Computer Instruction/address Encryption Patents (Class 713/190)
  • Patent number: 10176333
    Abstract: An electronic device comprising: a memory; and at least one processor configured to: install an application by using an installation file associated with the application; grant at least one permission to the application based on a permission setting token that is included in the installation file; and store, in a database, an indication that the application is granted the permission.
    Type: Grant
    Filed: September 18, 2015
    Date of Patent: January 8, 2019
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Myeong Jin Oh, Ju Ha Park, Michael Pak, Sung Kyu Cho
  • Patent number: 10172168
    Abstract: The present invention relates to an IoT (Internet of Things) device, a mobile terminal, a method of pairing the IoT device using the mobile terminal, and a control method. According to one embodiment of the present invention, the method includes the steps of, when an IoT device contacted with at least one side of the mobile terminal is recognized, generating a vibration using a designated vibration pattern, receiving vibration pattern information from the IoT device, and when the received vibration pattern information is identical to the designated vibration pattern, performing pairing with the IoT device. According to the embodiments of the present invention, a user can intuitively perform pairing between the mobile terminal and the IoT device through the pairing method between the mobile terminal and the IoT device.
    Type: Grant
    Filed: February 3, 2017
    Date of Patent: January 1, 2019
    Assignee: LG ELECTRONICS INC.
    Inventors: Younkyung Jang, Cheol Choi, Chamo Je, Sungjun Park
  • Patent number: 10171432
    Abstract: Systems, methods, and non-transitory computer-readable medium are provided to secure data centers and cloud computing. A method receives network identifiers for functions, requests a network key for each function, allocates network interfaces, requests a virtual network interface controller allocation, requests a network key for each cloud function, receives storage identifiers for functions, requests a storage key for each cloud function, allocates virtual storage disks, requests a storage interface controller allocation, requests a storage key for each cloud function. Methods secure migration of a virtual machine from a source to a target server. A server includes multiple cores where each core is dedicated to a compute function and a unique key encrypts data of each compute function. A non-transitory computer-readable medium encodes programs that execute the above methods.
    Type: Grant
    Filed: December 4, 2017
    Date of Patent: January 1, 2019
    Inventor: Ari Birger
  • Patent number: 10158484
    Abstract: Instructions and logic provide for a Single Instruction Multiple Data (SIMD) SM4 round slice operation. Embodiments of an instruction specify a first and a second source data operand set, and substitution function indicators, e.g. in an immediate operand. Embodiments of a processor may include encryption units, responsive to the first instruction, to: perform a slice of SM4-round exchanges on a portion of the first source data operand set with corresponding keys from the second source data operand set in response to a substitution function indicator that indicates a first substitution function, perform a slice of SM4 key generations using another portion of the first source data operand set with corresponding constants from the second source data operand set in response to a substitution function indicator that indicates a second substitution function, and store a set of result elements of the first instruction in a SIMD destination register.
    Type: Grant
    Filed: October 10, 2016
    Date of Patent: December 18, 2018
    Assignee: Intel Corporation
    Inventors: Sean M. Gulley, Gilbert M. Wolrich, Vinodh Gopal, Kirk S. Yap, Wajdi K. Feghali
  • Patent number: 10146571
    Abstract: Techniques are described for providing processor-based dedicated fixed function hardware to perform runtime integrity measurements for detecting attacks on system supervisory software, such as a hypervisor or native Operating System (OS). The dedicated fixed function hardware is provided with memory addresses of the system supervisory software for monitoring. After obtaining the memory addresses and other information required to facilitate integrity monitoring, the dedicated fixed function hardware activates a lock-out to prevent reception of any additional information, such as information from a corrupted version of the system supervisory software. The dedicated fixed function hardware then automatically performs periodic integrity measurements of the system supervisory software. Upon detection of an integrity failure, the dedicated fixed function hardware uses out-of-band signaling to report that an integrity failure has occurred.
    Type: Grant
    Filed: June 7, 2016
    Date of Patent: December 4, 2018
    Assignee: Intel Corporation
    Inventors: Radhakrishna R K Hiremane, Anil S. Keshavamurthy
  • Patent number: 10140437
    Abstract: A method of obscuring software code including a data array and a plurality of operations, including: identifying, by a processor, a data array with an index to be obscured and an operation using the data array; permutating the identified data array using a permutating function; and replacing the identified operation using the permutated data array and equivalent encoded permutation function.
    Type: Grant
    Filed: July 31, 2015
    Date of Patent: November 27, 2018
    Assignee: NXP B.V.
    Inventors: Jan Hoogerbrugge, Wil Michiels
  • Patent number: 10102370
    Abstract: Techniques to enable scalable cryptographically protected memory using on-chip memory are described. In one embodiment, an apparatus may comprise a processor component implemented on a first integrated circuit, an on-chip memory component implemented on the first integrated circuit, the on-chip memory component to include a memory page handler to manage memory pages stored on the on-chip memory component, and a cryptographic engine to encrypt and decrypt memory pages for the memory page handler, and an off-chip memory component implemented on a second integrated circuit coupled to the first integrated circuit, the off-chip memory component to store encrypted memory pages evicted from the on-chip memory component. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 21, 2015
    Date of Patent: October 16, 2018
    Assignee: INTEL CORPORATION
    Inventors: Alpa Narendra Trivedi, Siddhartha Chhabra, David Durham
  • Patent number: 10025924
    Abstract: A system for managing Containers, including a hardware node running an OS; a multi-tenant application on the node; and a plurality of Containers under the OS. A process of the multi-tenant application uses only one Container at a time. Remaining Containers available to the process are taskless Containers. An arbiter controls permissions for the process to switch from one Container to another Container. The arbiter defines trusted and untrusted execution contexts. Code of the process executing in the untrusted context is not permitted to switch Containers, and the code of the process executing in the trusted context is permitted to switch Containers. The arbiter detects attempts to switch Containers, and prevents them when executing untrusted code. Upon a request to the multi-tenant application, the arbiter switches the process that will process the user request to one of the taskless Containers and executes the request in the untrusted context.
    Type: Grant
    Filed: August 26, 2016
    Date of Patent: July 17, 2018
    Assignee: Parallels IP Holdings GmbH
    Inventors: Andrey Vagin, Alexey Kobets
  • Patent number: 10020932
    Abstract: A device for performing a mapping of an input message to an output message by a keyed cryptographic operation, wherein the keyed cryptographic operation includes a plurality of rounds. To protect against differential fault analysis attacks, the cryptographic operation is modified to apply a secret sharing approach to one of the rounds. Also, a portion of the computations are split into first and second shares, where the first share uses a first weight and the second share uses a second weight. The final operations are again merged into a single matrix multiplication. Cryptographic operations that have a substitution function and an affine transformation can be protected in this way.
    Type: Grant
    Filed: November 13, 2015
    Date of Patent: July 10, 2018
    Assignee: NXP B.V.
    Inventor: Wilhelmus Petrus Adrianus Johannus Michiels
  • Patent number: 10009172
    Abstract: A method of an aspect includes receiving an instruction. The instruction indicates a first source of a first packed data including state data elements ai, bi, ei, and fi for a current round (i) of a secure hash algorithm 2 (SHA2) hash algorithm. The instruction indicates a second source of a second packed data. The first packed data has a width in bits that is less than a combined width in bits of eight state data elements ai, bi, ci, di, ei, fi, gi, hi of the SHA2 hash algorithm. The method also includes storing a result in a destination indicated by the instruction in response to the instruction. The result includes updated state data elements ai+, bi+, ei+, and fi+ that have been updated from the corresponding state data elements ai, bi, ei, and fi by at least one round of the SHA2 hash algorithm.
    Type: Grant
    Filed: January 9, 2017
    Date of Patent: June 26, 2018
    Assignee: Intel Corporation
    Inventors: Gilbert M. Wolrich, Kirk S. Yap, Vinodh Gopal, James D. Guilford
  • Patent number: 9984327
    Abstract: A method and system for performing a graph search, includes constructing an abstract representation of the graph using state-space abstraction. The abstract representation of the graph includes one or more abstract nodes having duplicate detection scopes and one or more abstract edges having operator groups. The duplicate detection scopes of the abstract nodes are partitioned into smaller duplicate detection scopes using edge partitioning. The abstract edges include the smaller duplicate detection scopes. Nodes in the current search layer are expanded using the operator groups of outgoing abstract edges of the abstract nodes the nodes map to. The operator groups associated with abstract edges having disjoint duplicate detection scopes are used to expand the nodes in parallel. Once all the operator groups in the current search layer have been used for node expansion the method progresses to the next search layer.
    Type: Grant
    Filed: July 23, 2010
    Date of Patent: May 29, 2018
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Rong Zhou, Tim Schmidt, Minh Binh Do, Serdar Uckun
  • Patent number: 9986428
    Abstract: The disclosure is related to a machine to machine (M2M) device and a security management method thereof. The M2M device includes an identification circuit. The identification circuit may be configured to encrypt data collected from a sensor with a device identification (ID) of the M2M device and at least one subscriber ID of the identification circuit and to generate a data packet in a predetermined communication standard format by including the encrypted data in a payload of the data packet.
    Type: Grant
    Filed: April 27, 2016
    Date of Patent: May 29, 2018
    Assignee: KT CORPORATION
    Inventors: Young-Bin Cho, Sung-Chul Kim, Jin-Hyoung Lee, Youn-Pil Jeung
  • Patent number: 9979784
    Abstract: A method for backing cloud data up and a method for recovering cloud data are provided. A cloud server and a client device are connected to a cloud network. The method for backing cloud data up includes: using the client device to obtain an installed application list and to show the installed application list; using the client device to choose an application in the application list; using the client device to obtain an access path where the backup of the application data file in the client device is and to transmit the access path and a backup of the application data file to the cloud server; and using the cloud server to save the access path and the corresponding backup of the application data file. By using the present inventive method, any user's chosen data can be shared among the cloud server and the client device.
    Type: Grant
    Filed: January 20, 2015
    Date of Patent: May 22, 2018
    Assignee: HUIZHOU TCL MOBILE COMMUNICATION CO., LTD.
    Inventors: Hanlin Guo, Xi Li
  • Patent number: 9965401
    Abstract: A method of obfuscating a code is provided, wherein the method comprises performing a first level obfuscating technique on a code to generate a first obfuscated code, and performing a second level obfuscating technique on the first obfuscated code. In particular, the code may be a software code or a software module. Furthermore, the first level obfuscating technique and the second obfuscating may be different. In particular, the second level obfuscating technique may perform a deobfuscation.
    Type: Grant
    Filed: October 8, 2016
    Date of Patent: May 8, 2018
    Assignee: NXP B.V.
    Inventors: Philippe Teuwen, Ventzislav Nikov
  • Patent number: 9928361
    Abstract: Roughly described, a method of restricting access of a debug controller to debug architecture on an integrated circuit chip, the debug architecture comprising an access controller, a plurality of peripheral circuits, and a shared hub, the shared hub being accessible by the access controller and the plurality of peripheral circuits, the method comprising: at the access controller, authenticating the debug controller; at the access controller, following authentication, assigning to the debug controller a set of access rights, the set of access rights granting the debug controller partial access to the debug architecture; and after assigning the set of access rights, allowing the debug controller access to the debug architecture as allowed by the set of access rights.
    Type: Grant
    Filed: June 8, 2017
    Date of Patent: March 27, 2018
    Assignee: UltraSoC Technologies Ltd.
    Inventors: Andrew Brian Thomas Hopkins, Arnab Banerjee, Stephen John Barlow, Klaus Dieter McDonald-Maier
  • Patent number: 9910996
    Abstract: Mass storage devices and methods for securely storing data are disclosed. The mass storage device includes a communication interface for communicating with a connected host computer, a mass-memory storage component for storing data, a secure key storage component adapted to securely store at least one master secret, and an encryption-decryption component different from the secure key storage component and connected to the secure key storage component and the mass-memory storage component. The encryption-decryption component may be adapted to encrypt data received from the host computer using an encryption algorithm and at least one encryption key and to write the encrypted data into the mass-memory storage component.
    Type: Grant
    Filed: June 16, 2011
    Date of Patent: March 6, 2018
    Assignee: Vasco Data Security, Inc.
    Inventor: Harm Braams
  • Patent number: 9886577
    Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identify regions of code to be monitored, probe and lock code pages that include the identified regions of code, and remap the code pages as execute only to assist with the mitigation of malicious invocation of sensitive code. The code pages can be remapped as execute only in an alternate extended page table view to allow for the detection and mitigation of malicious invocation of sensitive code.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: February 6, 2018
    Assignee: McAfee, LLC
    Inventors: Ravi Sahita, Lu Deng, Vedvyas Shanbhogue, Lixin Lu, Alexander Shepsen, Igor Tatourian
  • Patent number: 9864856
    Abstract: A data communication system comprises a Network Interface Card (NIC), Central Processing Unit (CPU), and Data Memory Buffer (DMB) to efficiently verify hardware-trust. The NIC, CPU, and DMB execute boot-up software, and in response, the NIC, CPU, and DMB execute hardware-trust software to assert control over their Application Programming Interfaces (APIs). The NIC, CPU, and DMB receive and hash hardware-trust data with their physically-embedded hardware-trust codes to generate hardware-trust results. The NIC, CPU, and DMB transfer their hardware-trust results for hardware-trust validation. The CPU may execute Network Function Virtualization Virtual Network Functions (NFV VNFs) for Software Defined Networks (SDNs).
    Type: Grant
    Filed: May 2, 2017
    Date of Patent: January 9, 2018
    Assignee: Sprint Communications Company L.P.
    Inventors: Ronald R. Marquardt, Lyle Walter Paczkowski, Arun Rajagopal
  • Patent number: 9781163
    Abstract: Trust characteristics attributable to components associated with a disaggregated infrastructure environment are obtained. A trust policy of an application to be hosted in the disaggregated infrastructure environment is obtained. The trust characteristics are compared to the trust policy. One or more of the components associated with the disaggregated infrastructure environment are selected based on the comparison step. A compute node is formed from the selected components.
    Type: Grant
    Filed: June 23, 2015
    Date of Patent: October 3, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Stephen Todd, Kenneth Durazzo
  • Patent number: 9772845
    Abstract: A processor includes a plurality of registers, an instruction decoder to receive an instruction to process a KECCAK state cube of data representing a KECCAK state of a KECCAK hash algorithm, to partition the KECCAK state cube into a plurality of subcubes, and to store the subcubes in the plurality of registers, respectively, and an execution unit coupled to the instruction decoder to perform the KECCAK hash algorithm on the plurality of subcubes respectively stored in the plurality of registers in a vector manner.
    Type: Grant
    Filed: December 13, 2011
    Date of Patent: September 26, 2017
    Assignee: Intel Corporation
    Inventors: Kirk S. Yap, Gilbert M. Wolrich, James D. Guilford, Vinodh Gopal, Erdinc Ozturk, Sean M. Gulley, Wajdi K. Feghali, Martin G. Dixon
  • Patent number: 9760693
    Abstract: An apparatus for providing an improved content protecting and packaging system for protecting content may include an extractor for extracting a content package into a plurality of content segments including a first portion and a second portion. An enveloper may envelop each of the content segments in the first portion separately to thereby create one or more protected content segments. Further, a packager may package the protected content segments with the second portion of the content segments into a protected content package, which may then be uploaded to a distributor for distribution to user terminals. A corresponding method and computer program product are also provided.
    Type: Grant
    Filed: December 30, 2010
    Date of Patent: September 12, 2017
    Assignee: Nokia Technologies Oy
    Inventors: Mustafa Iihan Gurel, Janne Sakari Mantyla, Sami Petteri Lehtisaari, Tommi Sakari Von Hertzen, Juhani Makela, Markku Kylanpaa, Markku Savela, Kimmo Surakka, Bartlomiej Piotr Jozwiak, Elena Gillet
  • Patent number: 9753863
    Abstract: A method includes, in various implementations, regulating a memory region for execute-only access, storing a set of instructions in the memory region, executing an early instruction among the set of instructions, and executing a set of subsequent instructions among the instructions. The early instruction loads a secret value into a volatile register. A correct execution of the subsequent instructions depends on the secret value being loaded into the volatile register. A system includes, in various implementations, a memory and a processor with one or more volatile registers. The processor regulates access to portions of the memory. The processor can load a secret value into the volatile register in response to executing a program stored in an execute-only portion of the memory. The processor is configured to lose, in response to an asynchronous event, information loaded in the volatile registers.
    Type: Grant
    Filed: December 27, 2014
    Date of Patent: September 5, 2017
    Assignee: Intel Corporation
    Inventors: Rekha N. Bachwani, Ravi L. Sahita, David M. Durham
  • Patent number: 9740507
    Abstract: Virtual desktops generated by a virtual desktop application locally executing on a tablet computing device, can further display remote applications. The tablet computing device executes an operating system that does not contemplate a mouse pointer and that displays a native desktop. In many instances, the virtual desktop is displayed on the tablet computing device such that the virtual desktop appears to be the native desktop. The virtual desktops therefore include a mouse pointer which can be used to interact with the remote applications. The remote applications generate graphical application output when they execute on a remote server. The graphical application output is transmitted to the tablet computing device and displayed in an application output window displayed within the virtual desktop. Using a virtual trackpad or other virtual input device, a user can interact with the remote applications via the application output displayed on the virtual desktop.
    Type: Grant
    Filed: April 1, 2011
    Date of Patent: August 22, 2017
    Assignee: Citrix Systems, Inc.
    Inventors: Gus Pinto, David Koretsky, Adam Marano
  • Patent number: 9720827
    Abstract: In one embodiment, a processor comprises: at least one core formed on a die to execute instructions; a first memory controller to interface with an in-package memory; a second memory controller to interface with a platform memory to couple to the processor; and the in-package memory located within a package of the processor, where the in-package memory is to be identified as a more distant memory with respect to the at least one core than the platform memory. Other embodiments are described and claimed.
    Type: Grant
    Filed: November 14, 2014
    Date of Patent: August 1, 2017
    Assignee: Intel Corporation
    Inventors: Avinash Sodani, Robert J. Kyanko, Richard J. Greco, Andreas Kleen, Milind B. Girkar, Christopher M. Cantalupo
  • Patent number: 9722773
    Abstract: A method for determining a representation of a product of a first element and a second element is disclosed comprising, picking a random value for each pair of a first integer between 1 and d and a second integer greater than the first integer, adding the random value to the product of a first value and a second value, and adding the result of the first addition and the product of the first value and the second value. Then summing, for each integer between 1 and d, a product of the first and second values associated with the integer, the random values associated with the pairs of which the first integer is the integer concerned, and the values obtained for the pairs of which the second integer is the integer concerned.
    Type: Grant
    Filed: May 26, 2011
    Date of Patent: August 1, 2017
    Assignee: OBERTHUR TECHNOLOGIES
    Inventors: Emmanuel Prouff, Matthieu Rivain
  • Patent number: 9703944
    Abstract: Roughly described, a method of restricting access of a debug controller to debug architecture on an integrated circuit chip, the debug architecture comprising an access controller, a plurality of peripheral circuits, and a shared hub, the shared hub being accessible by the access controller and the plurality of peripheral circuits, the method comprising: at the access controller, authenticating the debug controller; at the access controller, following authentication, assigning to the debug controller a set of access rights, the set of access rights granting the debug controller partial access to the debug architecture; and after assigning the set of access rights, allowing the debug controller access to the debug architecture as allowed by the set of access rights.
    Type: Grant
    Filed: July 9, 2013
    Date of Patent: July 11, 2017
    Assignee: ULTRASOC TECHNOLOGIES LTD.
    Inventors: Andrew Brian Thomas Hopkins, Arnab Banerjee, Stephen John Barlow, Klaus Dieter McDonald-Maier
  • Patent number: 9673982
    Abstract: In a data communication network, Network Interface Cards (NICs) receive user data and interrupt Central Processing Units (CPUs) that then transfer buffer descriptors for the user data to Data Memory Buffers (DMBs). The DMBs receive the buffer descriptors from the CPUs and transfer the buffer descriptors to the NICs. The NICs receive the buffer descriptors and responsively transfer the user data to the DMBs. The DMBs buffer the user data. A master NIC transfers a CPU hardware-trust validation challenge to a master CPU. The master CPU hashes the validation data with its physically-embedded, hardware-trust code to generate and transfer a CPU hardware-trust validation result. The master NIC processes the CPU hardware-trust validation result to verify hardware-trust of the master CPU.
    Type: Grant
    Filed: September 16, 2015
    Date of Patent: June 6, 2017
    Assignee: Sprint Communications Company L.P.
    Inventors: Ronald R. Marquardt, Lyle Walter Paczkowski, Arun Rajagopal
  • Patent number: 9674165
    Abstract: Various embodiments relate to a method, device, and non-transitory medium including: determining a master key value for use in secure communications with a different device, wherein the master key value is used as a master key; deriving at least one session key using the master key; generating a new master key value based on the master key; deleting the current master key value; and using the new master key value as the master key.
    Type: Grant
    Filed: May 28, 2015
    Date of Patent: June 6, 2017
    Assignee: NXP B.V.
    Inventors: Michael Michel Patrick Peeters, Rudi Verslegers, Dimitri Warnez
  • Patent number: 9658854
    Abstract: Instructions and logic provide SIMD SM3 cryptographic hashing functionality. Some embodiments include a processor comprising: a decoder to decode instructions for a SIMD SM3 message expansion, specifying first and second source data operand sets, and an expansion extent. Processor execution units, responsive to the instruction, perform a number of SM3 message expansions, from the first and second source data operand sets, determined by the specified expansion extent and store the result into a SIMD destination register. Some embodiments also execute instructions for a SIMD SM3 hash round-slice portion of the hashing algorithm, from an intermediate hash value input, a source data set, and a round constant set. Processor execution units perform a set of SM3 hashing round iterations upon the source data set, applying the intermediate hash value input and the round constant set, and store a new hash value result in a SIMD destination register.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: May 23, 2017
    Assignee: Intel Corporation
    Inventors: Gilbert M. Wolrich, Vinodh Gopal, Sean M. Gulley, Kirk S. Yap, Wajdi K. Feghali
  • Patent number: 9653004
    Abstract: A method for downloading information into a secure non-volatile memory of a secure embedded device (SED) during a manufacturing or personalization process. The method involves communicating the information and a software program from a device to a temporary storage memory of the SED. The method also involves starting the software program provided to facilitate an initialization of a first key and to facilitate a transfer of at least a portion of the information from the temporary storage memory to the secure non-volatile memory. In response to starting the software program, the first key is initialized and the portion of information is transformed into transformed information locally at the SED using at least one of a scramble algorithm and a cipher algorithm. Thereafter, the transformed information is written to a memory element of the secure non-volatile memory.
    Type: Grant
    Filed: October 16, 2008
    Date of Patent: May 16, 2017
    Assignee: Cypress Semiconductor Corporation
    Inventors: Arnaud Boscher, Nicolas Prawitz
  • Patent number: 9651940
    Abstract: A numerical control device for controlling a machine tool while sequentially reading out an NC program from a host computer includes an external program invoking unit configured to invoke an encrypted NC program, a communication setting information storing unit configured to store setting information for communicating with the host computer, an NC program acquisition determining unit, an encrypted NC program acquisition request transmitting unit, an encrypted NC program decrypting unit, and an NC program display prohibiting unit.
    Type: Grant
    Filed: January 22, 2015
    Date of Patent: May 16, 2017
    Assignee: FANUC Corporation
    Inventor: Shogo Inoue
  • Patent number: 9639482
    Abstract: Security of information—both code and data—stored in a computer's system memory is provided by an agent loaded into and at run time resident in a CPU cache. Memory writes from the CPU are encrypted by the agent before writing and reads into the CPU are decrypted by the agent before they reach the CPU. The cache-resident agent also optionally validates the encrypted information stored in the system memory. Support for I/O devices and cache protection from unsafe DMA of the cache by devices is also provided.
    Type: Grant
    Filed: August 6, 2015
    Date of Patent: May 2, 2017
    Assignee: Facebook, Inc.
    Inventors: Oded Horovitz, Stephen A. Weis, Carl A. Waldspurger, Sahil Rihan
  • Patent number: 9594915
    Abstract: A hardware TPM has a plurality of registers, and performs data protection by encryption of data associated with the value of one of the plurality of registers. A register number manager manages, for each application, a register number used for the data protection. During execution of an application, an application executor issues a data protection request that designates a register number preset in the application. A software TPM transfers, to the hardware TPM, the data protection request in which the register number designated in the data protection request has been replaced with the register number managed by the register number manager.
    Type: Grant
    Filed: August 5, 2013
    Date of Patent: March 14, 2017
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yoshiharu Imamoto
  • Patent number: 9584543
    Abstract: A computer-implemented method and system for the validation of a true browsing user on a website is disclosed. The invention allows for the collection of data regarding the evolving threat landscape created by online attackers. The system and method fingerprint user behavior to detect differences between a local user, a remote/foreign user, and an automated script. The system then covertly transmits that information back to a financial institution client without giving online attackers the opportunity to notice such transmittal. Certain embodiments of the invention also correspond with the browsing user to validate their identity. The claimed system and method proactively reveal attackers and attack ploys, additionally enabling institutions and security consultants to adapt to attacks in an automated fashion.
    Type: Grant
    Filed: March 5, 2014
    Date of Patent: February 28, 2017
    Assignee: WHITE OPS, INC.
    Inventor: Daniel Kaminsky
  • Patent number: 9582393
    Abstract: An information handling system includes a processor, a Unified Extensible Firmware Interface (UEFI) boot volume, and a memory including UEFI code and a setup module. The UEFI code is executable by the processor to boot the information handling system, determine if the UEFI boot volume includes a setup data file, and launch the setup module in response to determining that the UEFI boot volume includes the setup data file. The setup module is executable by the processor to read first information from the setup data file, and set a first configuration setting of the information handling system based upon the first information.
    Type: Grant
    Filed: June 20, 2014
    Date of Patent: February 28, 2017
    Assignee: DELL PRODUCTS, LP
    Inventor: Allen C. Wynn
  • Patent number: 9569634
    Abstract: A structured data store service, such as a database service, may implement fine-grained access to data maintained at the database service using federated identity. Fine-grained access requests may be received at a database service for specified data maintained for an application provider from a client of the application provider. An access credential may also be received. Verification of the access credential may be obtained, and the database service may evaluate the fine-grained access request according to a delegation policy corresponding to the access credential to determine whether the fine-grained request is authorized. If authorized, the fine-grained access request may be serviced. If not authorized, the fine-grained access request may be denied. In some embodiments, multiple application clients may have the same authorization for data, such as read authorization, while another one or more application clients may have different authorization for the data, such as write authorization.
    Type: Grant
    Filed: December 16, 2013
    Date of Patent: February 14, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: David Craig Yanacek, Prashant Pandey
  • Patent number: 9547758
    Abstract: A method of obscuring software code including a plurality of instructions, comprising: determining, by a processor, a number N of prior instructions to a current instruction; encoding the current instruction based upon a first function, a second function, and the N prior instructions, wherein the second function is based upon the N prior instructions, and wherein the first function is based upon the current instruction and an output of the second function.
    Type: Grant
    Filed: May 19, 2014
    Date of Patent: January 17, 2017
    Assignee: NXP B.V.
    Inventors: Jan Hoogerbrugge, Wil Michiels
  • Patent number: 9542561
    Abstract: A method of an aspect includes receiving an instruction. The instruction indicates a first source of a first packed data including state data elements ai, bi, ei, and fi for a current round (i) of a secure hash algorithm 2 (SHA2) hash algorithm. The instruction indicates a second source of a second packed data. The first packed data has a width in bits that is less than a combined width in bits of eight state data elements ai, bi, ci, di, ei, fi, gi, hi of the SHA2 hash algorithm. The method also includes storing a result in a destination indicated by the instruction in response to the instruction. The result includes updated state data elements ai+, bi+, ei+, and fi+ that have been updated from the corresponding state data elements ai, bi, ei, and fi by at least one round of the SHA2 hash algorithm.
    Type: Grant
    Filed: February 1, 2016
    Date of Patent: January 10, 2017
    Assignee: Intel Corporation
    Inventors: Gilbert M. Wolrich, Kirk S. Yap, Vinodh Gopal, James D. Guilford
  • Patent number: 9507961
    Abstract: Systems, methods, and computer programs are disclosed for providing secure access control to a graphics processing unit (GPU). One system includes a GPU, a plurality of GPU programming interfaces, and a command processor. Each GPU programming interface is dynamically assigned to a different one of a plurality of security zones. Each GPU programming interface is configured to receive work orders issued by one or more applications associated with the corresponding security zone. The work orders comprise instructions to be executed by the GPU. The command processor is in communication with the plurality of GPU programming interfaces. The command processor is configured to control execution of the work orders received by the plurality of GPU programming interfaces using separate secure memory regions. Each secure memory region is allocated to one of the plurality of security zones.
    Type: Grant
    Filed: August 29, 2013
    Date of Patent: November 29, 2016
    Assignee: QUALCOMM INCORPORATED
    Inventors: Thomas Zeng, Azzedine Touzni, William Torzewski
  • Patent number: 9495593
    Abstract: Embodiments of methods, apparatuses, and storage mediums associated with controlling content capture of prohibited content on remote devices, are disclosed. In embodiments, components of a remote device may receive image data of an image captured by the remote device and analyze the image data to determine whether the image includes prohibited content. In embodiments, the remote device may conditionally display or persistently store the image data, based at least in part on a result of the analysis.
    Type: Grant
    Filed: March 12, 2012
    Date of Patent: November 15, 2016
    Assignee: Intel Corporation
    Inventors: Ravikiran Chukka, Gyan Prakash, Rajesh Poornachandran, Saurabh Dadu
  • Patent number: 9495720
    Abstract: A method and apparatus for compiling and executing an application including Central Processing Unit (CPU) source code and Graphic Processing Unit (GPU) source code. The apparatus includes a hardware device including a CPU and a GPU; a compiler that compiles the GPU source code into a GPU virtual instruction; and a hybrid virtualization block that executes an execution file by translating the GPU virtual instruction into GPU machine code.
    Type: Grant
    Filed: September 26, 2011
    Date of Patent: November 15, 2016
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Kyoung Hoon Kim, In Choon Yeo, Seung Wook Lee, Joong Baik Kim, Il Ho Lee, Jeong Ig Song
  • Patent number: 9495190
    Abstract: In the host operating system of a computing device, entropy data is collected based at least in part on each of one or more hardware components of the computing device. An entropy pool is updated based at least in part on the collected entropy data, and data from the entropy pool is provided to a guest operating system running as a virtual machine of the computing device. The guest operating system maintains a guest operating system entropy pool based on the data from the entropy pool provided by the host operating system. The guest operating system accesses the guest operating system entropy pool and uses the guest operating system entropy pool as a basis for generating values including random numbers.
    Type: Grant
    Filed: August 24, 2009
    Date of Patent: November 15, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Carl M. Ellison, Scott A. Field, Brandon S. Baker
  • Patent number: 9471288
    Abstract: Compiler based obfuscation is described. To protect portions of a code project with obfuscations, the code is modified within a compiler to produce one or more modifications that obfuscate the code as part of a compilation process. A compiled version of the code is generated having the modifications that are produced within the compiler. In one approach, the compiler is configured to consume an obfuscation description that indicates portions of the code to protect and specifies the modifications to make to the indicated portions. Various different modifications of code may be performed during the compilation process to implement corresponding obfuscation features. For example, the modifications made within a compiler may include, but are not limited to, modifications designed to enable tamper detection, anti-debugging, and/or encryption of the code.
    Type: Grant
    Filed: August 5, 2015
    Date of Patent: October 18, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Olaf Alexander Miller, Ten Tzen, Hakki T. Bostanci, Michael T. Pashniak, Kalpesh S. Patel
  • Patent number: 9471758
    Abstract: A function of a software program is stored in a memory during execution in a device of the software program. A processor relocates the function in a region of the memory comprising dummy code, transforms the dummy code in a predictable manner, generates a predicted checksum for the region based on a previous checksum, generates a calculated checksum over the region, and verifies the integrity of the function by comparing the predicted checksum and the calculated checksum. Also provided are a device and a computer program product.
    Type: Grant
    Filed: February 16, 2011
    Date of Patent: October 18, 2016
    Assignee: Thomson Licensing
    Inventors: Charles Salmon-Legagneur, Antoine Monsifrot
  • Patent number: 9465926
    Abstract: A method of obfuscating a code is provided, wherein the method comprises performing a first level obfuscating technique on a code to generate a first obfuscated code, and performing a second level obfuscating technique on the first obfuscated code. In particular, the code may be a software code or a software module. Furthermore, the first level obfuscating technique and the second level obfuscating technique may be different. In particular, the second level obfuscating technique may perform a deobfuscation.
    Type: Grant
    Filed: August 26, 2010
    Date of Patent: October 11, 2016
    Assignee: NXP B.V.
    Inventors: Philippe Teuwen, Ventzislav Nikov
  • Patent number: 9430656
    Abstract: A device for carrying out a cryptographic method has an input interface for receiving input data, an output interface for outputting output data, and a cryptographic unit for carrying out the cryptographic method. A first functional unit is provided which is designed to convert at least a portion of the input data into transformed input data using a first deterministic method, and to supply the transformed input data to the cryptographic unit, and/or a second functional unit is provided which is designed to convert at least a portion of output data of the cryptographic unit into transformed output data using a second deterministic method, and to supply the transformed output data to the output interface.
    Type: Grant
    Filed: May 29, 2013
    Date of Patent: August 30, 2016
    Assignee: ROBERT BOSCH GMBH
    Inventors: Matthew Lewis, Paulius Duplys
  • Patent number: 9424055
    Abstract: A method, system and program product for executing a multi-function instruction in an emulated computer system by specifying, via the multi-function instruction, either a capability query or execution of a selected function of one or more optional functions, wherein the selected function is an installed optional function, wherein the capability query determines which optional functions of the one or more optional functions are installed on the computer system.
    Type: Grant
    Filed: December 31, 2013
    Date of Patent: August 23, 2016
    Assignee: International Business Machines Corporation
    Inventors: Shawn D. Lundvall, Ronald M. Smith, Sr., Phil Chi-Chung Yeh
  • Patent number: 9396136
    Abstract: Apparatus and method for providing data security through cascaded encryption. In accordance with various embodiments, input data are encrypted in relation to a first auxiliary data value to provide first level ciphertext. The first level ciphertext are encrypted using a second auxiliary data value associated with a selected physical location in a memory to produce second level ciphertext, which are thereafter stored to the selected physical location. In some embodiments, migration of the stored data to a new target location comprises partial decryption and re-encryption of the data using a third auxiliary data value associated with a new target physical location to produce third level ciphertext, and the storage of the third level ciphertext to the new target physical location.
    Type: Grant
    Filed: October 13, 2014
    Date of Patent: July 19, 2016
    Assignee: Seagate Technology LLC
    Inventors: Laszlo Hars, Donald P. Matthews, Jr.
  • Patent number: 9384239
    Abstract: Various technologies described herein pertain to parallel local sequence alignment that aligns a query sequence with a database sequence. The database sequence is segmented into a plurality of stripes. A first processing unit can compute Smith-Waterman values for a first stripe of the database sequence across the query sequence based on a cost function that models biological similarity between sequences. Moreover, a second processing unit can compute Smith-Waterman values for a second stripe of the database sequence across the query sequence based on the cost function. Further, a subset of the Smith-Waterman values for the second stripe of the database sequence across the query sequence can be re-computed based on the cost function (e.g., by the first processing unit or the second processing unit). The subset of the Smith-Waterman values to be re-computed can be determined based on a query sequence length and the cost function.
    Type: Grant
    Filed: December 17, 2012
    Date of Patent: July 5, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Madanlal Musuvathi, Todd Mytkowicz
  • Patent number: 9373009
    Abstract: Tags may be grouped into a tag cluster to be represented by a master tag. Tag transmission reports may be received from one or more tag readers that receive wireless transmissions from a plurality of tags. Tag IDs corresponding to each tag of the plurality of tags in the tag transmission reports may be determined. A plurality of the tag IDs may be grouped into a tag cluster and one of the tag IDs may be selected as a master tag ID to represent the tag cluster. A control command may be transmitted to each tag of the tag cluster except for the master tag. The control command may instruct each tag of the tag cluster except the master tag to stop broadcasting wireless transmissions. The tags in the tag cluster will be represented by the master tag.
    Type: Grant
    Filed: February 21, 2014
    Date of Patent: June 21, 2016
    Assignee: Sony Corporation
    Inventors: Johan Wadman, Peter Ljung