Computer Program Modification Detection By Cryptography Patents (Class 713/187)
  • Patent number: 9165134
    Abstract: The protected resource, typically an API, is exposed by endpoints of a plurality of administrative domains. The endpoints are previously unknown by said service application and the method further comprises: i. using an intermediate or global entity for: a) selecting one of said administrative domains based on flexible criteria (i.e. at least on the identity of said end user but also considering varying user or service preferences); and b) performing, said selected administrative domain, a secure authorization to grant access to said end user by means of an open protocol; and ii. providing, said selected administrative domain to said service application, once performed said secure authorization, direct or proxy access to said user's protected resource via the endpoint established by said intermediate entity.
    Type: Grant
    Filed: November 4, 2011
    Date of Patent: October 20, 2015
    Assignee: Telefonica, S.A.
    Inventors: Jorge Lorenzo, David Lozano, Diego Gonzalez, David Vicente
  • Patent number: 9147076
    Abstract: A method may include generating a first shared secret for a present boot session of the information handling system and determining if a second shared secret existed for a prior boot session of the information handling system. If the second shared secret existed for the prior boot session, the method may include encrypting the first shared secret with the second shared secret and communicating the first shared secret encrypted by the second shared secret from a first information handling resource to a second information handling resource. If the second shared secret did not exist for the prior boot session, the method may include communicating the first shared secret unencrypted from the first information handling resource to the second information handling resource. The method may additionally include securely communicating between the first information handling resource and the second information handling resource using the first shared secret for encryption and decryption.
    Type: Grant
    Filed: April 24, 2014
    Date of Patent: September 29, 2015
    Assignee: Dell Products L.P.
    Inventors: Muhammed Jaber, Marshal Savage, Mukund Purshottam Khatri
  • Patent number: 9147075
    Abstract: The disclosed apparatus may include a storage device and a secure counter. The apparatus may also include a tamper-logging component that (1) detects an action that is associated with booting untrusted images from the storage device and, in response to detecting the action, (2) securely logs the action by incrementing the secure counter. Various other apparatuses, systems, and methods are also disclosed.
    Type: Grant
    Filed: March 20, 2014
    Date of Patent: September 29, 2015
    Assignee: Juniper Networks, Inc.
    Inventor: Moshe Litvin
  • Patent number: 9118552
    Abstract: A system for simplifying the configuration and administration of computer networks. A server system first sends a broadcast message out to the other network nodes on the computer network to learn the configuration of each of the other network nodes on the local network. Next, network software within each other network node (not shown) responds to the broadcast message with a response containing configuration information and an identifier key value. In one embodiment, the identifier key value may be a randomly generated number. The server system then builds a table of network nodes using the information received in the response messages sent in response to the broadcast message. The server may then communicate with systems having duplicate addresses using the identifier key value. In some embodiments, the server system may send request messages to one or more network nodes specifying a network configuration change.
    Type: Grant
    Filed: November 6, 2012
    Date of Patent: August 25, 2015
    Assignee: nComputing, Inc.
    Inventors: Yury Karlov, Nikolay Kovach
  • Patent number: 9100187
    Abstract: According to one embodiment, a method for authenticating a device, wherein the device holds secret identification information, encrypted secret identification information, and key management information, and an authenticator holds an identification key, the method includes reading, by the authenticator, the encrypted secret identification information and the key management information from the device, and obtaining, by the authenticator, a family key by using the key management information, the family key being capable of being decrypted with the identification key. The method further includes obtaining, by the authenticator, the secret identification information by decrypting the encrypted secret identification information with the family key.
    Type: Grant
    Filed: January 6, 2014
    Date of Patent: August 4, 2015
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Taku Kato, Tatsuyuki Matsushita, Yuji Nagai, Shinichi Matsukawa
  • Patent number: 9092598
    Abstract: A software license for a particular version of a software product on a computing device includes both a branding identifier that identifies the particular version of the software product and component dependency information that identifies one or more aspects of the particular version of the software product. To activate a software product on the computing device, the branding identifier is compared to a portion of the software product on the computing device. If the branding identifier matches the portion of the software product, then the component dependency information is compared to one or more aspects of the software product on the computing device. If the component dependency information matches the one or more aspects of the software product then the software product is activated. Otherwise, the license state of the software product is kept unchanged.
    Type: Grant
    Filed: July 30, 2009
    Date of Patent: July 28, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Wen-Pin Scott Hsu, Tarik Soulami, Richard S. Eizenhoefer, Ning Zhang, Anil Bazaz, Thomas J. Layson, Josue L Noriega de la Vega
  • Patent number: 9092775
    Abstract: The invention provides a method for loading an application requiring personalization into a portable storage medium which is set up to be operated in a terminal. Personalization data for personalizing the application and possibly application data are additionally loaded into a restore module which is independent of applications stored in an application memory, is configured as a non-volatile memory, and is disposed within the portable storage medium or within the terminal. For updating an application, the personalization data and possibly application data are loaded from the restore module into the updated application. A portable storage medium has a non-volatile, application-independent restore module. System with storage medium and terminal and non-volatile, application-independent restore module.
    Type: Grant
    Filed: June 18, 2009
    Date of Patent: July 28, 2015
    Assignee: GIESECKE & DEVRIENT GMBH
    Inventors: Eddy Bernard, Lucas Neubauer, Joachim Monch
  • Patent number: 9087217
    Abstract: A method for enhancing reliability of data is provided. A computer configured to provide output datum (Ds) from input datum (De) includes at least two data processing modules, and a computing member connected to each module. The method includes computing, with each module, intermediate datum (DIA, DIB) from the input datum (De), calculating, with each module, an intermediate security code (CSIA, CSIB) from the corresponding intermediate datum (DIA, DIB), transmitting to the computing member, with each module, the intermediate security code (CSIA, CSIB) and the intermediate datum (DIA, DIB), computing a security code (CS) from the intermediate security codes (CSIA, CSIB), selecting an intermediate datum from among the received intermediate data (DIA, DIB), the output datum (Ds) of the computer including the selected intermediate datum, and transmitting to a receiving device the security code (CS) and output datum (Ds).
    Type: Grant
    Filed: June 19, 2013
    Date of Patent: July 21, 2015
    Assignee: ALSTOM TRANSPORT TECHNOLOGIES
    Inventors: Xavier Gallois, Guillaume Vibert
  • Patent number: 9083534
    Abstract: A method and system for securely propagating client identities in a service call from a first system to a target service system are provided. The system includes a memory device for storing data and a service provider (SP) computer system. The SP computer system is programmed to determine identities to transmit to the target system in association with a request, construct a data structure to represent each identity and additional information related to the identity, digitally sign the identity information, pair the identity information and the corresponding digital signature in a header of a request message from the first system to the target service system, receive the request message and extract the identity information and corresponding digital signatures from the header, validate the corresponding digital signatures, and construct using the corresponding identity information a data structure that represents each of the original identities established in the first system.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: July 14, 2015
    Assignee: MasterCard International Incorporated
    Inventors: Stephen Christopher Kirk, Nathaniel David Byrd, Eric G. Alger
  • Patent number: 9058491
    Abstract: A system may include a host that may include a processor coupled to a non-volatile memory over a secure communication protocol. As a result, prior to release for manufacturing, a binding code may be established between the host and the non-volatile memory. In some embodiments, this binding code may be stored on the non-volatile memory and not on the host. Then during a boot up of the system, the boot up process may be initiated by the host using code associated with the host, followed by secure booting using the secure protocol using code stored on the non-volatile memory.
    Type: Grant
    Filed: March 26, 2009
    Date of Patent: June 16, 2015
    Assignee: MICRON TECHNOLOGY, INC.
    Inventor: Brent Ahlquist
  • Patent number: 9043612
    Abstract: Embodiments of the present invention provide an approach for protecting visible data during computerized process usage. Specifically, in a typical embodiment, when a computerized process is identified, a physical page key (PPK) is generated (e.g., a unique PPK may be generated for each page of data) and stored in at least one table. Based on the PPK, a virtual page key (VPK) is generated and stored in at least one register. When the process is later implemented, and a request to access a set of data associated with the process is received, it will be determined whether the VPK is valid (based on the PPK). Based on the results of this determination, a data access determination is made.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: May 26, 2015
    Assignee: International Business Machines Corporation
    Inventor: Doyle J. McCoy
  • Patent number: 9038138
    Abstract: Various techniques for providing a device token protocol for authorization and persistent authentication shared across applications are disclosed. In some embodiments, a device token protocol for authorization and persistent authentication shared across applications includes sending user credentials to a remote server to authenticate a user on a device for a plurality of applications; and receiving a device token from the remote server for the user to authenticate the user for the plurality of applications on the device, in which the device token facilitates authentication and authorization.
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: May 19, 2015
    Assignee: Adobe Systems Incorporated
    Inventors: John Trammel, Andrei Kalfas, Lutfiye Umit Yalcinalp, Daniel Carl Brotsky, James Thomas Boag
  • Patent number: 9038064
    Abstract: The disclosed implementations are related to trace-assisted prefetching of a virtual machine from a network resource to improve interactive performance of the virtual machine on a host device. Trace patterns can be automatically uploaded to a network resource, which aggregates the patterns, and serves the patterns back to the host device, or a different host device, when the host device downloads a virtual machine for the first time.
    Type: Grant
    Filed: November 29, 2011
    Date of Patent: May 19, 2015
    Assignee: Moka5, Inc.
    Inventors: John C. Whaley, Wen-Suk Chun, Monica Sin-Ling Lam, Constantine P. Sapuntzakis
  • Patent number: 9037854
    Abstract: A privileged cryptographic service is described, such as a service running in system management mode (SMM). The privileged service is operable to store and manage cryptographic keys and/or other security resources in a multitenant remote program execution environment. The privileged service can receive requests to use the cryptographic keys and issue responses to these requests. In addition, the privileged service can measure the hypervisor at runtime (e.g., either periodically or in response to the requests) in an attempt to detect evidence of tampering with the hypervisor. Because the privileged service is operating in system management mode that is more privileged than the hypervisor, the privileged service can be robust against virtual machine escape and other hypervisor attacks.
    Type: Grant
    Filed: January 22, 2013
    Date of Patent: May 19, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Nachiketh Rao Potlapally
  • Patent number: 9037867
    Abstract: A configuration for achieving efficient content verification processing based on hash values is provided. Hash values of hash units set as segmented data of a content stored on an information storage medium are recorded in a content hash table and are stored on the information storage medium together with the content. An information processing apparatus for executing content playback executes hash-value comparison processing based on one or more randomly selected hash values. Regardless of the data amount of content, the configuration can perform hash-value determination and comparison processing based on hash units having a small amount of data, so that user equipment for executing content playback can perform efficient content verification.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: May 19, 2015
    Assignee: Sony Corporation
    Inventors: Kenjiro Ueda, Tateo Oishi, Yoshitomo Osawa, Katsumi Muramatsu, Motoki Kato, Yoshikazu Takashima
  • Patent number: 9037872
    Abstract: A processor, a method and a computer-readable storage medium for encrypting a return address are provided. The processor comprises hardware logic configured to encrypt an instruction pointer and push the encrypted instruction pointer onto a stack. The logic is further configured to retrieve the encrypted instruction pointer from the stack, decrypt the instruction pointer and redirect execution to the decrypted instruction pointer.
    Type: Grant
    Filed: December 17, 2012
    Date of Patent: May 19, 2015
    Assignee: Advanced Micro Devices, Inc.
    Inventor: David A. Kaplan
  • Patent number: 9032204
    Abstract: A method and system for signing a digital certificate in real time for accessing a service application hosted within a service provider (SP) computer system through an open application programming interface (API) platform is provided. The API platform is in communication with a memory device. The method includes receiving registration data from a developer computer device wherein the developer computer device is associated with a developer and configured to store a developer application, receiving a certificate signing request (CSR) from the developer computer device wherein the CSR includes a public key associated with the developer, verifying the registration data as being associated with the developer, signing the CSR to produce a signed certificate after verifying the registration data wherein the verifying and signing steps are performed by the SP computer system in real time, and transmitting the signed certificate and a client ID to the developer computer device.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: May 12, 2015
    Assignee: MasterCard International Incorporated
    Inventors: Nathaniel David Byrd, Jenny Qian Zhang, Eric G. Alger
  • Patent number: 9026801
    Abstract: System call interception is activated for an application process. It is recorded that system call interception is active for the application process. Ongoing checking is performed to determine whether system call interception remains active.
    Type: Grant
    Filed: April 26, 2012
    Date of Patent: May 5, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Helen Balinsky, Neil Moore, Steven J. Simske
  • Patent number: 9026802
    Abstract: Verification of software to be run in a secure environment is performed by comparing a critical portion of the executable boot program code in an EPROM with code stored in a logic circuit. The comparison may be performed before the code to be verified is run or while it is running. In the event that the validation fails, certain critical functions of the platform are inhibited to prevent fraudulent operation of the platform. The system is particularly applicable to gaming machines to avoid cheating.
    Type: Grant
    Filed: July 2, 2012
    Date of Patent: May 5, 2015
    Assignee: Aristocrat Technologies Australia Pty Limited
    Inventor: Robert Linley Muir
  • Patent number: 9027158
    Abstract: A download method of media contents, which includes receiving and storing, by an electronic book terminal, a DRM (Digital Right Management) code from a contents server, the DRM code being stored in a memory of the electronic book terminal; receiving a media contents list from the contents server by requesting the media contents list at the contents server; decoding the received media contents list with the DRM code stored in the memory; displaying the media contents list on a screen of the electronic book terminal; requesting at least one media contents at the contents server, the at least one media contents being selected in the media contents list in response to a user input; receiving the at least one media contents from the contents server; and decoding the received at least one media contents with the DRM code stored in the memory.
    Type: Grant
    Filed: October 18, 2010
    Date of Patent: May 5, 2015
    Assignee: LG Innotek Co., Ltd.
    Inventors: Hyoungki Nam, Hongil Kwon
  • Patent number: 9027084
    Abstract: The present invention provides methods and apparatuses that utilize a portable apparatus to securely operate a host electronic device. Typically, each portable apparatus includes a data storage unit which stores an operating system and other software. In one example, a portable apparatus can provide a virtual operating environment on top of a host's operating system for a host device. In another example, a portable apparatus containing its operating system can directly boot a host device with one or more hardware profiles. Furthermore, a device-dependent protection against software piracy, a user-dependent protection against sensitive data leaks, a controllable host operating environment to prevent unwanted information exposure, and a secure restoration procedure to prevent virus infection between the host device users may be incorporated. Moreover, an authorization signature may also be utilized to authorize a connected-state guest operation environment in the host device.
    Type: Grant
    Filed: July 10, 2012
    Date of Patent: May 5, 2015
    Inventor: Evan S. Huang
  • Patent number: 9027132
    Abstract: A system, method and computer program product are provided. In use, execution of a portion of internal code of an interface is identified. Further, in response to the execution of the portion of internal code, at least one aspect of an invocation of the interface is monitored and/or analyzed.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: May 5, 2015
    Assignee: McAfee, Inc.
    Inventor: Gregory William Dalcher
  • Patent number: 9027138
    Abstract: Novel solutions for detecting and/or treating malware on a subscriber's premise network. Such solutions can include, but are not limited to, tools and techniques that can detect, and/or enable the detection of, malware infections on individual subscriber devices within the subscriber's network. In a particular embodiment, for example, a premise gateway, or other device on the subscriber's premise network, is configured to analyze packets traveling through the premise gateway and, based on that analysis, identify one or more subscriber devices that are infected with malware.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: May 5, 2015
    Assignee: CenturyLink Intellectual Property LLC
    Inventors: Michael Glenn, Donald J. Smith, John Butala
  • Patent number: 9026800
    Abstract: Methods and systems for allowing customer or third party testing of secure programmable code are disclosed and may include verifying code loaded in a set-top box utilizing a test hash or a production hash prior to execution of the code, where the test hash and production hash may be stored in a memory, such as an OTP, within the set-top box, and may allow migration from corresponding test code to production code, which may be verified utilizing the test hash and production hash, respectively. The test and production hashes may be customer specific. The migration from test code to production code may be authenticated using at least a set-top box specific password. The test hash may be stored in a first portion of a one-time programmable memory and the production hash in a remaining portion, with the first portion being less than or equal to the remaining portion.
    Type: Grant
    Filed: May 2, 2007
    Date of Patent: May 5, 2015
    Assignee: Broadcom Corporation
    Inventors: Stephane Rodgers, Andrew Dellow, Iue-Shuenn Chen, Xuemin Chen, Carolyn Walker
  • Patent number: 9021244
    Abstract: Firmware in a UEFI-compliant computing device is used to administer and alter a Secure Boot process for the computing device while continuing to provide protection from unauthorized third-party code.
    Type: Grant
    Filed: November 5, 2012
    Date of Patent: April 28, 2015
    Assignee: Insyde Software Corp.
    Inventor: Jeffery Jay Bobzin
  • Patent number: 9021545
    Abstract: In one embodiment, a first instruction prescribing a setting for a feature is defined. A second instruction prescribing a first action is defined. A third instruction prescribing a second action is defined. It is determined whether the feature is present in a computing device, and if present, whether the feature is set to the setting. The first action is initiated if the feature is present and not set to the setting. The second action is initiated if the feature is not present.
    Type: Grant
    Filed: August 31, 2010
    Date of Patent: April 28, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Matthew Deter, Douglas T. Albright, Kimberly G. Drongesen, John K. Gonsalves, Daryl Wong, Shivaun Albright
  • Patent number: 9021597
    Abstract: Security arrangements for a universal serial bus (USB) protocol stack of a USB host system are provided. The security arrangements prevent an unauthorized or suspicious USB device from communicating with the host system, detect suspicious activity originating from a device which is already communicating with the host system and may provide notification to a user.
    Type: Grant
    Filed: April 3, 2014
    Date of Patent: April 28, 2015
    Assignee: MCCI Corporation
    Inventors: Terrill M. Moore, John I. Garney, Salvatore Gregory Scaffidi, Jr., Christopher Jay Yokum
  • Publication number: 20150113284
    Abstract: An application creating apparatus that generates first authentication information using an authentication element is provided. The apparatus includes an application module when the application module is created, inserts the first authentication information into the application module, and distributes the application module. A user digital device that executes the application module checks the authentication element and the first authentication information included in the application module, generates second authentication information for the authentication element, and determines whether to execute the application module based on a result of comparison between the first authentication information and the second authentication information.
    Type: Application
    Filed: October 23, 2014
    Publication date: April 23, 2015
    Inventors: Jae-Mok HONG, Jin-Ho KO, Tae-Do BAE, Nam-Geol LEE
  • Patent number: 9015074
    Abstract: A device, system, and method for conducting a secure transaction over a network includes receiving from a user, being issued a stored-value financial instrument, a dollar amount to be associated to the stored-value financial instrument, communicating the dollar amount to a debit agent residing on a network processing and communication device, receiving at the debit agent a selection of a non-integrated financial institution selected from a list that includes at least one non-integrated financial institution, receiving at the debit agent a financial-institution user-identifier from the user, communicating the financial-institution user-identifier from the debit agent to the selected non-integrated financial institution, participating in a user-free electronic dialogue between the debit agent and the selected non-integrated financial institution, the dialogue including a request to transfer funds from the selected non-integrated financial institution, and transferring, with the debit agent, the funds from the s
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: April 21, 2015
    Assignee: Mazooma Technical Services, Inc.
    Inventors: Qun Chen, Kenneth James Emerson, Edward Vincent O'Meara
  • Patent number: 9015826
    Abstract: A mobile platform security apparatus and method is provided. The apparatus may perform a security setting by generating a first authentication key, a second authentication key, and a third authentication key for each function called by an application program. The apparatus may store the first authentication key and an identifier for identifying the application program in a first storage unit, the second authentication key and the identifier in a secret domain of a second storage unit, and register the third authentication key and the identifier as a function parameter in the application program. Subsequently, if the function is called by the application program, the apparatus may determine values for the first authentication key, the second authentication key, and the third authentication key corresponding to the called function, and may perform authentication processing using the three authentication key values.
    Type: Grant
    Filed: September 16, 2011
    Date of Patent: April 21, 2015
    Assignee: Pantech Co., Ltd.
    Inventor: Jae Choon Park
  • Patent number: 9015496
    Abstract: A model restricts un-trusted data/objects from running on a user's machine without permission. The data is received by a protocol layer that reports a MIME type associated with the DATA, and caches the data and related cache file name (CFN). A MIME sniffer is arranged to identify a sniffed MIME type based on the cached data, the CFN, and the reported MIME type. Reconciliation logic evaluates the sniffed MIME type and the CFN to determine a reconciled MIME type, and to update the CFN. A class ID sniffer evaluates the updated CFN, the cached data, and the reconciled MIME type to determine an appropriate class ID. Security logic evaluates the updated CFN, the reported class ID, and other related system parameters to build a security matrix. Parameters from the security matrix are used to intercept data/objects before an un-trusted data/object can create a security breach on the machine.
    Type: Grant
    Filed: February 3, 2014
    Date of Patent: April 21, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Venkatraman V. Kudallur, Shankar Ganesh, Roberto A. Franco, Vishu Gupta, John Green Bedworth
  • Patent number: 9014372
    Abstract: This discloses a video file encryption and decryption method, device, and mobile terminal. The encryption method can include: obtaining a to-be-encrypted video file and an encryption key, encrypting the video file using the encryption key to obtain an encrypted video file, obtaining scanned non-hidden partitions of a mobile terminal and an extended memory of the mobile terminal for storing user data, determining a partition storing the to-be-encrypted video file among the non-hidden partitions, and moving the encrypted video file to a folder in the partition storing the to-be-encrypted video file. The decryption method can include: obtaining a to-be-decrypted video file and a decryption key, decrypting the to-be-decrypted video file using the decryption key to obtain a decrypted video file, and determining a pre-encryption storage location of the to-be-decrypted video file and moving the decrypted video file to the pre-encryption storage location of the to-be-decrypted video file.
    Type: Grant
    Filed: October 25, 2013
    Date of Patent: April 21, 2015
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventors: Jian Ming Chen, Xiao Sheng Zheng
  • Patent number: 9015844
    Abstract: Techniques for web application vulnerability scanning are disclosed. In one particular embodiment, the techniques may be realized as a method for web application vulnerability scanning comprising crawling a web application for content associated with the web application, generating a client security policy based on the content associated with the web application, and scanning the web application for vulnerabilities based on the client security policy.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: April 21, 2015
    Assignee: Symantec Corporation
    Inventors: Jason Franklin, Yin Liu
  • Patent number: 9015495
    Abstract: A mobile terminal for use with a cellular or mobile telecommunications network includes a normal execution environment and a secure execution environment. The mobile terminal enables the software of the terminal in the secure execution environment to be updated. The terminal may be provided with minimal software initially in the secure execution environment, and is operable to subsequently update the software by over-the-air transmission of software. Also disclosed is a method for managing rights in respect of broadcast, multicast and/or unicast (downloaded) data. The method defines a service protection platform implemented on mobile terminals having both a normal execution environment and a secure execution environment. Service protection is provided by separating the operation of service protection application components into those that operate in the normal environment and those that are adapted to execute only in the secure execution environment.
    Type: Grant
    Filed: December 2, 2013
    Date of Patent: April 21, 2015
    Assignee: Vodafone IP Licensing Limited
    Inventors: Mark Priestley, Timothy Wright, Caroline Jessica Belrose, Nicholas Bone, James Irwin
  • Patent number: 9009835
    Abstract: A smart card installed in a device receives from the device data to be scanned and determines whether a virus exists in the data. Accordingly, security of the device may be enhanced without using substantial resources of the device.
    Type: Grant
    Filed: August 5, 2011
    Date of Patent: April 14, 2015
    Assignee: Samsung SDS Co., Ltd.
    Inventor: InSeon Yoo
  • Patent number: 9009818
    Abstract: A system and method for detecting malware in compressed data. The system and method identifies a set of search strings extracted from compressed executables, each of which is infected with malware from a family of malware. The search strings detect the presence of the family of malware in other compressed executables, fragments of compressed executables, or data streams.
    Type: Grant
    Filed: April 6, 2007
    Date of Patent: April 14, 2015
    Assignee: Pulse Secure, LLC
    Inventors: George Tuvell, Deepak Venugopal
  • Patent number: 9009785
    Abstract: A system for managing adaptive security zones in complex business operations, comprising a rules engine adapted to receive events from a plurality of event sources and a security manager coupled to the rules engine via a data network, wherein upon receiving an event, the rules engine determines what rules, if any, are triggered by the event and, upon triggering a rule, the rules engine determines if the rule pertains to security and, if so, sends a notification message to the security manager informing it of the triggered event, and wherein the security manager, on receiving a notification message from the rules engine, automatically establishes a new security zone based at least in part on the contents of the notification message, is disclosed.
    Type: Grant
    Filed: February 27, 2014
    Date of Patent: April 14, 2015
    Assignee: LiveOps, Inc.
    Inventors: Vidur Apparao, Niall Browne, Scott Bailey, Jeremy King
  • Patent number: 9003198
    Abstract: A method for processing an operating sequence of instructions of a program in a processor, wherein each instruction is represented by an assigned instruction code which comprises one execution step to be processed by the processor or a plurality of execution steps to be processed successively by the processor, includes determining an actual signature value assigned to a current execution step of the execution steps of the instruction code representing the instruction of the operating sequence; determining, in a manner dependent on an address value, a desired signature value assigned to the current execution step; and if the actual signature value does not correspond to the desired signature value, omitting at least one execution step directly available for execution and/or an execution step indirectly available for execution.
    Type: Grant
    Filed: May 22, 2013
    Date of Patent: April 7, 2015
    Assignee: Infineon Technologies AG
    Inventors: Berndt Gammel, Stefan Mangard
  • Patent number: 9003525
    Abstract: Approaches for limiting exploitable or potentially exploitable sub-components in software components are disclosed. In certain implementations, a first software component in the component creation environment may be identified. The first software component may include a first sub-component that provides a function that is exploitable or potentially exploitable to compromise the first software component. The first sub-component may be disabled such that the function provided by the first sub-component is not available via the first software component when the first software component is executed. The first software component may be placed in the component repository after the first sub-component is disabled such that the first software component is placed in the component repository without availability of the function provided by the first sub-component. In some implementations, disabling the first sub-component may comprise removing the first sub-component from the first software component.
    Type: Grant
    Filed: August 25, 2014
    Date of Patent: April 7, 2015
    Assignee: Luminal, Inc.
    Inventors: Josha Stella, Dominic Zippilli, Matthew Brinkman
  • Patent number: 9003519
    Abstract: The present disclosure relates to verifying transactions using user devices. A client device is used to complete a transaction with a server computer. The client device communicates with a user device such as a smart phone, laptop computer, or other computing device. The user device communicates with the client device and a verification server via the out-of-band communication channel. The verification server receives two or more copies of session data associated with the transaction occurring between the client device and the server computer. One copy of the session data is received from the server computer and another copy of the session data is provided by the user device. The two copies of the session data are compared by the verification server or by the user device, and mismatches are reported as suspected malicious software attacks.
    Type: Grant
    Filed: May 16, 2011
    Date of Patent: April 7, 2015
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Ilija Zeljkovic, Juan Garay
  • Patent number: 9003534
    Abstract: Aspects of the invention are directed to antivirus scanning, by a proxy server, of data downloaded from the network onto a PC workstation. The antivirus scanning is optimized for each scan by selecting an algorithm for that scan based on a determined overall likelihood that the downloaded data contains malicious code. Determination of the overall likelihood is augmented by the strength, or confidence, of statistical data relating to malware screening of results of previous downloads having similar parameters to the instant download.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: April 7, 2015
    Assignee: Kaspersky Lab ZAO
    Inventors: Sergey A. Zubrilin, Alexander A. Stroykov, Sergey A. Vasilyev
  • Patent number: 9003197
    Abstract: A method, device and system for authenticating a programmable hardware device, such as a programmable hardware chip, and a command received by the programmable hardware device. A secure processor or other trusted source authenticates the programmable hardware chip by verifying, with the secure processor's own verification key, a random number sent to the programmable hardware chip and encrypted using a verification key embedded within the programmable hardware chip, since the nature of the encryption is such that only the original logic function that includes the verification key can encrypt the data correctly. A command received by the programmable hardware chip is authenticated by verifying that a command authentication token received by the programmable hardware chip is generated using the correct command authentication key and consequently verifying that the command is received from the secure processor, as only the party who has the command authentication key can encrypt the data correctly.
    Type: Grant
    Filed: March 27, 2008
    Date of Patent: April 7, 2015
    Assignee: General Instrument Corporation
    Inventors: Jiang Zhang, Peter Chen, Alexander Medvinsky
  • Patent number: 9003537
    Abstract: An automated system for automatic update of a Common Vulnerability Scoring System (CVSS) score, the system including vulnerability information analyzing functionality to analyze preexisting vulnerability information, the preexisting vulnerability information relating to at least one of at least one vulnerability and at least one attack vector thereof, the at least one vulnerability having a preexisting CVSS score, the preexisting CVSS score being based at least partially on the preexisting vulnerability information, vulnerability information extraction functionality, responsive to the analyzing preexisting vulnerability information, to extract new vulnerability information, the new vulnerability information relating to the at least one of the at least one vulnerability and the at least one attack vector thereof, and CVSS score updating functionality to employ the new vulnerability information to update the preexisting CVSS score.
    Type: Grant
    Filed: January 31, 2013
    Date of Patent: April 7, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Barak Raz, Ben Feher
  • Patent number: 8996854
    Abstract: The method for downloading applications takes place in a network that has a server, a mobile terminal, a trusted operator and, preferably, a personal computer. In the method, a user selects an application to be downloaded at his computer or mobile terminal. The user then sends a request to the server for downloading the selected application to the mobile terminal. The server sends a message to the mobile terminal with instructions for downloading of the application. This message is sent via a trusted operator in order to ensure a secure downloading. Thereafter, the application is downloaded to the mobile terminal.
    Type: Grant
    Filed: February 16, 2004
    Date of Patent: March 31, 2015
    Assignee: Giesecke & Devrient GmbH
    Inventor: Antti Hamalainen
  • Patent number: 8997244
    Abstract: An automatic software audit system includes a client and a server. The client includes a network interface, a software installation record database, a software audit rule database, a software release database and a central processing unit (CPU). The network interface is coupled to the client. The software installation record database stores a software installation record of the client. The software audit rule database stores a software audit rule. The software release database stores a software release record of the client. The CPU installs an agent program to the client to collect the software installation record, and generates a software audit result of the client according to the software installation record, the software audit rule and the software release record.
    Type: Grant
    Filed: January 11, 2013
    Date of Patent: March 31, 2015
    Assignee: Quanta Computer Inc.
    Inventors: Tien-Chin Fang, Chen-Chung Lee, Ping-Chi Lai, Chia-Hung Lin, Cheng-Yao Wang, His-Chieh Hsu, Mei-Jung Wang, Hung-Yu Yang, Wei-Chi Tai
  • Patent number: 8990945
    Abstract: Detecting a malicious advertisement is disclosed. An advertisement is analyzed. A determination that the advertisement is associated with malicious activity is made. An indication that the advertisement is malicious is provided as output. The indication can be provided as a report, such as to a publisher and can also be provided using an API, such as to the entity responsible for serving the advertisement.
    Type: Grant
    Filed: May 28, 2013
    Date of Patent: March 24, 2015
    Assignee: Dasient, Inc.
    Inventors: Ameet Ranadive, Shariq Rizvi, Neilkumar Murli Daswani
  • Patent number: 8990939
    Abstract: A system is described for scheduling the processing of items of suspicious network content to determine whether these items contain malicious network content. The system features a memory and an analyzer that may comprise a processor-based digital device in which at least one virtual machine (VM) and a scheduler operates. The scheduler is configured to generate an order of processing of a plurality of items of network content by the processor based on a plurality of probability scores, each corresponding to an item of network content. The analyzer is configured to process the items of network content in at least the virtual machine by replaying these items in accordance with the order of processing. The virtual machine is configured with a software profile corresponding to each of the processed items and being adapted to monitor behavior of each of the items during processing, thereby to detect malicious network content.
    Type: Grant
    Filed: June 24, 2013
    Date of Patent: March 24, 2015
    Assignee: FireEye, Inc.
    Inventors: Stuart Gresley Staniford, Ashar Aziz
  • Patent number: 8984632
    Abstract: A computer-implemented method for identifying malware is described. Event data is received from a mobile device. The event data includes events performed on the mobile device and a list of one or more applications. The list of the one or more applications is compared with at least one additional list of applications received from at least one additional mobile device. An application in common across the lists of applications is identified. The identification of the application in common is transmitted to the mobile device.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: March 17, 2015
    Assignee: Symantec Corporation
    Inventors: Barry Laffoon, Abubakar Wawda, Jun Mao, Bruce McCorkendale
  • Patent number: 8984272
    Abstract: An information processing apparatus securely stores a program group comprising one or more programs and includes a first detector that detects an execution waiting state of a given program among the program group; a secure module that is configured such that information stored therein cannot be referred to by an external device, and when the execution waiting state is detected by the first detector, that encrypts the given program and writes the encrypted given program to a storage area that is different from that of the program group; a second detector that detects an execution request concerning the given program; a decrypter that decrypts the given program encrypted by the secure module and writes the decrypted given program to the storage area, when the execution request concerning the given program is detected by the second detector; and a program executor that executes the given program decrypted by the decrypter.
    Type: Grant
    Filed: March 29, 2012
    Date of Patent: March 17, 2015
    Assignees: Fujitsu Limited, Fujitsu Semiconductor Limited
    Inventors: Kiyoshi Kohiyama, Masakazu Takakusu, Kenichi Wakasugi
  • Patent number: 8984628
    Abstract: A system and method identifies mobile applications that can have an adverse effect on a mobile device or mobile network. In an implementation, a server monitors behavioral data relating to a mobile application and applies a model to determine if the application has an adverse effect or has the potential to cause an adverse effect on a mobile device or a network the mobile device may connect to. A mobile device may monitor behavioral data, apply a model to the data, and transmit a disposition to the server. The server may aggregate behavioral data or disposition information from multiple devices. The server may transmit or make available the disposition information to a subscriber through a web interface, API, email, or other mechanism. After identifying that an application may have an adverse effect, the server may enact corrective actions, such as generating device or network configuration data.
    Type: Grant
    Filed: February 23, 2011
    Date of Patent: March 17, 2015
    Assignee: Lookout, Inc.
    Inventors: Kevin Patrick Mahaffey, David Golombek, David Luke Richardson, Timothy Micheal Wyatt, James David Burgess, John G. Hering