Abstract: A processor-implemented method for a secure processing environment for protecting sensitive information is provided. The processor-implemented method may include receiving encrypted data and routing the encrypted data to the secure processing environment. Then the encrypted data may be decrypted and fields containing sensitive information may be found. The method may also include obfuscating the sensitive information and returning, by the secure processing environment, the decrypted data and obfuscated data.

Abstract: Included within a shared housing are at least one user interface element; a first isolated computational entity; a second isolated computational entity; and a switching arrangement. The switching arrangement is configured to, in a first mode, connect the first isolated computational entity to the at least one user interface element; and, in a second mode, connect the second isolated computational entity to the at least one user interface element.

Abstract: A method of converting an original application into a cloud-hosted application includes splitting the original application into a plurality of application components along security relevant boundaries, mapping the application components to hosting infrastructure boundaries, and using a mechanism to enforce a privacy policy of a user. The mapping may include assigning each application component to a distinct virtual machine, which acts as a container for its assigned component.

Abstract: A method of converting an original application into a cloud-hosted application includes splitting the original application into a plurality of application components along security relevant boundaries, mapping the application components to hosting infrastructure boundaries, and using a mechanism to enforce a privacy policy of a user. The mapping may include assigning each application component to a distinct virtual machine, which acts as a container for its assigned component.

Abstract: A processor-implemented method for a secure processing environment for protecting sensitive information is provided. The processor-implemented method may include receiving encrypted data and routing the encrypted data to the secure processing environment. Then the encrypted data may be decrypted and fields containing sensitive information may be found. The method may also include obfuscating the sensitive information and returning, by the secure processing environment, the decrypted data and obfuscated data.

Abstract: A system, method and computer program product for verifying integrity of a running application program on a computing device. The method comprises: determining entry points into an application programs processing space that impact proper execution impact program integrity; mapping data elements reachable from the determined entry points into a memory space of a host system where the application to verify is running; run-time monitoring, in the memory space, potential modification of the data elements in a manner potentially breaching program integrity; and initiating a response to the potential modification. The run-time monitoring detects when a data transaction, e.g., a write event, reaches a malicious agent's entry point, a corresponding memory hook is triggered and control is passed to a security agent running outside the monitored system.

Abstract: A system and method for workload generation include a processor for identifying a workload model by determining each of a hierarchy for workload generation, time scales for workload generation, and states and transitions at each of the time scales, and defining a parameter by determining each of fields for user specific attributes, application specific attributes, network specific attributes, content specific attributes, and a probability distribution function for each of the attributes; a user level template unit corresponding to a relatively slow time scale in signal communication with the processor; an application level template corresponding to a relatively faster time scale in signal communication with the processor; a stream level template corresponding to a relatively fastest time scale in signal communication with the processor; and a communications adapter in signal communication with the processor for defining a workload generating unit responsive to the template units.

Abstract: Techniques for mapping at least one physical system and at least one virtual system into at least two separate execution environments are provided. The techniques include discovering an implicitly enforced security policy in an environment comprising at least one physical system and at least one virtual system, using the discovered policy to create an enforceable isolation policy, and using the isolation policy to map the at least one physical system and at least one virtual system into at least two separate execution environments. Techniques are also provided for generating a database of one or more isolation policies.

Abstract: A method of converting an original application into a cloud-hosted application includes splitting the original application into a plurality of application components along security relevant boundaries, mapping the application components to hosting infrastructure boundaries, and using a mechanism to enforce a privacy policy of a user. The mapping may include assigning each application component to a distinct virtual machine, which acts as a container for its assigned component.

Abstract: A method of converting an original application into a cloud-hosted application includes splitting the original application into a plurality of application components along security relevant boundaries, mapping the application components to hosting infrastructure boundaries, and using a mechanism to enforce a privacy policy of a user. The mapping may include assigning each application component to a distinct virtual machine, which acts as a container for its assigned component.

Abstract: A method to verify a geographic location of a virtual disk image executing at a data center server within a data center. One embodiment includes a cryptoprocessor proximate the data center server, a hypervisor configured to send a disk image hash value of the virtual disk image, a digital certificate issued to the cryptoprocessor, an endorsement key to a data center tenant and a location provider. The method includes sending a disk image hash value of the virtual disk image, an endorsement key unique to a cryptoprocessor proximate the data center server to a data center tenant, and a digital certificate to a data center tenant. Next, the location provider sends the geographic location of the cryptoprocessor matching the endorsement key to the data center tenant.

Abstract: A host machine provisions a virtual machine from a catalog of stock virtual machines. The host machine instantiates the virtual machine. The host machine configures the virtual machine, based on customer inputs, to form a customer's configured virtual machine. The host machine creates an image from the customer's configured virtual machine. The host machine unwraps a sealed customer's symmetric key to form a customer's symmetric key. The host machine encrypts the customer's configured virtual machine with the customer's symmetric key to form an encrypted configured virtual machine. The host machine stores the encrypted configured virtual machine to non-volatile storage.

Abstract: A method for association of a mobile terminal with an access point (AP) includes determining a set of available APs. The AP from among the available APs that has the coverage area that is likely to encompass the mobile terminal for the greatest period of time or distance is selected. The selected AP is associated with the mobile terminal.

Abstract: Included within a shared housing are at least one user interface element; a first isolated computational entity; a second isolated computational entity; and a switching arrangement. The switching arrangement is configured to, in a first mode, connect the first isolated computational entity to the at least one user interface element; and, in a second mode, connect the second isolated computational entity to the at least one user interface element.

Abstract: Techniques for transmitting data according to at least one quality of service requirement. A message path is calculated specifying a sequence of broker computers selected from a network of interconnected broker computers. The message path is statistically estimated to fulfill the at least one quality of service requirement. Quality of service metrics are received about the network of interconnected broker computers. If the message path is determined not to fulfill the quality of service requirement, a new message path is calculated specifying a new sequence of broker computers selected from the network of interconnected broker computers. The new message path is statistically estimated to fulfill the at least one quality of service requirement.

Abstract: Systems and methods are provided to determine an allocation of network resources in a distributed on-demand information technology (IT) systems using existing control mechanisms for other operating system resources in order to achieve a desired operating point within the IT system. This desired operating point is obtained by optimizing a goal-based objective function while taking into account system constraints. The relationship between utilization of all system resources, i.e. network resources and processing resources, and attainment of performance objectives is autonomously obtained for a plurality of actions that could be required by a range of system applications. This relationship is used to allocate network resources to applications while maintaining desired performance objectives. The allocation is enforced using existing control mechanisms.

Abstract: A host machine provisions a virtual machine from a catalog of stock virtual machines. The host machine instantiates the virtual machine. The host machine configures the virtual machine, based on customer inputs, to form a customer's configured virtual machine. The host machine creates an image from the customer's configured virtual machine. The host machine unwraps a sealed customer's symmetric key to form a customer's symmetric key. The host machine encrypts the customer's configured virtual machine with the customer's symmetric key to form an encrypted configured virtual machine. The host machine stores the encrypted configured virtual machine to non-volatile storage.

Abstract: An apparatus includes a memory to store a secure object comprising at least one of code and data that is encrypted when stored in the memory and a central processing unit (CPU) that is capable of executing an EnterSecureMode (esm) instruction that enables the decryption of the secure object's information when the secure object information is retrieved from the memory into the CPU. The CPU further comprises a feature to protect the secure object from code received from other software.

Abstract: A system, method, and computer program product for benchmarking a stream processing system are disclosed. The method comprises generating a plurality of correlated test streams. A semantically related data set is embedded within each of the test streams in the plurality of correlated test streams. The plurality of correlated test streams is provided to at least one stream processing system. A summary is generated for each of the semantically related embedded data sets. A common identifier, which is transparent to the system being tested, is embedded within each stream in the plurality of correlated test streams. The common identifier is extracted from the output data set generated by the stream processing system. At least one of the stored copies of the summaries and the common identifier are compared to an output data set including a set of zero or more correlation results generated by the stream processing system.

Abstract: A system, method and computer program product for verifying integrity of a running application program on a computing device. The method comprises: determining entry points into an application programs processing space that impact proper execution impact program integrity; mapping data elements reachable from the determined entry points into a memory space of a host system where the application to verify is running; run-time monitoring, in the memory space, potential modification of the data elements in a manner potentially breaching program integrity; and initiating a response to the potential modification. The run-time monitoring detects when a data transaction, e.g., a write event, reaches a malicious agent's entry point, a corresponding memory hook is triggered and control is passed to a security agent running outside the monitored system.