Patents by Inventor Tamas Visegrady

Tamas Visegrady has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20180004486
    Abstract: Aspects of the present disclosure relate to a random number generator, a method and a computer program product for improving entropy quality of the random number generator. The method may include: receiving, at an input/output interface module of the random number generator, a request to generate a random number having a predetermined number of random bits, and starting a random bit generating loop to generate each of the random bits of the random number to be generated. In certain embodiments, the random bit generating loop may include: incorporating a CPU_Time as a randomness factor in generating the random number to improve entropy quality, including non-deterministic memory-subsystem latencies in entropy extraction, such as those introduced by unpredictable cache movements, generating a Candidate_Bit by using a Clock_Time, and generating a random bit for the random number by using a von Neumann unbiasing analysis module, until every random bit of the random number is generated.
    Type: Application
    Filed: June 30, 2016
    Publication date: January 4, 2018
    Inventors: James W. Sweeny, Tamas Visegrady
  • Patent number: 9860056
    Abstract: A machine instruction is provided that has associated therewith an opcode to identify a perform pseudorandom number operation, and an operand to be used by the machine instruction. The machine instruction is executed, and execution includes obtaining a modifier indicator. Based on the modifier indicator having a first value, performing a deterministic pseudorandom number seed operation, which includes obtaining seed material based on information stored in the second operand. A selected hash technique and the seed material are used to provide one or more seed values, and the one or more seed values are stored in a parameter block.
    Type: Grant
    Filed: August 16, 2016
    Date of Patent: January 2, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Dan F. Greiner, Bernd Nerz, Tamas Visegrady
  • Publication number: 20170288876
    Abstract: Embodiments are directed to an IC device comprising a set of N elements, and an interconnect system for enabling communication between the set of elements. Each element of the set of elements is configured according to a first communication plan to receive attestation data of each other element of the set of elements. Upon receiving the attestation data, the element may determine whether each of the received attestation data from the other elements match an attestation pattern as defined in the first communication plan. In case the received attestation data match the first communication plan, the element may determine whether the received attestation data is attested by N-1 elements of the set of elements. In case the attestation data is attested by N-1 elements of the set of elements, the element may indicate the presence of the set of elements before the time interval has lapsed.
    Type: Application
    Filed: April 4, 2016
    Publication date: October 5, 2017
    Inventors: Silvio Dragone, Michael C. Osborne, Tamas Visegrady
  • Patent number: 9747129
    Abstract: Graph data of a DAG is received. The data describes a module to be started by way of nodes connected by edges, wherein some nodes are submodule nodes that correspond to submodules of said module. Submodule nodes are connected via edge(s) that reflect a data dependency between the corresponding submodules. Each of said submodules is a hardware module or a software submodule, capable of producing and/or consuming data that can be consumed and/or produced, by other submodule(s) of said module, based on the DAG. Asynchronous execution is started of two of said submodules, respectively corresponding to two submodule nodes located in independent branches of the DAG. A third submodule node(s) is determined that is a descendant of each of said two submodule nodes, according to an outcome of the execution of the corresponding two submodules. Execution is started of a third submodule that corresponds to the determined third submodule node.
    Type: Grant
    Filed: October 22, 2015
    Date of Patent: August 29, 2017
    Assignee: International Business Machines Corporation
    Inventors: Michael Charles Osborne, Elaine Rivette Palmer, Tamas Visegrady
  • Publication number: 20170180132
    Abstract: Managing transfer of device ownership is provided. A digitally signed state change request for a device that includes at least one of a new device owner, a new designated successor device owner, and a new device ownership reversibility control bit is accepted. A stored state for the device that includes at least one of a current device owner, a previous device owner, a designated successor device owner, and a current device ownership reversibility control bit is read. The previous device owner is replaced with the current device owner, the current device owner is replaced with the new device owner, the designated successor device owner is replaced with the new designated successor device owner, and the new device ownership reversibility control bit is set in response to the new device ownership reversibility control bit being included in the digitally signed state change request.
    Type: Application
    Filed: December 18, 2015
    Publication date: June 22, 2017
    Inventors: Michael C. Osborne, Elaine R. Palmer, Tamas Visegrady
  • Patent number: 9680653
    Abstract: An instruction to perform ciphering and authentication is executed. The executing includes ciphering one set of data provided by the instruction to obtain ciphered data and placing the ciphered data in a designated location. It further includes authenticating an additional set of data provided by the instruction, in which the authenticating generates at least a part of a message authentication tag. The at least a part of the message authentication tag is stored in a selected location.
    Type: Grant
    Filed: October 13, 2016
    Date of Patent: June 13, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jonathan D. Bradbury, Reinhard T. Buendgen, Dan F. Greiner, Christian Jacobi, Volodymyr Paprotski, Aditya N. Puranik, Timothy J. Slegel, Tamas Visegrady, Christian Zoellin
  • Publication number: 20170132330
    Abstract: Graph data of a DAG is received. The data describes a module to be started by way of nodes connected by edges, wherein some nodes are submodule nodes that correspond to submodules of said module. Submodule nodes are connected via edge(s) that reflect a data dependency between the corresponding submodules. Each of said submodules is a hardware module or a software submodule, capable of producing and/or consuming data that can be consumed and/or produced, by other submodule(s) of said module, based on the DAG. Asynchronous execution is started of two of said submodules, respectively corresponding to two submodule nodes located in independent branches of the DAG. A third submodule node(s) is determined that is a descendant of each of said two submodule nodes, according to an outcome of the execution of the corresponding two submodules. Execution is started of a third submodule that corresponds to the determined third submodule node.
    Type: Application
    Filed: January 23, 2017
    Publication date: May 11, 2017
    Inventors: Michael Charles Osborne, Elaine Rivette Palmer, Tamas Visegrady
  • Publication number: 20170093818
    Abstract: A computer-implemented method, a computer system, and a computer program product are provided for enforcing multi-level security (MLS) on a message transmitted over a network that may be insecure. The method includes the processor obtaining a request from a source to send a message to a target, where the request includes the message and a context indicating a requested security level for the message. The processor encrypts the message based on ascertaining the message received in the request is a plaintext. The processor authenticates the encrypted message based on ascertaining the encrypted message is a ciphertext, where the target is enabled to trace the authenticated ciphertext back to the source. The processor transmits the authenticated encrypted message to the target across the network.
    Type: Application
    Filed: June 28, 2016
    Publication date: March 30, 2017
    Inventors: John C. Dayka, Michael Charles Osborne, Tamas Visegrady
  • Publication number: 20170093879
    Abstract: A computer-implemented method, a computer system, and a computer program product are provided for enforcing multi-level security (MLS) on a message transmitted over a network that may be insecure. The method includes the processor obtaining a request from a source to send a message to a target, where the request includes the message and a context indicating a requested security level for the message. The processor encrypts the message based on ascertaining the message received in the request is a plaintext. The processor authenticates the encrypted message based on ascertaining the encrypted message is a ciphertext, where the target is enabled to trace the authenticated ciphertext back to the source. The processor transmits the authenticated encrypted message to the target across the network.
    Type: Application
    Filed: September 30, 2015
    Publication date: March 30, 2017
    Inventors: John C. Dayka, Michael Charles Osborne, Tamas Visegrady
  • Publication number: 20170091489
    Abstract: Embodiments of the present invention may involve providing security to a computing device. The providing security to a computing device may involve performing crypto-operations. A security system may include a central processing unit and a pre-processing unit. The pre-processing unit may be configured for receiving an incoming encapsulated request, parsing header infrastructure information of the encapsulated request, decapsulating the request, and providing the decapsulated request to the central processing unit for further processing.
    Type: Application
    Filed: September 30, 2015
    Publication date: March 30, 2017
    Inventors: Silvio Dragone, Michael C. Osborne, Tamas Visegrady
  • Patent number: 9575769
    Abstract: A method for updating code images in a system includes booting a first image of a code with a sub-system processor, receiving a second image of the code, performing a security and reliability check of the second image of the code with the sub-system processor, determining whether the security and reliability check of the second image of the code is successful, storing the second image of the code in a first memory device responsive to determining that the security and reliability check of the second image of the code is successful, designating the second image of the code as an active image, and sending the second image of the code to a second memory device, the second memory device communicatively connected with the first memory device and a main processor.
    Type: Grant
    Filed: April 6, 2015
    Date of Patent: February 21, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Vincenzo Condorelli, Silvio Dragone, William Santiago-Fernandez, Tamas Visegrady
  • Publication number: 20170041135
    Abstract: A machine instruction is provided that has associated therewith an opcode to identify a perform pseudorandom number operation, and an operand to be used by the machine instruction. The machine instruction is executed, and execution includes obtaining a modifier indicator. Based on the modifier indicator having a first value, performing a deterministic pseudorandom number seed operation, which includes obtaining seed material based on information stored in the second operand. A selected hash technique and the seed material are used to provide one or more seed values, and the one or more seed values are stored in a parameter block.
    Type: Application
    Filed: August 16, 2016
    Publication date: February 9, 2017
    Inventors: Dan F. Greiner, Bernd Nerz, Tamas Visegrady
  • Patent number: 9424000
    Abstract: A machine instruction is provided that includes an opcode field to provide an opcode, the opcode to identify a perform pseudorandom number operation, and a register field to be used to identify a register, the register to specify a location in memory of a second operand to be used. The machine instruction is executed, and execution includes obtaining a modifier field of a register associated with the machine instruction; based on the modifier field having a first value, performing a deterministic pseudorandom number seed operation, which includes obtaining seed material based on information stored in the second operand; using a 512 bit secure hash technique and the seed material to provide one or more seed values; and storing the one or more seed values in a parameter block.
    Type: Grant
    Filed: November 22, 2014
    Date of Patent: August 23, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Dan F. Greiner, Bernd Nerz, Tamas Visegrady
  • Patent number: 9411576
    Abstract: A software version management system comprising a host driver and at least one software module. The host driver comprises migration means to start, stop and replace the software modules on a computer system in response to replacement actions.
    Type: Grant
    Filed: December 2, 2013
    Date of Patent: August 9, 2016
    Assignee: International Business Machines Corporation
    Inventors: Michael D. Hocker, Michael J. Jordan, Tamas Visegrady, Klaus Werner
  • Publication number: 20160202984
    Abstract: A machine instruction is provided that includes an opcode field to provide an opcode, the opcode to identify a perform pseudorandom number operation, and a register field to be used to identify a register, the register to specify a location in memory of a first operand to be used. The machine instruction is executed, and execution includes for each block of memory of one or more blocks of memory of the first operand, generating a hash value using a 512 bit secure hash technique and at least one seed value of a parameter block of the machine instruction; and storing at least a portion of the generated hash value in a corresponding block of memory of the first operand, the generated hash value being at least a portion of a pseudorandom number.
    Type: Application
    Filed: January 28, 2016
    Publication date: July 14, 2016
    Inventors: Dan F. Greiner, Bernd Nerz, Tamas Visegrady
  • Publication number: 20160117189
    Abstract: Graph data of a DAG is received. The data describes a module to be started by way of nodes connected by edges, wherein some nodes are submodule nodes that correspond to submodules of said module. Submodule nodes are connected via edge(s) that reflect a data dependency between the corresponding submodules. Each of said submodules is a hardware module or a software submodule, capable of producing and/or consuming data that can be consumed and/or produced, by other submodule(s) of said module, based on the DAG. Asynchronous execution is started of two of said submodules, respectively corresponding to two submodule nodes located in independent branches of the DAG. A third submodule node(s) is determined that is a descendant of each of said two submodule nodes, according to an outcome of the execution of the corresponding two submodules. Execution is started of a third submodule that corresponds to the determined third submodule node.
    Type: Application
    Filed: October 22, 2015
    Publication date: April 28, 2016
    Inventors: Michael Charles Osborne, Elaine Rivette Palmer, Tamas Visegrady
  • Patent number: 9313201
    Abstract: A system and method of performing electronic transactions between a server computer and a client computer. The method implements a communication protocol with encrypted data transmission and mutual authentication between a server and a hardware device via a network, performs a decryption of encrypted server responses, forwards the decrypted server responses from the hardware device to the client computer, displays the decrypted server responses on a client display, receives requests to be sent from the client computer to the server, parses the client requests for predefined transaction information by the hardware device, encrypts and forwards client requests, displays the predefined transaction information upon detection, forwards and encrypts the client request containing the predefined transaction information to the server if a user confirmation is received, and cancels the transaction if no user confirmation is received.
    Type: Grant
    Filed: November 27, 2013
    Date of Patent: April 12, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Michael Baentsch, Reto Hermann, Thorsten Kramp, Thomas D. Weigold, Peter Buhler, Thomas Eirich, Tamas Visegrady, Frank Hoering, Michael P. Kuyper-Hammond
  • Patent number: 9268952
    Abstract: A method, system, and computer program product to generate results for a query to an encrypted database stored on a host are described. The method includes generating indexes from the encrypted database, each index identifying records of the encrypted database associated with a range of data for at least one field stored in the records of the encrypted database, and generating index metadata associated with each index, the index metadata indicating the range of data identified by the associated index. The method also includes generating a sub-query from the query for each field associated with the query and determining a subspace of search within the encrypted database based on sub-query results obtained through the index metadata. The method further includes searching the subspace of the encrypted database to generate the results of the query.
    Type: Grant
    Filed: February 15, 2013
    Date of Patent: February 23, 2016
    Assignee: International Business Machines Corporation
    Inventors: John C. Dayka, Elaine R. Palmer, Tamas Visegrady
  • Patent number: 9268974
    Abstract: A method for creating entropy in a virtualized computing environment includes waking one or more samplers, each sampler having a sampling frequency; sampling a sample source with each of the one or more samplers; placing each of the samplers in an inactive state when not sampling; determining a difference between an expected value and a sampled value at each sampler; and providing a function of the difference from each of the one or more samplers to an aggregator.
    Type: Grant
    Filed: November 30, 2012
    Date of Patent: February 23, 2016
    Assignee: International Business Machines Corporation
    Inventors: John C. Dayka, Tamas Visegrady
  • Patent number: 9251338
    Abstract: Exemplary embodiments include a method for remapping subsets of host-centric application programming interfaces to commodity service providers, the method including receiving a commodity service providers object, embedding the commodity service providers object with a handle, transforming the handle into a serialized object readable by a hardware security module, generating a virtualized handle from the transformed handle, selecting a target hardware security module based on characteristics of the serialized object and mapping the virtualized handle to the target hardware security module.
    Type: Grant
    Filed: October 30, 2012
    Date of Patent: February 2, 2016
    Assignee: International Business Machines Corporation
    Inventors: John C. Dayka, Michael J. Jordan, James W. Sweeny, Tamas Visegrady