Abstract: A method and system for performing computational jobs securely on a shared computing resource. Data files for the computational job are encrypted on a secure system and the encrypted data files are stored in a data store on the shared computing resource. A key distribution server is established using a secure enclave on a front end of the shared computing resource. Cryptographic keys and application binaries are transferred to the enclave of the shared computing resource using a session key. The computational job is run using an application launcher on compute nodes of an untrusted execution environment of the shared computing resource, the application launcher obtaining the application binaries and the cryptographic keys from the key distribution server.

Abstract: This disclosure describes systems and methods for protecting commercial off-the-shelf software program code from piracy. A software program may include multiple image files having code and data. A platform may modify the executable file such that the data may be placed at a location in memory that is an arbitrary distance from the code. The platform may encrypt the code and provide it to a computing device comprising a hardware enclave. The computing device may load the encrypted code into the hardware enclave but load the data into memory outside the hardware enclave. The computing device may request a decryption key from an authentication server using a hash of the hardware enclave signed by a processor. The authentication server may provide the decryption key if it verifies the signature and the hash. The computing device may decrypt the code and mark the hardware enclave as non-readable.

Abstract: A computer-implemented method to participate in a token transfer process for transferring a first quantity of token from a sender node to a recipient node using a blockchain is disclosed. The token transfer process includes a plurality of participating nodes and execution of a set of indirect token transactions between multiple pairs of the participating nodes.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for determining an applicable privacy policy based on various criteria associated with a user and the associated product or service. User and product criteria may be obtained automatically and/or based on user input and analyzed by a privacy policy rules engine to determine the applicable policy. Text from the applicable policy can then be presented to the user. A default policy can be used when no particular applicable policy can be identified using by the rules engine. Policies may be ranked or prioritized so that a policy can be selected in the event the rules engine identifies two, conflicting policies based on the criteria.

Abstract: Systems and methods for tokenization in a cloud-based environment. The disclosed systems and methods may perform operations including receiving input to be tokenized; obtaining a keyed hash function from a key management system; using the keyed hash function to generate a storage token for the input; creating an encrypted database entry linking the generated token to the received input; setting an expiry for the storage token; and when the storage token is received before the expiry, providing the linked input in response.

Abstract: Systems and methods for providing security services during a power management mode are disclosed. In some embodiments, a method comprises detecting with a mobile security system a wake event on a mobile device, providing from the mobile security system a wake signal, the providing being in response to the wake event to wake a mobile device from a power management mode, and managing with the mobile security system security services of the mobile device. Managing security services may comprise scanning a hard drive of the mobile devices for viruses and/or other malware. Managing security services may also comprise updating security applications or scanning the mobile device for unauthorized data.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for network risk assessment. One of the methods includes obtaining information describing network traffic between a plurality of network devices within a network. A network topology of the network is determined based on the information describing network traffic, with the network topology including nodes connected by an edge to one or more other nodes, and with each node being associated with one or more network devices. Indications of user access rights of users are associated to respective nodes included in the network topology. User interface data associated with the network topology is generated.

Abstract: Systems and methods involve a database function of an ATM processor on which rules database records for positive transition flows of ATM hardware or software activities are stored, a security agent function of the ATM processor that extracts data points from a transition flow for every succeeding ATM activity, and an algorithm function of the ATM processor that generates a rules database record for the transition flows for succeeding ATM activity based on the extracted data points and discards any generated rules database record that is identical to a rules database record already stored on the rules database function. A discovery phase of the algorithm function stores new rules database records, rules database function, and a protection phase of the algorithm function selects a risk protocol, when a generated record is not identical to a record already stored.

Abstract: A system enables a content creator to upload the content onto the server and set rules and conditions for the access and retrieval. The content is downloaded to a portable storage medium, the content will be encrypted for display at a particular destination device. When the content is loaded on the destination device, the destination device will check if the content is loaded on the correct destination device by checking the information of the destination device attached to the content against the device information stored on the destination device.

Abstract: A method of controlling access of an information handling system to a secured network may comprise detecting a time of flight (TOF) signal distance between the information handling system and a plurality of WLAN access points and received signal strength indication (RSSI) values to determine, via a processor executing code instructions of the information handling system, a location fingerprint of the information handling system relative to the plurality of address-identified wireless local area network (WLAN) access points and a secured perimeter of the facility before completing a boot process of the information handling system or allowing access to a secured network, if the location fingerprint indicates the information handling system is located within the secured perimeter.

Abstract: A mechanism to facilitate a private network (VPN)-as-a-service, preferably within the context of an overlay IP routing mechanism implemented within an overlay network. A network-as-a-service customer operates endpoints that are desired to be connected to one another securely and privately using the overlay IP (OIP) routing mechanism. The overlay provides delivery of packets end-to-end between overlay network appliances positioned at the endpoints. During such delivery, the appliances are configured such that the data portion of each packet has a distinct encryption context from the encryption context of the TCP/IP portion of the packet. By establishing and maintaining these distinct encryption contexts, the overlay network can decrypt and access the TCP/IP flow. This enables the overlay network provider to apply one or more TCP optimizations. At the same time, the separate encryption contexts ensure the data portion of each packet is never available in the clear at any point during transport.

Abstract: Apparatuses, methods and storage medium associated with virtualizing a USB device controller of a SoC in a computing platform hosting multiple VMs, are disclosed herein. In some embodiments, a CRM includes instructions to implement a USB driver stack in a SOS of a SVM on the computing platform. The USB driver stack of the SOS includes a SOS device controller driver to communicate with one or more USB devices of the computing platform, via a USB device controller of the SoC; and a SOS function virtualization driver to communicate with one or more corresponding UVM function virtualization drivers of the UVMs to paravirtualize the SOS device controller driver to the UVMs. Other embodiments are also described and claimed.

Abstract: Embodiments described include systems and methods for managing downloads from an embedded browser. The client application can control the locations to which downloads are directed. A system administrator can configure a policy to restrict downloads to approved locations. The client application can prevent a user from navigating to and downloading a file to a location that has not been approved according to the policy.

Abstract: An information processing apparatus having at least a first controller and a second controller. The second controller includes a CPU and a first storage for storing, in a non-volatile manner, a first program to be executed by the CPU. When the information processing apparatus is started up, the first controller verifies a presence or absence of alteration of the first program stored in the first storage, and causes the CPU to start up after confirming by the verification that the first program has not been altered.

Abstract: Examples associated with storage monitoring are described. One example system includes generating an encryption key and transmitting the encryption key to a basic input/output system (BIOS) security module. The BIOS security module uses the encryption key as a basis for a heartbeat. A provisioning module receives a signal identifying a monitored storage and generates an enforced storage associated with the monitored storage. The provisioning module also creates a manifest describing the relationship between the enforced storage and the monitored storage. The provisioning module transmits the manifest to the BIOS security module. A versioning module assigns a first access policy for the monitored storage and a second access policy to the enforced storage based on the manifest. The versioning module performs versioning for the monitored storage using the enforced storage, and periodically verifies operation to the BIOS security module using the heartbeat.

Abstract: In an approach for securing container workloads, a processor encrypts workload binaries. A processor uploads the workload binaries to a software repository. A processor encrypts a workload definition. A processor replaces the workload definition with a mock workload definition. A processor references the encrypted workload definition in the mock workload definition. A processor submits the mock workload definition to a master node.

Abstract: Various embodiments are generally directed to techniques for library behavior verification, such as by generating executables for software with indications of permitted behaviors by the library. Some embodiments are particularly directed to monitoring library behavior and performing one or more protective actions based on abnormal or unpermitted library behavior. In many embodiments, libraries and library manifests may be validated based on one or more signatures. In various embodiments, library behavior data comprising a set of permitted behaviors for the library may be determined based on the library manifest. In various such embodiments, a compiler may embed indications of the permitted library behavior in executables.

Abstract: A distributed file integrity checking system is described. The described peer integrity checking system (PICS) may negate an attack by storing a properties database amongst nodes of a peer-to-peer network of hosts, some or all of which co-operate to protect and watch over each other.

Abstract: Systems, methods, and software can be used to analyze security risks of a binary software code. In some aspects, a computer-implemented method comprises: receiving, by at least one hardware processor, a binary software code; determining, by the at least one hardware processor, a security risk value for each of a plurality of security risk factors of the binary software code; for each of the plurality of security risk factors, determining, by the at least one hardware processor, a security confidence level of the respective security risk factor; and generating, by the at least one hardware processor, a security notification, wherein the security notification includes the security confidence levels corresponding to the plurality of security risk factors.

Abstract: Disclosed are various embodiments for executing entity-specific cryptographic code in a cryptographic coprocessor. In one embodiment, encrypted code implementing a cryptographic algorithm is received from a service via a network. The cryptographic coprocessor decrypts the encrypted code. The cryptographic coprocessor executes the decrypted code to generate a cryptogram including information encrypted using the cryptographic algorithm. The cryptogram is sent to the service via the network.

Abstract: A device includes a secure execution context that is segregated from an operating system of the device. A security application executing in the operating system interfaces with the secure execution context to obtain verified data. The secure execution context may verify that operating system files are free of malware, obtain sensor readings that may be cryptographically signed, verify functioning of a baseband processor, and verify other aspects of the function and security of the device. The verified data may be used for various purposes such as verifying location of the device, training a machine learning model, and the like.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to intercept a process, store execution profiling for the process if the process involves a privileged resource or a privileged operation, and analyze the code involved in each stack frame to determine malicious activity. If the process does not involve a privileged resource or a privileged operation, then the process is not analyzed.

Abstract: A system root of trust device of a computing system authenticates boot images associated with data processing units of the computing system. The device includes at least one processor configured to determine whether a first set of boot code associated with a first processor of the computing system is authentic, in response to determining that the first set of boot code is authentic, reset the first processor to allow the first processor to boot and authenticate first executable code to be executed by the first processor, after resetting the first processor, determine whether a second set of boot code associated with a second processor of the computing system is authentic, and in response to determining that the second set of boot code is authentic, reset the second processor to allow the second processor to boot and to authenticate second executable code to be executed by the second processor.

Abstract: An intrusion detection system, comprising a monitor to receive messages from a target over a low-latency communication link comprising a controlled access memory structure logically positioned between the target and the monitor using point-to-point interconnects, the controlled access memory structure to receive a message from the target indicating that the target has entered a controlled mode of operation.

Abstract: The described technology is generally directed towards secure collaborative processing of private inputs. A secure execution engine can process encrypted data contributed by multiple parties, without revealing the encrypted data to any of the parties. The encrypted data can be processed according to any program written in a high-level programming language, while the secure execution engine handles cryptographic processing.

Abstract: One embodiment provides for a computer-implemented method comprising generating a linked list table including a first component having linking data to be stored in a table data structure for one or more rebase and bind operations and second a component having instructions to implement the table data structure to perform the rebase and bind operations according to a linked list chain and executing the instructions in the second component of the linked list table to perform the one or more rebase and bind operations based on the linked list chain.

Abstract: Various embodiments are provided for managing cryptographic bottlenecks for distributed multi-signature blockchain contracts in a computing environment. One or more cryptographic bottlenecks of cryptographic requests at a cryptographic accelerator may be resolved by switching between a blockchain node cryptographic library and an accelerator cryptographic library upon a number of the cryptographic requests at the accelerator exceeding a defined threshold.

Abstract: Techniques for generating a data representation without access to content are described. A method for generating a data representation without access to content comprises receiving a request to analyze one or more data items in a protected area of the provider network, sending the request to the protected area of the provider network, wherein the cluster model is used to identify a cluster identifier associated with each of the one or more data items, receiving the cluster identifier associated with each of the one or more data items, and regenerating each of the one or more data items based on the cluster identifier.

Abstract: A user terminal apparatus may include a communication unit for communicating with a server; a memory in which applications are stored; and a processor for executing an application including a first logic which requires security processing, performing mutual verification with the server, controlling the communication unit such that a request for executing the first logic on the server is sent to the server, and when the execution result of the first logic is received from the server, proceeding with the execution of the application by using the received execution result.

Abstract: The present embodiments relate to methods and apparatuses for side-band management of security for server computers. According to certain aspects, such management is directed to the security of data that is stored under the local control of the server, as well as data that flows through the network ports of the server. Such locally stored data is secured by encryption, and the encryption keys are managed by a management entity that is separate from the server. The management entity can also manage the security of network data flowing through the server using its own configuration of network security applications such as firewalls, monitors and filters.

Abstract: Techniques for obfuscating and deploying digital assets (e.g., mobile applications) are provided to mitigate the risk of unauthorized disclosure. An asset can be received that is to be deployed to a plurality of mobile devices, each of the mobile devices associated with a corresponding account having account attributes. A deployment group of one or more mobile devices for deploying the asset can be identified based on a set of one or more obfuscation parameters, comprising account attributes shared among the one or more mobile devices within the deployment group. A customized obfuscation scheme to be applied to the asset can be determined based at least in part on the set of obfuscation parameters. The customized obfuscation scheme can be applied to the asset to generate an obfuscated asset. The obfuscated asset can be transmitted and/or updated over a network to the one or more mobile devices within the deployment group.

Abstract: A method for establishing and maintaining a security policy for a device can include establishing a secure channel between a secure execution environment (SEE) operating on the device and a security entity external to the device. The method can also include configuring, by a security manager executing on the SEE, access to sensitive operations of an environment interactor coupled to the device based on a security policy provided from the security entity. The method can further include resetting, by the security manager, a secure watchdog timer in response to a reset authorization token provided from the secure entity. If the secure watchdog timer expires a given predetermined number of times since a last reset authorization token is received, the security manager executes a given prescriptive operation dictated by the security policy.

Abstract: Data processing systems and methods, according to various embodiments, are adapted for determining an applicable privacy policy based on various criteria associated with a user and the associated product or service. User and product criteria may be obtained automatically and/or based on user input and analyzed by a privacy policy rules engine to determine the applicable policy. Text from the applicable policy can then be presented to the user. A default policy can be used when no particular applicable policy can be identified using by the rules engine. Policies may be ranked or prioritized so that a policy can be selected in the event the rules engine identifies two, conflicting policies based on the criteria.

Abstract: Implementations of the present disclosure include receiving a record corresponding to a private transaction recorded in two or more private state databases of entities participating in the private transaction within a distributed ledger system (DLS), generating a data representation based on the record, transmitting the data representation for public consensus processing within the DLS, and recording within a public ledger of the DLS, and providing a public record for recording in the DLS, the public record being recorded in a public state database of each of entity participating in the DLS.

Abstract: Techniques are disclosed for enhanced crawling of unexposed web applications for vulnerability scanning purposes. A response to a request to a web application is received and a web application framework detection routine is executed on the response. A determination is made that a web application framework is part of the response and the response is loaded in a web browser associated with the web application. A custom web application framework hook for the web application framework is injected into a web page of a web browser and a list of Document Object Model (DOM) elements and corresponding event handlers is received. A determination is made, based on the list, to execute DOM events to discover functionality of the web application. The DOM events are executed, and network activity of the web browser during execution of the DOM events is recorded.

Abstract: A security agent configured to initiate a security agent component as a hypervisor for a computing device is described herein. The security agent is further configured to determine a subset of memory locations in memory of the computing device to be intercepted. The security agent component may then set intercepts for the determined memory locations. Setting such intercepts may include setting privilege attributes for pages which include the determined memory locations so as to prevent specific operations in association with those memory locations. In response to one of those specific operations, the security agent component may return a false indication of success or allow the operation to enable monitoring of the actor associated with the operation. When an operation affects another memory location associated with one of the pages, the security agent component may temporarily reset the privilege attribute for that page to allow the operation.

Abstract: A reprogramming method of a vehicle includes authenticating a diagnostor; receiving integrated firmware comprising a plurality of firmwares that correspond to a plurality of target controllers, respectively, from the diagnostor that is completely authenticated; authenticating the integrated firmware; encrypting and storing the plurality of firmwares included in the integrated firmware; and generating encryption keys that corresponds the plurality of target controllers, respectively apparatus. The encrypting and storing comprises encrypting and storing the plurality of firmwares to the encryption keys that correspond to the plurality of firmwares, respectively.

Abstract: An information processing device shifts to first and second power states and includes an output unit to output an operation stop signal, and a device to receive the operation stop signal and to shift to an operation stop state based on the operation stop signal, and to shift to an electric power saving mode where less power is consumed than in the operation stop state on condition that the operation stop signal has not been input. A signal control unit provides control that prevents the operation stop signal from being input to the device when the information processing device shifts to the second power state. The signal control unit controls the operation stop signal when a restart unit restarts the information processing device.

Abstract: A process monitoring methodology is disclosed. In a computer-implemented method, a selection of a process to be monitored is received. The process is to be at least partially performed using a component of a computing environment. An expected operating parameter of the process is determined. The process is also monitored to determine an actual operating parameter of the process. The actual operating parameter of the process is compared with the expected operating parameter of the process to generate a comparison result. An operation is then automatically performed based upon the comparison result.

Abstract: A malicious code detection module identifies potentially malicious instructions in memory of a computing device. The malicious code detection module examines the call stack for each thread running within the operating system of the computing device. Within each call stack, the malicious code detection module identifies the originating module for each stack frame and determines whether the originating module is backed by an image on disk. If an originating module is not backed by an image on disk, the thread containing that originating module is flagged as potentially malicious, execution of the thread optionally is suspended, and an alert is generated for the user or administrator.

Abstract: One embodiment provides a method, including: generating, using an information handling device, digital content; providing an indication of the digital content to at least one other device; and receiving, from the at least one other device, a digital signature for the digital content. Other aspects are described and claimed.

Abstract: Systems are provided for managing access to a log of dataset that is generated when the dataset is accessed. A system stores, with respect to each of a log producer and a log accessor, an encrypted symmetric key for dataset that is encrypted using a corresponding public key. The system returns the encrypted symmetric key for the log producer, such that the log producer can decrypt the dataset that is encrypted using the symmetric key. A log of the dataset is generated when the log producer accesses the dataset.

Abstract: Methods and systems for verifying, via formal verification, a hardware design for a data transformation pipeline comprising one or more data transformation elements that perform a data transformation on one or more inputs, wherein the formal verification is performed under conditions that simplify the data transformations calculations that the formal verification tool has to perform.

Abstract: Functionality is disclosed herein for providing temporary access to a resource. A software product that is executing in response to a request from a customer may access one or more resources of a software provider. The resources that may be accessed by a software product may be identified within an access policy. The customer is prevented from accessing the resource when the software product is not executing.

Abstract: Systems and methods of disarming malicious code in protected content in a computer system having a processor are provided. The method includes determining that a received input file intended for a recipient is protected, the recipient may be connected to a network; accessing a credential associated with the intended recipient for accessing the protected input file; accessing the content of the protected input file based on the credential; modifying at least a portion of digital values of the content of the input file configuring to disable any malicious code included in the input file, thereby creating a modified input file; and protecting the modified input file based on the credential associated with the intended recipient. The method also includes forwarding the protected modified input file to the intended recipient in the network.

Abstract: Techniques for implementing a ledger-independent token service are provided. According to one set of embodiments, a computer system executing the service can receive, from a user, a request to create a token on a distributed ledger network. The computer system can further provide to the user one or more token templates, where each token template corresponds to a type of physical or digital asset and defines a set of one or more attributes and one or more control functions associated with the type. The computer system can then receive, from the user, a selection of a token template in the one or more token templates and create the token on the distributed ledger network, where the created token includes the set of one or more attributes and one or more control functions defined in the selected token template.

Abstract: A method for device authentication comprises receiving, by processing hardware of a first device, a message from a second device to authenticate the first device. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware derives a validator from the secret value using a path through a key tree. The first device then sends the validator to the second device.

Abstract: Disclosed are various approaches for providing on-demand virtual private network (VPN) connectivity on a per-application basis. An application is determined to have begun execution on a computing device. The application is identified. A determination that the application is authorized to access a VPN connection is made, and the VPN connection is created.

Abstract: Embodiments of the present invention include a system for utilizing setting information, including a first electronic device and a second electronic device communicably connected to an information processing apparatus via a network. The first electronic device includes first circuitry to: obtain, from a first memory, setting information relating to setting of the first electronic device; accept selection of a saving destination of the setting information; encrypt the setting information in an encryption method determined in accordance with the saving destination; and store the encrypted setting information in the saving destination.

Abstract: Methods, non-transitory computer readable media, and network traffic management apparatuses that obtain one or more custom selection rules and one or more custom priority rules via a graphical user interface (GUI). One or more of the custom selection rules are applied to a cipher suite database to generate a result set of cipher suites. The cipher suite database includes a plurality of cipher suite sets. One or more of the custom priority rules are applied to the result set of cipher suites to generate an ordered result set of cipher suites. A cipher string is generated based on the ordered result set of cipher suites. The cipher string is stored in a secure socket layer (SSL) profile to be used during negotiation of secure network sessions.