Patents by Inventor Tamas Visegrady

Tamas Visegrady has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200285746
    Abstract: A method, computer program product, and a system where a secure interface control configures a hardware security module for exclusive use by a secure guest. The secure interface control (“SC”) obtains a configuration request (via a hypervisor) to configure the hardware security module (HSM), from a given guest of guests managed by the hypervisor. The SC determines if the HSM is already configured to a specific guest of the one or more guests, but based on determining that the HSM is not configured to the and is a secure guest the SC forecloses establishing a configuration of the HSM by limiting accesses by guests to the HSM exclusively to the given guest. The SC logs the given guest into the HSM by utilizing a secret of the given guest. The SC obtains, from the HSM, a session code and retains the session code.
    Type: Application
    Filed: March 8, 2019
    Publication date: September 10, 2020
    Inventors: Reinhard T. Buendgen, Tamas Visegrady, Ingo Franzki
  • Patent number: 10719454
    Abstract: A method includes determining, by a tracker controller of a hardware security module, that a first processor has submitted a first request to access a computing resource. The method also includes determining, by the tracker controller, whether the first request and a second request both request access to the same computing resource. The second request is submitted by a second processor. The method also includes preventing access to the computing resource based on a determination that the first request and the second request do not request access to the same computing resource. The method also includes permitting access to the computing resource based on a determination that the first request and the second request both request access to the same computing resource.
    Type: Grant
    Filed: November 6, 2017
    Date of Patent: July 21, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Silvio Dragone, Nihad Hadzic, William Santiago Fernandez, Tamas Visegrady
  • Patent number: 10698708
    Abstract: A bytecode construction, a method, and a system for optimizing just in time compilation. The bytecode includes several regions wherein a region is a logical sequence of one or more bytecode blocks and the bytecode is annotated with region hints embedded therein. The region hints have a bytecode structure and are designed for instructing a just-in-time, or JIT, runtime environment for JIT compilation of the regions by JIT compilers implemented at nodes of a network. A method and a system for implementing the bytecode construction are also presented.
    Type: Grant
    Filed: August 3, 2010
    Date of Patent: June 30, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Thorsten Kramp, Tamas Visegrady
  • Publication number: 20200174688
    Abstract: System, methods, and media are provided for enforcing segmentation of multi-tenant data. An example method includes informing hardware of direct memory access (DMA) segmented regions, in which the hardware is informed of software-specified size and count parameters relating to DMA windows. Identifying an originating DMA window for each DMA descriptor and referenced data. Verifying that contents of one or more DMA transfers are entirely from memory controlled by a single process. Setting DMA window-describing registers based on the software-specified size and count parameters. Enforcing restrictions, based on the DMA window-describing registers, for DMA requests relating to the DMA windows as DMA requests are received.
    Type: Application
    Filed: November 30, 2018
    Publication date: June 4, 2020
    Inventors: William Santiago Fernandez, Tamas Visegrady, Silvio Dragone, Nihad Hadzic
  • Publication number: 20200177370
    Abstract: Batched execution of encryption operations is performed. A batched set of data for which format-preserving encryption is to be performed is obtained. The batched set of data includes a plurality of fields of data, which are independent of one another. Multiple rounds of format-preserving encryption are performed on the plurality of fields of data to provide an output of format-preserved encrypted data. A round of format-preserving encryption includes calling an encryption function to perform one or more encryption operations on the plurality of fields of data in parallel.
    Type: Application
    Filed: November 30, 2018
    Publication date: June 4, 2020
    Inventors: Michael J. Jordan, Tamas Visegrady, John C. Dayka, Michael C. Osborne
  • Publication number: 20200145189
    Abstract: An example operation may include one or more of receiving, by one or more endorser nodes of a blockchain network, an invoke chaincode transaction proposal, executing chaincode, encrypting, by an application programming interface between the chaincode and a shared ledger, blockchain state to the shared ledger, decrypting blockchain state from the shared ledger, endorsing, by the one or more endorser nodes, one or more results from executing the chaincode, and creating a blockchain transaction from the one or more endorsed results.
    Type: Application
    Filed: November 1, 2018
    Publication date: May 7, 2020
    Inventors: Elli Androulaki, Angelo De Caro, Alessandro Sorniotti, Tamas Visegrady
  • Patent number: 10614128
    Abstract: Graph data of a DAG is received. The data describes a module to be started by way of nodes connected by edges, wherein some nodes are submodule nodes that correspond to submodules of said module. Submodule nodes are connected via edge(s) that reflect a data dependency between the corresponding submodules. Each of said submodules is a hardware module or a software submodule, capable of producing and/or consuming data that can be consumed and/or produced, by other submodule(s) of said module, based on the DAG. Asynchronous execution is started of two of said submodules, respectively corresponding to two submodule nodes located in independent branches of the DAG. A third submodule node(s) is determined that is a descendant of each of said two submodule nodes, according to an outcome of the execution of the corresponding two submodules. Execution is started of a third submodule that corresponds to the determined third submodule node.
    Type: Grant
    Filed: January 23, 2017
    Date of Patent: April 7, 2020
    Assignee: International Business Machines Corporation
    Inventors: Michael Charles Osborne, Elaine Rivette Palmer, Tamas Visegrady
  • Patent number: 10586056
    Abstract: A method includes determining, by a persistent memory lockstep unit of a hardware security module, that a first processor is attempting to change a state of the hardware security module. The method also includes determining, by the persistent memory lockstep unit, whether a second processor has attempted the same change. The method also includes preventing the change until both the first processor and the second processor have attempted the same change. The method also includes permitting the change to the state of the hardware security module based on a determination that both the first processor and the second processor have both attempted the same change.
    Type: Grant
    Filed: November 6, 2017
    Date of Patent: March 10, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Silvio Dragone, Nihad Hadzic, William Santiago Fernandez, Tamas Visegrady
  • Patent number: 10397008
    Abstract: A security device (6) is provided for facilitating management of secret data items such as cryptographic keys which are used by a remote server (2) to authenticate operations of the server (2). The device (6) has a user interface (13), control logic (16) and a computer interface (11) for connecting the device (6) to a local user computer (5) for communication with the remote server (2) via a data communications network (3). The control logic is adapted to establish via the user computer (5) a mutually-authenticated connection for encrypted end-to-end communications between the device (6) and server (2). In a backup operation, the secret data items are received from the server (2) via this connection. The control logic interacts with the user via the user interface (13) to obtain user authorization to backup secret data items and, in response, stores the secret data items in memory (10).
    Type: Grant
    Filed: June 8, 2018
    Date of Patent: August 27, 2019
    Assignee: International Business Machines Corporation
    Inventors: Michael Baentsch, Harold Dykeman, Michael Osborne, Tamas Visegrady
  • Patent number: 10389727
    Abstract: A computer-implemented method, a computer system, and a computer program product are provided for enforcing multi-level security (MLS) on a message transmitted over a network that may be insecure. The method includes the processor obtaining a request from a source to send a message to a target, where the request includes the message and a context indicating a requested security level for the message. The processor encrypts the message based on ascertaining the message received in the request is a plaintext. The processor authenticates the encrypted message based on ascertaining the encrypted message is a ciphertext, where the target is enabled to trace the authenticated ciphertext back to the source. The processor transmits the authenticated encrypted message to the target across the network.
    Type: Grant
    Filed: January 8, 2018
    Date of Patent: August 20, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John C. Dayka, Michael Charles Osborne, Tamas Visegrady
  • Patent number: 10389728
    Abstract: A computer-implemented method, a computer system, and a computer program product are provided for enforcing multi-level security (MLS) on a message transmitted over a network that may be insecure. The method includes the processor obtaining a request from a source to send a message to a target, where the request includes the message and a context indicating a requested security level for the message. The processor encrypts the message based on ascertaining the message received in the request is a plaintext. The processor authenticates the encrypted message based on ascertaining the encrypted message is a ciphertext, where the target is enabled to trace the authenticated ciphertext back to the source. The processor transmits the authenticated encrypted message to the target across the network.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: August 20, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John C. Dayka, Michael Charles Osborne, Tamas Visegrady
  • Patent number: 10360393
    Abstract: A method includes determining, by a persistent memory lockstep unit of a hardware security module, that a first processor is attempting to change a state of the hardware security module. The method also includes determining, by the persistent memory lockstep unit, whether a second processor has attempted the same change. The method also includes preventing the change until both the first processor and the second processor have attempted the same change. The method also includes permitting the change to the state of the hardware security module based on a determination that both the first processor and the second processor have both attempted the same change.
    Type: Grant
    Filed: April 28, 2017
    Date of Patent: July 23, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Silvio Dragone, Nihad Hadzic, William Santiago Fernandez, Tamas Visegrady
  • Patent number: 10313109
    Abstract: A machine instruction is provided that has associated therewith an opcode to identify a perform pseudorandom number operation, and an operand to be used by the machine instruction. The machine instruction is executed, and execution includes obtaining a modifier indicator. Based on the modifier indicator having a first value, performing a deterministic pseudorandom number seed operation, which includes obtaining seed material based on information stored in the second operand. A selected hash technique and the seed material are used to provide one or more seed values, and the one or more seed values are stored in a parameter block.
    Type: Grant
    Filed: November 21, 2017
    Date of Patent: June 4, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Dan F. Greiner, Bernd Nerz, Tamas Visegrady
  • Patent number: 10296765
    Abstract: Embodiments of the present invention may involve providing security to a computing device. The providing security to a computing device may involve performing crypto-operations. A security system may include a central processing unit and a pre-processing unit. The pre-processing unit may be configured for receiving an incoming encapsulated request, parsing header infrastructure information of the encapsulated request, decapsulating the request, and providing the decapsulated request to the central processing unit for further processing.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: May 21, 2019
    Assignee: International Business Machines Corporation
    Inventors: Silvio Dragone, Michael C. Osborne, Tamas Visegrady
  • Patent number: 10282125
    Abstract: Systems and methods are provided for preserving data in a data deduplication system. A hash tree-based deduplication system balancing memory utilization and duplication-related storage access overhead is disclosed. The system preferably relies on distributed file system infrastructure and the system modifies this infrastructure. The data structures may be adapted to accommodate file-block distribution properties at runtime, such as runtime-specializing the hash tree to detect replicated chunks.
    Type: Grant
    Filed: April 17, 2017
    Date of Patent: May 7, 2019
    Assignee: International Business Machines Corporation
    Inventors: Mark Korondi, Dániel Kovács, Michael C. Osborne, Tamas Visegrady
  • Patent number: 10256981
    Abstract: Embodiments include method, systems and computer program products for secure logging of host security module. In some embodiments, an event may be received. The event may include data to be written to a secure log file. A hash may be generated using data of the event. The hash may be stored in a first field of an event record associated with the event. The event record may be stored in the secure log file. The hash may be stored in a second field of a next event record in the secure log file.
    Type: Grant
    Filed: September 27, 2016
    Date of Patent: April 9, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Richard V. Kisley, Mark D. Marik, Michael J. Miele, Tamas Visegrady
  • Patent number: 10235138
    Abstract: An instruction configured to perform a plurality of functions is executed. Based on a function code associated with the instruction having a selected value, one or more inputs of the instruction are checked to determine which one or more functions of the plurality of functions are to be performed. Based on a first input of the one or more inputs having a first value, a function of providing raw entropy is performed, in which the providing of raw entropy includes storing a number of raw random numbers. Further, based on a second input of the one or more inputs having a second value, a function of providing conditioned entropy is provided, in which the providing of conditioned entropy includes storing a number of conditioned random numbers.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: March 19, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Dan F. Greiner, Bernd Nerz, Timothy J. Slegel, Tamas Visegrady, Christian Zoellin
  • Publication number: 20190065203
    Abstract: A machine instruction is provided that includes an opcode field to provide an opcode, the opcode to identify a perform pseudorandom number operation, and a register field to be used to identify a register, the register to specify a location in memory of a first operand to be used. The machine instruction is executed, and execution includes for each block of memory of one or more blocks of memory of the first operand, generating a hash value using a 512 bit secure hash technique and at least one seed value of a parameter block of the machine instruction; and storing at least a portion of the generated hash value in a corresponding block of memory of the first operand, the generated hash value being at least a portion of a pseudorandom number.
    Type: Application
    Filed: October 25, 2018
    Publication date: February 28, 2019
    Inventors: Dan F. Greiner, Bernd Nerz, Tamas Visegrady
  • Patent number: 10133575
    Abstract: A machine instruction is provided that includes an opcode field to provide an opcode, the opcode to identify a perform pseudorandom number operation, and a register field to be used to identify a register, the register to specify a location in memory of a first operand to be used. The machine instruction is executed, and execution includes for each block of memory of one or more blocks of memory of the first operand, generating a hash value using a 512 bit secure hash technique and at least one seed value of a parameter block of the machine instruction; and storing at least a portion of the generated hash value in a corresponding block of memory of the first operand, the generated hash value being at least a portion of a pseudorandom number.
    Type: Grant
    Filed: May 24, 2018
    Date of Patent: November 20, 2018
    Assignee: International Business Machines Corporation
    Inventors: Dan F. Greiner, Bernd Nerz, Tamas Visegrady
  • Publication number: 20180314650
    Abstract: A method includes determining, by a tracker controller of a hardware security module, that a first processor has submitted a first request to access a computing resource. The method also includes determining, by the tracker controller, whether the first request and a second request both request access to the same computing resource. The second request is submitted by a second processor. The method also includes preventing access to the computing resource based on a determination that the first request and the second request do not request access to the same computing resource. The method also includes permitting access to the computing resource based on a determination that the first request and the second request both request access to the same computing resource.
    Type: Application
    Filed: November 6, 2017
    Publication date: November 1, 2018
    Inventors: Silvio Dragone, Nihad Hadzic, William Santiago Fernandez, Tamas Visegrady