Patents Examined by Robert Leung
  • Patent number: 9740886
    Abstract: A software security layer may be used to protect a system against exploitation of a hardware encoder accelerator by malicious data embedded in the one or more frames of encoded digital streaming data. It is emphasized that this abstract is provided to comply with the rules requiring an abstract that will allow a searcher or other reader to quickly ascertain the subject matter of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims.
    Type: Grant
    Filed: February 27, 2014
    Date of Patent: August 22, 2017
    Assignee: SONY INTERACTIVE ENTERTAINMENT INC.
    Inventors: Jason N. Wang, Cheng Huang
  • Patent number: 9734325
    Abstract: A method includes receiving a request at a first hypervisor from an application within a virtual machine. The virtual machine is executed within a virtualization layer supported by a second hypervisor, and the virtual machine and the hypervisors are executed by a computing node. The method also includes interrupting execution of the application and determining an authorization key using hashing operations performed by the first hypervisor based on measurements associated with the computing node and data associated with the first hypervisor. The method further includes storing the authorization key and resuming execution of the application. In addition, the method could include performing the receiving, interrupting, determining, storing, and resuming steps at each of multiple computing nodes in a computing cloud, where each computing node executes first and second hypervisors. The first hypervisors in the computing nodes can bind the virtual machine to the computing cloud.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: August 15, 2017
    Assignee: Forcepoint Federal LLC
    Inventors: Matthew D. Neumann, Irby J. Thompson, Jr., Michael Simms
  • Patent number: 9727747
    Abstract: Location, time, and other contextual mobile application policies are disclosed. Access state information associated with a managed set of applications may be determined based at least in part on environmental context data associated with a mobile device and one or more contextual policies associated with the managed set of applications. The access state information may be provided to at least one application included in the managed set of applications, wherein at least one application in the managed set of applications is configured to use the access state information to regulate use of the application in a manner required by the one or more contextual policies.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: August 8, 2017
    Assignee: MOBILE IRON, INC.
    Inventors: Mansu Kim, Joshua Sirota, Suresh Kumar Batchu
  • Patent number: 9723020
    Abstract: The present invention provides a method for scanning information to be scanned in a computer device, the information to be scanned needing multiple scans, and the method comprising the steps of: a. determining a delay duration from the end of a scan for the information to be scanned to the start of a next scan according to current performance information about the CPU of the computer device; and b. scanning the information to be scanned according to the delay duration. According to the solution of the present invention, by determining a delay duration from the end of a scan for the information to be scanned to the start of a next scan according to current performance information about the CPU of a computer device, and scanning according to the delay duration, problems such as slow running due to high occupancy ratio of CPU resources during scanning can be avoided.
    Type: Grant
    Filed: December 31, 2014
    Date of Patent: August 1, 2017
    Assignee: BAIDU ONLINE NETWORK TECHNOLOGY (BEIJING) CO., LTD.
    Inventors: Mingqiang Guo, Yongcheng Zhang
  • Patent number: 9722979
    Abstract: A method and system are provided for automatic wireless connection to a digital device in a portable terminal, wherein information about the portable terminal is acquired. The information about the portable terminal is commonly used for automatic wireless connection to the digital device. A state of a Wireless Local Area Network (WLAN) is checked and activated, and the WLAN is set to an Ad-hoc mode. A Service Set Identifier (SSID) of the WLAN is set using the acquired portable terminal information, a security key of the WLAN is set using the acquired portable terminal information, and an Internet Protocol (IP) address of the WLAN is automatically set using the acquired portable terminal information.
    Type: Grant
    Filed: February 12, 2010
    Date of Patent: August 1, 2017
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Woo-Jin Park, Jin-Hyoung Kim, Jin-Wook Lee, Je-Hyok Ryu, Hun Lim, Shin-Il Kang, Gene-Moo Lee
  • Patent number: 9721096
    Abstract: A device may identify a set of features associated with the unknown object. The device may determine, based on inputting the set of features into a threat prediction model associated with a set of security functions, a set of predicted threat scores. The device may determine, based on the set of predicted threat scores, a set of predicted utility values. The device may determine a set of costs corresponding to the set of security functions. The device may determine a set of predicted efficiencies, associated with the set of security functions, based on the set of predicted utility values and the set of costs. The device may identify, based on the set of predicted efficiencies, a particular security function, and may cause the particular security function to be executed on the unknown object. The device may determine whether another security function is to be executed on the unknown object.
    Type: Grant
    Filed: June 13, 2016
    Date of Patent: August 1, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Jacob Asher Langton, Daniel J. Quinlan
  • Patent number: 9715599
    Abstract: A system and method is provided to permit a first computer to interact with computers in different security domains without forming covert channels. Separate GPUs are provided for each computer. An image routing map (IRM) determines which security domain is the subject of an I/O event to determine to which security domain to send the I/O event. A response is transmitted to the associated GPU and multiplexor and another response used to update the IRM, which is then provided to the MUX. The MUX uses the updated IRM to adjust the content on the monitor. Content from the security domains is able to be displayed on the monitor and in a similar manner as by the computer in each security domain.
    Type: Grant
    Filed: January 30, 2015
    Date of Patent: July 25, 2017
    Assignee: Forcepoint Federal LLC
    Inventor: Dale W. Reese
  • Patent number: 9710315
    Abstract: A computing device may be configured to generate and execute a task that includes one or more blocking constructs that each encapsulate a blocking activity and a notification handler corresponding to each blocking activity. The computing device may launch the task, execute one or more of the blocking constructs, register the corresponding notification handler for the blocking activity that will be executed next with the runtime system, perform the blocking activity encapsulated by the blocking construct to request information from an external resource, cause the task to enter a blocked state while it waits for a response from the external resource, receive an unblocking notification from an external entity, and invoke the registered notification handler to cause the task to exit the blocked state and/or perform clean up operations to exit/terminate the task gracefully.
    Type: Grant
    Filed: January 19, 2015
    Date of Patent: July 18, 2017
    Inventors: Tushar Kumar, Pablo Montesinos Ortego, Arun Raman
  • Patent number: 9712534
    Abstract: A processing device receives a permission request indicating a user and an entity. The processing device modifies a permissions database to generate a modified database view. Using the modified database view, the processing device determines whether the user has permission to access the entity and returns an indication of whether the user has permission to access the entity.
    Type: Grant
    Filed: November 2, 2015
    Date of Patent: July 18, 2017
    Assignee: Red Hat Israel, Ltd.
    Inventor: Allon Mureinik
  • Patent number: 9710676
    Abstract: In a case where a processing request corresponding to an instruction transmitted from a data processing apparatus is accepted from an external apparatus, an appropriate processing based on a processing request corresponding to an instruction made by a user who operates the data processing apparatus is performed.
    Type: Grant
    Filed: November 9, 2009
    Date of Patent: July 18, 2017
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Yoshihito Nanaumi
  • Patent number: 9703586
    Abstract: A virtual hard disk drive containing a guest operating system is bound to a source computing device through encryption. When the virtual hard drive is moved to a different computing device, a virtual machine manager instantiates a virtual machine and causes the virtual machine to boot the operating system from the virtual hard disk drive. Because the guest operating system is encrypted by an encryption device on a source computing device, the virtual machine causes the decryption of the guest operating system with a copy of the key. The virtual hard disk is bound to the target computing device through encryption based on hardware on the target computing device.
    Type: Grant
    Filed: February 17, 2010
    Date of Patent: July 11, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Son VoBa, Octavian T. Ureche
  • Patent number: 9698986
    Abstract: In a general aspect, shared secrets for lattice-based cryptographic protocols are generated. In some aspects, a public parameter (a) is obtained, where the public parameter is an array defined for a lattice-based cryptography system. A first secret value (s) and a second secret value (b) are obtained. The first secret value is a second array defined for the lattice-based cryptography system, and is generated based on sampling an error distribution. The second secret value is a third array defined for the lattice-based cryptography system, and is a product of the first and second arrays (b?as). A public key (b̂) is then generated by applying a compression function to the second secret value (b), and the public key is sent to an entity. A shared secret (?) is then generated based on information received from the entity in response to the public key.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: July 4, 2017
    Assignee: ISARA Corporation
    Inventors: Gustav Michael Gutoski, Marinus Struik
  • Patent number: 9697360
    Abstract: A system and method for changing authority for a secure booting operation and an electronic device thereof are provided. The system includes a memory including a plurality of key bit areas in each of which a root key can be received, and a processor core configured to input a new root key to one of the plurality of key bit areas of the memory in response to an external input.
    Type: Grant
    Filed: December 31, 2014
    Date of Patent: July 4, 2017
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Yo Hwa Kim, Michael Pak, Chan Kyu Han
  • Patent number: 9699170
    Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
    Type: Grant
    Filed: April 30, 2014
    Date of Patent: July 4, 2017
    Assignee: Oracle International Corporation
    Inventors: Ajay Sondhi, Ching-Wen Chu, Venkata S. Evani
  • Patent number: 9674194
    Abstract: A resource owner or administrator submits a request to a permissions management service to create a permissions grant which may include a listing of actions a user may perform on a resource. Accordingly, the permissions management service may create the permissions grant and use a private cryptographic key to digitally sign the created permissions grant. The permissions management service may transmit this digitally signed permissions grant, as well as a digital certificate comprising a public cryptographic key for validating the permissions grant, to a target resource. The target resource may use the public cryptographic key to validate the digital signature of the permissions grant and determine whether a user is authorized to perform one or more actions based at least in part on a request from the user to perform these one or more actions on the resource.
    Type: Grant
    Filed: March 12, 2014
    Date of Patent: June 6, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Jon Arron McClintock, Darren Ernest Canavor, Daniel Wade Hitchcock, Jonathan Kozolchyk
  • Patent number: 9674700
    Abstract: One feature pertains to biometric authentication of a user between devices. In one aspect, an ad hoc personal wireless network may include a primary device and one or more secondary devices using grouping policies such as proximity policies and other permissions. The primary device shares a biometric authentication value of a user with the one or more secondary devices. Each secondary device may then perform additional authentication of the same user using a relatively low reliability biometric sensor such as a digital camera for facial recognition, a microphone for voice recognition or an accelerometer for gesture recognition. The secondary authentication results may be combined with the biometric authentication score/level from the primary device to form a final authentication score/level of the secondary device, which is used to authenticate the user of the secondary device for one or more transactions such as consumer purchases, secure content access, or secure control.
    Type: Grant
    Filed: November 4, 2014
    Date of Patent: June 6, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Fitzgerald John Archibald, John Schneider
  • Patent number: 9674227
    Abstract: A set of compliance policy updates are received. The compliance policy updates are sent to workloads for application. A status of the application of the compliance policies to the workloads is received from the workloads and output.
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: June 6, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hao Zhang, Krishna Kumar Parthasarathy, Lucy Chao, Mashuri Libman, Anatoly Koretsky, Liphi Gao, Yongjun Xie, David Alexander Blyth
  • Patent number: 9660810
    Abstract: A method for providing secret delegation may comprise receiving a credential secret applied to an algorithm associated with a distributed application in a trusted execution environment, causing delegation of the credential secret from one communication device to at least one other communication device, and modifying the credential secret prior to transfer of a modified version of the credential secret to the at least one other communication device in a manner that enables a generation of the credential secret to be determined. An apparatus and computer program product corresponding to the method are also provided.
    Type: Grant
    Filed: April 15, 2011
    Date of Patent: May 23, 2017
    Assignee: Nokia Technologies Oy
    Inventors: Jan-Erik Ekberg, Lauri Veikko Paatero
  • Patent number: 9659173
    Abstract: System and method for determining, by a security application, whether an examined software code is malware, according to which the system detects whenever the examined process code performs system calls and further detects a call site. Pieces of code in the surrounding area of the site and/or in branches related to the site are analyzed and the properties of the analyzed pieces of code are compared with predefined software code patterns, for determining whether the examined process code corresponds to one of the predefined software code patterns. Then the examined process code is classified according to the comparison results.
    Type: Grant
    Filed: January 31, 2012
    Date of Patent: May 23, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Amit Klein, Eldan Ben-Haim, Gal Frishman
  • Patent number: 9661000
    Abstract: A communication apparatus comprises an obtainment unit configured to obtain authentication information from each of a first other communication apparatus and a second other communication apparatus; an authentication unit configured to, based on the authentication information obtained by the obtainment unit, perform authentication processing; and a provision unit configured to provide, based on a result of the authentication processing, information of a third other communication apparatus associated with the first other communication apparatus to a fourth other communication apparatus associated with the second other communication apparatus.
    Type: Grant
    Filed: February 4, 2015
    Date of Patent: May 23, 2017
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Kensuke Yasuma