Abstract: A computing device, such as a personal computing device (e.g., laptop, smartphone, etc.) or server, is configured to utilize environmental factors in generating public/private key pairs to access restricted data or operations. The environmental factors can include location, time, barometric pressure, acceleration, temperature, humidity, and the like. An initial key pair may be used to encrypt data and enable other conventional security features. A key pair can be subsequently generated based on the same environmental factors as with the initial key pair generation and used to access the data or operations which have been restricted using the initial key pair.

Abstract: Techniques are disclosed for implementing system calls in a virtualized computing environment. An interface is configured to abstract partitions in the virtualized computing environment. A system call is received that is to be executed across a system boundary in a localized computing environment. Based on a declarative policy, one or more of a device type, device path, or process identity associated with the system call is determined. The system call is executed in the virtualized computing environment.

Abstract: The present disclosure relates to devices and methods for protecting data from physical attacks. The devices and methods may establish an encryption protocol to encrypt data transmitted over a bus to one or more removable devices in communication with a computer device. The devices and methods may use the encryption protocol to communicate with the removal devices and perform storage requests at the removal devices. The devices and methods may also perform another layer of encryption on the data stored at the removal devices using a data at rest key stored on the removal devices.

Abstract: Examples of the present disclosure describe systems and methods for configuring and executing per-service TLS settings in a forward proxy. In examples, a proxy device receives a connection request from a client device to access a service. The proxy device identifies service connection information included in the connection request and selects a connection scheme for connecting to the service. The service connection information is compared to a static mapping of connection data in the connection scheme. If the service connection information matches the static mapping of connection data, a TLS type is determined for the connection request. If the service connection information does not match the static mapping of connection information, the service connection information is compared to a dynamic mapping of session information. Based on the comparison of the service connection information to the dynamic mapping of session information, a TLS type is determined for the connection request.

Abstract: Devices and methods for protecting server devices from physical attacks use an encrypted overlay network to securely communicate between a trusted network and one or more host computer devices in communication with the trusted network. The devices and methods may generate VPN tunnels to communicate directly with individual host computer devices. The devices and methods may securely transmit data packets between the trusted network and the host computer devices using the VPN tunnels.

Abstract: Inducements are provided to customers to regularly connect back to a service provider and report usage that is expressed using a count of requests from a local computing device for cloud-based operations such as packet routing, container instantiation, virtual machine (VM) utilization, calls to a service or application, and the like. The count information is reported within a secure context, such as a trusted execution environment (TEE), using public-private key pair cryptography by which key derivation is dependent on some form of counting. For example, a customer computing device that is subject to a usage license encrypts an operation count and reports it to the service provider.

Abstract: The disclosure herein describes securing access to a service resource within a security boundary. A security gateway instance receives a request from an edge deployment outside the security boundary. The request includes identity data identifying the edge deployment. The identity data is validated based on allowed identity data of the security gateway instance and based on a validation handler associated with the service resource. Based on validating the identity data and validating the request, the identity data is transformed using security data specific to the security gateway instance. The transformed identity data indicates the request has been validated by the security gateway instance. Based on transforming the identity data of the request, the transformed identity data and the request are forwarded to the service resource via a network link within the security boundary, wherein the service resource is configured to process the request based on identifying the transformed identity data.

Abstract: Examples described herein generally relate to hosting virtual memory backed kernel isolated containers. A server includes at least one physical processor and at least one physical computer memory addressable via physical memory addresses. The at least one physical computer memory stores executable code configured to provide at least one host including a kernel and at least one kernel isolated container within the at least one host. The host allocates virtual memory having virtual memory addresses to a respective container of the at least one kernel isolated container. The host pins a subset of the virtual memory addresses to a subset of the physical memory addresses. The host performs a direct memory access operation or device memory-mapped input-output operation of the respective container on the subset of the physical memory addresses. At least part of the physical computer memory that is not pinned is oversubscribed.

Abstract: Examples described herein generally relate to a server for hosting process isolated containers within a virtual machine. The server includes at least one physical processor; at least one physical computer memory storing executable code for execution by the at least one physical processor, and a physical network interface controller, NIC. The executable code may be configured to provide a host virtual machine and at least one process isolated container within the host virtual machine. The physical NIC includes a physical NIC switch configured to distribute incoming data packets to a plurality of functions including a physical function and virtual functions. At least one of the virtual functions is assigned to an individual process isolated container within the virtual machine. The virtual function assigned to the individual process isolated container allows the physical NIC switch to distribute incoming data packets for the individual process isolated container at a hardware level.

Abstract: The disclosure herein describes securing access to a service resource within a security boundary. A security gateway instance receives a request from an edge deployment outside the security boundary. The request includes identity data identifying the edge deployment. The identity data is validated based on allowed identity data of the security gateway instance and based on a validation handler associated with the service resource. Based on validating the identity data and validating the request, the identity data is transformed using security data specific to the security gateway instance. The transformed identity data indicates the request has been validated by the security gateway instance. Based on transforming the identity data of the request, the transformed identity data and the request are forwarded to the service resource via a network link within the security boundary, wherein the service resource is configured to process the request based on identifying the transformed identity data.

Abstract: Techniques are disclosed for implementing system calls in a virtualized computing environment. An interface is configured to abstract partitions in the virtualized computing environment. A system call is received that is to be executed across a system boundary in a localized computing environment. Based on a declarative policy, one or more of a device type, device path, or process identity associated with the system call is determined. The system call is executed in the virtualized computing environment.

Abstract: A computing device, such as a personal computing device (e.g., laptop, smartphone, etc.) or server, is configured to utilize environmental factors in generating public/private key pairs to access restricted data or operations. The environmental factors can include location, time, barometric pressure, acceleration, temperature, humidity, and the like. An initial key pair may be used to encrypt data and enable other conventional security features. A key pair can be subsequently generated based on the same environmental factors as with the initial key pair generation and used to access the data or operations which have been restricted using the initial key pair.

Abstract: Techniques are disclosed for implementing system calls in a virtualized computing environment. An interface is configured to abstract partitions in the virtualized computing environment. A system call is received that is to be executed across a system boundary in a localized computing environment. Based on a declarative policy, one or more of a device type, device path, or process identity associated with the system call is determined. The system call is executed in the virtualized computing environment.

Abstract: A computing device, such as a personal computing device (e.g., laptop, smartphone, etc.) or server, is configured to utilize environmental factors in generating public/private key pairs to access restricted data or operations. The environmental factors can include location, time, barometric pressure, acceleration, temperature, humidity, and the like. An initial key pair may be used to encrypt data and enable other conventional security features. A key pair can be subsequently generated based on the same environmental factors as with the initial key pair generation and used to access the data or operations which have been restricted using the initial key pair.

Abstract: The present disclosure relates to devices and methods for protecting server devices from physical attacks. The devices and methods may use an encrypted overlay network to securely communicate between a trusted network and one or more host computer devices on network racks in communication with the trusted network. The devices and methods may generate VPN tunnels to communicate directly with individual host computer devices on the network racks. The devices and methods may securely transmit data packets between the trusted network and the host computer devices using the VPN tunnels.

Abstract: The present disclosure relates to devices and methods for protecting data from physical attacks. The devices and methods may establish an encryption protocol to encrypt data transmitted over a bus to one or more removable devices in communication with a computer device. The devices and methods may use the encryption protocol to communicate with the removal devices and perform storage requests at the removal devices. The devices and methods may also perform another layer of encryption on the data stored at the removal devices using a data at rest key stored on the removal devices.

Abstract: Inducements are provided to customers to regularly connect back to a service provider and report usage that is expressed using a count of requests from a local computing device for cloud-based operations such as packet routing, container instantiation, virtual machine (VM) utilization, calls to a service or application, and the like. The count information is reported within a secure context, such as a trusted execution environment (TEE), using public-private key pair cryptography by which key derivation is dependent on some form of counting. For example, a customer computing device that is subject to a usage license encrypts an operation count and reports it to the service provider.

Abstract: Inducements are provided to customers to regularly connect back to a service provider and report usage that is expressed using a count of requests from a local computing device for cloud-based operations such as packet routing, container instantiation, virtual machine (VM) utilization, calls to a service or application, and the like. The count information is reported within a secure context, such as a trusted execution environment (TEE), using public-private key pair cryptography by which key derivation is dependent on some form of counting. For example, a customer computing device that is subject to a usage license encrypts an operation count and reports it to the service provider.

Abstract: Techniques are disclosed for implementing system calls in a virtualized computing environment. An interface is configured to abstract partitions in the virtualized computing environment. A system call is received that is to be executed across a system boundary in a localized computing environment. Based on a declarative policy, one or more of a device type, device path, or process identity associated with the system call is determined. The system call is executed in the virtualized computing environment.

Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.