File Protection Patents (Class 713/165)
  • Patent number: 11816484
    Abstract: In an embodiment, dynamically-generated code may be supported in the system by ensuring that the code either remains executing within a predefined region of memory or exits to one of a set of valid exit addresses. Software embodiments are described in which the dynamically-generated code is scanned prior to permitting execution of the dynamically-generated code to ensure that various criteria are met including exclusion of certain disallowed instructions and control of branch target addresses. Hardware embodiments are described in which the dynamically-generated code is permitted to execute but is monitored to ensure that the execution criteria are met.
    Type: Grant
    Filed: June 15, 2021
    Date of Patent: November 14, 2023
    Assignee: Apple Inc.
    Inventors: Jeffrey E. Gonion, Michael D. Snyder, Filip J. Pizlo
  • Patent number: 11809603
    Abstract: Techniques and systems for protecting data input to a web-based application are provided herein. A method may include executing, within a web browser being executed by a computer system, a web-based application. Execution of the web-based application may include tagging one or more data fields as sensitive and fetching a public key from a remote server system. The method may include identifying, by the web-based application, a keystroke entry being input into the one or more data fields tagged as sensitive within the web-based application. Prior to storing the keystroke entry in memory mapped to the web browser, the method may include encrypting by the web-based application, the keystroke entry using the fetched public key to generate an encrypted entry. The web browser may store the encrypted entry to memory. Importantly, the keystroke entry may never be stored to the memory of the web browser in an unencrypted form.
    Type: Grant
    Filed: September 23, 2020
    Date of Patent: November 7, 2023
    Assignee: The Western Union Company
    Inventors: Anthony Scillieri, Soumi Sarkar, Dmitriy Borinshteyn, Vikram Bhagat, Manjeet Kishan Kola
  • Patent number: 11809284
    Abstract: A method and system of cloning a multi-tiered application is disclosed, comprising validating received source server configuration data against received target server configuration data. Further the data at a set of nodes on the target server is restored. The cloning of the multi-tiered application is initiated based on a set of predetermined rules, wherein the cloning comprises a set of sequential actions performed at each of the set of nodes. The method of cloning comprises generating a set of dynamic configuration files for the set of nodes based on the predefined restore rules and the validation and also generating a set of tokens for the set of nodes to communicate status of refresh. Further the target application is restored based on the set of dynamic configuration files and the set of sequential actions at each of the set of nodes is performed based on the status of set of tokens.
    Type: Grant
    Filed: December 4, 2020
    Date of Patent: November 7, 2023
    Assignee: INFOSYS LIMITED
    Inventors: Prabhat Kohli, Rohit Mohindru
  • Patent number: 11805109
    Abstract: A computing device includes one or more processors, a memory and an encryption accelerator. The memory includes instructions that when executed on the processors cause a first networking session to be established between a pair of communication peers. Encryption of messages of the first session is enabled by a parameter of a security protocol of the session. The encryption accelerator obtains a key determined in the first session, and uses the key to encrypt messages of a second networking session established between the peers.
    Type: Grant
    Filed: February 25, 2019
    Date of Patent: October 31, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Atul Khare, Ravi Akundi Murty, Hassan Sultan
  • Patent number: 11797696
    Abstract: A data processing system and a data processing method are capable of concealing files and folders. The data processing system of the invention includes a data storage device and at least one processor. When an application process is started and executed by the at least one processor to search a designated folder in the data storage device through a storage device driver residing in a kernel mode of an operating system, a storage filter driver residing in the kernel mode of the operating system judges if there are any files in the designated folder which have not been searched, and if any, the storage filter driver retrieves a next file in the designated folder through the storage device driver. If the storage filter driver determines that the application process is untrusted and determines that the next file is a concealed file, the storage filter driver does not return the next file.
    Type: Grant
    Filed: July 12, 2021
    Date of Patent: October 24, 2023
    Assignee: TRUSTVIEW INC.
    Inventor: Tsu-Tair Hsiao
  • Patent number: 11797488
    Abstract: A method, non-transitory computer readable medium, and device that assists with managing storage in a distributed deduplication system includes receiving an object to be stored from a client computing device. The received object is divided into a plurality of fragments. A plaintext hash value and a ciphertext hash value are determined for each of the plurality of fragments, wherein each of the plurality of fragments is renamed with the corresponding determined ciphertext hash value. Each of the renamed plurality of fragments is stored in a plurality of storage repositories.
    Type: Grant
    Filed: May 9, 2022
    Date of Patent: October 24, 2023
    Assignee: NETAPP, INC.
    Inventor: David Slik
  • Patent number: 11797707
    Abstract: A non-transitory computer-readable recording medium having stored therein an information processing program that causes a computer to execute a process includes: extracting second data through executing a first process on first data including sensitive information; outputting fourth data obtained by executing the first process on third data, the third data being obtained by executing a second process to delete sensitive information on the first data; and determining, based on a result of comparing the second data with the fourth data, whether or not the first process uses sensitive information.
    Type: Grant
    Filed: December 1, 2020
    Date of Patent: October 24, 2023
    Assignee: FUJITSU LIMITED
    Inventors: Masako Minato, Kenichi Horio, Masataka Sakaguchi
  • Patent number: 11783056
    Abstract: In some embodiments, a first device may generate a data block for an ordered set of data blocks such that the data block is cryptographically chained to a given data block preceding the data block in the ordered set. The first device may obtain an encryption key used to encrypt information related to the data block, and use group members' keys to encrypt the encryption key to generate a group key. As an example, the group's members may include a first member associated with the first device and other members. The keys used to encrypt the encryption key may include the other members' keys. The first device may transmit the ordered set and the group key to a communication resource (e.g., accessible by the members). Other devices (associated with the other members) may use the ordered set and the group key to obtain content related to the ordered set.
    Type: Grant
    Filed: June 10, 2021
    Date of Patent: October 10, 2023
    Assignee: Topia Technology, Inc.
    Inventors: John Haager, Cody Sandwith, Janine Terrano, Prasad Saripalli
  • Patent number: 11768940
    Abstract: This controller system includes: a program acquisition unit that acquires, by turning on the controller system, a control program from a server in which the control program is stored; a main storage device that stores the control program acquired by the program acquisition unit while electric power is supplied to the controller system; and a program execution unit that executes the control program stored in the main storage device.
    Type: Grant
    Filed: March 4, 2020
    Date of Patent: September 26, 2023
    Assignee: OMRON Corporation
    Inventors: Yutaka Tahara, Yuta Nagata
  • Patent number: 11768955
    Abstract: Examples described herein attempt to mitigate risk associated with digitally storing sensitive information (e.g., passwords) in insecure applications and transferring the stored sensitive information to a sensitive information field (e.g., a password field in a login page). A computing device may detect a transfer to a sensitive field. The computing device may determine if a source application for the transfer is an insecure application. If the source application is an insecure application, the computing device may provide a risk mitigation action. The computing device may also transmit to an analytic server telemetry data comprising the identification of the source application, identification of a target application containing the sensitive information field, and a username associated with the computing device. The analytic server may calculate risk score based on the received telemetry data and provide further risk mitigation actions to the computing device.
    Type: Grant
    Filed: December 15, 2020
    Date of Patent: September 26, 2023
    Inventor: Manbinder Pal Singh
  • Patent number: 11769548
    Abstract: A method includes setting an output of each memory cell in an array of memory cells to a same first value, decreasing power to the array of memory cells and then increasing power to the array of memory cells. Memory cells in the array of memory cells with outputs that switched to a second value different from the first value are then identified in response to decreasing and then increasing the power. A set of memory cells is then selected from the identified memory cells to use in hardware security.
    Type: Grant
    Filed: March 10, 2022
    Date of Patent: September 26, 2023
    Assignee: Regents of the University of Minnesota
    Inventors: Muqing Liu, Chen Zhou, Keshab K. Parhi, Hyung-il Kim
  • Patent number: 11763017
    Abstract: A system for managing data protection of virtual machines (VMs) hosted by hosts of data clusters includes a data protection manager. The data protection manager identifies a data protection event associated with at least one VM, obtains, in response to the data protection event, data protection rules and a protection policy associated with the at least one VM, spawns, by a monitoring engine orchestrator, a monitoring engine to the data cluster, initiates performance of the data protection services for the at least one VM using a first storage of storages, obtains, after the spawning, monitoring information from the monitoring engine, makes a determination that a data protection rule event of the data protection rule events occurred using the monitoring information, and in response to the determination, initiates the performance of a corrective action of corrective actions based on the data protection rules using a second storage of the storages.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: September 19, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Gururaj Kulkarni, Anand Reddy
  • Patent number: 11755767
    Abstract: A method for data isolation in a multi-tenant environment includes a vault API that is programmed to generate a key ID corresponding to a client ID associated with received entity data and pass an encryption request to a separate computer system that generates a data key to encrypt the entity data. The encrypted data is then returned to the vault API that then stores the encrypted data in a client collection associated with the client ID.
    Type: Grant
    Filed: September 1, 2021
    Date of Patent: September 12, 2023
    Assignee: Auction.com, LLC
    Inventors: Ravindra Pratap Singh, Bin Xu, Shuangli Cao
  • Patent number: 11734434
    Abstract: A protection system and a protection method for software and firmware or information capable of encrypting and adding software and firmware or information to an electronic component, so that the software and firmware or the information is protected during the process of adding to the electronic component at a manufacturing end. Even if the encrypted software and firmware or information is obtained, the original content thereof cannot be acquired. When the electronic component is activated and used, the software and firmware or the information stored therein is then decrypted. In this way, the software and firmware or the information in the electronic component can be protected from being stolen, and the cost of the electronic component can be reduced and is easy to promote.
    Type: Grant
    Filed: December 3, 2020
    Date of Patent: August 22, 2023
    Assignee: ECO-LUXURY TECHNOLOGY CO., LTD.
    Inventors: Yu-Cheng Lai, Chia-Yen Lu
  • Patent number: 11709918
    Abstract: A system and method for constructing an improved computing model that preserves use rights for data utilized by the model. A first dataset is accessed to build a computing model. The first data set is subject to terminable usage rights provisions. A portion of the first dataset is sampled to generate a second dataset. Vectors present in the first dataset and the second dataset are discretized. In response to determining that the usage rights associated with the primary dataset have been terminated, a coverage depletion for the second dataset is computed based on the usage rights termination associated with the first dataset. An estimated mean time to coverage failure for the first model based on the depletion coverage is determined for the second dataset. One or more data points are removed from the first dataset due to the termination of usage rights.
    Type: Grant
    Filed: April 17, 2020
    Date of Patent: July 25, 2023
    Assignee: FAIR ISAAC CORPORATION
    Inventors: Scott Michael Zoldi, Shafi Ur Rahman
  • Patent number: 11704421
    Abstract: Systems and methods are described for the generation of domain names that may be associated with a particular user device and may be encrypted to obfuscate the domain names of content requested by the user device.
    Type: Grant
    Filed: August 26, 2021
    Date of Patent: July 18, 2023
    Assignee: Comcast Cable Communications, LLC
    Inventors: Richard Fliam, David Arbuckle
  • Patent number: 11700124
    Abstract: An embodiment of the present invention is directed to delivering an entitlements model that scales to both mid-frequency and low-latency use cases. The innovative solution may be distributed in nature and able to operate in low priority threads alongside the main logic of the software. An embodiment of the present invention may be implemented as a software module with APIs for ease of adoption.
    Type: Grant
    Filed: April 8, 2022
    Date of Patent: July 11, 2023
    Assignee: JPMorgan Chase Bank, N.A.
    Inventor: Ilya Slavin
  • Patent number: 11689508
    Abstract: A data security server system includes a first network proxy, a data classifier, an operation pipeline module, a vault database, security infrastructure, and second network proxy that function as secure data tunnel mechanisms through which network data containing sensitive information passes. The data classifier identifies data payloads having data fields that require processing and routes these data payloads to an operation pipeline module which can redact, tokenize or otherwise process sensitive data before the data payload exits the system. The data classifier also reverses the process by identifying data payloads having redacted or tokenized data fields and restoring the sensitive data to these data fields.
    Type: Grant
    Filed: June 15, 2021
    Date of Patent: June 27, 2023
    Assignee: Very Good Security, Inc.
    Inventors: Mahmoud Abdelkader, Marshall Jones, Oleksandr Ahitoliev, Viacheslav Fomin, Andril Sliepakurov
  • Patent number: 11675916
    Abstract: A system for managing composed information handling systems to manage access to data by applications hosted by the composed information handling systems includes a system control processor that instantiates a composed information handling system using a compute resource set that hosts applications and a hardware resource set that stores a portion of the data, associates, using authorization information, storage areas of the at least one hardware resource set with the applications to obtain storage area associations, obtains a data access request from the compute resource set for the portion of the data which is stored in a storage area of the storage areas, makes a determination, based on the storage area associations and an initiator of the data access request, that the initiator of the data access request is not authorized to access the portion of the data, and refuses to service the data access request.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: June 13, 2023
    Assignee: Dell Products L.P.
    Inventors: Yossef Saad, Mark Steven Sanders, Gaurav Chawla, Mukund P. Khatri
  • Patent number: 11671247
    Abstract: Technology permitting secure storage and transmission of data streams as well as tiered access to multiple data streams according to permission. Data streams may be encrypted using symmetric encryption performed with varying symmetric keys according to a key stream of symmetric keys. Native data may be discarded for safety. Whole or partial key streams may be encrypted using the public keys of authorized entities having permission to access respective data streams or portions thereof. Only the corresponding private keys can decrypt the encrypted key streams required to decrypt the encrypted data streams. Thus rigorous access control is provided. IT personnel accessing data stream files on a server or intruders maliciously obtaining files will not be able to derive the data stream. Sensitive data streams may be stored using cloud services despite inherent risks.
    Type: Grant
    Filed: March 25, 2021
    Date of Patent: June 6, 2023
    Inventors: Pierre Racz, Frederic Rioux
  • Patent number: 11671412
    Abstract: The technology disclosed herein provides network bound encryption that enables a node management device to orchestrate workloads with encrypted data without sharing the decryption key. An example method may include: obtaining an asymmetric key pair comprising a public asymmetric key and a private asymmetric key; establishing a symmetric key using a key establishment service, wherein the symmetric key is established in view of the private asymmetric key of a first computing device and a public asymmetric key of the key establishment service; transmitting sensitive data encrypted using the symmetric key to a persistent storage device accessible to a second computing device; initiating a creation of an execution environment on the second computing device; and providing, by the first computing device, the public asymmetric key and the location data to the second computing device, wherein the location data corresponds to the key establishment service.
    Type: Grant
    Filed: July 1, 2020
    Date of Patent: June 6, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Hingston McLaughlin Bursell, Nathaniel Philip McCallum
  • Patent number: 11669872
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for broadcasting audio. In one aspect, the method includes receiving, from a server by a smart broadcasting device associated with a service client, an audio broadcast instruction; in response to receiving the audio broadcast instruction, downloading an audio file corresponding to the audio broadcast instruction, wherein the audio file comprises a marketing content related to services provided by the server to the service client associated with the smart broadcasting device; and broadcasting, by the smart broadcasting device, the audio file by using a speaker of the smart broadcasting device.
    Type: Grant
    Filed: August 10, 2021
    Date of Patent: June 6, 2023
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Qimeng Zou, Jiankang Sun, Yao Qin, Linqing Wang
  • Patent number: 11657172
    Abstract: Techniques to provide mobile access to content are disclosed. A request from a mobile application running on a mobile device to access content is received at a connector node. A user credential associated with the request is used to identify at the connector node a policy associated with the request. A policy metadata associated with the policy is provided from the connector node to the mobile application running on the mobile device. The mobile application may include application code that is responsive to the policy metadata to perform, with respect to the request to access content, an action indicated by the policy.
    Type: Grant
    Filed: May 1, 2020
    Date of Patent: May 23, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Anand Taralika, Divakara Challa, Srin Kumar, Alok Ojha, Leonard Chung
  • Patent number: 11652819
    Abstract: Secure methods, systems, and media for generating and verifying user credentials are provided. In some embodiments, the method comprises: receiving, from a user device, a request for access to a service that requires valid user credentials; determining an aspect of the user credentials that is to be satisfied to grant access to the requested service; transmitting, to the user device, a request for information related to the aspect of the user credential; receiving, from the user device, information related to the aspect of the user credential, wherein the information has been signed using a key associated with the user device; verifying the key used to sign the information by the user device; in response to verifying the key used to sign the information, determining whether the aspect of the user credential has been satisfied based on the received information; and, in response to determining that the aspect of the user credential has been satisfied, granting access to the service.
    Type: Grant
    Filed: July 16, 2019
    Date of Patent: May 16, 2023
    Assignee: Google LLC
    Inventors: John Wittrock, David Stein
  • Patent number: 11647040
    Abstract: In an embodiment, a vulnerability scanner component determines one or more target software objects of a remote file system for a vulnerability scan, and performs, via a file system application programming interface (API), a file system decoding procedure based on information associated with the remote file system to determine a subset of disk blocks of the remote file system that comprise the one or more target software objects. The vulnerability scanner component transmits, to a remote device, a read request associated with the subset of disk blocks, and obtains, in response to the read request, the subset of disk blocks (e.g., rather than a full disk image). The vulnerability scanner component extracts the one or more target software objects from the subset of disk blocks, and performs the vulnerability scan on the extracted one or more target software objects.
    Type: Grant
    Filed: July 14, 2022
    Date of Patent: May 9, 2023
    Assignee: TENABLE, INC.
    Inventors: Kevin Douglas, Matthew Wirges
  • Patent number: 11645235
    Abstract: The present technology operates in an application layer of an operating system on a client device of a content management system to monitor for changes to shared content items that are likely unintentional—for example the change might move a content item out of a shared space, or otherwise remove the shared content item from access by other users. The present technology can detect a content item change event on a client device, compare a source file system path for the content item change event with a destination file system path for the content item change event to determine a canonical move causing the content item change event, determine that the canonical move was likely unintentional; and display a notification informing the user that a content item change that was likely unintentional was detected and then allow the user to either confirm or deny (undo) the detected change.
    Type: Grant
    Filed: May 25, 2022
    Date of Patent: May 9, 2023
    Assignee: Dropbox, Inc.
    Inventors: Benjamin Zeis Newhouse, Alex Sydell, Shi Cong
  • Patent number: 11646874
    Abstract: A method including determining, by a device, an assigned key pair including an assigned public key and an assigned private key; determining, by the device for a folder including encrypted content, a folder access key pair including a folder access public key and a folder access private key; encrypting, by the device, the folder access private key by utilizing the assigned public key; and accessing, by the device, the encrypted content based at least in part on decrypting the folder access private key. Various other aspects are contemplated.
    Type: Grant
    Filed: September 23, 2021
    Date of Patent: May 9, 2023
    Assignee: UAB 360 IT
    Inventor: Mindaugas Valkaitis
  • Patent number: 11641349
    Abstract: Aspects of the present disclosure relate to encryption management. A determination can be made whether an encryption algorithm is at-risk. In response to determining that the encryption algorithm is at-risk, data protected by the encryption algorithm can be identified. A security action can then be executed on the data protected by the encryption algorithm.
    Type: Grant
    Filed: March 7, 2022
    Date of Patent: May 2, 2023
    Assignee: International Business Machines Corporation
    Inventors: Lokesh Mohan Gupta, Matthew G. Borlick, Mark Elliott Hack, Micah Robison
  • Patent number: 11641378
    Abstract: A method for migrating security benchmark compliance content from a source platform to a target platform includes filtering a set of configuration parameters in a source platform to a subset of configuration parameters, each of the parameters corresponding to a respectively different entry in a security checklist of a security benchmark. Then, a listing is presented in a user interface of each of the configuration parameters and for each configuration parameter, a corresponding entry in the security checklist regulating the configuration parameter according to a range of values. Finally, the configuration parameters in the subset are applied to a target platform excepting for at least one of the configuration parameters. Instead, an alternative value within the range is received as input in the user interface and is applied to the target platform in lieu of the at least one of the configuration parameters.
    Type: Grant
    Filed: May 7, 2020
    Date of Patent: May 2, 2023
    Assignee: Steelcloud LLC
    Inventor: Brian H. Hajost
  • Patent number: 11636021
    Abstract: A system is described for preserving integrity of computing devices. A manifest that uniquely identifies files on a computing device is periodically captured from the computing device. The manifest is compared against a reference manifest, which represents an ideal or clean state of the device. If the manifest comparison indicates that there have been changes to the contents of the computing device, the system can determine whether the changes constitute a compromise to the endpoint's integrity. If it is determined that a change constitutes a compromise to the endpoint's integrity, the system can perform certain remedial actions, such as sending a message to an administrator or enforcing a base layer onto the device so that the content of the device is replaced with a clean image.
    Type: Grant
    Filed: May 9, 2017
    Date of Patent: April 25, 2023
    Assignee: VMware, Inc.
    Inventors: Yan Aksenfeld, Yakov Voloch, Ran Apel
  • Patent number: 11636223
    Abstract: A storage system may assign a different encryption key to each logical storage unit (LSU) of a storage system. For each LSU, the encryption key of the LSU may be shared only with host systems authorized to access data of the LSU. In response to a read request for a data portion received from a host application executing on the host system, encryption metadata for the data portion may be accessed. If it is determined from the encryption metadata that the data portion is encrypted, the data encryption metadata for the data portion may be further analyzed to determine the encryption key for the data portion. The data may be retrieved from the storage system, for example, by performance of a direct read operation. The retrieved data may be decrypted, and the decrypted data may be returned to the requesting application.
    Type: Grant
    Filed: January 15, 2020
    Date of Patent: April 25, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Seema G. Pai, Gabriel Benhanokh, Ian Wigmore, Arieh Don, Alesia A. Tringale
  • Patent number: 11630804
    Abstract: In an approach for classifying and storing multiple layers of a file system as platform-dependent and platform-independent layers, a processor generates an initial layer of a file system. The initial layer is a platform-dependent base layer. A processor assigns one or more files associated with the initial layer with a first group identification as a first same group in a file registry for a plurality of platforms. A processor generates a new layer based on the initial layer into the file system. A processor, in response to the new layer being platform-independent, marks the new layer as platform-independent in the file registry. A processor pushes the new layer into the file registry for one of the plurality of platforms. A processor distributes one or more corresponding files from the file registry per a client request to access the file system.
    Type: Grant
    Filed: September 29, 2021
    Date of Patent: April 18, 2023
    Assignee: International Business Machines Corporation
    Inventors: Hou Gang Liu, Guang Ya Liu, Jin Chi J C He, Yu Xing Y X Ren, Dong Yu
  • Patent number: 11624927
    Abstract: A method and an apparatus for processing a screen by using a device are provided. The method includes obtaining, at the second device, a display screen displayed on the first device and information related to the display screen according to a screen display request regarding the first device, determining, at the second device, an additional screen based on the display screen on the first device and the information related to the display screen, and displaying the additional screen near the display screen on the first device.
    Type: Grant
    Filed: May 10, 2022
    Date of Patent: April 11, 2023
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Myung-sik Kim, Su-jung Bae, Moon-sik Jeong, Sung-do Choi
  • Patent number: 11616635
    Abstract: A device, system and method for securely executing recursive computations over encrypted data in a homomorphically encrypted (HE) space. For a recursive algorithm with sequentially dependent recursive iterations, executing the recursive algorithm in parallel by computing multiple recursive iterations simultaneously over multiple parallel execution iterations and not in sequential order. Each parallel execution iteration may compute a partial HE solution of multiple sequential recursive iterations comprising a known HE part and leaves empty a placeholder call slot for an unknown HE part. Placeholder call slots remain empty and are filled at delayed times at a later parallel execution iteration from when the known part of the same HE computation is computed. A final HE solution is computed in fewer multiple parallel execution iterations than the number of sequential recursive iterations, thereby accelerating the recursive algorithm in HE space.
    Type: Grant
    Filed: November 26, 2020
    Date of Patent: March 28, 2023
    Assignee: Duality Technologies, Inc.
    Inventors: Marcelo Blatt, Matthew Triplet, Yuval Harness
  • Patent number: 11616642
    Abstract: A method including determining, by the first device for a group, a group access key pair including a group access public key and a group access private key; determining, by the first device, a sharing encryption key based on the group access private key and an assigned public key associated with a second device; encrypting, by the first device, the group access private key based on utilizing the sharing encryption key; determining, by a second device, a sharing decryption key based on the group access public key and an assigned private key associated with the second device; decrypting, by the second device, the group access private key based on utilizing the sharing decryption key; and accessing, by the second device, the group based on utilizing the group access private key. Various other aspects are contemplated.
    Type: Grant
    Filed: October 8, 2021
    Date of Patent: March 28, 2023
    Assignee: UAB 360 IT
    Inventor: Mindaugas Valkaitis
  • Patent number: 11606459
    Abstract: A terminal device includes a processor, a direct stream digital (DSD) audio playback circuit, and a headset jack. The processor is connected to the DSD audio playback circuit, and the DSD audio playback circuit is connected to the headset jack. The processor outputs a DSD audio signal to the DSD audio playback circuit in response to triggering performed by a user. The DSD audio playback circuit is configured to process the DSD audio signal, generate an alert tone based on a current scenario, and superpose the processed DSD audio signal and the alert tone. The headset jack is configured to connect to a headset and play the superposed audio signal and alert tone using the headset.
    Type: Grant
    Filed: January 11, 2018
    Date of Patent: March 14, 2023
    Assignee: HONOR DEVICE CO., LTD.
    Inventors: Xiao Yang, Fang-Ching Lee
  • Patent number: 11601270
    Abstract: Methods for rotating cryptographic keys to revoke access to encrypted data stored on a remote server. Obtaining a first cryptographic key from a key store. Generating a second cryptographic key at a user device. Obtaining a first chunk of data from an encrypted file stored on the remote server. Decrypting the first chunk of data using the first cryptographic key to provide a decrypted first chunk of data. Re-encrypting the decrypted first chunk of data using the second cryptographic key to provide a re-encrypted first chunk of data. Uploading the re-encrypted first chunk of data to the remote server from non-persistent storage. Repeating the steps until an entire encrypted file has been decrypted and re-encrypted. Combining all the re-encrypted chunks of the encrypted file to provide a reassembled encrypted file that is associated with the second cryptographic key. Updating the remote server with the reassembled encrypted file associated with the second cryptographic key.
    Type: Grant
    Filed: September 26, 2022
    Date of Patent: March 7, 2023
    Inventor: Justas Rafanavičius
  • Patent number: 11599455
    Abstract: Various aspects of the disclosure relate to test automation systems with pre-compilers to validate various steps associated with a test script. An artificial intelligence (AI)-based pre-compiler may use natural language processing (NLP) to validate various steps associated with a test script associated with an application. Other aspects of this disclosure relate to automated encryption and mocking of test input data associated with test scripts.
    Type: Grant
    Filed: July 8, 2021
    Date of Patent: March 7, 2023
    Assignee: Bank of America Corporation
    Inventors: Dilip Venugopal, Ajay Kumar Pulipati, Vishal Murugesan
  • Patent number: 11595367
    Abstract: An apparatus includes a packet encryption circuit that uses encryption keys to encrypt each of two or more portions of a data packet. Each portion is encrypted with a different encryption key and includes one or more layers of the data packet. A first portion includes a layer of the data packet with MAC information. The apparatus includes a packet transmitter that transmits, from a source router, an encrypted data packet to an intermediate router between the source router and a destination router. The encrypted data packet includes an encrypted version of the data packet encrypted using the encryption keys. The intermediate router has encryption keys sufficient for a service level agreement of the intermediate router and lacks a portion of the encryption keys. The source and destination routers use a MAC security standard for encryption and decryption of the data packet using the encryption keys.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: February 28, 2023
    Assignee: LENOVO Enterprise Solutions (Singapore) PTE. LTD.
    Inventors: Bogdan Chifor, George-Andrei Stanescu, Radu Iorga, Corneliu-Ilie Calciu
  • Patent number: 11595207
    Abstract: This disclosure describes methods, non-transitory computer readable storage media, and systems that provide secure password sharing across a plurality of users and client devices via a shared folder. For example, in one or more embodiments, the disclosed system retrieves a public key set including public encryption keys for client devices having access to the shared folder. The disclosed system provides the public key set to a client device requesting to share the shared folder. The disclosed system receives an encrypted payload for the shared folder and a shared encryption key that is utilized to encrypt the payload and is encrypted in the shared folder utilizing the public key set. The disclosed system also detects key rotation events and notifies one or more client devices to generate a modified shared encryption key and re-encrypt the payload for storage within the shared folder.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: February 28, 2023
    Assignee: Dropbox, Inc.
    Inventors: Jiayi Xu, Brent Heeringa, Andrew Hannon, Katherine Prior
  • Patent number: 11595190
    Abstract: An encrypted data storage system includes a storage system that is configured to store encrypted data, and a first client device that is coupled to the storage system. The first client device performs a hash operation on first data to generate a Data Encryption Key (DEK), and uses the DEK to perform a data encryption operation on the first data to generate encrypted first data. The first client device then uses a first Key Encryption Key (KEK) to perform a first key encryption operation on the DEK to generate a first encrypted DEK, associates the first encrypted DEK with the encrypted first data, and transmits the encrypted first data to the storage system for storage.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: February 28, 2023
    Assignee: Dell Products L.P.
    Inventors: Radia Perlman, Charles Kaufman
  • Patent number: 11586757
    Abstract: The systems and methods disclosed herein transparently provide data security using a cryptographic file system layer that selectively intercepts and modifies (e.g., by encrypting) data to be stored in a designated directory. The cryptographic file system layer can be used in combination with one or more cryptographic approaches to provide a server-based secure data solution that makes data more secure and accessible, while eliminating the need for multiple perimeter hardware and software technologies.
    Type: Grant
    Filed: August 30, 2019
    Date of Patent: February 21, 2023
    Assignee: Security First Innovations, LLC
    Inventors: Mark S. O'Hare, Rick L. Orsini, Roger S. Davenport
  • Patent number: 11580239
    Abstract: Access to data and resources in a multi-tenant computing system is managed by tagging the data and resources with attributes, as well as by tagging users with attributes. Tenant-specific access policies are configured. When an access request is received from a workload, a policy decision engine processes the attributes that are tagged to the requesting workload (e.g., user, application, etc.) as well as those tagged to the requested data or resource, given a relevant tenant-specific policy. An access decision is provided in response to the access request, and the access decision can be enforced by a tenant-specific enforcement system.
    Type: Grant
    Filed: October 22, 2019
    Date of Patent: February 14, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Daniel John Carroll, Jr., Kameshwar Jayaraman, Stuart Kwan, Kartik Tirunelveli Kanakasabesan, Shefali Gulati, Charles Glenn Jeffries, Ganesh Pandey, Roberto Carlos Taboada, Parul Manek, Steven Mark Silverberg
  • Patent number: 11582022
    Abstract: A scheme for securely transferring a patient data file to an intended recipient regardless of a transfer mode selected by a sender. Encryption system executing at the sender device is operative to encrypt each plaintext data line of a file, one by one, using a symmetric key and a starting IV that is incremented per each line, resulting in corresponding ciphertext lines added to an encrypted file. A hash is generated based on the encrypted file. An encrypted header containing the symmetric key, starting IV and the hash is generated using a public key of the recipient, which is appended to the encrypted file. The encrypted header and associated encrypted file are transmitted to the recipient in any manner. Upon receipt, the recipient decrypts the encrypted header using a private key to obtain the symmetric key, starting IV and the hash, which are used by the recipient to validate and decrypt the encrypted file on a line-by-line basis.
    Type: Grant
    Filed: November 3, 2020
    Date of Patent: February 14, 2023
    Assignee: Advanced Neuromodulation Systems, Inc.
    Inventors: Greg Creek, James Thomas Nagle, Jagatkumar Shah
  • Patent number: 11579785
    Abstract: Technologies are provided to ensure integrity of erasure coded data that is subject to read and write access from distributed processes. Multiple processes that access erasure coded data can be coordinated in an efficient, scalable and fault-tolerant manner so that integrity of the original data is maintained. The technologies include a fault-tolerant access coordination protocol that ensures exclusive write access by a client. The coordination protocol achieves scalability by not relying on centralized components, and achieves efficiency and performance by piggy-backing access coordination messages on operations of the underlying erasure coding protocol.
    Type: Grant
    Filed: October 2, 2020
    Date of Patent: February 14, 2023
    Assignee: Quobyte Inc.
    Inventors: Felix Hupfeld, Felix Langner, Robert Döbbelin
  • Patent number: 11582028
    Abstract: A method including determining, by a device, a sharing decryption key based at least in part on an assigned private key associated with the device and a group access public key associated with a group; decrypting, by the device, a group access private key associated with the group by utilizing the sharing decryption key; and decrypting, by the device, encrypted content included in a folder associated with the group based at least in part on utilizing the group access private key associated with the group. Various other aspects are contemplated.
    Type: Grant
    Filed: October 8, 2021
    Date of Patent: February 14, 2023
    Assignee: UAB 360 IT
    Inventor: Mindaugas Valkaitis
  • Patent number: 11580263
    Abstract: A device obtains previously created data content. The device unmasks and extracts one or more chain of custody blocks stored in association with the data content. The one or more chain of custody blocks includes chain of custody data identifying who, when, where, and, with what hardware and/or software, created or edited the data content. The device analyzes the one or more chain of custody blocks and validates an origination of the data content based on the analysis of the one or more chain of custody blocks.
    Type: Grant
    Filed: November 18, 2019
    Date of Patent: February 14, 2023
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Indraneel Sen, Weimin Liu, Yuk Lun Li, Mohammad Raheel Khalid, Ravi Sharma, Dan Sun
  • Patent number: 11568063
    Abstract: A distributed database encrypts tables using table encryption keys protected by a client master encryption key. The client may revoke authorization to access the client master encryption key. Subsequent to a revocation of authority to access the client master encryption key, the distributed database generates interim snapshots of the table using the table encryption key. Also subsequent to the revocation, the distributed database generates a backup of the table using a backup encryption key protected by the client master encryption key.
    Type: Grant
    Filed: November 22, 2019
    Date of Patent: January 31, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Akshat Vig, Nicholas Gordon, Sroaj Sosothikul, Ravi Math, Avinash Kodakandla, Somasundaram Perianayagam, Mazen Moez Ali, Sharan Rajesh Munyal
  • Patent number: 11568065
    Abstract: A system is provided for securing electronic data by aggregation of distributed electronic database entries. The system may comprise two or more data repositories that may be logically and/or physically separated from one another. Incoming data may be split into multiple parts that may be stored in a distributed manner across the two or more data repositories. Each of the parts of the incoming data may be associated with an identifier and/or a sequence number such that the system, upon receiving a user query for such data, may aggregate the individual parts of the data in the correct sequence. In some embodiments, the system may further use an obfuscation algorithm to apply randomized values to the identifiers and/or sequence numbers and track the operations performed in an obfuscation log. In this way, the system may provide a way to securely store and retrieve data to prevent unauthorized access.
    Type: Grant
    Filed: January 15, 2021
    Date of Patent: January 31, 2023
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Nia Mack, Brandon Sloane
  • Patent number: 11552783
    Abstract: A method of performing ordered statistics between at least two parties is disclosed which includes identifying a first dataset (xA) by a first node (A), identifying a second dataset (xB) by a second node (B), wherein xB is unknown to A and xA is unknown to B, and wherein A is in communication with B, and wherein A and B are in communication with a server (S), A and B each additively splitting each member of their respective datasets into corresponding shares, sharing the corresponding shares with one another, arranging the corresponding shares according to a mutually agreed predetermined order into corresponding ordered shares, shuffling the ordered shares into shuffled shares, re-splitting the shuffled shares into re-split shuffled shares, and performing an ordered statistical operation on the re-split shuffled shares, wherein the steps of shuffle and re-split are based on additions and subtractions but not multiplication and division.
    Type: Grant
    Filed: January 27, 2022
    Date of Patent: January 10, 2023
    Assignee: Purdue Research Foundation
    Inventors: Mikhail J Atallah, Siva Chaitanya Chaduvula, Adam Dachowicz, Jitesh H Panchal, Mohammad S Rahman