Abstract: Method for distributing content to endpoint computers by sending signed content from a content-providing server to customer special-user workstations each including an enclave networked to its own subpopulation of endpoint computers which is a subset of the endpoint computers' population; and/or, in each enclave, authenticating that content received was signed by the server and then generating non-identical copies of the content received to be used by endpoint computers belonging to the individual enclave's subpopulation, signing the non-identical copies and sending the non-identical signed copies to endpoint computer/s in the enclave's subpopulation of endpoint computers, and/or in at least one enclave, authenticating that content received was signed by the given special-user workstation and then using the content received that was signed by the given special-user workstation, on or in the endpoint computer/s.

Abstract: A technique of proofing against tampering with a computer including a chassis with a plurality of fasteners. The technique includes obtaining by the computer data indicative of a sequence of implication events associated with the fasteners of the plurality of fasteners, generating a pattern corresponding to the sequence of implication events, matching between data corresponding to the generated pattern and a reference data, and initiating one or more anti-tampering actions responsive to a mismatching result. The method can further include generating a cryptographic signature corresponding to the generated pattern, wherein matching between data corresponding to the generated pattern and the reference data includes matching the generated cryptographic signature to a cryptographic reference corresponding to the reference data. Alternatively, or additionally, the generated cryptographic signature can be usable for secure access to information stored on the computer.

Abstract: There is provided a computerized method of secure communication between a source computer and a destination computer, the method performed by an inspection computer and comprising: receiving data sent by the source computer to the destination computer; inspecting the received data using one or more filtering mechanisms, giving rise to one or more inspection results; separately signing each of the one or more inspection results; determining, based on an inspection management policy, whether to send at least some of the inspection results and/or derivatives thereof for manual inspection; upon a positive determination, providing manual inspection of the at least some inspection results and/or derivatives thereof, and providing signing of the at least one manual inspection result; and analyzing signed inspection results and performing additional verification of the signed inspection results when a result of the analyzing meets a predefined criterion specified by the inspection management policy.

Abstract: A method for providing a secured client computer that includes peripheral components. Each peripheral component processes a corresponding peripheral component data of a data type that is not compatible with peripheral component data types processed by a processor of other peripheral components. The processor of each peripheral component codes the corresponding data of the data type for establishing a secured peer-to-peer communication with other peripheral components.

Abstract: There is provided a secured computer system, comprising a processing and memory unit (PMU) operatively connected to an input peripheral and an output peripheral. The PMU comprises a system memory comprising a protected memory and a shared memory, and a processor operatively coupled to the system memory, the processor including a set of instructions for enabling secure data storage and execution via the protected memory. The PMU further comprises an operating system and a group of modules executable by the operating system, each module in the group of modules having a designated secure region to be executed within the protected memory, the group of modules is configured to create authentication and share the input data securely via the shared memory accessible thereto using a composite key, the composite key generated within the group using data sharing mechanism between the designated secure regions enabled by the set of instructions.

Abstract: A computing system comprising: one or more processors configured to execute one or more computing environments (CEs) to access shared resources; a processor-based computing environment inspector unit (CEIU) operably connected to the one or more CEs and configured to inspect data generated by the one or more CEs; a processor-based mitigator unit (MET); and a storage medium; wherein the CEIU is further configured, responsive to detecting CE-generated data that is indicative of a compromise of a first CE, to notify the MU of the compromise of the first CE, and wherein the MU is configured, responsive to receiving notification of a compromise of the first CE, to disable access to the shared resources by the first CE.

Abstract: There is provided a method of communication among at least two processes miming on the same computer. The method comprises: generating, by at least one process of the at least two processes, a group key usable for encrypting/decrypting a data unit retrieved from/stored to shared access memory, wherein the generating utilizes, at least, a nonce provided by each of the at least two processes, and wherein the nonces are provided as encrypted integrity-protected data according to, at least, a platform-provided hiding function, wherein each process executes in a protected container, the processes are signed by a single signing authority, and the protected container infrastructure enables use of encrypted, integrity-protected data according to a platform-provided hiding function and a platform-provided revealing function; and verifying, by at least one process of the at least two processes, that a data unit read from shared access memory is successfully decrypted using the group key.

Abstract: A method for providing a secured client computer that includes peripheral components. Each peripheral component processes a corresponding peripheral component data of a data type that is not compatible with peripheral component data types processed by a processor of other peripheral components. The processor of each peripheral component codes the corresponding data of the data type for establishing a secured peer-to-peer communication with other peripheral components.

Abstract: A computer implemented method for providing communication between a secured client computer and a remote computer. There is provided a client computer that includes peripheral components. Each peripheral component is configured, by a processor, to process a corresponding peripheral component data of a data type that is not compatible with peripheral component data types processed by a processor of other peripheral components. The processor of each peripheral component is further configured to code the corresponding data of the specified data type. Each peripheral component is configured, by the processor, to establish a secured peer-to-peer communication channel between the peripheral component and the remote computer that is authorized to communicate with the client computer, and is further configured to code data that is communicated between the authorized remote computer and the peripheral component through the secured communication channel.

Abstract: There is provided a computerized method of secure communication between a source computer and a destination computer, the method performed by an inspection computer and comprising: receiving data sent by the source computer to the destination computer; inspecting the received data using one or more filtering mechanisms, giving rise to one or more inspection results; separately signing each of the one or more inspection results; determining, based on an inspection management policy, whether to send at least some of the inspection results and/or derivatives thereof for manual inspection; upon a positive determination, providing manual inspection of the at least some inspection results and/or derivatives thereof, and providing signing of the at least one manual inspection result; and analyzing signed inspection results and performing additional verification of the signed inspection results when a result of the analyzing meets a predefined criterion specified by the inspection management policy.

Abstract: There is provided a secured computer system, comprising a processing and memory unit (PMU) operatively connected to an input peripheral and an output peripheral. The PMU comprises a system memory comprising a protected memory and a shared memory, and a processor operatively coupled to the system memory, the processor including a set of instructions for enabling secure data storage and execution via the protected memory. The PMU further comprises an operating system and a group of modules executable by the operating system, each module in the group of modules having a designated secure region to be executed within the protected memory, the group of modules is configured to create authentication and share the input data securely via the shared memory accessible thereto using a composite key, the composite key generated within the group using data sharing mechanism between the designated secure regions enabled by the set of instructions.

Abstract: There is provided a method of communication among at least two processes miming on the same computer. The method comprises: generating, by at least one process of the at least two processes, a group key usable for encrypting/decrypting a data unit retrieved from/stored to shared access memory, wherein the generating utilizes, at least, a nonce provided by each of the at least two processes, and wherein the nonces are provided as encrypted integrity-protected data according to, at least, a platform-provided hiding function, wherein each process executes in a protected container, the processes are signed by a single signing authority, and the protected container infrastructure enables use of encrypted, integrity-protected data according to a platform-provided hiding function and a platform-provided revealing function; and verifying, by at least one process of the at least two processes, that a data unit read from shared access memory is successfully decrypted using the group key.

Abstract: There is provided a technique of proofing against tampering with a computer comprising a chassis with a plurality of fasteners. The technique comprises: obtaining by the computer data indicative of a sequence of implication events associated with the fasteners of the plurality of fasteners; generating a pattern corresponding to the sequence of implication events; matching between data corresponding to the generated pattern and a reference data; and initiating one or more anti-tampering actions responsive to a mismatching result. The method can further comprise generating a cryptographic signature corresponding to the generated pattern, wherein matching between data corresponding to the generated pattern and the reference data comprises matching the generated cryptographic signature to a cryptographic reference corresponding to the reference data. Alternatively or additionally, the generated cryptographic signature can be usable for secure access to information stored on the computer.

Abstract: A computer implemented method for providing communication between a secured client computer and a remote computer. There is provided a client computer that includes peripheral components. Each peripheral component is configured, by a processor, to process a corresponding peripheral component data of a data type that is not compatible with peripheral component data types processed by a processor of other peripheral components. The processor of each peripheral component is further configured to code the corresponding data of the specified data type. Each peripheral component is configured, by the processor, to establish a secured peer-to-peer communication channel between the peripheral component and the remote computer that is authorized to communicate with the client computer, and is further configured to code data that is communicated between the authorized remote computer and the peripheral component through the secured communication channel.