Abstract: Devices and methods relating to insulation-free lead wires in compact fluorescent lamps are provided. For example, there is provided a compact fluorescent lamp including at least two lead wires. Each of the lead wires can be connected to a respective cathode of a respective discharge tube. The compact fluorescent lamp further includes a ballast circuit. The lead wires are isolated from one another without any insulation.

Abstract: A client system, such as a computer or a smartphone, securely exchanges sensitive information with a remote service provider computer system such as a bank or an online retailer. The client system executes a commercially available operating system in an untrusted virtual machine (VM), which may be affected by malware. A hypervisor is configured to launch a trusted, malware-free VM from an authenticated image stored on computer-readable media used by the untrusted VM. The trusted VM executes a thin operating system with minimal functionality, to manage a secure communication channel with the remote server system, wherein sensitive communication is encrypted. Data from the trusted VM is forwarded via the hypervisor to a network interface driver of the untrusted VM for transmission to the remote service provider. The service provider may perform a remote attestation of the client system to determine whether it operates a trusted VM.

Abstract: Described systems and methods enable an efficient analysis of security-relevant events, especially in hardware virtualization platforms. In some embodiments, a notification handler detects the occurrence of an event within a virtual machine, and communicates the respective event to security software. The security software then attempts to match the respective event to a collection of behavioral and exception signatures. An exception comprises a set of conditions which, when satisfied by an <event, entity> tuple, indicates that the respective entity is not malicious. In some embodiments, a part of exception matching is performed synchronously (i.e., while execution of the entity that triggered the respective event is suspended), while another part of exception matching is performed asynchronously (i.e., after the triggering entity is allowed to resume execution).

Abstract: Described systems and methods allow a host system, such as a computer or a smartphone, to enable a secure environment, which can be used to carry out secure communications with a remote service provider, for applications such as online banking, e-commerce, private messaging, and online gaming, among others. A hypervisor oversees a switch between an insecure environment and the secure environment, in response to a user input, or in response to an event such as receiving a telephone call. Switching from the insecure to the secure environment comprises transitioning the insecure environment to a sleeping state and loading the secure environment from a memory image (snapshot) saved to disk, after checking the integrity of the snapshot. Switching from the secure to the insecure environment comprises transitioning the secure environment into a sleeping state and waking up the insecure environment.

Abstract: Described systems and methods enable a computer security module to protect a set of guest virtual machines against computer security threats. In some embodiments, the computer security module receives introspection notifications from the protected VM, each such notification indicating that a particular trigger event (e.g., a system call) has occurred during execution of guest software within the respective VM. In some embodiments, delivering a notification comprises suspending execution of guest software and switching the processor to executing a notification handler forming part of the computer security module. In some embodiments, the computer security module may indicate to the processor a selected subset of events which trigger introspection notifications.

Abstract: Described systems and methods enable a computer security module to protect a set of guest virtual machines against computer security threats. In some embodiments, the computer security module receives introspection notifications from the protected VM, each such notification indicating that a particular trigger event (e.g., a system call) has occurred during execution of guest software within the respective VM. In some embodiments, delivering a notification comprises suspending execution of guest software and switching the processor to executing a notification handler forming part of the computer security module. Some embodiments of the present invention introduce a dedicated instruction for delivering introspection notifications. The instruction may be encoded such that it is interpreted as a no-operation instruction (NOP) by legacy processors and/or by processors that do not support hardware virtualization or do not currently execute in hardware virtualization mode.

Abstract: Described systems and methods allow conducting computer security operations, such as detecting malware and spyware, in a bare-metal computer system. In some embodiments, a first processor of a computer system executes the code samples under assessment, whereas a second, distinct processor is used to carry out the assessment and to control various hardware components involved in the assessment. The described computer systems may be used in conjunction with a conventional anti-malware filter to increase throughput and/or the efficacy of malware scanning.

Abstract: Described systems and methods allow protecting a computer system from computer security threats such as malware and spyware. In some embodiments, a security application executes a set of detection routines to determine whether a set of monitored entities (processes, threads, etc.) executing on the computer system comprise malicious software. The detection routines are formulated in bytecode and executed within a bytecode translation virtual machine. Execution of a detection routine comprises translating bytecode instructions of the respective routine into native processor instructions, for instance via interpretation or just-in-time compilation. Execution of the respective routines is triggered selectively, due to the occurrence of specific events within the protected client system. Detection routines may output a set of scores, which may be further used by the security application to determine whether a monitored entity is malicious.

Abstract: Described systems and methods enable a host system to efficiently perform computer security activities, when operating in a hardware virtualization configuration. A hypervisor exposes a virtual machine on the host system. In some embodiments, the hypervisor further configures a processor of the host system to generate a virtualization exception in response to detecting a memory access violation, and to deliver such exceptions to a computer security program operating within the virtual machine. The hypervisor may further set access permissions to a section of memory containing a part of a function targeted for hooking, so that an attempt to execute the respective target function triggers a virtualization exception. Some embodiments thus achieve hooking of the target function without resorting to conventional methods, such as patching, inline hooking, and MSR hooking.

Abstract: Described systems and methods allow an instruction that violates memory access permissions within a virtual machine to execute natively (i.e., within the respective virtual machine), when such execution is deemed acceptable by security software executing at the level of the hypervisor. In some embodiments, the processor is endowed with a register having a set of control fields (e.g., control bits) that regulate permission overrides. Control fields may be accessible to software via a VM state object such as the VMCS on Intel® platforms.

Abstract: Described systems and methods allow conducting computer security operations, such as detecting malware and spyware, in a bare-metal computer system. In some embodiments, a first processor of a computer system executes the code samples under assessment, whereas a second, distinct processor is used to carry out the assessment and to control various hardware components involved in the assessment. Such hardware components include, among others, a memory shadower configured to detect changes to a memory connected to the first processor, and a storage shadower configured to detect an attempt to write to a non-volatile storage device of the computer system.

Abstract: Described systems and methods allow a client system to carry out secure transactions with a remote service-providing server, in applications such as online banking and e-commerce. The server may evaluate each transaction to determine whether the transaction requires security clearance, according to criteria including, among others, a transaction amount, a location of the client system, and/or a history of transactions carried out for the respective user. In some embodiments, when the transaction requires security clearance, the server instructs the client system to switch to executing a secure virtual machine. In some embodiments, most transaction details (e.g., a selection of merchandise, an amount of a bank transfer, a delivery address) are sent to the server from a regular browser application, while a transaction authorization is sent to the server from within the secure virtual machine.

Abstract: Described systems and methods allow protecting a computer system from malware such as viruses, Trojans, and spyware. For each of a plurality of executable entities (such as processes and threads executing on the computer system), a scoring engine records a plurality of evaluation scores, each score determined according to a distinct evaluation criterion. Every time an entity satisfies an evaluation criterion (e.g, performs an action), the respective score of the entity is updated. Updating a score of an entity may trigger score updates of entities related to the respective entity, even when the related entities are terminated, i.e., no longer active. Related entities include, among others, a parent of the respective entity, and/or an entity injecting code into the respective entity. The scoring engine determines whether an entity is malicious according to the plurality of evaluation scores of the respective entity.

Abstract: Described systems and methods allow protecting a client system, such as a computer system or smartphone, from malware. In some embodiments, a network regulator device is used to distribute a bootable image of a hypervisor, on demand, to each of a set of client systems connected to a network. After booting on a client system, the hypervisor loads the local OS and applications into a virtual machine. Integrity measurements of the hypervisor and/or OS are sent to the network regulator for verification. When the network regulator determines that software executing on a client system, such as the hypervisor and/or the OS, are not in a trusted state, the network regulator may block access of the respective client system to the network.

Abstract: Described systems and methods allow protecting a host computer system from malware, such as return-oriented programming (ROP) and jump-oriented programming (JOP) exploits. In some embodiments, a processor of the host system is endowed with two counters configured to store a count of branch instructions and a count of inter-branch instructions, respectively, occurring within a stream of instructions fetched by the processor for execution. Exemplary counted branch instructions include indirect JMP, indirect CALL, and RET on x86 platforms, while inter-branch instructions consist of instructions executed between two consecutive counted branch instructions. The processor may be further configured to generate a processor event, such as an exception, when a value stored in a counter exceeds a predetermined threshold. Such events may be used as triggers for launching a malware analysis to determine whether the host system is subject to a code reuse attack.

Abstract: Described systems and methods enable a host system to efficiently perform computer security activities, when operating in a hardware virtualization configuration. A processor is configured to generate a VM suspend event (e.g., a VM exit or a virtualization exception) when a guest instruction executing within a guest VM performs a memory access violation. In some embodiments, the processor is further configured to delay generating the VM suspend event until the execution stage of the pipeline for the guest instruction is complete, and to save results of the execution stage to a specific location (e.g. a specific processor register readable by security software) before generating the event.

Abstract: Described systems and methods allow computer security software to access a memory of a host system with improved efficiency. A processor and a memory management unit (MMU) of the host system may be configured to perform memory access operations (read/write) in a target memory context, which may differ from the implicit memory context of the currently executing process. In some embodiments, the instruction set of the processor is extended to include new categories of instructions, which, when called from outside a guest virtual machine (VM) exposed by the host system, instruct the processor of the host system to perform memory access directly in a guest context, e.g., in a memory context of a process executing within the guest VM.

Abstract: Described systems and methods enable a host system to efficiently perform computer security activities, when operating in a hardware virtualization configuration. A processor is configured to generate a VM suspend event (e.g., a VM exit or a virtualization exception) when software executing within a guest VM performs a memory access violation. In some embodiments, the processor is further configured to save disassembly data determined for the processor instruction which triggered the VM suspend event to a special location (e.g., a specific processor register) before generating the event. Saved disassembly data may include the contents of individual instruction encoding fields, such as Prefix, Opcode, Mod R/M, SIB, Displacement, and Immediate fields on Intel® platforms.

Abstract: Described systems and methods allow protecting a host system from malicious injection of code and/or data. A memory introspection engine operates below an operating system (OS), having higher processor privileges than the OS. The memory introspection engine is configured to selectively block the copying of memory between a source process and a destination process, thus preventing the injection of code and/or data, particularly from or into user-mode processes. To prevent inter-process memory copying, some embodiments hook a native OS function carrying out such copy operations. A subsequent call to the hooked function may either carry out or block the requested copy operation, according to a set of decision criteria based on the identity of the source process and/or the identity of the destination process.

Abstract: In some embodiments, a fluorescent lighting device includes an arc tube; an amalgam flag including two opposing planar surfaces within the arc tube, the planar surfaces being adjacent to each other along a first edge of the planar surfaces and spaced apart from each other along a second edge of the planar surfaces; a quantity of amalgam deposited on the planar surfaces of the amalgam flag; and an electrode disposed within the arc tube to, at least in part, heat the quantity of amalgam when energized.