Patents by Inventor Milosch Meriac

Milosch Meriac has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20190036705
    Abstract: A method of authorizing an operation on a remote device with a cryptographic signature verification component, the remote device being operable in a communications network having human-readable messages with message signatures, comprising receiving at an arbitrator an authorization request to perform an operation requiring authorization on the remote device; retrieving from the request an operation identifier and plaintext data; sending a human-readable request with the identifier and the plaintext data to an authorizer; receiving a reply from an authorizer, the reply message comprising at least the plaintext data and a verifiable cryptographic signature identifying the authorizer derived from the request; and on receiving the reply, sending a request to perform the operation to the remote device with an authorization derived from at least the cryptographic signature, the cryptographic signature being suitable for verification by the cryptographic signature verification component on the remote device.
    Type: Application
    Filed: July 2, 2018
    Publication date: January 31, 2019
    Inventors: Milosch Meriac, Brendan James Moran
  • Publication number: 20190012463
    Abstract: A machine-implemented method for controlling a configuration data item in a storage-equipped device having at least two security domains, comprising receiving, by one of the security domains, a configuration data item; storing the configuration data item; providing a security indication for the configuration data item; and when an event indicates untrustworthiness of the data item, invalidating a configuration effect of the stored configuration data item. Further provided is a machine-implemented method for controlling a storage-equipped device as a node in a network of devices, comprising receiving information that a data source or type of a configuration data item is untrusted; analysing metadata for the data source and the configuration data item; populating a knowledge base with analysed metadata; and responsive to the analysed metadata, transmitting security information to the network of devices. A corresponding device and computer program product are also described.
    Type: Application
    Filed: August 1, 2016
    Publication date: January 10, 2019
    Inventors: Geraint LUFF, Thomas GROCUTT, Milosch MERIAC, Jonathan AUSTIN
  • Publication number: 20190007216
    Abstract: Apparatus and methods are described to provision a compute node in a plurality of compute nodes to a requestor, comprising receiving an anonymised access token from a provider of the compute nodes, requesting identities of a subset of compute nodes in the plurality of compute nodes, selecting at least one compute node in the subset of compute nodes, providing the anonymised access token to a secure enclave of the selected at least one compute node, providing an anonymised identity of the requestor to the secure enclave and validating use of the anonymised identity with the access token.
    Type: Application
    Filed: July 2, 2018
    Publication date: January 3, 2019
    Applicant: Arm IP Limited
    Inventor: Milosch MERIAC
  • Publication number: 20180365449
    Abstract: A device comprising: a processing element; a data store, coupled to the processing element, the data store comprising a non-volatile data store having a trusted region for trusted code and an untrusted region for untrusted code; a security component, coupled to the processing element and the data store, wherein the security component is configured to, in response to one of a power event occurring at the device and receiving a trigger signal, send a first signal to the processing element and the data store, and wherein the processing element is configured to execute trusted code in response to the first signal.
    Type: Application
    Filed: December 2, 2016
    Publication date: December 20, 2018
    Applicant: ARM Limited
    Inventors: Milosch MERIAC, Alessandro Angelino
  • Patent number: 10154411
    Abstract: A machine implemented method of authenticating a communication channel between a first device and a second device by providing proof of proximity between both devices, the method comprising: generating, at the first device, an acoustic authentication signal to be received at the second device via a solid body acoustic coupling established between the first device and the second device thereby providing proof of proximity between both devices and so authenticating the communication channel between the first device and the second device.
    Type: Grant
    Filed: March 2, 2017
    Date of Patent: December 11, 2018
    Assignee: ARM IP Limited
    Inventors: Brendan James Moran, Milosch Meriac, Geraint David Luff
  • Patent number: 10129033
    Abstract: A method of accessing a remote resource (4) from a data processing device (2) includes obtaining a first URL corresponding to the remote resource (4), obtaining secret data corresponding to the first URL, using the secret data to generate an obscured URL at the data processing device (2), and accessing the remote resource using the obscured URL. This allows the user of the device (2) to see a first URL which is intelligible and provides useful information about the device, without sharing that information with the network. The obscured URL identifies the actual location of the remote resource and can be an unintelligible stream of digits or letters.
    Type: Grant
    Filed: December 21, 2017
    Date of Patent: November 13, 2018
    Assignee: ARM IP Limited
    Inventors: Geraint David Luff, Milosch Meriac
  • Publication number: 20180324146
    Abstract: Broadly speaking, embodiments of the present technique provide apparatus, systems and methods to enable secure communication between devices. In particular, the present techniques provide an apparatus configured to monitor for a data packet transmitted between a transmitter and a receiver, determine if the data packet is permitted to be transmitted, and act on at least part of the data packet to prevent the receiver from acting on the data packet if it is not permitted to be transmitted. In other words, the present techniques provide/implement security filters in a communication channel between a transmitter and a receiver to reduce the risk that unauthorised data packets are sent to, and implemented by, the receiver device.
    Type: Application
    Filed: November 8, 2016
    Publication date: November 8, 2018
    Applicant: Arm IP Limited
    Inventor: Milosch Meriac
  • Patent number: 10122718
    Abstract: In one example, a method includes obtaining, by a data processing device, first secret data associated with a first user and corresponding to a first location of a remote resource. The method further includes generating, using the first secret data, a first uniform resource locator (URL) usable to obtain the first location, and accessing the first location using the first URL. The method further includes obtaining, in response to transfer of usage rights of the data processing device from the first user to a second user, second secret data associated with the second user and corresponding to a second location of the remote resource. The method further includes generating, using the second secret data, a second URL usable to obtain the second location, and accessing the second location using the second URL. The second location is inaccessible via the first URL. The first location is inaccessible via the second URL.
    Type: Grant
    Filed: August 21, 2015
    Date of Patent: November 6, 2018
    Assignees: ARM IP Limited, ARM Limited
    Inventors: Milosch Meriac, Geraint Luff, William Allen Curtis, Remy Pottier
  • Publication number: 20180314438
    Abstract: Technology for operating a data-source device for assembling a data stream compliant with a data stream constraint. The technology comprises acquiring a plurality of data items by accessing data in a memory and/or transforming data. Prior to completion of the accessing data in a memory, an accessor is selected based on an estimate of access constraint. Prior to completion of the transforming data, a transformer is selected based on an estimate of transformation constraint, wherein the transportation constraint comprises any data acquisition constraint. The access and transformation constraints are dependent upon system state in the data-source system. The data items are positioned in the data stream, and, responsive to achieving compliance with the data stream constraint, the data stream is communicated.
    Type: Application
    Filed: December 23, 2015
    Publication date: November 1, 2018
    Applicant: ARM IP LIMITED
    Inventors: Marcus CHANG, Hugo John Martin VINCENT, Milosch MERIAC
  • Publication number: 20180246714
    Abstract: A machine-implemented method or data processing component for controlling the processing of digital content from plural sources by at least one data processing device comprises receiving at least two digital content manifests at the data processing device; receiving at least one digital content payload at the data processing device; and responsive to the at least two digital content manifests, performing an atomic action using the at least one digital content payload.
    Type: Application
    Filed: August 23, 2016
    Publication date: August 30, 2018
    Applicant: Arm IP Limited
    Inventors: Brendan Moran, Milosch Meriac
  • Publication number: 20180225458
    Abstract: A machine-implemented method is provided for securing a storage-equipped device against introduction of malicious configuration data into configuration data storage, the method comprising steps of receiving by the device, a trusted signal for modification of the configuration of the device; responsive to the receiving, placing the device into a restricted mode of operation and at least one of deactivating a service and rebooting the device, responsive to the placing the device into the restricted mode of operation and the deactivating or rebooting, permitting configuration data entry into a restricted portion of the configuration data storage. A corresponding device and computer program product are also described.
    Type: Application
    Filed: July 7, 2016
    Publication date: August 9, 2018
    Applicant: ARM IP LIMITED
    Inventors: Jonathan AUSTIN, Milosch MERIAC, Thomas GROCUTT, Geraint LUFF
  • Publication number: 20180225188
    Abstract: A first processing component samples and lossily accumulates statistical activity data by generating at least one data bucket by segmenting a memory window in a memory and providing a map of the segmented memory window; sampling to detect activity in the data bucket and surjectively populating the map with statistical activity data; and responsive to a trigger, passing at least part of a population of the map to a second processing component. The second processing component receives and stores the at least part of the population of the surjective map, compares it with at least one previously stored map population; and on detecting anomalous patterning, performs an “anomaly detected” action.
    Type: Application
    Filed: July 29, 2016
    Publication date: August 9, 2018
    Inventors: Milosch MERIAC, Thomas Christopher GROCUTT, Jonathan Michael AUSTIN, Geraint David LUFF
  • Publication number: 20180218150
    Abstract: A data processing apparatus having a first secure area and a second secure area coupled by a monitor is provided. The monitor applies security credentials to processing circuitry transitioning from the first secure area to the second secure area to enable the processing circuitry to perform functions in the second secure area. A call gateway comprising a transition instruction and access parameters stored in a trusted storage device is used by the monitor to determine when to apply the security credentials to the processing circuitry. The access parameters comprise a target function or a memory location.
    Type: Application
    Filed: May 31, 2016
    Publication date: August 2, 2018
    Applicant: Arm IP Limited
    Inventors: Alessandro ANGELINO, Milosch MERIAC
  • Publication number: 20180183889
    Abstract: A method of accessing a remote resource from a data processing device for providing a rich user interface on a client device, the method comprising: pushing, from the data processing device, a first type of data comprising user interface resources to the remote resource; generating, on the data processing device, a second type of data comprising operational data relating to the operation of the data processing device; pushing from the data processing device, the second type of data, to the remote resource.
    Type: Application
    Filed: October 26, 2015
    Publication date: June 28, 2018
    Inventors: Milosch MERIAC, Geraint David LUFF
  • Publication number: 20180136984
    Abstract: A system provided at nodes within a network of nodes enabling the nodes to migrate activities to other nodes within its communication range to provide load balancing across the network. The other nodes having power and processing capabilities and capacity enabling them to undertake the migrated activities.
    Type: Application
    Filed: April 21, 2016
    Publication date: May 17, 2018
    Inventors: Christopher Mark PAOLA, Milosch MERIAC, Remy POTTIER
  • Publication number: 20180115532
    Abstract: A method of accessing a remote resource (4) from a data processing device (2) includes obtaining a first URL corresponding to the remote resource (4), obtaining secret data corresponding to the first URL, using the secret data to generate an obscured URL at the data processing device (2), and accessing the remote resource using the obscured URL. This allows the user of the device (2) to see a first URL which is intelligible and provides useful information about the device, without sharing that information with the network. The obscured URL identifies the actual location of the remote resource and can be an unintelligible stream of digits or letters.
    Type: Application
    Filed: December 21, 2017
    Publication date: April 26, 2018
    Inventors: Geraint David Luff, Milosch Meriac
  • Publication number: 20180048648
    Abstract: A machine implemented method for protecting a target domain and a source domain from unauthorized accesses. The method comprising: identifying an exit call gateway comprising an exit transition instruction and at least one exit access parameter, said exit access parameters restricting exit from said source domain; identifying an entry call gateway corresponding to said exit call gateway, said entry call gateway comprising a transition instruction and at least one entry access parameter, said entry access parameters restricting access to said target domain; determining that said exit access parameters and said entry access parameters are compatible with each other; and performing a context switch from said source domain to said target domain, when said exit access parameters and said entry access parameters are complied with.
    Type: Application
    Filed: July 26, 2017
    Publication date: February 15, 2018
    Inventors: Alessandro Angelino, Milosch Meriac
  • Publication number: 20180039510
    Abstract: The machine implemented method for operating at least one electronic system comprises detecting a pattern of use of plural control parameters in a path through a graph of operational context switches to reach a target operational context; storing a representation of the pattern in association with an indicator identifying the target operational context; responsive to detecting at least one of a request for a switch of operation from a source operational context to the target operational context, a trapping on a resource access, and a detection of a breakpoint, retrieving the representation in accordance with the indicator identifying the target operational context; and responsive to the retrieving, applying at least one control parameter to said at least one electronic system to match the pattern.
    Type: Application
    Filed: July 18, 2017
    Publication date: February 8, 2018
    Inventors: Milosch Meriac, Alessandro Angelino
  • Patent number: 9887970
    Abstract: A method of accessing a remote resource (4) from a data processing device (2) includes obtaining a first URL corresponding to the remote resource (4), obtaining secret data corresponding to the first URL, using the secret data to generate an obscured URL at the data processing device (2), and accessing the remote resource using the obscured URL. This allows the user of the device (2) to see a first URL which is intelligible and provides useful information about the device, without sharing that information with the network. The obscured URL identifies the actual location of the remote resource and can be an unintelligible stream of digits or letters.
    Type: Grant
    Filed: May 13, 2015
    Date of Patent: February 6, 2018
    Assignee: ARM IP LIMITED
    Inventors: Geraint David Luff, Milosch Meriac
  • Publication number: 20180026799
    Abstract: There is disclosed a method of establishing trust between an agent device and a verification apparatus, the method comprising: obtaining, at the agent device, a trust credential, wherein the trust credential relates to an aspect of the agent device and comprises authentication information for identifying at least one party trusted by the verification apparatus and/or device data relating to the agent device; transmitting, from the agent device to the verification apparatus, the trust credential; obtaining, at the verification apparatus, the trust credential; analysing, at the verification apparatus, the trust credential; determining, at the verification apparatus, whether the agent device is trusted based on the analysis; and responsive to determining the agent device is trusted, establishing trust between the agent device and the verification apparatus.
    Type: Application
    Filed: January 25, 2016
    Publication date: January 25, 2018
    Inventors: Remy POTTIER, Amyas Edward Wykes PHILLIPS, Milosch MERIAC