Abstract: Novel methods of virtualization with unique virtual architectures on field-programmable gate arrays (FPGAs) are provided. A hardware security method can include providing one or more field-programmable gate arrays (FPGAs), and creating an application specialized virtual architecture (or overlay) over the one or more FPGAs (for example, by providing an overlay generator). Unique bitfiles that configure the overlays implemented on the FPGAs can be provided for each deployed FPGA. The application specialized virtual architecture can be constructed using application code, or functions from a domain, to create an overlay represented by one or more hardware description languages (e.g., VHDL).

Abstract: Some embodiments provide a method for a first data compute node (DCN) operating in a public datacenter. The method receives an encryption rule from a centralized network controller. The method determines that the network encryption rule requires encryption of packets between second and third DCNs operating in the public datacenter. The method requests a first key from a secure key storage. Upon receipt of the first key, the method uses the first key and additional parameters to generate second and third keys. The method distributes the second key to the second DCN and the third key to the third DCN in the public datacenter.

Abstract: Systems and methods for improving security in computer-based authentication systems by using physical unclonable functions are presented. A computing device used to provide authentication includes an array of physical unclonable function devices. Rather than storing user passwords or message digests of passwords, the computing device generates a message digest based on a combination of a user ID and corresponding password. This message digest forms part of challenge (together with instructions for responding to the challenge). A challenge response generated by measuring physical parameters of set of physical unclonable function devices specified by the message digest. This allows the computing device to provide authentication without storing information which could be used by an attacker to compromise user credentials.

Abstract: A container corresponding to executable code may be received. In response receiving the container, an assertion value may be stored in an assertion register. A final canary value may be generated based on a cycles combining a prior canary value and a mix value. A determination may be made as to whether the final canary value matches with the assertion value stored in the assertion register. In response to determining that the final canary value matches with the assertion value, one or more privilege registers may be programmed to provide access to hardware resources for the container corresponding to the executable user code.

Abstract: Disclosed embodiments relate to systems and methods for dynamically identifying potential file system privilege escalation and manipulation vulnerabilities. Techniques include monitoring a file system of a computing system; detecting a privileged file operation involving the file system; determining that a target of the path is writable by a non-privileged identity; and determining whether the target of the path is a dynamic link library. If the target of the path is a dynamic link library, techniques may further include creating a semi-malicious dynamic link library. If the target of the path is not a dynamic link library, techniques may further include creating an object manager symbolic link in a protected file.

Abstract: The present disclosure is related to a virtual register file. Source code can be compiled to include references to a virtual register file for data subject to a logical operation. The references can be dereferenced at runtime to obtain physical addresses of memory device elements according to the virtual register file. The logical operation can be performed in the memory device on data stored in the memory device elements.

Abstract: This application discloses a data processing method, system, and apparatus, a storage medium, and a device, and belongs to the field of database technologies. The method includes receiving, a trigger request; triggering, according to the trigger request, the first cloud encryptor to store a root key seed, an operating policy, a data key seed, and a data key identifier, and triggering the database proxy to store an encryption data dictionary, the operating policy indicating an operation policy of the first cloud encryptor. The method further includes receiving a data processing request from the client; sending first data that the data processing request requests to process and the data key identifier in the encryption data dictionary to the first cloud encryptor. The method further includes implementing the operating policy, processing the first data, and responding to the data processing request by using the second data.

Abstract: Zero round trip secure communications is implemented based on noisy secrets with a polynomial secret sharing scheme. A sender identifies two negotiated noisy secrets associated with an encrypted message to send to a receiver system. The sender utilizes a first negotiated noisy secret for sub-key selection, and generates a secret polynomial using Shamir's polynomial-based secret sharing scheme with N positive integer points and a message key as a secret. The sender divides the first negotiated noisy secret into a plurality of sub-keys, and divides a second negotiated noisy secret into test blocks of a length equivalent to a length of a sub-key. The sender utilizes each of the plurality sub-keys for encrypting a corresponding test block along with one unique point of the secret polynomial. Moreover, the sender sends all encrypted test blocks and corresponding encrypted points of the secret polynomial to the receiver with the encrypted message.

Abstract: Embodiments herein describe segmenting a Wi-Fi network into different groups. The embodiments herein assign a user, a client device, or a traffic flow originating from a client device to a group. For example, all the client devices for a particular user can be assigned to the same group tag, or each traffic flow in the client device may be assigned to different groups. Each group corresponds to a group key which can be transmitted to the client device when the device associates to an access point (AP). As such, within the same service set identifier (SSID), there can be multiple groups, and thus, client devices can use different group keys to communicate with other client devices associated to the same SSID. Put differently, rather than all devices connected the same SSID being assigned to the same group, the client devices can be assigned in different groups.

Abstract: An anti-theft protection disablement solution is provided to authorized users and authorized customer service representatives. An anti-theft protection disablement request message from a recovery application on a user device may be received via a cloud messaging service or a binary messaging service. In turn, an anti-theft protection disablement message may be transmitted to the user device via the cloud messaging service or the binary messaging service when the anti-theft protection disablement request message is authenticated. The anti-theft protection disablement message may disable an anti-theft protection function on the user device that calls for an input of an anti-theft protection authentication credential for a factory reset of the user device.

Abstract: A programmable electronic computer embedded in an avionics environment on board an aircraft for implementing at least one critical function and associated electronic device, method and computer program are disclosed. In one aspect, the electronic computer includes at least one control module configured to implement a respective critical function and configured to deliver at least one output data item associated with the critical function, and at least one monitoring module of a control module of another electronic computer. Each monitoring module configured to implement the same respective critical function as the one implemented by the monitored control module.

Abstract: A device comprising a physical support and an electronic chip supported by the support and comprising a memory module and a processor configured to implement a computer program configured to produce a result from data. The device further comprises a display module configured to display the result and a radio antenna configured to receive at least one electromagnetic signal configured to electrically supply the display module. The data comprises at least one item of static data, stored in a non-transient memory and an item of dynamic data, circulating in a transient memory. The dynamic data is received by the device through the at least one electromagnetic signal and the at least one electromagnetic signal is received by the device from at least one communication device.

Abstract: A method for decoding a video according to the present invention may comprise: determining whether to divide a current block with quad tree partitioning, and dividing the current block into four partitions based on a vertical line and a horizontal line when it is determined that the current block is divided with the quad tree partitioning.

Abstract: Embodiments described herein enable the interoperability between processes configured for pointer authentication and processes that are not configured for pointer authentication. Enabling the interoperability between such processes enables essential libraries, such as system libraries, to be compiled with pointer authentication, while enabling those libraries to still be used by processes that have not yet been compiled or configured to use pointer authentication.

Abstract: Zero round trip secure communications is implemented based on two noisy secrets. A sender system: calculates a required number of sub-keys to have at least one noiseless sub-key; for each first negotiated secret sub-key, uses the sub-key to encrypt a first half of a message key and test bytes, and adds the encrypted first half of the message key and the encrypted test bytes to the encrypted message; for each second negotiated secret sub-key, uses the sub-key to encrypt a second half of the message key and the test bytes, and adds the encrypted second half of the message key and the encrypted test bytes to the encrypted message; and sends the encrypted message, message MAC information, encrypted first halves of the message key with associated encrypted test bytes, and encrypted second halves of the message key with associated encrypted test bytes to a receiver.

Abstract: Methods, systems, and media for determining application permissions are provided. In some embodiments, the method comprises: receiving a description of an application to be installed on a user device and a group of permissions required by the application; identifying a subset of words in the description of the application; determining an expected group of permissions based on the subset of words; comparing the group of permissions required by the application and the expected group of permissions; determining a privacy score associated with the application based on the comparison of the group of permissions required by the application and the expected group of permissions; and causing the application to be installed on the user device based on the privacy score associated with the application.

Abstract: A method of payment using rewards points includes receiving authentication data and a payment amount from a customer's mobile device, determining an amount of rewards points available to fund the payment amount in a rewards account associated with the customer, and sending selectable payment options to the mobile device. The selectable payment options include an option to redeem a portion of the rewards points amount to fund a portion of the payment amount. The method also includes receiving a customer selection of at least one of the selectable payment options from the mobile device and sending a form of payment for the payment amount from the account management system at the mobile device. The form of payment is configured for presentation to a point of sale device.

Abstract: Anti-fault injection systems and methods are disclosed. An anti-fault injection system includes a processor; a boot ROM configured to store a series of boot instructions executable by the processor; and anti-fault injection controller circuitry. The anti-fault injection controller circuitry is accessible to the processor while the processor is executing the boot instructions. The anti-fault injection controller circuitry includes interrupt/reset circuitry configured to interrupt the processor in response to a trigger and secure boot circuitry. The secure boot circuitry is configured to, in response to being accessed by the processor: determine whether the processor is executing non-secure boot instructions in error; and in response to detecting that the processor is executing non-secure boot instructions in error, provide the trigger to the interrupt/reset circuitry.

Abstract: The concepts, systems and methods described herein are directed towards a method running on a security device. The method is provided to including: executing a first secure boot code from a first memory by one of a plurality of cores of a processor, wherein the plurality of cores runs in a secure world; executing a first-stage boot loader (FSBL) from a second memory; executing a security monitoring application to validate the security device; in response to the security device being validated, switching some of the plurality of cores from the secure world to a normal world, wherein at least one of the plurality of cores remains in the secure world to communicate with the security monitoring application; executing a second-stage boot loader (SSBL); and monitoring, via the security monitoring application, status of the security device and communications between the security device and at least one external system.

Abstract: An example method of authenticating software executing in a computer system includes verifying first software executing on the computer system, the software including a hypervisor, verifying second software executing in a virtual machine (VM) managed by the hypervisor, generating a binding key having public and private portions, signing an object to identifies the VM using the private portion of the binding key, and verifying a signature of the object using a public portion of the binding key.

Abstract: A method for virtualizing of software applications. The method comprises initializing a virtual environment created by a virtual engine executed over a computer; creating a new data file; launching an installation process of a software application to be virtualized, wherein the installation process runs in the virtual environment; during the installation process, capturing data writes to a file system of the computer's operating system; and saving the data writes to the new data file.

Abstract: A method is provided for generating an encrypted database. The method includes: receiving a plaintext database having plaintext data entries therein; and generating an encrypted database using the plaintext database, the encrypted database including encrypted data entries therein. The encrypted database is configured to support at least one form of conditional query such that the at least one form of conditional query returns a correct encrypted result when the query is computed on the encrypted data entries without the decryption thereof.

Abstract: A secure engine method includes providing an embedded microcontroller in an embedded device, the embedded microcontroller having internal memory. The method also includes providing a secure environment in the internal memory. The secure environment method recognizes a boot sequence and restricts user-level access to the secure environment by taking control over the secure environment memory. Taking such control may include disabling DMA controllers, configuring at least one memory controller for access to the secure environment, preventing the execution of instructions fetched from outside the secure environment, and only permitting execution of instructions fetched from within the secure environment. Secure engine program instructions are then executed to disable interrupts, perform at least one secure operation, and re-enable interrupts after performing the at least one secure operation.

Abstract: Instructions and logic provide for a Single Instruction Multiple Data (SIMD) SM4 round slice operation. Embodiments of an instruction specify a first and a second source data operand set, and substitution function indicators, e.g. in an immediate operand. Embodiments of a processor may include encryption units, responsive to the first instruction, to: perform a slice of SM4-round exchanges on a portion of the first source data operand set with a corresponding keys from the second source data operand set in response to a substitution function indicator that indicates a first substitution function, perform a slice of SM4 key generations using another portion of the first source data operand set with corresponding constants from the second source data operand set in response to a substitution function indicator that indicates a second substitution function, and store a set of result elements of the first instruction in a SIMD destination register.

Abstract: A method, computer program product, and computer system are provided. A processor receives an executable file for execution by an operating system, where the executable file includes a plurality of sections in a first order. A processor determines a second order that indicates a loading order for the plurality of sections, where the second order is distinct from the first order. A processor loads the plurality of sections of the executable file into a plurality of locations in memory of a device based on the second order. A processor resolves one or more memory references for the plurality of sections based on the plurality of locations in memory. A processor executes the plurality of sections of the executable file in the plurality of locations in memory.

Abstract: A method of operating a memory system includes setting a secured area in a volatile memory device of the memory system during a secure mode, writing secure data in the secured area during the secure mode, and when a write command for the secured area is inputted in a normal operation mode, preventing a write operation from occurring and generating an error signal. Accordingly, the secured area is set in the volatile memory device so that the hacking and the data forgery may be prevented.

Abstract: Technologies for providing secure utilization of tenant keys include a compute device. The compute device includes circuitry configured to obtain a tenant key. The circuitry is also configured to receive encrypted data associated with a tenant. The encrypted data defines an encrypted image that is executable by the compute device to perform a workload on behalf of the tenant in a virtualized environment. Further, the circuitry is configured to utilize the tenant key to decrypt the encrypted data and execute the workload without exposing the tenant key to a memory that is accessible to another workload associated with another tenant.

Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for processing blockchain data under a trusted execution environment (TEE). One of the methods includes receiving, by a blockchain node, a request to execute one or more software instructions in a TEE executing on the blockchain node; determining, by a virtual machine in the TEE, data associated with one or more blockchain accounts to execute the one or more software instructions based on the request; traversing, by the virtual machine, an internal cache hash table stored in the TEE to determine whether the data are included in the internal cache hash table; and in response to determining that the data is included in the internal cache hash table, executing, by the virtual machine, the one or more software instructions by retrieving the data from the internal cache hash table.

Abstract: Various embodiments are generally directed to techniques for enclave confidentiality management, such as for protecting cross enclave confidentiality on servers, for instance. Some embodiments are particularly directed to a computing platform including hardware and/or instruction set architecture (ISA) extensions that ensure enclaves cannot access confidential data of other enclaves. For example, key programming ISA extensions and/or hardware changes to the page miss handler (PMH) may ensure that the key uniquely associated with an enclave is used for its memory accesses.

Abstract: Non-limiting examples of the present disclosure describe processing operations that achieve file consistency in the presence of a large-scale collaboration service. A mismatch may be determined between hash values associated with two or more versions of a file that is associated with a tenant of a productivity service. Version vector data for different versions of the file may be evaluated. Version vector data may comprise: a session value indicating a session of the productivity service and a version value that indicates a number of changes made by the tenant during the session. A synchronization determination is generated based on an evaluation of the version vector data for the different versions of the file.

Abstract: The disclosed technology is generally directed to secure transactions. In one example of the technology, an enclave pool is formed. The enclave pool may include a plurality of enclaves that are secure execution environments. In some examples, forming the enclave pool includes registering the enclaves of the enclave pool. A request to allocate an enclave from the enclave pool may be received. An enclave may be fetched from the enclave pool responsive to the request to assign the enclave. Cryptlet code is executed in the fetched enclave such that a payload is generated in the enclave. The payload can be digitally signed and/or encrypted by the cryptlet, and can also be digitally signed by the enclave. The fetched enclave may be deallocated.

Abstract: The present invention provides methods for executing a private computer program on untrusted computers. The present invention also provides for products produced by the methods of the present invention and for apparatuses used to perform the methods of the present invention.

Abstract: Embodiment of this disclosure provide techniques to support full memory paging between different trust domains (TDs) in compute system without losing any of the security properties, such as tamper resistant/detection and confidentiality, on a per TD basis. In one embodiment, a processing device including a memory controller and a memory paging circuit operatively coupled to the memory controller is provided. The memory paging circuit is to evict a memory page associated with a trust domain (TD) executed by the processing device. A binding of the memory page to a first memory location of the TD is removed. A transportable page that includes encrypted contents of the memory page is created. Thereupon, the memory page is provided to a second memory location.

Abstract: Methods and apparatus for extending packet processing to trusted programmable and fixed-function accelerators. Secure enclaves are created in system memory of a compute platform, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The compute platform further includes one or more hardware-based accelerators that are used by the software to offload packet processing operations. The accelerators are configured to read packet data from input queues, process the data, and output processed data to output queues, wherein the input and output queues are located in encrypted portions of memory that may be in a secure enclave or external to the secure enclaves.

Abstract: Secure memory repartitioning technologies are described. Embodiments of the disclosure may include a processing device including a processing core and a memory controller coupled between the processor core and a memory device. The memory device includes a memory range including a section of convertible pages that are convertible to secure pages or non-secure pages. The processor core is to receive a non-secure access request to a page in the memory device, responsive to a determination, based on one or more secure state bits in one or more secure state bit arrays, that the page is a secure page, insert an abort page address into a translation lookaside buffer, and responsive to a determination, based on the one or more secure state bits in the one or more secure state bit arrays, that the page is a non-secure page, insert the page into the translation lookaside buffer.

Abstract: A method for implementing a pseudo-random function (PRF) using a white-box implementation of a cryptographic function in N rounds, including: receiving an input to the PRF; receiving a cryptographic key in a first round; encrypting, using the white-box implementation of the cryptographic function and the cryptographic key, an input message that is one of M possible input messages based upon a portion of the input to produce a first output; for each succeeding round: encrypting, using the white-box implementation of the cryptographic function and an ith cryptographic key, further input messages that are one of M possible input messages based upon a further portion of the input to produce an ith output, wherein the ith cryptographic key is the output from the preceding round, wherein the white-box implementation of the cryptographic function only produces a correct output for the M possible input messages and produces an incorrect output for input messages that are not one of the M possible input messages.

Abstract: A method includes generating a root key pair including a public key and a private key, generating metadata for keys associated with a tenant, wherein the metadata includes a key tag, a key version, and a tenant identifier, deriving a tenant key from the root key pair and the metadata, and outputting the tenant key.

Abstract: A field programmable gate array (FPGA) including a root of trust architecture. The architecture includes a system controller providing system control commands for the architecture and a cryptography processor for performing a hash or key operation for authentication of controller-embedded software and attestation of correct firmware in external system resources. The architecture also includes a lock-step fault-tolerant processor being responsive to messages from the system controller, and including a plurality of soft lock-step cores. Each soft core including separate memory and resources and operating on the same input, where each soft core provides output messages that are analyzed by a logic in the fault-tolerant processor that selects one of the messages to be output to the cryptography processor.

Abstract: Instructions and logic provide SIMD SM3 cryptographic hashing functionality. Some embodiments include a processor comprising: a decoder to decode instructions for a SIMD SM3 message expansion, specifying first and second source data operand sets, and an expansion extent. Processor execution units, responsive to the instruction, perform a number of SM3 message expansions, from the first and second source data operand sets, determined by the specified expansion extent and store the result into a SIMD destination register. Some embodiments also execute instructions for a SIMD SM3 hash round-slice portion of the hashing algorithm, from an intermediate hash value input, a source data set, and a round constant set. Processor execution units perform a set of SM3 hashing round iterations upon the source data set, applying the intermediate hash value input and the round constant set, and store a new hash value result in a SIMD destination register.

Abstract: Example embodiments disclosed herein relate to generating a point-wise protection based on dynamic security analysis. Vulnerability solution recommendation are provided based on the dynamic security analysis. A point-wise protection is generated based on a selection of the vulnerability solution recommendation.

Abstract: Present disclosure provides the system and method for protecting the control-flow of a computer program against manipulation and leak of code pointers during program execution. The system includes a memory that a computer program is loaded onto and a processor which executes the computer program for protecting the control-flow of a program against manipulation and leak of code pointers during program execution. The method includes providing a shadow stack for each process and thread of the computer program in a thread local storage (TLS). Each code pointer is encrypted with the corresponding encryption key, the pair with a global key is encrypted, and reencryption of the code pointer at runtime is performed.

Abstract: Computer systems, devices, and associated methods of evaluating an expression comprising restricted data are disclosed herein. In one embodiment, a method includes receiving a database statement from a client application and verifying the authenticity of the database statement. If the database statement is authentic, an approved expression is identified in the database statement for creating an evaluation rule. The method further includes restricting evaluation of expressions in a protected computing environment according to the created evaluation rule.

Abstract: Techniques for field-programmable gate array (FPGA) virtualization are described herein. In one or more implementations, an FPGA virtualization manager of a host device receives a request from a virtual machine for a device, such as for a compression engine. The FPGA virtualization manager identifies an FPGA program associated with the request and configured to program FPGAs of the host as the requested device. The FPGA virtualization manager also checks the FPGA program against security policies of the host to determine whether to allow the FPGA program to program the FPGAs. If the programming is allowed, the FPGA virtualization manager allocates at least a portion of the FPGAs to the requested device and loads the FPGA program to program the allocated portion of FPGAs. The FPGA virtualization manager generates a virtual device to furnish the functionality of the programmed device to the requesting virtual machine.

Abstract: A microservice infrastructure that securely maintains the currency of computing platform microservices implemented within a process virtual machine is provided. The computing platform microservices maintained by the infrastructure may include protected methods that provide and control access to components of the underlying computing environment. These components may include, for example, storage devices, peripherals, and network interfaces. By providing a software-defined microservice layer between these hardware components and workflows that specify high-level application logic, the embodiments disclosed herein have enhanced flexibility and scalability when compared to conventional technology.

Abstract: An electronic generation device arranged to generate parameters for digital obfuscated arithmetic including a prime number unit arranged to generate a prime modulus (p) and a base element unit arranged to generate a prime modulus and a base element such that each ring-element modulo the prime modulus may be expressed as a difference between two powers of the potential base element.

Abstract: Methods and apparatus for implemented trusted packet processing for multi-domain separatization and security. Secure enclaves are created in system memory of a compute platform configured to support a virtualized execution environment including a plurality of virtual machines (VMs) or containers, each secure enclave occupying a respective protected portion of the system memory, wherein software code external from a secure enclave cannot access code or data within a secure enclave, and software code in a secure enclave can access code and data both within the secure enclave and external to the secure enclave. Software code for implementing packet processing operations is installed in the secure enclaves. The software in the secure enclaves is then executed to perform the packet processing operations.

Abstract: Examples relate to in-memory attack prevention. The examples disclosed herein enable obtaining, in response to a first boot command, a first encryption key generated based on a randomization process. The examples further enable determining whether first information of a page table indicates that a memory page is intended to be secure, the page table storing mapping between a virtual address of the memory page and a physical address of the memory page. In response to determining that the first information indicates that the memory page is intended to be secure, the examples further enable determining whether second information of the page table indicates that the memory page is encrypted. In response to determining that the second information indicates that the memory page is not encrypted, the examples further enable encrypting the memory page in a physical memory using the first encryption key.

Abstract: Technique and systems for detecting network intrusion are described. Each device in a plurality of devices in the network can generate an integrity report by: (1) measuring a first set of execution parameter values during an execution of a portion of a software image at the device, (2) comparing the first set of execution parameter values with a second set of execution parameter values associated with executing the portion of the software image at a secure instance of the device, and (3) generating the integrity report based on said comparing. Next, the integrity reports can be collected, and network intrusions can be detected based on the integrity reports by using statistical and pattern recognition techniques including but not limited to neural nets implementing crossover and backpropagation, and classifiers including but not limited to cluster analysis, correlation and regression, factor analysis.

Abstract: An apparatus and method for efficient guest EPT manipulation. For example, one embodiment of a apparatus comprises: a hypervisor to create extended page table (EPT) mappings between a guest physical address (GPA) space and a host physical address (HPA) space; the hypervisor to create an EPT edit table and populate the EPT edit table with information related to permitted mappings between the GPA space and HPA space; a guest to read the EPT edit table to determine information related to the permitted mappings between the GPA space and HPA space, the guest to use the information to map one or more pages in the GPA space to one or more pages in the HPA space.

Abstract: Subject matter disclosed herein relates to techniques to read memory in a continuous fashion.