Patents by Inventor Mark Russinovich

Mark Russinovich has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230214535
    Abstract: The disclosed technology is generally directed to network security for processors. In one example of the technology, a computing device includes: a processor, a memory, and a network interface. The computing device executes a first binary within a first region of the memory, executes a separate second binary within a second region of the memory, and prevents the second binary from accessing the first region of the memory. The first binary implements a kernel configured to control the network interface, while the separate second binary implements a network stack that is restricted to communicate only with an identified set of trusted servers.
    Type: Application
    Filed: March 13, 2023
    Publication date: July 6, 2023
    Inventors: Mark RUSSINOVICH, Galen Clyde HUNT
  • Patent number: 11625505
    Abstract: The disclosed technology is generally directed to network security for processors. In one example of the technology, a device includes: hardware, including a network interface; a memory; and a processor. The memory is adapted to store run-time data for the device. The memory includes at least a first memory region and a second memory region. The processor is adapted to execute processor-executable code including a first binary in the first memory region and a second binary in the second memory region. The first binary includes at least one application and a kernel. The kernel is configured to control the hardware. The second binary is configured to operate, upon execution, as a network stack. The device is configured such that the first memory region is protected such that the first memory region is inaccessible to the second binary.
    Type: Grant
    Filed: August 19, 2019
    Date of Patent: April 11, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mark Russinovich, Galen Clyde Hunt
  • Patent number: 11470118
    Abstract: The disclosed technology is generally directed to network security for processors. In one example of the technology, a device includes: a memory that is adapted to store run-time data for the device, and a processor. The processor is adapted to execute processor-executable code including a first binary that includes at least one application and a kernel, and a second binary. The second binary is configured to perform networking functions exclusively, including networking functions of one or more of layers three through seven of the Open Systems Interconnection (OSI) model.
    Type: Grant
    Filed: November 1, 2019
    Date of Patent: October 11, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mark Russinovich, Galen Clyde Hunt
  • Patent number: 11218457
    Abstract: The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a first node is endorsed. During endorsement of a first node, a pre-determined type of blockchain or other security protocol code to be authorized and a pre-determined membership list are stored in a trusted execution environment (TEE) of the first node. A determination is made as to whether the membership lists and pre-determined blockchain or other security protocol code to be authorized from the proposed members match. If so, TEE attestation is used to verify that nodes associated with prospective members of the consortium store the pre-determined type of blockchain or other security protocol code to be authorized. Upon TEE attestation being successful, a consortium network is bootstrapped such that the prospective members become members of the consortium network.
    Type: Grant
    Filed: November 17, 2019
    Date of Patent: January 4, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mark Russinovich, Manuel Costa, Matthew Kerner, Thomas Moscibroda
  • Publication number: 20210136111
    Abstract: The disclosed technology is generally directed to network security for processors. In one example of the technology, a device includes: a memory that is adapted to store run-time data for the device, and a processor. The processor is adapted to execute processor-executable code including a first binary that includes at least one application and a kernel, and a second binary. The second binary is configured to perform networking functions exclusively, including networking functions of one or more of layers three through seven of the Open Systems Interconnection (OSI) model.
    Type: Application
    Filed: November 1, 2019
    Publication date: May 6, 2021
    Inventors: Mark RUSSINOVICH, Galen Clyde Hunt
  • Publication number: 20210056236
    Abstract: The disclosed technology is generally directed to network security for processors. In one example of the technology, a device includes: hardware, including a network interface; a memory; and a processor. The memory is adapted to store run-time data for the device. The memory includes at least a first memory region and a second memory region. The processor is adapted to execute processor-executable code including a first binary in the first memory region and a second binary in the second memory region. The first binary includes at least one application and a kernel. The kernel is configured to control the hardware. The second binary is configured to operate, upon execution, as a network stack. The device is configured such that the first memory region is protected such that the first memory region is inaccessible to the second binary.
    Type: Application
    Filed: August 19, 2019
    Publication date: February 25, 2021
    Inventors: Mark RUSSINOVICH, Galen Clyde HUNT
  • Patent number: 10877787
    Abstract: Embodiments of the present invention relate to systems, methods, and computer storage media for concurrently maintaining a spanned virtual hard drive across two or more computer-storage media and a non-spanned virtual hard drive on one of the computer-storage media. The method includes storing data of the spanned virtual hard drive across the computer-storage media utilizing volume spanning. While the spanned virtual hard drive is maintained on the computer storage media, the method includes storing data of the non-spanned virtual hard drive on one of the computer-storage media.
    Type: Grant
    Filed: December 26, 2017
    Date of Patent: December 29, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mark Russinovich, Naga Govindaraju
  • Patent number: 10768920
    Abstract: Software updates within one or more regions of a multi-tenant cloud are coordinated. Tenant vs. tenant conflicts, tenant vs. infrastructure provider conflicts, and conflicts between security and another priority are identified and resolved using a shared update coordinator, update priority specifications, and availability specifications. An infrastructure update request may be presented to tenants for approval. Postponed infrastructure updates may be prioritized higher. Preventing exploits of zero-day vulnerabilities may be prioritized over meeting availability targets. Updates may be merged to reduce downtime, even when the updates originate from independently controlled entities. Maximum downtime, minimum fault domains, minimum virtual machines, permitted update start times, and other availability criteria may be specified. Updates may be preempted, or allowed to complete, based on their relative priorities.
    Type: Grant
    Filed: June 15, 2016
    Date of Patent: September 8, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Marcus Fontoura, Mark Russinovich, Yunus Mohammed, Pritesh Patwa, Avnish Kumar Chhabra, Ziv Rafalovich
  • Patent number: 10764259
    Abstract: The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a pre-determined type of blockchain or other security protocol code is stored in a trusted execution environment (TEE) of the processor. TEE attestation is used to verify that the blockchain or other security protocol code stored in the TEE is the pre-determined type of blockchain or other security protocol code. A blockchain or other transaction is received and processed. Based on the processing of the transaction, an official state of the transaction on a consortium network is directly updated for the network. The updated official state of the processed transaction is broadcasted to the consortium network.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: September 1, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mark Russinovich, Manuel Costa, Matthew Kerner, Thomas Moscibroda
  • Patent number: 10664348
    Abstract: Technologies for managing fault recovery in a cloud computing environment may be used after faults of various sizes, including faults which put total functioning capacity below subscribed capacity. Computing services have repair priorities. A fault recovery manager selects a higher priority service whose capacity is below a minimum availability, and chooses a lower priority service still above its minimal availability, and reassigns capacity from the lower priority service to the higher priority service without depriving the lower priority service of operability. Capacity reassignment continues at least until the higher priority service is at or above minimal availability, or the lower priority service is at minimal availability. Lower priority services may also be terminated entirely to free up resources for higher priority services. New deployments may be prevented until all services are at or above minimal availability. Spare capacity may be reserved against demand fluctuations or further faults.
    Type: Grant
    Filed: July 28, 2018
    Date of Patent: May 26, 2020
    Assignee: Microsoft Technology Licensing LLC
    Inventors: James E. Johnson, Mark Russinovich
  • Publication number: 20200117730
    Abstract: A database management system (DBMS) comprises one or more transaction processing engines (such as SQL engines) configured to execute a series of database transactions, each being executed according to one or more commands received in at least one transaction execution message so as to cause a change of state of the database from a previous state to a new state. The DBMS is configured to generate a series of transaction log records and provide the series of transaction log records to a blockchain network for storing in a blockchain secured by the blockchain network. Each transaction log record corresponds to one of the database transactions and comprises (i) the one or more commands according to which it was executed and (ii) results of its execution. The series of transaction log records constitutes an immutable audit log from which the database is fully recoverable for auditing purposes.
    Type: Application
    Filed: October 16, 2018
    Publication date: April 16, 2020
    Inventors: Kapil VASWANI, Manuel COSTA, Mark RUSSINOVICH
  • Patent number: 10592873
    Abstract: The disclosed technology is generally directed to blockchain technology. In one example of the technology, a modified block is provided in response to at least an edit transaction that indicates a transaction in an original block in a blockchain. The modified block includes: transactions of the original block except the indicated transaction, a hash of the indicated transaction, and a header that includes a link to a hash of a block that precedes the original block. A new block is provided. The new block includes a reference associated with the edit transaction, and the reference may include a link to the modified block. The original block may be caused to be deleted.
    Type: Grant
    Filed: May 21, 2018
    Date of Patent: March 17, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Mark Russinovich
  • Publication number: 20200084189
    Abstract: The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a first node is endorsed. During endorsement of a first node, a pre-determined type of blockchain or other security protocol code to be authorized and a pre-determined membership list are stored in a trusted execution environment (TEE) of the first node. A determination is made as to whether the membership lists and pre-determined blockchain or other security protocol code to be authorized from the proposed members match. If so, TEE attestation is used to verify that nodes associated with prospective members of the consortium store the pre-determined type of blockchain or other security protocol code to be authorized. Upon TEE attestation being successful, a consortium network is bootstrapped such that the prospective members become members of the consortium network.
    Type: Application
    Filed: November 17, 2019
    Publication date: March 12, 2020
    Inventors: Mark RUSSINOVICH, Manuel COSTA, Matthew KERNER, Thomas MOSCIBRODA
  • Publication number: 20190354944
    Abstract: The disclosed technology is generally directed to blockchain technology. In one example of the technology, a modified block is provided in response to at least an edit transaction that indicates a transaction in an original block in a blockchain. The modified block includes: transactions of the original block except the indicated transaction, a hash of the indicated transaction, and a header that includes a link to a hash of a block that precedes the original block. A new block is provided. The new block includes a reference associated with the edit transaction, and the reference may include a link to the modified block. The original block may be caused to be deleted.
    Type: Application
    Filed: May 21, 2018
    Publication date: November 21, 2019
    Inventor: Mark RUSSINOVICH
  • Patent number: 10484346
    Abstract: The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a first node is endorsed. During endorsement of a first node, a pre-determined type of blockchain or other security protocol code to be authorized and a pre-determined membership list are stored in a trusted execution environment (TEE) of the first node. A determination is made as to whether the membership lists and pre-determined blockchain or other security protocol code to be authorized from the proposed members match. If so, TEE attestation is used to verify that nodes associated with prospective members of the consortium store the pre-determined type of blockchain or other security protocol code to be authorized. Upon TEE attestation being successful, a consortium network is bootstrapped such that the prospective members become members of the consortium network.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: November 19, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mark Russinovich, Manuel Costa, Matthew Kerner, Thomas Moscibroda
  • Publication number: 20190004835
    Abstract: Embodiments of the present invention relate to systems, methods, and computer storage media for concurrently maintaining a spanned virtual hard drive across two or more computer-storage media and a non-spanned virtual hard drive on one of the computer-storage media. The method includes storing data of the spanned virtual hard drive across the computer-storage media utilizing volume spanning. While the spanned virtual hard drive is maintained on the computer storage media, the method includes storing data of the non-spanned virtual hard drive on one of the computer-storage media.
    Type: Application
    Filed: December 26, 2017
    Publication date: January 3, 2019
    Inventors: MARK RUSSINOVICH, NAGA GOVINDARAJU
  • Publication number: 20180365108
    Abstract: Technologies for managing fault recovery in a cloud computing environment may be used after faults of various sizes, including faults which put total functioning capacity below subscribed capacity. Computing services have repair priorities. A fault recovery manager selects a higher priority service whose capacity is below a minimum availability, and chooses a lower priority service still above its minimal availability, and reassigns capacity from the lower priority service to the higher priority service without depriving the lower priority service of operability. Capacity reassignment continues at least until the higher priority service is at or above minimal availability, or the lower priority service is at minimal availability. Lower priority services may also be terminated entirely to free up resources for higher priority services. New deployments may be prevented until all services are at or above minimal availability. Spare capacity may be reserved against demand fluctuations or further faults.
    Type: Application
    Filed: July 28, 2018
    Publication date: December 20, 2018
    Inventors: James E. JOHNSON, Mark RUSSINOVICH
  • Patent number: 10153941
    Abstract: Certain embodiments of computing systems, devices, components, modules, routines, and processes for implementing distributed operational control in a computing fabric are described herein. In one embodiment, a method includes receiving, at a control cluster, a tenant request for a cloud-based computing service at the computing system. The method also includes creating an application configured to provide the requested cloud-based computing service based on the tenant request and pushing configuration data of the created application to the execution cluster to be executed at the execution cluster without further intervention from the control cluster.
    Type: Grant
    Filed: May 17, 2016
    Date of Patent: December 11, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David Dion, James Johnson, Marcus Fontoura, Milan Vukosavljevic, Mark Russinovich, Gopal Kakivaya
  • Patent number: 10061652
    Abstract: Technologies for managing fault recovery in a cloud computing environment may be used after faults of various sizes, including faults which put total functioning capacity below subscribed capacity. Computing services have repair priorities. A fault recovery manager selects a higher priority service whose capacity is below a minimum availability, and chooses a lower priority service still above its minimal availability, and reassigns capacity from the lower priority service to the higher priority service without depriving the lower priority service of operability. Capacity reassignment continues at least until the higher priority service is at or above minimal availability, or the lower priority service is at minimal availability. Lower priority services may also be terminated entirely to free up resources for higher priority services. New deployments may be prevented until all services are at or above minimal availability. Spare capacity may be reserved against demand fluctuations or further faults.
    Type: Grant
    Filed: July 26, 2016
    Date of Patent: August 28, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: James E. Johnson, Mark Russinovich
  • Publication number: 20180225661
    Abstract: The disclosed technology is generally directed to blockchain and other authentication technology. In one example of the technology, a pre-determined type of blockchain or other authentication protocol code and a pre-determined type of consensus code are stored in a trusted execution environment (TEE) of a processor. In some examples, TEE attestation is used to verify that the blockchain or other authentication protocol code stored in the TEE is the pre-determined type of blockchain or other authentication protocol code, and to verify that the consensus code stored in the TEE is the pre-determined type of consensus code. A request to alter the pre-determined type of blockchain or other authentication protocol code may be received. A determination may be made as to whether to change the pre-determined type of blockchain or other authentication protocol code based on the pre-determined consensus code.
    Type: Application
    Filed: June 29, 2017
    Publication date: August 9, 2018
    Inventors: Mark RUSSINOVICH, Manuel COSTA, Matthew KERNER, Thomas MOSCIBRODA