Patents by Inventor Richard H. Boivie

Richard H. Boivie has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20160006703
    Abstract: A processor-implemented method for a secure processing environment for protecting sensitive information is provided. The processor-implemented method may include receiving encrypted data and routing the encrypted data to the secure processing environment. Then the encrypted data may be decrypted and fields containing sensitive information may be found. The method may also include obfuscating the sensitive information and returning, by the secure processing environment, the decrypted data and obfuscated data.
    Type: Application
    Filed: September 15, 2015
    Publication date: January 7, 2016
    Inventors: Richard H. Boivie, Alyson Comer, John C. Dayka, Donna N. Dillenberger, Kenneth A. Goldman, Mohit Kapur, Dimitrios Pendarakis, James A. Ruddy, Peter G. Sutton, Enriquillo Valdez
  • Patent number: 9223965
    Abstract: A method, system, and/or computer program product securely generates and/or manages a virtual card on a mobile device. The mobile device receives a protected application, which initially cannot be accessed by an operating system for execution by a processor. The mobile device also receives a security object, which is used to convert the received protected application into an executable application that can be utilized by the operating system for execution by the processor. The executable application is then executed by the processor to act as a virtual card, which provides a functionality of a predefined physical electronic or magnetic-stripe card.
    Type: Grant
    Filed: December 10, 2013
    Date of Patent: December 29, 2015
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Robert R. Friedlander, James R. Kraemer, Jeb R. Linton
  • Publication number: 20150294095
    Abstract: A smart card comprises: a processing circuit; a memory that contains a protected object; an activity detector that receives a signal that describes a planned activity of a person who is in physical possession of the smart card; and an activity analyzer that evaluates features of the planned activity. In response to the activity analyzer determining that a predefined risk associated with the planned activity exceeds a predetermined value, the activity analyzer: issues an instruction to the person who is in physical possession of the smart card to provide a biomarker to a biosensor that is physically contained within the smart card; and receives, from the biosensor, real-time biometric data for the person who is in physical possession of the smart card.
    Type: Application
    Filed: April 9, 2014
    Publication date: October 15, 2015
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: RICHARD H. BOIVIE, ROBERT R. FRIEDLANDER, JAMES R. KRAEMER, JEB R. LINTON
  • Publication number: 20150169851
    Abstract: A method, system, and/or computer program product enables the secure debugging of a software application. A server receives a secure software application from a client. The secure application is designed to execute within the server, and access to data used by the secure software application is protected by a security object, which allows a processor within the server to access the data used by the secure software application without permitting data to exit unprotected from the processor. The server also receives a secure sidecar debugging application from the client. The secure sidecar debugging application is designed to debug the secure application, but cannot be used by the server. If there is an error in execution of the secure software application within the server, the server transmits the secure software application to the client, where it is debugged using the secure sidecar debugging application.
    Type: Application
    Filed: December 13, 2013
    Publication date: June 18, 2015
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: RICHARD H. BOIVIE, ROBERT R. FRIEDLANDER, JAMES R. KRAEMER, JEB R. LINTON
  • Publication number: 20150161382
    Abstract: A method, system, and/or computer program product securely generates and/or manages a virtual card on a mobile device. The mobile device receives a protected application, which initially cannot be accessed by an operating system for execution by a processor. The mobile device also receives a security object, which is used to convert the received protected application into an executable application that can be utilized by the operating system for execution by the processor. The executable application is then executed by the processor to act as a virtual card, which provides a functionality of a predefined physical electronic or magnetic-stripe card.
    Type: Application
    Filed: December 10, 2013
    Publication date: June 11, 2015
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: RICHARD H. BOIVIE, ROBERT R. FRIEDLANDER, JAMES R. KRAEMER, JEB R. LINTON
  • Publication number: 20150113285
    Abstract: The computer system includes a first memory to store an executable file of a first application platform owner (APO). The executable file includes an owner identification object and an encrypted secure object payload. The computer system includes a key store having one nonvolatile key slot for each of two or more APOs. Each key slot stores one or more keys of a respective APO. The computer system further includes a processor configured upon receiving the executable file to identify a first key slot in the key store corresponding with the owner identification object. The first key slot is associated with the first APO. The processor is configured to determine whether the executable file is authentic using an APO key. Furthermore the processor decrypts the encrypted secure object payload using a first key of the first APO if the executable file is determined to be authentic.
    Type: Application
    Filed: October 18, 2013
    Publication date: April 23, 2015
    Applicant: International Business Machines Corporation
    Inventors: Richard H. Boivie, Vincenzo V. Diluoffo, Jeb R. Linton
  • Publication number: 20150113281
    Abstract: The computer system includes a first memory to store an executable file of a first application platform owner (APO). The executable file includes an owner identification object and an encrypted secure object payload. The computer system includes a key store having one nonvolatile key slot for each of two or more APOs. Each key slot stores one or more keys of a respective APO. The computer system further includes a processor configured upon receiving the executable file to identify a first key slot in the key store corresponding with the owner identification object. The first key slot is associated with the first APO. The processor is configured to determine whether the executable file is authentic using an APO key. Furthermore the processor decrypts the encrypted secure object payload using a first key of the first APO if the executable file is determined to be authentic.
    Type: Application
    Filed: December 20, 2013
    Publication date: April 23, 2015
    Applicant: International Business Machines Corporation
    Inventors: Richard H. Boivie, Vincenzo V. Diluoffo, Jeb R. Linton
  • Publication number: 20150074392
    Abstract: A processor-implemented method for a secure processing environment for protecting sensitive information is provided. The processor-implemented method may include receiving encrypted data and routing the encrypted data to the secure processing environment. Then the encrypted data may be decrypted and fields containing sensitive information may be found. The method may also include obfuscating the sensitive information and returning, by the secure processing environment, the decrypted data and obfuscated data.
    Type: Application
    Filed: September 12, 2013
    Publication date: March 12, 2015
    Applicant: International Business Machines Corporation
    Inventors: Richard H. Boivie, Alyson Comer, John C. Dayka, Donna N. Dillenberger, Kenneth A. Goldman, Mohit Kapur, Dimitrios Pendarakis, James A. Ruddy, Peter G. Sutton, Enriquillo Valdez
  • Publication number: 20150040222
    Abstract: A method, computer program product and system of detecting changes in hardware, software, or programming of a device in a computer system by a computer in the system coupled to the device through a network, without generating alerts or alerting unauthorized users of the detection of the changes.
    Type: Application
    Filed: July 31, 2013
    Publication date: February 5, 2015
    Applicant: International Business Machines Corporation
    Inventors: Richard H. Boivie, Robert R. Friedlander, James R. Kraemer, Jeb Linton
  • Publication number: 20150019876
    Abstract: A method and structure in a computer system, including a mechanism supporting a Secure Object that includes code and data that is cryptographically protected from other software on the computer system.
    Type: Application
    Filed: August 7, 2014
    Publication date: January 15, 2015
    Inventor: Richard H. BOIVIE
  • Patent number: 8850557
    Abstract: Disclosed are a processor and processing method that provide non-hierarchical computer security enhancements for context states. The processor can comprise a context control unit that uses context identifier tags associated with corresponding contexts to control access by the contexts to context information (i.e., context states) contained in the processor's non-stackable and/or stackable registers. For example, in response to an access request, the context control unit can grant a specific context access to a register only when that register is tagged with a specific context identifier tag. If the register is tagged with another context identifier tag, the contents of the specific register are saved in a context save area of memory and the previous context states of the specific context are restored to the specific register before access can be granted.
    Type: Grant
    Filed: February 29, 2012
    Date of Patent: September 30, 2014
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, William E. Hall, Guerney D. H. Hunt, Suzanne K. McIntosh, Mark F. Mergen, Marcel C. Rosu, David R. Safford, David C. Toll, Carl Lynn C. Karger
  • Publication number: 20130283265
    Abstract: A method and structure for a cloud service includes an API (application programming interface) as tangibly embodied in a set of computer-executable instructions and selectively executable on a computer on a network. The API provides a user interface for a cloud environment comprising one or more virtual machines to be selectively instantiated on at least one computer in the network upon a user request. A library is accessible via the API, the library providing definitions of components available to be instantiated in the cloud environment. The API automatically instantiates an image of a virtual network of components, as defined by a user input request and provides at least one cloud portal providing the user an access to exercise the instantiated virtual network image.
    Type: Application
    Filed: April 21, 2012
    Publication date: October 24, 2013
    Applicant: International Business Machines Corporation
    Inventors: Arup ACHARYA, Richard H. Boivie, William Cornejo, Sean Donnellan
  • Patent number: 8332652
    Abstract: A computing device for securely executing authorized code includes a protected memory for storing authorized code, which contains an original digital signature, and a processor in signal communication with the protected memory for preparing to execute code from the protected memory by verifying that a digital signature contained in the code is original in accordance with a public key, and if the original digital signature is verified, then branching to a copy of the authorized code in the protected memory to begin execution.
    Type: Grant
    Filed: October 1, 2003
    Date of Patent: December 11, 2012
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, William Eric Hall
  • Patent number: 7870183
    Abstract: A method for distributing electronic mail efficiently across a network of information processing units and intermediate nodes. The method on an information processing unit includes receiving a mail message created by a user with a list of destinations. Also, the method further includes sending a single copy of the mail message across the network via intermediate nodes to addresses corresponding to the list of destinations using a reliable multicast technique. Also, the invention includes receiving a packet on an intermediate node where the packet contains address information for a list of destinations. Also, the invention includes determining at an intermediate node the “next hop” or “next hops” that the packet should be forwarded to and forwarding a copy of the packet to each of those “next hops”.
    Type: Grant
    Filed: October 25, 2000
    Date of Patent: January 11, 2011
    Assignee: International Business Machines Corporation
    Inventor: Richard H. Boivie
  • Patent number: 7860920
    Abstract: A method, information processing unit, and computer readable storage medium, are provided for distributing data packets efficiently across a packet-based data network of information processing units and intermediate nodes. The method with an information processing unit includes receiving data and identification of destinations on a packet-based data network, the data being associated with the identification of, and destined for reception by, each of the destinations on the packet-based data network. The method sends a single copy of the data across the packet-based data network via intermediate nodes to the destinations using a reliable multicast technique, the single copy of the data being sent contained in one or more multi-cast data packets. Each multi-cast data packet includes a multi-cast indicator and one or more unicast addresses associated with one or more of the destinations on the packet-based data network.
    Type: Grant
    Filed: October 30, 2007
    Date of Patent: December 28, 2010
    Assignee: International Business Machines Corporation
    Inventor: Richard H. Boivie
  • Patent number: 7769839
    Abstract: A method (and structure) for automatically configuring a network including a plurality of interconnected computers, includes configuring more than one of the plurality of computers to assume a role as a designated router which determines a current network configuration by determining which computers are currently on-line, using this determined current network configuration to determine a current network topology that defines a neighborhood relationship among the interconnected computers currently on-line, and communicating the current network topology to the network. The method also includes defining a priority criterion and automatically selecting one of the computers according to the priority criterion to serve the role as designated router.
    Type: Grant
    Filed: June 21, 2002
    Date of Patent: August 3, 2010
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Nancy K. Feldman
  • Patent number: 7580370
    Abstract: A method (and structure) for determining an optimal routing of data packets to subnet addresses in a network including a plurality of routers interrelated by a defined neighborhood relationship, includes, responsive to learning of a presence of a subnet, determining a distance between the subnet and each router.
    Type: Grant
    Filed: June 21, 2002
    Date of Patent: August 25, 2009
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Nancy K. Feldman
  • Publication number: 20090135819
    Abstract: A method, information processing unit, and computer readable storage medium, are provided for distributing data packets efficiently across a packet-based data network of information processing units and intermediate nodes. The method with an information processing unit includes receiving data and identification of destinations on a packet-based data network, the data being associated with the identification of, and destined for reception by, each of the destinations on the packet-based data network. The method sends a single copy of the data across the packet-based data network via intermediate nodes to the destinations using a reliable multicast technique, the single copy of the data being sent contained in one or more multi-cast data packets. Each multi-cast data packet includes a multi-cast indicator and one or more unicast addresses associated with one or more of the destinations on the packet-based data network.
    Type: Application
    Filed: October 30, 2007
    Publication date: May 28, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: RICHARD H. BOIVIE
  • Patent number: 7302705
    Abstract: A backtracking method, program and unit that involves a traceback computer program for tracking a denial-of-service attack on a victim machine, v, back toward the source of the denial-of-service attack. The traceback program determines a set of routers that are upstream neighbors of v and determines which of those neighbors is the principal source of packets flowing to v. After determining the identity of the neighbor node, n, that is the principal source of packets flowing to v, the traceback program continues further upstream from n to determine the upstream neighbor of n that is the principal source of packets to v. After determining this upstream neighbor, the program continues further upstream until the source of the denial-of-service packets is determined.
    Type: Grant
    Filed: August 30, 2000
    Date of Patent: November 27, 2007
    Assignee: International Business Machines Corporation
    Inventor: Richard H. Boivie
  • Patent number: 7254602
    Abstract: A method for distributing web content efficiently across a network of information processing units and intermediate nodes. The method on an information processing unit includes receiving a web content object created by a user that is to be distributed to a set of destinations. Also, the method further includes sending a single copy of the web content object across the network via intermediate nodes to a set of destinations using a reliable multicast technique. Also, the invention includes receiving a packet on an intermediate node where the packet contains address information for a set of destinations. Also, the invention includes determining at an intermediate node the next hop or next hops that the packet should be forwarded to and forwarding a copy of the packet to each of those next hops.
    Type: Grant
    Filed: October 25, 2000
    Date of Patent: August 7, 2007
    Assignee: International Business Machines Corporation
    Inventor: Richard H. Boivie