Abstract: A TEE system that includes a first platform that runs a first TEE, a second platform that runs a second TEE, and a merging unit that is adapted to merge a first output from the first TEE of the first platform, with a second output from the second TEE of the second platform, so as to form an output of the TEE system. The first TEE and the second TEE are based on different implementations. In this way, the security of the system is improved, as a malicious actor even be able to access “t” machines, still would not be able to retrieve the secret unless there are multiple exploitable TEE vulnerabilities on all executing TEE platforms at the same time.

Abstract: A distributed key management system, which contains a server, a plurality of key-holding devices adapted to communicate with the server; and a key-requesting device adapted to communicate with the server. Each one of the plurality of key-holding devices is adapted to hold a different fragment of a private key. The server is adapted to reconstruct the private key based on the fragments received from the plurality of key-holding devices. The key-requesting device is adapted to obtain the private key from the server. The systems according to the invention provide a zero-trust model key management scheme and would eliminate the risk of key leakage to unauthorized person while providing flexibility of authorizing devices.

Abstract: A method includes: identifying, by a runtime instrumentation agent of a web server, a plurality of attack surfaces of a web application executed on the web server; generating, by the runtime instrumentation agent, a plurality of hash values, where each hash value is generated based on one of the plurality of attack surfaces; and transmitting, by the runtime instrumentation agent, the plurality of hash values to an attack server external to the web server, where the attack server is to determine whether to scan each attack surface based on the plurality of hash values.

Abstract: Examples herein disclose via use of a physical processor, detecting a specific application programming interface (API) call to interact with an application running on a production server. Based on the detection of the specific API call, die examples assist, using the physical processor, a scanning session based on the specific API call Using the physical processor, the examples identify a modification to the application based on the scanning session.

Abstract: A TEE system that includes a first platform that runs a first TEE, a second platform that runs a second TEE, and a merging unit that is adapted to merge a first output from the first TEE of the first platform, with a second output from the second TEE of the second platform, so as to form an output of the TEE system. The first TEE and the second TEE are based on different implementations. In this way, the security of the system is improved, as a malicious actor even be able to access “t” machines, still would not be able to retrieve the secret unless there are multiple exploitable TEE vulnerabilities on all executing TEE platforms at the same time.

Abstract: A method for preventing blockchain intrusion includes the steps of detecting a transaction broadcasted to a blockchain network, determining if the transaction is authorized or unauthorized, and taking a prevention action if the transaction is unauthorized. The proposed system and method are not only adapted to detect unauthorized transactions but they can also cancel unauthorized transactions if the system prepare some data/arrangements in advance.

Abstract: In some examples, a method may include detecting a vulnerability in an application during execution on a first computing device. The method may include triggering a breakpoint based on the detecting, thereby pausing the execution of the application before execution of a portion of code that exploits the vulnerability. The method may include communicating a message indicating occurrence of the breakpoint. The method may include receiving a connection request from a second computing device in response to the message. The method may include resuming execution of the application from the breakpoint subject to a signal from the second computing device.

Abstract: Information stored in a Hypertext Transfer Protocol (HTTP) session is monitored. Based on the monitoring, authentication information in the information stored in the HTTP session is identified.

Abstract: In some examples, a system includes a scan execution engine and a scan adaptation engine. The scan execution engine may execute a scan of a web application hosted on a web host. During scan execution, the scan adaptation engine may adapt a subsequent scan portion for later execution based on a scan metric received from a monitoring agent that monitors the web application, the web host, or both.

Abstract: A distributed key management system, which contains a server, a plurality of key-holding devices adapted to communicate with the server; and a key-requesting device adapted to communicate with the server. Each one of the plurality of key-holding devices is adapted to hold a different fragment of a private key. The server is adapted to reconstruct the private key based on the fragments received from the plurality of key-holding devices. The key-requesting device is adapted to obtain the private key from the server. The systems according to the invention provide a zero-trust model key management scheme and would eliminate the risk of key leakage to unauthorized person while providing flexibility of authorizing devices.

Abstract: Examples herein disclose via use of a physical processor, detecting a specific application programming interface (API) call to interact with an application running on a production server. Based on the detection of the specific API call, die examples assist, using the physical processor, a scanning session based on the specific API call Using the physical processor, the examples identify a modification to the application based on the scanning session.

Abstract: Examples disclosed herein relate to modifying a web page. In one example, in response to beginning execution of a process initiating generation of a web page of a web application at a server, a runtime agent is executed. In this example, the runtime agent modifies code of the web page to inject code to protect output of the web page. In the example, the process can be executed using the modified code to generate a modified web page.

Abstract: A method for attack detection includes: intercepting, by a runtime security agent, a request for a web resource; determining whether the intercepted request was triggered from an external website; determining whether the intercepted request was triggered from a current session; determining whether the intercepted request is requesting a static file type; and in response to a determination that the intercepted request was triggered from an external website and was not triggered from a current session, or a determination that the intercepted request was triggered from an external website and is not requesting a static file type, providing, by the runtime security agent, an indication of a potential attack.

Abstract: A method includes: identifying, by a runtime instrumentation agent of a web server, a plurality of attack surfaces of a web application executed on the web server; generating, by the runtime instrumentation agent, a plurality of hash values, where each hash value is generated based on one of the plurality of attack surfaces; and transmitting, by the runtime instrumentation agent, the plurality of hash values to an attack server external to the web server, where the attack server is to determine whether to scan each attack surface based on the plurality of hash values.

Abstract: In some examples, a method may include detecting a vulnerability in an application during execution on a first computing device. The method may include triggering a breakpoint based on the detecting, thereby pausing the execution of the application before execution of a portion of code that exploits the vulnerability. The method may include communicating a message indicating occurrence of the breakpoint. The method may include receiving a connection request from a second computing device in response to the message. The method may include resuming execution of the application from the breakpoint subject to a signal from the second computing device.

Abstract: In some examples, a system includes a scan execution engine and a scan adaptation engine. The scan execution engine may execute a scan of a web application hosted on a web host. During scan execution, the scan adaptation engine may adapt a subsequent scan portion for later execution based on a scan metric received from a monitoring agent that monitors the web application, the web host, or both.

Abstract: A method for attack detection includes: intercepting, by a runtime security agent, a request for a web resource; determining whether the intercepted request was triggered from an external website; determining whether the intercepted request was triggered from a current session; determining whether the intercepted request is requesting a static file type; and in response to a determination that the intercepted request was triggered from an external website and was not triggered from a current session, or a determination that the intercepted request was triggered from an external website and is not requesting a static file type, providing, by the runtime security agent, an indication of a potential attack.

Abstract: Examples disclosed herein relate to modifying a web page. In one example, in response to beginning execution of a process initiating generation of a web page of a web application at a server, a runtime agent is executed. In this example, the runtime agent modifies code of the web page to inject code to protect output of the web page. In the example, the process can be executed using the modified code to generate a modified web page.

Abstract: Examples relate to protection against database injection attacks. The examples disclosed herein enable intercepting a current database query prior to being executed by a database management system (DBMS). The examples disclosed herein further enable determining whether the current database query is suspected of having a security threat of a database injection attack by comparing the current database query with past database queries that have been intercepted prior to the interception of the current database query, and in response to determining that the current database query is not suspected of having the security threat of the database injection attack, storing the current database query in an allowed query list.

Abstract: Information stored in a Hypertext Transfer Protocol (HTTP) session is monitored. Based on the monitoring, authentication information in the information stored in the HTTP session is identified.