Abstract: According to one embodiment, an isogeny calculation device includes a memory and an isogeny calculator. The memory stores, as a pre-calculated value, an intermediate value, among a plurality of intermediate values used for isogeny calculation, which is determined from an elliptic point T obtained by repeatedly performing L-point multiplication (where L is a positive integer) and M-isogeny (where M is a positive integer) on an elliptic point S serving as a kernel of the isogeny. The isogeny calculator identifies the elliptic point T serving as the kernel of the M-isogeny according to lower e digits (where e is a positive integer) of an L-adic representation of a secret key sk that determines the elliptic point S, reads the pre-calculated value determined from the elliptic point T from the memory, and performs at least one of calculations of the L-point multiplication and the M-isogeny using the pre-calculated value read from the memory.

Abstract: A data storage device has a controller, a decryption engine, and a memory storing encrypted data. Instead of using the decryption engine to generate a tweak value needed to decrypt the encrypted data, the tweak value is generated by the controller while the controller is waiting for the encrypted data to be read from the memory. This hides the latency to compute the tweak value in the latency to read the encrypted data from the memory.

Abstract: In a general aspect, a method for testing vulnerability of a cryptographic function (CF) to a side-channel attack includes providing a plurality of input values to the function, where the CF, for each input value calculates a sum of the input value and a first value of the CF, and replaces a second value of the CF with the sum. The method further includes measuring a set of samples including a respective side-channel leakage sample for each input value. The method also includes iteratively performing a series of operations including splitting the set of samples into a plurality of subsets based on the input values, calculating a respective value for each subset based on samples of the subset, and comparing the respective values for different subsets to discover respective bit values of the first value and the second value from their least significant bits to most significant bits.

Abstract: A security architecture system includes a plurality of subsystems. The plurality of subsystems include a secure element subsystem. A first subsystem of the plurality of subsystems includes a trusted computing platform that has a trusted platform control module. The first subsystem is configured to, for a running object in one or more subsystems other than the first subsystem in the plurality of subsystems, use the trusted platform control module to perform security measurement on the running object based on a measurement strategy and a measurement benchmark value to obtain a measurement result. The measurement result is used to control a running state of the running object in one or more subsystems other than the first subsystem in the plurality of subsystems.

Abstract: Systems and methods for identifying memory devices for swapping virtual machine memory pages. An example method may comprise: identifying, by a processing device, a workload type associated with a workload being executed by a computer system; identifying a memory device associated with the workload type; evaluating a memory pressure metric reflecting a period of time during which an application being executed by the computer system has been blocked by a memory allocation operation; and responsive to determining that the memory pressure metric exceeds a threshold value, allocating a memory block on the identified memory device.

Abstract: Technologies for providing secure utilization of tenant keys include a compute device. The compute device includes circuitry configured to obtain a tenant key. The circuitry is also configured to receive encrypted data associated with a tenant. The encrypted data defines an encrypted image that is executable by the compute device to perform a workload on behalf of the tenant in a virtualized environment. Further, the circuitry is configured to utilize the tenant key to decrypt the encrypted data and execute the workload without exposing the tenant key to a memory that is accessible to another workload associated with another tenant.

Abstract: A data management system manages concurrent readers and writers for large file scans. The data management system may read a plurality of data chucks of the file starting from different offsets and generate a bounded number of read requests, which causes a data chuck identifiable by a data offset to be loaded into a data buffer. The system may queue the loaded data chucks for generating write requests to release the loaded data chunks. One or more write requests are generated responsive to one or more data chunks being associated with a consecutive order of data offsets being successfully loaded to data buffers. The system may write data chucks released from the buffer-rounded reading stage to the data storage in a checkpointed writing stage. The checkpointed writing stage creates a checkpoint based on the data offset of the data chucks that have been completely transferred to the data storage.

Abstract: Disclosed herein are techniques for reducing sizes of executable files. Techniques include identifying an executable file having a plurality of functions; determining, by parsing the executable file or a code structure representing the executable file, that a first and second function each comprise a common block; identifying a third function configured to perform the common block; changing the first and second functions by: removing the common block from at least one of the first or second functions; and inserting a call to the third function into at least one of the first or second functions; and updating the executable file by: replacing, in the executable file, at least one of the first or second functions with at least one of the updated first or second functions; and adding the third function to the executable file.

Abstract: It is provided a method for controlling camera-based supervision of a physical space. The method is performed in a supervision controller and comprises the steps of: determining that a person enters the physical space; deactivating camera-based supervision of the physical space based on the person entering the physical space, by turning off a video feed of the camera-based supervision; determining that a person exits the physical space; and activating camera-based supervision of the physical space based on the person exiting the physical space.

Abstract: Systems and methods for metadata processing. In some embodiments, a target address may be received from a host processor. The target address may be used to access mapping information and decoding information, the mapping information and the decoding information being associated with the target address. The mapping information may be used to map the target address to a metadata address. The metadata address may be used to retrieve metadata, and the decoding information may be used to decode the retrieved metadata.

Abstract: A system and a method for protecting code are provided. Extraction of code to be protected takes place during an object-to-object transformation and that code is replaced with fake binary code. The extracted code to be protected may then be encrypted or otherwise obscured and stored in a separate region of an object file. A prior source-to-source file transformation can be provided to isolate and mark the code to be protected, and to inject additional source code to handle later decryption.

Abstract: Embodiments described herein are generally directed to a cloud-native approach to software license enforcement in a container orchestration system. According to an example, information indicative of a number of sets of containers that are making use of one or more components of an application is received. The application is licensed by the tenant and the sets of containers are running within a namespace of the tenant within a cluster of a container orchestration system. Overuse of the application by the tenant is determined based on whether the number exceeds a licensing constraint for the application specified within an Application Programming Interface (API) object of the container orchestration system corresponding to the application. Responsive to a determination that the application is being overused by the tenant, the tenant is caused to be notified regarding the overuse.

Abstract: An electronic device includes a System on Chip (SoC) and a memory. The SoC includes a processor and a neural processing unit (NPU). The memory includes an enclave page cache (EPC), in which a validation table is stored, and at least one NPU enclave. The NPU enclave and the EPC have a trusted execution environment, which is isolated from an execution environment in which system software of the CPU is executed.

Abstract: There are provided a method, system and computer program product for preventing unauthorized use of a deep reinforcement learning agent. The DRL agents are trained to behave as expected only when they observe the one or more required secret operational keys. In some embodiments, the DRL agents are further trained to operate at a diminished capacity when the one or more required secret operational keys are unused.

Abstract: The present disclosure provides a system. The system includes a memory device configured to store memory data. The memory device includes a plurality of valid memory blocks that comprises a first valid memory block and a second valid memory block. The system also includes a controller, having a processor and a memory, operatively coupled to the first and second valid memory blocks. The controller is configured to, in an operation on redundant array of independent disks (RAID), generate an address chain in a check code factor of the plurality of valid memory blocks, the address chain comprising a first address point pointing to the first valid memory block. The controller is also configured to generate, in the first valid memory block, a second address pointer, the second address pointer pointing to the second valid memory block.

Abstract: An information security protection method includes: repeatedly substituting a plaintext into an encryption algorithm to obtain a plurality of ciphertexts, and determining whether the ciphertexts are all the same h the processor core. Each time the processor core substitutes the plaintext into the encryption algorithm, the encryption algorithm outputs a ciphertext. When the processor core determines that the ciphertexts are not all the same, the processor core outputs a hacker attack message, which means that an encryption process has suffered a hacker attack.

Abstract: Example implementations include a method of requesting an instruction block associated with one or more instructions and located at one or more addresses of a system memory, obtaining the instruction block from the system memory, generating a hash of the instruction block, obtaining an expected hash associated with the instruction block, comparing the expected hash with the generated hash, in accordance with a determination that the expected hash matches the generated hash, generating a first validation response associated with the instruction block.

Abstract: Methods, systems, and devices for data processing are described. Some database systems may implement data processing permits to manage data access. A database system may use encryption schemes to tie permits to data (e.g., cryptographically ensuring that the system follows data regulations). To support queries for a database implementing such encryption schemes, the database may implement a proxy. When the system receives a query, the database proxy may intercept and transform the query based on the encryption schema of the database. The database proxy may execute the transformed query at the database, receive encrypted query results in response, and decrypt the results for use by the querying application. Additionally, the system may access relevant data processing permits to support querying operations. For example, the system may use permits when transforming the query, executing the query in the database, preparing query results for the querying application, or any combination thereof.

Abstract: Methods, systems, and devices for mapping descriptors for read operations are described. A memory device may include a first cache may include a mapping table between the logical addresses and the physical addresses, and a second cache may include one or more descriptors of one or more physical addresses of the memory array. A descriptor may include a starting logical address, a starting physical address, and a quantity of addresses in the descriptor, and may be configured to identify addresses or sets of address that are frequently accessed. When an access command (e.g., a read command) is received, the first cache may be queried and then the second cache may be queried (if there is a cache miss at the first cache). The physical address of the data of the memory array may be determined (and accessed) based on the descriptors stored in the second cache.

Abstract: Systems, computer program products, and methods are described herein for identification of obfuscated electronic data through placeholder indicators. The present invention is configured to electronically receive, from a computing device of a user, a request to obfuscate one or more data artifacts stored on a first database; retrieve, from a data obfuscation repository, one or more data obfuscation algorithms; implement the one or more data obfuscation algorithms on the one or more data artifacts; generate one or more placeholder indicators identifying the one or more data obfuscation algorithms implemented on the one or more data artifacts; create one or more data fields corresponding to the one or more masked data artifacts on the first database; store the one or more placeholder indicators in the one or more data fields; and update the first database with the one or more masked data artifacts and the one or more placeholder indicators.

Abstract: A process wrapping method for bypassing native code anti-analysis includes receiving an execution instruction intended to run in an application from an Android framework when the application starts, extracting metadata of string and method from a compiled OAT file using an oatdump tool in the Android framework, determining if anti-analysis techniques are applied by comparing with information of a database (DB) based on the transmitted execution instruction and the extracted metadata, modifying the execution instruction based on the determined information when the anti-analysis technique is applied, and sending the modified execution instruction back to the Android framework. Accordingly, it is possible to provide an environment in which malicious applications to which anti-analysis techniques are applied can be easily analyzed.

Abstract: A secure data transfer apparatus, where a processor in the apparatus is configured to execute a driver software to generate cryptography information, a cryptography device in the apparatus is configured to obtain a current cryptography parameter based on the cryptography information, and perform a cryptography operation using the current cryptography parameter, a Peripheral Component Interconnect Express (PCIe) interface in the apparatus configured to perform a ciphertext data exchange with a memory controller in a memory located external to the apparatus, where the ciphertext data exchange includes sending the ciphertext data from the cryptography device to the memory controller when the memory is to be written, and sending the ciphertext data from the memory controller to the cryptography device when the memory is to be read.

Abstract: Systems and methods for integrated communication security are described. One aspect includes a clock generator configured to generate a clock signal at a first frequency, and a circuit utilizing the clock signal. The circuit may include a port configured to receive an encryption sequence at the first frequency, and a first unidirectional data path between the port and a memory configured to permit data transfer from the port to the memory. The memory may be configured to access the encryption sequence from the port via the first unidirectional data path and store the data. The circuit may further include a clock divider configured to divide the first frequency by a divisor deriving another clock signal at a second frequency, and an encryption/decryption module configured to read a portion of the encryption sequence from the memory, process input using the portion of the encryption sequence, and generate output responsive to the processing.

Abstract: A time master and sensor data collection module for a robotic system such as an autonomous vehicle is disclosed. The module includes a processing device, one or more sensors, and programming instructions that are configured to cause the processing device to operate as a timer that generates a vehicle time, receive data from the one or more sensors contained within the housing, and synchronize the data from the one or more sensors contained within the housing with the vehicle time. The integrated sensors may include sensors such as a global positioning system (GPS) unit and/or an inertial measurement unit (IMU). The module may interface with external sensors such as a LiDAR system and/or cameras.

Abstract: A system and method for securely computing an inference of two types of tree-based models, namely XGBoost and Random Forest, using secure multi-party computation protocol. The method includes computing a respective comparison result of each respective node of a plurality of nodes in a tree classifier. Each node has a respective threshold value. The respective comparison result is based on respective data associated with a data owner device being applied to a respective node having the respective threshold value. The method includes computing, based on the respective comparison result, a leaf value associated with the tree classifier, generating a share of the leaf value and transmitting, to the data owner device, a share of the leaf value. The data owner device computes, using a secure multi-party computation and between the model owner device and the data owner device, the leaf value for the respective data of the data owner.

Abstract: A computer-implemented method of obfuscating a computer code comprises receiving (1201) an original computer program comprising a plurality of code blocks with computer instructions, the original computer program operable on input data within an input space, the original computer program operable to follow an execution path through the plurality of code blocks when receiving the input data, wherein the input space is segmented into at least one segment according to a segmentation, each segment comprising a subset of the input space containing inputs that correspond to a same execution path. A plurality of updated code blocks is included (1302) in the updated computer program. Selection code is operable 1303, during execution of the updated computer program, to select an updated code block of the plurality of updated code blocks in dependence on the input data. The selection code is included (1304) in the updated computer program.

Abstract: This application discloses a data processing method, system, and apparatus, a storage medium, and a device, and belongs to the field of database technologies. The method includes receiving, a trigger request; triggering, according to the trigger request, the first cloud encryptor to store a root key seed, an operating policy, a data key seed, and a data key identifier, and triggering the database proxy to store an encryption data dictionary, the operating policy indicating an operation policy of the first cloud encryptor. The method further includes receiving a data processing request from the client; sending first data that the data processing request requests to process and the data key identifier in the encryption data dictionary to the first cloud encryptor. The method further includes implementing the operating policy, processing the first data, and responding to the data processing request by using the second data.

Abstract: Embodiments herein describe a memory controller that has an encryption path and a bypass path. Using an indicator (e.g., a dedicated address range), an outside entity can inform the memory controller whether to use the encryption path or the bypass path. For example, using the encryption path when performing a write request means the memory controller encrypts the data before it was stored, while using the bypass path means the data is written into memory without be encrypted. Similarly, using the encryption path when performing a read request means the controller decrypts the data before it is delivered to the requesting entity, while using the bypass path means the data is delivered without being decrypted.

Abstract: This application pertains to encryption/decryption methods and related apparatuses. A communication device receives an initial layer-3 message. The initial layer-3 message includes an indication indicating that a part of the initial layer-3 message is encrypted. The communication device generates a keystream, and decrypts the encrypted part of the initial layer-3 message by performing an exclusive OR operation on the keystream and the initial layer-3 message.

Abstract: A plaintext and cryptographic key are used to generate an initialization vector to be used in a cryptographic algorithm, such as an encryption algorithm. In some examples, the plaintext and cryptographic key are input into an effectively one-way function, such as a cryptographic hash function, the output of which is usable as an initialization vector. Cryptographic keys may be rotated probabilistically based at least in part on probabilities of output collisions of the effectively one-way function to ensure a low probability of two different plaintexts resulting in calculation of the same initialization vector for use with the same cryptographic key.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for instantiating and managing systems that utilize hierarchal enclaves in a cloud environment.

Abstract: An embodiment integrated circuit comprises a first memory zone having a first level of access rights that is configured to store at least one first software application containing encrypted instructions, means for verifying the integrity of the first software application, an encryption/decryption means, for example a first logic circuit, that is configured to decrypt the encrypted instructions which are considered to exhibit integrity, a processing unit that is configured to execute the decrypted instructions, the first logic circuit being further configured to encrypt the data generated by the execution operation and a second means, for example a second logic circuit, that is configured to store the encrypted data in a second memory zone having a second level of access rights that is identical to the first level of access rights.

Abstract: A log processing device and a log processing method thereof are provided. The log processing device divides the original log data into a plurality of block data, transforms a numeric variable of each of the block data into a representative code, and determines whether to perform a combination process for continuous block data to generate a plurality of combinational block data according to a data integrity of each of the block data. The log processing data takes the combinational block data as a log template, and each of the combinational block data corresponds to an event.

Abstract: An approach is provided that, after receiving a request to execute a computer program, determines an active set of metadata that corresponds to the requested computer program and then loads basic blocks of the requested computer program into memory. One of the loaded basic blocks is a starting block of the requested computer program. The memory also stores basic blocks corresponding to some previously loaded computer programs. The approach also inactivates basic blocks that are currently stored in the memory, with the inactivated basic blocks being identified based on a comparison of the active set of metadata to the sets of metadata that corresponding to the basic blocks of previously loaded computer programs. After inactivating some basic blocks, the approach executes the starting block of the requested computer program.

Abstract: System and techniques for multi-tenant cryptographic memory isolation are described herein. A multiple key total memory encryption (MKTME) circuitry may receive a read request for encrypted memory. Here, the read request may include an encrypted memory address that itself includes a sequence of keyid bits and physical address bits. The MKTME circuitry may retrieve a keyid-nonce from a key table using the keyid bits. The MKTME circuitry may construct a tweak from the keyid-nonce, the keyid bits, and the physical address bits. The MKTME circuitry may then decrypt data specified by the read request using the tweak and a common key.

Abstract: A device includes a microcontroller, memory including secure memory to store a private key, a set of registers, and an authentication engine. The set of registers includes a write mailbox register and a read mailbox register, and message data is to be written to the write mailbox register by a host system. The message data includes at least a portion of a challenge request, and the challenge request includes a challenge by the host system to authenticity of the device. The authentication engine generates a response to the challenge, where the response includes data to identify attributes of the device and a signature generated using the private key. The authentication engine causes at least a portion of the response to be written to the read mailbox register to be read by the host system.

Abstract: A method for the usage-based licensing of one or more applications in a container, wherein the container comprises a license module, an application queries the presence of an application license via the license module and is only executed if an application license is present. In the license module, a linking of one or more application licenses with a unique identifier is stored, and the container comprises a settlement module, which retrieves a usage unit from an external license source. For the duration of an obtained usage unit, the settlement module provides the unique identifier in a secure data storage so that all applications linked with the unique identifier can be executed. A computer system and a computer program product are also provided.

Abstract: Memory control circuitry controls access to data stored in memory, and memory security circuitry generates encrypted data to be stored in the memory. The encrypted data is based on target data and a first one-time-pad (OTP). In response to an OTP update event indicating that the first OTP is to be updated to a second OTP different from the first OTP, the memory security circuitry generates a re-encryption value based on the first OTP and the second OTP, and the memory security circuitry to issues a re-encryption request to cause updated encrypted data to be generated in a downstream component based on the encrypted data and the re-encryption value and to cause the encrypted data to be replaced in the memory by the updated encrypted data.

Abstract: A method for executing a computer program, wherein when a microprocessor writes a block of No bytes of a datum of a block of cleartext data stored in an unencrypted memory, a security module switches a validity indicator associated with this block of No bytes to an active state wherein it indicates that this block of bytes is valid, and each time a block of No bytes of a datum of the block of cleartext data is loaded by the microprocessor from the unencrypted memory, the hardware security module verifies whether the validity indicator associated with this block of No bytes is in its active state and, if such is the case, processing, by the microprocessor, of this block of No bytes is permitted, and, if such is not the case, processing, by the microprocessor, of this block of No bytes is forbidden.

Abstract: A method for operating an industrial PC (IPC) device, wherein the IPC device includes a general-purpose operating system (GPOS) section implemented to execute program code under the GPOS, and a real time operating system (RTOS) section implemented to execute program code adapted to real-time data processing under the RTOS, includes providing a wrapped application program based on an application program including binary code designed to be executed under the RTOS and a security policy; validating the wrapped application program according to the security policy by an RTOS process for obtaining a validated application program; transferring the binary code of the validated application program and a security element from the RTOS process to a GPOS process; establishing a secure communications channel between the GPOS process and the RTOS section using the security element; and executing the binary code of the validated application program by the GPOS process.

Abstract: In various embodiments, a method for page cache management is described. The method can include: identifying a storage device fault associated with a fault-resilient storage device; determining that a first region associated with the fault-resilient storage device comprises an inaccessible space and that a second region associated with the fault-resilient storage device comprises an accessible space; identifying a read command at the second storage device for the data and determine, based on the read command, first data requested by a read operation from a local memory of the second storage device; determining, based on the read command, second data requested by the read operation from the second region; retrieving the second data from the second region; and scheduling a transmission of the second data from the fault-resilient storage device to the second storage device.

Abstract: Technologies disclosed herein provide cryptographic computing. An example method comprises storing, in a register, an encoded pointer to a memory location, wherein the encoded pointer comprises first context information and a slice of a memory address of the memory location, wherein the first context information includes an identification of a data key; decoding the encoded pointer to obtain the memory address of the memory location; using the memory address obtained by decoding the encoded pointer to access encrypted data at the memory location; and decrypting the encrypted data based on the data key.

Abstract: The present disclosure is related to encryption of executables in computational memory. Computational memory can traverse an operating system page table in the computational memory for a page marked as executable. In response to finding a page marked as executable, the computational memory can determine whether the page marked as executable has been encrypted. In response to determining that the page marked as executable is not encrypted, the computational memory can generate a key for the page marked as executable. The computational memory can encrypt the page marked as executable using the key.

Abstract: A system includes a memory, a processor in communication with the memory, and a first TEE instance. The first TEE instance is configured to maintain an encrypted secret, obtain a cryptographic measurement associated with a second TEE instance, validate the cryptographic measurement, and provision the second TEE instance with the encrypted secret. Additionally, the first TEE instance and the second TEE instance are both configured to service at least a first type of request.

Abstract: A method is provided for decrypting data encrypted according to a cipher key according the advanced encryption standard (AES). The method includes precomputing a product of each element value of an InvMixColumn matrix and each possible value of an input state array and deriving a set of round keys from the cipher key and the set of round keys. The deriving includes providing an initial round key and a plurality of further round keys, performing an initial decryption round, and performing N full decryption rounds at least in part using the precomputed product of each element value of an InvMixColumn matrix and each possible value of the input state array.

Abstract: Systems, computer program products, and methods are described herein for implementing multi-dimensional data obfuscation. The present invention is configured to electronically receive, from a computing device of a user, a request to implement a multi-dimensional data obfuscation on a first database; initiate a data obfuscation engine on the first database based on at least receiving the request, wherein initiating further comprises: determining one or more data types associated with the one or more data artifacts; determining one or more exposure levels of the one or more data artifacts; retrieving, from a data obfuscation repository, one or more data obfuscation algorithms; and implementing the one or more data obfuscation algorithms on the one or more data artifacts based on at least the one or more data types; and generate an obfuscated first database based on at least initiating the data obfuscation engine on the first database.

Abstract: A method of preventing exploitation of a vulnerability of a computing system includes generating a deprivation token to cause disabling of a selected one or more features of a component of the computing system to prevent an exploit of a vulnerability affecting the selected one or more features; and publishing the derivation token to at least one of a computing system manufacturer computing system and an enterprise information technology (IT) computing system for distribution to affected computing systems.

Abstract: Zero round trip secure communications are implemented based on noisy secrets with a polynomial secret sharing scheme. A sender identifies two negotiated noisy secrets associated with an encrypted message to send to a receiver system. The sender utilizes a first negotiated noisy secret for sub-key selection, and generates a secret polynomial using Shamir's polynomial-based secret sharing scheme with N positive integer points and a message key as a secret. The sender divides the first negotiated noisy secret into a plurality of sub-keys, and divides a second negotiated noisy secret into test blocks of a length equivalent to a length of a sub-key. The sender utilizes each of the plurality sub-keys for encrypting a corresponding test block along with one unique point of the secret polynomial. Moreover, the sender sends all encrypted test blocks and corresponding encrypted points of the secret polynomial to the receiver with the encrypted message.

Abstract: Systems and methods include determination of a first value to be blinded, determination of a first key value, generation of a first composite value based on the first value and the first key value, performance of a hash operation on the first composite value to generate a first hash value, seeding of a pseudorandom generator with the first hash value to generate a first pseudorandom value, truncation of the first hash value based on the first pseudorandom value to generate a first truncated value, and generation of a blinded value associated with the first value based on a blinding function comprising the first value and the first truncated value.

Abstract: A computer system includes an independent compute core; and an isolated secure data storage device to store data accessible only to the independent compute core. The independent compute core is to open an Application Program Interface (API) during runtime of the computer system in response to receiving a verified message containing secure data to be written to the secure data storage device.