Computer Instruction/address Encryption Patents (Class 713/190)
  • Patent number: 8881290
    Abstract: In the field of computer software, obfuscation techniques for enhancing software security are applied to compiled (object) software code. The obfuscation results here in different versions (instances) of the obfuscated code being provided to different installations (recipient computing devices). The complementary code execution uses a boot loader or boot installer-type program at each installation which contains the requisite logic. Typically, the obfuscation results in a different instance of the obfuscated code for each intended installation (recipient) but each instance being semantically equivalent to the others. This is accomplished in one version by generating a random value or other parameter during the obfuscation process, and using the value to select a particular version of the obfuscating process, and then communicating the value along with boot loader or installer program software.
    Type: Grant
    Filed: March 29, 2012
    Date of Patent: November 4, 2014
    Assignee: Apple Inc.
    Inventors: Mathieu Ciet, Julien Lerouge, Augustin J. Farrugia
  • Patent number: 8880901
    Abstract: An embodiment generally pertains to a method of secure address handling in a processor. The method includes detecting an instruction that implicitly designates a target address and retrieving an encoded location associated with the target address. The method also includes decoding the encoded location to determine the target address. Another embodiment generally relates to detecting an instruction having an operand designating an encoded target address and determining a location of a target instruction associated with the target address. The method also includes determining a location of a subsequent instruction and encoding the location of the subsequent instruction. The method further includes storing the encoded location of the subsequent instruction.
    Type: Grant
    Filed: May 25, 2006
    Date of Patent: November 4, 2014
    Assignee: Red Hat, Inc.
    Inventor: Ulrich Drepper
  • Patent number: 8879724
    Abstract: Information leaked from smart cards and other tamper resistant cryptographic devices can be statistically analyzed to determine keys or other secret data. A data collection and analysis system is configured with an analog-to-digital converter connected to measure the device's consumption of electrical power, or some other property of the target device, that varies during the device's processing. As the target device performs cryptographic operations, data from the A/D converter are recorded for each cryptographic operation. The stored data are then processed using statistical analysis, yielding the entire key, or partial information about the key that can be used to accelerate a brute force search or other attack.
    Type: Grant
    Filed: December 14, 2009
    Date of Patent: November 4, 2014
    Assignee: Rambus Inc.
    Inventors: Paul C. Kocher, Joshua M. Jaffe, Benjamin C. Jun
  • Patent number: 8880900
    Abstract: A memory system comprises: a memory device including an authentication data area storing authentication unit information and a verification value, and a contents data area storing contents; and a host device configured to receive the authentication unit information and the verification value from the memory device, and perform secure authentication of the memory device based on whether a result of decoding the verification value is equal to the authentication unit information.
    Type: Grant
    Filed: August 30, 2012
    Date of Patent: November 4, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Hyoung-Suk Jang, Hee-Chang Cho, Min-Wook Kim
  • Patent number: 8880898
    Abstract: A method of maintaining a version counter indicative of a version of memory content stored in a processing device. The method comprises selectively operating the device in a first or second mode. Access to the first mode is limited to authorized users and controlled separately from access to the second mode. In the first mode at least an initial integrity protection value is generated for cryptographically protecting an initial counter value of said version counter during operation of the processing device in the second mode; wherein the initial counter value is selected from a sequence of counter values, and the initial integrity protection value is stored as a current integrity protection value in a storage medium. In the second mode, a current counter value is incremented to a subsequent counter value; wherein incrementing includes removing the current integrity protection value from said storage medium.
    Type: Grant
    Filed: April 18, 2007
    Date of Patent: November 4, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventor: Ben Smeets
  • Patent number: 8880902
    Abstract: A microprocessor is provided with a method for decrypting encrypted instruction data into plain text instruction data and securely executing the same. The microprocessor includes a master key register file comprising a plurality of master keys. Selection logic circuitry in the microprocessor selects a combination of at least two of the plurality of master keys. Key expansion circuitry in the microprocessor performs mathematical operations on the selected master keys to generate a decryption key having a long effective key length. Instruction decryption circuitry performs an efficient mathematical operation on the encrypted instruction data and the decryption key to decrypt the encrypted instruction data into plain text instruction data.
    Type: Grant
    Filed: October 29, 2013
    Date of Patent: November 4, 2014
    Assignee: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
  • Patent number: 8881307
    Abstract: According to some embodiments, an electronic file security management platform may receive a request from a user to access a first electronic file associated with a first application, such as a word processing document. A security characteristic associated with the user may be determined, and an encrypted version of the first electronic file may be decrypted in accordance with the security characteristic. The electronic file security management platform may then arrange for the user to access the first electronic file via the first application such that: (i) a first portion of the first electronic file is available to the user based on a first security requirement associated with the first portion and the security characteristic, and (ii) a second portion of the first electronic file is not available to the user based on a second security requirement associated with the second portion and the security characteristic.
    Type: Grant
    Filed: May 30, 2012
    Date of Patent: November 4, 2014
    Assignee: SAP SE
    Inventors: Yiftach Nun, Inbal Zilberman Kubovsky
  • Publication number: 20140325238
    Abstract: A pipelined processor comprising a cache memory system, fetching instructions for execution from a portion of said cache memory system, an instruction commencing processing before a digital signature of the cache line that contained the instruction is verified against a reference signature of the cache line, the verification being done at the point of decoding, dispatching, or committing execution of the instruction, the reference signature being stored in an encrypted form in the processor's memory, and the key for decrypting the said reference signature being stored in a secure storage location. The instruction processing proceeds when the two signatures exactly match and, where further instruction processing is suspended or processing modified on a mismatch of the two said signatures.
    Type: Application
    Filed: July 14, 2014
    Publication date: October 30, 2014
    Inventor: Kanad Ghose
  • Publication number: 20140325239
    Abstract: A processor comprising: an instruction processing pipeline, configured to receive a sequence of instructions for execution, said sequence comprising at least one instruction including a flow control instruction which terminates the sequence; a hash generator, configured to generate a hash associated with execution of the sequence of instructions; a memory configured to securely receive a reference signature corresponding to a hash of a verified corresponding sequence of instructions; verification logic configured to determine a correspondence between the hash and the reference signature; and authorization logic configured to selectively produce a signal, in dependence on a degree of correspondence of the hash with the reference signature.
    Type: Application
    Filed: July 14, 2014
    Publication date: October 30, 2014
    Inventor: Kanad Ghose
  • Patent number: 8874933
    Abstract: According to one embodiment, a processor includes an instruction decoder to receive a first instruction to process a SHA1 hash algorithm, the first instruction having a first operand, a second operand, and a third operand, the first operand specifying a first storage location storing four SHA states, the second operand specifying a second storage location storing a plurality of SHA1 message inputs in combination with a fifth SHA1 state. The processor further includes an execution unit coupled to the instruction decoder, in response to the first instruction, to perform at least four rounds of the SHA1 round operations on the SHA1 states and the message inputs obtained from the first and second operands, using a combinational logic function specified in the third operand.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: October 28, 2014
    Assignee: Intel Corporation
    Inventors: Gilbert M. Wolrich, Kirk S. Yap, Vinodh Gopal, Sean M. Gulley, James D. Guilford
  • Patent number: 8874928
    Abstract: Disclosed herein are systems, computer-implemented methods, and tangible computer-readable media for obfuscating constants in a binary. The method includes generating a table of constants, allocating an array in source code, compiling the source code to a binary, transforming the table of constants to match Pcode entries in an indirection table so that each constant in the table of constants can be fetched by an entry in the indirection table. A Pcode is a data representation of a set of instructions populating the indirection table with offsets toward the table of constants storing the indirection table in the allocated array in the compiled binary. The method further includes populating the indirection table with offsets equivalent to the table of constants, and storing the indirection table in the allocated array in the compiled binary. Constants can be of any data type. Constants can be one byte each or more than one byte each.
    Type: Grant
    Filed: October 31, 2008
    Date of Patent: October 28, 2014
    Assignee: Apple Inc.
    Inventors: Pierre Betouin, Mathieu Ciet, Augustin J. Farrugia
  • Patent number: 8875290
    Abstract: The present application is directed towards systems and methods for aggressively probing a client side connection to determine and counteract a malicious window size attack or similar behavior from a malfunctioning client. The solution described herein detects when a connection may be under malicious attack via improper or unusual window size settings. Responsive to the detection, the solution described herein will set up probes that determine whether or not the client is malicious and does so within an aggressive time period to avoid the tying up of processing cycles, transport layer sockets and buffers, and other resources of the sender.
    Type: Grant
    Filed: February 18, 2013
    Date of Patent: October 28, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Varun Taneja, Mahesh Mylarappa, Saravanakumar Annamalaisami
  • Publication number: 20140317418
    Abstract: A client device obtains data from a universal serial bus (USB) device and compresses the data. The client device sends the compressed data to a server using a USB redirection. The server decompresses the compressed data and sends the decompressed data to a virtual machine installed in the server. The client device remotely accesses decompressed data when the decompressed data is stored into the virtual machine.
    Type: Application
    Filed: April 21, 2014
    Publication date: October 23, 2014
    Applicant: HON HAI PRECISION INDUSTRY CO., LTD.
    Inventors: CHIH-YEN LIN, SHAN-CHUAN JENG, CHUNG-I LEE
  • Patent number: 8869265
    Abstract: A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: October 21, 2014
    Assignee: McAfee, Inc.
    Inventors: Amit Dang, Preet Mohinder
  • Patent number: 8862901
    Abstract: A memory subsystem and method for loading and storing data at memory addresses of the subsystem. The memory subsystem is functionally connected to a processor and has a first mode of address encryption to convert logical memory addresses generated by the processor into physical memory addresses at which the data are stored in the memory subsystem. The memory subsystem is adapted to pull low a write enable signal to store data in the memory subsystem and to pull high the write enable signal to load data in the memory subsystem, wherein if pulled high the write enable signal alters the address encryption from the first mode to a second mode. The memory subsystem is adapted to be coupled to a local hardware device which supplies a key that acts upon the address encryption of the memory subsystem.
    Type: Grant
    Filed: November 2, 2011
    Date of Patent: October 14, 2014
    Assignee: DataSecure LLC
    Inventors: G. R. Mohan Rao, F. Michael Schuette
  • Patent number: 8863230
    Abstract: Methods of authenticating a combination of a programmable IC and a non-volatile memory device, where the non-volatile memory device stores a configuration data stream implementing a user design in the programmable IC. A first identifier unique to the programmable IC is stored in non-volatile memory in the programmable IC. A second identifier unique to the non-volatile memory device is stored in the non-volatile memory device. As part of the process in which the configuration data stream is used to program the programmable IC with the user design, a function is performed on the two identifiers, producing a key specific to the programmable IC/non-volatile memory device combination. The key is then compared to an expected value. When the key matches the expected value, the user design is enabled. When the key does not match the expected value, at least a portion of the user design is disabled.
    Type: Grant
    Filed: June 9, 2006
    Date of Patent: October 14, 2014
    Assignee: Xilinx, Inc.
    Inventors: Steven K. Knapp, James A. Walstrum, Jr., Shalin Umesh Sheth
  • Patent number: 8862900
    Abstract: Moving from server-attached storage to distributed storage brings new vulnerabilities in creating a secure data storage and access facility. The Data Division and Out-of-order keystream Generation technique provides a cryptographic method to protect data in the distributed storage environments. In the technique, treating the data as a binary bit stream, our self-encryption (SE) scheme generates a keystream by randomly extracting bits from the stream. The length of the keystream depends on the user's security requirements. The bit stream is encrypted and the ciphertext is stored on the mobile device, whereas the keystream is stored separately. This makes it computationally not feasible to recover the original data stream from the ciphertext alone.
    Type: Grant
    Filed: January 6, 2011
    Date of Patent: October 14, 2014
    Assignee: The Research Foundation for The State University of New York
    Inventor: Yu Chen
  • Patent number: 8856550
    Abstract: Systems and methods for reducing problems and disadvantages associated with traditional approaches to encryption and decryption of data are provided. An information handling system may include a processor, a memory communicatively coupled to the processor, an encryption accelerator communicatively coupled to the processor, and a computer-readable medium communicatively coupled to the processor. The encryption accelerator may be configured to encrypt or decrypt data in response to a command from the processor to perform an encryption or decryption task upon data associated with an input/output operation.
    Type: Grant
    Filed: March 10, 2010
    Date of Patent: October 7, 2014
    Assignee: Dell Products L.P.
    Inventors: Amy Christine Nelson, Brian Decker, Kenneth W. Stufflebeam, Jr., Marc D. Alexander
  • Patent number: 8856863
    Abstract: A system and method for managing and analyzing security requirements in reusable models. At least one functional model, at least one security implementation model, at least one requirement model, and meta models of the models are read by a reader. A correspondence between the functional model, security implementation model, and the requirements model is analyzed, whereby the correspondence indicates that compliance/security/accreditation requirements defined in the requirement model match with security objectives implemented by controls defined by the security implementation model. Next, it is determined whether correspondence is or is not given based on the analysis of the correspondence and then evidence is generated based on the analysis of the correspondence and the determination and the impact of changes is analyzed.
    Type: Grant
    Filed: June 10, 2009
    Date of Patent: October 7, 2014
    Assignee: Object Security LLC
    Inventors: Ulrich Lang, Rudolf Schreiner
  • Patent number: 8856504
    Abstract: Techniques are described for securely booting and executing a virtual machine (VM) image in an untrusted cloud infrastructure. A multi-core processor may be configured with additional hardware components—referred to as a trust anchor. The trust anchor may be provisioned with a private/public key pair, which allows the multi-core CPU to authenticate itself as being able to securely boot and execute a virtual machine (VM) image in an untrusted cloud infrastructure.
    Type: Grant
    Filed: June 7, 2010
    Date of Patent: October 7, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Fabio R. Maino, Pere Monclus, David A. McGrew, Robert T. Bell, Steven Joseph Rich
  • Patent number: 8856551
    Abstract: Systems and methods for preventing the unauthorized access to data stored on removable media, such as software, include storing a predetermined signature in the area of non-volatile memory in a computer system. Upon initialization of the computer system, a check is made to verify the signature. Only if the signature is verified will decoding software operate.
    Type: Grant
    Filed: March 18, 2011
    Date of Patent: October 7, 2014
    Assignee: Micron Technology, Inc.
    Inventor: Duane Allen
  • Publication number: 20140298039
    Abstract: A dynamic random access memory (DRAM) comprising a programmable intelligent search memory (PRISM) for regular expression search using non-deterministic finite state automaton and further comprising a cryptography processing engine for performing encryption and decryption, said PRISM and cryptography processing engines creating a secure DRAM for use in a system.
    Type: Application
    Filed: June 12, 2014
    Publication date: October 2, 2014
    Inventor: Ashish A. PANDYA
  • Patent number: 8850228
    Abstract: A computing device and a method for controlling access to driver programs obtains a first system time at the time that an application uses a CTL_CODE to access a driver program. The first system time and the CTL_CODE are encrypted to generate an encrypted CTL_CODE which is then sent to the driver program. The encrypted CTL_CODE is decrypted to obtain the first system time and the CTL_CODE therein. A second system time at the time that the driver program receives the encrypted CTL_CODE is obtained and compared with the first system time. Access to the driver program is allowed if a difference between the first system time and the second system time falls within a predetermined range, and access to the driver program is forbidden if the difference is beyond the predetermined range.
    Type: Grant
    Filed: April 17, 2012
    Date of Patent: September 30, 2014
    Assignees: Hong Fu Jin Precision Industry (ShenZhen) Co., Ltd., Hon Hai Precision Industry Co., Ltd.
    Inventors: Guang-Jian Wang, Jin-Rong Zhao, Xiao-Mei Liu
  • Patent number: 8850229
    Abstract: An apparatus for generating a decryption key for use to decrypt a block of encrypted instruction data being fetched from an instruction cache in a microprocessor at a fetch address includes a first multiplexer that selects a first key value from a plurality of key values based on a first portion of the fetch address. A second multiplexer selects a second key value from the plurality of key values based on the first portion of the fetch address. A rotater rotates the first key value based on a second portion of the fetch address. An arithmetic unit selectively adds or subtracts the rotated first key value to or from the second key value based on a third portion of the fetch address to generate the decryption key.
    Type: Grant
    Filed: October 29, 2013
    Date of Patent: September 30, 2014
    Assignee: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
  • Patent number: 8843766
    Abstract: A method for the protection against access to a machine code of a device, has the steps: (a) encrypting a machine code by a device-specific key, which is provided by a TPM (Trusted Platform Module) module present in the device, (b) storing the encrypted machine code in a memory of the device, (c) wherein the device-specific key can no longer be read from the TPM module after a manipulation of the device.
    Type: Grant
    Filed: August 28, 2008
    Date of Patent: September 23, 2014
    Assignee: Siemens Aktiengesellschaft
    Inventor: Konrad Schwarz
  • Patent number: 8843767
    Abstract: A method for providing security for plaintext data being transferred between units in a computer system includes steps of dividing a memory into a series of addressable locations, each of the addressable locations having an address at which can be stored version information, a data authentication tag, and ciphertext corresponding to the plaintext. The system retrieves the ciphertext, the version information, and the data authentication tag, and generates encryption keys for decrypting the information stored at the address. If the data authentication tag indicates the plaintext data are valid, then the system provides the decrypted plaintext to the requestor, or encrypts new plaintext data and stores the corresponding ciphertext with new authentication and version information at the first address.
    Type: Grant
    Filed: December 20, 2012
    Date of Patent: September 23, 2014
    Assignee: The Boeing Company
    Inventors: Laszlo Hars, Paul J. Lemmon, Donald Matthews
  • Patent number: 8843734
    Abstract: A technique and system protects documents at rest and in motion using declarative policies and encryption. Encryption in the system is provided transparently and can work in conjunction with policy enforcers installed at a system. A system can protect information or documents from: (i) insider theft; (ii) ensure confidentiality; and (iii) prevent data loss, while enabling collaboration both inside and outside of a company.
    Type: Grant
    Filed: April 4, 2012
    Date of Patent: September 23, 2014
    Assignee: NextLabs, Inc.
    Inventor: Keng Lim
  • Publication number: 20140281581
    Abstract: A storage device includes a storage area and is connected to a computer for causing a file system to operate. The file system causes a data area for storing contents of a plurality of files and a management area for managing the plurality of files to be secured in the storage area. The storage device includes the storage area; a file system monitor for detecting that the file system has performed an operation of erasing a file; and a controller for, when the file system monitor detects an operation of erasing the file, performing erasure or write to put an area corresponding to the erased file in the storage area into an unrecoverable state.
    Type: Application
    Filed: March 17, 2014
    Publication date: September 18, 2014
    Applicant: GENUSION, INC.
    Inventor: Yasushi KASA
  • Patent number: 8838999
    Abstract: A system and method are provided for the cut-through encryption of packets transmitted via a plurality of input/output (IO) ports. A system-on-chip is provided with a first plurality of input first-in first out (FIFO) memories, an encryption processor, and a first plurality of output FIFOs, each associated with a corresponding input FIFO. Also provided is a first plurality of IO ports, each associated with a corresponding output FIFO. At a tail of each input FIFO, packets from the SoC are accepted at a corresponding input data rate. Packet blocks are supplied to the encryption processor, from a head of each input FIFO, in a cut-through manner. The encryption processor supplies encrypted packet blocks to a tail of corresponding output FIFOs. The encrypted packet blocks are transmitted from each output FIFO, via a corresponding IO port at a port speed rate effectively equal to the corresponding input data rate.
    Type: Grant
    Filed: May 17, 2011
    Date of Patent: September 16, 2014
    Assignee: Applied Micro Circuits Corporation
    Inventors: Satish Sathe, Sundeep Gupta
  • Patent number: 8837717
    Abstract: A system and method for non-retained electronic messaging is described. In one embodiment, the system includes a message receiver module, a message storing and identifier generation module, a message retrieval module and an expunging module. The message receiver module receives a message. The message storing and identifier generation module stores the message in a non-transitory, non-persistent memory of one or more computing devices, generates a message identifier and sends the message identifier to a recipient device. The message retrieval module receives a selection of the message identifier from the recipient device, retrieves the message from the non-transitory, non-persistent memory, and sends the message to the recipient device for presentation. The expunging module expunges the message from the one or more devices responsive to sending the message to the recipient device for presentation.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: September 16, 2014
    Inventor: John R. Thorpe
  • Patent number: 8839001
    Abstract: A system for providing high security for data stored in memories in computer systems is disclosed. A different encryption key is used for every memory location, and a write counter hides rewriting of the same data to a given location. As a result, the data for every read or write transaction between the microprocessor and the memory is encrypted differently for each transaction for each address, thereby providing a high level of security for the data stored.
    Type: Grant
    Filed: December 30, 2011
    Date of Patent: September 16, 2014
    Assignee: The Boeing Company
    Inventors: Edward C. King, Paul J. Lemmon, Laszlo Hars
  • Patent number: 8839000
    Abstract: There is provided an enhanced method of securely storing and retrieving information in an electronic device. The method comprises generating a plurality of random encryption keys and storing the plurality of random encryption keys in a memory region of a first component of the electronic device. The method may additionally comprise encrypting data using a different one of the plurality of random encryption keys for each of a plurality of regions of a memory of a second component of the electronic device. The method may also comprise transferring encrypted data to the memory of the second component of the electronic device.
    Type: Grant
    Filed: March 23, 2009
    Date of Patent: September 16, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Craig A. Walrath
  • Publication number: 20140258734
    Abstract: A method and an apparatus that may safely secure data in an electronic device including a computing resource, that is, software (for example, an operating system) and hardware (for example, a memory and a Central Processing Unit (CPU)) for operating the electronic device are provided. The method includes receiving a request for an application key from a data generation application or a proxy application that executes encryption of data in place of the data generation application, generating an application key using an application Identification (ID) corresponding to the data generation application and a security key stored in a secure area of the electronic device, in response to the request, and encrypting data using the generated application key.
    Type: Application
    Filed: February 27, 2014
    Publication date: September 11, 2014
    Applicant: Samsung Electronics Co., Ltd.
    Inventor: Jungyoon KIM
  • Publication number: 20140258733
    Abstract: Embodiments of techniques and systems associated with roots-of-trust (RTMs) for measurement of virtual machines (VMs) are disclosed. In some embodiments, a computing platform may provide a virtual machine RTM (vRTM) in a first secure enclave of the computing platform. The computing platform may be configured to perform an integrity measurement of the first secure enclave. The computing platform may provide a virtual machine trusted platform module (vTPM), for a guest VM, outside the first secure enclave of the computing platform. The computing platform may initiate a chain of integrity measurements between the vRTM and a resource of the guest VM. Other embodiments may be described and/or claimed.
    Type: Application
    Filed: March 6, 2013
    Publication date: September 11, 2014
    Inventor: Mark E. Scott-Nash
  • Patent number: 8832456
    Abstract: A data leakage prevention system, method, and computer program product are provided for preventing a predefined type of operation on predetermined data. In use, an attempt to perform an operation on predetermined data that is protected using a data leakage prevention system is identified. Additionally, it is determined whether a type of the operation attempted includes a predefined type of operation. Furthermore, the operation on the predetermined data is conditionally prevented based on the determination to prevent circumvention of the protection of the data leakage prevention system.
    Type: Grant
    Filed: April 13, 2012
    Date of Patent: September 9, 2014
    Assignee: McAfee, Inc.
    Inventors: Manabendra Paul, Abhilash Chandran
  • Patent number: 8832464
    Abstract: A processor including instruction support for implementing hash algorithms may issue, for execution, programmer-selectable hash instructions from a defined instruction set architecture (ISA). The processor may include a cryptographic unit that may receive instructions for execution. The instructions include hash instructions defined within the ISA. In addition, the hash instructions may be executable by the cryptographic unit to implement a hash that is compliant with one or more respective hash algorithm specifications. In response to receiving a particular hash instruction defined within the ISA, the cryptographic unit may retrieve a set of input data blocks from a predetermined set of architectural registers of the processor, and generate a hash value of the set of input data blocks according to a hash algorithm that corresponds to the particular hash instruction.
    Type: Grant
    Filed: March 31, 2009
    Date of Patent: September 9, 2014
    Assignee: Oracle America, Inc.
    Inventors: Christopher H. Olson, Jeffrey S. Brooks, Robert T. Golla
  • Patent number: 8832426
    Abstract: An apparatus to secure input data includes a main processor to enter into a secure mode, a touch panel to detect an input, and a touch integrated circuit (IC) to obtain coordinate data of the input, and to encrypt data related to the input using a secure key, in which the data related to the input is encrypted in the secure mode, and the touch IC transmits the encrypted data to the main processor. A method for securing input data in an electronic device includes entering into a secure mode, receiving an input using a touch panel, obtaining coordinate data of the input using a touch integrated circuit (IC), and encrypting data related to the input using a secure key, in which the data related to the input is encrypted in the secure mode, and the touch IC transmits the encrypted data to the main processor.
    Type: Grant
    Filed: December 20, 2011
    Date of Patent: September 9, 2014
    Assignee: Pantech Co., Ltd.
    Inventors: Ji Uk Moon, Kwang Baek Kim
  • Patent number: 8832452
    Abstract: An apparatus and method are described for implementing a trusted dynamic launch and trusted platform module (TPM) using a secure enclave. For example, a computer-implemented method according to one embodiment of the invention comprises: initializing a secure enclave in response to a first command, the secure enclave comprising a trusted software execution environment which prevents software executing outside the enclave from having access to software and data inside the enclave; and executing a trusted platform module (TPM) from within the secure enclave, the trusted platform module securely reading data from a set of platform control registers (PCR) in a processor or chipset component into a memory region allocated to the secure enclave.
    Type: Grant
    Filed: December 22, 2010
    Date of Patent: September 9, 2014
    Assignee: Intel Corporation
    Inventors: Simon P. Johnson, Vincent R. Scarlata, Willard M. Wiseman
  • Patent number: 8826037
    Abstract: Methods of preventing private information, which is hidden within data of a private domain reserved by an application program, from being easily accessed by a CPU and other devices, both where the data of the private domain is decrypted and the access to said data are restricted are disclosed, where the mentioned other devices do not include a decryption module utilized in the methods. Therefore, as long as agreements related to encryptions and decryptions are made in advance between the application program and the decryption module, private information can be well protected.
    Type: Grant
    Filed: March 13, 2008
    Date of Patent: September 2, 2014
    Assignee: CyberLink Corp.
    Inventor: Chih-Chung Chang
  • Publication number: 20140245026
    Abstract: A system for resource sharing across multi-cloud storage arrays includes a plurality of storage arrays and a cloud array storage (CAS) application. The plurality of storage resources are distributed in one or more cloud storage arrays, and each storage resource comprises a unique object identifier that identifies location and structure of the corresponding storage resource at a given point-in-time. The cloud array storage (CAS) application manages the resource sharing process by first taking an instantaneous copy of initial data stored in a first location of a first storage resource at a given point-in-time and then distributing copies of the instantaneous copy to other storage resources in the one or more cloud storage arrays.
    Type: Application
    Filed: May 5, 2014
    Publication date: August 28, 2014
    Applicant: TWINSTRATA, INC
    Inventor: JOHN W. BATES
  • Patent number: 8819449
    Abstract: The implementation of a counter in a microcontroller adapted to the JavaCard language while respecting the atomicity of a modification of the value of this counter, wherein the counter is reset by the sending to the microcontroller of an instruction to verify a user code by submitting a correct code, and the value of the counter is decremented by the sending to the microcontroller of the instruction to verify the user code with an erroneous code value.
    Type: Grant
    Filed: April 6, 2011
    Date of Patent: August 26, 2014
    Assignee: Proton World International N.V.
    Inventor: Olivier Van Nieuwenhuyze
  • Patent number: 8819446
    Abstract: A method and structure in a computer system, including a mechanism supporting a Secure Object that includes code and data that is cryptographically protected from other software on the computer system.
    Type: Grant
    Filed: June 26, 2009
    Date of Patent: August 26, 2014
    Assignee: International Business Machines Corporation
    Inventor: Richard Harold Boivie
  • Patent number: 8812873
    Abstract: Embodiments of apparatus, computer-implemented methods, systems, devices, and computer-readable media are described herein to provide a computing device with cooperative first and second binary translators in first and second execution environments having first and second security levels, respectively. The second security level may be more secure than the first security level. Encrypted instructions of the computer program may be loaded into the first execution environment, and the first binary translator may provide, to the second binary translator, an execution context of the computer program for use by the secondary binary translator to decrypt and execute a first portion of the computer program in the second execution environment. The second binary translator may provide, to the first binary translator, another execution context of the computer program for emulation, by the first binary translator, of execution of a second portion of the computer program in the first execution environment.
    Type: Grant
    Filed: September 26, 2012
    Date of Patent: August 19, 2014
    Assignee: Intel Corporation
    Inventors: Sergei Goffman, Alexander Skaletsky
  • Patent number: 8812871
    Abstract: The present disclosure presents a method and apparatus configured to provide for the trusted execution of virtual machines (VMs) on a virtualization server, e.g., for executing VMs on a virtualization server provided within Infrastructure as a Service (IaaS) cloud environment. A physical multi-core CPU may be configured with a hardware trust anchor. The trust anchor itself may be configured to manage session keys used to encrypt/decrypt instructions and data when a VM (or hypervisor) is executed on one of the CPU cores. When a context switch occurs due to an exception, the trust anchor swaps the session key used to encrypt/decrypt the contents of memory and cache allocated to a VM (or hypervisor).
    Type: Grant
    Filed: May 27, 2010
    Date of Patent: August 19, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Pere Monclus, Fabio R. Maino
  • Patent number: 8813235
    Abstract: An instance of a vulnerability risk management (VRM) module and a vulnerability management expert decision system (VMEDS) module are instantiated in a cloud. The VMEDS module imports scan results from a VRM vulnerability database and saves them as vulnerabilities to be reviewed in a VMEDS database. The VMEDS module converts vulnerabilities into facts. The VMEDS module builds a rule set in the knowledge base to verify whether certain vulnerabilities are false positives. Rules related to a vulnerability are received in plain English from a web-based front-end application. The VMEDS module tests each rule against all of the facts using the Rete algorithm. The VMEDS module executes the action associated with the rule derived from the Rete algorithm. The VMEDS module stores the results associated with the executing of the action in the VMEDS database and forwards the results to the VRM module.
    Type: Grant
    Filed: August 10, 2012
    Date of Patent: August 19, 2014
    Assignee: NopSec Inc.
    Inventor: Michelangelo Sidagni
  • Patent number: 8811247
    Abstract: In an example embodiment, there is disclosed herein an apparatus comprising a wireless transceiver and a controller coupled to the wireless transceiver and configured to receive data via the wireless transceiver. The controller operates the wireless transceiver at a first power save state where the wireless transceiver can receive a frame but other circuits are de-energized. The controller is responsive to the wireless transceiver receiving a frame while the wireless transceiver is in a first power state to determine whether the frame is a predefined wakeup frame. The controller provides additional power to the wireless transceiver responsive to determining the frame is a predefined wakeup frame.
    Type: Grant
    Filed: June 25, 2010
    Date of Patent: August 19, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Allan Thomson, Esteban Torres
  • Patent number: 8812872
    Abstract: In the conventional method of maintaining the confidentiality of a program, wherein a program to be executed in an information processing device is stored in a hard disk, etc., in an encrypted state and the program is decrypted when it is executed, because a decrypted program is written in memory, the program may be illicitly analyzed by a third person. Provided is a memory management method wherein code information or data of a program written in a virtual memory is data which is encrypted and inaccessible by a CPU, and when code fetching or data access to the encrypted area occurs, an interruption process is performed wherein with respect to a management unit of the memory management device including the area, an inaccessible state is changed to an accessible state to perform decryption.
    Type: Grant
    Filed: February 8, 2010
    Date of Patent: August 19, 2014
    Assignee: Hypertech Co., Ltd.
    Inventor: Mutsumi Ogawa
  • Publication number: 20140229744
    Abstract: The invention provides a method, a hardware circuit and a hardware device for enabling a software application to be executed on a hardware device in dependence of the hardware circuit, while preventing the execution of a binary copy of the application in another hardware device. Challenge data originating from the software application is input to a hardware circuit of the hardware device, wherein the hardware circuit is configured to perform a deterministic function. Response data is generated by the hardware device, which is used to manipulate at least a part of the software application to thereby enable the software application to be executed.
    Type: Application
    Filed: March 19, 2012
    Publication date: August 14, 2014
    Applicant: IRDETO B.V.
    Inventor: Jeroen Mathias Doumen
  • Publication number: 20140229745
    Abstract: A storage device contains a smart-card device and a memory device, both connected to a controller. The storage device may be used in the same manner as a conventional smart-card device, or it may be used to store a relatively large amount of data in various partitions. One of these partitions may be a read-only partition that is normally accessible only for read accesses. However, it may sometimes be necessary to update or supplement the data stored in the read-only partition. This is accomplished by a host issuing an appropriate command to the storage device, which may be accompanied by an identifier for an appropriate level of authorization. The controller then changes the attribute of the read-only partition from “read-only” to “read/write” to allow data to be written to the partition. Upon completion, the controller changes the attribute of the partition back to read-only.
    Type: Application
    Filed: April 18, 2014
    Publication date: August 14, 2014
    Applicant: Micron Technology, Inc.
    Inventors: Mehdi Asnaashari, Ruchirkumar D. Shah, Sylvain Prevost, Ksheerabdhi Krishna
  • Publication number: 20140229743
    Abstract: Generally described herein are methods and systems for enhanced tamper and malware resistant computer architectures. A system for enhanced tamper and malware resistance can include a harvardizer configured to receive comingled instructions and data and produce separated instructions and data. A data memory can be configured to receive the separated data. An instruction memory that is physically separate from the data memory can be configured to receive the separated instructions. The system can include one or more computer processors that can be configured to execute the separated instructions and data. The system can include one or more encryptors or decryptors to help thwart injection based attacks.
    Type: Application
    Filed: February 13, 2013
    Publication date: August 14, 2014
    Applicant: Raytheon BBN Technologies Corp.
    Inventors: Thomas Gilbert Roden, III, John-Francis Mergen, Carl Marshall Elliot Powell