Abstract: A storage device for booting a host computing device includes a first storage memory region having a first storage memory controller, a second storage memory region having a second storage memory controller, and a resilient boot controller. The resilient boot controller is configured to store boot code in the first storage memory region, prevent write access by the host computing device through the first storage memory controller to the first storage memory region, detect a reset of the host computing device through the input/output interface, copy at least a portion of the boot code from the first storage memory region to the second storage memory region, responsive to detection of the reset of the host computing device, and enable read access of the copied boot code by the host computing device through the second storage memory controller of the second storage memory region, responsive to the copy operation.

Abstract: A storage device for booting a host computing device includes a first storage memory region having a first storage memory controller, a second storage memory region having a second storage memory controller, and a resilient boot controller. The resilient boot controller is configured to store boot code in the first storage memory region, prevent write access by the host computing device through the first storage memory controller to the first storage memory region, detect a reset of the host computing device through the input/output interface, copy at least a portion of the boot code from the first storage memory region to the second storage memory region, responsive to detection of the reset of the host computing device, and enable read access of the copied boot code by the host computing device through the second storage memory controller of the second storage memory region, responsive to the copy operation.

Abstract: A storage device for booting a host computing device includes a first storage memory region having a first storage memory controller, a second storage memory region having a second storage memory controller, and a resilient boot controller. The resilient boot controller is configured to store boot code in the first storage memory region, prevent write access by the host computing device through the first storage memory controller to the first storage memory region, detect a reset of the host computing device through the input/output interface, copy at least a portion of the boot code from the first storage memory region to the second storage memory region, responsive to detection of the reset of the host computing device, and enable read access of the copied boot code by the host computing device through the second storage memory controller of the second storage memory region, responsive to the copy operation.

Abstract: A computing device's trusted platform module (TPM) is configured with a cryptographic watchdog timer which forces a device reset if the TPM fails to solve a cryptographic challenge before the expiration of the timer. The computing device's TPM is configured to generate the cryptographic challenge, to which the computing device does not possess the cryptographic token for resolution. While the watchdog timer counts down, the computing device requests a cryptographic token from a remote service to solve the challenge. The remote service transmits the cryptographic token to the computing device so long as the remote service identifies no reason to withhold the token, such as the computing device being infected with malware. The interoperability of the computing device and remote service enables the remote service to exercise control and reset capabilities over the computing device.

Abstract: A storage device for booting a host computing device includes a first storage memory region having a first storage memory controller, a second storage memory region having a second storage memory controller, and a resilient boot controller. The resilient boot controller is configured to store boot code in the first storage memory region, prevent write access by the host computing device through the first storage memory controller to the first storage memory region, detect a reset of the host computing device through the input/output interface, copy at least a portion of the boot code from the first storage memory region to the second storage memory region, responsive to detection of the reset of the host computing device, and enable read access of the copied boot code by the host computing device through the second storage memory controller of the second storage memory region, responsive to the copy operation.

Abstract: A computing device's trusted platform module (TPM) is configured with a cryptographic watchdog timer which forces a device reset if the TPM fails to solve a cryptographic challenge before the expiration of the timer. The computing device's TPM is configured to generate the cryptographic challenge, to which the computing device does not possess the cryptographic token for resolution. While the watchdog timer counts down, the computing device requests a cryptographic token from a remote service to solve the challenge. The remote service transmits the cryptographic token to the computing device so long as the remote service identifies no reason to withhold the token, such as the computing device being infected with malware. The interoperability of the computing device and remote service enables the remote service to exercise control and reset capabilities over the computing device.

Abstract: A process to detect intrusions with an intrusion detection system is disclosed. The intrusion detection system identifies instance types, and each instance type includes an instance. A know compromised instance is identified from the plurality of instances. A link between the plurality instance types is traversed from the compromised instance to discover an additional compromised instance.

Abstract: A process to investigate intrusions with an investigation system is disclosed. The process receives forensic facts from a set of forensic events on a system or network. A suspicious fact is identified from the forensic facts. A related fact from the forensic facts is identified based on the suspicious fact.

Abstract: Techniques to secure computation data in a computing environment from untrusted code. These techniques involve an isolated environment within the computing environment and an application programming interface (API) component to execute a key exchange protocol that ensures data integrity and data confidentiality for data communicated out of the isolated environment. The isolated environment includes an isolated memory region to store a code package. The key exchange protocol further involves a verification process for the code package stored in the isolated environment to determine whether the one or more exchanged encryption keys have been compromised. If the signature successfully authenticates the one or more keys, a secure communication channel is established to the isolated environment and access to the code package's functionality is enabled. Other embodiments are described and claimed.

Abstract: Techniques to secure computation data in a computing environment from untrusted code. These techniques involve an isolated environment within the computing environment and an application programming interface (API) component to execute a key exchange protocol that ensures data integrity and data confidentiality for data communicated out of the isolated environment. The isolated environment includes an isolated memory region to store a code package. The key exchange protocol further involves a verification process for the code package stored in the isolated environment to determine whether the one or more exchanged encryption keys have been compromised. If the signature successfully authenticates the one or more keys, a secure communication channel is established to the isolated environment and access to the code package's functionality is enabled. Other embodiments are described and claimed.

Abstract: A process to investigate intrusions with an investigation system is disclosed. The process receives forensic facts from a set of forensic events on a system or network. A suspicious fact is identified from the forensic facts. A related fact from the forensic facts is identified based on the suspicious fact.

Abstract: The various embodiments described below are directed to providing authenticated and confidential messaging from software executing on a host (e.g. a secure software application or security kernel) to and from I/O devices operating on a USB bus. The embodiments can protect against attacks that are levied by software executing on a host computer. In some embodiments, a secure functional component or module is provided and can use encryption techniques to provide protection against observation and manipulation of USB data. In other embodiments, USB data can be protected through techniques that do not utilized (or are not required to utilize) encryption techniques. In accordance with these embodiments, USB devices can be designated as “secure” and, hence, data sent over the USB to and from such designated devices can be provided into protected memory. Memory indirection techniques can be utilized to ensure that data to and from secure devices is protected.

Abstract: A process to detect intrusions with an intrusion detection system is disclosed. The intrusion detection system identifies instance types, and each instance type includes an instance. A know compromised instance is identified from the plurality of instances. A link between the plurality instance types is traversed from the compromised instance to discover an additional compromised instance.

Abstract: Techniques to secure computation data in a computing environment from untrusted code. These techniques involve an isolated environment within the computing environment and an application programming interface (API) component to execute a key exchange protocol that ensures data integrity and data confidentiality for data communicated out of the isolated environment. The isolated environment includes an isolated memory region to store a code package. The key exchange protocol further involves a verification process for the code package stored in the isolated environment to determine whether the one or more exchanged encryption keys have been compromised. If the signature successfully authenticates the one or more keys, a secure communication channel is established to the isolated environment and access to the code package's functionality is enabled. Other embodiments are described and claimed.

Abstract: The subject disclosure is directed towards securing network data traffic through a trusted partition of the computing environment. A proxy service may communicate transaction data from a client to security-critical code within the trusted partition, which compares the transaction data to a security policy from a commercial electronic entity. If the transaction data includes malicious content, a security component framework of the trusted partition may reject the transaction data and terminate communications with the client. If the transaction data does not include malicious content, the security component framework may communicate a secured version of the transaction data and retrieve response data from the commercial electronic entity, which may be further communicated back to the client.

Abstract: Methods for enforcing confidentiality and integrity of code and data while running the code over the data in a distributed computing system are described. In an embodiment each machine which processes data within the system provides a secure sub-system which is protected from other parts of the machine and which receives encrypted data and encrypted code, processes the data using the received code and outputs encrypted data. When establishing the secure sub-systems, keys are exchanged between the client and secure sub-systems and the secure sub-systems provide an attestation confirming the identity of the code running in the secure sub-systems and confirming that the code is running on genuine secure sub-systems. In another embodiment a data-flow computation system is described in which chunks of input data, each comprising an identifier, are authenticated/encrypted. The identifiers are used within the system to confirm that each chunk is processed exactly once.

Abstract: Aspects of the subject disclosure are directed towards detecting instances within a web application where code and data are not separated, e.g., inline code in the application. One or more implementations automatically transform the web application into a transformed version where code and data are clearly separated, e.g., inline code is moved into external files. The transformation protects against a large class of cross-site scripting attacks.

Abstract: Techniques to secure computation data in a computing environment from untrusted code. These techniques involve an isolated environment within the computing environment and an application programming interface (API) component to execute a key exchange protocol that ensures data integrity and data confidentiality for data communicated out of the isolated environment. The isolated environment includes an isolated memory region to store a code package. The key exchange protocol further involves a verification process for the code package stored in the isolated environment to determine whether the one or more exchanged encryption keys have been compromised. If the signature successfully authenticates the one or more keys, a secure communication channel is established to the isolated environment and access to the code package's functionality is enabled. Other embodiments are described and claimed.

Abstract: The described implementations relate to computer memory. One implementation provides a technique that can include providing stealth memory to an application. The stealth memory can have an associated physical address on a memory device. The technique can also include identifying a cache line of a cache that is mapped to the physical address associated with the stealth page, and locking one or more other physical addresses on the memory device that also map to the cache line.

Abstract: Implementations for providing a persistent secure execution environment with a hosted computer are described. A host operating system of a computing system provides an encrypted checkpoint to a persistence module that executes in a secure execution environment of a hardware-protected memory area initialized by a security-enabled processor. The encrypted checkpoint is derived at least partly from another secure execution environment that is cryptographically certifiable as including another hardware-protected memory area established in an activation state to refrain from executing software not trusted by the client system.