Patents by Inventor Galen Clyde Hunt

Galen Clyde Hunt has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230214535
    Abstract: The disclosed technology is generally directed to network security for processors. In one example of the technology, a computing device includes: a processor, a memory, and a network interface. The computing device executes a first binary within a first region of the memory, executes a separate second binary within a second region of the memory, and prevents the second binary from accessing the first region of the memory. The first binary implements a kernel configured to control the network interface, while the separate second binary implements a network stack that is restricted to communicate only with an identified set of trusted servers.
    Type: Application
    Filed: March 13, 2023
    Publication date: July 6, 2023
    Inventors: Mark RUSSINOVICH, Galen Clyde HUNT
  • Patent number: 11625505
    Abstract: The disclosed technology is generally directed to network security for processors. In one example of the technology, a device includes: hardware, including a network interface; a memory; and a processor. The memory is adapted to store run-time data for the device. The memory includes at least a first memory region and a second memory region. The processor is adapted to execute processor-executable code including a first binary in the first memory region and a second binary in the second memory region. The first binary includes at least one application and a kernel. The kernel is configured to control the hardware. The second binary is configured to operate, upon execution, as a network stack. The device is configured such that the first memory region is protected such that the first memory region is inaccessible to the second binary.
    Type: Grant
    Filed: August 19, 2019
    Date of Patent: April 11, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mark Russinovich, Galen Clyde Hunt
  • Publication number: 20230052789
    Abstract: A unique embedded system is disclosed that locally operates an application virtual machine (VM) and a system VM in isolation from each other. The application VM executes application-specific code for a given purpose of the embedded system. The system VM executes a host operating system (OS) and various security, compatibility, and updating functions independent of the application VM. Each VM is connected to its own unique hardware on the embedded system to ensure that changes to the application code or the system code do not impact the other.
    Type: Application
    Filed: August 12, 2021
    Publication date: February 16, 2023
    Inventors: Ryan James FAIRFAX, Galen Clyde HUNT, Barry Clayton BOND, Kevin Thomas WESTON, JR.
  • Patent number: 11470118
    Abstract: The disclosed technology is generally directed to network security for processors. In one example of the technology, a device includes: a memory that is adapted to store run-time data for the device, and a processor. The processor is adapted to execute processor-executable code including a first binary that includes at least one application and a kernel, and a second binary. The second binary is configured to perform networking functions exclusively, including networking functions of one or more of layers three through seven of the Open Systems Interconnection (OSI) model.
    Type: Grant
    Filed: November 1, 2019
    Date of Patent: October 11, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mark Russinovich, Galen Clyde Hunt
  • Publication number: 20210136111
    Abstract: The disclosed technology is generally directed to network security for processors. In one example of the technology, a device includes: a memory that is adapted to store run-time data for the device, and a processor. The processor is adapted to execute processor-executable code including a first binary that includes at least one application and a kernel, and a second binary. The second binary is configured to perform networking functions exclusively, including networking functions of one or more of layers three through seven of the Open Systems Interconnection (OSI) model.
    Type: Application
    Filed: November 1, 2019
    Publication date: May 6, 2021
    Inventors: Mark RUSSINOVICH, Galen Clyde Hunt
  • Publication number: 20210056236
    Abstract: The disclosed technology is generally directed to network security for processors. In one example of the technology, a device includes: hardware, including a network interface; a memory; and a processor. The memory is adapted to store run-time data for the device. The memory includes at least a first memory region and a second memory region. The processor is adapted to execute processor-executable code including a first binary in the first memory region and a second binary in the second memory region. The first binary includes at least one application and a kernel. The kernel is configured to control the hardware. The second binary is configured to operate, upon execution, as a network stack. The device is configured such that the first memory region is protected such that the first memory region is inaccessible to the second binary.
    Type: Application
    Filed: August 19, 2019
    Publication date: February 25, 2021
    Inventors: Mark RUSSINOVICH, Galen Clyde HUNT
  • Patent number: 10831913
    Abstract: Systems, methods, and computer-readable storage media are provided for securely storing and accessing content within a public cloud. A processor manufacturer provides processors having secure enclave capability to a cloud provider. The provider makes available a listing of processor identifiers (CPUIDs) for processors available for storing content and having secure enclave capability. A content owner provides CPUIDs for desired processors from the listing to the manufacturer which provides the content owner with a processor-specific public code encryption key (CEK) for encrypting content to be stored on each processor identified. Each processor is constructed such that content encrypted with the public CEK may only be decrypted within a secure enclave thereof. The content owner encrypts the desired content with the public CEK and returns the encrypted content and the CPUID for the appropriate processor to the cloud provider. The cloud provider then stores the encrypted content on the particular processor.
    Type: Grant
    Filed: March 15, 2018
    Date of Patent: November 10, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Galen Clyde Hunt, Mark Eugene Russinovich
  • Publication number: 20190087597
    Abstract: Systems, methods, and computer-readable storage media are provided for securely storing and accessing content within a public cloud. A processor manufacturer provides processors having secure enclave capability to a cloud provider. The provider makes available a listing of processor identifiers (CPUIDs) for processors available for storing content and having secure enclave capability. A content owner provides CPUIDs for desired processors from the listing to the manufacturer which provides the content owner with a processor-specific public code encryption key (CEK) for encrypting content to be stored on each processor identified. Each processor is constructed such that content encrypted with the public CEK may only be decrypted within a secure enclave thereof. The content owner encrypts the desired content with the public CEK and returns the encrypted content and the CPUID for the appropriate processor to the cloud provider. The cloud provider then stores the encrypted content on the particular processor.
    Type: Application
    Filed: March 15, 2018
    Publication date: March 21, 2019
    Inventors: GALEN CLYDE HUNT, MARK EUGENE RUSSINOVICH
  • Patent number: 10165079
    Abstract: Technologies are described herein for providing a persona-based application experience. In some configurations, an application can be adapted with a persona package selected from multiple persona packages. The persona packages may include persona-specific user settings, persona-specific application storage settings, or persona-specific application state settings. A persona package may be selected based on a current persona of a user, a time of day, and/or a location of the user. The selected persona package comprises a setting to adapt the execution of the application. In some configurations, a computer determines a current persona of the user. The computer also receives a selected persona package comprising a user setting of the software application. The selection of the persona package is based on the current persona of the user and established credentials associated with the user. The computer adapts the execution of the software application according to the selected persona package.
    Type: Grant
    Filed: August 20, 2015
    Date of Patent: December 25, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Alvin Chardon, Kristofer Hellick Reierson, Angela Mele Anderson, Galen Clyde Hunt, Douglas Christopher Burger, Dilip Krishna Pai
  • Patent number: 9922200
    Abstract: Systems, methods, and computer-readable storage media are provided for securely storing and accessing content within a public cloud. A processor manufacturer provides processors having secure enclave capability to a cloud provider. The provider makes available a listing of processor identifiers (CPUIDs) for processors available for storing content and having secure enclave capability. A content owner provides CPUIDs for desired processors from the listing to the manufacturer which provides the content owner with a processor-specific public code encryption key (CEK) for encrypting content to be stored on each processor identified. Each processor is constructed such that content encrypted with the public CEK may only be decrypted within a secure enclave thereof. The content owner encrypts the desired content with the public CEK and returns the encrypted content and the CPUID for the appropriate processor to the cloud provider. The cloud provider then stores the encrypted content on the particular processor.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: March 20, 2018
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Galen Clyde Hunt, Mark Eugene Russinovich
  • Publication number: 20160134721
    Abstract: Technologies are described herein for providing a persona-based application experience. A query for a location of a persona package is received from a virtualization client. When the query is received, a current persona of a user requesting execution of a virtualized application is determined. The location of the persona package corresponding to the current persona of the user is determined. The location of the persona package is sent to the virtualization client in response to the query. The virtualization client is configured to execute the virtualized application adapted to the persona package.
    Type: Application
    Filed: August 20, 2015
    Publication date: May 12, 2016
    Inventors: Alvin Chardon, Kristofer Hellick Reierson, Angela Mele Anderson, Galen Clyde Hunt, Douglas Christopher Burger, Dilip Krishna Pai
  • Publication number: 20150379297
    Abstract: Systems, methods, and computer-readable storage media are provided for securely storing and accessing content within a public cloud. A processor manufacturer provides processors having secure enclave capability to a cloud provider. The provider makes available a listing of processor identifiers (CPUIDs) for processors available for storing content and having secure enclave capability. A content owner provides CPUIDs for desired processors from the listing to the manufacturer which provides the content owner with a processor-specific public code encryption key (CEK) for encrypting content to be stored on each processor identified. Each processor is constructed such that content encrypted with the public CEK may only be decrypted within a secure enclave thereof. The content owner encrypts the desired content with the public CEK and returns the encrypted content and the CPUID for the appropriate processor to the cloud provider. The cloud provider then stores the encrypted content on the particular processor.
    Type: Application
    Filed: June 30, 2014
    Publication date: December 31, 2015
    Inventors: GALEN CLYDE HUNT, MARK EUGENE RUSSINOVICH
  • Patent number: 9116728
    Abstract: Technologies are described herein for providing a persona-based application experience. A query for a location of a persona package is received from a virtualization client. When the query is received, a current persona of a user requesting execution of a virtualized application is determined. The location of the persona package corresponding to the current persona of the user is determined. The location of the persona package is sent to the virtualization client in response to the query. The virtualization client is configured to execute the virtualized application adapted to the persona package.
    Type: Grant
    Filed: December 21, 2010
    Date of Patent: August 25, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Alvin Chardon, Kristofer Hellick Reierson, Angela Mele Anderson, Galen Clyde Hunt, Douglas Christopher Burger, Dilip Krishna Pai
  • Publication number: 20120159479
    Abstract: Technologies are described herein for providing a persona-based application experience. A query for a location of a persona package is received from a virtualization client. When the query is received, a current persona of a user requesting execution of a virtualized application is determined. The location of the persona package corresponding to the current persona of the user is determined. The location of the persona package is sent to the virtualization client in response to the query. The virtualization client is configured to execute the virtualized application adapted to the persona package.
    Type: Application
    Filed: December 21, 2010
    Publication date: June 21, 2012
    Applicant: MICROSOFT CORPORATION
    Inventors: Alvin Chardon, Kristofer Hellick Reierson, Angela Mele Anderson, Galen Clyde Hunt, Douglas Christopher Burger, Dilip Krishna Pai