Computer Instruction/address Encryption Patents (Class 713/190)
-
Patent number: 9651940
Abstract: A numerical control device for controlling a machine tool while sequentially reading out an NC program from a host computer includes an external program invoking unit configured to invoke an encrypted NC program, a communication setting information storing unit configured to store setting information for communicating with the host computer, an NC program acquisition determining unit, an encrypted NC program acquisition request transmitting unit, an encrypted NC program decrypting unit, and an NC program display prohibiting unit.
Type: Grant
Filed: January 22, 2015
Date of Patent: May 16, 2017
Assignee: FANUC Corporation
Inventor: Shogo Inoue
-
Patent number: 9653004
Abstract: A method for downloading information into a secure non-volatile memory of a secure embedded device (SED) during a manufacturing or personalization process. The method involves communicating the information and a software program from a device to a temporary storage memory of the SED. The method also involves starting the software program provided to facilitate an initialization of a first key and to facilitate a transfer of at least a portion of the information from the temporary storage memory to the secure non-volatile memory. In response to starting the software program, the first key is initialized and the portion of information is transformed into transformed information locally at the SED using at least one of a scramble algorithm and a cipher algorithm. Thereafter, the transformed information is written to a memory element of the secure non-volatile memory.
Type: Grant
Filed: October 16, 2008
Date of Patent: May 16, 2017
Assignee: Cypress Semiconductor Corporation
Inventors: Arnaud Boscher, Nicolas Prawitz
-
Patent number: 9639482
Abstract: Security of information—both code and data—stored in a computer's system memory is provided by an agent loaded into and at run time resident in a CPU cache. Memory writes from the CPU are encrypted by the agent before writing and reads into the CPU are decrypted by the agent before they reach the CPU. The cache-resident agent also optionally validates the encrypted information stored in the system memory. Support for I/O devices and cache protection from unsafe DMA of the cache by devices is also provided.
Type: Grant
Filed: August 6, 2015
Date of Patent: May 2, 2017
Assignee: Facebook, Inc.
Inventors: Oded Horovitz, Stephen A. Weis, Carl A. Waldspurger, Sahil Rihan
-
Patent number: 9594915
Abstract: A hardware TPM has a plurality of registers, and performs data protection by encryption of data associated with the value of one of the plurality of registers. A register number manager manages, for each application, a register number used for the data protection. During execution of an application, an application executor issues a data protection request that designates a register number preset in the application. A software TPM transfers, to the hardware TPM, the data protection request in which the register number designated in the data protection request has been replaced with the register number managed by the register number manager.
Type: Grant
Filed: August 5, 2013
Date of Patent: March 14, 2017
Assignee: Canon Kabushiki Kaisha
Inventor: Yoshiharu Imamoto
-
Patent number: 9584543
Abstract: A computer-implemented method and system for the validation of a true browsing user on a website is disclosed. The invention allows for the collection of data regarding the evolving threat landscape created by online attackers. The system and method fingerprint user behavior to detect differences between a local user, a remote/foreign user, and an automated script. The system then covertly transmits that information back to a financial institution client without giving online attackers the opportunity to notice such transmittal. Certain embodiments of the invention also correspond with the browsing user to validate their identity. The claimed system and method proactively reveal attackers and attack ploys, additionally enabling institutions and security consultants to adapt to attacks in an automated fashion.
Type: Grant
Filed: March 5, 2014
Date of Patent: February 28, 2017
Assignee: WHITE OPS, INC.
Inventor: Daniel Kaminsky
-
Patent number: 9582393
Abstract: An information handling system includes a processor, a Unified Extensible Firmware Interface (UEFI) boot volume, and a memory including UEFI code and a setup module. The UEFI code is executable by the processor to boot the information handling system, determine if the UEFI boot volume includes a setup data file, and launch the setup module in response to determining that the UEFI boot volume includes the setup data file. The setup module is executable by the processor to read first information from the setup data file, and set a first configuration setting of the information handling system based upon the first information.
Type: Grant
Filed: June 20, 2014
Date of Patent: February 28, 2017
Assignee: DELL PRODUCTS, LP
Inventor: Allen C. Wynn
-
Patent number: 9569634
Abstract: A structured data store service, such as a database service, may implement fine-grained access to data maintained at the database service using federated identity. Fine-grained access requests may be received at a database service for specified data maintained for an application provider from a client of the application provider. An access credential may also be received. Verification of the access credential may be obtained, and the database service may evaluate the fine-grained access request according to a delegation policy corresponding to the access credential to determine whether the fine-grained request is authorized. If authorized, the fine-grained access request may be serviced. If not authorized, the fine-grained access request may be denied. In some embodiments, multiple application clients may have the same authorization for data, such as read authorization, while another one or more application clients may have different authorization for the data, such as write authorization.
Type: Grant
Filed: December 16, 2013
Date of Patent: February 14, 2017
Assignee: Amazon Technologies, Inc.
Inventors: David Craig Yanacek, Prashant Pandey
-
Patent number: 9547758
Abstract: A method of obscuring software code including a plurality of instructions, comprising: determining, by a processor, a number N prior instructions to a current instruction; encoding the current instruction based upon a first function, a second function, and the N prior instructions, wherein the second function is based upon the N prior instructions, and wherein the first function is based upon the current instruction and an output of the second function.
Type: Grant
Filed: May 19, 2014
Date of Patent: January 17, 2017
Assignee: NXP B.V.
Inventors: Jan Hoogerbrugge, Wil Michiels
-
Patent number: 9542561
Abstract: A method of an aspect includes receiving an instruction. The instruction indicates a first source of a first packed data including state data elements ai, bi, ei, and fi for a current round (i) of a secure hash algorithm 2 (SHA2) hash algorithm. The instruction indicates a second source of a second packed data. The first packed data has a width in bits that is less than a combined width in bits of eight state data elements ai, bi, ci, di, ei, fi, gi, hi of the SHA2 hash algorithm. The method also includes storing a result in a destination indicated by the instruction in response to the instruction. The result includes updated state data elements ai+, bi+, ei+, and fi+ that have been updated from the corresponding state data elements ai, bi, ei, and fi by at least one round of the SHA2 hash algorithm.
Type: Grant
Filed: February 1, 2016
Date of Patent: January 10, 2017
Assignee: Intel Corporation
Inventors: Gilbert M. Wolrich, Kirk S. Yap, Vinodh Gopal, James D. Guilford
-
Patent number: 9507961
Abstract: Systems, methods, and computer programs are disclosed for providing secure access control to a graphics processing unit (GPU). One system includes a GPU, a plurality of GPU programming interfaces, and a command processor. Each GPU programming interface is dynamically assigned to a different one of a plurality of security zones. Each GPU programming interface is configured to receive work orders issued by one or more applications associated with the corresponding security zone. The work orders comprise instructions to be executed by the GPU. The command processor is in communication with the plurality of GPU programming interfaces. The command processor is configured to control execution of the work orders received by the plurality of GPU programming interfaces using separate secure memory regions. Each secure memory region is allocated to one of the plurality of security zones.
Type: Grant
Filed: August 29, 2013
Date of Patent: November 29, 2016
Assignee: QUALCOMM INCORPORATED
Inventors: Thomas Zeng, Azzedine Touzni, William Torzewski
-
Patent number: 9495190
Abstract: In the host operating system of a computing device, entropy data is collected based at least in part on each of one or more hardware components of the computing device. An entropy pool is updated based at least in part on the collected entropy data, and data from the entropy pool is provided to a guest operating system running as a virtual machine of the computing device. The guest operating system maintains a guest operating system entropy pool based on the data from the entropy pool provided by the host operating system. The guest operating system accesses the guest operating system entropy pool and uses the guest operating system entropy pool as a basis for generating values including random numbers.
Type: Grant
Filed: August 24, 2009
Date of Patent: November 15, 2016
Assignee: Microsoft Technology Licensing, LLC
Inventors: Carl M. Ellison, Scott A. Field, Brandon S. Baker
-
Patent number: 9495593
Abstract: Embodiments of methods, apparatuses, and storage mediums associated with controlling content capture of prohibited content on remote devices, are disclosed. In embodiments, components of a remote device may receive image data of an image captured by the remote device and analyze the image data to determine whether the image includes prohibited content. In embodiments, the remote device may conditionally display or persistently store the image data, based at least in part on a result of the analysis.
Type: Grant
Filed: March 12, 2012
Date of Patent: November 15, 2016
Assignee: Intel Corporation
Inventors: Ravikiran Chukka, Gyan Prakash, Rajesh Poornachandran, Saurabh Dadu
-
Patent number: 9495720
Abstract: A method and apparatus for compiling and executing an application including Central Processing Unit (CPU) source code and Graphic Processing Unit (GPU) source code. The apparatus includes a hardware device including a CPU and a GPU; a compiler that compiles the GPU source code into a GPU virtual instruction; and a hybrid virtualization block that executes an execution file by translating the GPU virtual instruction into GPU machine code.
Type: Grant
Filed: September 26, 2011
Date of Patent: November 15, 2016
Assignee: Samsung Electronics Co., Ltd
Inventors: Kyoung Hoon Kim, In Choon Yeo, Seung Wook Lee, Joong Baik Kim, Il Ho Lee, Jeong Ig Song
-
Patent number: 9471288
Abstract: Compiler based obfuscation is described. To protect portions of a code project with obfuscations, the code is modified within a compiler to produce one or more modifications that obfuscate the code as part of a compilation process. A compiled version of the code is generated having the modifications that are produced within the compiler. In one approach, the compiler is configured to consume an obfuscation description that indicates portions of the code to protect and specifies the modifications to make to the indicated portions. Various different modifications of code may be performed during the compilation process to implement corresponding obfuscation features. For example, the modifications made within a compiler may include, but are not limited to, modifications designed to enable tamper detection, anti-debugging, and/or encryption of the code.
Type: Grant
Filed: August 5, 2015
Date of Patent: October 18, 2016
Assignee: Microsoft Technology Licensing, LLC
Inventors: Olaf Alexander Miller, Ten Tzen, Hakki T. Bostanci, Michael T. Pashniak, Kalpesh S. Patel
-
Patent number: 9471758
Abstract: A function of a software program is stored in a memory during execution in a device of the software program. A processor relocates the function in a region of the memory comprising dummy code, transforms the dummy code in a predictable manner, generates a predicted checksum for the region based on a previous checksum, generates a calculated checksum over the region, and verifies the integrity of the function by comparing the predicted checksum and the calculated checksum. Also provided are a device and a computer program product.
Type: Grant
Filed: February 16, 2011
Date of Patent: October 18, 2016
Assignee: Thomson Licensing
Inventors: Charles Salmon-Legagneur, Antoine Monsifrot
-
Patent number: 9465926
Abstract: A method of obfuscating a code is provided, wherein the method comprises performing a first level obfuscating technique on a code to generate a first obfuscated code, and performing a second level obfuscating technique on the first obfuscated code. In particular, the code may be a software code or a software module. Furthermore, the first level obfuscating technique and the second obfuscating may be different. In particular, the second level obfuscating technique may perform a deobfuscation.
Type: Grant
Filed: August 26, 2010
Date of Patent: October 11, 2016
Assignee: NXP B.V.
Inventors: Philippe Teuwen, Ventzislav Nikov
-
Patent number: 9430656
Abstract: A device for carrying out a cryptographic method has an input interface for receiving input data, an output interface for outputting output data, and a cryptographic unit for carrying out the cryptographic method. A first functional unit is provided which is designed to convert at least a portion of the input data into transformed input data using a first deterministic method, and to supply the transformed input data to the cryptographic unit, and/or a second functional unit is provided which is designed to convert at least a portion of output data of the cryptographic unit into transformed output data using a second deterministic method, and to supply the transformed output data to the output interface.
Type: Grant
Filed: May 29, 2013
Date of Patent: August 30, 2016
Assignee: ROBERT BOSCH GMBH
Inventors: Matthew Lewis, Paulius Duplys
-
Patent number: 9424055
Abstract: A method, system and program product for executing a multi-function instruction in an emulated computer system by specifying, via the multi-function instruction, either a capability query or execution of a selected function of one or more optional functions, wherein the selected function is an installed optional function, wherein the capability query determines which optional functions of the one or more optional functions are installed on the computer system.
Type: Grant
Filed: December 31, 2013
Date of Patent: August 23, 2016
Assignee: International Business Machines Corporation
Inventors: Shawn D. Lundvall, Ronald M. Smith, Sr., Phil Chi-Chung Yeh
-
Patent number: 9396136
Abstract: Apparatus and method for providing data security through cascaded encryption. In accordance with various embodiments, input data are encrypted in relation to a first auxiliary data value to provide first level ciphertext. The first level ciphertext are encrypted using a second auxiliary data value associated with a selected physical location in a memory to produce second level ciphertext, which are thereafter stored to the selected physical location. In some embodiments, migration of the stored data to a new target location comprises partial decryption and re-encryption of the data using a third auxiliary data value associated with a new target physical location to produce third level ciphertext, and the storage of the third level ciphertext to the new target physical location.
Type: Grant
Filed: October 13, 2014
Date of Patent: July 19, 2016
Assignee: Seagate Technology LLC
Inventors: Laszlo Hars, Donald P. Matthews, Jr.
-
Patent number: 9384239
Abstract: Various technologies described herein pertain to parallel local sequence alignment that aligns a query sequence with a database sequence. The database sequence is segmented into a plurality of stripes. A first processing unit can compute Smith-Waterman values for a first stripe of the database sequence across the query sequence based on a cost function that models biological similarity between sequences. Moreover, a second processing unit can compute Smith-Waterman values for a second stripe of the database sequence across the query sequence based on the cost function. Further, a subset of the Smith-Waterman values for the second stripe of the database sequence across the query sequence can be re-computed based on the cost function (e.g., by the first processing unit or the second processing unit). The subset of the Smith-Waterman values to be re-computed can be determined based on a query sequence length and the cost function.
Type: Grant
Filed: December 17, 2012
Date of Patent: July 5, 2016
Assignee: Microsoft Technology Licensing, LLC
Inventors: Madanlal Musuvathi, Todd Mytkowicz
-
Patent number: 9373009
Abstract: Tags may be grouped into a tag cluster to be represented by a master tag. Tag transmission reports may be received from one or more tag readers that receive wireless transmissions from a plurality of tags. Tag IDs corresponding to each tag of the plurality of tags in the tag transmission reports may be determined. A plurality of the tag IDs may be grouped into a tag cluster and one of the tag IDs may be selected as a master tag ID to represent the tag cluster. A control command may be transmitted to each tag of the tag cluster except for the master tag. The control command may instruct each tag of the tag cluster except the master tag to stop broadcasting wireless transmissions. The tags in the tag cluster will be represented by the master tag.
Type: Grant
Filed: February 21, 2014
Date of Patent: June 21, 2016
Assignee: Sony Corporation
Inventors: Johan Wadman, Peter Ljung
-
Patent number: 9373005
Abstract: In one embodiment, the data storage apparatus includes a control unit configured to decode at least one input command and configured to generate at least one of a read signal and a start signal in response to the input command. The start signal indicates to start an internal mode determination process. The data storage apparatus also includes a memory unit configured to output data in response to the read signal, and a coding unit configured to start and perform the internal mode determination process in response to the start signal. The internal mode determination process includes autonomously determining a coding mode, and the coding unit is configured to code the output data based on the determined coding mode to produce coded data.
Type: Grant
Filed: April 12, 2012
Date of Patent: June 21, 2016
Assignee: SAMSUNG ELECTRONICS CO., LTD.
Inventor: Dong-Ku Kang
-
Patent number: 9361121
Abstract: A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations.
Type: Grant
Filed: March 24, 2014
Date of Patent: June 7, 2016
Assignee: Intel Corporation
Inventors: James A. Sutton, II, David W. Grawrock
-
Patent number: 9361246
Abstract: A mobile device is provided which includes a working memory having a memory area divided into a secure domain and a non-secure domain; and a system-on-chip configured to access and process contents stored in the secure domain. The system-on-chip includes a processing unit driven by at least one of a secure operating system and a non-secure operating system; at least one hardware block configured to access the contents according to control of the processing unit comprising a master port and a slave port which are set to have different security attributes; at least one memory management unit configured to control access of the at least one hardware block to the working memory; and an access control unit configured to set security attributes of the slave port and the master port or an access authority on each of the secure domain and the non-secure domain of the working memory.
Type: Grant
Filed: August 14, 2013
Date of Patent: June 7, 2016
Assignee: SAMSUNG ELECTRONICS CO., LTD.
Inventors: Dongjin Park, Myunghee Kang, Jungtae Kim, Jaeryul Oh, Jong-Bin Won, Yoonjick Lee
-
Patent number: 9311483
Abstract: Systems and methods provide multiple partitions hosted on an isolation technology such as a hypervisor where at least one of the partitions, a local secure service partition (LSSP), provides security services to other partitions. The service partitions (LSSPs) host those high assurance services that require strict security isolation, where the service can be shared across partitions and accessed even when the user is not connected to a network. The LSSP also can certify the results of any computation using a key signed by a TPM attestation identity key (AIK), or other key held securely by the hypervisor or a service partition. The LSSPs may be configured to provide trusted audit logs, trusted security scans, trusted cryptographic services, trusted compilation and testing, trusted logon services, and the like.
Type: Grant
Filed: October 31, 2013
Date of Patent: April 12, 2016
Assignee: Microsoft Technology Licensing, LLC
Inventors: Thekkthalackal Varugis Kurien, Paul England, Ravindra Nath Pandya, Niels Ferguson
-
Patent number: 9311493
Abstract: A system and method of processing an encrypted instruction stream in hardware is disclosed. Main memory stores the encrypted instruction stream and unencrypted data. A central processing unit (CPU) is operatively coupled to the main memory. A decryptor is operatively coupled to the main memory and located within the CPU. The decryptor decrypts the encrypted instruction stream upon receipt of an instruction fetch signal from a CPU core. Unencrypted data is passed through to the CPU core without decryption upon receipt of a data fetch signal.
Type: Grant
Filed: July 30, 2013
Date of Patent: April 12, 2016
Assignee: BATTELLE MEMORIAL INSTITUTE
Inventors: Richard L. Griswold, William K. Nickless, Ryan C. Conrad
-
Patent number: 9298878
Abstract: A system and method for providing transactional data privacy while maintaining data usability, including the use of different obfuscation functions for different data types to securely obfuscate the data, in real-time, while maintaining its statistical characteristics. In accordance with an embodiment, the system comprises an obfuscation process that captures data while it is being received in the form of data changes at a first or source system, selects one or more obfuscation techniques to be used with the data according to the type of data captured, and obfuscates the data, using the selected one or more obfuscation techniques, to create an obfuscated data, for use in generating a trail file containing the obfuscated data, or applying the data changes to a target or second system.
Type: Grant
Filed: March 31, 2011
Date of Patent: March 29, 2016
Assignee: ORACLE INTERNATIONAL CORPORATION
Inventors: Shenoda Guirguis, Alok Pareek, Stephen Wilkes
-
Patent number: 9275235
Abstract: A method for preventing unauthorized recording of media content on an Apple operating system (OS). The present method registers a compliance mechanism on a client system having the Apple OS operating thereon. The compliance mechanism comprises a framework for validating the compliance mechanism on the client system, and a multimedia component opened by the framework. The present method uses the multimedia component for decrypting the media content on the client system. The present method also prevents decryption of the media content on the client system having the Apple OS operating thereon if a portion of the compliance mechanism is invalidated.
Type: Grant
Filed: March 14, 2013
Date of Patent: March 1, 2016
Assignee: Media Rights Technologies, Inc.
Inventors: Hank Risan, Edward Vincent Fitzgerald
-
Patent number: 9275198
Abstract: Systems and methods for electronically publishing content are disclosed. An example method includes receiving a content selection and receiving a selection of rights assigned to the content. The method also includes receiving a selection of one or more tags and associating the content with the rights assigned and the tag to enable a security trimmed rank adjusted search return of the content.
Type: Grant
Filed: June 8, 2012
Date of Patent: March 1, 2016
Assignee: THE BOEING COMPANY
Inventors: Tim P. O'Gorman, Jr., Christopher J. Anderson, Alan MacArthur
-
Patent number: 9262631
Abstract: An embedded device including a random access memory (RAM) and a processor is provided. The processor includes a processor core and an authentication module. The RAM stores data-to-be-authenticated. The data includes a program code to be executed by the processor core. The authentication module periodically accesses and authenticates the data-to-be-authenticated in the RAM. When the authentication module deems that the program code in the RAM loses its integrity, the authentication module interrupts the processor from further executing the program code.
Type: Grant
Filed: November 15, 2012
Date of Patent: February 16, 2016
Assignee: MSTAR SEMICONDUCTOR, INC.
Inventor: Ko-Fang Wang
-
Patent number: 9251098
Abstract: An apparatus for accessing an encrypted memory portion of a memory is provided. The apparatus includes a plurality of signature generators, wherein each signature generator of the plurality of signature generators is configured to generate a signature of a plurality of signatures depending on an instruction of a plurality of instructions, wherein each of the plurality of instructions is a processor instruction for controlling a processor. Moreover, the apparatus includes a key modifier for generating a processed key depending on a standard key and on the plurality of signatures. Furthermore, the apparatus includes a controller for accessing the encrypted memory portion of the memory, wherein the memory access controller is configured to employ the processed key to access the encrypted memory portion of the memory.
Type: Grant
Filed: July 29, 2013
Date of Patent: February 2, 2016
Assignee: Infineon Technologies Austria AG
Inventors: Josef Haid, Armin Krieg, Johannes Grinschgl, Christian Steger
-
Patent number: 9251339
Abstract: Embodiments of the present invention address deficiencies of the art in respect to core dump generation during application fault handling and provide a method, system and computer program product for privacy preservation of core dump data during application fault handling. In an embodiment of the invention, a method for privacy preservation of core dump data during application fault handling can be provided. The method can include receiving a crash signal for an application and generating a core dump with object data for the application. The method further can include obfuscating the object data in the core dump and writing the core dump with obfuscated object data to a file. In this way, the privacy of the object data in the core dump can be preserved.
Type: Grant
Filed: December 29, 2007
Date of Patent: February 2, 2016
Assignee: International Business Machines Corporation
Inventors: Paul K. Bullis, James E. Fox, Daniel P. Julin, Martin J. Trotter
-
Patent number: 9251382
Abstract: A data processing system having a host computer including a key manager, a control unit connected to the host computer, a data storage unit (such as a tape drive) controlled by the control unit, and data storage medium for storing data thereon to be written to or read from by the data storage unit. The key manager stores a data structure having at least one record having a volume serial number, a start location, a length entry, and a key for encrypting and decrypting data on the data storage medium. A data storage medium (such as data tape) is mounted on the data storage unit, and a volume recorded on the tape is retrieved. The control unit retrieves the data structure from the key manager and matches the volume serial number recorded in the retrieved data structure with the volume serial number retrieved from the data storage medium.
Type: Grant
Filed: December 20, 2007
Date of Patent: February 2, 2016
Assignee: International Business Machines Corporation
Inventors: Tara L. Astigarraga, Evren O. Baran, Michael E. Browne, Christopher V. DeRobertis, Ashwin Venkatraman
-
Patent number: 9251311
Abstract: A system and method for providing transactional data privacy while maintaining data usability, including the use of different obfuscation functions for different data types to securely obfuscate the data, in real-time, while maintaining its statistical characteristics. In accordance with an embodiment, the system comprises an obfuscation process that captures data while it is being received in the form of data changes at a first or source system, selects one or more obfuscation techniques to be used with the data according to the type of data captured, and obfuscates the data, using the selected one or more obfuscation techniques, to create an obfuscated data, for use in generating a trail file containing the obfuscated data, or applying the data changes to a target or second system.
Type: Grant
Filed: March 31, 2011
Date of Patent: February 2, 2016
Assignee: ORACLE INTERNATIONAL CORPORATION
Inventors: Shenoda Guirguis, Alok Pareek, Stephen Wilkes
-
Patent number: 9251377
Abstract: A method of an aspect includes receiving an instruction. The instruction indicates a first source of a first packed data including state data elements ai, bi, ei, and fi for a current round (i) of a secure hash algorithm 2 (SHA2) hash algorithm. The instruction indicates a second source of a second packed data. The first packed data has a width in bits that is less than a combined width in bits of eight state data elements ai, bi, ci, di, ei, fi, gi, hi of the SHA2 hash algorithm. The method also includes storing a result in a destination indicated by the instruction in response to the instruction. The result includes updated state data elements ai+, bi+, ei+, and fi+ that have been updated from the corresponding state data elements ai, bi, ei, and fi by at least one round of the SHA2 hash algorithm.
Type: Grant
Filed: December 28, 2012
Date of Patent: February 2, 2016
Assignee: Intel Corporation
Inventors: Gilbert M. Wolrich, Kirk S. Yap, Vinodh Gopal, James D. Guilford
-
Patent number: 9251074
Abstract: A technique for enabling hardware transactional memory (HTM) to work more efficiently with readers that can tolerate stale data. In an embodiment, a pre-transaction load request is received from one of the readers, the pre-transaction load request signifying that the reader can tolerate pre-transaction data. A determination is made whether the pre-transaction load request comprises data that has been designated for update by a concurrent HTM transaction. If so, a cache line containing the data is marked as pre-transaction data. The concurrent HTM transaction proceeds without aborting notwithstanding the pre-transaction load request.
Type: Grant
Filed: September 16, 2013
Date of Patent: February 2, 2016
Assignee: International Business Machines Corporation
Inventor: Paul E. McKenney
-
Patent number: 9244844
Abstract: A technique for enabling hardware transactional memory (HTM) to work more efficiently with readers that can tolerate stale data. In an embodiment, a pre-transaction load request is received from one of the readers, the pre-transaction load request signifying that the reader can tolerate pre-transaction data. A determination is made whether the pre-transaction load request comprises data that has been designated for update by a concurrent HTM transaction. If so, a cache line containing the data is marked as pre-transaction data. The concurrent HTM transaction proceeds without aborting notwithstanding the pre-transaction load request.
Type: Grant
Filed: March 14, 2013
Date of Patent: January 26, 2016
Assignee: International Business Machines Corporation
Inventor: Paul E. McKenney
-
Patent number: 9207866
Abstract: Techniques for chunk-level client side encryption are provided. In a content addressable storage system, a plurality of chunks is used to implement a hierarchical file system. The hierarchical file system supports both encrypted and non-encrypted volumes. A folders and files layer makes calls directly to a chunk system layer for operations involving non-encrypted volumes. The folders and files layer makes calls to a volume encryption layer for operations involving encrypted volumes. The volume encryption layer receives calls from the folders and files layer through an API that matches the API through which the chunk system layer receives calls from the folders and files layer.
Type: Grant
Filed: July 22, 2013
Date of Patent: December 8, 2015
Assignee: upthere, inc.
Inventors: Julien Boeuf, Sachin Rawat
-
Patent number: 9202328
Abstract: Authentication verifying for an object to be certified is carried out. An authentication verifying chip in which authentication verifying information is stored is mounted non-removably on a certificate. A confirmation chip in which the authentication verifying information is encrypted by a crypt key of a certificate issuer and is stored is mounted non-removably on the object to be certified. When verifying the authenticity of the object to be certified, the encrypted authentication verifying information in the confirmation chip is decrypted by the crypt key of the certificate issuer, and it is compared to the authentication verifying information in the authentication verifying chip.
Type: Grant
Filed: November 18, 2008
Date of Patent: December 1, 2015
Assignee: INTERNATIONAL FRONTIER TECHNOLOGY LABORATORY, INC.
Inventors: Nobuaki Komatsu, Shin-ichiro Nanjo, Tomoko Ito
-
Patent number: 9195476
Abstract: Provided are a system and method for software obfuscation for transforming a program from a first form to more secure form that is resistant to static and dynamic attacks. The method utilizes a sophisticated pre-analysis step to comprehend the function-call structure, the function-call layout, and the entire function call graph of the program, in order to determine strategic points in the program for changing the program. This provides resistance to static attacks by transforming the original function-call layout to a new layout. Changing the layout may include changing the function boundaries. The method also provides resistance to static attacks by transforming the original function-call structure to a new structure to be able to self modify as the transformed program executes in memory. Changing the function-call structure may include modifying when and how functions are called, and/or choosing random paths of execution that lead to the same result.
Type: Grant
Filed: April 4, 2012
Date of Patent: November 24, 2015
Assignee: Irdeto B.V.
Inventor: Clifford Liem
-
Patent number: 9178694
Abstract: Techniques described herein generally relate to methods, data processing devices and computer readable media to ensure that data stored in a remote backing storage device are in encrypted form before that data is transferred to another device or over a network. In some examples, the methods, data processing devices and computer readable media may be arranged to encrypt the data passed to the network when the data stored in the backing storage device is in unencrypted form. Also disclosed are methods, data processing devices and computer readable media that identify when the data stored in the backing storage device is in unencrypted form, including methods that may detect that the data may appear to be in encrypted form as a result of the data being compressed.
Type: Grant
Filed: April 18, 2014
Date of Patent: November 3, 2015
Assignee: Empire Technology Development LLC
Inventors: Andrew Wolfe, Thomas Martin Conte
-
Patent number: 9152801
Abstract: A method for use in encrypting data using a computer. The method comprises receiving data to be encrypted, defining a set of byte codes comprising user byte codes, storing a transformation vector defined from the set of byte codes, retrieving the transformation vector from the memory, transforming a block of the data from the data to be encrypted, translating values of the user byte codes from the block of data across the transformation vector, randomly selecting one or more reversible operations to perform, performing the reversible operations during the translation of the values of the user byte codes from the block of data, and inserting the translated values of the user byte codes into an encrypted block of data.
Type: Grant
Filed: April 11, 2014
Date of Patent: October 6, 2015
Inventor: Steven W. Cooke
-
Patent number: 9143529
Abstract: A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria.
Type: Grant
Filed: October 10, 2012
Date of Patent: September 22, 2015
Assignee: Citrix Systems, Inc.
Inventors: Waheed Qureshi, Thomas H. DeBenning, Olivier Andre, Shafaq Abdullah
-
Patent number: 9137138
Abstract: A method for a first network to receive a packet from a second network is provided, including a router at the first network receiving the packet from the second network, the packet addressed to a client reachable through the first network; the router inspecting the packet for a nonrepudiable marking provided by the second network; if the nonrepudiable marking is present and matches the packet, adding an indicator pointing to the second network in the packet; adding a second nonrepudiable marking to the packet, and transmitting the packet to a destination; and otherwise, dropping the packet.
Type: Grant
Filed: November 28, 2008
Date of Patent: September 15, 2015
Inventors: Stephen W. Neville, Michael Horie
-
Patent number: 9092597
Abstract: A storage device and method for using a virtual file in a public memory area to access a plurality of protected files in a private memory area are disclosed. In one embodiment, a storage device receives a request from a host for access to a virtual file in the public memory area, wherein the virtual file is associated with a plurality of protected files stored in the private memory area. The storage device responds to the request by selecting and providing the host with access to one of the plurality of protected files stored in the private memory area. The storage device receives an additional request from the host for access to the virtual file and responds to the additional request by selecting and providing the host with access to a different one of the plurality of protected files stored in the private memory area.
Type: Grant
Filed: December 9, 2009
Date of Patent: July 28, 2015
Assignee: SanDisk Technologies Inc.
Inventors: Ehud Cohen, Eyal Ittah, Lola Grin, Uri Peltz, Irit Maor, Yonatan Halevi, Avraham Shmuel
-
Patent number: 9081963
Abstract: Some of the embodiments of the present disclosure provide a method comprising acquiring an electrical circuit identifier for an electrical circuit, wherein the electrical circuit identifier is stored in a programmable identifier unit of the electrical circuit; generating, by a computing device external to the electrical circuit, an encrypted identifier that is unique for an electrical device that includes the electrical circuit, wherein the encrypted identifier is based upon the electrical circuit identifier and an encryption block; and storing the encrypted identifier in the programmable identifier unit. Other embodiments are also described and claimed.
Type: Grant
Filed: March 1, 2010
Date of Patent: July 14, 2015
Assignee: Marvell Israel (M.I.S.L) Ltd.
Inventor: Ronen Sima
-
Patent number: 9081850
Abstract: Systems and methods are disclosed for tracking an object as it traverses a sequential chain. The relationships between the object, its movement through space and time, and the entities associated with the object at a discrete point of time are captured by a sequential chain. A unique identifier may be created that is continuously modified as the object traverses the sequential chain. The unique identifier may be used to capture relationship information between the object and its related entities and movements.
Type: Grant
Filed: April 1, 2014
Date of Patent: July 14, 2015
Assignee: SCR Technologies, Inc.
Inventor: Randal B. Fischer
-
Patent number: 9069938
Abstract: A processor system comprising: performing a compilation process on a computer program; encoding an instruction with a selected encoding; encoding the security mutation information in an instruction set architecture of a processor; and executing a compiled computer program in the processor using an added mutation instruction, wherein executing comprises executing a mutation instruction to enable decoding another instruction. A processor system with a random instruction encoding and randomized execution, providing effective defense against offline and runtime security attacks including software and hardware reverse engineering, invasive microprobing, fault injection, and high-order differential and electromagnetic power analysis.
Type: Grant
Filed: November 27, 2012
Date of Patent: June 30, 2015
Assignee: BlueRISC, Inc.
Inventors: Csaba Andras Moritz, Saurabh Chheda, Kristopher Carver
-
Patent number: 9053300
Abstract: A method to generate final software code resistant to reverse engineering analysis from an initial software code, said initial software code transforming an input data to an output data, said final software code being executed by a processor being able to directly handle data of a maximum bit length M, comprising the steps of: building a conversion table comprising in one side one instruction and in the other side a plurality of equivalent instructions or sets of instructions; splitting the input data into a plurality of segments of random length, said segments having a length equal or smaller than the maximum bit length M; for each instruction of a block of instructions, selecting pseudo-randomly an equivalent instruction or set of instructions from the conversion table so as to obtain an equivalent block of instructions; and appending the plurality of equivalent blocks of instructions to obtain the final software code.
Type: Grant
Filed: May 17, 2011
Date of Patent: June 9, 2015
Assignee: NAGRAVISION S.A.
Inventor: Pascal Junod
-
Patent number: 9055038
Abstract: In one embodiment, a non-transitory computer readable storage medium includes executable instructions to perform a series of operations represented by a first garbled program received from a client on garbled data received from the client. A second garbled program is obtained as a result of execution of the first garbled program. The second garbled program includes a first garbled portion and a second garbled portion. The second garbled portion includes a third garbled portion generated through execution of the first garbled portion, such that the series of operations can be performed without interaction with the client and while maintaining as hidden the underlying content of the first garbled program and the garbled data.
Type: Grant
Filed: October 23, 2013
Date of Patent: June 9, 2015
Assignee: Stealth Software Technologies, Inc.
Inventors: Steve Lu, Rafail Ostrovsky