Abstract: A method and system is provided for securing micro-architectural instruction caches (I-caches). Securing an I-cache involves maintaining a different substantially random instruction mapping policy into an I-cache for each of multiple processes, and for each process, performing a substantially random mapping scheme for mapping a process instruction into the I-cache based on the substantially random instruction mapping policy for said process. Securing the I-cache may further involve dynamically partitioning the I-cache into multiple logical partitions, and sharing access to the I-cache by an I-cache mapping policy that provides access to each I-cache partition by only one logical processor.

Abstract: A Security Enhanced Linux (SELinux) system implementing extended policy models and method for their enforcement, is provided. Extended attributes are defined to specify extended policies. The SELinux policy model is extended to include the extended policies. The extended policies are enforced in addition to SELinux Type Enforcement. In one implementation, defining extended attributes involves defining TC-related attributes to specify TC-related policies. Further, extending the SELinux policy model includes extending the SELinux policy model to include the TC-related policies, in addition to SELinux Type Enforcement. Furthermore, enforcing the extended policies includes enforcing the TC-related policies in addition to SELinux Type Enforcement.

Abstract: A method and system is provided for securing micro-architectural instruction caches (I-caches). Securing an I-cache involves providing security critical instructions to indicate a security critical code section; and implementing an I-cache locking policy to prevent unauthorized eviction and replacement of security critical instructions in the I-cache. Securing the I-cache may further involve dynamically partitioning the I-cache into multiple logical partitions, and sharing access to the I-cache by an I-cache mapping policy that provides access to each I-cache partition by only one logical processor.

Abstract: In one embodiment, cryptographic transformation of a message is performed by first performing a table initiation phase. This may be accomplished by creating a permutation of an order of powers and then performing a table initiation phase using a part of a key and the permuted order of powers to populate a data structure.

Abstract: In one embodiment, cryptographic transformation of a message is performed by first performing a table initiation phase. Then an exponentiation phase is performed, wherein the exponentiation phase includes two or more parsing steps, wherein each of the parsing steps includes parsing a part of a cryptographic key into a window of size n, wherein n is a difficult to predict number.

Abstract: In one embodiment, cryptographic transformation of a message is performed by first performing a table initiation phase to populate a data structure. Then, a first random number multiplied by a public key is added to each value in the data structure, in modulo of a second random number multiplied by the public key. Then an exponentiation phase is performed, wherein each modular multiplication and square operation in the exponentiation phase is performed in modulo of the second random number multiplied by the public key, producing a result. Then the result of the exponentiation phase is reduced in modulo of the public key. The introduction of the random numbers aids in the prevention of potential security breaches from the deduction of operands in the table initiation phase by malicious individuals.

Abstract: A method, apparatus, and system, the apparatus including, in some embodiments, a printed circuit board (PCB), an integrated circuit (IC) positioned over and electrically connected to the PCB, a chip positioned between the PCB and the IC, and a closed boundary barrier between and contacting the PCB and the IC to define an inner containment area that completely contains the chip within the inner containment area.

Abstract: Techniques for hashing and decompression of data are disclosed. Hashing and decompression of compressed data can be integrated in order to effectively hash and decompress the compressed data at the same time. The integrated hashing and decompression techniques of the invention are useful for any computing environment and/or system where compressed data is hashed and decompressed. The invention is especially useful for safe computing environment and/or system (e.g., a Trusted Computing (TC) computing environment) where hashing decompression of compressed data can be routinely performed. The Integrity of a computing environment and/or system can be protected by integrating the decompressing and hashing of the compressed data or effectively hashing and decompressing the compressed data at the same time. A combined hashing and decompression function can be provided based on conventional hashing and compression functions by integrating their similar components and in an efficient manner.

Abstract: In a method for modular multiplication using a multiplication look-ahead process for computing a multiplication shift value and a reduction look-ahead process for computing a reduction shift value, a modulus is first transformed into a transformed modulus that is greater than said modulus. The transformation is carried out such that a predetermined fraction of the transformed modulus has a higher-order digit with a first predetermined value that is followed by at least one low-order digit having a second predetermined value. During the iterative working off of the modular multiplication using the multiplication look-ahead process and the reduction look-ahead process, the transformed modulus is utilized so as to obtain at the end of the iteration a transformed result for the modular multiplication. Finally, the transformed result is re-transformed by modular reduction using the original modulus.

Abstract: Apparatus and methods for reducing information leakage between processes sharing a cache are disclosed. In one embodiment, an apparatus includes execution logic, a cache memory, and cache security logic. The execution unit is to execute a plurality of processes. The cache memory is to be shared between the plurality of processes. The cache security logic is to cause a stored cache state to be loaded into the cache memory.

Abstract: Executable computer code sections can be effectively evicted from secondary memory (e.g., instruction cache) during execution time in order to reduce the observable changes to the state of the secondary memory, thereby enhancing the security of computing systems that use secondary memory in addition the primary (main) memory to support execution of computer code. In particular, codes sections considered to be critical to security can be identified and effectively mapped to the same section of an instruction cache (I-cache) as provided in more modern computing systems in order to improve the efficiency of execution, thereby allowing use of the I-cache in a more secure manner.

Abstract: Executable computer code sections can be stored in the same section of secondary memory (e.g., instruction cache) during execution time in order to reduce the observable changes to the state of the secondary memory, thereby enhancing the security of computing systems that use secondary memory in addition the primary (main) memory to support execution of computer code. In addition, size of code sections can also be effectively adjusted so that code sections that are mapped to the same section of the secondary memory appear to have the same size, thereby further reducing the observable changes to the state of the secondary memory. As a result, the security of computing system can be further enhanced. It should be noted that code sections can be effectively relocated to cause them to map to the same section of secondary memory. It will be appreciated that mapping code sections considered to be critical to security can be especially useful to improving security.

Abstract: Security can be enforced in a consistent manner with respect to various computing environments that may be operable in a computing system. Consistent security criteria can be generated, based on input security criterion, in a computer readable and storable form and stored in a computer readable storage medium, thereby allowing the consistent security criterion to be effectively provided to a computing system for enforcement of the input security criterion in a consistent manner with respect to, for example, (a) a first executable computer code effectively supported by an Operating System (OS), and (b) a second computer code effectively supported by the Virtual Computing Environment (VCE). A Trusted Component (TC) can effectively provide a consistent security criterion as a part and/or form that is suitable for a particular computing environment.

Abstract: An architectural model can use integrated and/or flat (or extended) approaches. An “integrated application and OS” component can effectively integrate at least one computer application program with one or more OS functions, in an integrated approach. The integrated application and OS component can be provided in or as an upper level system (or layer) in relation to a lower level system (or layer). The lower level system can include an OS operable to perform a reduced set of operating system functions not including one or more functions that can be performed by the integrated application and OS component of the upper layer. Furthermore, the OS may be specialized and/or optimized for the components of the upper level system including the integrated application and OS component. By way of example, the OS may be specialized and/or optimized for Web-based and/or Browser-based applications of the integrated application and OS component.

Abstract: Techniques for hashing and decompression of data are disclosed. Hashing and decompression of compressed data can be integrated in order to effectively hash and decompress the compressed data at the same time. The integrated hashing and decompression techniques of the invention are useful for any computing environment and/or system where compressed data is hashed and decompressed. The invention is especially useful for safe computing environment and/or system (e.g., a Trusted Computing (TC) computing environment) where hashing decompression of compressed data can be routinely performed. The Integrity of a computing environment and/or system can be protected by integrating the decompressing and hashing of the compressed data or effectively hashing and decompressing the compressed data at the same time. A combined hashing and decompression function can be provided based on conventional hashing and compression functions by integrating their similar components and in an efficient manner.

Abstract: Techniques for Inter-Process Communication (IPC) in a more secure manner are disclosed. A communication component operating outside of an operating system can obtain operating-system data pertaining to processes that also operate outside of the operating system. The operating-system data can be more reliable than information that may have been provided by the processes, thereby allowing more secure IPC and consequently a more secure computing environment and/or system. A communication component can also be operable to make control decisions regarding the IPC data (e.g., IPC messages) based on the information provided and/or originated by the operating system (or operating-system data) and/or effectively provide the operating-system data pertaining to a sender process to its intended recipient process. A recipient process can also be operable to obtain the operating-system data pertaining to a sender process.

Abstract: Techniques for controlling access are disclosed. The techniques can be used for reference monitoring in various computing systems (e.g., computing device) including those that may be relatively more susceptible to threats (e.g., mobile phones). Allowed access can be disallowed. In other words, permission to access a component can be effectively withdrawn even though access may be on-going. After permission to access a component has been allowed, one or more disallow access conditions or events can be effectively monitored in order to determine whether to withdraw the permission to access the component. As a result, allowed access to the component can be disallowed. Access can be disallowed by effectively considering the behavior of a component in the aggregate and/or over a determined amount of time. By way of example, a messaging application can be disallowed access to a communication port if the messaging application sends more messages than an acceptable limit during a session or in 4 hours.

Abstract: Techniques for representation and verification of data are disclosed. The techniques are especially useful for representation and verification of the integrity of data (integrity verification) in safe computing environments and/or systems (e.g., Trusted Computing (TC) systems and/or environments). Multiple independent representative values can be determined independently and possibly in parallel for respective portions of the data. The independent representative values can, for example, be hash values determined at the same time for respective distinct portions of the data. The integrity of the data can be determined based on the multiple hash values by, for example, processing them to determine a single hash value that can serve as an integrity value.

Abstract: A device for calculating a multiplication of a multiplier and a multiplicand includes a first performer that performs an exact three operand addition and a second performer that performs an approximated operand addition and a calculator that calculates current look-ahead parameters using the approximated intermediate results. The first performer is further implemented to perform an exact three operand addition in the current iteration step using the exact intermediate result for the current iteration step and using the look-ahead parameters calculated for the current iteration step.

Abstract: A method, apparatus, and system, the apparatus including, in some embodiments, a printed circuit board (PCB), an integrated circuit (IC) positioned over and electrically connected to the PCB, a chip positioned between the PCB and the IC, and a closed boundary barrier between and contacting the PCB and the IC to define an inner containment area that completely contains the chip within the inner containment area.