Abstract: The disclosed technology is generally directed to a distributed query-and-command system. In one example of the technology, in a trusted execution environment (TEE) of a first node, database code of the first node and distributed ledger code of the first node is executed, such that execution of the distributed ledger code of the first node instantiates a first instance of a distributed ledger of a consortium blockchain, and such that execution of the query-and-command code of the first node instantiates a first instance of a query-and-command system. The consortium blockchain is distributed among a plurality of nodes, and the query-and-command system is distributed among the plurality of nodes. A first transaction that is associated with modifying the query-and-command system is received. The first transaction is executed. Changes associated with the first transaction to the distributed ledger are persisted.

Abstract: The disclosed technology is generally directed to code transparency. In one example of the technology, a claim associated with an application is received. The claim is a document that is signed with a claim signature and that includes evidence associated with a policy, and further includes an expected set of at least one binary measurement associated with the application. The evidence is cryptographically verifiable evidence associated with the application. A trusted execution environment (TEE) is used to provide a distributed ledger. The claim is verified. Verifying the claim includes verifying the expected set of at least one binary measurement associated with the application, verifying the claim signature, and, based at least on the evidence, verifying that the application meets the policy. Upon successful verification of the claim, the claim is appended to the distributed ledger. A ledger countersignature associated with the claim is generated.

Abstract: The disclosed technology is generally directed to code transparency. In one example of the technology, evidence associated with a policy is obtained. The evidence includes data that includes cryptographically verifiable evidence associated with initial source code in accordance with the policy. The initial source code is source code for a CTS. The initial binary is based on the initial source code is executed in a TEE such that a CTS instance begins operation. The CTS instance is configured to register guarantee(s) associated with code approved by the CTS instance. The TEE is used to provide a ledger. The evidence is stored on the ledger. Measurement(s) associated with the binary are provided. A service key associated with CTS instance is generated. TEE attestation of the measurement(s), the evidence, and the service key is provided.

Abstract: According to a first aspect, execution logic is configured to perform a linear capability transfer operation which transfers a physical capability from a partition of a first software modules to a partition of a second of software module without retaining it in the partition of the first. According to a second, alternative or additional aspect, the execution logic is configured to perform a sharding operation whereby a physical capability is divided into at least two instances, which may later be combined.

Abstract: According to a first aspect, execution logic is configured to perform a linear capability transfer operation which transfers a physical capability from a partition of a first software modules to a partition of a second of software module without retaining it in the partition of the first. According to a second, alternative or additional aspect, the execution logic is configured to perform a sharding operation whereby a physical capability is divided into at least two instances, which may later be combined.