Abstract: An integrated circuit, having a security supervision system, comprising a plurality of functional circuit blocks interconnected to collectively performing data processing tasks, one or more communication adaptors, having: (i) a hardware interconnection to the functional circuit blocks, whereby the communication adaptor senses the state and/or activity of the functional circuit block; (ii) memory storing definitions of state and/or activity of functional circuit block and actions for each definition; and (iii) processing circuitry comparing the state and/or activity of the functional block with each definition, such that when state and/or activity of the functional block corresponding to a stored definition is detected, perform the corresponding action.

Abstract: A method of obscuring the input and output of a modular exponentiation function, including: receiving modular exponentiation parameters including an exponent e having N bits and a modulus m; generating randomly a pre-multiplier; calculating a post-multiplier based upon the pre-multiplier, exponent e, and modulus m; multiplying an input to the modular exponentiation function by the pre-multiplier; performing the modular exponentiation function; and multiplying the output of the modular exponentiation function by the post-multiplier, wherein multiplying an input to the modular exponentiation function by the pre-multiplier, performing the modular exponentiation function, and multiplying the output of the modular exponentiation function by the post-multiplier are split variable operations.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identify regions of code to be monitored, probe and lock code pages that include the identified regions of code, and remap the code pages as execute only. The code pages can be remapped as execute only in an alternate extended page table view.

Abstract: A secure data storage device with wireless authentication is provided. The described data storage device is wirelessly unlocked using another wireless device. The secure data storage device interoperates with a cloud server for configuring and managing the data storage device.

Abstract: According to one embodiment, an information processing device includes a processor, a nonvolatile memory, a designation unit, and a controller. The nonvolatile memory stores the first software and the second software which is used as substitute for the first software. The designation unit designates software to be executed by the processor at a boot. The controller protects an area of the nonvolatile memory storing the first software from being written while the first software is executed by the processor. When third software is executed by the processor, the third software verifies the second software. When the second software is legal in a result of verifying by the third software, the designation unit designates the second software.

Abstract: The present invention provides methods and apparatuses that utilize a portable apparatus to securely operate a host electronic device. Typically, each portable apparatus includes a data storage unit which stores an operating system and other software. In one example, a portable apparatus can provide a virtual operating environment on top of a host's operating system for a host device. In another example, a portable apparatus containing its operating system can directly boot a host device with one or more hardware profiles. Furthermore, a device-dependent protection against software piracy, a user-dependent protection against sensitive data leaks, a controllable host operating environment to prevent unwanted information exposure, and a secure restoration procedure to prevent virus infection between the host device users may be incorporated. Moreover, a pre-defined information may also be utilized to authorize a connected-state guest operation environment in the host device.

Abstract: An information handling system includes a processor, a Unified Extensible Firmware Interface (UEFI) boot volume, and a memory including UEFI code and a setup module. The UEFI code is executable by the processor to boot the information handling system, determine if the UEFI boot volume includes a setup data file, and launch the setup module in response to determining that the UEFI boot volume includes the setup data file. The setup module is executable by the processor to read first information from the setup data file, and set a first configuration setting of the information handling system based upon the first information.

Abstract: In one embodiment, a processor comprises: at least one core formed on a die to execute instructions; a first memory controller to interface with an in-package memory; a second memory controller to interface with a platform memory to couple to the processor; and the in-package memory located within a package of the processor, where the in-package memory is to be identified as a more distant memory with respect to the at least one core than the platform memory. Other embodiments are described and claimed.

Abstract: Memory security technologies are described. An example processing system includes a processor core and a memory controller coupled to the processor core and a memory. The processor core can receive a content read instruction from an application. The processor core can identify a cache line (CL) from a plurality of CLs of a cryptographic cache block (CCB) requested in the content read instruction. The processor core can load, from a cryptographic tree, tree nodes with security metadata. The processor core can retrieve, from the memory, the CCB. The processor core can generate a second MAC from the CCB. The processor core can compare the first MAC with the second MAC. The processor core can decrypt the CCB using security metadata when the first MAC matches the second MAC. The processor core can send at least the identified CL from the decrypted CCB to the application.

Abstract: A machine has a processor and a memory connected to the processor. The memory stores instructions executed by the processor to allow a user to designate a selected persona from a pool of potential personas, where each potential persona is associated with the user and has a distinct set of computer network attributes. A virtual private network egress point for the selected persona is designated, where the virtual private network egress point masks computer network attributes of the selected persona. Contact with the virtual private network egress point is coordinated to initiate a network communication for the selected persona.

Abstract: Provided is a non-transitory computer readable storage medium storing a program causing a computer to execute a process, the process including: obtaining an analysis result of a program hierarchically structured by a plurality of hierarchies; identifying an exclusion request of a check content of a same kind as a specific check content by referring to a storage unit storing information about a past exclusion request of a check content when the specific check content in the analysis result is displayed in association with a part corresponding to the specific check content of the program; outputting reference information for an exclusion request of the specific check content based on a request result of the exclusion request of the check content of the same kind, and a difference between positions in the plurality of hierarchies of the specific check content and the check content of the same kind in the program.

Abstract: A computer architecture is disclosed for implementing a hacking-resistant computing device. The computing device, which could be a mainframe computer, personal computer, smartphone, or any other computing device suitable for network communication, comprises a first partition and a second partition. The second partition can communicate over a network such as the Internet. In contrast, the first partition cannot connect to the Internet, and can directly communicate only with the second partition or with input/output devices directly connected to the first partition. Further, the first partition segments its memory addressing for program code and hardware-protects it from alteration. The second partition is hardware-limited from reading or writing to the memory addressing of the first partition. As a result, the critical data files and program code stored on the first partition are protected from malicious code affecting the second partition.

Abstract: A method of encrypting a program instructions stream and a method of executing an instructions stream thus encrypted. Instructions are translated into binary code before being encrypted by a stream cipher method. When the program contains a conditional or unconditional branch instruction, an instruction is inserted in the program to initialize the pseudo-random sequence generator using an initialization vector, the initialization vector being used to generate the pseudo-random sequence for encryption and decryption of instructions at the branch address. Instructions can be decrypted and executed on-the-fly without needing to know their physical addresses, even in the presence of a branch.

Abstract: A multi-level cache system may include a server with a processor and memory. The memory may include a database cache system for use with a distributed database system. The server may also include a Solid State Drive that may include a key-value store and a second storage device that may store a backend database. The key-value store may act as a second level cache to the database cache system.

Abstract: Techniques described and suggested herein include the use of transformation parameters, such as mathematical and/or cryptographic operations, to permute various aspects of executables so as to control executable code authorized to run on one or more hosts. For example, a set of transformation parameters, such as a mathematical operation and a specified value upon which the mathematical operation may operate, are associated with a host or group of hosts. The set of transformation parameters may be applied to one or more runtime-related numerical locations associated with an executable that is intended to run on the specified hosts. At runtime, appropriately encoded executables are decoded by the specified hosts and operate normally, while differently encoded or unencoded executables are inoperable by the specified hosts.

Abstract: The present disclosure includes apparatuses and methods related to virtual address tables. An example method comprises generating an object file that comprises: an instruction comprising a number of arguments; and an address table comprising a number of indexed address elements. Each one of the number of indexed address elements can correspond to a virtual address of a respective one of the number of arguments, wherein the address table can serves as a target for the number of arguments. The method can include storing the object file in a memory.

Abstract: A method for virtualizing of software applications. The method comprises initializing a virtual environment created by a virtual engine executed over a computer; creating a new data file; launching an installation process of a software application to be virtualized, wherein the installation process runs in the virtual environment; during the installation process, capturing data writes to a file system of the computer's operating system; and saving the data writes to the new data file.

Abstract: A method of obscuring software code implementing a modular exponentiation function, including: receiving modular exponentiation parameters including an exponent e having N bits; generating a bitwise exponent array and inverse bitwise exponent array; and generating modular exponentiation function operations using the bitwise exponent array, inverse bitwise exponent array, and N, wherein the generated modular exponentiation function operations are split variable operations.

Abstract: An electronic device comprising: a memory; and at least one processor configured to: install an application by using an installation file associated with the application; grant at least one permission to the application based on a permission setting token that is included in the installation file; and store, in a database, an indication that the application is granted the permission.

Abstract: Systems, methods, and non-transitory computer-readable medium are provided to secure data centers and cloud computing. A method receives network identifiers for functions, requests a network key for each function, allocates network interfaces, requests a virtual network interface controller allocation, requests a network key for each cloud function, receives storage identifiers for functions, requests a storage key for each cloud function, allocates virtual storage disks, requests a storage interface controller allocation, requests a storage key for each cloud function. Methods secure migration of a virtual machine from a source to a target server. A server includes multiple cores where each core is dedicated to a compute function and a unique key encrypts data of each compute function. A non-transitory computer-readable medium encodes programs that execute the above methods.

Abstract: The present invention relates to an IoT (Internet of Things) device, a mobile terminal, a method of pairing the IoT device using the mobile terminal, and a control method. According to one embodiment of the present invention, the method includes the steps of, when an IoT device contacted with at least one side of the mobile terminal is recognized, generating a vibration using a designated vibration pattern, receiving vibration pattern information from the IoT device, and when the received vibration pattern information is identical to the designated vibration pattern, performing paring with the IoT device. According to the embodiments of the present invention, a user can intuitively perform pairing between the mobile terminal and the IoT device through the paring method between the mobile terminal and the IoT device.

Abstract: Instructions and logic provide for a Single Instruction Multiple Data (SIMD) SM4 round slice operation. Embodiments of an instruction specify a first and a second source data operand set, and substitution function indicators, e.g. in an immediate operand. Embodiments of a processor may include encryption units, responsive to the first instruction, to: perform a slice of SM4-round exchanges on a portion of the first source data operand set with a corresponding keys from the second source data operand set in response to a substitution function indicator that indicates a first substitution function, perform a slice of SM4 key generations using another portion of the first source data operand set with corresponding constants from the second source data operand set in response to a substitution function indicator that indicates a second substitution function, and store a set of result elements of the first instruction in a SIMD destination register.

Abstract: Techniques are described for providing processor-based dedicated fixed function hardware to perform runtime integrity measurements for detecting attacks on system supervisory software, such as a hypervisor or native Operating System (OS). The dedicated fixed function hardware is provided with memory addresses of the system supervisory software for monitoring. After obtaining the memory addresses and other information required to facilitate integrity monitoring, the dedicated fixed function hardware activates a lock-out to prevent reception of any additional information, such as information from a corrupted version of the system supervisory software. The dedicated fixed function hardware then automatically performs periodic integrity measurements of the system supervisory software. Upon detection of an integrity failure, the dedicated fixed function hardware uses out-of-band signaling to report that an integrity failure has occurred.

Abstract: A method of obscuring software code including a data array and a plurality of operations, including: identifying, by a processor, a data array with an index to be obscured and an operation using the data array; permutating the identified data array using a permutating function; and replacing the identified operation using the permutated data array and equivalent encoded permutation function.

Abstract: Techniques to enable scalable cryptographically protected memory using on-chip memory are described. In one embodiment, an apparatus may comprise a processor component implemented on a first integrated circuit, an on-chip memory component implemented on the first integrated circuit, the on-chip memory component to include a memory page handler to manage memory pages stored on the on-chip memory component, and a cryptographic engine to encrypt and decrypt memory pages for the memory page handler, and an off-chip memory component implemented on a second integrated circuit coupled to the first integrated circuit, the off-chip memory component to store encrypted memory pages evicted from the on-chip memory component. Other embodiments are described and claimed.

Abstract: A system for managing Containers, including a hardware node running an OS; a multi-tenant application on the node; and a plurality of Containers under the OS. A process of the multi-tenant application uses only one Container at a time. Remaining Containers available to the process are taskless Containers. An arbiter controls permissions for the process to switch from one Container to another Container. The arbiter defines trusted and untrusted execution contexts. Code of the process executing in the untrusted context is not permitted to switch Containers, and the code of the process executing in the trusted context is permitted to switch Containers. The arbiter detects attempts to switch Containers, and prevents them when executing untrusted code. Upon a request to the multi-tenant application, the arbiter switches the process that will process the user request to one of the taskless Containers and executes the request in the untrusted context.

Abstract: A device for performing a mapping an input message to an output message by a keyed cryptographic operation, wherein the keyed cryptographic operation includes a plurality of rounds. To protect against differential fault analysis attacks, the cryptographic operation is modified to apply a secret sharing approach to one of the rounds. Also, a portion of the computations are split into first and second shares, where the first share uses a first weight and the second share uses a second weight. The final operations are again merged into a single matrix multiplication. Cryptographic operations that have a substitution function and an affine transformation can be protected in this way.

Abstract: A method of an aspect includes receiving an instruction. The instruction indicates a first source of a first packed data including state data elements ai, bi, ei, and fi for a current round (i) of a secure hash algorithm 2 (SHA2) hash algorithm. The instruction indicates a second source of a second packed data. The first packed data has a width in bits that is less than a combined width in bits of eight state data elements ai, bi, ci, di, ei, fi, gi, hi of the SHA2 hash algorithm. The method also includes storing a result in a destination indicated by the instruction in response to the instruction. The result includes updated state data elements ai+, bi+, ei+, and fi+ that have been updated from the corresponding state data elements ai, bi, ei, and fi by at least one round of the SHA2 hash algorithm.

Abstract: The disclosure is related to a machine to machine (M2M) device and a security management method thereof. The M2M device includes an identification circuit. The identification circuit may be configured to encrypt data collected from a sensor with a device identification (ID) of the M2M device and at least one subscriber ID of the identification circuit and to generate a data packet in a predetermined communication standard format by including the encrypted data in a payload of the data packet.

Abstract: A method and system for performing a graph search, includes constructing an abstract representation of the graph using state-space abstraction. The abstract representation of the graph includes one or more abstract nodes having duplicate detection scopes and one or more abstract edges having operator groups. The duplicate detection scopes of the abstract nodes are partitioned into smaller duplicate detection scopes using edge partitioning. The abstract edges include the smaller duplicate detection scopes. Nodes in the current search layer are expanded using the operator groups of outgoing abstract edges of the abstract nodes the nodes map to. The operator groups associated with abstract edges having disjoint duplicate detection scopes are used to expand the nodes in parallel. Once all the operator groups in the current search layer have been used for node expansion the method progresses to the next search layer.

Abstract: A method for backing cloud data up and a method for recovering cloud data are provided. A cloud server and a client device are connected to a cloud network. The method for backing cloud data up includes: using the client device to obtain an installed application list and to show the installed application list; using the client device to choose a application in the application list; using the client device to obtain a access path where the backup of the application data file in the client device is and to transmit the access path and a backup of the application data file to the cloud server; and using the cloud server to save the access path and the corresponding backup of the application data file. By using the present inventive method, any user's chosen data can be shared among the cloud server and the client device.

Abstract: A method of obfuscating a code is provided, wherein the method comprises performing a first level obfuscating technique on a code to generate a first obfuscated code, and performing a second level obfuscating technique on the first obfuscated code. In particular, the code may be a software code or a software module. Furthermore, the first level obfuscating technique and the second obfuscating may be different. In particular, the second level obfuscating technique may perform a deobfuscation.

Abstract: Roughly described, a method of restricting access of a debug controller to debug architecture on an integrated circuit chip, the debug architecture comprising an access controller, a plurality of peripheral circuits, and a shared hub, the shared hub being accessible by the access controller and the plurality of peripheral circuits, the method comprising: at the access controller, authenticating the debug controller; at the access controller, following authentication, assigning to the debug controller a set of access rights, the set of access rights granting the debug controller partial access to the debug architecture; and after assigning the set of access rights, allowing the debug controller access to the debug architecture as allowed by the set of access rights.

Abstract: Mass storage devices and methods for securely storing data are disclosed. The mass storage device includes a communication interface for communicating with a connected host computer, a mass-memory storage component for storing data, a secure key storage component adapted to securely store at least one master secret, and an encryption-decryption component different from the secure key storage component and connected to the secure key storage component and the mass-memory storage component. The encryption-decryption component may be adapted to encrypt data received from the host computer using an encryption algorithm and at least one encryption key and to write the encrypted data into the mass-memory storage component.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identify regions of code to be monitored, probe and lock code pages that include the identified regions of code, and remap the code pages as execute only to assist with the mitigation of malicious invocation of sensitive code. The code pages can be remapped as execute only in an alternate extended page table view to allow for the detection and mitigation of malicious invocation of sensitive code.

Abstract: A data communication system comprises a Network Interface Card (NIC), Central Processing Unit (CPU), and Data Memory Buffer (DMB) to efficiently verify hardware-trust. The NIC, CPU, and DMB execute boot-up software, and in response, the NIC, CPU, and DMB execute hardware-trust software to assert control over their Application Programming Interfaces (APIs). The NIC, CPU, and DMB receive and hash hardware-trust data with their physically-embedded hardware-trust codes to generate hardware-trust results. The NIC, CPU, and DMB transfer their hardware-trust results for hardware-trust validation. The CPU may execute Network Function Virtualization Virtual Network Functions (NFV VNFs) for Software Defined Networks (SDNs).

Abstract: Trust characteristics attributable to components associated with a disaggregated infrastructure environment are obtained. A trust policy of an application to be hosted in the disaggregated infrastructure environment is obtained. The trust characteristics are compared to the trust policy. One or more of the components associated with the disaggregated infrastructure environment are selected based on the comparison step. A compute node is formed from the selected components.

Abstract: A processor includes a plurality of registers, an instruction decoder to receive an instruction to process a KECCAK state cube of data representing a KECCAK state of a KECCAK hash algorithm, to partition the KECCAK state cube into a plurality of subcubes, and to store the subcubes in the plurality of registers, respectively, and an execution unit coupled to the instruction decoder to perform the KECCAK hash algorithm on the plurality of subcubes respectively stored in the plurality of registers in a vector manner.

Abstract: An apparatus for providing an improved content protecting and packaging system for protecting content may include an extractor for extracting a content package into a plurality of content segments including a first portion and a second portion. An enveloper may envelop each of the content segments in the first portion separately to thereby create one or more protected content segments. Further, a packager may package the protected content segments with the second portion of the content segments into a protected content package, which may then be uploaded to a distributor for distribution to user terminals. A corresponding method and computer program product are also provided.

Abstract: A method includes, in various implementations, regulating a memory region for execute-only access, storing a set of instructions in the memory region, executing an early instruction among the set of instructions, and executing a set of subsequent instructions among the instructions. The early instruction loads a secret value into a volatile register. A correct execution of the subsequent instructions depends on the secret value being loaded into the volatile register. A system includes, in various implementations, a memory and a processor with one or more volatile registers. The processor regulates access to portions of the memory. The processor can load a secret value into the volatile register in response to executing a program stored in an execute-only portion of the memory. The processor is configured to lose, in response to an asynchronous event, information loaded in the volatile registers.

Abstract: Virtual desktops generated by a virtual desktop application locally executing on a tablet computing device, can further display remote applications. The tablet computing device executes an operating system that does not contemplate a mouse pointer and that displays a native desktop. In many instances, the virtual desktop is displayed on the tablet computing device such that the virtual desktop appears to be the native desktop. The virtual desktops therefore include a mouse pointer which can be used to interact with the remote applications. The remote applications generate graphical application output when they execute on a remote server. The graphical application output is transmitted to the tablet computing device and displayed in an application output window displayed within the virtual desktop. Using a virtual trackpad or other virtual input device, a user can interact with the remote applications via the application output displayed on the virtual desktop.

Abstract: A method for determining a representation of a product of a first element and a second element is disclosed comprising, picking a random value for each pair of a first integer between 1 and d and a second integer greater than the first integer, adding the random value to the product of a first value and a second value, and adding the result of the first addition and the product of the first value and the second value. Then summing, for each integer between 1 and d, a product of the first and second values associated with the integer, the random values associated with the pairs of which the first integer is the integer concerned, and the values obtained for the pairs of which the second integer is the integer concerned.

Abstract: In one embodiment, a processor comprises: at least one core formed on a die to execute instructions; a first memory controller to interface with an in-package memory; a second memory controller to interface with a platform memory to couple to the processor; and the in-package memory located within a package of the processor, where the in-package memory is to be identified as a more distant memory with respect to the at least one core than the platform memory. Other embodiments are described and claimed.

Abstract: Roughly described, a method of restricting access of a debug controller to debug architecture on an integrated circuit chip, the debug architecture comprising an access controller, a plurality of peripheral circuits, and a shared hub, the shared hub being accessible by the access controller and the plurality of peripheral circuits, the method comprising: at the access controller, authenticating the debug controller; at the access controller, following authentication, assigning to the debug controller a set of access rights, the set of access rights granting the debug controller partial access to the debug architecture; and after assigning the set of access rights, allowing the debug controller access to the debug architecture as allowed by the set of access rights.

Abstract: In a data communication network, Network Interface Cards (NICs) receive user data and interrupt Central Processing Units (CPUs) that then transfer buffer descriptors for the user data to Data Memory Buffers (DMBs). The DMBs receive the buffer descriptors from the CPUs and transfer the buffer descriptors to the NICs. The NICs receive the buffer descriptors and responsively transfer the user data to the DMBs. The DMBs buffer the user data. A master NIC transfers a CPU hardware-trust validation challenge to a master CPU. The master CPU hashes the validation data with its physically-embedded, hardware-trust code to generate and transfer a CPU hardware-trust validation result. The master NIC processes the CPU hardware-trust validation result to verify hardware-trust of the master CPU.

Abstract: Various embodiments relate to a method, device, and non-transitory medium including: determining a master key value for use in secure communications with a different device, wherein the master key value is used as a master key; deriving at least one session key using the master key; generating a new master key value based on the master key; deleting the current master key value; and using the new master key value as the master key.

Abstract: Instructions and logic provide SIMD SM3 cryptographic hashing functionality. Some embodiments include a processor comprising: a decoder to decode instructions for a SIMD SM3 message expansion, specifying first and second source data operand sets, and an expansion extent. Processor execution units, responsive to the instruction, perform a number of SM3 message expansions, from the first and second source data operand sets, determined by the specified expansion extent and store the result into a SIMD destination register. Some embodiments also execute instructions for a SIMD SM3 hash round-slice portion of the hashing algorithm, from an intermediate hash value input, a source data set, and a round constant set. Processor execution units perform a set of SM3 hashing round iterations upon the source data set, applying the intermediate hash value input and the round constant set, and store a new hash value result in a SIMD destination register.

Abstract: A numerical control device for controlling a machine tool while sequentially reading out an NC program from a host computer includes an external program invoking unit configured to invoke an encrypted NC program, a communication setting information storing unit configured to store setting information for communicating with the host computer, an NC program acquisition determining unit, an encrypted NC program acquisition request transmitting unit, an encrypted NC program decrypting unit, and an NC program display prohibiting unit.

Abstract: A method for downloading information into a secure non-volatile memory of a secure embedded device (SED) during a manufacturing or personalization process. The method involves communicating the information and a software program from a device to a temporary storage memory of the SED. The method also involves starting the software program provided to facilitate an initialization of a first key and to facilitate a transfer of at least a portion of the information from the temporary storage memory to the secure non-volatile memory. In response to starting, the software program, the first key is initialized and the portion of information is transformed into transformed information locally at the SED using at least one of a scramble algorithm and a cipher algorithm. Thereafter, the transformed information is written to a memory element of the secure non-volatile memory.

Abstract: Security of information—both code and data—stored in a computer's system memory is provided by an agent loaded into and at run time resident in a CPU cache. Memory writes from the CPU are encrypted by the agent before writing and reads into the CPU are decrypted by the agent before they reach the CPU. The cache-resident agent also optionally validates the encrypted information stored in the system memory. Support for I/O devices and cache protection from unsafe DMA of the cache by devices is also provided.