Security Kernel Or Utility Patents (Class 713/164)
  • Patent number: 10896065
    Abstract: An operating system interface, responsive to detecting a non-privileged thread request with a scheduling attribute set to a critical setting to request access to at least one privileged core, selectively schedules the non-privileged thread request into a privileged core queue associated with the at least one privileged core only when a resource availability of the at least one privileged class core meets a threshold level of availability, the at least one privileged core providing a higher throughput than at least one regular core. The operating system interface, responsive to detecting a privileged thread request with the scheduling attribute set to the critical setting, automatically scheduling the privileged thread request into the privileged core queue.
    Type: Grant
    Filed: December 1, 2017
    Date of Patent: January 19, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Bruce Mealey, Suresh E. Warrier
  • Patent number: 10887085
    Abstract: The subject matter discloses a computerized system for securing data, comprising a first node, comprising a first memory storage configured to store a first share of a cryptographic key and a communication module, a second node, in communication with the first node, comprising a second memory storage configured to store a second share of the cryptographic key, wherein the first share and the second share of the cryptographic key are required to perform a cryptographic operation using a multi-party computation (MPC) process, wherein the second node further comprises a control unit configured to change an operation mode of the second share from enable to disable, wherein the disable operation mode prevents performing the cryptographic operation using the MPC process.
    Type: Grant
    Filed: February 2, 2018
    Date of Patent: January 5, 2021
    Assignee: UNBOUND TECH LTD.
    Inventors: Guy Pe'er, Valery Osheter, Saar Peer, George Wainblat, Oz Mishli
  • Patent number: 10878105
    Abstract: Disclosed herein are methods and systems of identifying vulnerabilities of an application. An exemplary method comprises identifying at least one function in executable code of the application according to at least one rule for modification of functions, adding an interception code to the executable code of the application upon launching of the application, executing the application with the added interception code, collecting, by the interception code, data relating to function calls performed by the application during execution, analyzing the collected data based on criteria for safe execution of applications, wherein the criteria comprises a range of permissible values of arguments of intercepted function calls and identifying inconsistencies between the analyzed data and the criteria for safe execution of applications, wherein the inconsistencies indicate vulnerabilities in the application.
    Type: Grant
    Filed: September 6, 2018
    Date of Patent: December 29, 2020
    Assignee: AO KASPERSKY LAB
    Inventors: Alexander V. Kalinin, Sergey A. Rumyantsev, Igor Y. Kumagin
  • Patent number: 10871956
    Abstract: Systems, methods and computer program products for providing a multi-tenant application execution environment that provides an object metadata service for managing application configuration in the multi-tenant environment. In one embodiment, a system has an application manager, a bundle manager, and a deployment manager. The application manager captures application metadata for a corresponding version of an application and defines a corresponding bundle which contains metadata that configures the version of the application. The bundle manager validates each bundle and stores the validated bundle in a bundle library in a data storage device. The deployment manager retrieves a master schema and one or more of the bundles from the bundle library and installs the retrieved master schema and the retrieved bundles, generating a tenant schema which is accessible by a corresponding tenant of the multi-tenant environment that has subscribed to the version of the application.
    Type: Grant
    Filed: February 12, 2019
    Date of Patent: December 22, 2020
    Assignee: OPEN TEXT CORPORATION
    Inventors: Sachin Gopaldas Totale, Chaithanya Lekkalapudi, Pawel Tomasz Zieminski, Ravikumar Meenakshisundaram
  • Patent number: 10860229
    Abstract: A request associated with one or more privileges assigned to a first entity may be received. Each of the one or more privileges may correspond to an operation of an integrated circuit. Information corresponding to the first entity and stored in a memory that is associated with the integrated circuit may be identified. Furthermore, the memory may be programmed to modify the information stored in the memory that is associated with the integrated circuit in response to the request associated with the one or more privileges assigned to the first entity.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: December 8, 2020
    Assignee: CRYPTOGRAPHY RESEARCH INC.
    Inventors: Benjamin Che-Ming Jun, William Craig Rawlings, Ambuj Kumar, Mark Evan Marson
  • Patent number: 10855468
    Abstract: The present invention provides a method for performing Elliptic Curve Cryptography (ECC) on data, the ECC implemented on multiple arithmetic layers. By performing multi-precision multiplication by implementing product-scanning to process columns of intermediary results in order to obtain a multiplication result by computing unsigned multiplication of data, accumulating a result of the multiplication and preserving a generated carry flag such that propagation of the carry flag is delayed, the present invention improves performance.
    Type: Grant
    Filed: May 12, 2017
    Date of Patent: December 1, 2020
    Assignees: LG Electronics, Inc., UNICAMP
    Inventor: Diego F. Aranha
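The arithmetic layer this abstract describes (column-wise product scanning with a preserved carry flag that is consumed one limb up rather than rippled) is easier to follow in code. The block below is an added example written for this page, not the patent's or the inventor's implementation; the 32-bit limb width and the three-limb column accumulator (c0, c1, c2) are assumptions about the layout, and the function names are this example's own.

```python
"""Product-scanning multi-precision multiplication with delayed carry propagation.

Added example for this page, not code from the patent. Limb width (32 bits) and the
three-limb column accumulator (c0, c1, c2) are assumptions about the layout.
"""

LIMB_BITS = 32
MASK = (1 << LIMB_BITS) - 1


def to_limbs(x: int, n: int) -> list:
    """Split a non-negative integer into n little-endian limbs (bits above n*LIMB_BITS are dropped)."""
    return [(x >> (LIMB_BITS * i)) & MASK for i in range(n)]


def from_limbs(limbs: list) -> int:
    """Reassemble little-endian limbs into an integer."""
    return sum(limb << (LIMB_BITS * i) for i, limb in enumerate(limbs))


def product_scan_mul(a: list, b: list) -> list:
    """Multiply two n-limb operands column by column; returns 2n limbs.

    Column k collects every partial product a[i]*b[j] with i + j == k. Each unsigned
    limb product is split into a low and a high half; the low half is added to c0 and
    the carry flag that addition generates is preserved and folded into c1 together
    with the high half, so no carry ripples across the result while a column is being
    scanned. Only when the column is finished does c0 become an output limb and the
    accumulator window shifts up one limb.
    """
    n = len(a)
    if len(b) != n:
        raise ValueError("operands must have the same number of limbs")
    result = [0] * (2 * n)
    c0 = c1 = c2 = 0  # column accumulator: low limb, next limb, overflow
    for k in range(2 * n - 1):
        for i in range(max(0, k - n + 1), min(k, n - 1) + 1):
            j = k - i
            prod = a[i] * b[j]                # unsigned LIMB x LIMB -> 2*LIMB bits
            lo, hi = prod & MASK, prod >> LIMB_BITS
            c0 += lo
            carry = c0 >> LIMB_BITS           # generated carry flag, preserved ...
            c0 &= MASK
            c1 += hi + carry                  # ... and consumed one limb up, not rippled
            c2 += c1 >> LIMB_BITS
            c1 &= MASK
        result[k] = c0                        # column complete: emit its low limb
        c0, c1, c2 = c1, c2, 0                # shift the accumulator window
    result[2 * n - 1] = c0
    return result


def mul(x: int, y: int, n: int) -> int:
    """Convenience wrapper: multiply two integers that each fit in n limbs."""
    return from_limbs(product_scan_mul(to_limbs(x, n), to_limbs(y, n)))
```

With 8 limbs this multiplies two 256-bit field elements, the size an ECC implementation on a P-256-style curve would use; the reduction step that follows the multiplication is outside the abstract and is not shown here. In a constant-time implementation the inner loop must not branch on limb values, which this loop does not.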
  • Patent number: 10824765
    Abstract: An electronic control unit for a vehicle, the electronic control unit comprising a processor comprising: a processor core; storage, the storage storing data comprising instructions for the processor core; a tamper-resistant hardware security module which is coupled to the storage for reading and writing; and an external interface; the electronic control unit further comprising further storage connected to the processor through the external interface and containing further data; in which the hardware security module is arranged to cause a determination whether the data in the storage has been tampered with and, on a determination that the data has been tampered with, to cause the further data to be loaded into the storage from the further storage over the external interface. Other apparatus and methods for improving the security of electronic control circuits are disclosed.
    Type: Grant
    Filed: July 12, 2016
    Date of Patent: November 3, 2020
    Assignee: TRW Limited
    Inventor: Martin John Thompson
  • Patent number: 10826855
    Abstract: A computing system includes a server comprising email policy rules to be applied to emails containing sensitive information, a mail server to provide the emails, and a client computing device enrolled with the server to access the mail server. An email privacy filter is to be applied to emails from the mail server intended for the client computing device. The email privacy filter interfaces with the server to receive the email policy rules therefrom. The email privacy filter identifies sensitive information within the email. The email privacy filter then applies the email policy rules, in response to identification of sensitive information within the email, to determine if the email is to be hidden from view on the client computing device so as to prevent display of the sensitive information to an unauthorized viewer.
    Type: Grant
    Filed: October 19, 2018
    Date of Patent: November 3, 2020
    Assignee: CITRIX SYSTEMS, INC.
    Inventor: Srinivasa Maddipati
  • Patent number: 10817357
    Abstract: A disclosed method of operating a representational state transfer (REST) server to respond to receiving a batch request includes: extracting a first requested item from the batch request; opening an output stream to a client network; writing a response opening of a batch response to the output stream; writing a first response item opening of the batch response to the output stream; in response to determining that a first REST service indicated by the first requested item is authorized to be invoked based on access control lists (ACLs), invoking the first REST service to stream a first response item body of the batch response to the output stream; writing a first response item closing of the batch response to the output stream; and writing a response closing of the batch response to the output stream, wherein the batch response is in valid JavaScript Object Notation (JSON).
    Type: Grant
    Filed: April 30, 2018
    Date of Patent: October 27, 2020
    Assignee: ServiceNow, Inc.
    Inventors: David Tamjidi, Natallia Rabtsevich Rodriguez
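The ordering the abstract spells out (response opening, per-item opening, an ACL decision before the service is invoked, the service streaming its own body, item closing, response closing) is what keeps a streamed batch both incremental and valid JSON. The block below is an added example for this page, not ServiceNow's implementation; the request and response field names, the ACL table and the streaming service callables are constructed for the example.

```python
"""Streaming a REST batch response with a per-item ACL gate.

Added example for this page, not ServiceNow's implementation. The request/response
field names, the ACL table and the streaming service callables are assumptions.
"""
import io
import json
from typing import Callable, Dict, Iterable, Set

# Constructed ACL: service path -> roles allowed to invoke it. A service with no
# entry is denied (fail closed).
ACLS: Dict[str, Set[str]] = {
    "now/table/incident": {"itil", "admin"},
    "now/table/sys_user": {"admin"},
}


def is_authorized(service: str, roles: Set[str]) -> bool:
    allowed = ACLS.get(service)
    return allowed is not None and bool(allowed & roles)


def incident_service(req: dict) -> Iterable[str]:
    """Constructed service: streams its body as JSON fragments, one record at a time."""
    records = [{"number": "INC0001"}, {"number": "INC0002"}]
    yield "["
    for i, rec in enumerate(records):
        yield ("," if i else "") + json.dumps(rec)
    yield "]"


SERVICES: Dict[str, Callable[[dict], Iterable[str]]] = {
    "now/table/incident": incident_service,
    "now/table/sys_user": lambda req: iter([json.dumps([{"user_name": "admin"}])]),
}


def stream_batch_response(batch: dict, roles: Set[str], out: io.TextIOBase) -> None:
    """Write the batch response incrementally in the order the abstract gives:
    response opening, then per item: item opening, body (streamed by the service
    only if the ACL check passes), item closing; finally the response closing.
    A denied item still gets a complete item object, so the document stays valid JSON."""
    out.write('{"batch_request_id": %s, "serviced_requests": ['
              % json.dumps(batch["batch_request_id"]))
    for idx, req in enumerate(batch["rest_requests"]):
        if idx:
            out.write(",")
        out.write('{"id": %s, ' % json.dumps(req["id"]))   # item opening
        service = req["service"]
        if is_authorized(service, roles):
            out.write('"status_code": 200, "body": ')
            for chunk in SERVICES[service](req):            # service streams its body
                out.write(chunk)
        else:
            # The ACL decision precedes invocation: a denied service never runs
            # and never touches the stream.
            out.write('"status_code": 403, "body": ')
            out.write(json.dumps({"error": "not authorized to invoke %s" % service}))
        out.write("}")                                      # item closing
    out.write("]}")                                         # response closing


# Constructed batch: one request the itil role may make, one it may not.
SAMPLE_BATCH = {
    "batch_request_id": "b-1",
    "rest_requests": [
        {"id": "r1", "service": "now/table/incident"},
        {"id": "r2", "service": "now/table/sys_user"},
    ],
}


def run_batch(batch: dict, roles: Set[str]) -> dict:
    """Render the streamed response into memory and parse it back to prove it is valid JSON."""
    out = io.StringIO()
    stream_batch_response(batch, roles, out)
    return json.loads(out.getvalue())
```

The one invariant a service must honour is that what it streams is itself a complete JSON value; the framing code cannot repair a body that was cut off mid-record, so a service that fails part-way should be handled by aborting the whole response rather than closing it as if it were intact.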
  • Patent number: 10812374
    Abstract: Systems and methods provide for segment routing (SR) with fast reroute in a container network. An SR ingress can receive a packet from a first container destined for a container service. The ingress can generate an SR packet including a segment list comprising a first segment to a first container service host, a second segment to a second service host, and a third segment to the service. The ingress can forward the SR packet to a first SR egress corresponding to the first host using the first segment. The first egress can determine whether the first service and/or host is reachable. If so, the first egress can forward the SR packet to the first host or the packet to the service. If not, the first egress can perform a fast reroute and forward the SR packet to a second SR egress corresponding to the second host using the second segment.
    Type: Grant
    Filed: September 21, 2018
    Date of Patent: October 20, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Giles Douglas Yorke Heron, Edward A. Warnicke, William Mark Townsley, Yoann Desmouceaux
  • Patent number: 10810321
    Abstract: A method, system, computer-readable media, and apparatus for ensuring a secure cloud environment is provided, where public cloud services providers can remove their code from the Trusted Computing Base (TCB) of their cloud services consumers. The method for ensuring a secure cloud environment keeps the Virtual Machine Monitor (VMM), devices, firmware and the physical adversary (where a bad administrator/technician attempts to directly access the cloud host hardware) outside of a consumer's Virtual Machine (VM) TCB. Only the consumer that owns this secure VM can modify the VM or access contents of the VM (as determined by the consumer).
    Type: Grant
    Filed: October 14, 2016
    Date of Patent: October 20, 2020
    Assignee: Intel Corporation
    Inventors: David M. Durham, Ravi L. Sahita, Barry E. Huntley, Nikhil M. Deshpande
  • Patent number: 10803975
    Abstract: The present disclosure relates to systems and methods for facilitating trusted handling of genomic and/or other sensitive information. Certain embodiments may use a virtualized execution environment to execute code and/or programs that wish to access and/or otherwise use genomic and/or other sensitive information. In some embodiments, data requests from the code and/or programs may be routed through a transparent data access proxy configured to transform requests and/or associated responses to protect the integrity of the genomic and/or other sensitive information.
    Type: Grant
    Filed: August 23, 2018
    Date of Patent: October 13, 2020
    Assignee: Intertrust Technologies Corporation
    Inventors: W. Knox Carey, Jarl A. Nilsson, Bart Grantham
  • Patent number: 10802939
    Abstract: Disclosed are a method for scanning cache of an application, an electronic device and a computer-readable storage medium. The method may include: acquiring a list of applications to be scanned; querying a historical scanning record of each application in the list of applications to be scanned; determining a scanning priority of each application and whether the application needs to be scanned according to the historical scanning record of each application; scanning applications that need to be scanned in the list of applications to be scanned in a descending order of the scanning priorities, so as to acquire cache sizes of respective applications that need to be scanned; and scanning applications that need not be scanned in the list of applications to be scanned in a descending order of the scanning priorities, so as to acquire cache sizes of respective applications that need not be scanned.
    Type: Grant
    Filed: August 3, 2018
    Date of Patent: October 13, 2020
    Assignee: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE CO., LTD.
    Inventor: Changmao Yang
  • Patent number: 10789076
    Abstract: Example methods, apparatus and articles of manufacture to update virtual machine templates are disclosed. A disclosed example method to update a virtual machine template (105) includes updating a management policy (110), starting a virtual machine (116) based on the virtual machine template (105) in a network cordoned sandbox (170), triggering the virtual machine (116) to update per the updated management policy (110), and saving the virtual machine (116) as an updated virtual machine template (106).
    Type: Grant
    Filed: November 20, 2017
    Date of Patent: September 29, 2020
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Paul Kennedy
  • Patent number: 10783239
    Abstract: A system for protecting a computer from malicious software uses a whitelist to determine if a program is safe to run. As new malicious software is created, attempts at execution of executables including such malicious software are prevented, since the new malicious software is not listed in the whitelist. When such attempts are made, the executable is forwarded to a server where further analysis is performed to determine if the executable contains suspect code (e.g., malicious software) including running the executable in a sandbox to analyze how the executable behaves and running industry virus scanners against the executable to see if those scanners can find a virus. If such research finds that the executable is well-behaved, the executable is added to the whitelist and future execution is allowed.
    Type: Grant
    Filed: December 14, 2018
    Date of Patent: September 22, 2020
    Assignee: PC MATIC, INC.
    Inventor: Robert J. Woodworth, Jr.
  • Patent number: 10778814
    Abstract: A system and method for classifying packets according to packet header field values. Each of a set of subkey tables is searched for a respective packet header field value; each such search results in a value for a subkey. The subkeys are combined to form a decision key. A decision table is then searched for the decision key. The search of the decision table results in an action code and a reason code, one or both of which may be used to determine how to further process the packet.
    Type: Grant
    Filed: January 24, 2018
    Date of Patent: September 15, 2020
    Assignee: Rockley Photonics Limited
    Inventors: Chiang Yeh, German Rodriguez Herrera, Bhaskar Chowdhuri
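The two-stage lookup in this abstract (a subkey per header field, subkeys concatenated into a decision key, one search of a decision table that yields an action and a reason) is shown below in software. It is an added example for this page, not the assignee's hardware design; the header fields, subkey widths, the rule set and the action and reason codes are constructed, and the decision table is an exact-match table with an "other" bucket per field, so a rule that should apply to several listed source ranges needs one entry per range.

```python
"""Packet classification through subkey tables and a decision table.

Added example for this page, not Rockley Photonics' design. The header fields,
subkey widths, the rule set and the action/reason codes are all constructed.
"""
import ipaddress
from typing import Dict, Tuple

# One subkey table per header field. A value with no entry yields subkey 0 ("other"),
# so the tables stay small and the decision key keeps a fixed width.
SUBKEY_TABLES: Dict[str, Dict[object, int]] = {
    "proto":    {6: 1, 17: 2},                            # TCP, UDP
    "dst_port": {22: 1, 53: 2, 443: 3},
    "src_ip":   {"10.0.0.0/8": 1, "192.168.0.0/16": 2},   # searched by longest prefix
}
SUBKEY_WIDTH = {"proto": 2, "dst_port": 3, "src_ip": 2}
FIELD_ORDER = ("proto", "dst_port", "src_ip")

PERMIT, DROP, PUNT = 0, 1, 2                  # action codes
DEFAULT_DECISION = (DROP, 100)                # reason 100: no rule matched (fail closed)
DECISION_TABLE: Dict[int, Tuple[int, int]] = {}


def lookup_subkey(field: str, value) -> int:
    """Search one subkey table for a header field value."""
    table = SUBKEY_TABLES[field]
    if field == "src_ip":
        addr = ipaddress.ip_address(value)
        best = None
        for prefix, subkey in table.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, subkey)
        return best[1] if best else 0
    return table.get(value, 0)


def pack_decision_key(subkeys: Dict[str, int]) -> int:
    """Concatenate the subkeys, in a fixed field order, into one decision key."""
    key = 0
    for field in FIELD_ORDER:
        key = (key << SUBKEY_WIDTH[field]) | subkeys[field]
    return key


def add_rule(action: int, reason: int, **fields) -> None:
    """Install a decision-table entry. Field values are subkey-table keys (a prefix
    for src_ip); an omitted field means the "other" bucket, subkey 0."""
    subkeys = {f: SUBKEY_TABLES[f].get(fields.get(f), 0) for f in FIELD_ORDER}
    DECISION_TABLE[pack_decision_key(subkeys)] = (action, reason)


def classify(pkt: dict) -> Tuple[int, int]:
    """Subkey searches, decision-key build, decision-table search -> (action, reason)."""
    subkeys = {f: lookup_subkey(f, pkt[f]) for f in FIELD_ORDER}
    return DECISION_TABLE.get(pack_decision_key(subkeys), DEFAULT_DECISION)


# Constructed policy.
add_rule(PERMIT, 1, proto=6, dst_port=22, src_ip="10.0.0.0/8")    # SSH from the corp range
add_rule(DROP, 2, proto=6, dst_port=22)                           # SSH from anywhere else
add_rule(PERMIT, 3, proto=17, dst_port=53, src_ip="10.0.0.0/8")   # DNS from the corp range
add_rule(PUNT, 4, proto=6, dst_port=443)                          # HTTPS from unlisted sources: punt to inspection
```

The reason code is what makes the decision auditable: a dropped packet can be logged with the rule that dropped it, and reason 100 (no matching entry) separates policy drops from coverage gaps in the table.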
  • Patent number: 10776491
    Abstract: An apparatus and method for collecting an audit trail in a virtual machine boot process, the audit-trail-collecting apparatus including an event detection unit for detecting a software interrupt event, a register state information extraction unit for extracting state information of a CPU register corresponding to a detection time of the software interrupt event, a monitoring unit for monitoring a change in a vector value corresponding to the software interrupt event in an interrupt vector table, a threat occurrence detection unit for detecting a threat occurrence in a virtual machine boot process based on at least one of the CPU register state information and a monitored result, and an audit trail collection unit for storing an audit trail corresponding to at least one of the CPU register state information and the monitored result when the threat occurrence is detected in the virtual machine boot process.
    Type: Grant
    Filed: March 28, 2018
    Date of Patent: September 15, 2020
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Sung-Jin Kim, Hyunyi Yi, Seong-Joong Kim, Woomin Hwang, Byung-Joon Kim, Chulwoo Lee, Hyoung-Chun Kim
  • Patent number: 10747875
    Abstract: Disclosed embodiments relate to secure and reliable customization of operating system kernels. Techniques include configuring a kernel security module for loading to an operating system kernel to run kernel-level scripts on the kernel, the kernel security module being configured to perform a security verification comprising operations of: identifying, at the kernel security module, a script received at the kernel security module for requested execution by the kernel, and verifying whether the script has a valid signature; determining, at the kernel security module and based on the security verification, whether to permit the script to be processed by the kernel; and identifying, based on the determining, executable code corresponding to the script to execute at the kernel.
    Type: Grant
    Filed: March 19, 2020
    Date of Patent: August 18, 2020
    Assignee: CyberArk Software Ltd.
    Inventor: Nimrod Stoler
  • Patent number: 10747905
    Abstract: In one example, a first enclave for use by a first counterparty to a smart contract is identified. A second enclave for use by a second counterparty to the smart contract may be identified. Secrets associated with the first counterparty to the first enclave may be caused to be securely provided. Secrets associated with the second counterparty to the second enclave may be caused to be securely provided. A cryptlet is caused to be provided to the first enclave. The cryptlet may be caused to be provided to the second enclave. A payload is received from the first enclave. A payload may be received from the second enclave. Validation may be caused to be performed for a plurality of payloads. The plurality of payloads may include the payload from the first enclave and the payload from the second enclave.
    Type: Grant
    Filed: June 23, 2017
    Date of Patent: August 18, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: John Marley Gray
  • Patent number: 10742663
    Abstract: Systems and methods for providing security services during a power management mode are disclosed. In some embodiments, a method comprises detecting with a mobile security system a wake event on a mobile device, providing from the mobile security system a wake signal, the providing being in response to the wake event to wake a mobile device from a power management mode, and managing with the mobile security system security services of the mobile device. Managing security services may comprise scanning a hard drive of the mobile devices for viruses and/or other malware. Managing security services may also comprise updating security applications or scanning the mobile device for unauthorized data.
    Type: Grant
    Filed: October 14, 2019
    Date of Patent: August 11, 2020
    Assignee: CUPP Computing AS
    Inventors: Ami Oz, Shlomo Touboul
  • Patent number: 10740125
    Abstract: An example system includes at least one memristive dot product engine (DPE) having at least one resource, the DPE further having a physical interface and a controller, the controller being communicatively coupled to the physical interface, the physical interface to communicate with the controller to access the DPE, and at least one replicated interface, each replicated interface being associated with a virtual DPE and being communicatively coupled to the controller. The controller is to allocate timeslots to the virtual DPE through the associated replicated interface to allow the virtual DPE access to the at least one resource.
    Type: Grant
    Filed: January 30, 2018
    Date of Patent: August 11, 2020
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Geoffrey Ndu, Dejan Milojicic, Sai Rahul Chalamalasetti
  • Patent number: 10740488
    Abstract: A computer implemented method for data anonymization comprises: receiving a request for data that needs anonymization. The request comprises at least one field descriptor of data to be retrieved and a usage scenario of a user for the requested data. Then, based on the usage scenario, an anonymization algorithm to be applied to the data that is referred to by the field descriptor is determined. Subsequently, the determined anonymization algorithm is applied to the data that is referred to by the field descriptor. A testing is performed, as to whether the degree of anonymization fulfills a requirement that is related to the usage scenario. If the requirement is fulfilled, access to the anonymized data is provided.
    Type: Grant
    Filed: November 17, 2017
    Date of Patent: August 11, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Albert Maier, Martin Oberhofer, Yannick Saillet
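The steps in this abstract (field descriptors plus a usage scenario in the request, an algorithm chosen per scenario, a test of the achieved degree of anonymization, access only when the requirement is met) are worked through below on a constructed dataset. This is an added example for this page, not IBM's implementation; the abstract does not name the test, so k-anonymity over the scenario's quasi-identifiers is the one assumed here, and the scenarios, thresholds and records are all constructed.

```python
"""Usage-scenario-driven anonymization with a k-anonymity acceptance test.

Added example for this page, not IBM's implementation. The dataset, the scenarios,
the per-field algorithms and the k thresholds are constructed.
"""
import hashlib
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Record = Dict[str, object]

# Constructed records; not real people.
DATA: List[Record] = [
    {"name": "A. Ames",  "zip": "02139", "age": 34, "diagnosis": "flu"},
    {"name": "B. Baker", "zip": "02138", "age": 37, "diagnosis": "cold"},
    {"name": "C. Cole",  "zip": "02142", "age": 31, "diagnosis": "flu"},
    {"name": "D. Dunn",  "zip": "94016", "age": 52, "diagnosis": "asthma"},
    {"name": "E. Ellis", "zip": "94017", "age": 58, "diagnosis": "flu"},
    {"name": "F. Finch", "zip": "94019", "age": 55, "diagnosis": "cold"},
]


def generalize_zip(zip_code: str, keep: int) -> str:
    return zip_code[:keep] + "*" * (len(zip_code) - keep)


def bucket_age(age: int, width: int) -> str:
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def suppress(_value) -> str:
    return "*"


def pseudonymize(value) -> str:
    # Fixed salt for the example only; a real deployment uses a secret, per-dataset salt.
    return hashlib.sha256(b"example-salt:" + str(value).encode()).hexdigest()[:12]


# Usage scenario -> algorithm per field, the quasi-identifiers to test, and the
# minimum equivalence-class size the scenario requires. Constructed policy.
SCENARIOS = {
    "aggregate_research": {
        "algorithms": {"name": suppress,
                       "zip": lambda z: generalize_zip(z, 3),
                       "age": lambda a: bucket_age(a, 10)},
        "quasi_identifiers": ("zip", "age"),
        "min_k": 3,
    },
    "dev_testing": {
        "algorithms": {"name": pseudonymize,
                       "zip": lambda z: generalize_zip(z, 2),
                       "age": lambda a: bucket_age(a, 20)},
        "quasi_identifiers": ("zip", "age"),
        "min_k": 2,
    },
    # Pseudonymizes the direct identifier but leaves zip and age raw; the test
    # below is what catches that this is not enough.
    "record_linkage": {
        "algorithms": {"name": pseudonymize},
        "quasi_identifiers": ("zip", "age"),
        "min_k": 2,
    },
}


def anonymize(data: Iterable[Record], fields: List[str], scenario: str) -> List[Record]:
    """Apply the scenario's algorithm to each requested field; other fields pass through."""
    algorithms = SCENARIOS[scenario]["algorithms"]
    return [{f: algorithms[f](rec[f]) if f in algorithms else rec[f] for f in fields}
            for rec in data]


def k_anonymity(rows: List[Record], quasi_identifiers: Iterable[str]) -> int:
    """Smallest equivalence class over the quasi-identifiers (0 for an empty result)."""
    groups = Counter(tuple(r.get(q) for q in quasi_identifiers) for r in rows)
    return min(groups.values()) if groups else 0


def evaluate(fields: List[str], scenario: str,
             data: List[Record] = DATA) -> Tuple[bool, int, List[Record]]:
    """Anonymize, then test whether the degree of anonymization meets the requirement."""
    rows = anonymize(data, fields, scenario)
    k = k_anonymity(rows, SCENARIOS[scenario]["quasi_identifiers"])
    return k >= SCENARIOS[scenario]["min_k"], k, rows


def serve_request(fields: List[str], scenario: str, data: List[Record] = DATA) -> List[Record]:
    """Provide access only when the requirement is fulfilled; otherwise refuse."""
    ok, k, rows = evaluate(fields, scenario, data)
    if not ok:
        raise PermissionError(f"k={k} below the minimum {SCENARIOS[scenario]['min_k']} for {scenario}")
    return rows
```

The test runs on the output rather than on the algorithm's parameters because the same generalization can leave a small dataset, or a skewed one, with singleton classes; releasing nothing in that case is the conservative outcome the abstract's final step describes.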
  • Patent number: 10733284
    Abstract: A method and apparatus are provided for secure communication. The method includes binding an isolated environment, of a device, to a secure component. The secure component includes a secure application and data. The method also includes utilizing the isolated environment as an intermediary for communication of the data between the secure application and the device.
    Type: Grant
    Filed: October 6, 2016
    Date of Patent: August 4, 2020
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Antonios Dimitrios Broumas, Naman R. Patel
  • Patent number: 10733616
    Abstract: A computerized system and method may include, in response to receiving a blockchain via a communications network that includes information associated with an event, parsing, by a blockchain parsing engine being executed by a blockchain node, the information to identify a status state of an item related to the event. The blockchain, inclusive of the information along with the status state of the item, may be stored in a storage unit. An event tracking engine may determine from the parsed information that the status state of the item transitioned from a first state to a second state. Responsive to the event tracking engine determining that a qualifying state is satisfied by the item being in the second state, automatically executing, by the blockchain node, a smart code inclusive of initiating communications between a first party and a second party.
    Type: Grant
    Filed: October 20, 2017
    Date of Patent: August 4, 2020
    Assignee: Massachusetts Mutual Life Insurance Company
    Inventors: Jennifer Rutley, Abigail Jennings O'Malley
  • Patent number: 10719623
    Abstract: A system includes profile control circuitry that may receive a sovereign onboarding command. The sovereign onboarding command may be issued on behalf of a sovereign associated with a profile. The sovereign onboarding command may update a status value in the profile. The profile may be recorded on a data-tamper-protected distributed ledger. Arbitration circuitry may review the recorded profile status value and ensure that status values are enforced against the sovereign during exchanges.
    Type: Grant
    Filed: February 17, 2020
    Date of Patent: July 21, 2020
    Assignee: Accenture Global Solutions Limited
    Inventors: Patricia A. Miller, Scott W. Perkins, Shane R. Marshall, Peter Bidewell, Rodrigo Yukio Ieto
  • Patent number: 10719606
    Abstract: Dynamic Trust Manager (DTM) having an interface coupled to an embedded system including an Application Processor (AP), boot media, and security processor. The security processor, at a start of a boot sequence of the AP, prevents the AP from proceeding with the boot sequence, verifies bootloader code stored in the boot media via boot media access, and if the bootloader code verification is successful, allows the AP to proceed using the verified bootloader code. The security processor may also be configured to activate an interrupt request of the AP during runtime, request the AP to execute a Security Monitor Driver (SMD) of the embedded system to measure an integrity information of code/data stored in an embedded system memory, receive from the SMD the measured integrity information of code/data, and verify whether the measured integrity information equals a reference integrity information stored in an integrity table of a DTM memory.
    Type: Grant
    Filed: February 23, 2018
    Date of Patent: July 21, 2020
    Assignee: Infineon Technologies AG
    Inventors: Oscar David Sanchez Diaz, Jurijus Cizas, Jeffrey Kelley, Mark Stafford
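The two checks the abstract assigns to the security processor, holding the application processor until the bootloader digest matches and later comparing Security Monitor Driver measurements with an integrity table, are modelled below. This is an added example for this page, not Infineon's firmware; the region names, the sample images and the table layout are constructed, and the class and function names are this example's own.

```python
"""Boot-time and run-time integrity checks by a security processor against a reference table.

Added example for this page, not Infineon's DTM firmware. The region names, the
sample images and the table layout are constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple


def measure(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed "boot media" and memory regions (stand-ins for real images).
GOOD_BOOTLOADER = b"BL v1.2: init clocks; verify; jump kernel\n" * 8
TAMPERED_BOOTLOADER = GOOD_BOOTLOADER[:40] + b"X" + GOOD_BOOTLOADER[41:]   # one byte flipped
GOOD_REGIONS = {"kernel_text": b"\x00\x10" * 512, "ivt": bytes(range(64))}
TAMPERED_REGIONS = {"kernel_text": b"\x00\x10" * 511 + b"\x90\x90", "ivt": bytes(range(64))}


def build_table() -> Dict[str, str]:
    """Reference digests provisioned into the DTM memory before deployment."""
    table = {"bootloader": measure(GOOD_BOOTLOADER)}
    table.update({name: measure(data) for name, data in GOOD_REGIONS.items()})
    return table


def measure_regions(regions: Dict[str, bytes]) -> Dict[str, str]:
    """What the Security Monitor Driver reports back to the DTM at run time."""
    return {name: measure(data) for name, data in regions.items()}


class DynamicTrustManager:
    """Security processor side: gates the application processor (AP) on the bootloader
    digest and later compares SMD measurements with its integrity table."""

    def __init__(self, integrity_table: Dict[str, str]):
        self.table = dict(integrity_table)
        self.ap_released = False

    def verify_bootloader(self, boot_media: bytes) -> bool:
        # The AP is held until this returns True; a mismatch keeps it held (fail closed).
        ok = hmac.compare_digest(measure(boot_media), self.table["bootloader"])
        self.ap_released = ok
        return ok

    def runtime_check(self, measured: Dict[str, str]) -> Tuple[bool, List[str]]:
        """Every table region must be reported and match; an unreported or unexpected
        region is a failure too, so a partial or padded SMD report cannot pass."""
        failures = [name for name, ref in self.table.items()
                    if name != "bootloader"
                    and (name not in measured or not hmac.compare_digest(measured[name], ref))]
        failures += [name for name in measured if name not in self.table]
        return (not failures, failures)
```

Two practical caveats: the bootloader digest must be taken over the bytes the AP will actually execute (verify a copy the AP cannot modify, or verify in place with the AP held, otherwise there is a time-of-check to time-of-use window on the boot media), and the run-time comparison only proves what the SMD measured, so the SMD's own code has to be one of the regions in the table.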
  • Patent number: 10719627
    Abstract: A computer implemented method for data anonymization comprises: receiving a request for data that needs anonymization. The request comprises at least one field descriptor of data to be retrieved and a usage scenario of a user for the requested data. Then, based on the usage scenario, an anonymization algorithm to be applied to the data that is referred to by the field descriptor is determined. Subsequently, the determined anonymization algorithm is applied to the data that is referred to by the field descriptor. A testing is performed, as to whether the degree of anonymization fulfills a requirement that is related to the usage scenario. If the requirement is fulfilled, access to the anonymized data is provided.
    Type: Grant
    Filed: April 23, 2019
    Date of Patent: July 21, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Albert Maier, Martin Oberhofer, Yannick Saillet
  • Patent number: 10708656
    Abstract: In some aspects, a mobile application package is bound to a privileged component of a mobile device operating system. The mobile application package includes a software virtualization layer and a management service component. The software virtualization layer and the management service component are enabled to execute in a privileged mode based on the privileged component. A virtual phone image is downloaded from a management server. A virtual machine based on the virtual phone image is launched by the software virtualization layer.
    Type: Grant
    Filed: July 25, 2018
    Date of Patent: July 7, 2020
    Assignee: VMWARE, INC.
    Inventors: Stephen Deasy, Craig Newell, Emil Sit, Paul Wisner, David Furodet, Viktor Gyuris, Robert Meyer, Fanny Strudel
  • Patent number: 10691445
    Abstract: Techniques for isolating a portion of an online computing service referred to as a deployment unit and configured with a complete build of the online computing service may include routing production traffic away from the deployment unit, applying one or more changes to the complete build, and after applying one or more changes to the complete build, using the deployment unit for testing these changes using end-to-end tests. In one embodiment, the deployment unit may be dedicated to a specific group of tenants that require at least some isolation from other tenants.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: June 23, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Nakul Garg, Ricardo Stern, Neelamadhaba Mahapatro, Rui Chen, Michael Wilde, Charles Jeffries
  • Patent number: 10691824
    Abstract: Securing an endpoint against exposure to unsafe content includes encrypting files to prevent unauthorized access, and monitoring an exposure state of a process to potentially unsafe content by applying behavioral rules to determine whether the exposure state is either exposed or secure, where (1) the process is initially identified as secure, (2) the process is identified as exposed when the process opens a network connection to a URL that is not internal to an enterprise network of the endpoint and that has a poor reputation, (3) the process is identified as exposed when it opens a file identified as exposed, and (4) the process is identified as exposed when another exposed process opens a handle to the process. Access to the files may be restricted when the process is exposed by controlling access through a file system filter that conditionally decrypts files for the process according to its exposure state.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: June 23, 2020
    Assignee: Sophos Limited
    Inventors: Kenneth D. Ray, Andrew J. Thomas, Anthony John Merry, Harald Schütz, Andreas Berger, John Edward Tyrone Shaw
  • Patent number: 10685117
    Abstract: A target file is run in an installation package. A secure dynamic library is loaded in the installation package. Based on a code in the target file, digital watermark information embedded in the target file and verification information stored in the secure dynamic library is retrieved. Based on the digital watermark information and the verification information, a determination is made whether the installation package is a repackaged installation package.
    Type: Grant
    Filed: April 11, 2019
    Date of Patent: June 16, 2020
    Assignee: Alibaba Group Holding Limited
    Inventors: Yaoguang Chen, Jiashui Wang
  • Patent number: 10673614
    Abstract: The present invention is provided with an encryption similarity calculation unit to calculate an encryption similarity being a similarity degree between storage data and search data encrypted using a homomorphic encryption, by performing a homomorphic operation on storage encryption data being the storage data encrypted using the homomorphic encryption, and search encryption data being the search data encrypted using the homomorphic encryption, the search data being used in search of the storage data, and an encryption result transmission unit to generate an encryption search result to represent whether or not the similarity degree is not more than a threshold value by using the encryption similarity, and to transmit the encryption search result to a search device.
    Type: Grant
    Filed: October 9, 2015
    Date of Patent: June 2, 2020
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Takato Hirano, Yutaka Kawai
  • Patent number: 10666677
    Abstract: An exemplary system, method, and computer-accessible medium for initiating a protocol(s) can be provided, which can include, for example, generating a digitally encrypted perishable object(s), distributing the digitally encrypted perishable object(s) to a cyber-physical entity(s), determining if the cyber-physical entity(s) has received the digitally encrypted perishable object(s), and initiating a predetermined protocol(s) based on the determination.
    Type: Grant
    Filed: September 23, 2015
    Date of Patent: May 26, 2020
    Assignees: New York University, Carnegie Mellon University
    Inventors: Will Casey, Bhubaneswar Mishra
  • Patent number: 10664596
    Abstract: There is provided a system and a computer-implemented method of detecting malware in real time in a live environment. The method comprises: monitoring one or more operations of at least one program concurrently running in the live environment, building at least one stateful model in accordance with the one or more operations, analyzing the at least one stateful model to identify one or more behaviors, and determining the presence of malware based on the identified one or more behaviors.
    Type: Grant
    Filed: June 15, 2017
    Date of Patent: May 26, 2020
    Assignee: Sentinel Labs Israel Ltd.
    Inventors: Tomer Weingarten, Almog Cohen, Udi Shamir, Kirill Motil
  • Patent number: 10666618
    Abstract: When a computer system is compromised by a malicious user, detecting or preventing the malicious user can improve the security and efficiency of the computer system, as well as prevent data from being deleted or corrupted and/or stolen. An attacker who compromises a computer system is likely to take certain actions to exert control over the computer or avoid detection. When a compromised system is behind a network firewall, the attacker may seek to open a remote reverse shell on the compromised system to more easily issue commands, as the firewall may block direct attempts from outside the network to contact the compromised system. Detecting a reverse shell can be difficult, slow, and unreliable, however. The present disclosure discusses methods for detecting reverse shells based on analyzing redirection of data streams such as STDIN, STDOUT, and STDERR.
    Type: Grant
    Filed: September 15, 2016
    Date of Patent: May 26, 2020
    Assignee: PAYPAL, INC.
    Inventor: Shlomi Boutnaru
  • Patent number: 10657277
    Abstract: Securing an endpoint against exposure to unsafe content includes encrypting files to prevent unauthorized access, and monitoring an exposure state of a process to potentially unsafe content by applying behavioral rules to determine whether the exposure state is either exposed or secure, where (1) the process is initially identified as secure, (2) the process is identified as exposed when the process opens a network connection to a URL that is not internal to an enterprise network of the endpoint and that has a poor reputation, (3) the process is identified as exposed when it opens a file identified as exposed, and (4) the process is identified as exposed when another exposed process opens a handle to the process. Access to the files may be restricted when the process is exposed by controlling access through a file system filter that conditionally decrypts files for the process according to its exposure state.
    Type: Grant
    Filed: November 20, 2017
    Date of Patent: May 19, 2020
    Assignee: Sophos Limited
    Inventors: Kenneth D. Ray, Andrew J. Thomas, Anthony John Merry, Harald Schütz, Andreas Berger, John Edward Tyrone Shaw
  • Patent number: 10649964
    Abstract: Various examples are directed to systems and methods for managing a database to include data from an external data source. A database engine may receive a request to add a reference column to a database described by a database schema. The request may comprise a location parameter describing a location of the external data source comprising data for populating the reference column and a data identifying parameter describing data at the external data source for populating the reference column. The database engine may modify the database schema to include the reference column, send a query to the external data source to obtain at least one data item for populating the reference column, and populate the reference column with the at least one data item.
    Type: Grant
    Filed: February 26, 2015
    Date of Patent: May 12, 2020
    Assignee: Red Hat, Inc.
    Inventors: Filip Nguyen, Filip Elias
  • Patent number: 10614252
    Abstract: A distributed file integrity checking system is described. The described peer integrity checking system (PICS) may negate an attack by storing a properties database amongst nodes of a peer-to-peer network of hosts, some or all of which co-operate to protect and watch over each other.
    Type: Grant
    Filed: August 31, 2017
    Date of Patent: April 7, 2020
    Assignee: ARCHITECTURE TECHNOLOGY CORPORATION
    Inventors: Barry A. Trent, Edward R. Mandy
  • Patent number: 10594670
    Abstract: Systems and methods are disclosed for encrypting portions of data for storage and processing in a remote network. For example, methods may include receiving a message that includes data for forwarding to a server device; encrypting a portion of the data to determine an encrypted portion; determining metadata based on the portion of the data, wherein the metadata indicates one or more properties of the portion of the data and enables one or more operations to be performed by the server device that depend on the one or more properties; determining a payload including the data with both the encrypted portion and the metadata substituted for the portion of the data; and transmitting the payload to the server device.
    Type: Grant
    Filed: May 30, 2017
    Date of Patent: March 17, 2020
    Assignee: ServiceNow, Inc.
    Inventors: Pierre Francois Rohel, Siddharth Shah, Martin Wexler
  • Patent number: 10594668
    Abstract: In one embodiment, a crypto cloudlet is provided that includes a security wrapper to a virtual machine to guarantee secure Input/Output exchange between a client and one or more cryptographic adaptive services powered by a set of virtual CPUs through a single well defined channel, an adaptive service running in the virtual machine that identifies hardware resources necessary to satisfy a cryptographic demand or request, and an Ethernet interface communicatively coupled to the security wrapper providing network channel services for exchange of cryptographic data and commands. The security wrapper presents to the adaptive services the hardware accelerators exposed by the virtual machine. Other embodiments are disclosed.
    Type: Grant
    Filed: February 10, 2017
    Date of Patent: March 17, 2020
    Assignee: Thales eSecurity, Inc.
    Inventors: Enrique Sanchez, Bernardo Arainty, John Perret, Tomas Arredondo, Pedro Valladares, Guillermo Cordon, Sergio Barcala, Marc Boillot
  • Patent number: 10579412
    Abstract: A method for operating virtual machines on a virtualization platform includes: embedding control information in a predetermined memory area of a front-end virtual machine where at least one virtual device is to be initialized, the control information being required for initiating a communication with a back-end virtual machine where at least one back-end driver runs; retrieving, by the front-end virtual machine, the control information from the predetermined memory area of the front-end virtual machine; and performing the communication between the front-end virtual machine and the back-end virtual machine via a direct communication channel to exchange information for initializing the at least one virtual device of the front-end virtual machine, by communicating with the at least one back-end driver via the direct communication channel. The direct communication channel is established based on the control information embedded in the predetermined memory area of the front-end virtual machine.
    Type: Grant
    Filed: April 7, 2017
    Date of Patent: March 3, 2020
    Assignee: NEC CORPORATION
    Inventors: Filipe Manco, Simon Kuenzer, Florian Schmidt, Felipe Huici
  • Patent number: 10574466
    Abstract: An external biometric reader and verification device for providing access control to a computing device, and associated methods, are disclosed. The external reader can store and verify biometrics under the control of the computing device and send identity verification messages to the computing device. One disclosed device includes a biometric reader communicatively connected to an external secure microcontroller. The external secure microcontroller stores a set of biometric data and a signing key. The signing key can be injected by a device manufacturer in a controlled key injection room in a manufacturing facility and can be used to sign a certificate. An operating system of the computing device can be programmed to send a request for the certificate, receive the certificate, and predicate control of access to the operating system using the verification messages on verification of the certificate.
    Type: Grant
    Filed: July 11, 2019
    Date of Patent: February 25, 2020
    Assignee: Clover Network, Inc.
    Inventors: Narayanan Gopalakrishnan, Yi Sun, Ketan Patwardhan
  • Patent number: 10567566
    Abstract: An approach is provided for providing mechanisms to control unattended notifications at a device. The approach includes determining that at least one notification presented at a device is an unattended notification. The approach also includes causing, at least in part, a presentation of one or more mechanisms for controlling the unattended notification at the device, one or more other devices, or a combination thereof.
    Type: Grant
    Filed: October 16, 2012
    Date of Patent: February 18, 2020
    Assignee: Nokia Technologies Oy
    Inventors: Wenwei Xue, Likhang Chow
  • Patent number: 10567394
    Abstract: A system performs cryptographic operations utilizing information usable to verify validity of plaintext. To prevent providing information about a plaintext by providing the information usable to verify the validity of the plaintext, the system provides the information usable to verify validity of the plaintext to an entity on a condition that the entity is authorized to access the plaintext. The information usable to verify validity of the plaintext may be persisted in ciphertext along with the plaintext to enable the plaintext to be verified when decrypted.
    Type: Grant
    Filed: April 10, 2019
    Date of Patent: February 18, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Gregory Alan Rubin, Matthew John Campagna, Petr Praus
  • Patent number: 10534910
    Abstract: Approaches for monitoring a host operating system. A threat model is stored and maintained. The threat model identifies, for any process executing on a host operating system, how trustworthy the process should be deemed based on a pattern of observed behavior. The execution of the process and of those processes in a monitoring circle relationship thereto are monitored. The monitoring circle relationship includes a parent process, any process in communication with a member of the monitoring circle relationship, and any process instantiated by a present member of the monitoring circle relationship. Observed process behavior is correlated with the threat model. Upon determining that a particular process has behaved in a manner inconsistent with a pattern of allowable behavior identified by the threat model for that process, a responsive action is taken.
    Type: Grant
    Filed: September 21, 2017
    Date of Patent: January 14, 2020
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Rahul C. Kashyap
  • Patent number: 10514959
    Abstract: The present invention describes a distributed operating system that allows any local operating system to run more than one cloud-hosted virtual machine. The described system uses three different server clusters: one for storage, one for general processing and another for image processing. The processed image is sent to the user over the network; all the user needs is a screen to display the final image and an input terminal such as a touch screen or a mouse and keyboard.
    Type: Grant
    Filed: December 27, 2013
    Date of Patent: December 24, 2019
    Assignee: SAMSUNG ELETRÔNICA DA AMAZÔNIA LTDA.
    Inventor: Paulo Vitor Sato
  • Patent number: 10514945
    Abstract: A hypervisor monitors for an initialization of a guest kernel running on a virtual machine implemented by the hypervisor. When the initialization of the guest kernel is detected, the hypervisor pauses a virtual processor of the virtual machine, locates a guest kernel image of the guest kernel in guest memory, locates a kernel function in the guest kernel image, inserts a breakpoint on the guest kernel function, resumes the virtual processor and monitors for a breakpoint instruction. After detecting the breakpoint instruction, the hypervisor gathers guest context by examining the guest memory and guest registers, pauses the virtual processor, constructs and injects a code gadget configured to run in the virtual machine, diverts the virtual processor to execute the code gadget, which causes the virtual processor to call the hypervisor at the end of executing the code gadget, and returns the virtual processor to execute the guest kernel function.
    Type: Grant
    Filed: February 7, 2018
    Date of Patent: December 24, 2019
    Assignee: NICIRA, INC.
    Inventor: Prasad Dabak
  • Patent number: 10511965
    Abstract: A system and method for downloading software is provided. When software is required to be downloaded to the mobile terminal, a software downloading tool on the computer terminal establishes a connection with the mobile terminal via a preloader port of the mobile terminal and sends a download agent to the mobile terminal. A preloader program of the mobile terminal checks whether the download agent is signed and encrypted by a private key matched with an RSA public key in the preloader program, and if yes, the mobile terminal utilizes the DA download agent to download the software. The method can effectively prevent illegal tools from having communication capability with the mobile phone by USB connection for data deletion or tampering, and reduce the possibility that a hacker damages “limiting function” of the mobile phone.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: December 17, 2019
    Assignee: HuiZhou TCL Mobile Communication Co., Ltd.
    Inventors: Haihui Jiang, Bo Wang
  • Patent number: 10503237
    Abstract: The invention provides multiple secure virtualized environments operating in parallel with optimal resource usage, power consumption and performance. The invention provides a method whereby virtual machines (VMs) have direct access to the computing system's hardware without adding traditional virtualization layers while the hypervisor maintains hardware-enforced isolation between VMs, preventing risks of cross-contamination. Additionally, some of the VMs can be deactivated and reactivated dynamically when needed, which saves the computing system resources. As a result, the invention provides bare-metal hypervisor use and security but without the limitations that make such hypervisors impractical, inefficient and inconvenient for use in mobile devices due to the device's limited CPU and battery power capacity.
    Type: Grant
    Filed: February 13, 2017
    Date of Patent: December 10, 2019
    Assignee: GBS Laboratories, LLC
    Inventor: Oleksii Surdu
  • Patent number: 10485286
    Abstract: A shoe is provided for use by a user and for use with an external reset system that is operable to transmit a reset signal. The shoe comprises a sole, a detector, a memory, a controller, and a receiver. The sole has a top surface for supporting the foot of the user when being worn by the user. The detector generates a parameter signal based on a detected parameter. The controller generates a control signal to activate said detector. The controller further generates a modification signal based on the received reset signal. The memory stores parameter data based on the parameter signal. The memory further modifies the stored parameter data based on the modification signal. The receiver receives the reset signal.
    Type: Grant
    Filed: July 15, 2016
    Date of Patent: November 26, 2019
    Assignee: Under Armour, Inc.
    Inventors: Mark Oleson, F. Grant Kovach, Nathan Dau, Angela Nelligan