Patents by Inventor Asaf Hecht

Asaf Hecht has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11941109
    Abstract: Described herein are methods, systems, and computer-readable storage media for generation of a secure and dynamically mutable operating system. Techniques include receiving a request to execute an application causing instantiation of an operating system by identifying one or more needed modules that include core kernel modules and operating system service modules that are dynamically plugged-in or unplugged based on the execution of the application. Techniques may further include assigning a separate memory space with a separate virtual address for each of the one or more modules, generating a unique cryptographic key for each of the one or more modules, and storing each virtual address and corresponding unique cryptographic key together. Further, the operating system generation system encrypts each of the one or more modules using their corresponding unique cryptographic key.
    Type: Grant
    Filed: December 21, 2021
    Date of Patent: March 26, 2024
    Assignee: CYBERARK SOFTWARE LTD.
    Inventors: Mark Cherp, Nir Chako, Asaf Hecht
  • Patent number: 11822670
    Abstract: Disclosed embodiments relate to systems and methods for automatically detecting and addressing security risks in code segments. Techniques include accessing a plurality of code segments developed for execution in a network environment, automatically identifying a first code segment from the plurality of code segments for analysis, automatically performing a first code-level security risk assessment for the first code segment, and determining a first security risk level for the first code segment based on the application programming interface risk level. The first code-level security risk assessment may be performed based on at least one of an application programming interface risk level, an embedded credentials risk level, and a target resource risk level. Further techniques may include determining a second security risk level for a modified version of the first code segment; and enabling a comparison between the first security risk level and the second security risk level.
    Type: Grant
    Filed: March 20, 2020
    Date of Patent: November 21, 2023
    Assignee: CyberArk Software Ltd.
    Inventors: Asaf Hecht, Hadas Elkabir
  • Patent number: 11743032
    Abstract: Described herein are methods, systems, and computer-readable storage media for participating in a validation process with the host computing device. Techniques include receiving, from the host computing device, a second key that is part of a cryptographic key pair comprising a first key and the second key. Techniques further include encrypting, using the second key and as part of the validation process, data at the peripheral device and sending the encrypted data to the host computing device. Further, the host computing device validates an identity of the peripheral device based on a decryption, using the first key, of the encrypted data.
    Type: Grant
    Filed: January 25, 2022
    Date of Patent: August 29, 2023
    Assignee: CyberArk Software Ltd.
    Inventors: Omer Tsarfati, Asaf Hecht
  • Patent number: 11716326
    Abstract: Disclosed embodiments relate to systems and methods for securing the use of temporary access tokens in network environments. Techniques include identifying a request for an action involving a target network resource requiring a temporary access token; receiving, from the target network resource, a temporary access token; storing the temporary access token separate from the network identity; generating a customized replacement token having an attribute different from the temporary access token such that the customized replacement token cannot be used directly with the target network resource; providing the customized replacement token to the network identity; monitoring use of the customized replacement token to detect an activity identified as being at least one of potentially anomalous or potentially malicious; receiving an access request to access the target network resource; and based on the detected activity, denying the access request from the network identity.
    Type: Grant
    Filed: February 16, 2022
    Date of Patent: August 1, 2023
    Assignee: CyberArk Software Ltd.
    Inventors: Omer Tsarfati, Asaf Hecht
  • Publication number: 20230214533
    Abstract: Disclosed embodiments relate to implementing a runtime-based permissions management layer for application programming interface (API) calls. Techniques include identifying an application having a plurality of application programming interface (API) calls associated with the application; identifying, based on the application, a reference sequencing profile associated with the plurality of API calls; allowing at least one API call of a first group of API calls to be performed based on the reference sequencing profile; allowing at least one API call of a second group of API calls to be performed based on the reference sequencing profile; and denying the at least one API call of the first group of API calls.
    Type: Application
    Filed: March 9, 2023
    Publication date: July 6, 2023
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf HECHT
  • Publication number: 20230205571
    Abstract: Disclosed embodiments relate to systems and methods for analysis of data associated with software instances. Techniques include obtaining data associated with a software instance; archiving delta data associated with the software instance; analyzing one or more previous states of the software instance based on the archived delta data; and performing a security action based on the analysis of the one or more previous states of the software instance based on the archived delta data.
    Type: Application
    Filed: February 27, 2023
    Publication date: June 29, 2023
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf HECHT
  • Publication number: 20230195882
    Abstract: Described herein are methods, systems, and computer-readable storage media for dynamically configuring and deploying customizable secure wrappers. Techniques include identifying a code element and provisioning a first wrapper to execute the code element. Techniques further include allowing execution of the code element with the first wrapper, identifying a second wrapper for use in execution of the code element. The second wrapper is either customized for the code element or selected for the code element or both. Further, the code execution management system transitions from the first wrapper to the second wrapper, and allows execution of the code element with the second wrapper.
    Type: Application
    Filed: December 21, 2021
    Publication date: June 22, 2023
    Applicant: CyberArk Software Ltd.
    Inventors: Mark CHERP, Nir CHAKO, Asaf HECHT
  • Publication number: 20230195883
    Abstract: Described herein are methods, systems, and computer-readable storage media for generation of a secure and dynamically mutable operating system. Techniques include receiving a request to execute an application causing instantiation of an operating system by identifying one or more needed modules that include core kernel modules and operating system service modules that are dynamically plugged-in or unplugged based on the execution of the application. Techniques may further include assigning a separate memory space with a separate virtual address for each of the one or more modules, generating a unique cryptographic key for each of the one or more modules, and storing each virtual address and corresponding unique cryptographic key together. Further, the operating system generation system encrypts each of the one or more modules using their corresponding unique cryptographic key.
    Type: Application
    Filed: December 21, 2021
    Publication date: June 22, 2023
    Applicant: CyberArk Software Ltd.
    Inventors: Mark CHERP, Nir CHAKO, Asaf HECHT
  • Publication number: 20230101198
    Abstract: A computer-implemented system is provided that includes instructions that, when executed by at least one processor, cause the at least one processor to perform operations for utilizing unique sequencing profiles that uniquely identify applications, the operations comprising: identifying an application having a plurality of application programming interface (API) calls associated with the application; retrieving, based on the identification of the application, a reference sequencing profile based on a plurality of code elements of the application; comparing the reference sequencing profile to a unique sequencing profile of the application, the unique sequencing profile being based on the plurality of API calls; determining, based on the comparison, a security score for the application; and performing a security action based on the security score.
    Type: Application
    Filed: September 30, 2021
    Publication date: March 30, 2023
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf HECHT
  • Publication number: 20230094066
    Abstract: A computer-implemented system is provided that includes instructions that, when executed by at least one processor, cause the at least one processor to perform operations for generating unique sequencing profiles for applications, the operations comprising: identifying a code element of an application; identifying a plurality of application programming interface (API) calls associated with the code element; determining a unique sequencing profile for the code element, the unique sequencing profile being based on at least one of: an order or hierarchy of the plurality of API calls, or execution timing data for the plurality of API calls; and assigning, based on the unique sequencing profile for the code element, a unique sequencing profile to the application.
    Type: Application
    Filed: September 30, 2021
    Publication date: March 30, 2023
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf HECHT
  • Patent number: 11609780
    Abstract: Disclosed embodiments relate to systems and methods for enabling recovery of deactivated virtual computing instances that were previously instantiated in a dynamic virtualized computing environment. Techniques include identifying a status change for a virtual computing instance; archiving a plurality of environment properties representing a chain of activities comprising a plurality of activities executed by a processor of the virtual computing instance; and reactivating the virtual computing instance. Reactivating the virtual computing instance may include reinstantiation of the virtual computing instance based on the plurality of environment properties and chain of activities such that the virtual computing instance is reinstantiated to a state at a time of the status change.
    Type: Grant
    Filed: June 7, 2021
    Date of Patent: March 21, 2023
    Assignee: CYBERARK SOFTWARE LTD.
    Inventor: Asaf Hecht
  • Publication number: 20220321328
    Abstract: Described herein are methods, systems, and computer-readable storage media for participating in a validation process with the host computing device. Techniques include receiving, from the host computing device, a second key that is part of a cryptographic key pair comprising a first key and the second key. Techniques further include encrypting, using the second key and as part of the validation process, data at the peripheral device and sending the encrypted data to the host computing device. Further, the host computing device validates an identity of the peripheral device based on a decryption, using the first key, of the encrypted data.
    Type: Application
    Filed: January 25, 2022
    Publication date: October 6, 2022
    Applicant: CyberArk Software Ltd.
    Inventors: Omer TSARFATI, Asaf Hecht
  • Publication number: 20220286446
    Abstract: Techniques include securely accessing data associated with authorization of an identity, the identity being capable of accessing an access-controlled network resource based on assertion of an authentication credential to an entity associated with the access-controlled network resource; generating a secret data element based on the data associated with authorization of the identity and based on application of a first secret logic algorithm; and making the secret data element available to be embedded in the authentication credential. The entity associated with the access-controlled network resource is configured to: validate the identity based on the secret data element being included in the authentication credential; and access the data associated with authorization of the identity based on application of a second secret logic algorithm to the secret data element.
    Type: Application
    Filed: May 23, 2022
    Publication date: September 8, 2022
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Publication number: 20220247776
    Abstract: Disclosed embodiments relate to systems and methods for composite risk scores for network resources. Techniques include retrieving data associated with multiple network resources. The retrieved data is used to perform a first assessment for each of the multiple network resources to estimate a vulnerability level for each of the multiple network resources. The retrieved data is also used to perform a second assessment for each of the multiple network resources to estimate an importance level for each of the multiple network resources. Based on a result of the first assessment and a result of the second assessment, a composite risk score for each of the multiple network resources is determined. When needed, a security response is performed based on the determined composite risk score of a specific network resource among the multiple network resources.
    Type: Application
    Filed: April 20, 2022
    Publication date: August 4, 2022
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Publication number: 20220174062
    Abstract: Disclosed embodiments relate to systems and methods for automatically detecting and addressing security risks in code segments. Techniques include identifying a request for an action involving a target network resource requiring a temporary access token; receiving, from the target network resource, a temporary access token; storing the temporary access token separate from the network identity; generating a customized replacement token having an attribute different from the temporary access token such that the customized replacement token cannot be used directly with the target network resource; providing the customized replacement token to the network identity; monitoring use of the customized replacement token to detect an activity identified as being at least one of potentially anomalous or potentially malicious; receiving an access request to access the target network resource; and based on the detected activity, denying the access request from the network identity.
    Type: Application
    Filed: February 16, 2022
    Publication date: June 2, 2022
    Applicant: CyberArk Software Ltd.
    Inventors: Omer Tsarfati, Asaf Hecht
  • Patent number: 11323470
    Abstract: Disclosed embodiments relate to systems and methods for analyzing and addressing least-privilege security threats on a composite basis. Techniques include identifying a permission associated with a secured resource, identifying attributes associated with the permission, weighting the attributes, and, based on the attributes and their weights, creating a normalized score corresponding to the risk presented by the permission. Further techniques include identifying attributes associated with the secured resource, identifying special risk factors, and creating weighted scores based on the resource attributes and special risk factors. Other techniques include aggregating the weighted scores and using the weighted scores to identify insecure areas within the system.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: May 3, 2022
    Assignee: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Publication number: 20220129564
    Abstract: Disclosed embodiments relate to systems and methods for centrally analyzing and managing source code. Techniques include identifying, at a centralized resource in a network environment, a first source code; identifying the first source code as a candidate for an execution of an access control action; identifying, at the centralized resource, a security risk indication for the first source code, the security risk indication being based on permissions associated with a functionality of the first source code; performing, based on the security risk indication, at least one of: developing a least privilege set of permissions for the source code, or modifying the least privilege set of permissions.
    Type: Application
    Filed: January 3, 2022
    Publication date: April 28, 2022
    Applicant: CyberArk Software Ltd.
    Inventor: Asaf Hecht
  • Patent number: 11316857
    Abstract: Disclosed embodiments include techniques for automatically provisioning dynamic privileged access resources. Aspects may involve receiving a notification that an identity is seeking to participate in a privileged session with an access-restricted network resource, and automatically provisioning, in response to the notification, a privileged access resource for use by the identity in participating in the privileged session with the access-restricted network resource. Further, aspects may include determining that the privileged session with the access-restricted network resource has ended, and automatically deprovisioning, based on the determination, the privileged access resource.
    Type: Grant
    Filed: July 11, 2018
    Date of Patent: April 26, 2022
    Assignee: Cyber Ark Software Ltd.
    Inventor: Asaf Hecht
  • Publication number: 20220086142
    Abstract: Techniques include securely accessing data associated with at least one identity capable of accessing one or more access-controlled network resources; generating an intermediate value based on the data associated with the at least one identity; generating, based on application of a secret logic algorithm to the intermediate value, a secret data element; making the secret data element available to be embedded in an authentication credential associated with the at least one identity; identifying an attempt to change the authentication credential, the attempt including new authentication credential data to replace data in the authentication credential; validating, conditional on a determination whether the new authentication credential data includes the secret data element in a predefined location, the attempt to change the authentication credential; and determining, based on the validating, whether to perform a control action based on the new authentication credential data.
    Type: Application
    Filed: November 24, 2021
    Publication date: March 17, 2022
    Applicant: CyberArk Software Ltd.
    Inventor: ASAF HECHT
  • Patent number: 11269787
    Abstract: Disclosed embodiments relate to systems and methods for providing an end-to-end secure lifecycle of data. Techniques include receiving a request from a client to access data; reserving a designated memory region; protecting the designated memory region using access restriction to certain processes of an operating system; receiving data from a trusted source; injecting the data into the designated memory region in a zero-copy manner; sending the data to the client in a zero-copy manner; receiving an indication that the client performed an interaction; and in response to the indication, disposing of the data and the designated memory region.
    Type: Grant
    Filed: July 14, 2021
    Date of Patent: March 8, 2022
    Assignee: CYBERARK SOFTWARE LTD
    Inventors: Mark Cherp, Nir Chako, Asaf Hecht