Abstract: This disclosure relates to security assurance of cyber supply chains. An example method includes a downstream party obtaining information regarding a policy of an upstream party to be applied to data of the downstream party, and the downstream party generating credential criteria for trusted access to the data based on a representation of the policy. The example method also includes the downstream party providing to a security assurance facilitator the data in a form accessible in accordance with the credential criteria, and the downstream party obtaining a result from trusted computation implemented by the security assurance facilitator that applies the policy to the data.

Abstract: Automated malware signature generation is disclosed. Automated malware signature generation includes monitoring incoming unknown files for the presence of malware and analyzing the incoming unknown files based on both a plurality of classifiers of file behavior and a plurality of classifiers of file content. An incoming file is classified as having a particular malware classification based on the analyzing of incoming unknown files and a malware signature is generated for the incoming unknown file based on the particular malware classification. Access is provided to the malware signature.

Abstract: Automated malware signature generation is disclosed. Automated malware signature generation includes monitoring incoming unknown files for the presence of malware and analyzing the incoming unknown files based on both a plurality of classifiers of file behavior and a plurality of classifiers of file content. An incoming file is classified as having a particular malware classification based on the analyzing of incoming unknown files and a malware signature is generated for the incoming unknown file based on the particular malware classification. Access is provided to the malware signature.

Abstract: Automated malware signature generation is disclosed. Automated malware signature generation includes monitoring incoming unknown files for the presence of malware and analyzing the incoming unknown files based on both a plurality of classifiers of file behavior and a plurality of classifiers of file content. An incoming file is classified as having a particular malware classification based on the analyzing of incoming unknown files and a malware signature is generated for the incoming unknown file based on the particular malware classification. Access is provided to the malware signature.

Abstract: A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing the threat information to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians to manually create environments for reproducing the threats and manually analyze the threat behavior.

Abstract: Automated malware signature generation is disclosed. Automated malware signature generation includes monitoring incoming unknown files for the presence of malware and analyzing the incoming unknown files based on both a plurality of classifiers of file behavior and a plurality of classifiers of file content. An incoming file is classified as having a particular malware classification based on the analyzing of incoming unknown files and a malware signature is generated for the incoming unknown file based on the particular malware classification. Access is provided to the malware signature.

Abstract: Automated malware signature generation is disclosed. Automated malware signature generation includes monitoring incoming unknown files for the presence of malware and analyzing the incoming unknown files based on both a plurality of classifiers of file behavior and a plurality of classifiers of file content. An incoming file is classified as having a particular malware classification based on the analyzing of incoming unknown files and a malware signature is generated for the incoming unknown file based on the particular malware classification. Access is provided to the malware signature.

Abstract: In a protected media path for delivering content from a source to a sink, a source authority (SOTA) on behalf of the source decides with regard to a policy corresponding to the content that a particular type of action with the content is to be refused, and provides a particular enabler to an application. The provided enabler includes information and methods necessary for the application to obtain data necessary to respond to the refusal. The application receives the enabler at an interface thereof and the interface applies a common interaction procedure to run the enabler to obtain the data necessary to respond to the refusal.

Abstract: A binary function database system is provided in which binary functions are extracted from compiled and linked program files and stored in a database as robust abstractions which can be matched with others using one or more function matching heuristics. Such abstraction allows for minor variations in function implementation while still enabling matching with an identical stored function in the database, or with a stored function with a given level of confidence. Metadata associated with each function is also typically generated and stored in the database. In an illustrative example, a structured query language database is utilized that runs on a central database server, and that tracks function names, the program file from which the function is extracted, comments and other associated information as metadata during an analyst's live analysis session to enable known function information that is stored in the database to be applied to binary functions of interest that are disassembled from the program file.

Abstract: A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing the threat information to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians to manually create environments for reproducing the threats and manually analyze the threat behavior.

Abstract: A list of computing components to be disabled can be distributed through a computer readable medium to computing devices. A process on these computing devices can read the list and disable listed components. The components can be permanently disabled, or disabled for a limited purpose. A list or list update may be provided with a digital media object that specifies a more or less stringent revocation policy for that object. A media object may also specify a maximum age for the list. This allows owners of digital media to control the stringency of media protection for their property. The process that accesses the list may prompt updates to the list, informing users of component disabling, and prompt replacement of disabled components. Finally, the invention provides techniques for securely transmitting and storing the list to protect it from alteration by unauthorized entities.

Abstract: A binary function database system is provided in which binary functions are extracted from compiled and linked program files and stored in a database as robust abstractions which can be matched with others using one or more function matching heuristics. Such abstraction allows for minor variations in function implementation while still enabling matching with an identical stored function in the database, or with a stored function with a given level of confidence. Metadata associated with each function is also typically generated and stored in the database. In an illustrative example, a structured query language database is utilized that runs on a central database server, and that tracks function names, the program file from which the function is extracted, comments and other associated information as metadata during an analyst's live analysis session to enable known function information that is stored in the database to be applied to binary functions of interest that are disassembled from the program file.

Abstract: Automated malware signature generation is disclosed. Automated malware signature generation includes monitoring incoming unknown files for the presence of malware and analyzing the incoming unknown files based on both a plurality of classifiers of file behavior and a plurality of classifiers of file content. An incoming file is classified as having a particular malware classification based on the analyzing of incoming unknown files and a malware signature is generated for the incoming unknown file based on the particular malware classification. Access is provided to the malware signature.

Abstract: In a protected media path for delivering content from a source to a sink, a source authority (SOTA) on behalf of the source decides with regard to a policy corresponding to the content that a particular type of action with the content is to be refused, and provides a particular enabler to an application. The provided enabler includes information and methods necessary for the application to obtain data necessary to respond to the refusal. The application receives the enabler at an interface thereof and the interface applies a common interaction procedure to run the enabler to obtain the data necessary to respond to the refusal.

Abstract: In a protected media path for delivering content from a source to a sink, a source authority (SOTA) on behalf of the source decides with regard to a policy corresponding to the content that a particular type of action with the content is to be refused, and provides a particular enabler to an application. The provided enabler includes information and methods necessary for the application to obtain data necessary to respond to the refusal. The application receives the enabler at an interface thereof and the interface applies a common interaction procedure to run the enabler to obtain the data necessary to respond to the refusal.

Abstract: A list of computing components to be disabled can be distributed through a computer readable medium to computing devices. A process on these computing devices can read the list and disable listed components. The components can be permanently disabled, or disabled for a limited purpose. A list or list update may be provided with a digital media object that specifies a more or less stringent revocation policy for that object. A media object may also specify a maximum age for the list. This allows owners of digital media to control the stringency of media protection for their property. The process that accesses the list may prompt updates to the list, informing users of component disabling, and prompt replacement of disabled components. Finally, the invention provides techniques for securely transmitting and storing the list to protect it from alteration by unauthorized entities.

Abstract: In a protected media path for delivering content from a source to a sink, a source authority (SOTA) on behalf of the source decides with regard to a policy corresponding to the content that a particular type of action with the content is to be refused, and provides a particular enabler to an application. The provided enabler includes information and methods necessary for the application to obtain data necessary to respond to the refusal. The application receives the enabler at an interface thereof and the interface applies a common interaction procedure to run the enabler to obtain the data necessary to respond to the refusal.