Abstract: The technology disclosed herein enables consumer devices to verify the integrity of services running in trusted execution environments. An example method may include: acquiring, by a broker device, integrity data of a first trusted execution environment of a first computing device and integrity data of a second trusted execution environment of a second computing device, wherein the first trusted execution environment executes a first service and the second trusted execution environment executes a second service; storing the integrity data of the first trusted execution environment and the integrity data of the second trusted execution environment in a data storage device as stored integrity data; correlating integrity data of the first trusted execution environment with the first service and the integrity data of the second trusted execution environment with the second service; and providing, by the broker device, the stored integrity data to a plurality of consumer devices.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: accessing a wrapped key and a cryptographic attribute for the wrapped key from an encrypted memory region, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the deriving consumes computing resources for a duration of time; using the cryptographic key to access program data; and executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time.

Abstract: The technology disclosed herein enables a first computing process to execute within a trusted execution environment to protect its data from other processes while selectively enabling a second computing process (e.g., a kernel process) to inspect data for compliance. An example method may include: establishing, by a processor, a trusted execution area for the first computing process, wherein the trusted execution area comprises an encrypted storage area; copying data of the first computing process into the trusted execution area, wherein the data comprises executable data or non-executable data; enabling the second computing process to access the copy of the data of the first computing process; and executing, by the processor, the first computing process using the trusted execution area.

Abstract: Systems and methods providing a processing device to receive, by a software build process executing in a trusted execution environment (TEE) of a first computer system, software source code from a second computer system. The processing device generates a software package by compiling the software source code. The processing device also generates a first signature of the software package and sends the first signature to the second computer system. Responsive to receiving, from the second computer system, a second signature comprising the first signature signed by the second computer system, the processing device further deploys the software package on the first computer system.

Abstract: Systems and methods providing a processing device to receive, by a software build process executing in a trusted execution environment (TEE) of a first computer system, software source code from a second computer system. The processing device generates a software package by compiling the software source code. The processing device also receives, from the second computer system, a signing key associated with the second computer system. The processing device further signs the software package using the signing key associated with the second computer system. The processing device then deploys the signed software package on the first computer system.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system for restricting data execution based on device capabilities. An example method may include: accessing a wrapped key and a cryptographic attribute for the wrapped key, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute; using the cryptographic key to access program data; and executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that cryptographically controls access to data. An example method may include: selecting a set of cryptographic attributes in view of a characteristic of a computing device; obtaining, by a processing device, a cryptographic key; encrypting, by the processing device, the cryptographic key in view of the set of cryptographic attributes to produce a wrapped key; and providing the wrapped key and at least one of the cryptographic attributes to the computing device, wherein the at least one cryptographic attribute facilitates deriving the cryptographic key from the wrapped key.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that uses integrated key fragments to cryptographically control access to data. An example method may include encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; determining a plurality of key fragments of a second cryptographic key, wherein the second cryptographic key is for decrypting the wrapped key and at least one of the plurality of key fragments is derived using one of the key fragments as input; selecting a set of cryptographic attributes for deriving the plurality of key fragments, wherein the set of cryptographic attributes are selected in view of a characteristic of the computing device; and providing the wrapped key and the set of cryptographic attributes to the computing device, the set of cryptographic attributes facilitating determination of the second cryptographic key.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that uses key fragments to cryptographically control access to data. An example method may include: encrypting a first cryptographic key to produce a wrapped key, wherein the first cryptographic key enables a computing device to access content; splitting a second cryptographic key into a plurality of key fragments, wherein the second cryptographic key is for decrypting the wrapped key; selecting a set of cryptographic attributes for deriving at least one of the plurality of key fragments, wherein the set of cryptographic attributes are selected in view of a characteristic of the computing device; and providing the wrapped key and the set of cryptographic attributes to the computing device, the set of cryptographic attributes facilitating determination of the second cryptographic key.

Abstract: The technology disclosed herein provides a cryptographic key wrapping system for verifying device capabilities. An example method may include: accessing, by a processing device, a wrapped key that encodes a cryptographic key; executing, by the processing device in a trusted execution environment, instructions to derive the cryptographic key in view of the wrapped key, wherein the executing to derive the cryptographic key comprises a task that consumes computing resources for a duration of time; using the cryptographic key to access program data; executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time; and transmitting a message comprising an indication of the evaluated condition.

Abstract: Systems and methods for detecting and handling attacks on processes executing within a trusted execution environment (TEE) are disclosed. In one implementation, a processing device may detect by a first process an event indicating that a first process executing in a TEE of a host computer system is under attack from a second process executing on the host computer system. the processing device may set a flag within a memory region of the TEE indicating that the first process is under attack. The processing device may further perform, in view of an attack response policy associated with the first process, an action responsive to detecting the event.

Abstract: The technology disclosed herein enables efficient launching of trusted execution environments. An example method can include: receiving, by a first computing device, a request from a second computing device to establish a set of trusted execution environments (TEEs) in the first computing device; establishing a first TEE of the set of TEEs in the first computing device, wherein the trusted execution environment comprises an encrypted memory area and executable code; receiving, by the first TEE, cryptographic key data from the first computing device; establishing, by the first TEE, a second TEE of the set of TEEs in the first computing device, wherein the second TEE comprises a copy of the executable code; providing, by the first TEE, the cryptographic key data to the second TEE; and causing the executable code of the second TEE to communicate with the first computing device using the cryptographic key data.

Abstract: The technology disclosed herein enables resource sharing for trusted execution environments.

Abstract: Systems and methods for implementing trusted clients using secure execution environments. An example method comprises: receiving, by a server, a measurement from a client application running in a secure execution environment implemented by a client computing device; responsive to validating the measurement, transmitting a first confidential data item to the client application running in the secure execution environment; receiving, from the client application running in the secure execution environment, a second confidential data item derived from a local state of the client application modified by the first confidential data item; and updating, in view of the second confidential data item, a local state of a server application.

Abstract: The technology disclosed herein provides an enhanced access control mechanism that uses a proof-of-work key wrapping system to temporally restrict access to data. An example method may include: determining, by a processing device, characteristics of a computing device; accessing a cryptographic key for accessing content; selecting a set of cryptographic attributes for wrapping the cryptographic key, wherein the set of cryptographic attributes are selected to enable the computing device to derive the cryptographic key from a wrapped key in a predetermined duration of time; and providing the wrapped key and an indication of at least one of the cryptographic attributes to the computing device.

Abstract: Methods and systems for detecting and responding to fabricated or unauthorized events received by serverless computing environments are provided. In one embodiment the method is provided that includes receiving an event from an event source external to the serverless computing environment for execution by function. The method may then include creating a message that includes the events and signing the message with an identifier of the event source. The message may then be received at the function and the identifier of the event source may be validated. The event may then be executed with the function of the serverless computing environment if the identifier of the event sources successfully validated. However, if the identifier of the event source is not successfully validated, execution of the event with the function may be prevented.

Abstract: Systems and methods for implementing multi-factor system-to-system authentication using secure execution environments. An example method comprises: determining, by a first computing system, using a secure execution environment, a measure of one or more computing processes running on the first computing system; presenting, to a second computing system, a first authentication factor derived from the measure computing, using the secure execution environment, a second authentication factor derived from at least one of: one or more first data items received from the second computing system, one or more confidential second data items received from one or more third computing systems, or one or more public data items received from one or more fourth computing systems; and presenting the second authentication factor to the second computing system.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that uses key thresholding to cryptographically control data access. An example method may include: accessing a plurality of cryptographic key shares, wherein two or more of the plurality of cryptographic key shares enable access to content; selecting, by a processing device, a set of cryptographic attributes in view of a characteristic of a computing device; encrypting the plurality of cryptographic key shares to produce a plurality of wrapped key shares, wherein at least one of the plurality of cryptographic key shares is encrypted in view of the set of cryptographic attributes; and providing a wrapped key share of the plurality of wrapped key shares and at least one of the cryptographic attributes to the computing device, wherein the at least one cryptographic attribute facilitates deriving an access key from the plurality of wrapped key shares.

Abstract: The technology disclosed herein enables resource sharing for trusted execution environments.

Abstract: Systems and methods for providing secured provisioning of workloads to a trusted execution environment (TEE) using a trusted client agent (TCA) are disclosed. In one implementation, a processing device may receive, at a software TCA residing in a a host computer system of a computing environment, a software provisioning command from an orchestration system of the computing environment, wherein the software provisioning command identifies a workload to be provisioned to a TEE. The processing device may determine a validation measure associated with the workload. Responsive to determining that the validation measure satisfies a predetermined condition, the processing device may perform the software provisioning operation to deploy the workload at the TEE.