Abstract: The technology disclosed herein enables a computing device to use a trusted execution environment to retrieve protected content from mutually-untrusted devices. An example method may include: establishing, by a processor, a trusted execution environment in a computing device, wherein the trusted execution environment uses memory encryption and comprises executable code; providing, by the processor, attestation data to a set of computing devices, the attestation data representing the executable code in the trusted execution environment; receiving, by the processor, cryptographic key data from the set of computing devices; and causing, by the processor, the executable code to execute in the trusted execution environment and to initiate an operation using the cryptographic key data.

Abstract: The technology disclosed herein enables a computing device to use a trusted execution environment in an untrusted mobile device to distribute protected content to computing devices at different locations. An example method may include: establishing, by a processor of a mobile device, a trusted execution environment in the mobile device, wherein the trusted execution environment uses memory encryption; loading data of a computing device into the trusted execution environment in the mobile device, wherein the data comprises protected content and comprises executable code to control access to the protected content; receiving, by the mobile device, authentication data from a set of computing devices; and executing, by the mobile device, the executable code in the trusted execution environment to analyze the authentication data and to provide one or more of the computing devices of the set with access to the protected content.

Abstract: The technology disclosed herein provides network bound encryption that enables a trusted execution environment to persistently store and access recovery data without persistently storing the decryption key. An example method may include: transmitting combined key data that is based on a cryptographic key data of a second computing device to a third computing device; deriving a cryptographic key from combined key data received from the third computing device, the received combined key data being based on the cryptographic key data of the second computing device and cryptographic key data of the third computing device; and causing the trusted execution environment to use the cryptographic key to access sensitive data on a persistent storage device.

Abstract: The technology disclosed herein provides a cryptographic key wrapping system for verifying device capabilities. An example method may include: accessing, by a processing device, a wrapped key that encodes a cryptographic key; executing, by the processing device in a trusted execution environment, instructions to derive the cryptographic key in view of the wrapped key, wherein the executing to derive the cryptographic key comprises a task that consumes computing resources for a duration of time; using the cryptographic key to access program data; executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time; and transmitting a message comprising an indication of the evaluated condition.

Abstract: A method for providing randomized encryption for file blocks including receiving a plurality of file blocks, selecting at least one encryption scheme for the plurality of file blocks, determining a first encryption order for the plurality of file blocks, encrypting, at a first time, the plurality of file blocks with the at least one encryption scheme in the first encryption order to produce a first plurality of encrypted file blocks, determining a second encryption order for the plurality of file blocks, the second encryption order being different from the first encryption order, and encrypting, at a second time, the plurality of file blocks with the at least one encryption scheme in the second encryption order to produce a second plurality of encrypted file blocks.

Abstract: The technology disclosed herein enable a consumer to verify the integrity of services running in trusted execution environments. An example method may include: receiving, by a broker device, a request to verify that a service is executing in a trusted execution environment, wherein the request comprises data identifying the service; determining, by the broker device, a computing device that is executing the service; initiating, by the broker device, a remote integrity check of the computing device executing the service; receiving, by the broker device, integrity data of the trusted execution environment of the computing device; and providing, by the broker device, the integrity data to a consumer device associated with the service.

Abstract: Systems and methods for implementing multi-factor system-to-system authentication using secure execution environments. An example method comprises: determining, by a first computing system, using a secure execution environment, a measure of one or more computing processes running on the first computing system; presenting, to a second computing system, a first authentication factor derived from the measure; computing, using the secure execution environment, a second authentication factor derived from at least one of: one or more first data items received from the second computing system, one or more confidential second data items received from one or more third computing systems, or one or more public data items received from one or more fourth computing systems; and presenting the second authentication factor to the second computing system.

Abstract: The technology disclosed herein enables efficient launching of trusted execution environments. An example method can include: receiving, by a first computing device, a request from a second computing device to establish a set of trusted execution environments (TEEs) in the first computing device; establishing a first TEE of the set of TEEs in the first computing device, wherein the trusted execution environment comprises an encrypted memory area and executable code; receiving, by the first TEE, cryptographic key data from the first computing device; establishing, by the first TEE, a second TEE of the set of TEEs in the first computing device, wherein the second TEE comprises a copy of the executable code; providing, by the first TEE, the cryptographic key data to the second TEE; and causing the executable code of the second TEE to communicate with the first computing device using the cryptographic key data.

Abstract: Systems and methods are disclosed for establishing controlled remote access to debug logs. An example method may comprise: receiving, by a first computing device, from a second computing device, an encrypted file comprising a debug log; running, within a trusted execution environment of the first computing device, a log access application; sending, to the second computing device, a request for access to the debug log by the log access application, wherein the request comprises a validation measurement generated by the trusted execution environment with respect to the log access application; receiving, from the second computing device, an access key; and accessing the debug log using the access key.

Abstract: Systems and methods for detecting and handling attacks on processes executing within a trusted execution environment (TEE) are disclosed. In one implementation, a processing device may detect by a first process an event indicating that a first process executing in a TEE of a host computer system is under attack from a second process executing on the host computer system. the processing device may set a flag within a memory region of the TEE indicating that the first process is under attack. The processing device may further perform, in view of an attack response policy associated with the first process, an action responsive to detecting the event.

Abstract: The technology disclosed herein provides network bound encryption that enables a node management device to orchestrate workloads with encrypted data without sharing the decryption key. An example method may include: obtaining an asymmetric key pair comprising a public asymmetric key and a private asymmetric key; establishing a symmetric key using a key establishment service, wherein the symmetric key is established in view of the private asymmetric key of a first computing device and a public asymmetric key of the key establishment service; transmitting sensitive data encrypted using the symmetric key to a persistent storage device accessible to a second computing device; initiating a creation of an execution environment on the second computing device; and providing, by the first computing device, the public asymmetric key and the location data to the second computing device, wherein the location data corresponds to the key establishment service.

Abstract: The technology disclosed herein enables a computing device to use a trusted execution environment in an untrusted device to distribute executable image data (e.g., network bootable image) to a set of one or more computing devices. An example method may include: establishing, by a processor, the trusted execution environment in a first computing device, wherein the trusted execution environment comprises an encrypted memory area; loading executable code into the trusted execution environment, wherein the executable code controls access to protected content and wherein the protected content comprises executable image data; and causing the executable code to execute in the trusted execution environment to analyze data of a second computing device and to provide the second computing device access to the protected content.

Abstract: The technology disclosed herein provides network bound encryption that enables a trusted execution environment to persistently store and access recovery data without persistently storing the decryption key. An example method may include: transmitting combined key data that is based on a cryptographic key data of a second computing device to a third computing device; deriving a cryptographic key from combined key data received from the third computing device, the received combined key data being based on the cryptographic key data of the second computing device and cryptographic key data of the third computing device; and causing the trusted execution environment to use the cryptographic key to access sensitive data on a persistent storage device.

Abstract: Systems and methods providing a processing device to receive, by a software build process executing in a trusted execution environment (TEE) of a first computer system, software source code from a second computer system. The processing device generates a software package by compiling the software source code. The processing device also generates a first signature of the software package and sends the first signature to the second computer system. Responsive to receiving, from the second computer system, a second signature comprising the first signature signed by the second computer system, the processing device further deploys the software package on the first computer system.

Abstract: The technology disclosed herein provides network bound encryption that enables a node management device to orchestrate workloads with encrypted data without sharing the decryption key. An example method may include: obtaining an asymmetric key pair comprising a public asymmetric key and a private asymmetric key; establishing a symmetric key using a key establishment service, wherein the symmetric key is established in view of the private asymmetric key of a first computing device and a public asymmetric key of the key establishment service; transmitting sensitive data encrypted using the symmetric key to a persistent storage device accessible to a second computing device; initiating a creation of an execution environment on the second computing device; and providing, by the first computing device, the public asymmetric key and the location data to the second computing device, wherein the location data corresponds to the key establishment service.

Abstract: A method includes receiving data uploaded to a storage system from a client device and in response to receiving the data, instantiating a serverless function for anonymizing the data uploaded to the storage system. The method further includes retrieving, by the serverless function, an anonymization model to anonymize the data uploaded to the storage system and applying the anonymization model to the data uploaded to the storage system to generate anonymized data.

Abstract: The technology disclosed herein enables efficient launching of trusted execution environments.

Abstract: The technology disclosed herein provides network bound encryption that enables a trusted execution environment to persistently store and access recovery data without persistently storing the decryption key.

Abstract: The technology disclosed herein enable a consumer to verify the integrity of services running in trusted execution environments. An example method may include: receiving, by a broker device, a request to verify that a service is executing in a trusted execution environment, wherein the request comprises data identifying the service; determining, by the broker device, a computing device that is executing the service; initiating, by the broker device, a remote integrity check of the computing device executing the service; receiving, by the broker device, integrity data of the trusted execution environment of the computing device; and providing, by the broker device, the integrity data to a consumer device associated with the service.

Abstract: The technology disclosed herein enable consumer devices to verify the integrity of services running in trusted execution environments. An example method may include: establishing, by a computing device, a trusted execution environment for a service, wherein the trusted execution environment comprises an encrypted storage area; loading, by the computing device, data of the service into the trusted execution environment, wherein the data comprises executable data; detecting, by a computing device, a change of the trusted execution environment that is executing the service; generating, by the computing device, integrity data that represents a state of the trusted execution environment after the change; and transferring, by the computing device, the integrity data to another computing device.