Abstract: A method begins by a processing module generating an integrity check value for each encoded data slice of a set of encoded data slices to produce a set of integrity check values. The method continues with the processing module encoding the set of integrity check values to produce encoded integrity check values. The method continues with the processing module sending the encoded integrity check values for storage in a memory system.

Abstract: A system, method, and computer program product are provided for implementing asymmetric AES-CBC (Advanced Encryption Standard-Cipher Block Chaining) channels usage between encryption and decryption of data. In operation, data to be written to memory is identified. In addition, the data is encrypted utilizing a first AES-CBC channel. Additionally, at least one of a plurality of AES-CBC channels is utilized to decrypt the data to achieve a determined performance target.

Abstract: An apparatus and method for providing home evolved node-B (H(e)NB) integrity verification and validation using autonomous validation and semi-autonomous validation is disclosed herein.

Abstract: Systems and methods of determining compliance of content in a website or web application are disclosed. The systems and methods comprise a compliance tool to retrieve data associated with website or web application content. The compliance tool can scan the data to determine references to network locations. The compliance tool can compare the references to one or more approval rules to determine whether the references comply with the approval rules. A report can be compiled and outputted that indicates which references comply and which references do not comply with the approval rules. A user can have the option to add non-complying references to an approved list. The compliance tool can further remove non-complying references from the website or web application data and/or register non-complying references with a firewall.

Abstract: The invention relates to a method for obfuscating a computer program. Said method comprises the following steps: a—selecting a numerical variable V used by said program or an instruction of said program using said numerical value V, b—defining at least one operation which provides said numerical value V when executed, c—substituting at least one line of said program using the numerical value V for at least one new program line performing the operation that supplies the value of said numerical variable V.

Abstract: A non-transitory computer-readable recording medium has stored therein a patch scheduling program that causes a computer to execute a process. The process includes managing, aggregating, determining, and scheduling. The managing includes managing a system including a plurality of software that control a plurality of virtual machines. The aggregating includes aggregating virtual machines including a similar trend regarding a predetermined index thereof with a mutually-same virtual software. The determining includes determining a time period during which the virtual machines are to be moved, based on the trends of the virtual machines aggregated with the mutually-same virtual software and based on moving time of the move of the virtual machines to a different virtual software included in the plurality of virtual software. The scheduling includes scheduling applying a patch to each of the plurality of virtual software at the determined time periods.

Abstract: A data loss prevention (DLP) manager running on a security virtual machine manages DLP policies for a plurality of guest virtual machines. The DLP manager identifies a startup event of a guest virtual machine, and installs a DLP component in the guest virtual machine. The DLP component communicates with the DLP manager operating within the security virtual machine. The DLP manager also receives file system events from the DLP component, and enforces a response rule associated with the guest virtual machine if the file system event violates a DLP policy.

Abstract: Customers can utilize resources of a multi-tenant environment to provide one or more services available to various users. In order to simplify the process for these customers, the multi-tenant environment can include an infrastructure wherein a portion of the resources provide an authentication and/or authorization service that can be leveraged by the customer services. These resources can logically sit in front of the resources used to provide the customer services, such that a user request must pass through the authorization and authentication service before being directed to the customer service. Such resources can provide other functionality as well, such as load balancing and metering.

Abstract: The present disclosure relates generally to digital watermarking and grocery/retail store checkout. One claim recites a system comprising: a 2D camera for capturing imagery of packaged items, the packaged items including digital watermarking printed on product packaging; one or more processors programmed for: prioritizing at least some image areas from within at least one captured imagery frame for digital watermark detection based on: i) area brightness, and on ii) area frame location; and detecting digital watermarks from one or more image areas prioritized from the prioritizing image areas, in which the detecting digital watermarks analyzes image areas in order of prioritization. Of course, other features, combinations and claims are also provided.

Abstract: In order for intermediary WAAS devices to process and accelerate ICA traffic, they must decrypt the ICA traffic in order to examine it. Disclosed is a mechanism by which the ICA traffic may be re-encrypted for transport over the WAN in a manner that does not require explicit configuration by the administrator of the WAAS devices. For example, VDI traffic may be intercepted and all data redundancy elimination messages may be encrypted and sent to a peer network device.

Abstract: A method of extending trust from a trusted processor to a graphics processing unit to expand trusted processing in an electronic device comprises inserting a trusted kernel into the graphics processing unit, monitoring the activity level of the graphics processing unit, suspending graphics processing on at least a portion of the graphics processing unit, repurposing a portion of the graphics processing unit to perform trusted processing, and releasing the portion of the graphics processing unit from trusted processing.

Abstract: A system that incorporates the subject disclosure may include, for example, a system for receiving a request to modify a universal integrated circuit card, generating a package comprising configuration data for modifying the universal integrated circuit card, encrypting the package with a transport key to generate an encrypted package, transmitting the encrypted package to a communication device communicatively coupled to the universal integrated circuit card to provision the universal integrated circuit card, and providing a mobile network operator trusted service manager system information relating to the configuration data to enable the mobile network operator trusted service manager system to manage content and memory allocation of the universal integrated circuit card. Other embodiments are disclosed.

Abstract: In one embodiment, a processor includes at least one execution unit. The processor also includes a Return Oriented Programming (ROP) logic coupled to the at least one execution unit. The ROP logic may validate a return pointer stored on a call stack based on a secret ROP value. The secret ROP value may only be accessible by the operating system.

Abstract: A method, system, and apparatus for verifying integrity and execution state of an untrusted computer. In one embodiment, the method includes placing a verification function in memory on the untrusted computer; invoking the verification function from a trusted computer; determining a checksum value over memory containing both the verification function and the execution state of a processor and hardware on the untrusted computer; sending the checksum value to the trusted computer; determining at the trusted computer whether the checksum value is correct; and determining at the trusted computer whether the checksum value is received within an expected time period.

Abstract: The protected resource, typically an API, is exposed by endpoints of a plurality of administrative domains. The endpoints are previously unknown by said service application and the method further comprises: i. using an intermediate or global entity for: a) selecting one of said administrative domains based on flexible criteria (i.e. at least on the identity of said end user but also considering varying user or service preferences); and b) performing, said selected administrative domain, a secure authorization to grant access to said end user by means of an open protocol; and ii. providing, said selected administrative domain to said service application, once performed said secure authorization, direct or proxy access to said user's protected resource via the endpoint established by said intermediate entity.

Abstract: A method may include generating a first shared secret for a present boot session of the information handling system and determining if a second shared secret existed for a prior boot session of the information handling system. If the second shared secret existed for the prior boot session, the method may include encrypting the first shared secret with the second shared secret and communicating the first shared secret encrypted by the second shared secret from a first information handling resource to a second information handling resource. If the second shared secret did not exist for the prior boot session, the method may include communicating the first shared secret unencrypted from the first information handling resource to the second information handling resource. The method may additionally include securely communicating between the first information handling resource and the second information handling resource using the first shared secret for encryption and decryption.

Abstract: The disclosed apparatus may include a storage device and a secure counter. The apparatus may also include a tamper-logging component that (1) detects an action that is associated with booting untrusted images from the storage device and, in response to detecting the action, (2) securely logs the action by incrementing the secure counter. Various other apparatuses, systems, and methods are also disclosed.

Abstract: A system for simplifying the configuration and administration of computer networks. A the server system first sends a broadcast message out to the other network nodes on the computer network to learn configuration of each other network nodes on the local network. Next, network software within each other network node (not shown) responds to the broadcast message with a response containing configuration information and an identifier key value. In one embodiment, the identifier key value may be a randomly generated number. The server system then builds a table of network nodes using the information received in the response messages sent in response to the broadcast message. The server may then communicate with systems having duplicate addresses using the identifier key value. In some embodiments, the server system may send request messages to one or more network nodes specifying a network configuration change.

Abstract: According to one embodiment, a method for authenticating a device, wherein the device holds secret identification information, encrypted secret identification information, and key management information, and an authenticator holds an identification key, the method includes reading, by the authenticator, the encrypted secret identification information and the key management information from the device, and obtaining, by the authenticator, a family key by using the key management information, the family key being capable of being decrypted with the identification key. The method further includes obtaining, by the authenticator, the secret identification information by decrypting the encrypted secret identification information with the family key.

Abstract: The invention provides a method for loading an application requiring personalization into a portable storage medium which is set up to be operated in a terminal. Personalization data for personalizing the application and possibly application data are additionally loaded into a restore module which is independent of applications stored in an application memory, is configured as a non-volatile memory, and is disposed within the portable storage medium or within the terminal. For updating an application, the personalization data and possibly application data are loaded from the restore module into the updated application. A portable storage medium has a non-volatile, application-independent restore module. System with storage medium and terminal and non-volatile, application-independent restore module.

Abstract: A software license for a particular version of a software product on a computing device includes both a branding identifier that identifies the particular version of the software product and component dependency information that identifies one or more aspects of the particular version of the software product. To activate a software product on the computing device, the branding identifier is compared to a portion of the software product on the computing device. If the branding identifier matches the portion of the software product, then the component dependency information is compared to one or more aspects of the software product on the computing device. If the component dependency information matches the one or more aspects of the software product then the software product is activated. Otherwise, the a license state of the software product is kept unchanged.

Abstract: A method for enhancing reliability of data is provided. A computer configured to provide output datum (Ds) from input datum (De), includes at least two data processing modules, and a computing member connected to each module. The method includes computing, with each module, intermediate datum (DIA, DIB) from the input datum (De) calculating, with each module, an intermediate security code (CSIA, CSIB) from the corresponding intermediate datum (DIA, DIB), transmitting to the computing member with each module, the intermediate security code (CSIA, CSIB) and the intermediate datum (DIA, DIB), computing, a security code (CS) from the intermediate security codes (CSIA, CSIB), selecting, an intermediate datum from among the received intermediate data (DIA, DIB) the output datum, (Ds) of the computer including the selected intermediate datum, and transmitting to a receiving device, the security code (CS) and output datum (Ds).

Abstract: A method and system for securely propagating client identities in a service call from a first system to a target service system are provided. The system includes a memory device for storing data and a service provider (SP) computer system. The SP computer system is programmed to determine identities to transmit to the target system in association with a request, construct a data structure to represent each identity and additional information related to the identity, digitally sign the identity information, pair the identity information and the corresponding digital signature in a header of a request message from the first system to the target service system, receive the request message and extract the identity information and corresponding digital signatures from the header, validate the corresponding digital signatures, and construct using the corresponding identity information a data structure that represents each of the original identities established in the first system.

Abstract: A system may include a host that may include a processor coupled to a non-volatile memory over a secure communication protocol. As a result, prior to release for manufacturing, a binding code may be established between the host and the non-volatile memory. In some embodiments, this binding code may be stored on the non-volatile memory and not on the host. Then during a boot up of the system, the boot up process may be initiated by the host using code associated with the host, followed by secure booting using the secure protocol using code stored on the non-volatile memory.

Abstract: Embodiments of the present invention provide an approach for protecting visible data during computerized process usage. Specifically, in a typical embodiment, when a computerized process is identified, a physical page key (PPK) is generated (e.g., a unique PPK may be generated for each page of data) and stored in at least one table. Based on the PPK a virtual page key (VPK) is generated and stored in at least one register. When the process is later implemented, and a request to access a set of data associated the process is received, it will be determined whether the VPK is valid (based on the PPK). Based on the results of this determination, a data access determination is made.

Abstract: Various techniques for providing a device token protocol for authorization and persistent authentication shared across applications are disclosed. In some embodiments, a device token protocol for authorization and persistent authentication shared across applications includes sending user credentials to a remote server to authenticate a user on a device for a plurality of applications; and receiving a device token from the remote server for the user to authenticate the user for the plurality of applications on the device, in which the device token facilitates authentication and authorization.

Abstract: A configuration for achieving efficient content verification processing based on hash values is provided. Hash values of hash units set as segmented data of a content stored on an information storage medium are recorded in a content hash table and are stored on the information storage medium together with the content. An information processing apparatus for executing content playback executes hash-value comparison processing based on one or more randomly selected hash values. Regardless of the data amount of content, the configuration can perform hash-value determination and comparison processing based on hash units having a small amount of data, so that user equipment for executing content playback can perform efficient content verification.

Abstract: The disclosed implementations are related to trace-assisted prefetching of a virtual machine from a network resource to improve interactive performance of the virtual machine on a host device. Trace patterns can be automatically uploaded to a network resource, which aggregates the patterns, and serves the patterns back to the host device, or a different host device, when the host device downloads a virtual machine for the first time.

Abstract: A privileged cryptographic service is described, such as a service running in system management mode (SMM). The privileged service is operable to store and manage cryptographic keys and/or other security resources in a multitenant remote program execution environment. The privileged service can receive requests to use the cryptographic keys and issue responses to these requests. In addition, the privileged service can measure the hypervisor at runtime (e.g., either periodically or in response to the requests) in an attempt to detect evidence of tampering with the hypervisor. Because the privileged service is operating in system management mode that is more privileged than the hypervisor, the privileged service can be robust against virtual machine escape and other hypervisor attacks.

Abstract: A processor, a method and a computer-readable storage medium for encrypting a return address are provided. The processor comprises hardware logic configured to encrypt an instruction pointer and push the encrypted instruction pointer onto a stack. The logic is further configured to retrieve the encrypted instruction pointer from the stack, decrypt the instruction pointer and redirect execution to the decrypted instruction pointer.

Abstract: A method and system for signing a digital certificate in real time for accessing a service application hosted within a service provider (SP) computer system through an open application programming interface (API) platform is provided. The API platform is in communication with a memory device. The method includes receiving registration data from a developer computer device wherein the developer computer device is associated with a developer and configured to store a developer application, receiving a certificate signing request (CSR) from the developer computer device wherein the CSR includes a public key associated with the developer, verifying the registration data as being associated with the developer, signing the CSR to produce a signed certificate after verifying the registration data wherein the verifying and signing steps are performed by the SP computer system in real time, and transmitting the signed certificate and a client ID to the developer computer device.

Abstract: A download method of media contents, and which includes receiving and storing, by an electronic book terminal, a DRM (Digital Right Management) code from a contents server, the DRM code being stored in a memory of the electronic book terminal; receiving a media contents list from the contents server by requesting the media contents list at the contents server; decoding the received media contents list with the DRM code stored in the memory; displaying the media contents list on a screen of the electronic book terminal; requesting at least one media contents at the contents server, the at least one media contents being selected in the media contents list in response to a user input; receiving the at least one media contents from the contents server; and decoding the received at least one media contents with the DRM code stored in the memory.

Abstract: A system, method and computer program product are provided. In use, execution of a portion of internal code of an interface is identified. Further, in response to the execution of the portion of internal code, at least one aspect of an invocation of the interface is monitored and/or analyzed.

Abstract: System call interception is activated for an application process. It is recorded that system call interception is active for the application process. Ongoing checking is performed to determine whether system call interception remains active.

Abstract: The present invention provides methods and apparatuses that utilize a portable apparatus to securely operate a host electronic device. Typically, each portable apparatus includes a data storage unit which stores an operating system and other software. In one example, a portable apparatus can provide a virtual operating environment on top of a host's operating system for a host device. In another example, a portable apparatus containing its operating system can directly boot a host device with one or more hardware profiles. Furthermore, a device-dependent protection against software piracy, a user-dependent protection against sensitive data leaks, a controllable host operating environment to prevent unwanted information exposure, and a secure restoration procedure to prevent virus infection between the host device users may be incorporated. Moreover, an authorization signature may also be utilized to authorize a connected-state guest operation environment in the host device.

Abstract: Verification of software to be run in a secure environment is performed by comparing a critical portion of the executable boot program code in an EPROM with code stored in a logic circuit. The comparison may be performed before the code to be verified is run or while it is running in the event that the validation fails certain critical functions of the platform are inhibited to prevent fraudulent operation of the platform. The system is particularly applicable to gaming machines to avoid cheating.

Abstract: Methods and systems for allowing customer or third party testing of secure programmable code are disclosed and may include verifying code loaded in a set-top box utilizing a test hash or a production hash prior to execution of the code, where the test hash and production hash may be stored in a memory, such as an OTP, within the set-top box, and may allow migration from corresponding test code to production code, which may be verified utilizing the test hash and production hash, respectively. The test and production hashes may be customer specific. The migration from test code to production code may be authenticated using at least a set-top box specific password. The test hash may be stored in a first portion of a one-time programmable memory and the production hash in a remaining portion, with the first portion being less than or equal to the remaining portion.

Abstract: Novel solutions for detecting and/or treating malware on a subscriber's premise network. Such solutions can include, but are not limited to, tools and techniques that can detect, and/or enable the detection of, malware infections on individual subscriber devices within the subscriber's network. In a particular embodiment, for example, a premise gateway, or other device on the subscriber's premise network, is configured to analyze packets traveling through the premise gateway and, based on that analysis, identify one or more subscriber devices that are infected with malware.

Abstract: In one embodiment, a first instruction prescribing a setting for a feature is defined. A second instruction prescribing a first action is defined. A third instruction prescribing a second action is defined. It is determined whether the feature is present in a computing device, and if present, whether the feature is set to the setting. The first action is initiated if the feature is present and not set to the setting. The second action is initiated if the feature is not present.

Abstract: Security arrangements for a universal serial bus (USB) protocol stack of a USB host system are provided. The security arrangements prevent an unauthorized or suspicious USB device from communicating with the host system, detect suspicious activity originating from a device which is already communicating with the host system and may provide notification to a user.

Abstract: Firmware in a UEFI-compliant computing device is used to administer and alter a Secure Boot process for the computing device while continuing to provide protection from unauthorized third-party code.

Abstract: An application creating apparatus generates first authentication information using an authentication element is provided. The apparatus includes an application module when the application module is created, inserts the first authentication information into the application module, and distributes the application module. A user digital device that executes the application module checks the authentication element and the first authentication information included in the application module, generates second authentication information for the authentication element, and determines whether to execute the application module based on a result of comparison between the first authentication information and the second authentication information.

Abstract: A device, system, and method for conducting a secure transaction over a network includes receiving from a user, being issued a stored-value financial instrument, a dollar amount to be associated to the stored-value financial instrument, communicating the dollar amount to a debit agent residing on a network processing and communication device, receiving at the debit agent a selection of a non-integrated financial institution selected from a list that includes at least one non-integrated financial institution, receiving at the debit agent a financial-institution user-identifier from the user, communicating the financial-institution user-identifier from the debit agent to the selected non-integrated financial institution, participating in a user-free electronic dialogue between the debit agent and the selected non-integrated financial institution, the dialogue including a request to transfer funds from the selected non-integrated financial institution, and transferring, with the debit agent, the funds from the s

Abstract: A mobile terminal for use with a cellular or mobile telecommunications network includes a normal execution environment and a secure execution environment The mobile terminal enables the software of the terminal in the secure execution environment to be updated. The terminal may be provided with minimal software initially in the secure execution environment, and is operable to subsequently update the software by over the air transmission of software. Also disclosed is a method for managing rights in respect of broadcast, multicast and/or unicast (downloaded) data. The method defines a service protection platform implemented on mobile terminals having both normal execution environment and secure execution environment. Service protection is provided by separating the operation of service protection application components into those that operate in the normal environment and those that are adapted to execute only in the secure execution environment.

Abstract: A mobile platform security apparatus and method is provided. The apparatus may perform a security setting by generating a first authentication key, a second authentication key, and a third authentication key for each function called by an application program. The apparatus may store the first authentication key and an identifier for identifying the application program in a first storage unit, the second authentication key and the identifier in a secret domain of a second storage unit, and register the third authentication key and the identifier as a function parameter in the application program. Subsequently, if the function is called by the application program, the apparatus may determine values for the first authentication key, the second authentication key, and the third authentication key corresponding to the called function, and may perform authentication processing using the three authentication key values.

Abstract: This discloses a video file encryption and decryption method, device, and mobile terminal. The encryption method can include: obtaining a to-be-encrypted video file and an encryption key, encrypting the video file using the encryption key to obtain an encrypted video file, obtaining scanned non-hidden partitions of a mobile terminal and an extended memory of the mobile terminal for storing user data, determining a partition storing the to-be-encrypted video file among the non-hidden partitions, and moving the encrypted video file to a folder in the partition storing the to-be-encrypted video file. The decryption method can include: obtaining a to-be-decrypted video file and a decryption key, decrypting the to-be-decrypted video file using the decryption key to obtain a decrypted video file, and determining a pre-encryption storage location of the to-be-decrypted video file and moving the decrypted video file to the pre-encryption storage location of the to-be-decrypted video file.

Abstract: A model restricts un-trusted data/objects from running on a user's machine without permission. The data is received by a protocol layer that reports a MIME type associated with the DATA, and caches the data and related cache file name (CFN). A MIME sniffer is arranged to identify a sniffed MIME type based on the cached data, the CFN, and the reported MIME type. Reconciliation logic evaluates the sniffed MIME type and the CFN to determine a reconciled MIME type, and to update the CFN. A class ID sniffer evaluates the updated CFN, the cached data, and the reconciled MIME type to determine an appropriate class ID. Security logic evaluates the updated CFN, the reported class ID, and other related system parameters to build a security matrix. Parameters from the security matrix are used to intercept data/objects before an un-trusted data/object can create a security breach on the machine.

Abstract: Techniques for web application vulnerability scanning are disclosed. In one particular embodiment, the techniques may be realized as a method for web application vulnerability scanning comprising crawling a web application for content associated with the web application, generating a client security policy based on the content associated with the web application, and scanning the web application for vulnerabilities based on the client security policy.

Abstract: A smart card installed in a device receives from the device data to be scanned and determines whether a virus exists in the data. Accordingly, security of the device may be enhanced without using substantial resources of the device.

Abstract: A system for managing adaptive security zones in complex business operations, comprising a rules engine adapted to receive events from a plurality of event sources and a security manager coupled to the rules engine via a data network, wherein upon receiving an event, the rules engine determines what rules, if any, are triggered by the event and, upon triggering a rule, the rules engine determines if the rule pertains to security and, if so, sends a notification message to the security manager informing it of the triggered event, and wherein the security manager, on receiving a notification message from the rules engine, automatically establishes a new security zone based at least in part on the contents of the notification message, is disclosed.