Security Kernel Or Utility Patents (Class 713/164)
  • Patent number: 12223044
    Abstract: Techniques for identifying malware based on system API function pointers are disclosed. In some embodiments, a system/process/computer program product for identifying malware based on system API function pointers includes monitoring changes in memory during execution of a malware sample in a computing environment; detecting a dynamic evasion behavior using an Application Programming Interface (API) vector comprising a plurality of system API function pointers identified in the memory during execution of the malware sample in the computing environment; and generating a signature based on the API vector for automatically detecting the malware during execution in the memory, wherein the malware sample was determined to be malicious.
    Type: Grant
    Filed: July 12, 2021
    Date of Patent: February 11, 2025
    Assignee: Palo Alto Networks, Inc.
    Inventors: Robert Jung, Daniel Raygoza, Michael S. Hughes, Esmid Idrizovic
  • Patent number: 12204616
    Abstract: A method and an intelligent apparatus for calling permission verification of a protected intelligent application are provided.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: January 21, 2025
    Assignee: Hangzhou Hikvision Digital Technology Co., Ltd.
    Inventor: Yiping Zheng
  • Patent number: 12199633
    Abstract: Methods and apparatus for dynamically controlling a quantum computer are described wherein the method includes selecting a first and second digital pulse signal stored in a memory, the first digital pulse signal having a first pulse shape and a first sample rate and the second digital pulse signal having a second pulse shape and a second sample rate, at least the first or the second sample rate being lower than an output sampling rate of a digital-to-analog converter (DAC); forming a digital pulse sequence signal, the forming including applying a first interpolation algorithm to determine a first upsampled digital pulse signal based on the first digital signal and a second interpolation algorithm to determine a second upsampled digital pulse signal based on the second digital signal, the sample rates of the first and second upsampled digital signals matching the sample rate of the DAC; and, providing the digital pulse sequence signal comprising the first and second upsampled digital pulse signals to an input
    Type: Grant
    Filed: May 10, 2021
    Date of Patent: January 14, 2025
    Assignee: QBLOX B.V.
    Inventors: Jules Christiaan Van Oven, Cornelis Christiaan Bultink, Jordy Marinus Josephus Gloudemans
  • Patent number: 12192353
    Abstract: A system for securely managing a plurality of hardware security modules (HSMs). One example provides a host device, a first HSM, and a second HSM. The host device is configured to designate the first HSM as a primary HSM, and activate a security association mode in the primary HSM. The first HSM is configured to generate a multi-HSM exchange key (“MEK”), and encrypt the MEK using a temporary key generated with a key agreement protocol between the first HSM and the second HSM. The first HSM shares the encrypted MEK with the second HSM via the host device. The host device deactivates the security association mode, and the first HSM receives a traffic encryption key (“TEK”). The first HSM encrypts the TEK using the MEK, and shares the encrypted TEK with the second HSM via the host device. The second HSM decrypts the TEK using the MEK.
    Type: Grant
    Filed: November 30, 2022
    Date of Patent: January 7, 2025
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Brian W. Pruss, Amalendu Roy, Brent A. Veltkamp
  • Patent number: 12184800
    Abstract: Methods and systems disclosed herein recite the use of linking cryptography-based digital repositories in order to perform blockchain operations in decentralized applications. For example, the system may link a first cryptography-based storage application (e.g., a first digital wallet) with a second cryptography-based storage application (e.g., a second digital wallet). The first cryptography-based storage application may correspond to a first private key, and the first private key is stored on a first user device. The second cryptography-based storage application corresponds to a first partial private key and a second partial private key, wherein the first partial private key is stored on a first remote device, and wherein the second partial private key is stored on the first user device.
    Type: Grant
    Filed: February 25, 2022
    Date of Patent: December 31, 2024
    Assignee: Coinbase, Inc.
    Inventors: Ankit Chiplunkar, Ben Schreck, Matt Moore, Olivia Thet, Peter Jihoon Kim, Trevor Aron
  • Patent number: 12174988
    Abstract: Disclosed is a system for managing transparent data encryption of a database. The system comprises an encrypted vault application and an application server. The encrypted vault application stores at least one encryption key for the database. The application server is configured to provide an authorization token to the encrypted vault application after unsealing of the encrypted vault application; receive an access token from the encrypted vault application, after authentication of the application server; provide the access token to the encrypted vault application to receive at least one encryption key therefrom; and communicate the at least one encryption key, via a key talker, to the database; and wherein the database comprises a key listener that listens for the at least one encryption key and provides the at least one encryption key to the database.
    Type: Grant
    Filed: July 5, 2022
    Date of Patent: December 24, 2024
    Inventors: Maximilian Alastair Buchan, Dzmitry Maskaliou, Michael Antipin, Yann Golanski
  • Patent number: 12174954
    Abstract: An output of a GenAI model responsive to a prompt is received. The GenAI model is configured using one or more system prompts including one or more Easter eggs. The output is scanned to confirm whether an Easter egg is present. In cases in which at least one Easter egg is present, one or more remediation actions can be initiated to thwart an information leak by the GenAI model. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: May 23, 2024
    Date of Patent: December 24, 2024
    Assignee: HiddenLayer, Inc.
    Inventors: Kenneth Yeung, Tanner Burns, Kwesi Cappel
  • Patent number: 12135809
    Abstract: Systems and methods are provided that may be implemented in one example to physically transfer or relocate information handling systems between facilities of different system owners in a manner that is downstream of the original equipment manufacturer (OEM) of the transferred information handling system/s, and which in one example may be managed in part or in whole by the OEM's customer base. In conjunction with facilitating physical transfer of each given information handling system directly between different enterprise owners, the disclosed systems and methods may also be implemented at the same time to utilize a unique identifier (that is assigned by the OEM manufacturer to each given information handling system) to manage transfer of the registration or other type of association of the given information handling system assets between the enterprise OEM user accounts of the different enterprise owners that are maintained by an OEM of the information handling system assets.
    Type: Grant
    Filed: December 3, 2021
    Date of Patent: November 5, 2024
    Assignee: Dell Products L.P.
    Inventors: Anantha K. Boyapalle, Charles D. Robison, Vaibhav Soni
  • Patent number: 12100278
    Abstract: The present disclosure relates to the use of cryptographic techniques to facilitate local decision making at a gateway device (120) interfacing between an operator device (110) and edge devices (130), for example as can be found in Internet of Things infrastructures. Local decision making is facilitated in the context of end to end encryption of data between the edge device and operator device by enabling a function of the data to be computed at the gateway (120) without decrypting the data, for example using Functional Encryption (FE). The gateway determines an action based on the computed function, for example whether to transmit the data to the operator device (110). Examples of edge devices are video surveillance cameras or utility consumption meters but the disclosure is applicable to any edge device that produces data to be transmitted with end to end encryption. The disclosure is also not limited to IoT infrastructures.
    Type: Grant
    Filed: August 30, 2019
    Date of Patent: September 24, 2024
    Assignee: NAGRAVISION SARL
    Inventors: Brecht Wyseur, Jean-Bernard Fischer
  • Patent number: 12088734
    Abstract: Arrangements of the present disclosure relate to a method for securing data located in a blockchain having a plurality of blocks. The method includes creating a pointer within a block of the plurality of blocks, the pointer pointing to a security vault located external to the blockchain. The method further includes securing a copy of the block within the security vault by wrapping the security vault in a plurality of layers of different digital signatures.
    Type: Grant
    Filed: June 7, 2023
    Date of Patent: September 10, 2024
    Assignee: Wells Fargo Bank, N.A.
    Inventor: Phillip H. Griffin
  • Patent number: 12086237
    Abstract: Securely redirecting a system service routine via a provider service table. A service call provider is loaded within an operating system executing in a lower trust security zone. The service call provider comprises metadata indicating a system service routine to be redirected to the service call provider. Based on the metadata, a provider service table is built within a higher trust security zone. The service table redirects the system service routine to the service call provider. Memory page(s) associated with the provider service table are hardware protected, and a read-only view is exposed to the operating system. The provider service table is associated with a user-mode process. A service call for a particular system service routine is received by the operating system from the user-mode process and, based on the provider service table being associated with the user-mode process, the service call is directed to the service call provider.
    Type: Grant
    Filed: December 21, 2021
    Date of Patent: September 10, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Haim Cohen, Graham John Harper, Mehmet Iyigun, Kenneth D. Johnson
  • Patent number: 12074976
    Abstract: Disclosed are aspects of an untrusted decentralized computing platform that includes an untrusted decentralized database which participant computing systems within the platform reach consensus on an accepted representation thereof. Some aspects of the database include one or more directed acyclic graphs, which may include cryptographic hash pointers. Some aspects include an untrusted decentralized database architecture that includes two constituent chains. Some aspects of a consensus layer of the untrusted decentralized computing platform alternate a proof of space with a verifiable delay function to reduce compute resource waste relative to systems reliant on compute sources for proofs of work. In some aspects of a consensus layer alternating the proof-of-space and the proof-of-time, a single difficulty factor may be determined by multiplying their difficulty factors together to generate a single variable which accounts for difficulty for both proofs.
    Type: Grant
    Filed: March 1, 2023
    Date of Patent: August 27, 2024
    Assignee: Chia Network Inc.
    Inventors: Dan Boneh, Krzysztof Pietrzak, Bram Cohen, Lipa Long, Richard Kiss, Alex Wice, Mariano Sorgente, Benedikt Bunz, Ben Fisch
  • Patent number: 12073387
    Abstract: A computer-implemented method to participate in a token transfer process for transferring a first quantity of token from a sender node to a recipient node using a blockchain is disclosed. The token transfer process includes a plurality of participating nodes and execution of a set of indirect token transactions between multiple pairs of the participating nodes. The method is implemented at a participating node performing steps of obtaining a subset of the indirect token transactions for which the participating node is either an input node or an output node, collaborating with a respective second participating node included in each indirect token transaction of the subset to generate a commitment channel for the indirect token transaction between the participating node and a second participating node, and collaborating with all other participating nodes in executing the indirect token transactions of the subset using the generated commitment channels.
    Type: Grant
    Filed: October 31, 2022
    Date of Patent: August 27, 2024
    Assignee: nChain Licensing AG
    Inventors: Daniel Joseph, Silvia Bartolucci
  • Patent number: 12067121
    Abstract: A trusted boot method and apparatus, an electronic device, and a readable memory medium. In the method, an IE FUSE that supports only one data write and an IE FW that supports multiple data writes are designed, whereby a first key written in the IE FUSE is prevented from being tampered with. If a second key generated based on a first signature extracted from the current IE FW is different from the first key, it indicates that IE boot parameters stored in the current IE FW are already different from those initially stored in the IE FW, that is, the parameters have been tampered with. In most cases, the IE boot parameters stored in the IE FW should not be tampered with. Therefore, once tampering is discovered, there are reasons to believe that there is a security risk of malicious attacks.
    Type: Grant
    Filed: June 28, 2020
    Date of Patent: August 20, 2024
    Assignee: INSPUR SUZHOU INTELLIGENT TECHNOLOGY CO., LTD.
    Inventor: Zhaoyi Zhang
  • Patent number: 12067123
    Abstract: A network connection device may include at least one sandbox to detect, isolate, and remove any discovered malware or cyber threat. The device may be configured to receive, save, and inspect data. A control layer may manage network connectivity so that only home organization network connections or external party network connections are connected at a given moment in time.
    Type: Grant
    Filed: August 16, 2021
    Date of Patent: August 20, 2024
    Assignee: Bank of America Corporation
    Inventor: Edward L. Haletky
  • Patent number: 12067902
    Abstract: A system and method for processing garbled circuit techniques in memory-limited environments. The method includes: initializing a plurality of input gates and a plurality of state gates; generating a circuit slice for an update function; setting the plurality of state gates as a plurality of new output-state-gates; and generating a circuit slice for a finalization function, wherein the finalization function represented by a sub-circuit, the outputs of which are terminal gates.
    Type: Grant
    Filed: November 29, 2021
    Date of Patent: August 20, 2024
    Assignee: Fireblocks Ltd.
    Inventors: Udi Peled, Nikolaos Makriyannis, Idan Ofrat, Pavel Berengoltz
  • Patent number: 12021851
    Abstract: A system is described. The system includes a processing resource and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to detect an unrecognized Internet Protocol Security (IPsec) packet associated with an IP address at a first node within a cluster, retrieve one or more selector fields from the IPsec packet, query a security policy database to determine whether a destination IP address included in the one or more retrieved selector fields matches one or more matching outbound IPsec policies associated with a destination IP address, determine whether a matching outbound IPsec policy includes an IPsec policy associated with the destination address entry and establish the first IPsec SA communication session between the first node and the client based on the outbound IPsec policy.
    Type: Grant
    Filed: November 2, 2021
    Date of Patent: June 25, 2024
    Assignee: NetApp, Inc.
    Inventors: Jin Zhang, Surajpal S. Sandhu, Matthew Martin Houston
  • Patent number: 12013938
    Abstract: An apparatus for generating a signature that reflects the similarity of a malware detection and classification system of the present invention includes a pre-processing unit configured to generate an input vector from input information, a classification unit configured to calculate a latent vector which indicates the similarity between at least one malware classification and the input vector by performing a plurality of computations to which learned weights of a plurality of layers are applied on the input vector through a deep neural network model, and a signature generation unit configured to generate a signature of the malware in a form of a binary vector by quantizing the latent vector.
    Type: Grant
    Filed: December 30, 2021
    Date of Patent: June 18, 2024
    Assignee: ESTSECURITY CORP.
    Inventors: Ui Jung Chung, Won Kyung Lee, Hyeong Jin Byeon
  • Patent number: 12008472
    Abstract: An apparatus and method for generating a compiled artificial intelligence (AI) model. The apparatus includes a processor that is configured to receive data sets from user devices. The processor is further configured to convert the data sets using a machine-learning model into a cleansed data format and generate an accumulated model using the converted data sets as training data.
    Type: Grant
    Filed: June 29, 2022
    Date of Patent: June 11, 2024
    Inventor: David Cook
  • Patent number: 11989276
    Abstract: Security measures are provided for resource exchange events occurring within a virtual environment, such as metaverse or the like. Intelligent resource exchange event authentication is realized by leveraging Artificial Intelligence (AI) and, more specifically, Machine Learning (ML) techniques to identify user behavioral patterns associated with previous resource exchange events conducted within the virtual environment and, in some instances, non-virtual environment. Current resource exchange event characteristics are compared to the user behavior patterns to ensure that the resource exchange event is authentic/legitimate. Additionally, intelligent user authentication occurs by leveraging the use of a Non-Fungible Token (NFT) that is presented by the user at the onset of the resource exchange event and is verified within a distributed trust computing network.
    Type: Grant
    Filed: June 24, 2022
    Date of Patent: May 21, 2024
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Jigesh Rajendra Safary
  • Patent number: 11983260
    Abstract: A computer platform is disclosed. The computer platform comprises a central processing unit (CPU) including at least one socket having a plurality of tiles and control circuitry to partition the socket into a plurality of sub-sockets and assign a unique identity to each of the plurality of sub-sockets for security verification, wherein each sub-socket comprises at least one of the plurality of tiles to operate as a cluster of resources.
    Type: Grant
    Filed: April 6, 2023
    Date of Patent: May 14, 2024
    Assignee: Intel Corporation
    Inventors: Bharat Pillilli, David W. Palmer, Nikola Radovanovic
  • Patent number: 11977662
    Abstract: Systems and methods are provided for implementing one-time programmable features for storage devices. In some embodiments, an Information Handling System (IHS) may include: a processor; and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the IHS to: initialize a one-time programmable (OTP) security storage device; and transmit a command to the OTP security storage device, where the OTP security device is configured to be set in security or non-security mode in response to the command, and where the OTP security storage device is configured to deny or ignore any subsequent command to set the OTP security storage device in a security mode or a non-security mode.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: May 7, 2024
    Assignee: Dell Products, L.P.
    Inventors: Frank Widjaja Yu, Jonathan Jay Kellen, Gregory M. Allen
  • Patent number: 11971974
    Abstract: A method, a non-transitory computer readable medium, and a personal computer for mapping a virtual smart card to a plurality of users. The method includes hosting, on a personal computer, an identity and access management (IAM) client, the IAM client configured to store a master virtual smart card for the plurality of users on the personal computer; authenticating, on the personal computer, a first user of the plurality of users; injecting, by the IAM client on the personal computer, an identity of the first user of the plurality of users and a personal identification number of the virtual smart card into a Kerberos communication application programming interface (API) with an Active Directory (AD), the Active Directory (AD) including the plurality of users; and mapping, on the personal computer, the master virtual smart card to the first user of the plurality of users.
    Type: Grant
    Filed: December 10, 2021
    Date of Patent: April 30, 2024
    Assignee: KONICA MINOLTA BUSINESS SOLUTIONS U.S.A., INC.
    Inventor: Rahul Suraparaju
  • Patent number: 11962687
    Abstract: A method including at each of a number of client devices receiving a data item, receiving a public key from a second computing system, encrypting the data item using the public key to produce a singly encrypted data item, engaging in an oblivious pseudorandom function protocol with a first computing system using the singly encrypted data item to produce a seed, generating an encrypted secret share using a threshold secret sharing function under which the encrypted secret share cannot be decrypted until a threshold number of encrypted secret shares associated with the same singly encrypted data item are received, and transmitting the encrypted secret share to the first computing system and at the first computing system receiving a number of encrypted secret shares from the number of client devices, processing the number of encrypted secret shares to produce processed data, and transmitting the processed data to a second computing system.
    Type: Grant
    Filed: December 4, 2019
    Date of Patent: April 16, 2024
    Assignee: Google LLC
    Inventors: Sarvar Patel, Marcel M. M. Yung, Gang Wang, Karn Seth, Mariana Raykova, Benjamin R. Kreuter, Ananth Raghunathan
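
The threshold property described in the abstract above (shares that reveal nothing until a threshold number of them for the same item are collected) is the one a practitioner most wants to see in code. The block below is an added example, not code from the patent or from Google; it implements plain Shamir secret sharing over a prime field with Lagrange reconstruction, and leaves out the public-key encryption and oblivious PRF layers the abstract wraps around it. The field modulus, the sample data item and the threshold values are assumptions chosen for illustration.

```python
import secrets

PRIME = 2**127 - 1  # field modulus (assumption); secrets and shares live in GF(PRIME)


def item_to_int(item: bytes) -> int:
    """Encode a short data item as a field element (must be < PRIME, i.e. <= 15 bytes)."""
    value = int.from_bytes(item, "big")
    assert value < PRIME, "data item too large for a single field element"
    return value


def int_to_item(value: int) -> bytes:
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, num_shares: int, rng=secrets.randbelow):
    """Return num_shares points (x, f(x)) of a random degree-(threshold-1)
    polynomial whose constant term is the secret."""
    assert 1 <= threshold <= num_shares < PRIME and 0 <= secret < PRIME
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0. Any threshold-sized set of distinct
    shares yields the secret; fewer than threshold yields an unrelated value."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


if __name__ == "__main__":
    # Constructed sample item; in the abstract this would be the (encrypted) data item.
    item = item_to_int(b"user@example")
    shares = split_secret(item, threshold=3, num_shares=5)
    print("3 of 5 shares:", int_to_item(reconstruct(shares[:3])))
    print("2 of 5 shares recover the item:", reconstruct(shares[:2]) == item)
```

Note that the guarantee is information-theoretic only if the polynomial coefficients are uniformly random, which is why `secrets.randbelow` rather than `random` is used; the abstract additionally keys shares to a per-item seed from an OPRF so that the aggregating party cannot tell which shares belong together without the threshold being met.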
  • Patent number: 11960613
    Abstract: A data communication system for transferring data from a hardware unit to a blockchain or other distributed ledger. The system includes a hardware interface to connect to the hardware unit, and a device having a microcontroller, a secure element connected to the microcontroller, first communication module, and a communication protocol for enabling the microcontroller to communicate with the hardware interface through the first communication module. The microcontroller is configured to: read data from the hardware unit through the hardware interface; generate a transaction corresponding to the data; securely generate a blockchain private key (dB); digitally sign the transaction by a blockchain private key (dB); deliver the signed transaction, and then delete the blockchain private key (dB) from volatile memory of the hardware unit. The microcontroller is adapted to generate a blockchain private key (dB) from parameters contained in part from the device itself and in part from the hardware interface.
    Type: Grant
    Filed: December 13, 2019
    Date of Patent: April 16, 2024
    Assignee: ZERYNTH S.P.A.
    Inventors: Giacomo Baldi, Gualtiero Fantoni, Daniele Mazzei, Gabriele Montelisciani
  • Patent number: 11954207
    Abstract: A system and method are disclosed for delegating, by a resource-constrained device, a privilege to a basic input/output system, wherein the privilege allows the basic input/output system to authenticate an endpoint device on behalf of the resource-constrained device. The system and method also includes generating an asymmetric security key that includes a private key and a public key and transmitting the public key to the basic input/output system, wherein the public key is included in a proxy certificate generated by the basic input/output system. In addition, the system and method includes establishing a secure session between the basic input/output system and the endpoint device using the private key and the proxy certificate, wherein the secure session is used by the basic input/output system to authenticate and verify that the endpoint device is authorized to perform an operation.
    Type: Grant
    Filed: September 17, 2021
    Date of Patent: April 9, 2024
    Assignee: Dell Products L.P.
    Inventors: Viswanath Ponnuru, Chandrashekar Nelogal, Chandrasekhar Mugunda, Dharma Bhushan Ramaiah, Shinose Abdul Rahiman, Vineeth Radharisknan, Rama Rao Bisa
  • Patent number: 11949798
    Abstract: A primary platform (PP) can (i) support a first set of cryptographic parameters and (ii) securely download an unconfigured secondary platform bundle (SPB) that includes a configuration package (SPB CP). The SPB CP can establish a secure session with a configuration server (CS). The CS can select operating cryptographic parameters supported by the first set. The SPB CP can derive an SPB private and public key. The PP can use the selected operating cryptographic parameters to securely authenticate and sign the SPB public key. The CS can (i) verify the PP signature for the SPB public key and (ii) generate an SPB identity and certificate for the SPB and (iii) send the certificate and SPB configuration data to the SPB CP. The SPB CP can complete configuration of the SPB using the SPB identity, certificate, and configuration data. The configured SPB can authenticate with a network using the certificate.
    Type: Grant
    Filed: April 17, 2023
    Date of Patent: April 2, 2024
    Inventor: John A. Nix
  • Patent number: 11928190
    Abstract: This disclosure describes systems and methods for protecting commercial off-the-shelf software program code from piracy. A software program may include an executable file having code and data. A platform may modify the executable file such that the data may be placed at a location in memory that is an arbitrary distance from the code. The platform may modify the executable file to include a separation header. The separation header may indicate that the data can be placed at an arbitrary distance in the memory from the code. The separation header may indicate that the code should be loaded into a hardware enclave and that the data should be loaded outside of the hardware enclave. The platform may encrypt the code and provide it to a computing device. The computing device may load the encrypted code into the hardware enclave but load the data into memory outside the hardware enclave.
    Type: Grant
    Filed: October 20, 2022
    Date of Patent: March 12, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Xinyang Ge, Weidong Cui, Ben Niu, Ling Tony Chen
  • Patent number: 11886579
    Abstract: The present disclosure is directed to methods and apparatus for validating and authenticating use of machine learning models. For example, various techniques are described herein to limit the vulnerability of machine learning models to attack and/or exploitation of the model for malicious use, and for detecting when such attack/exploitation has occurred. Additionally, various embodiments described herein promote the protection of sensitive and/or valuable data, for example by ensuring only licensed use is permissible. Moreover, techniques are described for version tracking, usage tracking, permission tracking, and evolution of machine learning models.
    Type: Grant
    Filed: January 13, 2020
    Date of Patent: January 30, 2024
    Assignee: Koninklijke Philips N.V.
    Inventors: Shawn Arie Peter Stapleton, Amir Mohammad Tahmasebi Maraghoosh
  • Patent number: 11861005
    Abstract: Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or data isolation. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a rootkit defense mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or prevention of malicious code, for example, in a manner/context that is isolated and not able to be corrupted, detected, prevented, bypassed, and/or otherwise affected by the malicious code.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: January 2, 2024
    Assignee: Lynx Software Technologies, Inc.
    Inventors: Edward T Mooring, Phillip Yankovsky
  • Patent number: 11838326
    Abstract: Techniques for mobile equipment identity and/or IoT equipment identity and application identity based security enforcement in service provider networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for mobile equipment identity and/or IoT equipment identity and application identity based security enforcement in service provider networks includes monitoring network traffic on a service provider network at a security platform to identify a device identifier for a new session; determining an application identifier for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the device identifier and the application identifier.
    Type: Grant
    Filed: March 7, 2022
    Date of Patent: December 5, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky, Jesse C. Shu, Chang Li
  • Patent number: 11811820
    Abstract: Methods, apparatus and computer software products implement embodiments of the present invention that include protecting a computer system, by collecting information from data traffic transmitted between multiple local nodes on a private data network and public IP addresses corresponding to multiple remote nodes on a public data network. DNS resolutions are detected in the collected information, each DNS resolution identifying a local node requesting the resolution with respect to a URI and a public IP address corresponding to the URI. Transmissions from the local nodes to the public IP addresses are detected in the collected information at respective times, and the detected DNS resolutions are compared to the detected transmissions so as to identify the transmissions from the local nodes to the public IP addresses that were not resolved by the DNS resolutions. Finally, a protective action is initiated with respect to at least some of the identified transmissions.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: November 7, 2023
    Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
    Inventors: Yinnon Meshi, Idan Amit, Jonathan Allon, Aviad Meyer
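
The correlation in the abstract above is a common detection for hard-coded C2 addresses: an outbound connection from a local node to a public IP that the same node never resolved via DNS shortly beforehand. The block below is an added example, not code from the patent or from Palo Alto Networks. The log line format, the sample records and the 300-second look-back window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from any real capture). Format assumed here:
# "<iso-timestamp> <local-node> resolve <name> <answer-ip>" for DNS, and
# "<iso-timestamp> <local-node> connect <dst-ip> <dst-port>" for connections.
DNS_LOG = [
    "2024-03-01T10:00:01 10.0.0.5 resolve www.example.com 93.184.216.34",
    "2024-03-01T10:00:04 10.0.0.7 resolve cdn.example.net 151.101.1.69",
]
CONN_LOG = [
    "2024-03-01T10:00:02 10.0.0.5 connect 93.184.216.34 443",  # resolved by 10.0.0.5
    "2024-03-01T10:00:05 10.0.0.5 connect 198.51.100.23 443",  # never resolved
    "2024-03-01T10:00:06 10.0.0.7 connect 151.101.1.69 443",   # resolved by 10.0.0.7
    "2024-03-01T10:00:07 10.0.0.9 connect 93.184.216.34 443",  # resolved, but by another node
    "2024-03-01T10:30:00 10.0.0.5 connect 93.184.216.34 443",  # resolution too old
]
WINDOW = timedelta(seconds=300)  # assumed look-back window


def parse_dns(line):
    ts, node, _, name, ip = line.split()
    return datetime.fromisoformat(ts), node, name, ip


def parse_conn(line):
    ts, node, _, ip, port = line.split()
    return datetime.fromisoformat(ts), node, ip, int(port)


def build_resolution_index(dns_lines):
    """(local node, answer IP) -> sorted resolution times. Keyed per node, because
    a resolution by one host does not explain a direct connection from another."""
    index = defaultdict(list)
    for line in dns_lines:
        ts, node, _, ip = parse_dns(line)
        index[(node, ip)].append(ts)
    for times in index.values():
        times.sort()
    return index


def unresolved_connections(dns_lines, conn_lines, window=WINDOW):
    """Return (node, dst_ip, dst_port, timestamp) for every connection whose
    destination was not resolved by the same node within `window` before it."""
    index = build_resolution_index(dns_lines)
    flagged = []
    for line in conn_lines:
        ts, node, ip, port = parse_conn(line)
        times = index.get((node, ip), [])
        explained = any(ts - window <= t <= ts for t in times)
        if not explained:
            flagged.append((node, ip, port, ts.isoformat()))
    return flagged


if __name__ == "__main__":
    for hit in unresolved_connections(DNS_LOG, CONN_LOG):
        print("unresolved connection:", hit)
```

In production the window has to be wider than the longest TTL the resolver caches, and encrypted DNS (DoH/DoT), resolutions made before capture started, and legitimate literal-IP clients all produce false positives, which is why the abstract speaks of acting on "at least some" of the identified transmissions rather than all of them.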
  • Patent number: 11797680
    Abstract: Methods, systems, and devices to enable a device with chain of trust are described. A controller may authenticate a root of trust entity as part of a boot-up procedure of a system that includes the root of trust entity. The root of trust entity may receive, as part of the boot-up procedure, a first portion of code associated with a first entity of the system. The controller may generate a first measurement result of the first portion of code and may identify, by the root of trust entity, a second measurement result associated with the first portion of code. The controller may determine, by the root of trust entity, whether the first measurement result matches the second measurement result as part of authenticating the first portion of code and may transmit, by the root of trust entity, an indication of whether the first and second measurement results match.
    Type: Grant
    Filed: August 28, 2020
    Date of Patent: October 24, 2023
    Assignee: Micron Technology, Inc.
    Inventor: Zhan Liu
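The measure-and-compare loop in this abstract, written out as an added example rather than Micron's implementation. The images, golden digests and boot order are constructed; the controller's authentication of the root of trust is modelled with a keyed MAC over a challenge, which is an assumption standing in for whatever the real device uses:

```python
"""Measured boot with a root of trust (added example, not Micron's implementation)."""
import hashlib
import hmac

def measure(code: bytes) -> bytes:
    """First measurement result: a digest of the code portion the controller received."""
    return hashlib.sha256(code).digest()

class RootOfTrust:
    """Holds the expected (second) measurements, provisioned before deployment (assumption).
    It only ever answers match / no match; the golden digests are not exported."""
    def __init__(self, identity_key: bytes, golden: dict):
        self._identity_key = identity_key
        self._golden = dict(golden)

    def prove_identity(self, challenge: bytes) -> bytes:
        # Stand-in for the controller authenticating the RoT: a MAC over a fresh
        # challenge with a key only the genuine RoT holds (assumption).
        return hmac.new(self._identity_key, challenge, hashlib.sha256).digest()

    def check(self, entity: str, first_measurement: bytes) -> bool:
        expected = self._golden.get(entity)
        return expected is not None and hmac.compare_digest(expected, first_measurement)

def boot(rot: RootOfTrust, expected_rot_key: bytes, images: dict, order: list):
    """Controller side of the boot-up procedure. Returns (booted_entities, log)."""
    log = []
    challenge = b"nonce-0001"   # constructed; use a random nonce in real code
    expected = hmac.new(expected_rot_key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(rot.prove_identity(challenge), expected):
        log.append(("root_of_trust", False))
        return [], log
    log.append(("root_of_trust", True))
    booted = []
    for entity in order:
        ok = rot.check(entity, measure(images[entity]))
        log.append((entity, ok))
        if not ok:
            break            # the chain stops at the first entity that fails to authenticate
        booted.append(entity)
    return booted, log

# Constructed images and golden values, standing in for real firmware (assumption).
IMAGES = {"bootloader": b"bootloader 1.2", "kernel": b"kernel 6.1", "rootfs": b"rootfs 2024-01"}
ORDER = ["bootloader", "kernel", "rootfs"]
GOLDEN = {name: measure(code) for name, code in IMAGES.items()}
ROT_KEY = b"rot-identity-key"

def run(images=IMAGES, rot_key=ROT_KEY):
    rot = RootOfTrust(rot_key, GOLDEN)
    return boot(rot, ROT_KEY, images, ORDER)
```

Two details carry the security argument: the comparison is constant-time, and a mismatch halts the chain before the unverified stage runs, so a modified kernel image is never executed even though the bootloader already was. A symmetric identity key lets the controller impersonate the root of trust, so a real design would use an asymmetric attestation key here.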
  • Patent number: 11782730
    Abstract: Methods, systems, and apparatuses for configuring a device for a specific task or set of tasks thereby allowing the device to be used for more than one task or set of tasks while also enabling fine-grain control over how the device may be used. A device's file system can operate with a particular file system based on the task(s) that the device will perform. Further, the device can physically configure itself based on the task(s) that the device will perform.
    Type: Grant
    Filed: May 19, 2023
    Date of Patent: October 10, 2023
    Assignee: Lowe's Companies, Inc.
    Inventors: Balajee Thachakkadu Mohan, Dheeraj Kysetti, Saravanan Rajendran, Vighnesh S Kumar
  • Patent number: 11775327
    Abstract: Apparatus and methods are described herein for multiple single level security (MSLS) domains including, but not limited to, a secure kernel hypervisor (SKH). The SKH configures a single multi-tenant cloud to host the MSLS domains. A cloud orchestration system (COS) configures the single multi-tenant cloud to set up a plurality of separate virtual work packages (VWPs) for the MSLS domains. A key management system (KMS) is configured to manage security objects associated with the MSLS domains.
    Type: Grant
    Filed: July 10, 2020
    Date of Patent: October 3, 2023
    Assignee: SEMPER FORTIS SOLUTIONS, LLC
    Inventors: Gregory B. Pepus, Todd O'Connell
  • Patent number: 11757882
    Abstract: Techniques are described herein for using special session identifiers to defer additional authentication steps (AAS) for at least some restricted application actions. A client session is associated with a special session identifier that is mapped to an authentication tier (AT) achieved for the session based on the satisfied authentication steps. Web servers that are enabled for AAS deferral include context information, which identifies a requested action, with session verification requests to an authentication service. The authentication service determines that AAS is required to perform an action when (a) the AT associated with the action is a higher-security tier than the AT associated with the session, or (b) the session is associated with an AT that is lower than the highest-security AT and there is no context information accompanying the request for session validation, in which case the authentication service assumes that the highest-security AT is required to perform the request.
    Type: Grant
    Filed: October 24, 2022
    Date of Patent: September 12, 2023
    Assignee: LENDINGCLUB BANK, NATIONAL ASSOCIATION
    Inventors: Hyunsuk Han, Mahesh Acharya
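The two decision rules in this abstract, as an added example that is not LendingClub's code. Tier names, the per-action tier table and the session store are assumptions; the session identifier is an opaque random token that maps to the tier achieved, as the abstract describes:

```python
"""Authentication-tier check for deferred additional authentication steps (added example)."""
import secrets

# Tiers in increasing strength; the names are assumptions.
TIER_PASSWORD, TIER_OTP, TIER_DEVICE = 1, 2, 3
HIGHEST_TIER = TIER_DEVICE

# Per-action tiers (constructed; a real deployment would load these from configuration).
ACTION_TIER = {
    "view_balance": TIER_PASSWORD,
    "change_email": TIER_OTP,
    "wire_transfer": TIER_DEVICE,
}

class AuthenticationService:
    def __init__(self):
        self._sessions = {}   # special session identifier -> authentication tier achieved

    def start_session(self, tier: int) -> str:
        sid = secrets.token_urlsafe(24)      # the special session identifier
        self._sessions[sid] = tier
        return sid

    def step_up(self, sid: str, tier: int) -> None:
        """Record that the user completed additional authentication steps."""
        self._sessions[sid] = max(self._sessions[sid], tier)

    def verify(self, sid: str, context=None):
        """Session verification request from a web server.

        Returns (allowed, required_tier). Rule (a): the action's tier exceeds the
        session's tier. Rule (b): no context was sent, so the service cannot know
        which action is behind the request and assumes the highest tier."""
        session_tier = self._sessions.get(sid)
        if session_tier is None:
            return False, HIGHEST_TIER
        if context is None:
            required = HIGHEST_TIER
        else:
            required = ACTION_TIER[context["action"]]
        return session_tier >= required, required
```

Rule (b) is the fail-closed default that makes deferral safe to roll out gradually: a web server that has not been upgraded to send context still cannot let a password-only session perform a high-tier action, it just loses the benefit of deferral until it sends context.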
  • Patent number: 11728974
    Abstract: Methods and systems for securing customer data in a multi-tenant database environment are described. A security module running on a database server may generate a private key-public key pair in response to receiving a request to store client data in a database. The security module may then transmit a request to derive a symmetric key to a key server, the request including the generated public key. The key server may derive a symmetric key, using key agreement and a key derivation function, based on the received public key and a private key managed by the key server. The security module may then receive the symmetric key from the key server and encrypt the client data. To facilitate decryption, the public key used to generate the symmetric key and an identifier for the private key managed by the key server may be stored in metadata associated with the client data.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: August 15, 2023
    Assignee: Salesforce, Inc.
    Inventors: Prasad Peddada, Taher Elgamal
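The key-agreement flow in this abstract carried through end to end, as an added example and not Salesforce's code. Classic Diffie-Hellman over RFC 3526 group 14 stands in for the elliptic-curve agreement a real system would use, HKDF-SHA256 is the key derivation function, and the record cipher is an HMAC keystream with encrypt-then-MAC as a placeholder for AES-GCM; all three substitutions, the key identifier format and the sample data are assumptions:

```python
"""Per-record key agreement with a key server (added example, not Salesforce's code)."""
import hashlib
import hmac
import secrets

# RFC 3526 MODP group 14 (2048-bit); classic Diffie-Hellman stands in for ECDH (assumption).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 extract-then-expand, built from the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _keystream(key: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def encrypt(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC over an HMAC keystream: placeholder for AES-GCM (assumption).
    Acceptable here only because every record gets a fresh key from a fresh key pair."""
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key[:32], len(data))))
    return ct + hmac.new(key[32:], ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key[32:], ct, hashlib.sha256).digest()):
        raise ValueError("record failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key[:32], len(ct))))

class KeyServer:
    """Manages long-term private keys by identifier; only derived keys ever leave it."""
    def __init__(self):
        self._private = {}

    def create_key(self, key_id: str) -> None:
        self._private[key_id] = secrets.randbits(256) | (1 << 255)

    def derive_symmetric_key(self, key_id: str, peer_public: int) -> bytes:
        if not 1 < peer_public < P - 1:
            raise ValueError("rejecting degenerate public key")
        shared = pow(peer_public, self._private[key_id], P)
        return hkdf_sha256(shared.to_bytes(P_BYTES, "big"), salt=key_id.encode(),
                           info=b"tenant-record-key", length=64)

def store_client_data(key_server: KeyServer, key_id: str, client_data: bytes):
    """Security module on the database server: a fresh key pair for each stored record."""
    private = secrets.randbits(256) | (1 << 255)
    public = pow(G, private, P)
    sym = key_server.derive_symmetric_key(key_id, public)
    del private                              # never persisted; only the public half is
    metadata = {"public_key": public, "key_id": key_id}
    return encrypt(sym, client_data), metadata

def read_client_data(key_server: KeyServer, ciphertext: bytes, metadata: dict) -> bytes:
    sym = key_server.derive_symmetric_key(metadata["key_id"], metadata["public_key"])
    return decrypt(sym, ciphertext)
```

The property worth noticing is that the database server holds no long-lived secret: the symmetric key is reconstructed on demand from the public value in the record's metadata plus the key server's private key, so a dump of the database alone yields nothing, and rotating or revoking the key server's private key for one tenant cuts off every record that names that key identifier. The degenerate-public-key check is the one input validation this protocol must not skip.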
  • Patent number: 11722532
    Abstract: Techniques for providing security for Cellular Internet of Things (CIoT) in mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for enhanced security for CIoT in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a subscriber identity for a new session, in which the session is associated with a CIoT device; determining an application identifier for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the subscriber identity and the application identifier.
    Type: Grant
    Filed: March 8, 2022
    Date of Patent: August 8, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky, Jesse C. Shu, Lei Chang
  • Patent number: 11640461
    Abstract: A computer-implemented method at a data management system comprises: generating, with one or more processors, a containerized runtime in a memory in communication with the one or more processors; instantiating, with the one or more processors, an app in the runtime; receiving, with the one or more processors, a request from the app for data; retrieving, with the one or more processors, a copy of the requested data from a data source; and transmitting, with the one or more processors, the data to the containerized runtime for the app to operate on.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: May 2, 2023
    Assignee: Rubrik, Inc.
    Inventors: Abhay Mitra, Vijay Karthik, Vivek Sanjay Jain, Avishek Ganguli, Arohi Kumar, Kushaagra Goyal, Christopher Wong
  • Patent number: 11625485
    Abstract: There is provided a system and a computer-implemented method of detecting malware in real time in a live environment. The method comprises: monitoring one or more operations of at least one program concurrently running in the live environment, building at least one stateful model in accordance with the one or more operations, analyzing the at least one stateful model to identify one or more behaviors, and determining the presence of malware based on the identified one or more behaviors.
    Type: Grant
    Filed: April 15, 2020
    Date of Patent: April 11, 2023
    Assignee: Sentinel Labs Israel Ltd.
    Inventors: Tomer Weingarten, Almog Cohen, Udi Shamir, Kirill Motil
  • Patent number: 11604876
    Abstract: A computer-implemented method at a data management system comprises: receiving, at a storage appliance from a server hosting a virtual machine, a write made to the virtual machine; computing, at the storage appliance, a fingerprint of the transmitted write; comparing, at the storage appliance, the computed fingerprint to malware fingerprints in a malware catalog; repeating the computing and comparing; and disabling the virtual machine if a number of matches from the comparing breaches a predetermined threshold over a predetermined amount of time.
    Type: Grant
    Filed: January 28, 2020
    Date of Patent: March 14, 2023
    Assignee: Rubrik, Inc.
    Inventors: Abhay Mitra, Vijay Karthik, Vivek Sanjay Jain, Avishek Ganguli, Arohi Kumar, Kushaagra Goyal, Christopher Wong
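The write-fingerprinting loop in this abstract with its threshold-over-time rule, as an added example and not Rubrik's code. The catalog contents, the write stream, SHA-256 as the fingerprint and reading "breaches" as "reaches" are all assumptions:

```python
"""Fingerprint VM writes against a malware catalog (added example, not Rubrik's code)."""
import hashlib
from collections import deque

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "known-bad" payloads; a real catalog holds hashes of known malware blocks.
MALWARE_CATALOG = {fingerprint(b"ransomnote.txt: your files are encrypted"),
                   fingerprint(b"\x4d\x5a dropper stub v3")}

class WriteMonitor:
    """Storage-appliance side: count catalog matches per VM inside a sliding window."""
    def __init__(self, catalog, threshold: int, window_seconds: int):
        self.catalog, self.threshold, self.window = catalog, threshold, window_seconds
        self._hits = {}          # vm_id -> deque of match timestamps
        self.disabled = set()

    def observe_write(self, vm_id: str, ts: int, data: bytes) -> str:
        """Returns 'clean', 'match', or 'disabled'."""
        if vm_id in self.disabled:
            return "disabled"
        if fingerprint(data) not in self.catalog:
            return "clean"
        hits = self._hits.setdefault(vm_id, deque())
        hits.append(ts)
        while hits and hits[0] < ts - self.window:   # drop matches outside the window
            hits.popleft()
        if len(hits) >= self.threshold:     # ">=" reads "breaches" as "reaches" (assumption)
            self.disabled.add(vm_id)
            return "disabled"
        return "match"

# Constructed write stream: (vm_id, timestamp_seconds, data)
SAMPLE_WRITES = [
    ("vm-prod-1", 0,   b"ransomnote.txt: your files are encrypted"),
    ("vm-prod-1", 5,   b"normal database page"),
    ("vm-prod-1", 10,  b"\x4d\x5a dropper stub v3"),
    ("vm-prod-1", 20,  b"ransomnote.txt: your files are encrypted"),   # 3rd hit in 60 s
    ("vm-prod-1", 25,  b"normal database page"),                       # already disabled
    ("vm-dev-2",  0,   b"\x4d\x5a dropper stub v3"),
    ("vm-dev-2",  100, b"\x4d\x5a dropper stub v3"),
    ("vm-dev-2",  200, b"\x4d\x5a dropper stub v3"),   # hits too far apart: stays up
]

def replay(writes, threshold=3, window_seconds=60):
    mon = WriteMonitor(MALWARE_CATALOG, threshold, window_seconds)
    verdicts = [(vm, ts, mon.observe_write(vm, ts, data)) for vm, ts, data in writes]
    return verdicts, sorted(mon.disabled)
```

The window is what keeps an isolated catalog hit (an AV signature file, a security researcher's sample directory) from taking a production VM offline; the threshold is the knob to tune against it. Exact-hash fingerprints only catch byte-identical writes, so a deployment needs to chunk writes on fixed boundaries and, ideally, snapshot the VM before disabling it so the evidence survives.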
  • Patent number: 11595366
    Abstract: Techniques are disclosed relating to securely communicating traffic. In some embodiments, an apparatus includes a secure circuit storing keys usable to encrypt data communications between devices over a network. The secure circuit is configured to store information that defines a set of usage criteria for the keys. The set of usage criteria specifies that a first key is dedicated to encrypting data being communicated from a first device to a second device. The secure circuit is configured to receive a request to encrypt a portion of a message with the first key, the request indicating that the message is being sent from the first device to the second device, and to encrypt the portion of the message with the first key in response to determining that the set of usage criteria permits encryption with the first key for a message being sent from the first device to the second device.
    Type: Grant
    Filed: September 8, 2017
    Date of Patent: February 28, 2023
    Inventor: Tristan F. Schaap
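The usage-criteria check the abstract describes, as an added example that is not the patent's design. The device names, the audit log and the one-block SHA-256 pad that stands in for a real AEAD inside the secure circuit are assumptions:

```python
"""Key usage criteria enforced inside a secure circuit (added example, not the patent's code)."""
import hashlib
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class UsageCriteria:
    """A key is dedicated to one direction: encrypting traffic from `src` to `dst`."""
    src: str
    dst: str

class SecureCircuit:
    """Keys never leave this object; callers only ask it to encrypt under a key id."""
    def __init__(self):
        self._keys = {}       # key_id -> (key bytes, UsageCriteria)
        self.audit = []       # (key_id, src, dst, allowed)

    def provision(self, key_id: str, criteria: UsageCriteria) -> None:
        self._keys[key_id] = (secrets.token_bytes(32), criteria)

    def encrypt(self, key_id: str, src: str, dst: str, message: bytes) -> bytes:
        key, criteria = self._keys[key_id]
        allowed = (src, dst) == (criteria.src, criteria.dst)
        self.audit.append((key_id, src, dst, allowed))
        if not allowed:
            raise PermissionError(f"{key_id} is not permitted for {src}->{dst}")
        nonce = secrets.token_bytes(16)
        # Counter-mode pad from a hash: placeholder for the circuit's real cipher (assumption).
        pad = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                       for i in range(len(message) // 32 + 1))
        return nonce + bytes(m ^ p for m, p in zip(message, pad))

def demo():
    """Constructed scenario: one key provisioned for phone -> watch only."""
    sc = SecureCircuit()
    sc.provision("k-phone-to-watch", UsageCriteria("phone", "watch"))
    msg = b"unlock request"
    ct = sc.encrypt("k-phone-to-watch", "phone", "watch", msg)
    outcomes = {"phone->watch": "encrypted" if len(ct) == 16 + len(msg) else "bad"}
    for src, dst in (("watch", "phone"), ("phone", "laptop")):
        try:
            sc.encrypt("k-phone-to-watch", src, dst, msg)
            outcomes[f"{src}->{dst}"] = "encrypted"
        except PermissionError:
            outcomes[f"{src}->{dst}"] = "refused"
    return outcomes, sc.audit
```

Binding a key to a direction closes the reflection class of attacks: with one shared key for both directions, a message the phone sent could be replayed to the phone as if it came from the watch, and the phone would accept it. With the criteria enforced where the key lives, software on the phone cannot even produce such a ciphertext, and the refused attempt lands in the audit log.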
  • Patent number: 11593489
    Abstract: A boot read only memory (ROM) chip unit can perform a secure boot routine based on various operations. A processor device comprises a boot ROM chip with processing circuitry on a system board configured to perform a system board power up according to a read operation in a one-time-programmable (OTP) memory/non-volatile memory (NVM). The OTP memory/NVM includes a spare area in a portion of the OTP/NVM that can receive a first sequence pattern. The processor determines whether a secure boot indication indicates a secure boot routine, and differentiates one or more read return content of the OTP memory/NVM between a wrongly read return content and a trusted read return content, in response to, or concurrent with, the secure boot indication indicating the secure boot routine.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: February 28, 2023
    Assignee: MaxLinear, Inc.
    Inventors: Jiaxiang Shi, Chun Feng Hu, Yao Chye Lee, Qiming Wu
  • Patent number: 11588822
    Abstract: A permission control method and apparatus for a terminal device, where the method includes: acquiring, in response to detecting a login operation of the target user on the target application, from the server, a permission control code of the target user for the target application; processing the permission control code into at least one permission code, the permission code being used to indicate that a user has a use permission for a corresponding functionality of the target application; and controlling, on the basis of the at least one permission code, the use of at least one functionality of the target application by the target user.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: February 21, 2023
    Assignees: Beijing Jingdong Shangke Information Technology Co., Ltd., Beijing Jingdong Century Trading Co., Ltd.
    Inventors: Shuo Gan, Wenming Zhe, Qi Hu
  • Patent number: 11565836
    Abstract: An item to write on a surface of a celestial body that has less atmosphere than Earth is received at a communications station and from a user device. An instruction that triggers the robot to write the item on the surface of the celestial body is provided by the communications station and to a robot on the surface of the celestial body. An image of the item written on the surface of the celestial body is received by the communications station and from the robot. The image of the item written on the surface of the celestial body is provided by the communications station and to the user device.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: January 31, 2023
    Assignee: RKF Engineering Solutions LLC
    Inventors: Jeffrey Freedman, Ted Kaplan, Phil Rubin, David Marshack, David Milliner
  • Patent number: 11563574
    Abstract: This invention relates generally to distributed ledger technology (including blockchain related technologies), and in particular the use of a blockchain in implementing, controlling and/or automating a task or process. It may relate to the use of a blockchain or related technology for recording or representing the execution of a portion of logic. This portion of logic may be arranged to implement the functionality of a logic gate, or plurality of logic gates, such as AND, XOR, NOT, OR etc.
    Type: Grant
    Filed: July 21, 2017
    Date of Patent: January 24, 2023
    Assignee: nChain Holdings Ltd
    Inventor: Gavin Allen
  • Patent number: 11552998
    Abstract: A device includes a root of trust and a controller to perform a device function of the device using the root of trust. The root of trust is designed to control and/or observe the controller at least partially for the performance of the device function.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: January 10, 2023
    Assignee: Infineon Technologies AG
    Inventors: Josef Haid, Stefan Rueping
  • Patent number: 11526599
    Abstract: One or more computer processors collect logs containing one or more admission requests associated with a new application installation in an empty namespace, wherein the empty namespace is a sandbox representative of a production environment. The one or more computer processors classify the one or more admission requests according to a set of conditions indicating respective levels of trust. The one or more computer processors create a set of candidates for signing containing admissions requests that are classified unsigned. The one or more computer processors generate a security policy for each candidate for signing in the set of candidates for signing.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: December 13, 2022
    Assignee: International Business Machines Corporation
    Inventors: Ruriko Kudo, Hirokuni Kitahara, Kugamoorthy Gajananan, Yuji Watanabe
  • Patent number: 11501005
    Abstract: A method and system for performing computational jobs securely on a shared computing resource. Data files for the computational job are encrypted on a secure system and the encrypted data files are stored in a data store on the shared computing resource. A key distribution server is established using a secure enclave on a front end of the shared computing resource. Cryptographic keys and application binaries are transferred to the enclave of the shared computing resource using a session key. The computational job is run using an application launcher on compute nodes of an untrusted execution environment of the shared computing resource, the application launcher obtaining the application binaries and the cryptographic keys from the key distribution server.
    Type: Grant
    Filed: August 26, 2020
    Date of Patent: November 15, 2022
    Assignee: ROLLS-ROYCE plc
    Inventor: Bryan L Lapworth
  • Patent number: 11500969
    Abstract: This disclosure describes systems and methods for protecting commercial off-the-shelf software program code from piracy. A software program may include multiple image files having code and data. A platform may modify the executable file such that the data may be placed at a location in memory that is an arbitrary distance from the code. The platform may encrypt the code and provide it to a computing device comprising a hardware enclave. The computing device may load the encrypted code into the hardware enclave but load the data into memory outside the hardware enclave. The computing device may request a decryption key from an authentication server using a hash of the hardware enclave signed by a processor. The authentication server may provide the decryption key if it verifies the signature and the hash. The computing device may decrypt the code and mark the hardware enclave as non-readable.
    Type: Grant
    Filed: January 3, 2020
    Date of Patent: November 15, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Xinyang Ge, Weidong Cui, Ben Niu, Ling Tony Chen
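The key-release decision at the centre of this abstract (and the same gate the Rolls-Royce abstract above relies on when its launcher fetches keys from an enclave-hosted server), as an added example and not Microsoft's or Rolls-Royce's code. An HMAC under a processor-held key stands in for the processor's attestation signature, repeating-key XOR stands in for the code cipher, and the program, keys and enclave model are all constructed:

```python
"""Attested key release for encrypted code in an enclave (added example, not vendor code)."""
import hashlib
import hmac
import secrets
from itertools import cycle

class Processor:
    """Stand-in for the CPU: signs an enclave measurement with a key only it holds.
    An HMAC replaces the real asymmetric attestation signature (assumption)."""
    def __init__(self, attestation_key: bytes):
        self._attestation_key = attestation_key

    def measure_and_sign(self, enclave_contents: bytes):
        digest = hashlib.sha256(enclave_contents).digest()
        return digest, hmac.new(self._attestation_key, digest, hashlib.sha256).digest()

class AuthenticationServer:
    """Releases a program's decryption key only for an enclave hash it approved,
    and only when the hash carries a signature that verifies under the processor key."""
    def __init__(self, processor_key: bytes):
        self._processor_key = processor_key
        self._keys_by_measurement = {}    # approved enclave hash -> decryption key

    def register(self, enclave_hash: bytes, decryption_key: bytes) -> None:
        self._keys_by_measurement[enclave_hash] = decryption_key

    def request_key(self, enclave_hash: bytes, signature: bytes):
        expected = hmac.new(self._processor_key, enclave_hash, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None                                   # not signed by a genuine processor
        return self._keys_by_measurement.get(enclave_hash)   # None if the hash is not approved

def xor_with_key(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR stands in for the real code cipher (assumption)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

class Enclave:
    """Only the encrypted code is loaded inside; program data stays in normal memory."""
    def __init__(self, processor: Processor, encrypted_code: bytes):
        self._processor = processor
        self.encrypted_code = encrypted_code
        self.code = None
        self.readable = True

    def attest(self):
        return self._processor.measure_and_sign(self.encrypted_code)

    def unseal(self, key: bytes) -> None:
        self.code = xor_with_key(key, self.encrypted_code)
        self.readable = False        # "mark the hardware enclave as non-readable"

def launch(server: AuthenticationServer, processor: Processor, encrypted_code: bytes):
    enclave = Enclave(processor, encrypted_code)
    enclave_hash, signature = enclave.attest()
    key = server.request_key(enclave_hash, signature)
    if key is None:
        return None                  # no key, so the code never decrypts
    enclave.unseal(key)
    return enclave

def build_demo():
    """Constructed vendor-side setup: encrypt the code and approve its enclave hash."""
    processor_key = secrets.token_bytes(32)
    code_key = secrets.token_bytes(32)
    plain_code = b"licensed routine: sum the data array"
    encrypted_code = xor_with_key(code_key, plain_code)
    server = AuthenticationServer(processor_key)
    server.register(hashlib.sha256(encrypted_code).digest(), code_key)
    return server, Processor(processor_key), encrypted_code, plain_code
```

Both checks are needed: the signature proves the hash was produced by a real processor rather than by a debugger presenting a known-good hash from ordinary memory, and the approved-hash lookup proves the enclave holds the vendor's unmodified image rather than a patched copy that would leak the decrypted code. Marking the enclave non-readable after decryption is what keeps the plaintext away from the same process that supplies the data.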