Computer Instruction/address Encryption Patents (Class 713/190)
  • Patent number: 11947451
    Abstract: Methods, systems, and devices for mapping descriptors for read operations are described. A memory device may include a first cache that may include a mapping table between the logical addresses and the physical addresses, and a second cache that may include one or more descriptors of one or more physical addresses of the memory array. A descriptor may include a starting logical address, a starting physical address, and a quantity of addresses in the descriptor, and may be configured to identify addresses or sets of addresses that are frequently accessed. When an access command (e.g., a read command) is received, the first cache may be queried and then the second cache may be queried (if there is a cache miss at the first cache). The physical address of the data of the memory array may be determined (and accessed) based on the descriptors stored in the second cache.
    Type: Grant
    Filed: April 22, 2020
    Date of Patent: April 2, 2024
    Assignee: Micron Technology, Inc.
    Inventor: Xing Hui Duan
  • Patent number: 11907268
    Abstract: Systems, computer program products, and methods are described herein for identification of obfuscated electronic data through placeholder indicators. The present invention is configured to electronically receive, from a computing device of a user, a request to obfuscate one or more data artifacts stored on a first database; retrieve, from a data obfuscation repository, one or more data obfuscation algorithms; implement the one or more data obfuscation algorithms on the one or more data artifacts; generate one or more placeholder indicators identifying the one or more data obfuscation algorithms implemented on the one or more data artifacts; create one or more data fields corresponding to the one or more masked data artifacts on the first database; store the one or more placeholder indicators in the one or more data fields; and update the first database with the one or more masked data artifacts and the one or more placeholder indicators.
    Type: Grant
    Filed: February 10, 2021
    Date of Patent: February 20, 2024
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Brandon Sloane, Jinyoung Nathan Kim, Adriana Tache, Charles Edward Dudley
  • Patent number: 11886623
    Abstract: Systems and methods for integrated communication security are described. One aspect includes a clock generator configured to generate a clock signal at a first frequency, and a circuit utilizing the clock signal. The circuit may include a port configured to receive an encryption sequence at the first frequency, and a first unidirectional data path between the port and a memory configured to permit data transfer from the port to the memory. The memory may be configured to access the encryption sequence from the port via the first unidirectional data path and store the data. The circuit may further include a clock divider configured to divide the first frequency by a divisor deriving another clock signal at a second frequency, and an encryption/decryption module configured to read a portion of the encryption sequence from the memory, process input using the portion of the encryption sequence, and generate output responsive to the processing.
    Type: Grant
    Filed: September 29, 2022
    Date of Patent: January 30, 2024
    Assignee: Cuica LLC
    Inventors: Alistair Black, Ashitosh Swarup
  • Patent number: 11888827
    Abstract: A secure data transfer apparatus, where a processor in the apparatus is configured to execute a driver software to generate cryptography information, a cryptography device in the apparatus is configured to obtain a current cryptography parameter based on the cryptography information, and perform a cryptography operation using the current cryptography parameter, a Peripheral Component Interconnect Express (PCIe) interface in the apparatus configured to perform a ciphertext data exchange with a memory controller in a memory located external to the apparatus, where the ciphertext data exchange includes sending the ciphertext data from the cryptography device to the memory controller when the memory is to be written, and sending the ciphertext data from the memory controller to the cryptography device when the memory is to be read.
    Type: Grant
    Filed: January 26, 2021
    Date of Patent: January 30, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Shilin Pan
  • Patent number: 11886589
    Abstract: A process wrapping method for bypassing native code anti-analysis includes receiving an execution instruction intended to run in an application from an Android framework when the application starts, extracting metadata of string and method from a compiled OAT file using an oatdump tool in the Android framework, determining if anti-analysis techniques are applied by comparing with information of a database (DB) based on the transmitted execution instruction and the extracted metadata, modifying the execution instruction based on the determined information when the anti-analysis technique is applied, and sending the modified execution instruction back to the Android framework. Accordingly, it is possible to provide an environment in which malicious applications to which anti-analysis techniques are applied can be easily analyzed.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: January 30, 2024
    Assignee: FOUNDATION OF SOONGSIL UNIVERSITY-INDUSTRY COOPERATION
    Inventors: Jeong Hyun Yi, Yong Gu Shin
  • Patent number: 11861957
    Abstract: A time master and sensor data collection module for a robotic system such as an autonomous vehicle is disclosed. The module includes a processing device, one or more sensors, and programming instructions that are configured to cause the processing device to operate as a timer that generates a vehicle time, receive data from the one or more sensors contained within the housing, and synchronize the data from the one or more sensors contained within the housing with the vehicle time. The integrated sensors may include sensors such as a global positioning system (GPS) unit and/or an inertial measurement unit (IMU). The module may interface with external sensors such as a LiDAR system and/or cameras.
    Type: Grant
    Filed: May 9, 2019
    Date of Patent: January 2, 2024
    Assignee: Argo AI, LLC
    Inventors: Dane P. Bennington, Stephen Ressler, Elizabeth Ballard, Michel Laverne
  • Patent number: 11843587
    Abstract: A system and method for securely computing an inference of two types of tree-based models, namely XGBoost and Random Forest, using secure multi-party computation protocol. The method includes computing a respective comparison result of each respective node of a plurality of nodes in a tree classifier. Each node has a respective threshold value. The respective comparison result is based on respective data associated with a data owner device being applied to a respective node having the respective threshold value. The method includes computing, based on the respective comparison result, a leaf value associated with the tree classifier, generating a share of the leaf value and transmitting, to the data owner device, a share of the leaf value. The data owner device computes, using a secure multi-party computation and between the model owner device and the data owner device, the leaf value for the respective data of the data owner.
    Type: Grant
    Filed: September 7, 2022
    Date of Patent: December 12, 2023
    Assignee: TripleBlind, Inc.
    Inventors: Babak Poorebrahim Gilkalaye, Gharib Gharibi, Greg Storm, Riddhiman Das
  • Patent number: 11783013
    Abstract: A computer-implemented method of obfuscating a computer code comprises receiving (1201) an original computer program comprising a plurality of code blocks with computer instructions, the original computer program operable on input data within an input space, the original computer program operable to follow an execution path through the plurality of code blocks when receiving the input data, wherein the input space is segmented into at least one segment according to a segmentation, each segment comprising a subset of the input space containing inputs that correspond to a same execution path. A plurality of updated code blocks is included (1302) in the updated computer program. Selection code is operable (1303), during execution of the updated computer program, to select an updated code block of the plurality of updated code blocks in dependence on the input data. The selection code is included (1304) in the updated computer program.
    Type: Grant
    Filed: December 11, 2019
    Date of Patent: October 10, 2023
    Assignee: Koninklijke Philips N.V.
    Inventors: Paul Hubert Matthias Hutschemaekers, Maarten Peter Bodlaender, Oscar Garcia Morchon
  • Patent number: 11763008
    Abstract: Embodiments herein describe a memory controller that has an encryption path and a bypass path. Using an indicator (e.g., a dedicated address range), an outside entity can inform the memory controller whether to use the encryption path or the bypass path. For example, using the encryption path when performing a write request means the memory controller encrypts the data before it is stored, while using the bypass path means the data is written into memory without being encrypted. Similarly, using the encryption path when performing a read request means the controller decrypts the data before it is delivered to the requesting entity, while using the bypass path means the data is delivered without being decrypted.
    Type: Grant
    Filed: January 15, 2020
    Date of Patent: September 19, 2023
    Assignee: International Business Machines Corporation
    Inventors: Tony Sawan, Adam Samuel Hale
  • Patent number: 11765170
    Abstract: This application discloses a data processing method, system, and apparatus, a storage medium, and a device, and belongs to the field of database technologies. The method includes receiving a trigger request; triggering, according to the trigger request, the first cloud encryptor to store a root key seed, an operating policy, a data key seed, and a data key identifier, and triggering the database proxy to store an encryption data dictionary, the operating policy indicating an operation policy of the first cloud encryptor. The method further includes receiving a data processing request from the client; sending first data that the data processing request requests to process and the data key identifier in the encryption data dictionary to the first cloud encryptor. The method further includes implementing the operating policy, processing the first data, and responding to the data processing request by using the second data.
    Type: Grant
    Filed: March 9, 2021
    Date of Patent: September 19, 2023
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventor: Hongfei Zhou
  • Patent number: 11757623
    Abstract: This application pertains to encryption/decryption methods and related apparatuses. A communication device receives an initial layer-3 message. The initial layer-3 message includes an indication indicating that a part of the initial layer-3 message is encrypted. The communication device generates a keystream, and decrypts the encrypted part of the initial layer-3 message by performing an exclusive OR operation on the keystream and the initial layer-3 message.
    Type: Grant
    Filed: September 6, 2020
    Date of Patent: September 12, 2023
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Lijia Zhang, Jing Chen
  • Patent number: 11748492
    Abstract: A plaintext and cryptographic key are used to generate an initialization vector to be used in a cryptographic algorithm, such as an encryption algorithm. In some examples, the plaintext and cryptographic key are input into an effectively one-way function, such as a cryptographic hash function, the output of which is usable as an initialization vector. Cryptographic keys may be rotated probabilistically based at least in part on probabilities of output collisions of the effectively one-way function to ensure a low probability of two different plaintexts resulting in calculation of the same initialization vector for use with the same cryptographic key.
    Type: Grant
    Filed: March 8, 2021
    Date of Patent: September 5, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Matthew John Campagna
  • Patent number: 11741251
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for instantiating and managing systems that utilize hierarchal enclaves in a cloud environment.
    Type: Grant
    Filed: March 21, 2022
    Date of Patent: August 29, 2023
    Assignee: Google LLC
    Inventors: Nelly Porter, David Benson Cross, Uday Ramesh Savagaonkar, Brandon S. Baker, Sergey Simakov
  • Patent number: 11734415
    Abstract: An embodiment integrated circuit comprises a first memory zone having a first level of access rights that is configured to store at least one first software application containing encrypted instructions, means for verifying the integrity of the first software application, an encryption/decryption means, for example a first logic circuit, that is configured to decrypt the encrypted instructions which are considered to exhibit integrity, a processing unit that is configured to execute the decrypted instructions, the first logic circuit being further configured to encrypt the data generated by the execution operation and a second means, for example a second logic circuit, that is configured to store the encrypted data in a second memory zone having a second level of access rights that is identical to the first level of access rights.
    Type: Grant
    Filed: July 7, 2020
    Date of Patent: August 22, 2023
    Assignee: STMICROELECTRONICS (GRAND OUEST) SAS
    Inventor: Vincent Berthelot
  • Patent number: 11734320
    Abstract: A log processing device and a log processing method thereof are provided. The log processing device divides the original log data into a plurality of block data, transforms a numeric variable of each of the block data into a representative code, and determines whether to perform a combination process for continuous block data to generate a plurality of combinational block data according to a data integrity of each of the block data. The log processing data takes the combinational block data as a log template, and each of the combinational block data corresponds to an event.
    Type: Grant
    Filed: November 22, 2020
    Date of Patent: August 22, 2023
    Assignee: INSTITUTE FOR INFORMATION INDUSTRY
    Inventors: Yen-Wen Huang, Wei-Chao Hsu
  • Patent number: 11709937
    Abstract: An approach is provided that, after receiving a request to execute a computer program, determines an active set of metadata that corresponds to the requested computer program and then loads basic blocks of the requested computer program into memory. One of the loaded basic blocks is a starting block of the requested computer program. The memory also stores basic blocks corresponding to some previously loaded computer programs. The approach also inactivates basic blocks that are currently stored in the memory, with the inactivated basic blocks being identified based on a comparison of the active set of metadata to the sets of metadata that correspond to the basic blocks of previously loaded computer programs. After inactivating some basic blocks, the approach executes the starting block of the requested computer program.
    Type: Grant
    Filed: August 25, 2021
    Date of Patent: July 25, 2023
    Assignee: International Business Machines Corporation
    Inventors: Michael Vu Le, Hani Talal Jamjoom
  • Patent number: 11687681
    Abstract: System and techniques for multi-tenant cryptographic memory isolation are described herein. A multiple key total memory encryption (MKTME) circuitry may receive a read request for encrypted memory. Here, the read request may include an encrypted memory address that itself includes a sequence of keyid bits and physical address bits. The MKTME circuitry may retrieve a keyid-nonce from a key table using the keyid bits. The MKTME circuitry may construct a tweak from the keyid-nonce, the keyid bits, and the physical address bits. The MKTME circuitry may then decrypt data specified by the read request using the tweak and a common key.
    Type: Grant
    Filed: September 14, 2020
    Date of Patent: June 27, 2023
    Assignee: INTEL CORPORATION
    Inventors: Shay Gueron, Siddhartha Chhabra, Nadav Bonen
  • Patent number: 11677730
    Abstract: A device includes a microcontroller, memory including secure memory to store a private key, a set of registers, and an authentication engine. The set of registers includes a write mailbox register and a read mailbox register, and message data is to be written to the write mailbox register by a host system. The message data includes at least a portion of a challenge request, and the challenge request includes a challenge by the host system to authenticity of the device. The authentication engine generates a response to the challenge, where the response includes data to identify attributes of the device and a signature generated using the private key. The authentication engine causes at least a portion of the response to be written to the read mailbox register to be read by the host system.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: June 13, 2023
    Assignee: Intel Corporation
    Inventors: Yu-Yuan Chen, Wojciech S. Powiertowski, Srikanth Varadarajan, David J. Harriman
  • Patent number: 11663301
    Abstract: A method for the usage-based licensing of one or more applications in a container, wherein the container comprises a license module, an application queries the presence of an application license via the license module and is only executed if an application license is present. In the license module, a linking of one or more application licenses with a unique identifier is stored, and the container comprises a settlement module, which retrieves a usage unit from an external license source. For the duration of an obtained usage unit, the settlement module provides the unique identifier in a secure data storage so that all applications linked with the unique identifier can be executed. A computer system and a computer program product are also provided.
    Type: Grant
    Filed: August 12, 2021
    Date of Patent: May 30, 2023
    Assignee: dSPACE GmbH
    Inventors: Matthias Nissen, Guido Schaefergockel
  • Patent number: 11658808
    Abstract: Memory control circuitry controls access to data stored in memory, and memory security circuitry generates encrypted data to be stored in the memory. The encrypted data is based on target data and a first one-time-pad (OTP). In response to an OTP update event indicating that the first OTP is to be updated to a second OTP different from the first OTP, the memory security circuitry generates a re-encryption value based on the first OTP and the second OTP, and the memory security circuitry issues a re-encryption request to cause updated encrypted data to be generated in a downstream component based on the encrypted data and the re-encryption value and to cause the encrypted data to be replaced in the memory by the updated encrypted data.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: May 23, 2023
    Assignee: Arm Limited
    Inventors: Andreas Lars Sandberg, Matthias Lothar Boettcher, Prakash S. Ramrakhyani
  • Patent number: 11651086
    Abstract: A method for executing a computer program, wherein when a microprocessor writes a block of No bytes of a datum of a block of cleartext data stored in an unencrypted memory, a security module switches a validity indicator associated with this block of No bytes to an active state wherein it indicates that this block of bytes is valid, and each time a block of No bytes of a datum of the block of cleartext data is loaded by the microprocessor from the unencrypted memory, the hardware security module verifies whether the validity indicator associated with this block of No bytes is in its active state and, if such is the case, processing, by the microprocessor, of this block of No bytes is permitted, and, if such is not the case, processing, by the microprocessor, of this block of No bytes is forbidden.
    Type: Grant
    Filed: December 2, 2020
    Date of Patent: May 16, 2023
    Assignee: Commissariat a l'Energie Atomique et aux Energies Alternatives
    Inventors: Olivier Savry, Thomas Hiscock
  • Patent number: 11640468
    Abstract: A method for operating an industrial PC (IPC) device, wherein the IPC device includes a general-purpose operating system (GPOS) section implemented to execute program code under the GPOS, and a real time operating system (RTOS) section implemented to execute program code adapted to real-time data processing under the RTOS, includes providing a wrapped application program based on an application program including binary code designed to be executed under the RTOS and a security policy; validating the wrapped application program according to the security policy by an RTOS process for obtaining a validated application program; transferring the binary code of the validated application program and a security element from the RTOS process to a GPOS process; establishing a secure communications channel between the GPOS process and the RTOS section using the security element; and executing the binary code of the validated application program by the GPOS process.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: May 2, 2023
    Assignee: OMRON Corporation
    Inventors: Fred Scheffer, Thorstin Crijns
  • Patent number: 11630731
    Abstract: In various embodiments, a method for page cache management is described. The method can include: identifying a storage device fault associated with a fault-resilient storage device; determining that a first region associated with the fault-resilient storage device comprises an inaccessible space and that a second region associated with the fault-resilient storage device comprises an accessible space; identifying a read command at the second storage device for the data and determining, based on the read command, first data requested by a read operation from a local memory of the second storage device; determining, based on the read command, second data requested by the read operation from the second region; retrieving the second data from the second region; and scheduling a transmission of the second data from the fault-resilient storage device to the second storage device.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: April 18, 2023
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Yang Seok Ki, Sungwook Ryu
  • Patent number: 11625336
    Abstract: The present disclosure is related to encryption of executables in computational memory. Computational memory can traverse an operating system page table in the computational memory for a page marked as executable. In response to finding a page marked as executable, the computational memory can determine whether the page marked as executable has been encrypted. In response to determining that the page marked as executable is not encrypted, the computational memory can generate a key for the page marked as executable. The computational memory can encrypt the page marked as executable using the key.
    Type: Grant
    Filed: June 22, 2020
    Date of Patent: April 11, 2023
    Assignee: Micron Technology, Inc.
    Inventor: Perry V. Lea
  • Patent number: 11625337
    Abstract: Technologies disclosed herein provide cryptographic computing. An example method comprises storing, in a register, an encoded pointer to a memory location, wherein the encoded pointer comprises first context information and a slice of a memory address of the memory location, wherein the first context information includes an identification of a data key; decoding the encoded pointer to obtain the memory address of the memory location; using the memory address obtained by decoding the encoded pointer to access encrypted data at the memory location; and decrypting the encrypted data based on the data key.
    Type: Grant
    Filed: December 26, 2020
    Date of Patent: April 11, 2023
    Assignee: Intel Corporation
    Inventor: David M. Durham
  • Patent number: 11620411
    Abstract: A system includes a memory, a processor in communication with the memory, and a first TEE instance. The first TEE instance is configured to maintain an encrypted secret, obtain a cryptographic measurement associated with a second TEE instance, validate the cryptographic measurement, and provision the second TEE instance with the encrypted secret. Additionally, the first TEE instance and the second TEE instance are both configured to service at least a first type of request.
    Type: Grant
    Filed: March 24, 2020
    Date of Patent: April 4, 2023
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11606189
    Abstract: A method is provided for decrypting data encrypted according to a cipher key according to the advanced encryption standard (AES). The method includes precomputing a product of each element value of an InvMixColumn matrix and each possible value of an input state array and deriving a set of round keys from the cipher key and the set of round keys. The deriving includes providing an initial round key and a plurality of further round keys, performing an initial decryption round, and performing N full decryption rounds at least in part using the precomputed product of each element value of an InvMixColumn matrix and each possible value of the input state array.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: March 14, 2023
    Assignee: ARRIS Enterprises LLC
    Inventor: Dileep Kumar Kotha
  • Patent number: 11580249
    Abstract: Systems, computer program products, and methods are described herein for implementing multi-dimensional data obfuscation. The present invention is configured to electronically receive, from a computing device of a user, a request to implement a multi-dimensional data obfuscation on a first database; initiate a data obfuscation engine on the first database based on at least receiving the request, wherein initiating further comprises: determining one or more data types associated with the one or more data artifacts; determining one or more exposure levels of the one or more data artifacts; retrieving, from a data obfuscation repository, one or more data obfuscation algorithms; and implementing the one or more data obfuscation algorithms on the one or more data artifacts based on at least the one or more data types; and generate an obfuscated first database based on at least initiating the data obfuscation engine on the first database.
    Type: Grant
    Filed: February 10, 2021
    Date of Patent: February 14, 2023
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Brandon Sloane, Jinyoung Nathan Kim, Adriana Tache, Charles Edward Dudley
  • Patent number: 11570199
    Abstract: A method of preventing exploitation of a vulnerability of a computing system includes generating a deprivation token to cause disabling of a selected one or more features of a component of the computing system to prevent an exploit of a vulnerability affecting the selected one or more features; and publishing the deprivation token to at least one of a computing system manufacturer computing system and an enterprise information technology (IT) computing system for distribution to affected computing systems.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: January 31, 2023
    Assignee: INTEL CORPORATION
    Inventors: Shay Pluderman, Omer Ben-Shalom, Shlomo Avital, Tzipi Wales, Elisheva Zobin
  • Patent number: 11563584
    Abstract: Zero round trip secure communications are implemented based on noisy secrets with a polynomial secret sharing scheme. A sender identifies two negotiated noisy secrets associated with an encrypted message to send to a receiver system. The sender utilizes a first negotiated noisy secret for sub-key selection, and generates a secret polynomial using Shamir's polynomial-based secret sharing scheme with N positive integer points and a message key as a secret. The sender divides the first negotiated noisy secret into a plurality of sub-keys, and divides a second negotiated noisy secret into test blocks of a length equivalent to a length of a sub-key. The sender utilizes each of the plurality of sub-keys for encrypting a corresponding test block along with one unique point of the secret polynomial. Moreover, the sender sends all encrypted test blocks and corresponding encrypted points of the secret polynomial to the receiver with the encrypted message.
    Type: Grant
    Filed: February 10, 2021
    Date of Patent: January 24, 2023
    Assignee: DIGITAL 14 LLC
    Inventors: Serguei Velikevitch, Alexander Sherkin
  • Patent number: 11552794
    Abstract: Systems and methods include determination of a first value to be blinded, determination of a first key value, generation of a first composite value based on the first value and the first key value, performance of a hash operation on the first composite value to generate a first hash value, seeding of a pseudorandom generator with the first hash value to generate a first pseudorandom value, truncation of the first hash value based on the first pseudorandom value to generate a first truncated value, and generation of a blinded value associated with the first value based on a blinding function comprising the first value and the first truncated value.
    Type: Grant
    Filed: December 1, 2020
    Date of Patent: January 10, 2023
    Assignee: SAP SE
    Inventors: Kilian Becher, Julius Albert Gregor Lagodzinski, Christian Hellwig, Axel Schroepfer
  • Patent number: 11537757
    Abstract: A computer system includes an independent compute core; and an isolated secure data storage device to store data accessible only to the independent compute core. The independent compute core is to open an Application Program Interface (API) during runtime of the computer system in response to receiving a verified message containing secure data to be written to the secure data storage device.
    Type: Grant
    Filed: February 19, 2016
    Date of Patent: December 27, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Dallas M Barlow, Stanley Hyojun Park, Christopher H Stewart, Baraneedharan Anbazhagan, Scott B Marcak, Richard A Bramley, Jr.
  • Patent number: 11537298
    Abstract: Examples of systems and methods described herein provide for accessing memory devices and, concurrently, generating access codes using an authenticated stream cipher at a memory controller. For example, a memory controller may use a memory access request to, concurrently, perform translation logic and/or error correction on data associated with the memory access request; while also utilizing the memory address as an initialization vector for an authenticated stream cipher to generate an access code. The error correction may be performed subsequent to address translation for a write operation (or prior to address translation for a read operation) to improve processing speed of memory access requests at a memory controller; while the memory controller also generates the encrypted access code.
    Type: Grant
    Filed: December 1, 2020
    Date of Patent: December 27, 2022
    Assignee: Micron Technology, Inc.
    Inventors: Jeremy Chritz, David Hulton
  • Patent number: 11520709
    Abstract: Embodiments herein describe a memory controller that has an encryption path and a bypass path. Using an indicator (e.g., a dedicated address range), an outside entity can inform the memory controller whether to use the encryption path or the bypass path. For example, using the encryption path when performing a write request means the memory controller encrypts the data before it is stored, while using the bypass path means the data is written into memory without being encrypted. Similarly, using the encryption path when performing a read request means the controller decrypts the data before it is delivered to the requesting entity, while using the bypass path means the data is delivered without being decrypted.
    Type: Grant
    Filed: January 15, 2020
    Date of Patent: December 6, 2022
    Assignee: International Business Machines Corporation
    Inventors: Tony Sawan, Adam Samuel Hale
  • Patent number: 11509454
    Abstract: Disclosed is a ciphertext computation method. The ciphertext computation method includes: receiving a modular computation command for a plurality of ciphertexts; performing a modular computation for the plurality of ciphertexts by using a lookup table storing a plurality of predetermined prime number information; and outputting a result of the computation.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: November 22, 2022
    Assignee: CRYPTO LAB INC.
    Inventor: Jung Hee Cheon
  • Patent number: 11509480
    Abstract: A method of attestation of a host machine based on runtime configuration of the host machine is provided. The method receives, at an attestation machine, a request from the host machine for attestation of a software executing on the host machine, the request including at least one security-related configuration of the software at launch time and a corresponding runtime behavior of the software when the security-related configuration changes. The method then generates a claim based on evaluating a value associated with the at least one security-related configuration and the corresponding runtime behavior of the software when the value changes. The method also generates an attestation token after a successful attestation of the software and includes in the attestation token the generated claim. The method further transmits the attestation token to the host machine.
    Type: Grant
    Filed: June 30, 2020
    Date of Patent: November 22, 2022
    Assignee: VMWARE, INC.
    Inventors: Samyuktha Subramanian, Jesse Pool
  • Patent number: 11500759
    Abstract: An information processing system is provided. The information processing system generates a program so as to output a hash value calculated based on a hash value calculation instruction included in a source code for generating the program, determines a set of analysis support information associated with the hash value calculation instruction and the hash value calculated based on the hash value calculation instruction, stores the set of the analysis support information and the hash value, stores at least a part of one or more hash values output as a result of execution of the program, and outputs, by using at least the part of the stored hash value, the analysis support information that makes the set with the hash value.
    Type: Grant
    Filed: July 27, 2020
    Date of Patent: November 15, 2022
    Assignee: NINTENDO CO., LTD.
    Inventors: Takahiro Yamazaki, Kiyoto Suzuki
  • Patent number: 11461103
    Abstract: In one embodiment, a branch processing method comprising receiving information from at least two branch execution units; writing two updates per clock cycle to respective first and second write queues based on the information; and writing from the first write queue up to two updates per clock cycle into plural tables of a first predictor and a single update for the single clock cycle when there is an expected write collision, the first predictor comprising a single write or read/write port.
    Type: Grant
    Filed: October 23, 2020
    Date of Patent: October 4, 2022
    Assignee: CENTAUR TECHNOLOGY, INC.
    Inventor: Thomas C. McDonald
  • Patent number: 11461021
    Abstract: An electronic device is provided. A computing system includes a storage device and a host. The storage device includes a memory device including a write protection area. The host performs an operation of providing, to the storage device, a first request regarding security write and write data in parallel with an operation of generating a host authentication code based on the write data and a key shared with the storage device.
    Type: Grant
    Filed: January 25, 2021
    Date of Patent: October 4, 2022
    Assignee: SK hynix Inc.
    Inventor: Gun Wook Lee
  • Patent number: 11461507
    Abstract: Systems and methods for an interface device that is configured to locally generate encrypted data and also receive encrypted data from a host computer, locally decrypt the data, and present the decrypted data independently from the host computer.
    Type: Grant
    Filed: October 30, 2019
    Date of Patent: October 4, 2022
    Assignee: Third Block Gear
    Inventor: Jason Allen Rexilius
  • Patent number: 11461460
    Abstract: A computer implemented method of securing an application executing in a software container deployed in a computer system includes providing access to the application selectively in accordance with access control rules by sharing an encryption key with authorized accessors.
    Type: Grant
    Filed: December 3, 2018
    Date of Patent: October 4, 2022
    Assignee: British Telecommunications Public Limited Company
    Inventors: Fadi El-Moussa, Ali Sajjad
  • Patent number: 11409668
    Abstract: A memory module includes: a plurality of memories, wherein each of the memories comprises: an encryption key storage circuit suitable for storing an encryption key; an address encryption circuit suitable for generating an encrypted address by encrypting an address transferred from a memory controller by using the encryption key stored in the encryption key storage circuit; and a cell array accessed by the encrypted address, wherein the encryption key storage circuits of the memories store different encryption keys.
    Type: Grant
    Filed: December 27, 2019
    Date of Patent: August 9, 2022
    Assignee: SK hynix Inc.
    Inventors: Woongrae Kim, Sang-Kwon Lee, Jung-Hyun Kim, Jong-Hyun Park, Jong-Ho Son, Mi-Hyun Hwang, Jeong-Tae Hwang
  • Patent number: 11372775
    Abstract: A processor comprising an instruction execution circuit to execute a second code stored at a second address of a memory, wherein the second code is translated from a first code stored at a first address of the memory and a translation table (TT) controller coupled to a translation table to store a TT entry comprising a mapping between the first address and the second address and an attribute field comprising an attribute value associated with execution of the second code, wherein the TT controller is to monitor execution of the second code by the instruction execution circuit and update, based on a performance metric of the execution, the attribute value of the TT entry.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: June 28, 2022
    Assignee: Intel Corporation
    Inventors: Girish Venkatasubramanian, Jason M. Agron, Cristiano Pereira, Rangeen Basu Roy Chowdhury
  • Patent number: 11347898
    Abstract: A device and method for data protection, and a storage controller, related to the technical field of data protection. The device comprises: an encryption unit (11), used for receiving first data to be written into a storage module and first storage address information (401), and for encrypting the first data on the basis of the first storage address information and of feature information of the storage module (402); and a decryption unit (12), used for reading from the storage module second data corresponding to second storage address information (403), and for decrypting the second data on the basis of the second storage address information and of the feature information (404).
    Type: Grant
    Filed: October 13, 2017
    Date of Patent: May 31, 2022
    Assignee: Gree Electric Appliances, Inc. of Zhuhai
    Inventors: Langming Wen, Hao Liu, Heng Chen, Haoliang Zhang, Li Fang
  • Patent number: 11347884
    Abstract: An apparatus includes a memory that stores a plurality of records and a hardware processor. The processor receives a request for a first record and a second record of the plurality of records and divides, based on a type of the first record and a type of the second record, the first record into a first portion and a second portion and the second record into a third portion and a fourth portion. The processor also creates a first chunk using the first portion of the first record and the third portion of the second record and creates a second chunk using the second portion of the first record and the fourth portion of the second record. The processor further scrubs the first chunk to create a first message, scrubs the second chunk to create a second message, and communicates the first and second messages to an external device.
    Type: Grant
    Filed: July 2, 2019
    Date of Patent: May 31, 2022
    Assignee: Bank of America Corporation
    Inventors: Rajesh Narayanan, Manu Jacob Kurian
  • Patent number: 11334676
    Abstract: Techniques for secure public exposure of digital data include extracting n chunks, each containing Q bits, n=2(Q+1). A random mapping of each chunk to only one batch of M numbered batches is determined and stored securely. A bit based on a random key is combined at a location based on batch number with each of the chunks in the batch to produce a batch of enhanced chunks, each containing Q+1 bits. This is repeated with each non-overlapping batch of chunks, each enhanced chunk of the batch having one bit based on a different bit from the key. A unique set of the enhanced chunks is combined with a XOR to produce an encoded chunk, every bit of which is based on a bit from the key. An encoding vector B that indicates the unique set is stored securely. The encoded chunk can be safely exposed publicly.
    Type: Grant
    Filed: April 25, 2019
    Date of Patent: May 17, 2022
    Assignee: The Regents of the University of California
    Inventors: Hamid R. Sadjadpour, Mohsen Karimzadeh Kiskani
  • Patent number: 11323259
    Abstract: A method performed by a virtual trusted platform module, vTPM on an execution platform, comprises the steps of obtaining (S11) encrypted information (encvTPMContext) and a first identifier (Salt), both associated with a virtual machine, VM to be executed; retrieving (S14), using the identifier from a trusted launch authority, TLA, at least a first secret portion (SlaKeystart), the first secret portion (SlaKeystart) being dynamically linked to the VM and dependent on at least a property of the VM; and decrypting (S16) the encrypted information (encvTPMContext) with a decryption key (EncKeystart) derived from at least the first secret portion (SlaKeystart) and a first measurement result (VmDigeststart) of at least the VM.
    Type: Grant
    Filed: September 22, 2016
    Date of Patent: May 3, 2022
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Alexander Maximov, Petri Mikael Johansson, Bernard Smeets
  • Patent number: 11297041
    Abstract: A blockchain-implemented transaction from an originator node is to be broadcast. The originator node is communicatively coupled to proxy nodes. The method, implemented by a proxy node, includes: receiving a transaction including an input taking x+r units of computing resources, an output providing x units to the output address and another output providing d+r units to a 1-of-n multi-signature address unlockable by any one of a set of private keys associated with the proxy nodes. The proxy node selects a quantity of computing resources, t units, to be allocated to the proxy node for broadcasting the transaction and having it included in the blockchain and generates a further transaction taking d+r units sourced from the multi-signature address and an output providing t units to the proxy node. The proxy node broadcasts both transactions timed to permit their inclusion in the same block of the blockchain.
    Type: Grant
    Filed: December 12, 2018
    Date of Patent: April 5, 2022
    Assignee: nChain Licensing AG
    Inventors: Silvia Bartolucci, Pauline Bernat, Daniel Joseph
  • Patent number: 11288360
    Abstract: Using a first key, an encrypted file fingerprint is decrypted, the decrypting resulting in a decrypted file fingerprint. Using a hash function on a script file, a script file fingerprint is computed, the script file intended to be executed by an interpreter. Responsive to the script file fingerprint matching the decrypted file fingerprint, the script file is executed.
    Type: Grant
    Filed: March 4, 2020
    Date of Patent: March 29, 2022
    Assignee: KYNDRYL, INC.
    Inventors: Constantin Mircea Adam, Richard Jay Cohen, Jeffrey Edward Lammers, Cheng Yi Lee, Brian Peterson, Maja Vukovic, Xiongfei Wei
  • Patent number: 11288381
    Abstract: Provided is a calculation device for performing a calculation for an encryption data in a virtual execution environment protected from a standard execution environment. The calculation device has a virtual execution environment construction unit for constructing the virtual execution environment, and the virtual execution environment includes: an encryption data acquisition unit for acquiring the encryption data; a source code acquisition unit for acquiring a source code for the calculation; a key acquisition unit for acquiring the system key; a decryption unit for decrypting the encryption data by the acquired system key; a source code execution unit for executing the source code; an encryption unit for encrypting a calculation result to which the source code is executed by the system key; and a calculation result providing unit for providing the encrypted calculation result to the standard execution environment.
    Type: Grant
    Filed: May 22, 2020
    Date of Patent: March 29, 2022
    Assignee: EAGLYS Inc.
    Inventor: Hiroki Imabayashi