Abstract: A single system for detecting and blocking all cases of null-byte injection in all text data received for a network, before the text reaches potentially vulnerable services in the network. A set of directed graphs is received, each one of the directed graphs corresponding to a singly encoded null-byte that is encoded according to a corresponding character encoding method contained within a set of character encoding methods. The set of directed graphs is used to generate an output finite-state machine that models detection of at least one multiply encoded null-byte that is encoded according to at least one of the character encoding methods contained in the set of character encoding methods. The output finite-state machine is loaded into an attack detection and prevention system that receives input text, and that detects null-bytes, including multiply encoded null-bytes, within the input text.

Abstract: The present invention relates to a terminal and a control method thereof which automatically log in to an application, which is installed on a common smart apparatus that multiple users use, using a personal smart device used by an individual such as a smart phone.

Abstract: Providing an encrypted search index for performing searches on encrypted documents, the method comprising: (i) providing a set of documents, the documents comprising a plurality of unencrypted phrases; (ii) providing a master key; (iii) providing, based on the master key, for each phrase a set of encryption keys comprising one or more encryption keys; (iv) selecting, for each phrase, one encryption key of the set of encryption keys; (v) encrypting each phrase with the selected encryption key; and (vi) building an index based on the encrypted phrases, the index comprising information regarding which encrypted phrase is comprised within a certain document.

Abstract: Systems, methods, and computer program products retrieve data from a low retrieval speed device. A request is made to retrieve data from the low retrieval speed device. A determination is made that the time to respond to the request will exceed a threshold amount of time. In response to the determination that the time to respond to the request will exceed the threshold amount of time, a load stall interrupt is generated. In response to the load stall interrupt, one or more system resources associated with a source of the request are released.

Abstract: Systems and methods of the present disclosure facilitate synchronizing data between a device management system and ticketing systems. In some embodiments, the system includes an update module, a mapping module, and a service board selection module. The update module may be configured to update ticketing information about a ticketing ticket on the ticketing system to match device management information about a device management ticket on the device management system. The mapping module may be configured to select a ticket category for a device management ticket on the device management system responsive to the device management information about the device management ticket. The service board selection module may be configured to select a service board for a ticketing ticket on the ticketing system.

Abstract: The use of a sleep, or halt, instruction enables a processor to halt execution when read from a non-volatile memory. The opcode for the sleep instruction is the same value as the constant bit value of an un-programmed, nonvolatile memory. When the opcode is read by the processor, execution is halted and the processor enters a wait or sleep mode. During the sleep mode, firmware is programmed into memory with another means such as an external host processor. When a valid trigger event occurs, for instance, external or internal interrupts or reset activation, the processor then exits the sleep mode and starts instruction etching at the PC_INIT address.

Abstract: Embodiments of the present application relate to a method, apparatus, and system for managing confidential information. The method includes accessing stored target information comprising a public part and a confidential part, wherein an identifier corresponds to the confidential part of the target information, outputting the public part of the target information and the corresponding identifier, wherein the public part of the target information comprises at least first address information, receiving location information and a to-be-recognized identifier, wherein the location information is associated with a current location of a mobile terminal, determining whether the location information is consistent with the first address information, and in the event that the location information is consistent with the first address information, sending the confidential part of the target information associated with the to-be-recognized identifier to the mobile terminal.

Abstract: Methods and apparatus are disclosed for using a shared page miss handler device to satisfy page miss requests of a plurality of devices in a multi-core system. One embodiment of such a method comprises receiving one or more page miss requests from one or more respective requesting devices of the plurality of devices in the multi-core system, and arbitrating to identify a first page miss requests of the one or more requesting devices A page table walk is performed to generate a physical address responsive to the first page miss request. Then the physical address is sent to the corresponding requesting device, or a fault is signaled to an operating system for the corresponding requesting device responsive to the first page miss request.

Abstract: A processing system includes a processing core to execute a task and a memory management unit, coupled to the core. The memory management unit includes a protection key register comprising a plurality of fields. Each field comprising a set of bits reflecting a memory access permission for each of a plurality of memory domains. The memory management unit also includes a plurality of protection key mask registers. Each of the protection key mask registers comprising a mask having a plurality of bits, each bit reflecting an access permission to a corresponding field of the protection key register by a code page residing in a memory domain of the plurality of memory domains identified by an index of the protection key mask register.

Abstract: Systems and methods for managing the identity of a user, for managing the identity of the user in a public storage facility, and for certifying pending transactions for a user are disclosed. One example method includes receiving, at an input device, personal data that identifies the user. The personal data is represented as input data. The input device is configured to process a hashing function to provide a hash value and user accessible interface for transmitting the hash value and a public key of the user to the public storage facility, e.g., block chain, and for receiving back from the public storage facility a transaction number corresponding to the hash value and the public key. In one example, the input device is configured to encrypt the hash value, a time stamp and the transaction number with a public key of a certification entity to provide user certifiable data to the certification entity. The certification entity is configured to access the public storage facility to verify the user.

Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.

Abstract: A definition is received of at least one data object and a compute object from a host at a storage compute device. A first key is associated with the at least one data object and a second key is associated with the compute object. A command is received from the host to perform a computation that links the first and second keys. The computation is defined by the compute object and acts on the data object. The computation is performed via the storage compute device using the compute object and the data object in response to the command.

Abstract: In some embodiments, a method includes establishing a secured connection between a client device and a subordinate web service of a single sign-on service for a user, using a shared cryptographic key in a cookie stored on the client device that was transmitted over a different secured connection by a master web service of the single sign-on service, as part of authentication of the user for the single sign-on service.

Abstract: A method carried out at a point of contact (e.g., reverse proxy, a web server plug-in, or the like) that serves as an intermediary between a client browser and one or more back-end applications (or application component), wherein each back-end application has the capability to set its own server-side session management data with respect to the point of contact that is independent of any client-side session management data set by the point of contact and used by the point of contact to manage a user session. The method begins as a given back-end application returns a response to a first request that has been issued from the client browser (the first request having been received at the point of contact and passed to a back end application or component for processing).

Abstract: A method for redirecting, to a second machine, without user intervention, a request for access to a folder on a first machine, the request made by a resource executing within a remote access session on the first machine, includes receiving, by a component on a first machine, folder mapping information associated with a folder provided by a shell namespace on a second machine. The component intercepts a request by a resource executing on the first machine for access to file system data on the first machine. The component redirects the request to the second machine responsive to the received folder mapping information.

Abstract: Methods, systems, and computer readable media can be operable to facilitate a unique protection of recorded content. A central device may be configured to establish and maintain associations between unique passwords and one or more individual recordings. A user may provide a unique password to be associated with one or more individual recordings. When a recording is associated with a unique password, the central device may require entry of the unique password before carrying out an action such as playback or deletion of the recording.

Abstract: There are provided methods for single-owner multi-consumer work queues for repeatable tasks. A method includes permitting a single owner thread of a single owner, multi-consumer, work queue to access the work queue using atomic instructions limited to only a single access and using non-atomic operations. The method further includes restricting the single owner thread from accessing the work queue using atomic instructions involving more than one access. The method also includes synchronizing amongst other threads with respect to their respective accesses to the work queue.

Abstract: A system for preventing data remanence in memory is provided. The system includes a computing device, a memory chip coupled to the computing device and including memory, and a heater, the heater configured to prevent data remanence in a memory by providing heat to at least a portion of the memory. The memory includes a plurality of bits configured to electronically store data.

Abstract: Methods and systems are disclosed to embed valid-field (VF) bits into classification keys for network packet frames. The embedded VF bits allow for extracted data from existing fields associated with frame data to be distinguished from default data used for missing fields where this extracted data and default data has been included within a frame classification key generated for a network packet frame. In certain embodiments, a valid-field field extraction command (VF-FEC) causes a key generator to embed VF bits into a frame classification key, and the logic state of the VF bits are used to distinguish extracted data from default data. Further, the disclosed embodiments allow VF bits to be selectively cleared based upon a bit mask applied prior to embedding of the VF bits. Still further, users can define VF-FECs and other field extraction commands (FECs) for key generation through one or more programmable key composition rules.

Abstract: A garbage collector scans containers of a storage system, each container containing a plurality of segments referenced by files of the storage system. For each of the containers being scanned constructing a working live segment record (LSR) file in memory, including generating a container LSR for each of the containers being scanned in a sequential order according to container identifiers of the containers, generating segment LSRs associated with the container LSR, each of the segment LSRs corresponding to one of the segments contained in the container, and for each of the segments contained in the container, indicating in a corresponding segment LSR whether the segment is a live segment. The segment LSRs of each container LSR of the working LSR file are translated from the memory into a persistent LSR for each of the containers in a persistent LSR file stored a persistent storage.

Abstract: A system for secure information storage and delivery includes a vault repository that includes a secure vault associated with a user, wherein the secure vault is associated with a service level including at least one of a data type or a data size limit associated with the secure vault, the secure vault being adapted to receive and at least one data entry and securely store the at least one data entry if the at least one of a size or a type of the at least one data entry is consistent with the service level. A mobile vault server coupled to the vault repository creates a mobile vault on a mobile device based on the secure vault and is capable of authenticating the mobile device based on user authentication information. The mobile vault server includes a mobile device handler that communicates with the mobile device.

Abstract: Embodiments of an invention for sharing memory in a secure processing environment are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to match an offer to make a page in an enclave page cache shareable to a bid to make the page shareable. The execution unit is to execute the instruction. Execution of the instruction includes making the page shareable.

Abstract: A method of operating a data storage device includes generating at least one pseudo noise (PN) sequence using logical information and physical information for the data storage device. The method also includes converting first data into second data using the at least one PN sequence. The logical information may be a logical address for the data storage device, and the physical information may be a physical address for the data storage device.

Abstract: Aspects of a method and system for allowing no code download in a code download scheme are provided. A system-on-a-chip (SoC) may comprise a security processor, a ROM, and a one-time-programmable (OTP) memory. The security processor may enable fetching code from a restricted function portion of the ROM. The restricted functions may comprise code for booting up the SoC and code that prevents enabling security algorithms within the SoC. The security processor may then enable booting up of at least a portion of the SoC based on the fetched code. The remaining portion of the ROM may comprise code for downloading security code from an external memory, such as a FLASH memory, to an internal memory, such as a RAM, to boot up the SoC. Access to the restricted function portion or the remaining portion of the ROM is based on at least one bit from the OTP memory.

Abstract: Providing an encrypted search index for performing searches on encrypted documents, the method comprising: (i) providing a set of documents, the documents comprising a plurality of unencrypted phrases; (ii) providing a master key; (iii) providing, based on the master key, for each phrase a set of encryption keys comprising one or more encryption keys; (iv) selecting, for each phrase, one encryption key of the set of encryption keys; (v) encrypting each phrase with the selected encryption key; and (vi) building an index based on the encrypted phrases, the index comprising information regarding which encrypted phrase is comprised within a certain document.

Abstract: The present disclosure describes systems and methods for controlling access to secure debugging and profiling features of a computer system. Some illustrative embodiments include a system that includes a processor, and a memory coupled to the processor (the memory used to store information and an attribute associated with the stored information). At least one bit of the attribute determines a security level, selected from a plurality of security levels, of the stored information associated with the attribute. Asserting at least one other bit of the attribute enables exportation of the stored information from the computer system if the security level of the stored information is higher than at least one other security level of the plurality of security levels.

Abstract: A method provides access to an integrated circuit which may comprise a storage containing an unalterable first security key and a memory containing a second security key. The method may comprise: checking the second security key by comparing the first security key and the second security key, if the second security key is valid, providing access to the integrated circuit, optionally depending on the validity of an access key, and if the second security key is invalid, enabling erasing the memory, and storing in the memory a new second security key which corresponds to the first security key. Erasing the memory may be followed by checking the erasing for completeness.

Abstract: A circuit configuration for touch panel controller IC includes a substrate including electrode pins arranged along four border edges thereof for signal transmission, and a controller mounted on the substrate and surrounded by the electrode pins and including processing units arranged in one same direction in a parallel manner, electric contacts arranged in three rows at three sides around the processing units and respectively electrically connected to the electrode pins of the substrate by respective lead wires and steering wires respectively electrically connected between the processing units and the electric contacts. Arranging the processing units in one same direction in a parallel manner minimizes differences in environmental conditions in exposure graphic definition and etch rate, thereby obtaining better circuit component process uniformity, and thus, the variation among the processing units after fabrication can be insignificant and better sensing accuracy can be achieved.

Abstract: An application store server may download a license to use a selected software application, after purchase of the license, along with the selected software application. The downloaded software application and license may be stored in the wireless mobile communication device. A user of the wireless mobile communication device may run the downloaded software application. In response, the downloaded software application may send a request for permission to run to an application store client in the wireless mobile communication device. The application store client may not return this permission, unless running is determined to be permitted by the downloaded license. The downloaded software application may in addition or instead seek to determine whether running is permitted by the downloaded license. An application store server may download a license to use a selected software application, after purchase of the license, along with the selected software application.

Abstract: Containers of a storage system are scanned, each container containing segments of files, where each file is represented by a file tree having segments in a hierarchical structure. The container live segment records (LSRs) corresponding to one of the containers are created, each of the container LSRs including segment LSRs corresponding to segments contained therein. After the segment LSRs of the container LSRs have been created for all segments of the containers, the segment LSRs of the container LSRs are sequentially traversed based on levels of segments specified in the corresponding segment LSRs to determine and indicate in the corresponding segment LSRs whether the segments are live segments. After all of the segment LSRs of the container LSRs have been traversed, a garbage collection operation is performed to reclaim storage space of segments that are not live segments indicated in the segment LSRs of the container LSRs.

Abstract: Methods and systems for managing requests for access to devices managed by a hypervisor in virtualized computing environment. A hypervisor receives a request for access to a device from a guest. The hypervisor provides an address hint associated with the device to the guest and an association between the address hint and the device is stored in a reference table. Upon receipt of a subsequent request from the guest including the address hint, the hypervisor performs a look-up in the reference table based on the address hint to identify the device and establishes access to the device by the guest.

Abstract: Embodiments of memory devices, computer systems, security apparatus, data handling systems, and the like, and associated methods facilitate security in a system incorporating the concept of a security perimeter which combines cryptographic and physical security. The memory device can comprise a memory operable to store information communicated with a processor, and a logic operable to create at least one cryptographic security perimeter enclosing at least one selected region of the memory and operable to manage information communication between the processor and the at least one selected region of the memory.

Abstract: A technique of the present invention includes a storage section for storing contents data and an encryption flag indicating that any one of an encryption recording mode and a non-encryption recording mode is set, an encrypting engine for encrypting contents data using an encryption key when the encryption recording mode is set, and a control section for controlling a storage section so that the encryption key and the encrypted contents data are stored when the encryption recording mode is set. Further, when the setting is changed from the encryption recording mode into the non-encryption recording mode, the control section controls the storage section so that the encryption flag is changed to indicate the setting of the non-encryption recording mode with the continuous storage of the encryption key.

Abstract: There is provided a method for providing access to data securely stored in memory card. An exemplary method comprises specifying first time information corresponding to a time period and storing the first time information in the memory card. The exemplary method also comprises inserting the memory card into a terminal. The exemplary method additionally comprises determining in a control unit included in the memory card, whether the time period has lapsed. The exemplary method also comprises allowing the terminal to access the data until it is determined that the time period has lapsed.

Abstract: Provided are a computer program product, system, and method for providing access information to a storage controller to determine a storage tier for storing data. Access information is maintained for each data record in a data store, wherein the access information indicates a level of access to each data record in the data store. A write request directed to a data record in the data store is received. A command is generated identifying the data record and including the access information for the data record. The command is transmitted to the storage controller, wherein the storage controller uses the access information to determine one of the plurality of storage tiers on which to store the data record.

Abstract: Instructions and logic provide memory key protection functionality. Embodiments include a processor having a register to store a memory protection field. A decoder decodes an instruction having an addressing form field for a memory operand to specify one or more memory addresses, and a memory protection key. One or more execution units, responsive to the memory protection field having a first value and to the addressing form field of the decoded instruction having a second value, enforce memory protection according to said first value of the memory protection field, using the specified memory protection key, for accessing the one or more memory addresses, and fault if a portion of the memory protection key specified by the decoded instruction does not match a stored key value associated with the one or more memory addresses.

Abstract: Resetting a password for a network service account may include redirecting the user to a password reset tool, wherein the user is blocked from network access other than the password reset tool while being redirected. After redirecting the user to the password reset tool, user entry of verification information may be accepted, and the verification information from the user may be compared with known verification information for the user. User entry of a new password may be accepted if the verification information accepted from the user matches the known verification information for the user; and the new password may be stored as the known password for the user. Related systems and computer-program products are also discussed.

Abstract: Non-Internet Protocol (IP) centric resources are accessed based on a value in the form of an IP address. This value (represented as the IP address) is converted to a non-IP address, which is to used access one or more non-IP address space resources. This value (represented as the IP address) typically includes an encoding of the non-IP address and/or an indirect reference (e.g., table index, pointer to a memory location) to the non-IP address.

Abstract: The present invention discloses a method and apparatus for protecting information based on a data card, and the method comprises: selecting information which needs to be hidden in a terminal device; and storing said information which needs to be hidden in a hidden partition of the data card. The present invention makes attackers not perceive the existence of the information and increases the security of the information in the data card, so as to protect the user's private information better.

Abstract: One feature pertains to a method of implementing a physically unclonable function. The method includes initializing an array of magnetoresistive random-access memory (MRAM) cells to a first logical state, where each of the MRAM cells have a random transition voltage that is greater than a first voltage and less than a second voltage. The transition voltage represents a voltage level that causes the MRAM cells to transition from the first logical state to a second logical state. The method further includes applying a programming signal voltage to each of the MRAM cells of the array to cause at least a portion of the MRAM cells of the array to randomly change state from the first logical state to the second logical state, where the programming signal voltage is greater than the first voltage and less than the second voltage.

Abstract: A method for accessing shared memory, the method includes loading a private context ID into a private context ID register, where the first private context ID enables a thread to access a private memory region only accessible by the thread. The method further includes receiving, from the thread, a first request to access a shared memory region, loading a shared context ID into a shared context register, permitting, by a memory management unit (MMU), the thread to access the shared memory region using the shared context ID, and receiving, from the thread, a second request to disable access to the shared memory region. The method further includes removing, in response to the second request, the shared context ID from the shared context ID register, where after removing the shared context ID from the shared context ID register the thread is no longer able to access the shared memory region.

Abstract: The present invention provides a method for providing services to a presentation device. The method comprises detecting a service delivery module in a communication system using a communication device and performing an authentication and authorization session between the service delivery module and the communication device, wherein user authentication and authorization is created. The method further comprises connecting to a service information module in said communication system to access services; providing a service request from said communication device to said service information module and initiating a service delivery session with said service information module using said user authentication and authorization information and said service request. Moreover, the method comprises delivering at least one service to said presentation device based on said service request. The present invention further provides a communication system for providing at least one service to a presentation device.

Abstract: Provided is an apparatus for generating an identification key by a probabilistic determination of a short occurring between nodes constituting a circuit, by violating a design rule provided during a semiconductor manufacturing process. The identification key generating apparatus may include an identification key generator to generate an identification key based on whether a contact or a via used to electrically connect conductive layers in a semiconductor chip shorts the conductive layers, and an identification key reader to read the identification key by reading whether the contact or the via shorts the conductive layers.

Abstract: The invention relates to a method for personalizing an electronic device using an encryption device adaptable to standard certified apparatuses. The encryption device makes it possible to ensure the confidentiality of the transfer of a secret code from the user to a possible personalization server.

Abstract: The authentication of a client to multiple server resources with a single sign-on procedure using multiple factors is disclosed. One contemplated embodiment is a method in which a login session is initiated with the authentication system of a primary one of the multiple server resources. A first set of login credentials is transmitted thereto, and validated. A token is stored on the client indicating that the initial authentication was successful, which is then used to transition to a secondary one of the multiple resources. A second set of login credentials is also transmitted, and access to the secondary one of the multiple resources is granted on the basis of a validated token and second set of login credentials.

Abstract: A method for sign-on and sign-out for a computer system. The method includes receiving a first sign-on request for the computer system and obtaining, from the first sign-on request, a first user identifier where the first user identifier corresponds to a first user for the computer system. The method then includes obtaining, from the first sign-on request, a first uniform resource locator (URL) and determining whether the first URL includes a first root name for the computer system. When a determination is made that the first URL includes the first root name for the computer system a first cookie associated with the first user is issued and a first sub-domain name is obtained from the first URL. Also, a second cookie may be issued associated with the first sub-domain name and, when the first cookie and the second cookie are issued, the first user may sign-on to the computer system. In one or more embodiments, the method may include receiving a sign-out request.

Abstract: A system can include a processor coupled to a bus; a first memory coupled to the bus, configured to limit access to a privileged portion according to at least protection values; a second memory coupled to the bus and having a privileged supervisory portion configured to be section erasable, access to the second memory being limited according to at least the protection values; and a boot sequence stored in the privileged portion that configures the processor to decode values stored in the supervisory portion into the protection values for storage in protection value registers.

Abstract: A secure communication kit is disclosed. The secure communication kit may include a plurality of tangible security tokens; each security token storing one or more cryptographic keys and a group identifier. A first cryptographic key stored on each security token may correspond to one of the cryptographic key(s) stored on every of the other security tokens. The group identifier stored on each security token may correspond to each group identifier stored on every of the other security tokens. A client device for securely communicating using the secure communication kit is also disclosed.

Abstract: Provided are techniques for verifying, by a first device, that a management key block of a second device is valid. A management key block that includes a plurality of verification data, each of the plurality associated with a plurality of security classes ranked from a high to low, is generated. The first device, which is associated with a security class that is higher than a security class associated with the second device, verifies a management key block of the second device by calculating a management key precursor associated with the higher security class and verifying verification data associated with the higher security class. In this manner, the second device is unable to pass an unauthorized, or “spoofed,” management key block.

Abstract: Provided are techniques for verifying, by a first device, that a management key block of a second device is valid. A management key block that includes a plurality of verification data, each of the plurality associated with a plurality of security classes ranked from a high to low, is generated. The first device, which is associated with a security class that is higher than a security class associated with the second device, verifies a management key block of the second device by calculating a management key precursor associated with the higher security class and verifying verification data associated with the higher security class. In this manner, the second device is unable to pass an unauthorized, or “spoofed,” management key block.