Abstract: Methods, apparatus, systems, and articles of manufacture to protect proprietary functionality and/or other content in hardware and software are disclosed. An example computer apparatus includes; a first circuit including a first interface, the first circuit associated with a first domain; a second circuit including a second interface, the second circuit associated with a second domain; and a chip manager to generate a first authenticated interface for the first interface using a first token and to generate a second authenticated interface for the second interface using a second token to enable communication between the first authenticated interface and the second authenticated interface.

Abstract: Various systems and methods for synchronizing execution of workload tasks are described herein. A networked computing device is configured to receive a set of barrier messages from a first set of tasks executing on at least one of a plurality of compute nodes in a system, the respective set of tasks operating as a part of a distributed workload; evaluate the set of barrier messages to determine whether a barrier synchronization condition is satisfied; and initiate execution of a second set of tasks executing on at least one of the plurality of compute nodes in the system in response to determining that the barrier synchronization condition is satisfied.

Abstract: Various systems and methods for providing intent-based workload orchestration described herein. A data center system may include a plurality of compute nodes and an orchestration node. The orchestration node may be configured to identify a workload for execution on the plurality of compute nodes; identify intents that define requirements for the execution of the workload on the plurality of compute nodes; monitor the execution of the workload to produce monitoring data; and control the execution of the workload based on the intents and the monitoring data, to dynamically adapt to changed conditions during the execution of the workload.

Abstract: Various systems and methods are described for implementing security intents for the execution of workloads in cloud-to-edge (C2E) and cloud-native execution environments. An example technique for implementing security intents for a workload on a computing node of a cluster includes: identifying a workload for execution on the computing node; identifying security intents that define levels of respective security requirements for the execution of the workload on the computing node; adapting an execution environment of the computing node, based on the identified security intents; and controlling the execution of the workload within the execution environment, based on the identified security intents, to dynamically monitor and adapt to changing security conditions during the execution of the workload.

Abstract: Various systems and methods are described for implementing attestation microservices and an attestation microservice mesh for cloud-to-edge (C2E) and cloud-native deployments are disclosed.

Abstract: Various systems and methods for providing cloud-to-edge workload orchestration described herein. A computing node is configured to receive a distributed workload configuration including security intents; decompose, based on the distributed workload configuration, a workload into a plurality of sub-workloads; identify an infrastructure resource of the plurality of compute nodes to execute a sub-workload of the plurality of sub-workloads; determine that an operating environment of the infrastructure resource satisfies the security intents; bind the sub-workload to the infrastructure resource, wherein the binding produces a token that is presented by the sub-workload to the infrastructure resource, and wherein the token is used to ensure trust among framework layers; and deploy the sub-workload to the infrastructure resource.

Abstract: Various systems and methods for providing secure and reliable node lifecycle in elastic workloads are described here. A compute node may be configured to: receive data describing a first elastic workload of the plurality of elastic workloads, the first elastic workload to execute on a first virtual execution environment, the first virtual execution environment associated with a first security context; determine a common resource that is used by the plurality of elastic workloads; store the common resource in a memory accessible by the first virtual execution environment; and execute the first elastic workload, wherein the first elastic workload has access to the common resource, and wherein the plurality of elastic workloads is executed in isolation from one another based on respective security contexts.

Abstract: Various systems and methods for providing Monte Carlo as a service are described here. A networked computing device may be configured to receive data describing an elastic workload that is partitioned among multiple nodes, execute a Monte Carlo simulation using at least a portion of the data describing the elastic workload, to obtain a workload configuration that distributes the elastic workload over a plurality of nodes, and present the workload configuration.

Abstract: Various systems and methods for managing data provenance are described herein. A networked computing device is configured to receive, from an edge node, a first data and a first data provenance capsule for the first data; process the first data using a data transformation function to produce second data; generate a second data provenance capsule for the second data; bind the second data provenance capsule to the second data with a digital signature, the digital signature using the first data provenance capsule as an ingredient of the digital signature; and transmit the second data and the second data provenance capsule to a destination node.

Abstract: Methods and apparatus for jitter-less distributed Function as a Service (FaaS) using flavor clustering. A set of FaaS functions clustered by flavor chaining is implemented to deploy one or more FaaS flavor clusters on one or more edge nodes, wherein each flavor is defined by a set of resource requirements mapped into a jitter Quality of Service (QoS) and is executed on at least one hardware computing component on the one or more edge nodes. One or more jitter controllers are implemented to control and monitor execution of FaaS functions in the one or more FaaS flavor clusters such that the functions are executed to meet jitter-less QoS requirements. Jitter controllers include platform jitter-less function controllers in edge nodes and a data center FaaS jitter-less controller. A jitter-less Software Defined Wide Area Network (SD-WAN) network controller is also provided to provide network resources used by FaaS flavor clusters and satisfy connectivity requirements between the edge nodes.

Abstract: Various systems and methods are described to enable cyber-physical protections in edge computing platforms, including with countermeasures that mitigate and halt a variety of digital or real-world attacks. In an example, an attack detection and response engine is used to monitor processing circuitry, with operations that: identify operational data from processing circuitry that operates multiple layers (e.g., of an IP block) to perform compute operations, with trust of the processing circuitry established based on attestation of a hardware root of trust (RoT); evaluate the operational data to identify an attack condition at the processing circuitry, based on monitoring an operational layer of the multiple layers; and provide a digital attack response to the processing circuitry, in response to identifying the attack condition, to deploy the digital attack response and cause a countermeasure at the operational layer of the processing circuitry.

Abstract: Various aspects of methods, systems, and use cases for verification and attestation of operations in an edge computing environment are described, based on use of a trust calculus and established definitions of trustworthiness properties. In an example, an edge computing verification node is configured to: obtain a trust representation, corresponding to an edge computing feature, that is defined with a trust calculus and provided in a data definition language; receive, from an edge computing node, compute results and attestation evidence from the edge computing feature; attempt validation of the attestation evidence based on attestation properties defined by the trust representation; and communicate an indication of trustworthiness for the compute results, based on the validation of the attestation evidence. In further examples, the trust representation and validation is used in a named function network (NFN), for dynamic composition and execution of a function.

Abstract: Various systems and methods are described for implementing cloud-to-edge (C2E) security are disclosed, including systems and methods for the execution of various workloads that are distributed among multiple edge computing nodes. An example technique for managing distributed workloads includes: identifying characteristics of a distributed workload from an execution of the distributed workload, for a distributed workload that is partitioned among multiple computing nodes; evaluating a trust status of the distributed workload in response to a change in the execution of the distributed workload, including verifying resources to execute the distributed workload and verifying security policies associated with the resources; and controlling the execution of the distributed workload among the multiple computing nodes, based on the characteristics and the evaluated trust status.

Abstract: A named function network (NFN) system includes a routing node, a function generation node, and a server node. The routing node receives requests for new functions, the requests including data values for generating the new functions. The function generation node receives the data values from the routing node and generates a new function for the NFN using the data values. The server node receives a request from the routing node to execute the new function, executes the new function, and transmits results of the execution to the routing node.

Abstract: Software and other electronic services are increasingly being executed in cloud computing environments. Edge computing environments may be used to bridge the gap between cloud computing environments and end-user software and electronic devices, and may implement Functions-as-a-Service (FaaS). FaaS may be used to create flavors of particular services, a chain of related functions that implements all or a portion of a FaaS edge workflow or workload. A FaaS Temporal Software-Defined Wide-Area Network (SD-WAN) may be used to receive a computing request and decompose the computing request into several FaaS flavors, enable dynamic creation of SD-WANs for each FaaS flavor, execute the FaaS flavors in their respective SD-WAN, return a result, and destroy the SD-WANs. The FaaS Temporal SD-WAN expands upon current edge systems by allowing low-latency creation of SD-WAN virtual networks bound to a set of function instances that are created to a execute a particular service request.

Abstract: A system for trust brokering as a service includes an edge computing node and a trust brokering service edge computing device. The trust brokering service edge computing device receives a computing workload request from an application configured to process secure data and identifies a set of security requirements associated with the request. The device also identifies a security feature present in the set of security requirements but not provided by the edge computing node. To address this, the device generates an application execution environment that includes a secure plugin providing the security feature and a virtual device representing the edge computing node. The computing workload request is then executed at the application execution environment, providing a secure and efficient solution for trust brokering as a service.

Abstract: Various systems and methods are described for implementing attestation operations. A computing device includes a processor; and memory to store instructions, which when executed by the processor, cause the computing device to: receive a workload from a source computing device over a network shared with the computing device; determine whether the workload has valid attestation; establish attestation for the workload when the workload does not have valid attestation; determine whether the attestation is compliant with a policy; and execute the workload when the attestation is compliant with the policy.

Abstract: Various systems and methods for providing consensus-based named function execution are described herein. A system is configured to access an interest packet received from a user device, the interest packet including a function name of a function and a data payload; broadcast the interest packet to a plurality of compute nodes, wherein the plurality of compute nodes are configured to execute a respective instance of the function; receive a plurality of responses from the plurality of compute nodes, the plurality of responses including respective results of the execution of the respective instances of the function; analyze the plurality of responses using a consensus protocol to identify a consensus result; and transmit the consensus result to the user device.

Abstract: Methods, apparatus, systems and articles of manufacture to train a model using attestation data are disclosed. An example apparatus includes a model trainer to train a machine learning model using a golden training data set received from a server to generate golden training results; and an attestation result generator to: compare the shared model training results to the golden training results; and determine if attestation of the shared model training results passes based on the comparison of the shared model training results and the golden training results.

Abstract: Various systems and methods for providing decentralized reputation management in a named-function network are described herein. A compute node is configured to access an information centric network (ICN) interest packet from a user device, the ICN interest packet including a function name and a data name; construct a named-function network (NFN) interest packet using the function name; transmit the NFN interest packet to a function provider; receive an NFN data packet with a version of a function corresponding to the function name; construct a named-data network (NDN) interest packet using the data name; receive an NDN data packet with a data value corresponding to the data name; determine that the version of the function is not on a denylist; and initiate execution of the version of the function with the data value in response to determining that the version of the function is not on the denylist.