Abstract: An apparatus, system and method for protecting the confidentiality and integrity of a secure object running on a computer system by protecting the memory pages owned by the secure object, including assigning a secure object an ID, labeling the memory pages owned by a secure object with the ID of the secure object, maintaining an Access Control Monitor (ACM) table for the memory pages on the system, controlling access to memory pages by monitoring load and store instructions and comparing information in the ACM table with the ID of the software that is executing these instructions; and limiting access to a memory page to the owner of the memory page.

Abstract: An exemplary additive manufacturing method includes receiving a build file comprising instructions for controlling the manufacturing hardware to generate an object, receiving a material identifier indicating a particular lot of manufacturing media, validating the build file and the material identifier via a distributed ledger to verify both an author of the build file and an origin of the particular lot of manufacturing media, causing manufacturing hardware to generate the object using the build file and the particular lot of manufacturing media, generating an object manufactured transaction to the distributed ledger indicating a result of the validation of the origin of the at least one of the build file or the material identifier, and certifying the object in response to verifying the author of the build file and the origin of the particular lot of manufacturing media, and wherein the object manufactured transaction indicates that the object is certified.

Abstract: Some aspects are directed to additive manufacturing systems. An example additive manufacturing system controller is configured to receive a build file comprising instructions for controlling the manufacturing hardware to generate the object, receive a material identifier indicating a particular lot of manufacturing media, validate the build file and the material identifier via a distributed ledger to verify at least one of an author of the build file or an origin of the particular lot of manufacturing media, control the manufacturing hardware using the build file to generate the object using the particular lot of manufacturing media, and in response to completion of the generation of the object, generate an object manufactured transaction to the distributed ledger indicating a result of the validation of the origin of the at least one of the build file or the material identifier.

Abstract: An exemplary additive manufacturing method includes receiving a build file comprising instructions for controlling the manufacturing hardware to generate an object, receiving a material identifier indicating a particular lot of manufacturing media, validating the build file and the material identifier via a distributed ledger to verify both an author of the build file and an origin of the particular lot of manufacturing media, causing manufacturing hardware to generate the object using the build file and the particular lot of manufacturing media, generating an object manufactured transaction to the distributed ledger indicating a result of the validation of the origin of the at least one of the build file or the material identifier, and certifying the object in response to verifying the author of the build file and the origin of the particular lot of manufacturing media, and wherein the object manufactured transaction indicates that the object is certified.

Abstract: An apparatus, system and method for protecting the confidentiality and integrity of a secure object running on a computer system by protecting the memory pages owned by the secure object, including assigning a secure object an ID, labeling the memory pages owned by a secure object with the ID of the secure object, maintaining an Access Control Monitor (ACM) table for the memory pages on the system, controlling access to memory pages by monitoring load and store instructions and comparing information in the ACM table with the ID of the software that is executing these instructions; and limiting access to a memory page to the owner of the memory page.

Abstract: A processor in a computer system, the processor including a mechanism supporting a Secure Object that comprises information that is protected so that other software on said computer system cannot access or undetectably tamper with said information, thereby protecting both a confidentiality and an integrity of the Secure Object information while making the Secure Object information available to the Secure Object itself during execution of the Secure Object. The mechanism includes a crypto mechanism that decrypts and integrity-checks Secure Object information as said Secure Object information moves into the computer system from an external storage system, and encrypts and updates an integrity value for Secure Object information as said Secure Object information moves out of the computer system to the external storage system, and a memory protection mechanism that protects the confidentiality and integrity of Secure Object information when that information is in the memory of the computer system.

Abstract: A method, computer-readable medium, and system including an inside container module to communicate with an inside network internal to a system; an outside container module to communicate with an outside network external to the system; and an inspector module to communicate with the inside container module and the outside container module, the inspector container to control communication of all data between the inside container module and the outside container module; and the inspector module, the inside container module, and the outside container module each being self-contained and to operate independent of each other.

Abstract: A method, computer-readable medium, and system including an inside container module to communicate with an inside network internal to a system; an outside container module to communicate with an outside network external to the system; and an inspector module to communicate with the inside container module and the outside container module, the inspector container to control communication of all data between the inside container module and the outside container module, including enforcing single direction data flow directionality between the inspector module and at least one of the outside container module and the inside container module; and the inspector module, the inside container module, and the outside container module each being self-contained and to operate independent of each other.

Abstract: A system, computer-readable medium, and method including receiving, during a development of a container based application proxy firewall system, application source code for an application; analyzing, during the development of the container based application proxy firewall system, the source code to determine a data flow for the application; generating, during the development of the container based application proxy firewall system, inspection rules for a application specific proxy firewall; and incorporating the generated inspection rules into the application specific proxy firewall system.

Abstract: Some aspects are directed to additive manufacturing systems. An example additive manufacturing system controller is configured to receive a build file comprising instructions for controlling the manufacturing hardware to generate the object, receive a material identifier indicating a particular lot of manufacturing media, validate the build file and the material identifier via a distributed ledger to verify at least one of an author of the build file or an origin of the particular lot of manufacturing media, control the manufacturing hardware using the build file to generate the object using the particular lot of manufacturing media, and in response to completion of the generation of the object, generate an object manufactured transaction to the distributed ledger indicating a result of the validation of the origin of the at least one of the build file or the material identifier.

Abstract: A processor in a computer system, the processor including a mechanism supporting a Secure Object that comprises information that is protected so that other software on said computer system cannot access or undetectably tamper with said information, thereby protecting both a confidentiality and an integrity of the Secure Object information while making the Secure Object information available to the Secure Object itself during execution of the Secure Object. The mechanism includes a crypto mechanism that decrypts and integrity-checks Secure Object information as said Secure Object information moves into the computer system from an external storage system, and encrypts and updates an integrity value for Secure Object information as said Secure Object information moves out of the computer system to the external storage system, and a memory protection mechanism that protects the confidentiality and integrity of Secure Object information when that information is in the memory of the computer system.

Abstract: A system for identifying unauthorized and/or misconfigured wireless access points (WAPs) in a communication network includes multiple network endpoints and multiple agents running on endpoints. The agents are adapted to periodically locate WAPs and to report located WAPs to a central entity. The system further includes a central entity operative to receive information from the agents regarding located WAPs, to determine whether at least a given one of the located WAPs needs to be probed, and to initiate active probing of located WAPs when it is determined that the given one of the located WAPs needs to be probed.

Abstract: A method for identifying unauthorized and/or misconfigured wireless access points (WAPs) in a communication network includes the steps of: an agent running on an endpoint in the communication network locating one or more WAPs in the communication network; the agent reporting at least one located WAP to a central entity; and the central entity performing steps of applying prescribed criteria to determine whether the located WAP needs to be probed, and initiating active probing of the located WAP when it is determined that the located WAP needs to be probed to thereby determine whether the located WAP is unauthorized and/or misconfigured.

Abstract: An intrusion detection mechanism is provided for flexible, automatic, thorough, and consistent security checking and vulnerability resolution in a heterogeneous environment. The mechanism may provide a predefined number of default intrusion analysis approaches, such as signature-based, anomaly-based, scan-based, and danger theory. The intrusion detection mechanism also allows a limitless number of intrusion analysis approaches to be added on the fly. Using an intrusion detection skin, the mechanism allows various weights to be assigned to specific intrusion analysis approaches. The mechanism may adjust these weights dynamically. The score ration can be tailored to determine if an intrusion occurred and adjusted dynamically. Also, multiple security policies for any type of computing element may be enforced.

Abstract: An intrusion detection mechanism is provided for flexible, automatic, thorough, and consistent security checking and vulnerability resolution in a heterogeneous environment. The mechanism may provide a predefined number of default intrusion analysis approaches, such as signature-based, anomaly-based, scan-based, and danger theory. The intrusion detection mechanism also allows a limitless number of intrusion analysis approaches to be added on the fly. Using an intrusion detection skin, the mechanism allows various weights to be assigned to specific intrusion analysis approaches. The mechanism may adjust these weights dynamically. The score ration can be tailored to determine if an intrusion occurred and adjusted dynamically. Also, multiple security policies for any type of computing element may be enforced.

Abstract: An intrusion detection mechanism is provided for flexible, automatic, thorough, and consistent security checking and vulnerability resolution in a heterogeneous environment. The mechanism may provide a predefined number of default intrusion analysis approaches, such as signature-based, anomaly-based, scan-based, and danger theory. The intrusion detection mechanism also allows a limitless number of intrusion analysis approaches to be added on the fly. Using an intrusion detection skin, the mechanism allows various weights to be assigned to specific intrusion analysis approaches. The mechanism may adjust these weights dynamically. The score ration can be tailored to determine if an intrusion occurred and adjusted dynamically. Also, multiple security policies for any type of computing element may be enforced.

Abstract: A method for restricting access to an encryption key of an encrypted file system (EFS), whereby access is provided only when a computer system is booted in a trusted state. The EFS encrypts the files within a TPM chip according to TCPA specifications and simultaneously creates the encryption key, which is also stored in the TPM. The key is sealed to one or more platform control register (PCR) states (i.e., the TPM will export the key only when the PCRs are in a pre-defined state.). The original PCR states are modified during boot up of the computer system via a secure hashing algorithm, which extends a value of one PCR to a next PCR at each stage of the boot process and then hashes the value with the remaining content of the next PCR. When the system boot process is completed and before control passes to the user, the values within the PCRs are compared to values stored in a PCR table within the TPM, and the encryption key is exported to the OS kernel only when the PCR values match the table values.

Abstract: A method, computer program product and computer system for securing alterable data. A computer that is remotely managed may be equipped with a protected storage that is accessible only by BIOS code. The protected storage may have the capacity to store a symmetrical encryption key. An EEPROM, which normally contains the BIOS code, may be used to store accessible configuration data as well as remotely unaccessible sensitive access information (e.g., passwords). The remotely unaccessible sensitive data is encrypted with the symmetrical encryption key by the BIOS code. Remote access to the sensitive data is accomplished via change requests submitted to the BIOS code over a secure channel. The BIOS code then determines whether the request is valid. If so, then sensitive data is decrypted, altered, encrypted, and re-written into the EEPROM. Normal access to accessible data is unaffected and remote access is allowed without changing the computer system architecture.

Abstract: A computer system, method of operation, and program product which gives a clear indication to a user when a computer system has transitioned to a trusted state.

Abstract: A method, computer program product, and data processing system for constructing a self-managing distributed computing system comprised of “autonomic elements” is disclosed. An autonomic element provides a set of services, and may provide them to other autonomic elements. Relationships between autonomic elements include the providing and consuming of such services. These relationships are “late bound,” in the sense that they can be made during the operation of the system rather than when parts of the system are implemented or deployed. They are dynamic, in the sense that relationships can begin, end, and change over time. They are negotiated, in the sense that they are arrived at by a process of mutual communication between the elements that establish the relationship.