Abstract: An embedding system and an embedding method are provided. The embedding system includes: a cooling container defining a cavity having an opening; a cooling liquid contained in the cavity of the cooling container; a mold arranged in the cavity and at least partially immersed in the cooling liquid, when cooled by the cooling container; and an embedding medium arranged in the mold and a sample enclosed in the embedding medium, when the mold is cooled by the cooling container. The mold is configured to exchange heat with the cooling liquid in such a manner that the embedding medium is cooled and solidified by the cooling liquid to embed the sample in the embedding medium.

Abstract: An integrated circuit chip can provide protection with registers of a register file. A processor can be part of general or security-oriented (e.g., root-of-trust (RoT)) circuitry. In described implementations, the processor includes multiple register blocks for storing multiple register values. The processor also includes multiple integrity blocks for storing multiple integrity codes. A respective integrity block is associated with a respective register block. The respective integrity block can store a respective integrity code that is derived from a respective register value that is stored in the respective register block. The integrity code can enable detection or correction of one or more corrupted bits in the register value. An integrity controller of the processor can monitor the register value regularly or in response to an access by an execution unit. The controller can take a protective action if corruption is detected. This enables information protection to extend to processor execution units.

Abstract: An IC chip can provide silicon root of trust (RoT) functionality. In described implementations, the IC chip includes a processor, an interconnect, and multiple peripheral devices. These comportable circuit components are designed to facilitate interoperability and consistent, expected communications for security circuitry. Each peripheral device includes an interface that adheres to a common framework for interacting with the processor and with other peripheral devices. The interface includes an interconnect interface coupling the peripheral device to the interconnect and an inter-device interface coupling the peripheral device to at least one other peripheral device. The peripheral device is realized based on a peripheral device design code that indicates inter-device signaling in accordance with an inter-device scheme of an interface specification.

Abstract: An apparatus with an integrated circuit (IC) chip can provide protection against attacks on a read-only memory (ROM), such as a boot ROM for security circuitry. An attacker can gain control of an IC by modifying ROM contents and/or redirecting ROM reads. To combat these attacks, example implementations store encrypted ROM data in the ROM array. A ROM controller is used to cryptographically tie the address of each ROM line to the corresponding encrypted ROM datum. To access the encrypted ROM datum, cryptographic circuitry decrypts the encrypted ROM datum using a key that is generated based on the corresponding ROM address. As part of an integrity checking procedure, a digest can be computed based on the encrypted ROM data. To further thwart would-be attacks, the ROM address can be adjusted (e.g., scrambled) before the controller uses the adjusted address to read encrypted data from the ROM array.

Abstract: This document describes systems and techniques for deriving identity and root keys for embedded systems. In aspects, a boot process and key manager of an embedded system may implement a secure or trusted boot process for embedded systems in which code of next-level boot loader or software image is verified using root keys or other protected information before execution of the boot process is passed to the next stage in the boot process. Alternatively or additionally, the key manager may enable sealing and attestation of various levels of root and identity keys to enable respective verification of software or hardware throughout a life cycle of a device to prevent unauthorized access to protected or private code of an embedded system. By so doing, the described aspects may enable an embedded system with a secure boot process and robust identity and root key management system.

Abstract: The present disclosure relates to a cassette and a tissue embedding method using the cassette. The cassette includes a frame, a cover and a base. The frame defines an accommodating cavity through a first face and a second face of the frame arranged oppositely in a first direction. The cover is detachably mounted to the frame. The base is detachably mounted to the frame, and the base and the cover are configured to hold and orient a tissue sample therebetween. The base is slidable relative to the frame in a second direction different from the first direction to open and close the accommodating cavity.

Abstract: This document describes systems and techniques for deriving identity and root keys for embedded systems. In aspects, a boot process and key manager of an embedded system may implement a secure or trusted boot process for embedded systems in which code of next-level boot loader or software image is verified using root keys or other protected information before execution of the boot process is passed to the next stage in the boot process. Alternatively or additionally, the key manager may enable sealing and attestation of various levels of root and identity keys to enable respective verification of software or hardware throughout a life cycle of a device to prevent unauthorized access to protected or private code of an embedded system. By so doing, the described aspects may enable an embedded system with a secure boot process and robust identity and root key management system.

Abstract: An apparatus with an integrated circuit (IC) chip can provide protection against attacks on a cryptographic coprocessor. An attacker can compromise a cryptographic coprocessor by, for instance, obtaining a private encryption key or instruction code. To combat these attacks, example implementations store information in encrypted form. The information may correspond to data, instruction code, or intermediate values located in state registers. To securely and quickly “erase” such stored information, the cryptographic coprocessor can change the encryption key. In other example implementations, random numbers are provided with two different levels of “randomness quality” that is appropriate for different types of procedures. A cryptographic coprocessor can include two registers that store randomized bits in accordance with the two different quality levels for rapid access during cryptographic operations.

Abstract: This document discloses aspects of secure serial peripheral interface (SPI) communication. In some aspects, a secure SPI communication module monitors communications transmitted by a host to a peripheral block that is coupled to the host via a SPI interconnect. The module compares respective commands of the communications sent by the host to information indicating commands that the peripheral block is not authorized to execute. Based on the comparing, the module determines that one of the respective commands is one of the commands that the peripheral block is not authorized to execute. The module then prevents the peripheral block from receiving at least a portion of the respective command of the communication. By so doing, the module can prevent the peripheral block from executing unauthorized commands, which may compromise security of the peripheral block.

Abstract: An apparatus with an integrated circuit (IC) chip can provide protection against attacks on a read-only memory (ROM), such as a boot ROM for security circuitry. An attacker can gain control of an IC by modifying ROM contents and/or redirecting ROM reads. To combat these attacks, example implementations store encrypted ROM data in the ROM array. A ROM controller is used to cryptographically tie the address of each ROM line to the corresponding encrypted ROM datum. To access the encrypted ROM datum, cryptographic circuitry decrypts the encrypted ROM datum using a key that is generated based on the corresponding ROM address. As part of an integrity checking procedure, a digest can be computed based on the encrypted ROM data. To further thwart would-be attacks, the ROM address can be adjusted (e.g., scrambled) before the controller uses the adjusted address to read encrypted data from the ROM array.

Abstract: In one aspect, a method of detecting database anomalies, includes reading historical data in a destination database at an end of a data pipeline, determining bounds including an upper bound and a lower bound based on the read historical data, reading current data for a first specified time period in the destination database, responsive to determining the upper or the lower bound is exceeded, determining database transactions that caused the exceeding, and transmitting alerts to owners of the database transactions.

Abstract: This document discloses aspects of secure chip-wide communication. In some aspects, a host of a system generates integrity metadata for a command payload issued to a destination over an interconnect of the system. The integrity metadata can be generated based on respective values of bits that form the command payload, such as plaintext data bits. The destination validates the integrity of the command payload based on the integrity metadata before consuming the command payload. In some cases, the destination stores the integrity metadata with data of the command payload, which may be returned to the host along the data when requested. By so doing, the host and destinations of the system can use the integrity metadata to implement secure-chip wide communication, which may prevent fault injection attacks on the command payloads or response data during transit or at temporal storage locations within the system.

Abstract: An IC chip can provide silicon root of trust (RoT) functionality. In described implementations, the IC chip includes a processor, an alert handler, and multiple peripheral devices, which generate alert indications. The alert handler processes the alert indications, which have security implications. The alert handler includes multiple alert receiver modules to communicate with the multiple peripheral devices. The alert handler also includes a controller, multiple accumulation units, multiple escalation timers, and multiple escalation sender modules. These components can be organized into a hierarchy of increasing escalation severity. In operation, the controller classifies an alert and flexibly implements an adaptable alert handler path that is established through the escalation components responsive to the classification and based on a source of the alert. A path can conclude with an escalation sender module commanding an escalation handler to implement a security countermeasure.

Abstract: This document describes techniques and systems for providing trusted computing for digital devices. The techniques and systems may use cryptographic algorithms to provide trusted computing and processing. By doing so, the techniques help ensure authentic computation and prevent nefarious acts. For example, a method is described that receives a signature associated with a designee and validates the signature. The signature may be associated with a designee of a host computing device, and the signature may be generated according to firmware associated with an integrated circuit of the host computing device and a first private key of a first asymmetric key pair. Signature validation may be based on a second asymmetric key pair having a second private key and a second public key, the second private key stored in write-once memory of the host computing device.

Abstract: This document includes techniques, apparatuses, and systems related to an interface for revision-limited memory, which can improve various computing aspects and performance. In aspects, confidentiality, integrity, and availability may be ensured while increasing the performance of revision-limited memory. In this example, the techniques also enable the digital computing device to interact with information related to the revision-limited memory.

Abstract: In one aspect, a method of detecting database anomalies, includes reading historical data in a destination database at an end of a data pipeline, determining bounds including an upper bound and a lower bound based on the read historical data, reading current data for a first specified time period in the destination database, responsive to determining the upper or the lower bound is exceeded, determining database transactions that caused the exceeding, and transmitting alerts to owners of the database transactions.

Abstract: This document includes techniques, apparatuses, and systems related to an interface for revision-limited memory, which can improve various computing aspects and performance. In aspects, confidentiality, integrity, and availability may be ensured while increasing the performance of revision-limited memory. In this example, the techniques also enable the digital computing device to interact with information related to the revision-limited memory.

Abstract: Provided herein is an air monitoring system with a venturi pump including an air supply passageway, a sample passageway, and a discharge passageway, the discharge passageway in fluid communication with the air supply passageway and the sample passageway, and a detection device including a biochip, a light emitting source, a photodetector, and a controller electronically coupled to the photodetector. Also provided herein is a photonic biogel and uses thereof for spectroscopic detection of airborne pathogens.

Abstract: This document includes techniques, apparatuses, and systems related to an interface for revision-limited memory, which can improve various computing aspects and performance. In aspects, confidentiality, integrity, and availability may be ensured while increasing the performance of revision-limited memory. In this example, the techniques also enable the digital computing device to interact with information related to the revision-limited memory.

Abstract: An integrated circuit chip can provide protection with registers of a register file. A processor can be part of general or security-oriented (e.g., root-of-trust (RoT)) circuitry. In described implementations, the processor includes multiple register blocks for storing multiple register values. The processor also includes multiple integrity blocks for storing multiple integrity codes. A respective integrity block is associated with a respective register block. The respective integrity block can store a respective integrity code that is derived from a respective register value that is stored in the respective register block. The integrity code can enable detection or correction of one or more corrupted bits in the register value. An integrity controller of the processor can monitor the register value regularly or in response to an access by an execution unit. The controller can take a protective action if corruption is detected. This enables information protection to extend to processor execution units.