Security Kernel Or Utility Patents (Class 713/164)
  • Patent number: 10218767
    Abstract: The present disclosure discloses a method, a system and a browser for executing a browser active object. In the present invention, a proxy object is run in a page process and an active object is run in an independent process, so that a true plug-in is separated from the page process. The present invention further discloses an inter-process script execution method, system and browser. The present invention further discloses a browser active object executing method and system, and a browser.
    Type: Grant
    Filed: August 30, 2013
    Date of Patent: February 26, 2019
    Assignee: Beijing Qihoo Technology Company Limited
    Inventors: Jinwei Li, Yuesong He, Zhi Chen, Yu Fu, Ming Li, Huan Ren
  • Patent number: 10216648
    Abstract: Embodiments of an invention for maintaining a secure processing environment across power cycles are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to evict a root version array page entry from a secure cache. The execution unit is to execute the instruction. Execution of the instruction includes generating a blob to contain information to maintain a secure processing environment across a power cycle and storing the blob in a non-volatile memory.
    Type: Grant
    Filed: June 2, 2017
    Date of Patent: February 26, 2019
    Assignee: Intel Corporation
    Inventors: Francis X. McKeen, Vincent R. Scarlata, Carlos V. Rozas, Ittai Anati, Vedvyas Shanbhogue
  • Patent number: 10216649
    Abstract: Methods, systems, and computer program products are included for providing one or more additional kernels in a protected kernel environment. A method includes providing, by a hypervisor, a virtual machine that includes a first kernel. A first portion of memory of the virtual machine is allocated for the first kernel and a second portion of memory of the virtual machine is allocated for a second kernel. The virtual machine executes the first kernel. The hypervisor disables access privileges corresponding to the second portion of memory. Execution is transitioned from the first kernel to the second kernel by clearing memory corresponding to the first kernel, enabling access privileges corresponding to the second portion of the memory, and executing the second kernel on the virtual machine.
    Type: Grant
    Filed: February 29, 2016
    Date of Patent: February 26, 2019
    Assignee: RED HAT ISRAEL, LTD.
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Patent number: 10216957
    Abstract: Computationally implemented methods and systems include acquiring data regarding an application configured to access one or more protected portions of a particular device, said application configured to provide one or more services, detecting that the application has completed at least one of the one or more services and that the application maintains access to the one or more protected portions of the particular device, presenting information indicating that the one or more services are completed and that the application maintains access to the one or more protected portions of the particular device, and circuitry for facilitating presentation of an option to discontinue the access of the application to the one or more protected portions of the particular device. In addition to the foregoing, other aspects are described in the claims, drawings, and text.
    Type: Grant
    Filed: February 28, 2013
    Date of Patent: February 26, 2019
    Assignee: Elwha LLC
    Inventors: Edward K. Y. Jung, Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud
  • Patent number: 10210470
    Abstract: Real time security, integrity, and reliability postures of operational (OT), information (IT), and security (ST) systems, as well as slower changing security and operational blueprint, policies, processes, and rules governing the enterprise security and business risk management process, dynamically evolve and adapt to domain, context, and situational awareness, as well as the controls implemented across the operational and information systems that are controlled. Embodiments of the invention are systematized and pervasively applied across interconnected, interdependent, and diverse operational, information, and security systems to mitigate system-wide business risk, to improve efficiency and effectiveness of business processes and to enhance security control which conventional perimeter, network, or host based control and protection schemes cannot successfully perform.
    Type: Grant
    Filed: April 13, 2017
    Date of Patent: February 19, 2019
    Assignee: Albeado, Inc.
    Inventor: Partha Datta Ray
  • Patent number: 10212172
    Abstract: A data access method based on a cloud computing platform, and a user terminal, are provided. The method is performed by a user terminal, and the method includes obtaining an access request for a data ciphertext of the cloud computing platform, the access request including a decryption key, and the decryption key including a user precise identity identifier and a user attribute identifier. The method further includes decrypting the data ciphertext into a data plaintext, in response to the user precise identity identifier belonging to an identity identifier set included in an access structure of the data ciphertext and/or in response to the user attribute identifier belonging to a user attribute identifier set included in the access structure of the data ciphertext.
    Type: Grant
    Filed: May 24, 2016
    Date of Patent: February 19, 2019
    Assignees: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED, Hunan University
    Inventor: Qin Liu
  • Patent number: 10204223
    Abstract: Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to receive a function call, determine the location of a memory page that initiated the function call, determine if the memory page is associated with a trusted module, and block the function call if the memory page is not associated with the trusted module. In addition, the system can determine the return address for the function call and block the function call if the return address does not belong to the trusted module. Further, the system can determine a parameter for the function call, determine if the parameter is a known parameter used by the process that called the function, and block the function call if the parameter is not the known parameter used by the process that called the function.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: February 12, 2019
    Assignee: McAfee, LLC
    Inventors: Peter Szor, Rachit Mathur
  • Patent number: 10199848
    Abstract: Apparatuses, methods, and systems for enabling higher current charging of Universal Serial Bus (USB) Specification Revision 2.0 (USB 2.0) portable electronic devices from USB 3.x hosts are disclosed. In one aspect, a USB 2.0 controller is provided in a USB 2.0 portable device. A USB 3.x controller is provided in a USB 3.x host. The USB 2.0 controller is configured to draw a higher charging current than specified in USB 2.0 for the USB 2.0 portable device over a USB 2.0 cable. In order to draw the higher charging current without violating USB 2.0, the USB 2.0 controller is configured to use one or more reserved elements in an existing USB 2.0 descriptor(s) or bitmap(s) to indicate a higher charging current request from the USB 2.0 controller.
    Type: Grant
    Filed: July 28, 2014
    Date of Patent: February 5, 2019
    Assignee: QUALCOMM Incorporated
    Inventors: Devdutt Patnaik, Jay Yu Jae Choi, Terrence Brian Remple
  • Patent number: 10191788
    Abstract: Programmable devices, hierarchical parallel machines and methods for providing state information are described. In one such programmable device, programmable elements are provided. The programmable elements are configured to implement one or more finite state machines. The programmable elements are configured to receive an N-digit input and provide a M-digit output as a function of the N-digit input. The M-digit output includes state information from less than all of the programmable elements. Other programmable devices, hierarchical parallel machines and methods are also disclosed.
    Type: Grant
    Filed: November 16, 2016
    Date of Patent: January 29, 2019
    Assignee: Micron Technology, Inc.
    Inventor: Paul Dlugosch
  • Patent number: 10178205
    Abstract: A wireless station associates with an access point to join a wireless local area network (WLAN). The access point is part of the WLAN and operates as a switching device between wireless stations of the WLAN. The wireless station forms a TCP session via the access point with an external device which is external to the WLAN. The wireless station exchanges (i.e., transmits and/or receives) a first sequence of packets on the TCP session. The wireless station receives a frame from the access point, the frame indicating that the wireless station has been disassociated after having associated earlier with the access point. The wireless station re-associates with the access point. The access point then communicates with the external device on the TCP session after re-associating, the communicating involving exchanging a second sequence of packets with the external device after the re-association.
    Type: Grant
    Filed: September 12, 2016
    Date of Patent: January 8, 2019
    Assignee: GAINSPAN CORPORATION
    Inventors: Pankaj Vyas, Vishal Batra, Burhanuddin Lohawala
  • Patent number: 10169573
    Abstract: A data processing apparatus including circuitry for performing data processing, a plurality of registers; and a data store including regions having different secure levels, at least one secure region (for storing sensitive data accessible by the data processing circuitry operating in the secure domain and not accessible by the data processing circuitry operating in a less secure domain) and a less secure region (for storing less secure data). The circuitry is configured to determine which stack to store data to, or load data from, in response to the storage location of the program code being executed. In response to program code calling a function to be executed, the function code being stored in a second region, the second region having a different secure level to the first region, the data processing circuitry is configured to determine which of the first and second region have a lower secure level.
    Type: Grant
    Filed: October 4, 2016
    Date of Patent: January 1, 2019
    Assignee: ARM Limited
    Inventors: Thomas Christopher Grocutt, Richard Roy Grisenthwaite
  • Patent number: 10152589
    Abstract: Methods and devices for searching are described. In one aspect, the method includes: receiving a search query; identifying a search data file associated with a third party application, the search data file being prepared according to predetermined format rules by the third party application, and stored, prior to receiving the search query; searching, at least a portion of the search data file using the search query to identify information that matches the search query; using the predetermined format rules to identify associated information in the search data file, the associated information being related to the information that matches the search query; obtaining search results from at least one other source; and generating a display of search results based on both the information matching the search query and the associated information, the display including the search results from the at least one other source.
    Type: Grant
    Filed: March 21, 2016
    Date of Patent: December 11, 2018
    Assignee: BLACKBERRY LIMITED
    Inventors: Ryan John Waters, Sivakumar Nagarajan, Martello Michealangelo Jones
  • Patent number: 10152605
    Abstract: A security framework and methodology is provided which provides front-end security through authentication and authorization, and back-end security through a virtual private data-store created within an insecure environment using existing object-relational mapping (ORM) layers or database drivers. The front-end security utilizes numerous multi-factor authentication metrics and a distributed denial of service (DDoS) cryptographic boundary to proactively attack malicious users using a cryptographic puzzle, and the back-end security provides data encryption and decryption, data privacy, data integrity, key management, pattern monitoring, audit trails and security alerts while simultaneously hiding the complexity behind an identical or similar ORM or database driver application programming interface (API).
    Type: Grant
    Filed: May 21, 2015
    Date of Patent: December 11, 2018
    Inventor: Siddharth Shetye
  • Patent number: 10146934
    Abstract: A system and method for sharing data and a risk assessment of the data comprises receiving data in a first application and obtaining a risk level of the data, performing an action in the first application necessitating passing a message comprising at least the data and the risk level to a second application, passing the message from the first application to the second application, receiving, at the second application, the message, determining by said second application whether the risk level exceeds a predetermined threshold, when the risk level exceeds the predetermined threshold, implementing a protocol to perform actions in the second application using the data in accordance with the protocol, and when the risk level does not exceed the predetermined threshold, running the second application using the data.
    Type: Grant
    Filed: March 14, 2014
    Date of Patent: December 4, 2018
    Assignee: International Business Machines Corporation
    Inventors: Tamer E. Abuelsaad, Carlos A. Hoyos, Nader M. Nassar
  • Patent number: 10140320
    Abstract: Systems, methods, and media for generating analytical data from actions performed on one or more publishing servers. Methods may include capturing one or more audit trails by determining actions performed on the one or more publishing servers via one or more client devices, the one or more publishing servers adapted to publish informational content; generating analytical data from the one or more audit trails; and storing the generated analytical data in a database.
    Type: Grant
    Filed: February 28, 2011
    Date of Patent: November 27, 2018
    Assignee: SDL Inc.
    Inventors: Andrew Trese, Frank Closset
  • Patent number: 10129222
    Abstract: Systems and methods are disclosed for providing a trusted database system that leverages a small amount of trusted storage to secure a larger amount of untrusted storage. Data are encrypted and validated to prevent unauthorized modification or access. Encryption and hashing are integrated with a low-level data model in which data and meta-data are secured uniformly. Synergies between data validation and log-structured storage are exploited.
    Type: Grant
    Filed: April 24, 2017
    Date of Patent: November 13, 2018
    Assignee: Intertrust Technologies Corporation
    Inventors: Umesh Maheshwari, Radek Vingralek, W. Olin Sibert
  • Patent number: 10121001
    Abstract: Systems for a method for monolithic workload scheduling in a portable computing device (“PCD”) having a hypervisor are disclosed. An exemplary method comprises instantiating a primary virtual machine at a first exception level, wherein the primary virtual machine comprises a monolithic scheduler configured to allocate workloads within and between one or more guest virtual machines in response to one or more interrupts, instantiating a secure virtual machine at the first exception level and instantiating one or more guest virtual machines at the first exception level as well. When an interrupt is received at a hypervisor associated with a second exception level, the interrupt is forwarded to the monolithic scheduler along with hardware usage state data and guest virtual machine usage state data. The monolithic scheduler may, in turn, generate one or more context switches which may comprise at least one intra-VM context switch and at least one inter-VM context switch.
    Type: Grant
    Filed: June 21, 2017
    Date of Patent: November 6, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Thomas Zeng, Azzedine Touzni, Satyaki Mukherjee
  • Patent number: 10121004
    Abstract: An apparatus and method for monitoring a virtual machine based on a hypervisor. The method for monitoring a virtual machine based on a hypervisor includes monitoring an attempt to access an executable file located in a virtual machine, when the attempt to access the executable file is detected, extracting a system call transfer factor, input through a task that attempted to make access, acquiring, based on the system call transfer factor, an execution path corresponding to the executable file and a reference path corresponding to a reference file that is executed together with the executable file, and checking based on the execution path and the reference path whether any of the executable file and the reference file is malicious, and collecting a file in which malicious code is present when the malicious code is present in any of the executable file and the reference file.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: November 6, 2018
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Sung-Jin Kim, Woomin Hwang, ByungJoon Kim, ChulWoo Lee, HyoungChun Kim
  • Patent number: 10095530
    Abstract: Approaches for transferring control to a bit set. At a point of ingress, prior to transferring control to the bit set, a determination is made as to whether the bit set is recognized as being included within a set of universally known malicious bit sets. If the bit set is not so recognized, then another determination is made as to whether the bit set is recognized as being included within a set of locally known virtuous bit sets. If the bit set is recognized as being included within a set of locally known virtuous bit sets, then control is not transferred to the bit set. Upon determining that the bit set is not included within the set of locally known virtuous bit sets, then the bit set is copied into a micro-virtual machine and control is transferred to the bit set within the micro-virtual machine.
    Type: Grant
    Filed: July 13, 2015
    Date of Patent: October 9, 2018
    Assignee: Bromium, Inc.
    Inventors: Gaurav Banga, Ian Pratt, Rahul Kashyap
  • Patent number: 10097563
    Abstract: A computing system for a secure and reliable firmware update through a verification process, dynamic validation and continuous monitoring for error or failure and speedy correction of Internet of Things (IoT) device operability. The invention uses a Trusted Execution Environment (TEE) for hardware-based isolation of the firmware update, validation and continuous monitoring services. The isolation is performed by hardware System on a Chip (SoC) Security Extensions such as ARM TrustZone or similar technologies on other hardware platforms. The invention therefore comprises Firmware Update Service (FUS), System Validation Service (SMS) and Continuous Monitoring Service (CMS) running in the TEE with dedicated memory and storage, thus providing a trusted configuration management functionality for the operating system (OS) code and applications on IoT devices.
    Type: Grant
    Filed: May 4, 2016
    Date of Patent: October 9, 2018
    Assignee: GBS Laboratories, LLC
    Inventor: Oleksii Surdu
  • Patent number: 10097513
    Abstract: Constructs to define a Trusted Execution Environment Driver that can implement a standard communication interface in a first environment for discovering and/or exchanging messages with secure applications/services executed in a Trusted Execution Environment (TrEE). The first environment can represent an environment with a different security policy from the TrEE.
    Type: Grant
    Filed: September 14, 2014
    Date of Patent: October 9, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Youssef Barakat, Kinshuman Kinshumann, Brian Perkins, Jinsub Moon
  • Patent number: 10097607
    Abstract: Embodiments for changing bit rates in streaming media are provided. As portions of a streaming media file are downloaded for playback, the size of the portion is compared with an expected size determined prior to initiating playback of streaming AV data. The portion of the media file may be padded such that the size of the portion matches the size specified prior to initiating playback of streaming AV data.
    Type: Grant
    Filed: April 1, 2016
    Date of Patent: October 9, 2018
    Assignee: NETFLIX, INC.
    Inventors: Chung-Ping Wu, Christian Kaiser, Yung-Hsiao Lai, James Mitch Zollinger, David Randall Ronca
  • Patent number: 10097349
    Abstract: Systems and methods for protecting symmetric encryption keys when performing encryption are described. In one embodiment, a computer-implemented method includes retrieving at least one real key from a secure area and executing, with a processor, a key transform instruction to generate at least one transformed key based on receiving the at least one real key. The at least one transformed key is an encrypted version of at least one round key that is encrypted by the processor using the at least one real key. The processor is able to decrypt the at least one transformed key and encrypt the at least one round key.
    Type: Grant
    Filed: August 14, 2015
    Date of Patent: October 9, 2018
    Assignee: Intel Corporation
    Inventors: Steven L. Grobman, Jason W. Brandt
  • Patent number: 10091216
    Abstract: Technologies are provided in embodiments for receiving policy information associated with at least one security exception, the security exception relating to execution of at least one program, determining an operation associated with the security exception based, at least in part, on the policy information, and causing the operation to be performed, based at least in part, on a determination that the at least one security exception occurred.
    Type: Grant
    Filed: March 28, 2016
    Date of Patent: October 2, 2018
    Assignee: Intel Corporation
    Inventors: Gal Chanoch, Eran Birk, Baiju Patel, Steven Grobman, Tobias Kohlenberg, Rajeev Gopalakrishna
  • Patent number: 10089460
    Abstract: A behavior-based malicious code detecting apparatus and method using multiple feature vectors is disclosed. A malicious code learning method may include collecting characteristic factor information when a training target process comprising a malicious code is executed, generating a feature vector for malicious code verification based on the collected characteristic factor information, learning the generated feature vector through a plurality of machine learning algorithms to generate a model of representing the malicious code and a model of representing a normal file, and storing the model of representing the malicious code and the model of representing the normal file generated through the learning.
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: October 2, 2018
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Dae Sung Moon, Ik Kyun Kim, Yang Seo Choi
  • Patent number: 10083277
    Abstract: The present disclosure relates to systems and methods for facilitating trusted handling of genomic and/or other sensitive information. Certain embodiments may use a virtualized execution environment to execute code and/or programs that wish to access and/or otherwise use genomic and/or other sensitive information. In some embodiments, data requests from the code and/or programs may be routed through a transparent data access proxy configured to transform requests and/or associated responses to protect the integrity of the genomic and/or other sensitive information.
    Type: Grant
    Filed: January 19, 2017
    Date of Patent: September 25, 2018
    Assignee: Intertrust Technologies Corporation
    Inventors: W. Knox Carey, Jarl A. Nilsson, Bart Grantham
  • Patent number: 10075296
    Abstract: Embodiments of an invention for loading and virtualizing cryptographic keys are disclosed. In one embodiment, a processor includes a local key storage location, a backup key storage location, and execution hardware. Neither the local key storage location nor the backup key storage location is readable by software. The execution hardware is to perform a first operation and a second operation. The first operation includes loading a cryptographic key into the local key storage location. The second operation includes copying the cryptographic key from the local key storage location to the backup key storage location.
    Type: Grant
    Filed: July 2, 2015
    Date of Patent: September 11, 2018
    Assignee: Intel Corporation
    Inventors: Jason W Brandt, Vedvyas Shanbhogue
  • Patent number: 10037202
    Abstract: Techniques for isolating a portion of an online computing service are described. The following description may refer to the isolated portion as a deployment unit configured with a complete build of the online computing service. In one embodiment, after applying one or more changes to the complete build, the deployment unit may be used for testing these changes using end-to-end tests. In another embodiment, the deployment unit may be dedicated to a specific group of tenants that require at least some isolation from other tenants. Other embodiments are described and claimed.
    Type: Grant
    Filed: June 3, 2014
    Date of Patent: July 31, 2018
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Nakul Garg, Ricardo Stern, Neelamadhaba Mahapatro, Rui Chen, Michael Wilde, Charles Jeffries
  • Patent number: 10028001
    Abstract: There is provided a system comprising a non-transitory memory storing a rights database and a hardware processor configured to receive a user input from a user device requesting playback of a media content, the media content being provided by a first type of content provider, perform a first search of the rights database for a first media content entitlement associated with the media content corresponding to the first type of content provider, if the first search does not find the first media content entitlement, perform a second search of the rights database for a second media content entitlement associated with the media content corresponding to a second type of content provider, and, when the second search finds the second media content entitlement, enable playback of the media content from a content provider that is the first type of content provider based on the second media content entitlement corresponding to the second type of content provider.
    Type: Grant
    Filed: October 11, 2016
    Date of Patent: July 17, 2018
    Assignee: Disney Enterprises, Inc.
    Inventors: Edward C. Drake, Mark Arana
  • Patent number: 10020938
    Abstract: Methods, apparatus, and systems are disclosed for, among other things, secure passphrase handling for computing devices. In one respect, a method is provided. The method includes receiving a plurality of passphrase elements from an input device. The method also includes performing a sequence of secure delay processing operations, each operation generating a delayed output value from an initial value. The passphrase is verified upon completion of the sequence of secure delay processing operations. Further, initial values of respective secure delay processing operations are based on respective passphrase elements and, for each secure delay processing operation after a first secure delay processing operation, a delayed output value from at least one other secure delay processing operations.
    Type: Grant
    Filed: May 5, 2017
    Date of Patent: July 10, 2018
    Assignee: Callahan Cellular L.L.C.
    Inventor: Edwin A. Suominen
  • Patent number: 10021125
    Abstract: This disclosure provides an infrastructure monitoring tool, and related systems and methods, for collecting industrial process control and automation system risk data, and other data. A method includes discovering multiple devices in a computing system by a risk manager system. The method includes grouping the multiple devices into multiple security zones by the risk manager system. The method includes, for each security zone, causing one or more devices in that security zone to provide information to the risk manager system identifying alerts and events associated with the one or more devices. The method includes storing the information, by the risk manager system, in association with unique identifier values, the unique identifier values identifying different types of information.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: July 10, 2018
    Assignee: Honeywell International Inc.
    Inventors: Venkata Srinivasulu Reddy Talamanchi, Kenneth W. Dietrich, Eric T. Boice, Andrew W. Kowalczyk, Ganesh P. Gadhe
  • Patent number: 10019343
    Abstract: Methods, systems, and computer program products are included for performing tracing in a protected kernel environment. A method includes scanning at least a portion of a kernel to locate one or more instructions. The locations of the one or more instructions are provided to a hypervisor. The one or more instructions are replaced with one or more other instructions. After replacing the one or more instructions, a kernel protection feature is activated. After activating the kernel protection feature, the hypervisor detects an attempted modification of the kernel. The hypervisor determines that the attempted modification corresponds to the at least one location provided to the hypervisor and that the attempted modification corresponds to an authorized code variant. The hypervisor modifies the kernel to include the authorized code variant at the at least one location.
    Type: Grant
    Filed: February 25, 2016
    Date of Patent: July 10, 2018
    Assignee: Red Hat Israel, LTD.
    Inventors: Michael Tsirkin, Paolo Bonzini
  • Patent number: 10019400
    Abstract: An apparatus is described herein. The apparatus includes a Universal Serial Bus (USB) component and a controller interface. The controller interface is to allocate register space for interfacing with the USB component and the USB component is virtualized into multiple instantiations. The apparatus also includes a secure environment, and the secure environment further virtualizes the multiple instantiations such that the multiple instantiations are owned by the secure environment.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: July 10, 2018
    Assignee: Intel Corporation
    Inventors: Nitin V. Sarangdhar, Steven B. McGowan, Raul Gutierrez, Karthi R. Vadivelu
  • Patent number: 10021122
    Abstract: A method and an apparatus to perform multiple packet payload analysis have been disclosed. In one embodiment, the method includes receiving a plurality of data packets, each of the plurality of data packets containing a portion of a data pattern, determining whether each of the plurality of data packets is out of order, and making and storing a local copy of the corresponding data packet if the corresponding data packet is out of order. Other embodiments have been claimed and described.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: July 10, 2018
    Assignee: SonicWALL Inc.
    Inventors: Aleksandr Dubrovsky, Roman Yanovsky, Scott Aaron More, Boris Yanovsky
  • Patent number: 10007806
    Abstract: Disabling communication in a multiprocessor fabric. The multiprocessor fabric may include a plurality of processors and a plurality of communication elements and each of the plurality of communication elements may include a memory. A configuration may be received for the multiprocessor fabric, which specifies disabling of communication paths between one or more of: one or more processors and one or more communication elements; one or more processors and one or more other processors; or one or more communication elements and one or more other communication elements. Accordingly, the multiprocessor fabric may be automatically configured in hardware to disable the communication paths specified by the configuration. The multiprocessor fabric may be operated to execute a software application according to the configuration.
    Type: Grant
    Filed: April 14, 2016
    Date of Patent: June 26, 2018
    Assignee: Coherent Logix, Incorporated
    Inventors: Michael B. Doerr, Carl S. Dobbs, Michael B. Solka, Michael R. Trocino, David A. Gibson
  • Patent number: 9990494
    Abstract: Various embodiments are directed to enabling anti-malware software to co-exist with protective features of an operating system. An apparatus may include a processor component including an IDT register storing an indication of size of an IDT; a monitoring component to retrieve the indication and compare the indication to a size of a guard IDT in response to modification of the IDT register to determine whether the guard routine is to inspect the IDT and a set of ISRs; and a cache component to overwrite the IDT and set of ISRs with a cached IDT and cached set of ISRs, respectively, based on the determination and prior to the inspection to prevent the guard routine from detecting a modification by an anti-malware routine, the cached IDT and cached set of ISRs generated from the IDT and set of ISRs, respectively, prior to the modification. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 19, 2016
    Date of Patent: June 5, 2018
    Assignee: INTEL CORPORATION
    Inventors: Ramesh Thomas, Manohar R. Castelino, Kuo-Lang Tseng
  • Patent number: 9984248
    Abstract: Securing an endpoint against exposure to unsafe content includes encrypting files to prevent unauthorized access, and monitoring an exposure state of a process to potentially unsafe content by applying behavioral rules to determine whether the exposure state is either exposed or secure, where (1) the process is initially identified as secure, (2) the process is identified as exposed when the process opens a network connection to a URL that is not internal to an enterprise network of the endpoint and that has a poor reputation, (3) the process is identified as exposed when it opens a file identified as exposed, and (4) the process is identified as exposed when another exposed process opens a handle to the process. Access to the files may be restricted when the process is exposed by controlling access through a file system filter that conditionally decrypts files for the process according to its exposure state.
    Type: Grant
    Filed: February 12, 2016
    Date of Patent: May 29, 2018
    Assignee: Sophos Limited
    Inventors: Kenneth D. Ray, Andrew J. Thomas, Anthony John Merry, Harald Schütz, Andreas Berger, John Edward Tyrone Shaw
  • Patent number: 9984229
    Abstract: Disclosed are examples of authorizing an application access attempt. One example method may include connecting via a computing device to at least one remote computing device at a remote site and attempting to download an application from the remote site. The method may also include determining via a processor a trust level of the application based on trust metrics and comparing the trust level to a predetermined threshold. The method may also include determining whether to allow the application to be downloaded to the computing device based on results of the comparing operation.
    Type: Grant
    Filed: August 31, 2011
    Date of Patent: May 29, 2018
    Assignee: Open Invention Network LLC
    Inventor: William Charles Easttom, II
  • Patent number: 9977898
    Abstract: The present embodiments relate to security in a virtualized operating system environment with an active host based Intrusion Detection System (IDS). More specifically, the IDS identifies any infected container operating on the shared kernel and remedies the infected container. In an operating system virtualization, one or more containers are started in virtual memory utilizing the same operating system kernel. When a container starts any resource not specified in the container configuration is shared with the host operating system. The shared IDS provides security of the namespaces of all containers operating on the shared kernel.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: May 22, 2018
    Assignee: International Business Machines Corporation
    Inventors: Rafael Camarda Silva Folco, Breno H. Leitao, Desnes A. Nunes do Rosario
  • Patent number: 9971909
    Abstract: A processor capable of secure execution. The processor contains an execution unit and secure partition logic that secures a partition in memory. The processor also contains cryptographic logic coupled to the execution unit that encrypts and decrypts secure data and code.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 15, 2018
    Assignee: Intel Corporation
    Inventor: Millind Mittal
  • Patent number: 9973579
    Abstract: Embodiments described herein include methods and systems for remotely managing appliances associated with a user. A mobile phone is but one example of a controlled appliance. A third party operating system (OS) is resident on the appliance and is in communication with a third party infrastructure. The appliance receives communications from the third party infrastructure related to management of the appliance, wherein management comprises controlling when the appliance is operable, and which functions the appliance can perform.
    Type: Grant
    Filed: March 2, 2016
    Date of Patent: May 15, 2018
    Assignee: Payjoy, Inc.
    Inventor: Douglas James Ricket
  • Patent number: 9971906
    Abstract: A system for secure data storage and transmission is provided. The system comprises a first security module for protecting data in a first data at rest system and a second security module for protecting data in a second data at rest system. At least one encryption parameter for the second data at rest system differs from at least one encryption parameter for the first data at rest system so that a datum is reencrypted when the datum is transferred from the first data at rest system to the second data at rest system.
    Type: Grant
    Filed: May 22, 2015
    Date of Patent: May 15, 2018
    Assignee: Protegrity Corporation
    Inventor: Ulf Mattsson
  • Patent number: 9952914
    Abstract: Aspects of the present invention disclose a method for customizing a parameter value in a software program. The method includes one or more processors receiving one integrated input requesting a change to the original value of a parameter in a software program to a new value of the parameter and defining a persistence level of the new value of the parameter. The method further includes one or more processors changing the original value of the parameter to the new value of the parameter based on the one integrated input and setting the persistence level of the new value based on the one integrated input.
    Type: Grant
    Filed: October 28, 2015
    Date of Patent: April 24, 2018
    Assignee: International Business Machines Corporation
    Inventors: James L. Lentz, David R. Schwartz
  • Patent number: 9928499
    Abstract: Processing payment through a mobile device includes: receiving a command; generating a payment request based on the command and send the payment request to be processed by a lower layer payment program; and monitoring the payment request sent from the localhost address of the mobile device via the predetermined port; in response to the payment request, providing an input interface for payment information in and receive the input payment information; using the lower layer payment program to connect with a payment server and pass the payment information over a network to the payment server; using the lower layer payment program to transfer a payment processing result received from the payment server, to the upper layer application program; and after the upper layer application program has been unblocked, presenting to a user an indication of whether the payment has been successfully processed.
    Type: Grant
    Filed: July 21, 2014
    Date of Patent: March 27, 2018
    Assignee: Alibaba Group Holding Limited
    Inventor: Gang Li
  • Patent number: 9916391
    Abstract: A method for webpage content browsing is provided. The method includes a terminal receiving a browsing request inputted by a user through performing an operation on a webpage link in a task window of an application, where the browsing request contains the webpage link. The method also includes the terminal parsing the browsing request to obtain the webpage link included in the browsing request. Further, the method includes the terminal generating a browsing window process, creating a browsing window using the browsing window process and attaching the browsing window to the task window. In addition, the method includes the terminal obtaining the webpage contents corresponding to the webpage link and outputting the webpage contents to the browsing window.
    Type: Grant
    Filed: February 13, 2015
    Date of Patent: March 13, 2018
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Yang Gao, Huijiao Yang, Yi Chen, Hao Tang, Bo Hu, Lei Guan
  • Patent number: 9900082
    Abstract: In some implementations, a satellite communication system is capable of utilizing converged data transmissions over a satellite network to improve various aspects of services provisioned through the satellite network. For example, the system includes multiple electronic components that operate within a common software application framework to enable the ability to perform monitored operations in real-time. The system uses the monitored data to dynamically and intelligently adjust network configurations of the satellite network to improve the provisioning of network-based services under varying network conditions.
    Type: Grant
    Filed: June 9, 2017
    Date of Patent: February 20, 2018
    Assignee: Stitel Networks, LLC
    Inventors: Noor A. Chowdhury, Nahid Hossain
  • Patent number: 9898603
    Abstract: A configuration scanning system is described herein that scans a system configuration database for malware-related information with less impact on other operations that access the system configuration database. The system employs techniques to reduce the impact on other operations that access the configuration database, including parsing a file-based stored version of the configuration database, accessing the configuration database using opportunistic locking, and caching configuration information obtained by scanning the configuration database. In this way, the system is able to respond to requests from antimalware programs using cached information without impacting other programs using the configuration database. Thus, the configuration scanning system protects a computer system against malware while reducing the burden on the configuration database and on other programs that access the configuration database.
    Type: Grant
    Filed: January 8, 2013
    Date of Patent: February 20, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hui Dai, Anil F. Thomas, Catalin D. Sandu
  • Patent number: 9871800
    Abstract: In accordance with an embodiment, described herein is a system and method for providing application security in a cloud computing or other environment. A plurality of hot-spot configurations define API usages which, for security reasons, are of interest to be monitored at runtime, such as invocations of particular methods that are likely to be used to attempt unauthorized access. Upon a user application being received for deployment to the cloud environment, an application compiler determines, for API usages expressed as method invocations within the source code of the application, one or more hot-spot configurations and associated policies or actions. The application compiler can then inject the user application to provide a security manager that, during runtime, monitors the methods and values invoked, and communicates with one or more security extensions to grant or deny access.
    Type: Grant
    Filed: January 30, 2015
    Date of Patent: January 16, 2018
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Velmurugan Subramanian, Nilesh Junnarkar
  • Patent number: 9870311
    Abstract: The disclosure is generally directed towards automatically generating a mock object from a description of a real object, such as for use in testing. Mock object generation logic parses the description to determine interface(s) of the real object, which are replicated in the mock object, and to determine method(s) of the real object, which are simulated in the mock object. The mock object generation logic may generate a description of the mock object that is then compiled into the mock object for execution. Data types may be validated so that the arguments and/or return values from the mock object meet the expectations of a calling object.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: January 16, 2018
    Assignee: HOME BOX OFFICE, INC.
    Inventor: Brendan Joseph Clark
  • Patent number: 9866548
    Abstract: Embodiments generally relate to out-of-band management of a computing system. The present technology enables a primary service controller to provide a centralized configuration of multiple secondary service controllers so that they can share a same configuration. It can utilize an authentication-free protocol to modify and manage credentials for a large number of service controllers.
    Type: Grant
    Filed: April 14, 2015
    Date of Patent: January 9, 2018
    Assignee: QUANTA COMPUTER INC.
    Inventor: Ching-Chih Shih