting the certification.
    Type: Grant
    Filed: February 21, 2018
    Date of Patent: December 1, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: David Nunez Tejerina, Shawn Veney, Melissa Rodriguez, Gregory Roberts, Arthur J. Schwab
  • Patent number: 10855444
    Abstract: A flow controller selects a direction (encryption/decryption) for an AES core according to quality of service parameters and a number of data words in encryption and decryption data buffers. A direction ratio may be calculated as a function of the quality of service parameters and the number of data words in the encryption and decryption data buffers. The flow controller selects the direction to reduce a cost function. The cost function may be at a minimum when a ratio of words in the encryption and decryption data buffers is the same as the direction ratio. A key management unit supplies keys according to the selected direction to the AES cores. Multiple AES cores may be used.
    Type: Grant
    Filed: October 24, 2018
    Date of Patent: December 1, 2020
    Assignee: PETAIO INC.
    Inventors: Fan Yang, Aditi Rema Ganesan
  • Patent number: 10848504
    Abstract: An attack detection device includes: a receiver configured to receive messages that are periodically transmitted from a communication device in a network; and a processor. The processor predicts a number of messages to be received by the receiver in a specified monitor range based on a transmission cycle of the messages so as to generate a predicted value. The processor counts a number of messages received by the receiver in the specified monitor range so as to generate a count value. The processor detects an attack in the network according to a result of a comparison between the predicted value and the count value.
    Type: Grant
    Filed: June 6, 2018
    Date of Patent: November 24, 2020
    Assignee: FUJITSU LIMITED
    Inventors: Jun Yajima, Takayuki Hasebe, Yasuhiko Abe
  • Patent number: 10848502
    Abstract: Aspects of the present disclosure relate to systems and methods for partitioning an OS or hypervisor utilized on a computing device from the process of proxy control. For example, a proxy may be installed on a separation kernel or firmware on a computing device that routes all data traffic received via a network connection to a cloud which performs various services such as IP reputation management, URL reputation detection and validation, malicious file filtering through potential malware detection.
    Type: Grant
    Filed: December 1, 2016
    Date of Patent: November 24, 2020
    Assignee: WEBROOT INC.
    Inventor: David Dufour
  • Patent number: 10824715
    Abstract: Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or hypervisor fingerprinting. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a CPU ID instruction handler (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it). The CPU ID instruction handler may perform processing, inter alia, to return configurable values different from the actual values for the physical hardware. The virtualization assistance layer may further contain virtual devices, which when probed by guest operating system code, return the same values as their physical counterparts.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: November 3, 2020
    Assignee: Lynx Software Technologies, Inc.
    Inventor: Edward T. Mooring
  • Patent number: 10810289
    Abstract: Apparatuses, systems, and methods of the present disclosure may provide access security in a process control system. For example, current biometric data representative of a user may be acquired and compared to stored biometric data representative of previously identified users. Access to the process control system may be authorized when the current biometric data matches stored biometric data.
    Type: Grant
    Filed: August 15, 2016
    Date of Patent: October 20, 2020
    Assignee: FISHER-ROSEMOUNT SYSTEMS, INC.
    Inventors: Aaron C. Jones, Andrew E. Cutchin
  • Patent number: 10785221
    Abstract: In some implementations, a computing system can be configured so that a first user device can delegate a first user's media account credentials to a second user device corresponding to a second user. For example, a playback device may be configured with the second user's media account credentials for accessing media items through a network media service. A first user may wish to play media items associated with the first user's media account credentials on the playback device. To do so, the first user device can request a device identifier for the playback device, request and obtain a delegate token for the device identifier from the media service, and provide the delegate token along with media item information to the playback device. The playback device can then use the delegate token to request the media item associated with the first user's media access account.
    Type: Grant
    Filed: May 3, 2018
    Date of Patent: September 22, 2020
    Assignee: Apple Inc.
    Inventors: David C. Graham, Taylor G. Carrigan, Nicholas J. Paulson, Johannes P. Schmidt, Thomas Alsina, Bob Bradley, Haishan Ye, James C. Grandy, Pierre De Lastic, Julien Lerouge