Abstract: Aspects of the present disclosure relate to an apparatus comprising interface circuitry to interface with a device that is to be provisioned by the apparatus; and secure enclave circuitry. The secure enclave circuitry is configured to: maintain provisioning data with which the device is to be provisioned; establish a secure connection with the device; perform, with the device and via the secure connection, an attestation process in respect of said provisioning data; and subsequent to successfully completing said attestation process, provisioning the device with the provisioning data, via the secure connection.

Abstract: Various implementations described herein are directed to a device having a write circuit that provides data for storage. The device may include a memory circuit that stores the data in leaky bitcells with capacitive elements that gradually discharge over a pre-determined period of time. The device may include a read circuit that enables the leaky bitcells to operate as one or more memory storage elements. The device may include a query circuit that identifies matches between a query data and output data provided by the read circuit.

Abstract: A method is provided that includes receiving a computer program comprising regions of code, each region of code including at least one function, pruning a search space of the received computer program by applying a high-level model recognizing potential software vulnerabilities to the computer program to determine a region of the code of the regions of code that includes a potential software vulnerability, performing a localized static analysis on the region of the code that include the potential software vulnerability to determine a local condition that causes the potential software vulnerability to be expressed in the computer program, and generating a report that includes the region of the code that includes the potential software vulnerability including a location of the region of the code within the computer program and the local condition that causes the potential software vulnerability to be expressed in the computer program.

Abstract: A method includes receiving precursor alerts from a precursor detector that detects events from a processing unit, wherein each precursor alert comprises information of an event from the processing unit, the information of an event from the processing unit, detecting a first event in the precursor alerts indicating undesirable behavior and including a first score that is above a first value, setting a first timer for a first period of time, accumulating a score update with the first score of the first event. Upon the score update reaching or exceeding a first threshold value within the first period of time, generating a refined alert.

Abstract: A method is provided that includes receiving a source code block of a source code and a sensor configuration associated with the source code block, performing instrumentation on the source code block at least two times to generate corresponding at least two differently instrumented code blocks from the source code block, creating a corresponding model of the sensor configuration for each differently instrumented code block, and receiving a request for an instrumented variant of the source code block for execution by a processing element and deploying the instrumented variant of the source code block to the processing element. The instrumented variant of the source code block comprises one of the at least two differently instrumented code blocks from the source code block.

Abstract: A computer implemented method is provided. The computer implemented method includes receiving, for execution by a processing element, a relocatable instrumented code block, the relocatable instrumented code block being code that has undergone instrumentation for a monitoring system, duplicating at least one function of the relocatable instrumented code block to produce a plurality of duplicate relocatable code blocks, allocating the instrumented code block and each duplicate relocatable code block of the plurality of duplicate relocatable code blocks to different locations in a memory on a computing device, creating a relocated mapping of the instrumented code block and each duplicate relocatable code block to their corresponding locations in the memory, and transmitting a copy of the mapping of the instrumented code block and each duplicate relocatable code block to their corresponding locations in memory to the monitoring system.

Abstract: A behavioral sensor for creating consumable events can include: a feature extractor coupled to receive an event stream of events performed by a circuit, wherein the feature extractor identifies features of a particular event of the event stream and associates the particular event with a time; and a classifier coupled to receive the features of the particular event from the feature extractor, wherein the classifier classifies the particular event into a classified event associated with the time using predefined categories based on the received features of the particular event; whereby the classified event and subsequent classified events extracted from the event stream within a time frame are appended in a time series forming the consumable events.

Abstract: There is provided an apparatus and method, the apparatus comprising storage circuitry to store event information associated with instructions occurring between instrumentation points. The event information indicates a plurality of different types of events expected to occur during execution of the instructions. The event information comprises, for each event, type information indicating a type of that event and an expected number of occurrences of that event. The apparatus is also provided with monitoring circuitry comprising a plurality of programmable counters. The monitoring circuitry is responsive to a start instrumentation point, to assign at least a subset of the plurality of programmable counters to measure, during execution of the program instructions, occurrences of the plurality of different types of events identified in the event information.

Abstract: A method to mitigate an attack initiated by a malicious actor by migration of the attacked process is provided. The method includes monitoring a process being executed from a first computing location on a computing device for a trigger indicating a potential attack and detecting the trigger indicating the potential attack. Responsive to detecting the trigger indicating the potential attack, initiating an attack countermeasure by migrating the process to execute in a second computing location isolated from the first computing location, thereby breaking access to information at the first computing location. A computing device is also provided that includes a processor, a memory, and instructions stored on the memory that when executed by the processor direct the computing device to monitor a process being executed from a first computing location on the computing device for a trigger indicating a potential attack and detect the trigger indicating the potential attack.

Abstract: A method of malware detection includes performing, by a second device of a plurality of devices on a network, a fuzzy matching between a second sequence of events occurring at the second device and a first sequence of captured events that occurred at a first device of the plurality of devices on the network; determining, by the second device, that a result of the fuzzy matching reaches a first threshold; and in response to determining that the result of the fuzzy matching reaches the first threshold, initiating a detailed instrumentation at the second device. The method can further include determining, by the second device, that a first condition is satisfied; and in response to determining that the first condition is satisfied: generating a second malware behavior package including information from the detailed instrumentation; and communicating the second malware behavior package over the network.

Abstract: An apparatus and method are described for providing a trusted execution environment. The apparatus comprises processing circuitry to execute program code, and interrupt controller circuitry, responsive to receipt of one or more interrupt requests, to select a given interrupt request from amongst the one or more interrupt requests, and to issue an interrupt signal to the processing circuitry identifying a given interrupt service routine providing program code to be executed by the processing circuitry to service the given interrupt request. The interrupt controller circuitry is responsive to the given interrupt request being a trusted execution environment (TEE) interrupt request, to issue the interrupt signal to identify as the given interrupt service routine a TEE interrupt service routine, and to inhibit issuance of any further interrupt signal until the TEE interrupt service routine has been executed by the processing circuitry.

Abstract: A behavioral system level detector and method that filters local alerts to generate system alerts with an increased confidence level is provided. The method includes receiving local alerts from a local detector that detects events from a processing unit, wherein each local alert comprises information of an event from the processing unit and a timing relationship for the event, filtering the local alerts to determine events indicating an undesirable behavior or attack, and responsive to the determination that there are events indicating the undesirable behavior or the attack, generating a system alert. The behavioral system-level detector includes a shared data structure for storing local alerts received from at least one local detector and system processing unit coupled to the shared data structure to receive the local alerts and coupled to receive state information from the processing units.

Abstract: There is provided an apparatus and method, the apparatus comprising storage circuitry to store event information associated with instructions occurring between instrumentation points. The event information indicates a plurality of different types of events expected to occur during execution of the instructions. The event information comprises, for each event, type information indicating a type of that event and an expected number of occurrences of that event. The apparatus is also provided with monitoring circuitry comprising a plurality of programmable counters. The monitoring circuitry is responsive to a start instrumentation point, to assign at least a subset of the plurality of programmable counters to measure, during execution of the program instructions, occurrences of the plurality of different types of events identified in the event information.

Abstract: Provided is a technology including an apparatus and a machine-implemented method for operating a content sending apparatus attachable to a network, comprising acquiring a sequence comprising at least two content blocks; generating at least one authentication metadata block comprising at least one signed digest derived by a chaining digest technique from the sequence of content blocks; deriving a content transform encoding for each of the content blocks; and sending the at least one authentication metadata block and at least one content transform encoding to at least one of a set of recipient devices, the at least one device being operable to apply an inverse transformation to the content transform encoding and to authenticate at least one resultant content block according to the authentication metadata block.

Abstract: A 1-hot path signature accelerator includes a register, first and second accumulator, and an outer product circuit. The register stores an input frame, where the input frame has, at most, one bit of each element set. The first accumulator calculates a present summation by adding the input frame to a previous sum of previous input frames inputted to the 1-hot path signature accelerator within a timeframe. The outer product circuit receives each element of the present summation from the first accumulator and each element of the input frame stored in the register to output a present outer product. Since the input frame has at most one bit of each element set, the outer product circuit is reduced to a logical operation. The second accumulator outputs a present second-layer summation by adding the present outer product to a previous second-layer sum of outputs from the outer product circuit within the timeframe.

Abstract: A computer implemented method is provided. The computer implemented method includes receiving an intermediate representation of a source code, intentionally injecting a weak code path at a point within the intermediate representation to create a modified intermediate representation, performing a path profiling on the modified intermediate representation to generate a particular path identifier for each path within the modified intermediate representation, and identifying the particular path identifier of the weak code path for use by a monitoring system. A monitoring system is also provided. The monitoring system monitors an executable code during runtime for execution of a path having a particular path identifier corresponding to the injected intentionally weak code path.

Abstract: A method to distribute verification of attestation evidence and a verifiable system are provided. Method includes receiving, at a secondary verifier operating in a verifiable system, a request from a relying party to perform a verification process with respect to attestation evidence of a device in communication with the relying party, communicating self-attestation evidence, by the secondary verifier, to a trusted verifier to generate an attestation report of the verifiable system, communicating the attestation report of the verifiable system or other indicator of trustworthiness to the relying party to indicate trustworthiness of the secondary verifier with respect to performing the verification process, and performing, by the secondary verifier, the verification process on the attestation evidence of the device in communication with the relying party.

Abstract: An apparatus and method are described for providing a trusted execution environment. The apparatus comprises processing circuitry to execute program code, and interrupt controller circuitry, responsive to receipt of one or more interrupt requests, to select a given interrupt request from amongst the one or more interrupt requests, and to issue an interrupt signal to the processing circuitry identifying a given interrupt service routine providing program code to be executed by the processing circuitry to service the given interrupt request. The interrupt controller circuitry is responsive to the given interrupt request being a trusted execution environment (TEE) interrupt request, to issue the interrupt signal to identify as the given interrupt service routine a TEE interrupt service routine, and to inhibit issuance of any further interrupt signal until the TEE interrupt service routine has been executed by the processing circuitry.

Abstract: A behavioral sensor for creating consumable events can include: a feature extractor coupled to receive an event stream of events performed by a circuit, wherein the feature extractor identifies features of a particular event of the event stream and associates the particular event with a time; and a classifier coupled to receive the features of the particular event from the feature extractor, wherein the classifier classifies the particular event into a classified event associated with the time using predefined categories based on the received features of the particular event; whereby the classified event and subsequent classified events extracted from the event stream within a time frame are appended in a time series forming the consumable events.

Abstract: Systems, mechanisms and processes are provided to allow law-enforcement officials, when encountering the potential use of prepaid payment cards in the furtherance of a crime or in relation to criminal activities, to (1) attempt to check the balances on such prepaid payment cards, including the ability to perform aggregate balance checks on a group of such prepaid cards, (2) attempt to freeze the funds on such prepaid payment cards, and/or (3) attempt to seize the funds on such prepaid payment cards.