Computer Instruction/address Encryption Patents (Class 713/190)
-
Patent number: 8839000
Abstract: There is provided an enhanced method of securely storing and retrieving information in an electronic device. The method comprises generating a plurality of random encryption keys and storing the plurality of random encryption keys in a memory region of a first component of the electronic device. The method may additionally comprise encrypting data using a different one of the plurality of random encryption keys for each of a plurality of regions of a memory of a second component of the electronic device. The method may also comprise transferring encrypted data to the memory of the second component of the electronic device.
Type: Grant
Filed: March 23, 2009
Date of Patent: September 16, 2014
Assignee: Hewlett-Packard Development Company, L.P.
Inventor: Craig A. Walrath
-
Patent number: 8837717
Abstract: A system and method for non-retained electronic messaging is described. In one embodiment, the system includes a message receiver module, a message storing and identifier generation module, a message retrieval module and an expunging module. The message receiver module receives a message. The message storing and identifier generation module stores the message in a non-transitory, non-persistent memory of one or more computing devices, generates a message identifier and sends the message identifier to a recipient device. The message retrieval module receives a selection of the message identifier from the recipient device, retrieves the message from the non-transitory, non-persistent memory, and sends the message to the recipient device for presentation. The expunging module expunges the message from the one or more devices responsive to sending the message to the recipient device for presentation.
Type: Grant
Filed: March 15, 2013
Date of Patent: September 16, 2014
Inventor: John R. Thorpe
-
Publication number: 20140258733
Abstract: Embodiments of techniques and systems associated with roots-of-trust for measurement (RTMs) of virtual machines (VMs) are disclosed. In some embodiments, a computing platform may provide a virtual machine RTM (vRTM) in a first secure enclave of the computing platform. The computing platform may be configured to perform an integrity measurement of the first secure enclave. The computing platform may provide a virtual machine trusted platform module (vTPM), for a guest VM, outside the first secure enclave of the computing platform. The computing platform may initiate a chain of integrity measurements between the vRTM and a resource of the guest VM. Other embodiments may be described and/or claimed.
Type: Application
Filed: March 6, 2013
Publication date: September 11, 2014
Inventor: Mark E. Scott-Nash
-
Publication number: 20140258734
Abstract: A method and an apparatus that may safely secure data in an electronic device including a computing resource, that is, software (for example, an operating system) and hardware (for example, a memory and a Central Processing Unit (CPU)) for operating the electronic device are provided. The method includes receiving a request for an application key from a data generation application or a proxy application that executes encryption of data in place of the data generation application, generating an application key using an application Identification (ID) corresponding to the data generation application and a security key stored in a secure area of the electronic device, in response to the request, and encrypting data using the generated application key.
Type: Application
Filed: February 27, 2014
Publication date: September 11, 2014
Applicant: Samsung Electronics Co., Ltd.
Inventor: Jungyoon KIM
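Added illustration (not part of the listing and not Samsung's code): a stdlib-only Python model of the key derivation this abstract describes, a per-application key computed from the application ID and a root key that never leaves the secure area, with a proxy application allowed to ask for another application's key only if it was registered for it. The HKDF construction, the salt string, the allow-list policy and the constructed root key are assumptions; the derived key would then feed an AEAD such as AES-GCM, which is left out here.

```python
import hashlib
import hmac

# Constructed stand-in for the security key held in the device's secure area
# (e.g. a TrustZone secure world or a secure element); real code never exposes it.
DEVICE_SECURE_KEY = hashlib.sha256(b"constructed device root key").digest()


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF-SHA256 (extract, then expand) from hmac/hashlib only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class SecureArea:
    """Trusted side of the boundary: owns the root key and hands out only
    keys derived from it."""

    def __init__(self, root_key):
        self._root_key = root_key

    def application_key(self, app_id):
        # The application ID is bound into the HKDF info field, so every ID
        # string gets its own key; no application can compute another
        # application's key without the root key it never sees.
        return hkdf_sha256(self._root_key, salt=b"app-key/v1", info=app_id.encode())


def request_app_key(secure, requester_id, target_app_id, proxy_allowlist):
    """Request handler at the boundary. An application may obtain its own key;
    a proxy application (one that encrypts on behalf of a data-generation
    application) may obtain the key of an application that registered it.
    `proxy_allowlist` maps data-generation app ID -> authorised proxy app ID
    (an assumed policy structure, not one taken from the patent)."""
    if requester_id != target_app_id and proxy_allowlist.get(target_app_id) != requester_id:
        raise PermissionError(f"{requester_id} may not obtain the key of {target_app_id}")
    return secure.application_key(target_app_id)


if __name__ == "__main__":
    area = SecureArea(DEVICE_SECURE_KEY)
    allow = {"com.example.mail": "com.example.cryptoproxy"}
    print(request_app_key(area, "com.example.mail", "com.example.mail", allow).hex())
    print(request_app_key(area, "com.example.cryptoproxy", "com.example.mail", allow).hex())
```

The point to check in a real implementation is the second line of `request_app_key`: the proxy path is the only way one application gets another's key, so the allow-list (or whatever binds proxy to data-generation application) is the access-control decision that matters.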
-
Patent number: 8832452
Abstract: An apparatus and method are described for implementing a trusted dynamic launch and trusted platform module (TPM) using a secure enclave. For example, a computer-implemented method according to one embodiment of the invention comprises: initializing a secure enclave in response to a first command, the secure enclave comprising a trusted software execution environment which prevents software executing outside the enclave from having access to software and data inside the enclave; and executing a trusted platform module (TPM) from within the secure enclave, the trusted platform module securely reading data from a set of platform control registers (PCR) in a processor or chipset component into a memory region allocated to the secure enclave.
Type: Grant
Filed: December 22, 2010
Date of Patent: September 9, 2014
Assignee: Intel Corporation
Inventors: Simon P. Johnson, Vincent R. Scarlata, Willard M. Wiseman
-
Patent number: 8832426
Abstract: An apparatus to secure input data includes a main processor to enter into a secure mode, a touch panel to detect an input, and a touch integrated circuit (IC) to obtain coordinate data of the input, and to encrypt data related to the input using a secure key, in which the data related to the input is encrypted in the secure mode, and the touch IC transmits the encrypted data to the main processor. A method for securing input data in an electronic device includes entering into a secure mode, receiving an input using a touch panel, obtaining coordinate data of the input using a touch integrated circuit (IC), and encrypting data related to the input using a secure key, in which the data related to the input is encrypted in the secure mode, and the touch IC transmits the encrypted data to the main processor.
Type: Grant
Filed: December 20, 2011
Date of Patent: September 9, 2014
Assignee: Pantech Co., Ltd.
Inventors: Ji Uk Moon, Kwang Baek Kim
-
Patent number: 8832464
Abstract: A processor including instruction support for implementing hash algorithms may issue, for execution, programmer-selectable hash instructions from a defined instruction set architecture (ISA). The processor may include a cryptographic unit that may receive instructions for execution. The instructions include hash instructions defined within the ISA. In addition, the hash instructions may be executable by the cryptographic unit to implement a hash that is compliant with one or more respective hash algorithm specifications. In response to receiving a particular hash instruction defined within the ISA, the cryptographic unit may retrieve a set of input data blocks from a predetermined set of architectural registers of the processor, and generate a hash value of the set of input data blocks according to a hash algorithm that corresponds to the particular hash instruction.
Type: Grant
Filed: March 31, 2009
Date of Patent: September 9, 2014
Assignee: Oracle America, Inc.
Inventors: Christopher H. Olson, Jeffrey S. Brooks, Robert T. Golla
-
Patent number: 8832456
Abstract: A data leakage prevention system, method, and computer program product are provided for preventing a predefined type of operation on predetermined data. In use, an attempt to perform an operation on predetermined data that is protected using a data leakage prevention system is identified. Additionally, it is determined whether a type of the operation attempted includes a predefined type of operation. Furthermore, the operation on the predetermined data is conditionally prevented based on the determination to prevent circumvention of the protection of the data leakage prevention system.
Type: Grant
Filed: April 13, 2012
Date of Patent: September 9, 2014
Assignee: McAfee, Inc.
Inventors: Manabendra Paul, Abhilash Chandran
-
Patent number: 8826037
Abstract: Methods are disclosed for preventing private information, hidden within data of a private domain reserved by an application program, from being easily accessed by the CPU and by other devices (other than the decryption module used in the methods): the data of the private domain is decrypted and access to that data is restricted. Therefore, as long as agreements related to encryption and decryption are made in advance between the application program and the decryption module, private information can be well protected.
Type: Grant
Filed: March 13, 2008
Date of Patent: September 2, 2014
Assignee: CyberLink Corp.
Inventor: Chih-Chung Chang
-
Publication number: 20140245026
Abstract: A system for resource sharing across multi-cloud storage arrays includes a plurality of storage arrays and a cloud array storage (CAS) application. The plurality of storage resources are distributed in one or more cloud storage arrays, and each storage resource comprises a unique object identifier that identifies location and structure of the corresponding storage resource at a given point-in-time. The cloud array storage (CAS) application manages the resource sharing process by first taking an instantaneous copy of initial data stored in a first location of a first storage resource at a given point-in-time and then distributing copies of the instantaneous copy to other storage resources in the one or more cloud storage arrays.
Type: Application
Filed: May 5, 2014
Publication date: August 28, 2014
Applicant: TWINSTRATA, INC
Inventor: JOHN W. BATES
-
Patent number: 8819446
Abstract: A method and structure in a computer system, including a mechanism supporting a Secure Object that includes code and data that is cryptographically protected from other software on the computer system.
Type: Grant
Filed: June 26, 2009
Date of Patent: August 26, 2014
Assignee: International Business Machines Corporation
Inventor: Richard Harold Boivie
-
Patent number: 8819449
Abstract: The implementation of a counter in a microcontroller adapted to the JavaCard language while respecting the atomicity of a modification of the value of this counter, wherein the counter is reset by the sending to the microcontroller of an instruction to verify a user code by submitting a correct code, and the value of the counter is decremented by the sending to the microcontroller of the instruction to verify the user code with an erroneous code value.
Type: Grant
Filed: April 6, 2011
Date of Patent: August 26, 2014
Assignee: Proton World International N.V.
Inventor: Olivier Van Nieuwenhuyze
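Added illustration (not from the listing or from Proton World's applet): a Python model of why the order of operations around a PIN try counter matters. The naive variant compares first and records the failure afterwards; an attacker who learns the outcome before the write lands (timing or power draw) cuts power on every wrong guess and the counter never moves. The hardened variant decrements and commits before comparing and resets only on success, which is the behaviour the abstract describes. The constructed attacker loop, the 4-digit PIN space and the `nvm` dictionary standing in for EEPROM (each write taken as atomic, as a JavaCard transaction would make a multi-byte update) are assumptions of this example.

```python
import hmac


class PowerLoss(Exception):
    """The card is pulled from the reader (or glitched) in the middle of a command."""


class Card:
    """Toy applet with a PIN try counter in persistent memory. `nvm` stands in for
    EEPROM; each single write is taken to be atomic, as a JavaCard transaction
    (beginTransaction/commitTransaction) would guarantee for a multi-byte update."""
    MAX_TRIES = 3

    def __init__(self, pin):
        self.nvm = {"pin": pin, "tries": self.MAX_TRIES}

    def _match(self, candidate):
        return hmac.compare_digest(candidate, self.nvm["pin"])

    def verify_naive(self, candidate, cut_power=False):
        """Compare first, record the failure second. The outcome leaks before
        the write (timing, power trace), so cutting power on a wrong guess
        means the decrement never reaches EEPROM."""
        if self.nvm["tries"] == 0:
            return "BLOCKED"
        if self._match(candidate):
            self.nvm["tries"] = self.MAX_TRIES
            return "OK"
        if cut_power:
            raise PowerLoss()                 # counter still shows the old value
        self.nvm["tries"] -= 1
        return "WRONG"

    def verify(self, candidate, cut_power=False):
        """Decrement and commit first, compare second, reset only on success:
        the ordering the abstract describes. Cutting power now always costs a try."""
        if self.nvm["tries"] == 0:
            return "BLOCKED"
        self.nvm["tries"] -= 1                # already persisted before comparing
        if self._match(candidate):
            self.nvm["tries"] = self.MAX_TRIES
            return "OK"
        if cut_power:
            raise PowerLoss()                 # too late for the attacker
        return "WRONG"


def brute_force(card_factory, method, max_guesses=10000):
    """Constructed attacker loop: try PINs in order and cut power the moment a
    guess is seen to be wrong. Returns (outcome, number of guesses made)."""
    card = card_factory()
    verify = getattr(card, method)
    for guesses in range(1, max_guesses + 1):
        try:
            result = verify(f"{guesses - 1:04d}".encode(), cut_power=True)
        except PowerLoss:
            continue                          # card resets; NVM keeps whatever was written
        if result != "WRONG":
            return result, guesses
    return "GAVE_UP", max_guesses


if __name__ == "__main__":
    print(brute_force(lambda: Card(b"0042"), "verify_naive"))   # ('OK', 43): PIN recovered
    print(brute_force(lambda: Card(b"0042"), "verify"))         # ('BLOCKED', 4)
```

On real silicon the decrement must also be a single atomic EEPROM update (a torn multi-byte write could leave the counter at an arbitrary value), which is the transaction requirement the abstract's "atomicity" refers to.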
-
Patent number: 8812873
Abstract: Embodiments of apparatus, computer-implemented methods, systems, devices, and computer-readable media are described herein to provide a computing device with cooperative first and second binary translators in first and second execution environments having first and second security levels, respectively. The second security level may be more secure than the first security level. Encrypted instructions of the computer program may be loaded into the first execution environment, and the first binary translator may provide, to the second binary translator, an execution context of the computer program for use by the second binary translator to decrypt and execute a first portion of the computer program in the second execution environment. The second binary translator may provide, to the first binary translator, another execution context of the computer program for emulation, by the first binary translator, of execution of a second portion of the computer program in the first execution environment.
Type: Grant
Filed: September 26, 2012
Date of Patent: August 19, 2014
Assignee: Intel Corporation
Inventors: Sergei Goffman, Alexander Skaletsky
-
Patent number: 8812871
Abstract: The present disclosure presents a method and apparatus configured to provide for the trusted execution of virtual machines (VMs) on a virtualization server, e.g., for executing VMs on a virtualization server provided within an Infrastructure as a Service (IaaS) cloud environment. A physical multi-core CPU may be configured with a hardware trust anchor. The trust anchor itself may be configured to manage session keys used to encrypt/decrypt instructions and data when a VM (or hypervisor) is executed on one of the CPU cores. When a context switch occurs due to an exception, the trust anchor swaps the session key used to encrypt/decrypt the contents of memory and cache allocated to a VM (or hypervisor).
Type: Grant
Filed: May 27, 2010
Date of Patent: August 19, 2014
Assignee: Cisco Technology, Inc.
Inventors: Pere Monclus, Fabio R. Maino
-
Patent number: 8811247
Abstract: In an example embodiment, there is disclosed herein an apparatus comprising a wireless transceiver and a controller coupled to the wireless transceiver and configured to receive data via the wireless transceiver. The controller operates the wireless transceiver at a first power save state where the wireless transceiver can receive a frame but other circuits are de-energized. The controller is responsive to the wireless transceiver receiving a frame while the wireless transceiver is in a first power state to determine whether the frame is a predefined wakeup frame. The controller provides additional power to the wireless transceiver responsive to determining the frame is a predefined wakeup frame.
Type: Grant
Filed: June 25, 2010
Date of Patent: August 19, 2014
Assignee: Cisco Technology, Inc.
Inventors: Allan Thomson, Esteban Torres
-
Patent number: 8812872
Abstract: In the conventional method of keeping a program confidential, wherein a program to be executed in an information processing device is stored on a hard disk, etc., in an encrypted state and decrypted when it is executed, the decrypted program is written to memory, so the program may be illicitly analyzed by a third party. Provided is a memory management method wherein the code or data of a program written in virtual memory is encrypted and inaccessible to the CPU, and when a code fetch or data access to the encrypted area occurs, an interrupt process is performed in which, for the management unit of the memory management device that includes the area, the inaccessible state is changed to an accessible state in order to perform decryption.
Type: Grant
Filed: February 8, 2010
Date of Patent: August 19, 2014
Assignee: Hypertech Co., Ltd.
Inventor: Mutsumi Ogawa
-
Patent number: 8813235
Abstract: An instance of a vulnerability risk management (VRM) module and a vulnerability management expert decision system (VMEDS) module are instantiated in a cloud. The VMEDS module imports scan results from a VRM vulnerability database and saves them as vulnerabilities to be reviewed in a VMEDS database. The VMEDS module converts vulnerabilities into facts. The VMEDS module builds a rule set in the knowledge base to verify whether certain vulnerabilities are false positives. Rules related to a vulnerability are received in plain English from a web-based front-end application. The VMEDS module tests each rule against all of the facts using the Rete algorithm. The VMEDS module executes the action associated with the rule derived from the Rete algorithm. The VMEDS module stores the results associated with the executing of the action in the VMEDS database and forwards the results to the VRM module.
Type: Grant
Filed: August 10, 2012
Date of Patent: August 19, 2014
Assignee: NopSec Inc.
Inventor: Michelangelo Sidagni
-
Publication number: 20140229743
Abstract: Generally described herein are methods and systems for enhanced tamper and malware resistant computer architectures. A system for enhanced tamper and malware resistance can include a harvardizer configured to receive comingled instructions and data and produce separated instructions and data. A data memory can be configured to receive the separated data. An instruction memory that is physically separate from the data memory can be configured to receive the separated instructions. The system can include one or more computer processors that can be configured to execute the separated instructions and data. The system can include one or more encryptors or decryptors to help thwart injection based attacks.
Type: Application
Filed: February 13, 2013
Publication date: August 14, 2014
Applicant: Raytheon BBN Technologies Corp.
Inventors: Thomas Gilbert Roden, III, John-Francis Mergen, Carl Marshall Elliot Powell
-
Publication number: 20140229744
Abstract: The invention provides a method, a hardware circuit and a hardware device for enabling a software application to be executed on a hardware device in dependence of the hardware circuit, while preventing the execution of a binary copy of the application in another hardware device. Challenge data originating from the software application is input to a hardware circuit of the hardware device, wherein the hardware circuit is configured to perform a deterministic function. Response data is generated by the hardware device, which is used to manipulate at least a part of the software application to thereby enable the software application to be executed.
Type: Application
Filed: March 19, 2012
Publication date: August 14, 2014
Applicant: IRDETO B.V.
Inventor: Jeroen Mathias Doumen
-
Publication number: 20140229745
Abstract: A storage device contains a smart-card device and a memory device, both connected to a controller. The storage device may be used in the same manner as a conventional smart-card device, or it may be used to store a relatively large amount of data in various partitions. One of these partitions may be a read-only partition that is normally accessible only for read accesses. However, it may sometimes be necessary to update or supplement the data stored in the read-only partition. This is accomplished by a host issuing an appropriate command to the storage device, which may be accompanied by an identifier for an appropriate level of authorization. The controller then changes the attribute of the read-only partition from "read-only" to "read/write" to allow data to be written to the partition. Upon completion, the controller changes the attribute of the partition back to read-only.
Type: Application
Filed: April 18, 2014
Publication date: August 14, 2014
Applicant: Micron Technology, Inc.
Inventors: Mehdi Asnaashari, Ruchirkumar D. Shah, Sylvain Prevost, Ksheerabdhi Krishna
-
Patent number: 8806648
Abstract: Automatically classifying security vulnerabilities in computer software applications by identifying candidate security vulnerabilities in a learning set including at least a first computer software application, classifying each of the candidate security vulnerabilities using predefined classifications, determining, for each of the candidate security vulnerabilities, values for predefined properties, creating a set of correlations between the property values and the classifications of the candidate security vulnerabilities, identifying a candidate security vulnerability in a second computer software application, determining, for the candidate security vulnerability in the second computer software application, values for the predefined properties, and using the set of correlations to classify the candidate security vulnerability in the second computer software application with a classification from the predefined classifications that best correlates with the property values of the candidate security vulnerability.
Type: Grant
Filed: September 11, 2012
Date of Patent: August 12, 2014
Assignee: International Business Machines Corporation
Inventors: Lotem Guy, Daniel Kalman, Omer Tripp, Omri Weisman
-
Publication number: 20140223195
Abstract: An encrypted storage device for personal information has a control module, a plug and play interface and a storage unit. The control module has an encryption module and a processing module electrically connected to the encryption module, which drives the encryption module to perform an encryption/decryption operation. The plug and play interface is electrically connected to the control module and is adapted to connect with a computer to transmit information to the control module. The storage unit is electrically connected to the control module and has a public data area and an encryption area. The public data area has at least one application. The encryption area is used to store the encryption algorithm information, and the encryption algorithm information can be read only after identity authentication and decryption.
Type: Application
Filed: August 26, 2013
Publication date: August 7, 2014
Inventor: Ju Long Wei
-
Patent number: 8800053
Abstract: An executable content message stream filter applies a plurality of executable content filters to a stream of parsed elements of a network message. Each of the plurality of executable content filters targets executable content and is instantiated based on a set of one or more rule sets selected based, at least in part, on a type of the network message. For each of the plurality of executable content filters, it is determined if one or more of the stream of parsed elements includes executable content targeted by the executable content filter. The executable content message stream filter modifies those of the stream of parsed elements that include the executable content targeted by the plurality of executable content filters to disable the executable content.
Type: Grant
Filed: July 2, 2012
Date of Patent: August 5, 2014
Assignee: International Business Machines Corporation
Inventors: Ai Ishida, Todd E. Kaplinger, Satoshi Makino, Masayoshi Teraguchi, Naohiko Uramoto
-
Patent number: 8799678
Abstract: A system and method for the secure storage of executable code and the secure movement of such code from memory to a processor. The method includes the storage of an encrypted version of the code. The code is then decrypted and decompressed as necessary, before re-encryption in storage. The re-encrypted executable code is then written to external memory. As a cache line of executable code is required, a fetch is performed but intercepted. In the interception, the cache line is decrypted. The plain text cache line is then stored in an instruction cache associated with a processor.
Type: Grant
Filed: June 1, 2010
Date of Patent: August 5, 2014
Assignee: Broadcom Corporation
Inventor: Mark Buer
-
Patent number: 8799656
Abstract: Methods for anonymous authentication and key exchange are presented. In one embodiment, a method includes initiating a two-way mutual authentication between a device and a remote entity. The device remains anonymous to the remote entity after performing the authentication. The method also includes establishing a mutually shared session key for use in secure communication, wherein the initiating and the establishing are in conjunction with direct anonymous attestation (DAA).
Type: Grant
Filed: October 27, 2010
Date of Patent: August 5, 2014
Assignee: Intel Corporation
Inventors: Ernest F. Brickell, Jiangtao Li, Jesse Walker
-
Patent number: 8799679
Abstract: A method comprising the steps of creating a random permutation of data from a data input by executing at least one of a Pseudo-Random Permutation (PRP) and a Pseudo-Random Function (PRF), creating a first data block by combining the random permutation of data with a received second data block and executing an ε-differentially uniform (ε-DU) function on the result of the combination, XORing the result of the ε-DU function evaluation with a secret key, and reducing the first data block to a first message authentication code.
Type: Grant
Filed: May 15, 2013
Date of Patent: August 5, 2014
Assignee: Alcatel Lucent
Inventors: Juan A. Garay, Vladimir Kolesnikov, Hubert R. McLellan
-
Patent number: 8799671
Abstract: Techniques are described that generally relate to methods for detecting the encryption status of a data file or data stream and selectively encrypting the data file or data stream based on that encryption status. Example methods may include one or more of reading the data file or data stream from a data source, calculating a value of a property of the data file or data stream, comparing the calculated value with a threshold value to determine whether the file is encrypted or unencrypted, and encrypting files that are determined to be unencrypted.
Type: Grant
Filed: May 6, 2009
Date of Patent: August 5, 2014
Assignee: Empire Technology Development LLC
Inventors: Thomas Martin Conte, Andrew Wolfe
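Added illustration (not from the listing or from the patent's own text): a Python implementation of the statistic-versus-threshold test the abstract describes, using byte entropy as the property, together with the caveat a practitioner needs before deploying it: compressed data has the same flat byte distribution as ciphertext, so the bare test reports a zlib or gzip body as encrypted. The classifier here checks well-known compressed-format headers first. The 7.2 bits/byte threshold, the magic-number list and the constructed samples (pseudo-English text, PRNG bytes standing in for ciphertext, a zlib stream) are assumptions of this example.

```python
import math
import random
import zlib
from collections import Counter


def byte_entropy(data):
    """Shannon entropy of the byte distribution, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Assumed threshold: English text sits around 4-5 bits/byte, ciphertext and
# random data close to 8. Tune it on a corpus of your own files.
ENTROPY_THRESHOLD = 7.2


def looks_encrypted(data, threshold=ENTROPY_THRESHOLD):
    """The bare test from the abstract: one statistic compared with a threshold."""
    return byte_entropy(data) >= threshold


# Compressed data is just as 'random' as ciphertext, so a practical classifier
# rules out known compressed/container formats by header before using entropy.
COMPRESSED_MAGIC = (b"\x1f\x8b", b"PK\x03\x04", b"BZh", b"\xfd7zXZ\x00",
                    b"\x78\x01", b"\x78\x9c", b"\x78\xda")


def classify(data):
    if any(data.startswith(m) for m in COMPRESSED_MAGIC):
        return "compressed"
    return "encrypted" if looks_encrypted(data) else "plaintext"


# Constructed samples (no real files): pseudo-English text, PRNG bytes standing
# in for ciphertext, and a zlib stream of the text.
_WORDS = ("the quick brown fox jumps over lazy dog while security engineers "
          "review memory encryption patents and measure entropy of sample "
          "files before deciding whether they should be encrypted again").split()
_rng = random.Random(713190)
SAMPLE_TEXT = " ".join(_rng.choice(_WORDS) for _ in range(3000)).encode()
SAMPLE_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_TEXT)


def report():
    """Entropy and verdict for each sample; the last entry shows the false
    positive when the zlib header is missing and only entropy is consulted."""
    headerless = SAMPLE_COMPRESSED[2:]
    return {
        "text": (round(byte_entropy(SAMPLE_TEXT), 2), classify(SAMPLE_TEXT)),
        "ciphertext": (round(byte_entropy(SAMPLE_CIPHERTEXT), 2), classify(SAMPLE_CIPHERTEXT)),
        "zlib": (round(byte_entropy(SAMPLE_COMPRESSED), 2), classify(SAMPLE_COMPRESSED)),
        "zlib-headerless": (round(byte_entropy(headerless), 2), classify(headerless)),
    }


if __name__ == "__main__":
    for name, (bits, verdict) in report().items():
        print(f"{name:16s} {bits:5.2f} bits/byte -> {verdict}")
```

The header check only covers formats you enumerate; an "encrypt everything that looks random" policy will still double-encrypt unknown compressed or already-encrypted blobs, which is harmless for confidentiality but wastes work and can break tools that expect the original format.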
-
Publication number: 20140215225
Abstract: A method for increasing security of software is provided. The method includes replacing a part of a code section comprised in a binary source file of the software with a pre-set special command, creating a table of correspondence that contains correspondence information between the part of the code section and the pre-set special command according to the replacing, and inserting the table of correspondence into a command preprocessor execution file of the software.
Type: Application
Filed: December 30, 2013
Publication date: July 31, 2014
Applicant: Samsung Electronics Co., Ltd.
Inventor: Oleksandr KOLIESNIK
-
Patent number: 8792637
Abstract: An encryption key may be generated based on personalized unit data associated with a software download recipient, for example, a secure processor. In some aspects, the secure processor may generate a decryption key based on its personalized unit data, and a software download may be performed between the software provider and the secure processor using the generated encryption keys. The secure processor may then decrypt and load the software for execution. The encryption and decryption key generation may also be based on a sequence number or other data indicating one or more previous software downloads at the secure processor. Using the sequence number or other data, sequences of multiple encryption and/or decryption keys may be generated to support multiple software downloads to a secure processor.
Type: Grant
Filed: November 22, 2011
Date of Patent: July 29, 2014
Assignee: Combined Conditional Access Development & Support, LLC
Inventors: Lawrence W Tang, Douglas M Petty, Michael T Habrat
-
Patent number: 8788840
Abstract: A secure hardware comprises a secure pipe, a secure DMA, a secure assist and a secure bus, which connects between those blocks. The secure pipe stores a common encryption key in an encryption key table so as not to be able to access from software. The secure DMA comprises a data common key system process function and a hashing process function. The secure assist comprises a common key system process function and an authentication process function, receives an issued command from a program executed by the processor core via a public IF, and performs setting/control of the secure pipe and the secure DMA via the secure bus.
Type: Grant
Filed: March 8, 2013
Date of Patent: July 22, 2014
Assignee: Fujitsu Semiconductor Limited
Inventor: Seiji Goto
-
Patent number: 8787567
Abstract: In accordance with particular embodiments, a computer-implemented method for execution by one or more processors includes intercepting a communication comprising a message. The method also includes identifying words from within the message. The method further includes storing in a dictionary words from within the message of the communication and one or more parameters of the communication for each of the words. The dictionary comprises a plurality of words from a plurality of intercepted text-based communications. The method also includes receiving an encrypted file that is configured to be decrypted using a password. The method additionally includes identifying words from the dictionary to be used to attempt to decrypt the encrypted file. The identified words are identified based on at least one parameter associated with the encrypted file and the one or more parameters stored in the dictionary.
Type: Grant
Filed: February 22, 2011
Date of Patent: July 22, 2014
Assignee: Raytheon Company
Inventors: Monty D. McDougal, Randy S. Jennings, William E. Sterns
-
Patent number: 8788846
Abstract: A cloud computing system is disclosed. The cloud computing system includes a management server that manages a plurality of servers and distributes service resources. Each of the servers corresponds to one of a secure server type and a general server type, and the secure server type of server decrypts an encrypted code provided from a client. Accordingly, a secure server can execute a code requiring security. Especially, by classifying a program code as a general code or a secret code, the general server can also perform the partial function of a program.
Type: Grant
Filed: October 12, 2012
Date of Patent: July 22, 2014
Assignee: Electronics and Telecommunications Research Institute
Inventors: Jong Youl Park, Seung Yun Lee
-
Patent number: 8782433
Abstract: This document discloses data security systems and methods of securing data. A cache memory can be connected between a decryption engine and a central processing unit ("CPU") to increase security of encrypted data that is stored in a datastore. The decryption engine can retrieve the encrypted data from the datastore, decrypt the data, and store the decrypted data in the cache. In turn, the decrypted data can be accessed by the CPU. The data can be encrypted with a secret key, so that decryption can be performed with the secret key. The key can be varied based on a memory address associated with the data. The key can be protected by restricting direct access to the decryption engine by the CPU.
Type: Grant
Filed: September 10, 2008
Date of Patent: July 15, 2014
Assignee: Inside Secure
Inventors: Majid Kaabouch, Alexandre Croguennec, Carine Lefort
-
Patent number: 8782434
Abstract: A pipelined processor comprising a cache memory system, fetching instructions for execution from a portion of said cache memory system, an instruction commencing processing before a digital signature of the cache line that contained the instruction is verified against a reference signature of the cache line, the verification being done at the point of decoding, dispatching, or committing execution of the instruction, the reference signature being stored in an encrypted form in the processor's memory, and the key for decrypting the said reference signature being stored in a secure storage location. Instruction processing proceeds when the two signatures match exactly; on a mismatch, further instruction processing is suspended or modified.
Type: Grant
Filed: July 15, 2011
Date of Patent: July 15, 2014
Assignee: The Research Foundation for the State University of New York
Inventor: Kanad Ghose
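Added illustration (not from the listing and not the inventor's design): a Python model of per-cache-line signature checking as the abstract lays it out. A trusted loader computes a reference signature over each 16-byte line, stores it encrypted beside the code, and the fetch path recomputes and compares it with keys that only the verifier holds; a mismatch squashes the instruction instead of letting it commit. Two memory-only attacks are exercised: patching a byte in place, and copying a genuine line together with its signature to a different address (caught because the address is part of the signed data). HMAC-SHA256 truncated to 8 bytes as the signature, an HMAC-derived XOR pad as the signature cipher, the 16-byte line size, the constructed keys and the x86-64 stub used as code are all assumptions of this example.

```python
import hashlib
import hmac

LINE = 16  # bytes per cache line in this toy model

# Constructed keys; on the real processor they live in secure storage that
# only the verification logic can read.
MAC_KEY = hashlib.sha256(b"constructed signature key").digest()
ENC_KEY = hashlib.sha256(b"constructed signature-encryption key").digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def line_signature(mac_key, addr, line):
    """Reference signature of one cache line. The address is part of the
    signed data, so a genuine line moved to another address does not verify."""
    return hmac.new(mac_key, addr.to_bytes(8, "little") + line, hashlib.sha256).digest()[:8]


def sig_mask(enc_key, addr):
    """Per-address pad used to keep the stored reference signature encrypted
    (XOR with an HMAC-derived pad stands in for the real cipher)."""
    return hmac.new(enc_key, b"sig" + addr.to_bytes(8, "little"), hashlib.sha256).digest()[:8]


class Memory:
    """Untrusted DRAM: code lines and, alongside them, encrypted signatures."""

    def __init__(self):
        self.lines = {}
        self.enc_sigs = {}


def load_program(mem, mac_key, enc_key, base, code):
    """Trusted loader: splits code into lines and stores each line's encrypted
    reference signature next to it."""
    code = code + b"\x00" * (-len(code) % LINE)
    for off in range(0, len(code), LINE):
        addr, line = base + off, code[off:off + LINE]
        mem.lines[addr] = line
        mem.enc_sigs[addr] = xor(line_signature(mac_key, addr, line), sig_mask(enc_key, addr))


class Pipeline:
    """Fetch hands the instruction to the pipeline at once; the signature check
    runs alongside and gates commit, so a bad line is squashed, not executed."""

    def __init__(self, mem, mac_key, enc_key):
        self.mem, self.mac_key, self.enc_key = mem, mac_key, enc_key

    def verify(self, addr, line):
        ref = xor(self.mem.enc_sigs[addr], sig_mask(self.enc_key, addr))
        return hmac.compare_digest(ref, line_signature(self.mac_key, addr, line))

    def execute(self, addr):
        line = self.mem.lines[addr]          # fetch: decode/dispatch may start here
        return "COMMITTED" if self.verify(addr, line) else "SQUASHED"


# Constructed 30-byte code image: two copies of an x86-64 stub
# (push rbp; mov rbp,rsp; mov [rbp-4],edi; mov eax,[rbp-4]; add eax,1; pop rbp; ret).
CODE = bytes.fromhex("554889e5897dfc8b45fc83c0015dc3") * 2


def demo():
    """Clean run, then two attacks from memory-only access: relocating a genuine
    line (with its signature) and patching a byte in place."""
    mem = Memory()
    load_program(mem, MAC_KEY, ENC_KEY, 0x1000, CODE)
    cpu = Pipeline(mem, MAC_KEY, ENC_KEY)
    results = {"clean": cpu.execute(0x1000)}
    mem.lines[0x1010], mem.enc_sigs[0x1010] = mem.lines[0x1000], mem.enc_sigs[0x1000]
    results["relocated"] = cpu.execute(0x1010)
    patched = bytearray(mem.lines[0x1000])
    patched[12] ^= 0x01                      # add eax,1 -> add eax,0
    mem.lines[0x1000] = bytes(patched)
    results["tampered"] = cpu.execute(0x1000)
    return results


if __name__ == "__main__":
    print(demo())   # {'clean': 'COMMITTED', 'relocated': 'SQUASHED', 'tampered': 'SQUASHED'}
```

What the check does not cover is worth stating: an attacker who can run an already-signed line at a time of their choosing (a replay of the old version of a line after an update) still passes, unless the signature also binds a version or the update re-signs under a fresh key.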
-
Patent number: 8782435
Abstract: A processor comprising: an instruction processing pipeline, configured to receive a sequence of instructions for execution, said sequence comprising at least one instruction including a flow control instruction which terminates the sequence; a hash generator, configured to generate a hash associated with execution of the sequence of instructions; a memory configured to securely receive a reference signature corresponding to a hash of a verified corresponding sequence of instructions; verification logic configured to determine a correspondence between the hash and the reference signature; and authorization logic configured to selectively produce a signal, in dependence on a degree of correspondence of the hash with the reference signature.
Type: Grant
Filed: July 15, 2011
Date of Patent: July 15, 2014
Assignee: The Research Foundation for The State University of New York
Inventor: Kanad Ghose
-
Publication number: 20140195821
Abstract: A method for encrypting a program for subsequent execution by a microprocessor configured to decrypt and execute the encrypted program includes receiving an object file specifying an unencrypted program that includes conventional branch instructions whose target address may be determined pre-run time. The method also includes analyzing the program to obtain chunk information that divides the program into a sequence of chunks each comprising a sequence of instructions and that includes encryption key data associated with each of the chunks. The encryption key data associated with each of the chunks is distinct. The method also includes replacing each of the conventional branch instructions that specifies a target address that is within a different chunk than the chunk in which the conventional branch instruction resides with a branch and switch key instruction. The method also includes encrypting the program based on the chunk information.
Type: Application
Filed: October 29, 2013
Publication date: July 10, 2014
Applicant: VIA Technologies, Inc.
Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
-
Publication number: 20140195823
Abstract: A microprocessor includes an architected register having a bit. The microprocessor sets the bit. The microprocessor also includes a fetch unit that fetches encrypted instructions from an instruction cache and decrypts them prior to executing them, in response to the microprocessor setting the bit. The microprocessor saves the value of the bit to a stack in memory and then clears the bit, in response to receiving an interrupt. The fetch unit fetches unencrypted instructions from the instruction cache and executes them without decrypting them, after the microprocessor clears the bit. The microprocessor restores the saved value from the stack in memory to the bit in the architected register, in response to executing a return from interrupt instruction. The fetch unit resumes fetching and decrypting the encrypted instructions, in response to determining that the restored value of the bit is set.
Type: Application
Filed: October 29, 2013
Publication date: July 10, 2014
Applicant: VIA Technologies, Inc.
Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
-
Publication number: 20140195824
Abstract: The present disclosure discloses a protecting method and system of Java source code. When a first initiating class is invoked, the method comprises the following steps, wherein the first initiating class is an initiating class of a Java program: the first initiating class decrypts first cipher data to obtain a class loader; the class loader reads second cipher data to the memory and decrypts the second cipher data to obtain a first class, wherein the first class is a class run by a Java virtual machine, and the suffix of the first class is .class; the class loader loads a second initiating class to the memory, wherein the second initiating class is an original class in the jar packet of the Java program; and the class loader loads the first class to the Java virtual machine so that the Java virtual machine can invoke a main interface in the second initiating class to run the Java program. The present disclosure can protect Java source code and make it difficult to decompile the Java source code.
Type: Application
Filed: August 27, 2012
Publication date: July 10, 2014
Applicant: Feitian Technologies Co., Ltd.
Inventors: Zhou Lu, Huazhang Zu
-
Publication number: 20140195822
Abstract: A microprocessor is provided with a method for decrypting encrypted instruction data into plain text instruction data and securely executing the same. The microprocessor includes a master key register file comprising a plurality of master keys. Selection logic circuitry in the microprocessor selects a combination of at least two of the plurality of master keys. Key expansion circuitry in the microprocessor performs mathematical operations on the selected master keys to generate a decryption key having a long effective key length. Instruction decryption circuitry performs an efficient mathematical operation on the encrypted instruction data and the decryption key to decrypt the encrypted instruction data into plain text instruction data.
Type: Application
Filed: October 29, 2013
Publication date: July 10, 2014
Applicant: VIA Technologies, Inc.
Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
-
Publication number: 20140195820
Abstract: An apparatus for generating a decryption key for use to decrypt a block of encrypted instruction data being fetched from an instruction cache in a microprocessor at a fetch address includes a first multiplexer that selects a first key value from a plurality of key values based on a first portion of the fetch address. A second multiplexer selects a second key value from the plurality of key values based on the first portion of the fetch address. A rotater rotates the first key value based on a second portion of the fetch address. An arithmetic unit selectively adds or subtracts the rotated first key value to or from the second key value based on a third portion of the fetch address to generate the decryption key.
Type: Application
Filed: October 29, 2013
Publication date: July 10, 2014
Applicant: VIA Technologies, Inc.
Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
-
Patent number: 8776031
Abstract: Embodiments of the present invention provide computer program products, methods, and systems for extracting and revising data for a resource embedded in a dynamic-link library (DLL) assembly. In various embodiments, the DLL assembly is loaded and data for a resource is extracted from the assembly. In particular embodiments, a manifest is created that includes a path for the extracted data. This path includes information on placing the data for the resource into the assembly to construct a necessary DLL structure compatible with the program application. After the extracted data has been edited to create replacement data, in various embodiments, the replacement data is imported into the assembly based on the path for the extracted data and the assembly is compiled to create a revised DLL that may be read by the program application in place of or in addition to the original DLL assembly to utilize the replacement data.
Type: Grant
Filed: August 9, 2012
Date of Patent: July 8, 2014
Assignee: Noble Systems Corporation
Inventors: Michael Christopher Frances Goodwin, Andrew Michael Krock
-
Patent number: 8776212
Abstract: A router is placed between a protected computer and devices with which the computer communicates, including peripherals and other computers. The router includes a list of authorized devices that are permitted to send data to the protected computer, against which requests to send data are checked. The router also communicates with a remote authentication service to authenticate devices requesting such permission. The authentication service may be a cloud-based identity service.
Type: Grant
Filed: December 13, 2011
Date of Patent: July 8, 2014
Assignee: SurIDx, Inc.
Inventor: Norman Schibuk
-
Patent number: 8775826
Abstract: Method and apparatus for obfuscating computer software code, to protect against reverse-engineering of the code. The obfuscation here is on the part of the code that accesses buffers (memory locations). Further, the obfuscation process copies or replaces parts of the buffer contents with local variables. This obfuscation is typically carried out by suitably annotating (modifying) the original source code.
Type: Grant
Filed: February 9, 2011
Date of Patent: July 8, 2014
Assignee: Apple Inc.
Inventors: Augustin J. Farrugia, Mathieu Ciet, Pierre Betouin
-
Patent number: 8774402
Abstract: An encryption/decryption apparatus and method using an advanced encryption standard (AES) Rijndael algorithm are provided. The apparatus includes a round key operator that performs arithmetic operations on a round key for a first round and first partial round keys of round keys for second to last rounds and generates the round keys for the second to last rounds, and a round executor that performs an encryption or decryption operation using the round key for the first round and the round keys for the second to last rounds.
Type: Grant
Filed: May 14, 2009
Date of Patent: July 8, 2014
Assignee: Electronics and Telecommunications Research Institute
Inventors: Chang Ho Jung, Hyeon Jin Kim, Il Hwan Park
-
Publication number: 20140189368
Abstract: Instructions and logic provide SIMD secure hashing round slice functionality. Some embodiments include a processor comprising: a decode stage to decode an instruction for a SIMD secure hashing algorithm round slice, the instruction specifying a source data operand set, a message-plus-constant operand set, a round-slice portion of the secure hashing algorithm round, and a rotator set portion of rotate settings. Processor execution units are responsive to the decoded instruction, to perform a secure hashing round-slice set of round iterations upon the source data operand set, applying the message-plus-constant operand set and the rotator set, and store a result of the instruction in a SIMD destination register. One embodiment of the instruction specifies a hash round type as one of four MD5 round types. Other embodiments may specify a hash round type by an immediate operand as one of three SHA-1 round types or as a SHA-2 round type.
Type: Application
Filed: December 29, 2012
Publication date: July 3, 2014
Inventors: Gilbert M. Wolrich, Vinodh Gopal, Kirk S. Yap
-
Patent number: 8769300
Abstract: A technique for content management using group rights is described. The technique facilitates a flexible management for a group of content files mainly by effecting a change of group memberships for subsets of the group and a partial update of the content files. As one aspect, a content file manager (20) is provided to create content files associated with group rights. A device (21) is also provided to process such content files. One method aspect comprises assigning a plurality of content items to a new group whose identifier is associated with a new group rights object; determining if any of the content items has been previously distributed; and for each previously-distributed content item, creating an update content file including the group identifier of the new group and excluding the previously-distributed content item itself.
Type: Grant
Filed: September 18, 2008
Date of Patent: July 1, 2014
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Daniel Catrein, Frank Hartung, Johannes Willig
-
Publication number: 20140181532
Abstract: Raw or unencrypted data is encrypted using a standard encryption algorithm and stored in a Flash memory array. The raw or unencrypted data may be pre-processed before it is encrypted. Pre-processing may include data scrambling, pre-encryption data mixing, or both. Data scrambling may involve an invertible transformation. The scrambled data may then be used to seed a sequence generator. Each output from the sequence generator may be processed using a bit-by-bit Exclusive Or (XOR) operation to impart random or pseudorandom statistical properties. Pre-encryption data mixing may combine the scrambled (or unscrambled) data with information that is unique to each chunk of data, as well as with a user-supplied secret key. This helps ensure that identical raw data chunks are not stored as identical encrypted data chunks in the Flash memory array.
Type: Application
Filed: August 31, 2013
Publication date: June 26, 2014
Applicant: International Business Machines Corporation
Inventor: Charles J. CAMP
-
Publication number: 20140181533
Abstract: A method and structure for a secure object, as tangibly embodied in a computer-readable storage medium. The secure object includes a cryptographically protected region containing at least one of code and data, an initial integrity tree that protects an integrity of contents of the cryptographically protected region; and an unprotected region that includes a loader, an esm (enter secure mode) instruction, and one or more communication buffers.
Type: Application
Filed: September 4, 2013
Publication date: June 26, 2014
Applicant: International Business Machines Corporation
Inventors: Richard Harold Boivie, Peter T. Williams
-
Patent number: 8762736
Abstract: A method, apparatus and computer program product for providing one-time programs is presented. A program to be converted to a new program having a predetermined lifetime is identified. The program is compiled to produce the new program having a predetermined lifetime and wherein the new program having a predetermined lifetime is guaranteed to only have the predetermined lifetime.
Type: Grant
Filed: April 2, 2009
Date of Patent: June 24, 2014
Assignee: Massachusetts Institute of Technology
Inventors: Shafi Goldwasser, Yael Tauman Kalai, Guy Nathanel Rothblum
-
Patent number: 8762741
Abstract: Anonymous information sharing systems and methods enable communication of information to parties in a privacy-preserving manner such that no one other than the designated parties can know the source, recipient, and content of the information. Furthermore, the communication can be accomplished without requiring trial decryption, and protection can be provided against sharing of privileges.
Type: Grant
Filed: January 29, 2009
Date of Patent: June 24, 2014
Assignee: Microsoft Corporation
Inventors: Melissa E. Chase, Sze Ming Chow, Seny Fakaba Kamara