Abstract: Systems and methods are disclosed for securely executing user-defined functions within a cloud data platform. A method involves receiving, via hardware processors, a request to execute a user-defined function (UDF) contained within a sandbox process. The UDF comprises code for performing specified operations that necessitate access to external resources. To facilitate this access, a secure egress path is established using an overlay network designed to isolate the UDF's network traffic from other processes. Authentication and authorization details for the UDF are managed externally to the sandbox process, ensuring that the UDF's functionality remains orthogonal to the cloud data platform's operations. This approach enables the secure and controlled execution of UDFs, allowing them to interact with external systems while maintaining the integrity and security of the cloud data platform environment.

Abstract: Methods, systems, and computer programs are presented for enabling any sandboxed user-defined function code to securely access the Internet via a cloud data platform. A remote procedure call is received by a cloud data platform from a user-defined function (UDF) executing within a sandbox process. The UDF includes code related to at least one operation to be performed. The cloud data platform provides an overlay network to establish a secure egress path for UDF external access. The cloud data platform enables the UDF executing in the sandbox process to initiate a network call.

Abstract: The present disclosure relates to a distributed disk image deployment during virtual machine instance creation, and to deploying a virtual machine instances based on disk image locality. On example method includes receiving, at a first computing node, a request to create a virtual machine instance, the request identifying a disk image to be associated with the virtual machine instance; determining a set of computing nodes from which to transfer the disk image on a locality of the first computing node to each computing node in the set of computing nodes, generating a set of requests for a plurality of portions of the disk image, sending at least one request from the set of requests to each computing node in the set of computing nodes; and receiving, from at least one of the set of computing nodes, one or more portions of the disk image.

Abstract: The present disclosure relates to a distributed disk image deployment during virtual machine instance creation, and to deploying a virtual machine instances based on disk image locality. On example method includes receiving a request to create a virtual machine instance identifying a disk image; determining one or more storage devices storing the disk image; determining a distance measurement between each of a plurality of computing nodes and the one or more storage devices storing the disk image; selecting a computing node on which to create the virtual machine instance based on a locality of the computing node to a storage device from the one or more storage devices storing the disk image, the locality including the distance measurement between the computing node and the storage device; and creating the virtual machine instance on the computing node using the disk image from the storage device.

Abstract: Methods, systems, and apparatus, including a method for providing data. The method comprises receiving a first request from a first virtual machine (VM) to store data, obtaining the data and an access control list (ACL) of authorized users, obtaining a data key that has a data key identifier, encrypting the data key and the ACL using a wrapping key to generate a wrapped blob, encrypting the data, storing the wrapped blob and the encrypted data, and providing the data key identifier to users on the ACL. The method further comprises receiving a second request from a second VM to obtain a data snapshot, obtaining an unwrapped blob, obtaining the data key and the ACL from the unwrapped blob, authenticating a user associated with the second request, authorizing the user against the ACL, decrypting the data using the data key, and providing a snapshot of the data to the second VM.

Abstract: Dynamic language checking includes identifying questionable language usage; creating a query in dependence upon the questionable language usage; querying a search engine with the query; receiving from the search engine search result statistics describing the search results for the query; and determining, in dependence upon search results statistics returned by the search engine, whether the questionable language usage is proper language usage.

Abstract: Methods, systems, and apparatus, including a method for providing data. The method comprises receiving a first request from a first virtual machine (VM) to store data, obtaining the data and an access control list (ACL) of authorized users, obtaining a data key that has a data key identifier, encrypting the data key and the ACL using a wrapping key to generate a wrapped blob, encrypting the data, storing the wrapped blob and the encrypted data, and providing the data key identifier to users on the ACL. The method further comprises receiving a second request from a second VM to obtain a data snapshot, obtaining an unwrapped blob, obtaining the data key and the ACL from the unwrapped blob, authenticating a user associated with the second request, authorizing the user against the ACL, decrypting the data using the data key, and providing a snapshot of the data to the second VM.

Abstract: An online key stored by a remote service is generated or otherwise obtained, and a storage media (as it applies to the storage of data on a physical or virtual storage media) master key for encrypting and decrypting a physical or virtual storage media or encrypting and decrypting one or more storage media encryption keys that are used to encrypt a physical or virtual storage media is encrypted based at least in part on the online key. A key protector for the storage media is stored, the key protector including the encrypted master key. The key protector can be subsequently accessed, and the online key obtained from the remote service. The master key is decrypted based on the online key, allowing the one or more storage media encryption keys that are used to decrypt the storage media to be decrypted.

Abstract: Safe deposit boxes, services, and methods for physically secure data storage are provided that include securing a network-enabled computer within a safe deposit box, receiving, in the network-enabled computer, data transmitted from a remote computer coupled for data communications with the network-enabled computer; and storing the data in the memory of the network-enabled computer. Securing a network-enabled computer within a safe deposit box may be carried out by providing a locked safe deposit box having the networked enabled computer stored within. Securing a network-enabled computer within a safe deposit box may be carried out by providing a lockable safe deposit box having the networked enabled computer integrated within.

Abstract: Dynamic language checking includes identifying questionable language usage; creating a query in dependence upon the questionable language usage; querying a search engine with the query; receiving from the search engine search result statistics describing the search results for the query; and determining, in dependence upon search results statistics returned by the search engine, whether the questionable language usage is proper language usage.

Abstract: Methods, systems, and computer program products are disclosed for dynamic language checking. Embodiments include identifying questionable language usage; creating a query in dependence upon the questionable language usage; querying a search engine with the query; receiving from the search engine search result statistics describing the search results for the query; and determining, in dependence upon search results statistics returned by the search engine, whether the questionable language usage is proper language usage.

Abstract: An online key stored by a remote service is generated or otherwise obtained, and a storage media (as it applies to the storage of data on a physical or virtual storage media) master key for encrypting and decrypting a physical or virtual storage media or encrypting and decrypting one or more storage media encryption keys that are used to encrypt a physical or virtual storage media is encrypted based at least in part on the online key. A key protector for the storage media is stored, the key protector including the encrypted master key. The key protector can be subsequently accessed, and the online key obtained from the remote service. The master key is decrypted based on the online key, allowing the one or more storage media encryption keys that are used to decrypt the storage media to be decrypted.

Abstract: Systems, methods and computer program products for generating anonymous assertions. Exemplary embodiments include a method for generating anonymous assertions, the method comprising engaging anonymous role authentication via one or more authenticator services, generating an assertion token on a trusted assertion device that is booted into a trusted configuration, and processing the assertion and validating a right of the user to make the assertion for the event.

Abstract: Systems, methods and computer program products for generating anonymous assertions. Exemplary embodiments include a method for generating anonymous assertions, the method comprising engaging anonymous role authentication via one or more authenticator services, generating an assertion token on a trusted assertion device that is booted into a trusted configuration, and processing the assertion and validating a right of the user to make the assertion for the event.

Abstract: The present invention provides a method and apparatus for conducting a confidential search. The method comprises accessing one or more terms associated with one or more nodes of a network, encrypting the accessed one or more terms and receiving an encrypted search term from a user. The method further comprises comparing the received encrypted search term with at least a portion of the encrypted accessed terms and providing a result of the comparison to the user.

Abstract: Safe deposit boxes, services, and methods for physically secure data storage are provided that include securing a network-enabled computer within a safe deposit box, receiving, in the network-enabled computer, data transmitted from a remote computer coupled for data communications with the network-enabled computer; and storing the data in the memory of the network-enabled computer. Securing a network-enabled computer within a safe deposit box may be carried out by providing a locked safe deposit box having the networked enabled computer stored within. Securing a network-enabled computer within a safe deposit box may be carried out by providing a lockable safe deposit box having the networked enabled computer integrated within.

Abstract: A method for voting in a trusted electronic voting system under the control of an election authority, the method comprising: casting a ballot having ballot information, the ballot information representing votes by a voter; receiving a request to cast the ballot by a voting machine, the voting machine running as a trusted computing platform; tallying the votes in a tally module; displaying the status of the vote tallying on the voting machine.

Abstract: A method for a paper-free, verifiable, electronic voting system, the method comprising the steps of submitting votes by a voter using a direct-recording electronic voting machine, requesting a ballot summary from the direct-recording electronic voting machine, creating a ballot summary in a verification subsystem, displaying the ballot summary by the voting machine, casting a ballot by the voter, tallying votes by the electronic voting system, requesting the ballot summary be saved by the voting machine, saving the ballot summary securely by the verification subsystem, and displaying a cast ballot message on the voting machine.

Abstract: An apparatus for executing a trusted electronic voting system under the control of an election authority comprising: at least one electronic voting machine; an election configuration for the voting machine in the electronic voting system; and a trusted computing platform for the voting machine in the electronic voting system.

Abstract: An apparatus for a paper-free, verifiable, electronic voting system, comprising an electronic voting machine including at least one direct recording electronic device, at least one ballot summary, where each of the ballot summaries representing selections of a voter, at least one ballot verification subsystem that creates, displays, and stores said ballot summaries, at least one ballot summary storage repository for storing said ballot summaries as saved ballot summaries, and an optional network for communication among components of the electronic voting system.