Abstract: The present invention provides a solution to the problem of guaranteeing the integrity of software programs by encrypting all or part of each instruction of a program using a key based on all or part of one or a plurality of previous instructions, thus resulting in a different encryption key per instruction. The invention is applicable to software programs whose structures are not necessarily tree-like in nature and is also applicable when the program includes loops, jumps, calls or breaks etc. The invention allows for an exception to be flagged when an encrypted instruction is wrongly decrypted. There is no need for the first instruction to be in clear, since the instruction key may be appropriately initialized as required. The invention can be realized in software or entirely in hardware thereby eliminating the possibility of a third party intercepting a decrypted instruction or a decryption key.

Abstract: A tamperproof ClientID system to uniquely identify a client machine is invoked upon connection of a client application to a backend. Upon initial connection, the backend issues a unique ClientID containing a checksum. The client application prepares at least two different scrambled versions of the ClientID and stores them in respective predetermined locations on the client machine. Upon subsequent connection to the backend, the client application retrieves and unscrambles the values at the two locations, verifies the checksums and compares the values. If the checksums are both correct and the values match, the ClientID value is sent to the backend, otherwise the client application sends an error code.

Abstract: An improved technique of providing computer code to a set of client computers is disclosed. In the improved technique, a set of files is generated, each file in the set of files including computer code configured to be read by an interpreter on each client computer, the computer code in each file including a set of functions, each function in the set of functions having a name, the name of a function in the set of functions in a first file in the set of files differing from the name of a corresponding function in the set of functions in a second file in the set of files, the computer code in the first file and the computer code in the second file being constructed and arranged to produce functionally equivalent sets of computer instructions when run through the interpreter on each client computer.

Abstract: A microprocessor includes an architected register having a bit (may be x86 EFLAGS register reserved bit) set by the microprocessor. A fetch unit fetches encrypted instructions from an instruction cache and decrypts them (via XOR) prior to executing them, in response to the microprocessor setting the bit. The microprocessor saves the bit value to a stack in memory and then clears the bit in response to receiving an interrupt. The fetch unit fetches unencrypted instructions from the instruction cache and executes them without decrypting them after the microprocessor clears the bit. The microprocessor restores the saved value from the stack in memory to the bit in the architected register (and in one embodiment, also restores decryption key values) in response to executing a return from interrupt instruction. The fetch unit resumes fetching and decrypting the encrypted instructions in response to determining that the restored value of the bit is set.

Abstract: A communication system is provided with an information processing device, and a management device capable of updating old data stored in the information processing device by outputting new data to the information processing device. The management device is provided with an old data input device that inputs the old data, a first new data input device that inputs the new data, an encryption device that encrypts the new data by utilizing the old data as a key, and a new data output device that outputs the new data encrypted by the encryption device to the information processing device. The information processing device is provided with an old data storage that stores the old data, a second new data input device that inputs the encrypted new data output by the management device, a decryption device that decrypts the encrypted new data by utilizing the old data as a key, and an updating device that updates the old data stored in the old data storage to the new data decrypted by the decryption device.

Abstract: In one implementation a computer system stores a software program that contains some instructions organized in blocks wherein each block contains a first part with instructions and a second part with an electronic signature or hash value, wherein the computer system includes a security component within the processor that allows the execution of instructions of the first part of a block of data only if the hash value of the data is correct.

Abstract: The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.

Abstract: A system and method for modifying material related to computer software. The system receives an original disclosure for a software system. A masquerading algorithm is applied to the original disclosure to generate a new disclosure. The subject matter of the new disclosure is different from the original disclosure but has the same functionality. The system also receives original source code for the software system and applies a camouflaging algorithm to the original source code to generate modified source code and conversion data for converting between the modified source code and the original source code.

Abstract: A method of operating a User Equipment (UE) for generating a second scrambling code group where the UE is configured for receiving downlink transmission from a Universal Mobile Telecommunications System Terrestrial Radio Access Network (UTRAN) on a set of at least two downlink carriers including an anchor carrier and at least a first secondary carrier includes: determining a first scrambling code group associated with a first cell on the anchor carrier and deriving the second scrambling code group associated with a second cell on said first secondary carrier using a predefined rule defining the relation between the second scrambling code group and the first scrambling code group.

Abstract: A method, system, and apparatus for managing a plurality of cipher processor units. A cipher module may receive a cipher instruction indicating a cipher algorithm to be used. The cipher module may identify a cipher processing unit of the plurality of cipher processing units associated with the cipher algorithm. The cipher module may execute the cipher instruction using the cipher processing unit and the common register array. The cipher module may store a state of a common register array to be used by the cipher processing unit of the plurality of cipher processing units.

Abstract: A fetch unit (a) fetches a block of instruction data from an instruction cache of the microprocessor; (b) performs an XOR on the block with a data entity to generate plain text instruction data; and (c) provides the plain text instruction data to an instruction decode unit. In a first instance the block comprises encrypted instruction data and the data entity is a decryption key. In a second instance the block comprises unencrypted instruction data and the data entity is Boolean zeroes. The time required to perform (a), (b), and (c) is the same in the first and second instances regardless of whether the block is encrypted or unencrypted. A decryption key generator selects first and second keys from a plurality of keys, rotates the first key, and adds/subtracts the rotated first key to/from the second key, all based on portions of the fetch address, to generate the decryption key.

Abstract: A system may include a memory having a unique identifier that uniquely identifies the memory. A package may be communicatively coupled to the memory. The package may include a processor, an identifier storage, and a boot storage. The identifier storage may store the unique identifier from the memory. The boot storage may include instructions to control booting of the processor based on the unique identifier in the identifier storage.

Abstract: A module building system, hosted by a server, receives a user script to be run to monitor software on a client using an introspection tool. The server adds safety constraints to the user script and generates a client kernel module using the user script which includes the safety constraints. The server signs the client kernel module and sends the signed client kernel module to the client. The signed client kernel module allows a user to use the introspection tool to load and execute the client module on the client for monitoring the software on the client.

Abstract: A microprocessor includes a model specific register (MSR) having an address, fuses manufactured with a first predetermined value, and a control register. The microprocessor initially loads the first predetermined value from fuses into the control register. The microprocessor also receives a second predetermined value into the control register from system software of a computer system comprising the microprocessor subsequent to initially loading the first predetermined value into the control register. The microprocessor prohibits access to the MSR by an instruction that provides a first password generated by encrypting a function of the first predetermined value and the MSR address with a secret key manufactured into the first instance of the microprocessor and enables access to the MSR by an instruction that provides a second password generated by encrypting the function of the second predetermined value and the MSR address with the secret key.

Abstract: There is provided a method for selectively protecting one of a plurality of methods of a class of an application written in an object-orientated language, in particular Java, wherein a protected application is created by adding a protection module to the application, analyzing a first method to be protected of a plurality of methods of a first class of the application and determining first parameters needed for executing the first method, generating first gate code depending on the determined first parameters, replacing the first code of the first method by said first gate code and storing the replaced first code such that it can be accessed by the protection module during execution of the protected application, wherein, when the first method is called during execution of the protected application, the first gate code collects first data based on the determined first parameters and transmits the collected first data to the protection module, the protection module accesses the stored first code and generates a

Abstract: Embodiments of apparatus, computer-implemented methods, systems, devices, and computer-readable media are described herein for identifying and encrypting a subset of a plurality of instructions, for execution in a more secure execution environment. In various embodiments, the subset may include a single entry point and a single exit point. In various embodiments, one or more instructions of the plurality of instructions that precede or follow the subset may be executed in a first execution environment with a first security level. In various embodiments, the subset may be executed in a second execution environment with a second security level that is more secure than the first security level.

Abstract: Protection of interpreted programming language code filesystem files from access and alteration may be provided by encrypting a file to be protected in a boot sequence. Run-time examination of a virtual appliance may be deterred by hiding the boot sequence in a restricted virtual appliance platform. No shell or filesystem access may be provided. Thus, permissions on a read-only filesystem (for example) may be kept from being altered. The permissions may be set along with filesystem access control lists to prevent unauthorized examination of the source files.

Abstract: A method for hindering a cold boot attack on a user equipment (UE) is provided. The method includes, in response to detection of the cold boot attack, executing prioritized security procedures. A user equipment (UE) is also provided that includes a processor configured to execute prioritized security procedures responsive to detection of a cold boot attack.

Abstract: In one embodiment, a picture signature password system may use a picture signature password to determine access to a computing device or service. A display screen 172 may display a personalized digital image 310. A user input device 160 may receive a user drawing set executed by a user over the personalized digital image 310. A processor 120 may authenticate access to the user session if the user drawing set matches a library drawing set associated with the user.

Abstract: A digital rights management (“DRM”) system is described that seeks to restrict the use and execution of certain computer program code to those hardware systems or platforms authorized by the provider of the protected software. To this end, certain computer programs (or portions thereof) are provided to authorized users in an encrypted format. When a “protected” program is to be executed, it is retrieved and stored in its encrypted format in operating system memory where it is accessible to operating system level routines (e.g., a file read operation). It is also decrypted and placed in another memory such that only the process executing the protected program has ready access to it.

Abstract: An IC chip, an information processing apparatus, a software module control method, an information processing system, an information processing method, and a program for ensuring security before booting a software module reliably are provided. A reader/writer and a mobile phone terminal to be accessed by the reader/writer through proximity communication are provided. In the mobile phone terminal, a first software module transmits commands to second and third software modules. The first software module manages states of the second and third software modules. If during boot-up of the third software module, the processing of the second software module is started and completed, then the first software module resumes the boot-up of the third software module.

Abstract: The aim of the present invention is to limit the impact of security breaches, which are the emulators of the security module. This aim is reached by a processing unit of audio/video digital conditional access data, encrypted by control words, responsible for processing security messages containing at least one cryptogram relative to a control word and one instruction relative to the control word, characterized in that it includes means to receive at least two micro programs by security messages, executable by the security module, said security module comprising means to store at least two micro programs and means to receive an instruction contained in the security message, for selecting the micro program indicated by the instruction, for executing the said micro program with at least the cryptogram as a parameter of execution, this execution allowing the calculation of the control word to be sent back to the audio/video processing unit.

Abstract: A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations.

Abstract: A branch target address cache (BTAC) caches history information associated with branch and switch key instructions previously executed by a microprocessor. The history information includes a target address and an identifier (index into a register file) for identifying key values associated with each of the previous branch and switch key instructions. A fetch unit receives from the BTAC a prediction that the fetch unit fetched a previous branch and switch key instruction and receives the target address and identifier associated with the fetched branch and switch key instruction. The fetch unit also fetches encrypted instruction data at the associated target address and decrypts (via XOR) the fetched encrypted instruction data based on the key values identified by the identifier, in response to receiving the prediction. If the BTAC predicts correctly, a pipeline flush normally associated with the branch and switch key instruction is avoided.

Abstract: A method, apparatus, and manufacture for debugging and crash logging is provided. A log file is received, where the log file includes encrypted log messages that indicate execution trace of obfuscated code while leaving code locations of corresponding code in the obfuscated code unknown. The encrypted log messages include execution way-point indices. Next, at least a portion of the log file is then decrypted. A debug log viewer is then employed to view the decrypted log file. The debug log viewer includes an execution way-point manifest that correlates each of the execution way-point indices to a corresponding code location.

Abstract: A microprocessor includes a storage element that stores decryption key data and a fetch unit that fetches and decrypts program instructions using a value of the decryption key data stored in the storage element. The fetch unit fetches an instance of a branch and switch key instruction and decrypts it using a first value of the decryption key data stored in the storage element. If the branch is taken, the microprocessor loads the storage element with a second value of the decryption key data for subsequent use by the fetch unit to decrypt an instruction fetched at a target address specified by the branch and switch key instruction. If the branch is not taken, the microprocessor retains the first value of the decryption key data in the storage element for subsequent use by the fetch unit to decrypt an instruction sequentially following the branch and switch key instruction.

Abstract: Software reuse utilizing naive group annotation of incomplete software descriptions. A software code is decimated whereby the software code's attributes, such as variable, class and method names are obfuscated into non-informative forms. The decimated software code is then presented to two or more participants that include at least one naive and one informed participant. The naive participant(s) poses a predetermined number of question(s) to and receive answer(s) from the informed participant(s). After receiving the answer(s) posed to the informed participant(s), the naive participant(s) proceeds to guess the function of the presented decimated software code. The annotations, i.e., questions and answers, to the decimated software code under review are collected and stored in a database.

Abstract: A flexible aes instruction for a general purpose processor is provided that performs aes encryption or decryption using n rounds, where n includes the standard aes set of rounds {10, 12, 14}. A parameter is provided to allow the type of aes round to be selected, that is, whether it is a “last round”. In addition to standard aes, the flexible aes instruction allows an AES-like cipher with 20 rounds to be specified or a “one round” pass.

Abstract: In an embodiment, regarding an addition of a kb-bit number A and a b-bit random number r, element data of a pre-calculated table C? is set based on a sum AH+rH of a value AH of upper b/2 bits of a number A2, which is lower b bits of the number A, and a value rH of upper b/2 bits of the random number r and the sum AL+rL of a value AL of lower b/2 bits of the number A2 and a value rL of lower b/2 bits of the random number r in such a way that presence/absence of carrying-over of A2+r is indicated. Accordingly, the size of the pre-calculated table needed to be reduced for obtaining an addition result of upper (k?1)b bits by mutually adding the kb-bit number A and the b-bit number r.

Abstract: To protect computer programs against security attacks that attempt to corrupt pointers within the address space of the program, the value of a pointer is encrypted each time the pointer is initialized or modified, and then the value is decrypted before use, i.e., each time the pointer is read. Preferably, the encrypting and decrypting steps are effected by instructions generated by a compiler during compilation of the program. One convenient method of implementing the encrypting and decrypting steps is by XOR'ing the pointer with a predetermined encryption key value, which could be specially selected or selected at random.

Abstract: Embodiments of the present invention relate to a separate type mass data encryption/decryption apparatus and an implementing method therefor. The separate type mass data encryption/decryption apparatus includes a microprocessor and a storage unit for storing an encryption/decryption key. The apparatus further includes an external communication interface module connecting to a peripheral data bus for transmitting data between the encryption/decryption apparatus and an external terminal, and said microprocessor is used for encrypting/decrypting data inputted from the external terminal. Embodiments of the present invention can process mass data with higher security and expedience.

Abstract: An apparatus and method for preventing an anomaly of an application program are provided. More particularly, an apparatus and method for preventing an anomaly of an application program that detect and stop an anomaly on the basis of a behavior profile for an application program are provided. The apparatus includes a behavior monitor that detects behavior of an application program in operation, an anomaly detector that determines whether the detected behavior of the application program is an anomaly on the basis of a behavior profile of the application program in operation, and an anomaly stopper that stops the behavior of the application program determined as an anomaly by the anomaly detector.

Abstract: A system is provided for detecting, analyzing and quarantining unwanted files in a network environment. A host agent residing on a computing device in the network environment detects a new file introduced to the computing device and sends the new file to a network service for analysis. The network service is accessible to computing devices in the network environment. An architecture for the network service may include: a request dispatcher configured to receive a candidate file for inspection from a given computing device in the network environment and distribute the candidate file to one or more of a plurality of detection engines, where the detection engines operate in parallel to analyze the candidate file and output a report regarding the candidate file; and a result aggregator configured to receive reports from each of the detection engines regarding the candidate file and aggregates the reports in accordance with an aggregation algorithm.

Abstract: Field programmable gate arrays can be used as a shared programmable co-processor resource in a general purpose computing system. Components of an FPGA are isolated to protect the FPGA and data transferred between the FPGA and other components of the computer system. Transferred data can be digitally signed by the FPGA or other component to provide authentication. Code for programming the FPGA can be encrypted and signed by the author, loaded into the FPGA in an encrypted state, and then decrypted and authenticated by the FPGA itself, before programming the FPGA with the code. This code can be used to change the cryptographic operations performed in the FPGA, including keys, or decryption and encryption algorithms, or both.

Abstract: Field programmable gate arrays can be used as a shared programmable co-processor resource in a general purpose computing system. Components of an FPGA are isolated to protect the FPGA and data transferred between the FPGA and other components of the computer system. For example, data written by the FPGA to memory is encrypted, and is decrypted within the FPGA when read back from memory. Data transferred between the FPGA and other components such as the CPU or GPU, whether directly or through memory, can similarly be encrypted using cryptographic keys known to the communicating components. Transferred data also can be digitally signed by the FPGA or other component to provide authentication. Code for programming the FPGA can be encrypted and signed by the author, loaded into the FPGA in an encrypted state, and then decrypted and authenticated by the FPGA itself, before programming the FPGA with the code.

Abstract: The systems, methods and apparatuses described herein provide a computing environment that manages application specific identification of devices. An apparatus according to the present disclosure may comprise a non-volatile storage storing identifier (ID) base data and a processor. The processor may be configured to validate a certificate of an application being executed on the apparatus. The certificate may contain a code signer ID for a code signer of the application. The processor may further be configured to receive a request for a unique ID of the application, generate the unique ID from the code signer ID and the ID base data and return the generated unique ID.

Abstract: A network switch automatically detects undesired network traffic and mirrors the undesired traffic to a security management device. The security management device determines the source of the undesired traffic and redirects traffic from the source to itself. The security management device also automatically sends a policy to a switch to block traffic from the source.

Abstract: A method for enhancing reliability of data is provided. A computer configured to provide output datum (Ds) from input datum (De), includes at least two data processing modules, and a computing member connected to each module. The method includes computing, with each module, intermediate datum (DIA, DIB) from the input datum (De) calculating, with each module, an intermediate security code (CSIA, CSIB) from the corresponding intermediate datum (DIA, DIB), transmitting to the computing member with each module, the intermediate security code (CSIA, CSIB) and the intermediate datum (DIA, DIB), computing, a security code (CS) from the intermediate security codes (CSIA, CSIB), selecting, an intermediate datum from among the received intermediate data (DIA, DIB) the output datum, (Ds) of the computer including the selected intermediate datum, and transmitting to a receiving device, the security code (CS) and output datum (Ds).

Abstract: Various embodiments described herein relate to apparatus for executing software in a secure computing environment. A secure processor can be used and configured to request a context swap from a first context to a second context when switching execution from a first portion of software to a second portion of software. A context manager, which can be in communication with the secure processor, can be configured to receive and initiate a requested context swap. A trust vector verifier, which can be in communication with the secure processor and the context manager, can be configured to load a trust vector descriptor upon command from a context manager.

Abstract: Implementing a key and a protection circuit in a configurable device. A soft key associated with a protection circuit is combined with a user's electronic design in generating configuration data for download onto the configurable device. The placement and routing of the soft key is pseudo-randomly arranged with respect to the user's electronic design such that its placement and routing on the configurable device is substantially different for binary configuration data that is generated. Hiding the soft key and its connections to the protection circuit and assisting in protecting user electronic designs is achieved.

Abstract: A device stores program code in a plurality of slots in its memory. When a processor of the device receives a call to an encrypted function, it uses a slot table to find the location of the cipher function and the cipher module and the key to decrypt the encrypted module. The encrypted module is decrypted, executed, re-encrypted and moved to a new memory slot. The cipher function used is moved to a further new slot and the slot table is updated. Also provided is a method and a computer program support. The invention can make it more difficult to analyse execution traces of the program code.

Abstract: A system for locating and monitoring electronic devices utilizing a security system that is secretly and transparently embedded within the computer. This security system causes the client computer to periodically and conditionally call a host system to report its serial number via an encoded series of dialed numbers. A host monitoring system receives calls from various clients and determines which calls to accept and which to reject by comparing the decoded client serial numbers with a predefined and updated list of numbers corresponding to reported stolen computers. The host also concurrently obtains the caller ID of the calling client to determine the physical location of the client computer. The caller ID and the serial number are subsequently transmitted to a notifying station in order to facilitate the recovery of the stolen device. The security system remains hidden from the user, and actively resists attempts to disable it.

Abstract: Embodiments herein provide a method, system, etc. for a sovereign information sharing service. More specifically, a method for secure distributed query processing comprises storing data tables from at least one data provider in at least one first computer comprising a sovereign server. Next, encrypted input and output of the data tables is performed between the server and a second computer. Following this, join operations are computed, comprising determining whether arbitrary join predicates yield matches within the data tables; and encrypted results of the join operations are output. The method minimizes possible information leakage from interaction between the server and the second computer by making observations and inferences from patterns of the outputting of the encrypted results.

Abstract: Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A breakout appliance in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. The breakout appliance includes multiple states that support manufacturing, testing, production, tamper detection and end of life, and the functions of the breakout appliance vary according to its state.

Abstract: A method, for use in a processor context, wherein instructions in a program executable are encoded with plural instruction set encodings. A method wherein a control instruction encoded with an instruction set encoding contains information about decoding of an instruction that is encoded with another instruction set encoding scheme. A method wherein instruction set encodings are randomly generated at compile time. A processor framework wherein an instruction is decoded during execution with the help of information provided by a previously decoded control instruction.

Abstract: A method of coding a secret, a numerical value d, subdivided into a number N of secret elements [di]n1, a composition law () applied to the elements di giving the value d. The following are calculated: (A) a first image (TN) of the secret by iterative calculation and application of the law () between the first image Ti-1 of rank i?1 and of the product according to this law of the element (di) of next rank and of a random value (Ri) of a first set, (B) a first numerical value (S1) by application of the law () to the N random values (Ri), (C) a second numerical value (S2) by application of the law to the N?1 random values (Aj) of a second set, (D) a second image T? of the secret by application of the inverse law () to the first image (TN) and to the second numerical value (S2) so as to generate an intermediate image (Tx) and then application of the inverse law to the intermediate image (Tx) and to the second numerical value (S2).

Abstract: In a network, a router uses some secret information combined with a cryptographic process in determination of a subnet's routing prefix. Several methods are disclosed, including using an IP suffix for prefix generation and for decryption, maintaining a pool of pseudo prefixes at the router, using public key encryption and symmetric key encryption.

Abstract: In some applications, it may be more convenient to the user to be able to log in the memory system using one application, and then be able to use different applications to access protected content without having to log in again. In such event, all of the content that the user wishes to access in this manner may be associated with a first account, so that all such content can be accessed via different applications (e.g. music player, email, cellular communication etc.) without having to log in multiple times. Then a different set of authentication information may then be used for logging in to access protected content that is in an account different from the first account, even where the different accounts are for the same user or entity.

Abstract: A method and system for validating access to a group of related elements are described. The elements within the group access a security context associated with a markup domain when a call is made to an element. An authorized call to an element is enabled such that the markup domain is navigated to a new web page. However, an unauthorized call is prevented so that the navigation to the new web page is not permitted. After the markup domain has been navigated, the security context associated with the markup domain is invalidated. A new security context is generated and associated with the markup domain. The elements associated with the web page navigated from are inaccessible after navigation of the markup domain to the new page. The association of the new security context with the markup domain prevents an unauthorized user from accessing any element that references the previous security context.

Abstract: An encryption chip is programmable to process a variety of secret key and public key encryption algorithms. The chip includes a pipeline of processing elements, each of which can process a round within a secret key algorithm. Data is transferred between the processing elements through dual port memories. A central processing unit allows for processing of very wide data words from global memory in single cycle operations. An adder circuit is simplified by using plural relatively small adder circuits with sums and carries looped back in plural cycles. Multiplier circuitry can be shared between the processing elements and the central processor by adapting the smaller processing element multipliers for concatenation as a very wide central processor multiplier.