Patents by Inventor Julien Lerouge

Julien Lerouge has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230289787
    Abstract: Techniques are disclosed relating to authentication using public key encryption. In one embodiment, a computing device includes a secure circuit, a processor, and memory. The secure circuit is configured to generate a public key pair usable to authenticate a user of the computing device. The memory has program instructions stored therein that are executable by the processor to cause the computing device to perform operations including authenticating the user with a server system by sending authentication information supplied by the user. The operations further include, in response to the server system verifying the authentication information, receiving a first token usable to register the public key pair with the server system and sending, to the server system, a request to register the public key pair for authenticating the user. In such an embodiment, the request includes the first token and identifies a public key of the public key pair.
    Type: Application
    Filed: February 24, 2023
    Publication date: September 14, 2023
    Inventors: Libor Sykora, Delfin J. Rojas, Paul J. Sholtz, Erika Misaki, Shiva Krovi, Lawrence Aung, Julien Lerouge
  • Patent number: 11593797
    Abstract: Techniques are disclosed relating to authentication using public key encryption. In one embodiment, a computing device includes a secure circuit, a processor, and memory. The secure circuit is configured to generate a public key pair usable to authenticate a user of the computing device. The memory has program instructions stored therein that are executable by the processor to cause the computing device to perform operations including authenticating the user with a server system by sending authentication information supplied by the user. The operations further include, in response to the server system verifying the authentication information, receiving a first token usable to register the public key pair with the server system and sending, to the server system, a request to register the public key pair for authenticating the user. In such an embodiment, the request includes the first token and identifies a public key of the public key pair.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: February 28, 2023
    Assignee: Apple Inc.
    Inventors: Libor Sykora, Delfin J. Rojas, Paul J. Sholtz, Erika Misaki, Shiva Krovi, Lawrence Aung, Julien Lerouge
  • Publication number: 20210385527
    Abstract: In some implementations, a computing device can transfer a playback queue between the computing device and a playback device. For example, the computing device can detect when the computing device is within a threshold distance of a playback device. The computing device can establish a connection to the playback device and receive state information describing the media playback state of the playback device. The computing device can determine the media playback state of the computing device. The computing device can present graphical user interfaces for initiating a transfer of a playback queue between the computing device and the playback device based on the playback state of the devices. The computing device can initiate a transfer of the playback queue in response to user input to one of the graphical user interfaces or automatically based on the context of the computing device.
    Type: Application
    Filed: August 20, 2021
    Publication date: December 9, 2021
    Applicant: Apple Inc.
    Inventors: David C. Graham, Taylor G. Carrigan, Nicholas J. Paulson, Johannes P. Schmidt, Thomas Alsina, Bob Bradley, Haishan Ye, James C. Grandy, Pierre De Lastic, Julien Lerouge
  • Patent number: 11122328
    Abstract: In some implementations, a computing device can transfer a playback queue between the computing device and a playback device. For example, the computing device can detect when the computing device is within a threshold distance of a playback device. The computing device can establish a connection to the playback device and receive state information describing the media playback state of the playback device. The computing device can determine the media playback state of the computing device. The computing device can present graphical user interfaces for initiating a transfer of a playback queue between the computing device and the playback device based on the playback state of the devices. The computing device can initiate a transfer of the playback queue in response to user input to one of the graphical user interfaces or automatically based on the context of the computing device.
    Type: Grant
    Filed: June 21, 2019
    Date of Patent: September 14, 2021
    Assignee: Apple Inc.
    Inventors: David C. Graham, Taylor G. Carrigan, Nicholas J. Paulson, Johannes P. Schmidt, Thomas Alsina, Bob Bradley, Haishan Ye, James C. Grandy, Pierre De Lastic, Julien Lerouge
  • Patent number: 10785221
    Abstract: In some implementations, a computing system can be configured so that a first user device can delegate a first user's media account credentials to a second user device corresponding to a second user. For example, a playback device may be configured with the second user's media account credentials for accessing media items through a network media service. A first user may wish to play media items associated with the first user's media account credentials on the playback device. To do so, the first user device can request a device identifier for the playback device, request and obtain a delegate token for the device identifier from the media service, and provide the delegate token along with media item information to the playback device. The playback device can then use the delegate token to request the media item associated with the first user's media access account.
    Type: Grant
    Filed: May 3, 2018
    Date of Patent: September 22, 2020
    Assignee: Apple Inc.
    Inventors: David C. Graham, Taylor G. Carrigan, Nicholas J. Paulson, Johannes P. Schmidt, Thomas Alsina, Bob Bradley, Haishan Ye, James C. Grandy, Pierre De Lastic, Julien Lerouge
  • Patent number: 10599873
    Abstract: Systems and methods are described for rate-limiting a message-sending client interacting with a message service based on dynamically calculated risk assessments of the probability that the client is, or is not, a sender of spam messages. The message service sends a proof of work problem to a sending client device with a difficulty level that is related to a risk assessment that the client is a sender of spam messages. The message system limits the rate at which a known or suspected spammer can send messages by giving the known or suspected spammer client harder proof of work problems to solve, while minimizing the burden on normal users of the message system by giving them easier proof of work problems to solve that can typically be solved by the client within the time that it takes to type a message.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: March 24, 2020
    Assignee: Apple Inc.
    Inventors: Lucas O. Winstrom, Eric D. Friedman, Ritwik K. Kumar, Jeremy M. Stober, Amol V. Pattekar, Benoit Chevallier-Mames, Julien Lerouge, Gianpaolo Fasoli, Augustin J. Farrugia, Mathieu Ciet
  • Publication number: 20190320221
    Abstract: In some implementations, a computing device can transfer a playback queue between the computing device and a playback device. For example, the computing device can detect when the computing device is within a threshold distance of a playback device. The computing device can establish a connection to the playback device and receive state information describing the media playback state of the playback device. The computing device can determine the media playback state of the computing device. The computing device can present graphical user interfaces for initiating a transfer of a playback queue between the computing device and the playback device based on the playback state of the devices. The computing device can initiate a transfer of the playback queue in response to user input to one of the graphical user interfaces or automatically based on the context of the computing device.
    Type: Application
    Filed: June 21, 2019
    Publication date: October 17, 2019
    Applicant: Apple Inc.
    Inventors: David C. Graham, Taylor G. Carrigan, Nicholas J. Paulson, Johannes P. Schmidt, Thomas Alsina, Bob Bradley, Haishan Ye, James C. Grandy, Pierre De Lastic, Julien Lerouge
  • Patent number: 10349120
    Abstract: In some implementations, a computing device can transfer a playback queue between the computing device and a playback device. For example, the computing device can detect when the computing device is within a threshold distance of a playback device. The computing device can establish a connection to the playback device and receive state information describing the media playback state of the playback device. The computing device can determine the media playback state of the computing device. The computing device can present graphical user interfaces for initiating a transfer of a playback queue between the computing device and the playback device based on the playback state of the devices. The computing device can initiate a transfer of the playback queue in response to user input to one of the graphical user interfaces or automatically based on the context of the computing device.
    Type: Grant
    Filed: May 3, 2018
    Date of Patent: July 9, 2019
    Assignee: Apple Inc.
    Inventors: David C. Graham, Taylor G. Carrigan, Nicholas J. Paulson, Johannes P. Schmidt, Thomas Alsina, Bob Bradley, Haishan Ye, James C. Grandy, Pierre De Lastic, Julien Lerouge
  • Publication number: 20180337924
    Abstract: In some implementations, a computing system can be configured so that a first user device can delegate a first user's media account credentials to a second user device corresponding to a second user. For example, a playback device may be configured with the second user's media account credentials for accessing media items through a network media service. A first user may wish to play media items associated with the first user's media account credentials on the playback device. To do so, the first user device can request a device identifier for the playback device, request and obtain a delegate token for the device identifier from the media service, and provide the delegate token along with media item information to the playback device. The playback device can then use the delegate token to request the media item associated with the first user's media access account.
    Type: Application
    Filed: May 3, 2018
    Publication date: November 22, 2018
    Applicant: Apple Inc.
    Inventors: David C. Graham, Taylor G. Carrigan, Nicholas J. Paulson, Johannes P. Schmidt, Thomas Alsina, Bob Bradley, Haishan Ye, James C. Grandy, Pierre De Lastic, Julien Lerouge
  • Publication number: 20180338177
    Abstract: In some implementations, a computing device can transfer a playback queue between the computing device and a playback device. For example, the computing device can detect when the computing device is within a threshold distance of a playback device. The computing device can establish a connection to the playback device and receive state information describing the media playback state of the playback device. The computing device can determine the media playback state of the computing device. The computing device can present graphical user interfaces for initiating a transfer of a playback queue between the computing device and the playback device based on the playback state of the devices. The computing device can initiate a transfer of the playback queue in response to user input to one of the graphical user interfaces or automatically based on the context of the computing device.
    Type: Application
    Filed: May 3, 2018
    Publication date: November 22, 2018
    Applicant: Apple Inc.
    Inventors: David C. Graham, Taylor G. Carrigan, Nicholas J. Paulson, Johannes P. Schmidt, Thomas Alsina, Bob Bradley, Haishan Ye, James C. Grandy, Pierre De Lastic, Julien Lerouge
  • Publication number: 20180089465
    Abstract: Systems and methods are described for rate-limiting a message-sending client interacting with a message service based on dynamically calculated risk assessments of the probability that the client is, or is not, a sender of spam messages. The message service sends a proof of work problem to a sending client device with a difficulty level that is related to a risk assessment that the client is a sender of spam messages. The message system limits the rate at which a known or suspected spammer can send messages by giving the known or suspected spammer client harder proof of work problems to solve, while minimizing the burden on normal users of the message system by giving them easier proof of work problems to solve that can typically be solved by the client within the time that it takes to type a message.
    Type: Application
    Filed: September 18, 2017
    Publication date: March 29, 2018
    Inventors: Lucas O. Winstrom, Eric D. Friedman, Ritwik K. Kumar, Jeremy M. Stober, Amol V. Pattekar, Benoit Chevallier-Mames, Julien Lerouge, Gianpaolo Fasoli, Augustin J. Farrugia, Mathieu Ciet
  • Publication number: 20170357967
    Abstract: Techniques are disclosed relating to authentication using public key encryption. In one embodiment, a computing device includes a secure circuit, a processor, and memory. The secure circuit is configured to generate a public key pair usable to authenticate a user of the computing device. The memory has program instructions stored therein that are executable by the processor to cause the computing device to perform operations including authenticating the user with a server system by sending authentication information supplied by the user. The operations further include, in response to the server system verifying the authentication information, receiving a first token usable to register the public key pair with the server system and sending, to the server system, a request to register the public key pair for authenticating the user. In such an embodiment, the request includes the first token and identifies a public key of the public key pair.
    Type: Application
    Filed: September 23, 2016
    Publication date: December 14, 2017
    Inventors: Libor Sykora, Delfin J. Rojas, Paul J. Sholtz, Erika Misaki, Shiva Krovi, Lawrence Aung, Julien Lerouge
  • Patent number: 9721120
    Abstract: An obfuscated program can be configured to resist attacks in which an attacker directly calls a non-entry function by verifying that an execution path to the function is an authorized execution path. To detect an unauthorized execution order, a secret value is embedded in each function along an authorized execution path. At runtime, the secrets are combined to generate a runtime representation of the execution path, and the runtime representation is verified against an expected value. To perform the verification, a verification polynomial is evaluated using the runtime representation as input. A verification value result of zero means the execution path is an authorized execution path.
    Type: Grant
    Filed: May 14, 2013
    Date of Patent: August 1, 2017
    Assignee: Apple Inc.
    Inventors: Jon McLachlan, Julien Lerouge, Daniel F. Reynaud, Eric D. Laspe
  • Patent number: 9424049
    Abstract: Methods, media and systems that use an encoded opaque pointer in an API between a client process and a library process. An encoded opaque pointer, in one embodiment, can be received by the library process from the client process, and the library process can decode the opaque pointer to obtain an address in memory containing a data structure pointed to by the opaque pointer. The library process can operate on the data structure to create a revised or processed data structure, stored in the same or different address in heap memory or stack memory, and the library process can encode and return a new opaque pointer, for the processed data structure, to the client process.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: August 23, 2016
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Daniel F. Reynaud, Gianpaolo Fasoli, Jonathan Gregory McLachlan, Julien Lerouge
  • Patent number: 9336370
    Abstract: A method and an apparatus that provide rewriting code to dynamically mask program data statically embedded in a first code are described. The program data can be used in multiple instructions in the first code. A code location (e.g. an optimal code location) in the first code can be determined for injecting the rewriting code. The code location may be included in two or more execution paths of the first code. Each execution path can have at least one of the instructions using the program data. A second code may be generated based on the first code inserted with the rewriting code at the optimal code location. The second code can include instructions using the program data dynamically masked by the rewriting code. When executed by a processor, the first code and the second code can generate identical results.
    Type: Grant
    Filed: December 6, 2012
    Date of Patent: May 10, 2016
    Assignee: Apple Inc.
    Inventors: Benoit Chevallier-Mames, Daniel F. Reynaud, Jonathan G. McLachlan, Julien Lerouge, Mathieu Ciet, Thomas Icart
  • Patent number: 9268677
    Abstract: Techniques, methods, systems, and computer-readable media for allocating and managing dynamically obfuscated heap memory allocations are described. In one embodiment a memory manager in a data processing system contains an addressor, to determine a first address of a program object in a first memory address space, and one or more encoders, to abstract memory access to the program object using the first address such that layout of the object data in the first address space differs from the layout of the object in a second address space. In one embodiment, a runtime system modifies object code of an executable file to include encoder routines to abstract memory accesses to data in an obfuscated heap. In one embodiment, a compiler system using an intermediate representation of a high level program generates an intermediate representation of a high level program capable of performing memory writes and memory reads using obfuscation encoder routines.
    Type: Grant
    Filed: October 24, 2012
    Date of Patent: February 23, 2016
    Assignee: Apple Inc.
    Inventors: Jonathan G. McLachlan, Julien Lerouge, Daniel F. Reynaud
  • Patent number: 9116765
    Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for obfuscating data using instructions as a source of pseudorandom values. Obfuscation is performed by receiving instructions and data and compiling the instructions and the data into an executable file having a text section and a data section. The text section can include instructions and the data section can include data segments. The system obfuscates the data section iteratively by generating a hash of an address for a respective data segment, and based on the hash, identifying a corresponding address in the text section that includes at least one instruction. The system retrieves a mask key from the corresponding address and applies the mask key to the respective data segment, yielding a masked data segment. In one embodiment, integrity verification of obfuscated data is performed without exposing the data in an unprotected state by utilizing multiple mask keys.
    Type: Grant
    Filed: November 30, 2011
    Date of Patent: August 25, 2015
    Assignee: Apple Inc.
    Inventors: Jon McLachlan, Gideon M. Myles, Julien Lerouge
  • Patent number: 9069656
    Abstract: In one embodiment, a system-wide static global stack pool in a contiguous range of random access memory is generated, a block of memory in the system global pool is assigned to a thread of a running process, and the thread stores local variable information in the static global stack pool, such that the local variable is hidden from a stack frame back-trace. In one embodiment, a dynamically allocated data structure in system heap memory is generated, the data structure is locked to ensure atomic access, a block of memory in the data structure is assigned to a thread of a process, the data structure is unlocked, and the thread stores local variable information in the static global stack pool, such that the local variable is hidden from a stack frame back-trace.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: June 30, 2015
    Assignee: Apple Inc.
    Inventors: Jonathan G. McLachlan, Julien Lerouge, Nicholas T. Sullivan
  • Patent number: 9047448
    Abstract: A branch auditing system can be automatically injected into a computer program, in one embodiment, in response to a programming call provided in source code by a programmer who has selected a particular branch, in a set of possible branches, for auditing. The branch auditing system can record, in an obfuscated data structure, a path taken at the particular branch and the parameters associated with the branch and later an auditor can determine whether the path taken was valid, and if the path taken was invalid, operations can be performed to protect the program, system and/or user.
    Type: Grant
    Filed: January 14, 2013
    Date of Patent: June 2, 2015
    Assignee: Apple Inc.
    Inventors: Cedric Tessier, Daniel Reynaud, Jean-Baptiste Aviat, Jonathan Gregory McLachlan, Julien Lerouge, Pierre Betouin
  • Publication number: 20140344924
    Abstract: An obfuscated program can be configured to resist attacks in which an attacker directly calls a non-entry function by verifying that an execution path to the function is an authorized execution path. To detect an unauthorized execution order, a secret value is embedded in each function along an authorized execution path. At runtime, the secrets are combined to generate a runtime representation of the execution path, and the runtime representation is verified against an expected value. To perform the verification, a verification polynomial is evaluated using the runtime representation as input. A verification value result of zero means the execution path is an authorized execution path.
    Type: Application
    Filed: May 14, 2013
    Publication date: November 20, 2014
    Applicant: Apple Inc.
    Inventors: Jon McLachlan, Julien Lerouge, Daniel F. Reynaud, Eric D. Laspe