Abstract: In one embodiment, the data storage apparatus includes a control unit configured to decode at least one input command and configured to generate at least one of a read signal and a start signal in response to the input command. The start signal indicates to start an internal mode determination process. The data storage apparatus also includes a memory unit configured to output data in response to the read signal, and a coding unit configured to start and perform the internal mode determination process in response to the start signal. The internal mode determination process includes autonomously determining a coding mode, and the coding unit is configured to code the output data based on the determined coding mode to produce coded data.

Abstract: A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations.

Abstract: A mobile device is provided which includes a working memory having a memory area divided into a secure domain and a non-secure domain; and a system-on-chip configured to access and process contents stored in the secure domain. The system-on-chip includes a processing unit driven by at least one of a secure operating system and a non-secure operating system; at least one hardware block configured to access the contents according to control of the processing unit comprising a master port and a slave port which are set to have different security attributes; at least one memory management unit configured to control access of the at least one hardware block to the working memory; and an access control unit configured to set security attributes of the slave port and the master port or an access authority on each of the secure domain and the non-secure domain of the working memory.

Abstract: A system and method of processing an encrypted instruction stream in hardware is disclosed. Main memory stores the encrypted instruction stream and unencrypted data. A central processing unit (CPU) is operatively coupled to the main memory. A decryptor is operatively coupled to the main memory and located within the CPU. The decryptor decrypts the encrypted instruction stream upon receipt of an instruction fetch signal from a CPU core. Unencrypted data is passed through to the CPU core without decryption upon receipt of a data fetch signal.

Abstract: Systems and methods provide multiple partitions hosted on an isolation technology such as a hypervisor where at least one of the partitions, a local secure service partition (LSSP), provides security services to other partitions. The service partitions (LSSPs) host those high assurance services that require strict security isolation, where the service can be shared across partitions and accessed even when the user is not connected to a network. The LSSP also can certify the results of any computation using a key signed by a TPM attestation identity key (AIK), or other key held securely by the hypervisor or a service partition. The LSSPs may be configured to provide trusted audit logs, trusted security scans, trusted cryptographic services, trusted compilation and testing, trusted logon services, and the like.

Abstract: A system and method for providing transactional data privacy while maintaining data usability, including the use of different obfuscation functions for different data types to securely obfuscate the data, in real-time, while maintaining its statistical characteristics. In accordance with an embodiment, the system comprises an obfuscation process that captures data while it is being received in the form of data changes at a first or source system, selects one or more obfuscation techniques to be used with the data according to the type of data captured, and obfuscates the data, using the selected one or more obfuscation techniques, to create an obfuscated data, for use in generating a trail file containing the obfuscated data, or applying the data changes to a target or second system.

Abstract: Systems and methods for electronically publishing content are disclosed. An example method includes receiving a content selection and receiving a selection of rights assigned to the content. The method also includes receiving a selection of one or more tags and associating the content with the rights assigned and the tag to enable a security trimmed rank adjusted search return of the content.

Abstract: A method for preventing unauthorized recording of media content on an Apple operating system (OS). The present method registers a compliance mechanism on a client system having the Apple OS operating thereon. The compliance mechanism comprises a framework for validating the compliance mechanism on the client system, and a multimedia component opened by the framework. The present method uses the multimedia component for decrypting the media content on the client system. The present method also prevents decryption of the media content on the client system having the Apple OS operating thereon if a portion of the compliance mechanism is invalidated.

Abstract: An embedded device including a random access memory (RAM) and a processor is provided. The processor includes a processor core and an authentication module. The RAM stores data-to-be-authenticated. The data includes a program code to be executed by the processor core. The authentication module periodically accesses and authenticates the data-to-be-authenticated in the RAM. When the authentication module deems that the program code in the RAM loses its integrity, the authentication module interrupts the processor from further executing the program code.

Abstract: A system and method for providing transactional data privacy while maintaining data usability, including the use of different obfuscation functions for different data types to securely obfuscate the data, in real-time, while maintaining its statistical characteristics. In accordance with an embodiment, the system comprises an obfuscation process that captures data while it is being received in the form of data changes at a first or source system, selects one or more obfuscation techniques to be used with the data according to the type of data captured, and obfuscates the data, using the selected one or more obfuscation techniques, to create an obfuscated data, for use in generating a trail file containing the obfuscated data, or applying the data changes to a target or second system.

Abstract: A data processing system having a host computer including a key manager, a control unit connected to the host computer, a data storage unit (such as a tape drive) controlled by the control unit, and data storage medium for storing data thereon to be written to or read from by the data storage unit. The key manager stores a data structure having at least one record having a volume serial number, as start location, a length entry, and a key for encrypting and decrypting data on the data storage medium. A data storage medium (such as data tape) is mounted on the data storage unit, and a volume recorded on the tape is retrieved. The control unit retrieves the data structure from the key manager and matches the volume serial number recorded in the retrieved data structure with the volume serial number retrieved from the data storage medium.

Abstract: Embodiments of the present invention address deficiencies of the art in respect to core dump generation during application fault handling and provide a method, system and computer program product for privacy preservation of core dump data during application fault handling. In an embodiment of the invention, a method for privacy preservation of core dump data during application fault handling can be provided. The method can include receiving a crash signal for an application and generating a core dump with object data for the application. The method further can include obfuscating the object data in the core dump and writing the core dump with obfuscated object data to a file. In this way, the privacy of the object data in the core dump can be preserved.

Abstract: A technique for enabling hardware transactional memory (HTM) to work more efficiently with readers that can tolerate stale data. In an embodiment, a pre-transaction load request is received from one of the readers, the pre-transaction load request signifying that the reader can tolerate pre-transaction data. A determination is made whether the pre-transaction load request comprises data that has been designated for update by a concurrent HTM transaction. If so, a cache line containing the data is marked as pre-transaction data. The concurrent HTM transaction proceeds without aborting notwithstanding the pre-transaction load request.

Abstract: A method of an aspect includes receiving an instruction. The instruction indicates a first source of a first packed data including state data elements ai, bi, ei, and fi for a current round (i) of a secure hash algorithm 2 (SHA2) hash algorithm. The instruction indicates a second source of a second packed data. The first packed data has a width in bits that is less than a combined width in bits of eight state data elements ai, bi, ci, di, ei, fi, gi, hi of the SHA2 hash algorithm. The method also includes storing a result in a destination indicated by the instruction in response to the instruction. The result includes updated state data elements ai+, bi+, ei+, and fi+ that have been updated from the corresponding state data elements ai, bi, ei, and fi by at least one round of the SHA2 hash algorithm.

Abstract: An apparatus for accessing an encrypted memory portion of a memory is provided. The apparatus includes a plurality of signature generators, wherein each signature generator of the plurality of signature generators is configured to generate a signature of a plurality of signatures depending on an instruction of a plurality of instructions, wherein each of the plurality of instructions is a processor instruction for controlling a processor. Moreover, the apparatus includes a key modifier for generating a processed key depending on a standard key and on the plurality of signatures. Furthermore, the apparatus includes a controller for accessing the encrypted memory portion of the memory, wherein the memory access controller is configured to employ the processed key to access the encrypted memory portion of the memory.

Abstract: A technique for enabling hardware transactional memory (HTM) to work more efficiently with readers that can tolerate stale data. In an embodiment, a pre-transaction load request is received from one of the readers, the pre-transaction load request signifying that the reader can tolerate pre-transaction data. A determination is made whether the pre-transaction load request comprises data that has been designated for update by a concurrent HTM transaction. If so, a cache line containing the data is marked as pre-transaction data. The concurrent HTM transaction proceeds without aborting notwithstanding the pre-transaction load request.

Abstract: Techniques for chunk-level client side encryption are provided. In a content addressable storage system, a plurality of chunks is used to implement a hierarchical file system. The hierarchical file system supports both encrypted and non-encrypted volumes. A folders and files layer makes calls directly to a chunk system layer for operations involving non-encrypted volumes. The folders and files layer makes calls to a volume encryption layer for operations involving encrypted volumes. The volume encryption layer receives calls from the folders and files layer through an API that matches the API through which the chunk system layer receives calls from the folders and files layer.

Abstract: Authentication verifying for an object to be certified is carried out. An authentication verifying chip in which authentication verifying information is stored is mounted non-removably on a certificate. A confirmation chip in which the authentication verifying information is encrypted by a crypt key of a certificate issuer and is stored is mounted non-removably on the object to be certified. When verifying the authenticity of the object to be certified, the encrypted authentication verifying information in the confirmation chip is decrypted by the crypt key of the certificate issuer, and it is compared to the authentication verifying information in the authentication verifying chip.

Abstract: Provided are a system and method for software obfuscation for transforming a program from a first form to more secure form that is resistant to static and dynamic attacks. The method utilizes a sophisticated pre-analysis step to comprehend the function-call structure, the function-call layout, and the entire function call graph of the program, in order to determine strategic points in the program for changing the program. This provides resistance to static attacks by transforming the original function-call layout to a new layout. Changing the layout may include changing the function boundaries. The method also provides resistance to static attacks by transforming the original function-call structure to a new structure to be able to self modify as the transformed program executes in memory. Changing the function-call structure may include modifying when and how functions are called, and/or choosing random paths of execution that lead to the same result.

Abstract: Techniques described herein generally relate to methods, data processing devices and computer readable media to ensure that data stored in a remote backing storage device are in encrypted form before that data is transferred to another device or over a network. In some examples, the methods, data processing devices and computer readable media may be arranged to encrypt the data passed to the network when the data stored in the backing storage device is in unencrypted form. Also disclosed are methods, data processing devices and computer readable media that identify when the data stored in the backing storage device is in unencrypted form, including methods that may detect that the data may appear to be in encrypted form as a result of the data being compressed.

Abstract: A method for use in encrypting data using a computer. The method comprises receiving data to be encrypted, defining a set of byte codes comprising user byte codes, storing a transformation vector defined from the set of byte codes, retrieving the transformation vector from the memory, transforming a block of the data from the data to be encrypted, translating values of the user byte codes from the block of data across the transformation vector, randomly selecting one or more reversible operations to perform, performing the reversible operations during the translation of the values of the user byte codes from the block of data, and inserting the translated values of the user byte codes into an encrypted block of data.

Abstract: A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria.

Abstract: A method for a first network to receive a packet from a second network is provided, including a router at the first network receiving the packet from the second network, the packet addressed to a client reachable through the first network; the router inspecting the packet for a nonrepudiable marking provided by the second network; if the nonrepudiable marking is present and matches the packet, adding an indicator pointing to the second network in the packet; adding a second nonrepudiable marking to the packet, and transmitting the packet to a destination; and otherwise, dropping the packet.

Abstract: A storage device and method for using a virtual file in a public memory area to access a plurality of protected files in a private memory area are disclosed. In one embodiment, a storage device receives a request from a host for access to a virtual file in the public memory area, wherein the virtual file is associated with a plurality of protected files stored in the private memory area. The storage device responds to the request by selecting and providing the host with access to one of the plurality of protected files stored in the private memory area. The storage device receives an additional request from the host for access to the virtual file and responds to the additional request by selecting and providing the host with access to a different one of the plurality of protected files stored in the private memory area.

Abstract: Some of the embodiments of the present disclosure provide a method comprising acquiring an electrical circuit identifier for an electrical circuit, wherein the electrical circuit identifier is stored in a programmable identifier unit of the electrical circuit; generating, by a computing device external to the electrical circuit, an encrypted identifier that is unique for an electrical device that includes the electrical circuit, wherein the encrypted identifier is based upon the electrical circuit identifier and an encryption block; and storing the encrypted identifier in the programmable identifier unit. Other embodiments are also described and claimed.

Abstract: Systems and methods are disclosed for tracking an object as it traverses a sequential chain. The relationships between the object, its movement through space and time, and the entities associated with the object at a discreet point of time are captured by a sequential chain. A unique identifier may be created that is continuously modified as the object traverses the sequential chain. The unique identifier may be used to capture relationship information between the object and its related entities and movements.

Abstract: A processor system comprising: performing a compilation process on a computer program; encoding an instruction with a selected encoding; encoding the security mutation information in an instruction set architecture of a processor; and executing a compiled computer program in the processor using an added mutation instruction, wherein executing comprises executing a mutation instruction to enable decoding another instruction. A processor system with a random instruction encoding and randomized execution, providing effective defense against offline and runtime security attacks including software and hardware reverse engineering, invasive microprobing, fault injection, and high-order differential and electromagnetic power analysis.

Abstract: A method to generate final software code resistant to reverse engineering analysis from an initial software code, said initial software code transforming an input data to an output data, said final software code being executed by a processor being able to directly handle data of a maximum bit length M, comprising the steps of: building a conversion table comprising in one side one instruction and in the other side a plurality of equivalent instructions or sets of instructions; splitting the input data into a plurality of segments of random length, said segments having a length equal or smaller than the maximum bit length M; for each instruction of a block of instructions, selecting pseudo-randomly an equivalent instruction or set of instructions from the conversion table so as to obtain an equivalent block of instructions; and appending the plurality of equivalent blocks of instructions to obtain the final software code.

Abstract: In one embodiment, a non-transitory computer readable storage medium includes executable instructions to perform a series of operations represented by a first garbled program received from a client on garbled data received from the client. A second garbled program is obtained as a result of execution of the first garbled program. The second garbled program includes a first garbled portion and a second garbled portion. The second garbled portion includes a third garbled portion generated through execution of the first garbled portion, such that the series of operations can be performed without interaction with the client and while maintaining as hidden the underlying content of the first garbled program and the garbled data.

Abstract: Various embodiments described herein relate to apparatus for executing software in a secure computing environment. A secure processor can be used and configured to request a context swap from a first context to a second context when switching execution from a first portion of software to a second portion of software. A context manager, which can be in communication with the secure processor, can be configured to receive and initiate a requested context swap. A trust vector verifier, which can be in communication with the secure processor and the context manager, can be configured to load a trust vector descriptor upon command from a context manager.

Abstract: Mechanisms are provided for handling a database client request. An encrypted database client request (DCR) is received, by an unsecure access local agent, from a client computing device as part of a session between the client computing device and a database data processing system. The unsecure access local agent retrieves a database session information (DSI) address corresponding to the session and generates a first unique identifiable key (UIK) based on a portion of the encrypted DCR. The unsecure access local agent generates a DSI mapping data structure that maps the first UIK to the DSI address. A secure access local agent of the database data processing system processes the encrypted DCR using the DSI mapping data structure.

Abstract: A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations.

Abstract: A method for encrypting data on a disk drive using self encrypting drive is provided. The method includes encryption of data chunks of a computing device. The method further includes associating the encrypted data chunks with encryption key indexes of the computing device. Moreover, the method further includes receiving the encryption key indexes for given logical block addresses of the data chunks. The method further includes determining the encryption keys to be used to encrypt the data chunks based on the encryption key indexes of the data chunks to the disk drive.

Abstract: Various techniques for providing a device token protocol for authorization and persistent authentication shared across applications are disclosed. In some embodiments, a device token protocol for authorization and persistent authentication shared across applications includes sending user credentials to a remote server to authenticate a user on a device for a plurality of applications; and receiving a device token from the remote server for the user to authenticate the user for the plurality of applications on the device, in which the device token facilitates authentication and authorization.

Abstract: A processor, a method and a computer-readable storage medium for encrypting a return address are provided. The processor comprises hardware logic configured to encrypt an instruction pointer and push the encrypted instruction pointer onto a stack. The logic is further configured to retrieve the encrypted instruction pointer from the stack, decrypt the instruction pointer and redirect execution to the decrypted instruction pointer.

Abstract: Technologies for preventing software-based side-channel attacks are generally disclosed. In some examples, a computing device may receive a cryptographic program having one or more programming instructions for performing a key handling operation and may add one or more programming instructions for performing an anti-attack operation to the one or more programming instructions for performing the key handling operation. The computing device may transmit the resulting cryptographic program with the anti-attack operation to an execution device. The execution device, such as a cloud computing system, may execute the cryptographic program, thereby causing execution of the anti-attack operation. The execution of cryptographic program may prevent a side-channel attack by masking the number of key performance events that occur.

Abstract: An information processing apparatus includes an encrypting unit that encrypts a value to be kept secret with a predetermined cipher key. The information processing apparatus includes a converting unit that converts, when the value to be kept secret is an initial value written at the time of initialization of a storage device in which a value encrypted by the encrypting unit is stored, the value encrypted by the encrypting unit into a value which is reversibly convertible and is independent of the cipher key used by the encrypting unit. The information processing apparatus includes a storing unit that stores the value converted by the converting unit in the storage device.

Abstract: A method and apparatus for inputting and outputting data by using a virtualization technique are provided. The method includes generating a virtual operating system (OS) for the external device, which is connected to a host, based on OS information stored in the external device, setting a partial area of a storage of the host as virtual storage for the external device, and storing the data in the virtual storage or a memory of the external device in response to a request for inputting and outputting the data from the virtual OS.

Abstract: A system 100 for increasing data security comprises predetermined system data 104 to be protected. A cryptographic unit 108 is used for cryptographic processing of respective blocks of the content data in dependence on respective keys. A key provider 106 determines the respective key used for the processing of a respective block of the content data in dependence on a respective portion 112 of the predetermined system data 104, the portion not including all the predetermined system data, wherein different respective portions of the predetermined system data are selected for the respective blocks of content data. A server system 200 for increasing data security comprises an output 202 for providing processed content data 110 to a client system 100, the client system comprising predetermined system data 104 to be protected. The server system 200 also comprises a cryptographic unit 208 and a key provider 206.

Abstract: A data processing apparatus (30) comprising: a local source of data (4); a first controller (31); and a tamper-resistant second controller (32) configured to communicate with the first controller, the first controller being configured to control and receive data from the local source of data and from a sensing unit connected to the first controller via a communication interface and to perform a series of calculation operations on the data, wherein the second controller is configured to verify the integrity of a selected subset of the operations performed by the first controller.

Abstract: A system and method for detecting malware in compressed data. The system and method identifies a set of search strings extracted from compressed executables, each of which is infected with malware from a family of malware. The search strings detect the presence of the family of malware in other compressed executables, fragments of compressed executables, or data streams.

Abstract: Apparatus, method and program product detect an attempt to tamper with a microchip by determining that an electrical path comprising one or more connections and a metal plate attached to the backside of a microchip has become disconnected or otherwise altered. A tampering attempt may also be detected in response to the presence of an electrical path that should not be present, as may result from the microchip being incorrectly reconstituted. Actual and/or deceptive paths may be automatically selected and monitored to further confound a reverse engineering attempt.

Abstract: Storage associated with a virtual machine or other type of device may be migrated between locations (e.g., physical devices, network locations, etc.). To maintain the security of the storage, a system may manage the encryption of the storage area such that a storage area is encrypted with a first encryption key that may be maintained through the migration. A header of the storage area, on the other hand, may be encrypted using a second encryption key and the first encryption key may be stored therein. Upon transfer, the header may be re-encrypted to affect the transfer of security.

Abstract: The invention relates to a client computer for querying a database stored on a server via a network, the server being coupled to the client computer via the network, wherein the database comprises a first relation, wherein the first relation comprises first data items, wherein the first data items are encrypted with a first cryptographic key in the first relation, wherein the first data items form a partially ordered set in the first relation, the partial order being formed with respect to the first data items in non-encrypted form, wherein the client computer has installed thereon an application program, the application program being operational to perform the steps of receiving a search request specifying a search interval and determining the first data item forming an interval boundary of the search interval.

Abstract: Executing polymorphic binary code of a predetermined function includes acquiring polymorphic binary code of the function, the code having instruction blocks and control instructions. One block acquires a random number; the other defines a specific generator that generates target instructions to execute the function. The control instructions place the target instructions in memory. Each instruction has an opcode that codes a nature of an operation to be executed, and operands that define parameters of the operation. The generator incorporates coding variants of the function and selection instructions. Each variant generates instructions that perform the function. These instructions differ from each other and enable choosing a variant, based on the random number, to generate the target instructions. The choice is made only between different coding variants of the predetermined function.

Abstract: A memory device includes a plurality of memory chips, including one or more memory chips that store authentication information, and a controller including a first register that stores information indicating a representative memory chip, from among the one or more memory chips that store the authentication information, that stores valid authentication information.

Abstract: A method for enabling a client in a user device to securely evaluate a linear branching program. The program may include decision nodes and end-labels. A decision node is associated with a comparison computation for comparing a first value with a second value and a decision rule that links the outcome of the comparison computation to a further decision node or end-label. The method includes transforming the comparison computation into encrypted evaluation sequences on the basis of an additive homomorphic cryptosystem. An evaluation sequence of a decision node includes a sequence of numbers in which the outcome of a comparison computation at a node is embedded; and, evaluating evaluation sequences, evaluating including detecting presence of a predetermine value in an evaluation sequence of a node and determining an evaluation sequence of a further node or an end-label on the basis of the detection of the predetermined value.

Abstract: According to an embodiment, an information processing apparatus includes a main processor, a secure operating system (OS) module, a non-secure OS module, a secure monitor memory setting module, a timer, and an address space controller. When receiving a notification of an interrupt from the timer, a secure monitor instructs the secure OS module to execute certain processing. The secure OS module is configured to execute certain processing instructed by the secure monitor and store data of a result of the processing in a first memory area.

Abstract: Techniques for memory compartmentalization for trusted execution of a virtual machine (VM) on a multi-core processing architecture are described. Memory compartmentalization may be achieved by encrypting layer 3 (L3) cache lines using a key under the control of a given VM within the trust boundaries of the processing core on which that VMs is executed. Further, embodiments described herein provide an efficient method for storing and processing encryption related metadata associated with each encrypt/decrypt operation performed for the L3 cache lines.

Abstract: A system includes an interface with a plurality of sub-addresses. The interface receives critical data and non-critical data. The critical data are received only at more specific sub-addresses of the interface. The interface transfers the critical data received at the sub-addresses to a critical processor, such that the critical data avoids being received by or being processed by a non-critical processor. The interface transfers the non-critical data from the interface to the non-critical processor. The configuration of the interface is hard-coded such that the configuration of the interface is fixed at power up of the interface and is non-changeable by the non-critical processor. The interface includes an external platform interface that is external to the critical processor, the non-critical processor, and a local controller. The external platform interface includes a limited ability to store the critical and non-critical data.