Computer Instruction/address Encryption Patents (Class 713/190)
  • Patent number: 8806648
    Abstract: Automatically classifying security vulnerabilities in computer software applications by identifying candidate security vulnerabilities in a learning set including at least a first computer software application, classifying each of the candidate security vulnerabilities using predefined classifications, determining, for each of the candidate security vulnerabilities, values for predefined properties, creating a set of correlations between the property values and the classifications of the candidate security vulnerabilities, identifying a candidate security vulnerability in a second computer software application, determining, for the candidate security vulnerability in the second computer software application, values for the predefined properties, and using the set of correlations to classify the candidate security vulnerability in the second computer software application with a classification from the predefined classifications that best correlates with the property values of the candidate security vulnerabili
    Type: Grant
    Filed: September 11, 2012
    Date of Patent: August 12, 2014
    Assignee: International Business Machines Corporation
    Inventors: Lotem Guy, Daniel Kalman, Omer Tripp, Omri Weisman
  • Publication number: 20140223195
    Abstract: An encrypted storage device for personal information has a control module, a plug and play interface and a storage unit. The control module has an encryption module and a processing module electrically connected to the encryption module and driving the encryption module to perform an encryption/decryption operation. The plug and play interface is electrically connected to the control module and is adapted to connect with a computer to transmit information to the control module. The storage unit is electrically connected to the control module and has a public data area and an encryption area. The public data area has at least one application. The encryption area is used to store the encryption algorithm information, and the encryption algorithm information can be read after identity authentication and decryption.
    Type: Application
    Filed: August 26, 2013
    Publication date: August 7, 2014
    Inventor: Ju Long Wei
  • Patent number: 8799671
    Abstract: Techniques are generally described that relate to methods for detecting the encryption status of a data file or data stream and selectively encrypting the data file or data stream based on that encryption status. Example methods may include one or more of reading the data file or data stream from a data source, calculating a value of a property of the data file or data stream, comparing the calculated value with a threshold value to determine whether the file is encrypted or unencrypted, and encrypting files that are determined to be unencrypted.
    Type: Grant
    Filed: May 6, 2009
    Date of Patent: August 5, 2014
    Assignee: Empire Technology Development LLC
    Inventors: Thomas Martin Conte, Andrew Wolfe
  • Patent number: 8800053
    Abstract: An executable content message stream filter applies a plurality of executable content filters to a stream of parsed elements of a network message. Each of the plurality of executable content filters targets executable content and is instantiated based on a set of one or more rule sets selected based, at least in part, on a type of the network message. For each of the plurality of executable content filters, it is determined if one or more of the stream of parsed elements includes executable content targeted by the executable content filter. The executable content message stream filter modifies those of the stream of parsed elements that include the executable content targeted by the plurality of executable content filters to disable the executable content.
    Type: Grant
    Filed: July 2, 2012
    Date of Patent: August 5, 2014
    Assignee: International Business Machines Corporation
    Inventors: Ai Ishida, Todd E. Kaplinger, Satoshi Makino, Masayoshi Teraguchi, Naohiko Uramoto
  • Patent number: 8799656
    Abstract: Methods for anonymous authentication and key exchange are presented. In one embodiment, a method includes initiating a two-way mutual authentication between a device and a remote entity. The device remains anonymous to the remote entity after performing the authentication. The method also includes establishing a mutually shared session key for use in secure communication, wherein the initiating and the establishing are in conjunction with direct anonymous attestation (DAA).
    Type: Grant
    Filed: October 27, 2010
    Date of Patent: August 5, 2014
    Assignee: Intel Corporation
    Inventors: Ernest F. Brickell, Jiangtao Li, Jesse Walker
  • Patent number: 8799678
    Abstract: A system and method for the secure storage of executable code and the secure movement of such code from memory to a processor. The method includes the storage of an encrypted version of the code. The code is then decrypted and decompressed as necessary, before re-encryption in storage. The re-encrypted executable code is then written to external memory. As a cache line of executable code is required, a fetch is performed but intercepted. In the interception, the cache line is decrypted. The plain text cache line is then stored in an instruction cache associated with a processor.
    Type: Grant
    Filed: June 1, 2010
    Date of Patent: August 5, 2014
    Assignee: Broadcom Corporation
    Inventor: Mark Buer
  • Patent number: 8799679
    Abstract: A method comprising the steps of creating a random permutation of data from a data input by executing at least one of a Pseudo-Random Permutation (PRP) and a Pseudo-Random Function (PRF), creating a first data block by combining the random permutation of data with a received second data block and executing an ?-differentially uniform function on the result of the combination, XORing the result of the ?-DU function evaluation with a secret key, and reducing the first data block to a first message authentication code.
    Type: Grant
    Filed: May 15, 2013
    Date of Patent: August 5, 2014
    Assignee: Alcatel Lucent
    Inventors: Juan A. Garay, Vladimir Kolesnikov, Hubert R. McLellan
  • Publication number: 20140215225
    Abstract: A method for increasing security of software is provided. The method includes replacing a part of a code section comprised in a binary source file of the software with a pre-set special command, creating a table of correspondence that contains correspondence information between the part of the code section and the pre-set special command according to the replacing, and inserting the table of correspondence into a command preprocessor execution file of the software.
    Type: Application
    Filed: December 30, 2013
    Publication date: July 31, 2014
    Applicant: Samsung Electronics Co., Ltd.
    Inventor: Oleksandr KOLIESNIK
  • Patent number: 8792637
    Abstract: An encryption key may be generated based on personalized unit data associated with a software download recipient, for example, a secure processor. In some aspects, the secure processor may generate a decryption key based on its personalized unit data, and a software download may be performed between the software provider and the secure processor using the generated encryption keys. The secure processor may then decrypt and load the software for execution. The encryption and decryption key generation may also be based on a sequence number or other data indicating one or more previous software downloads at the secure processor. Using the sequence number or other data, sequences of multiple encryption and/or decryption keys may be generated to support multiple software downloads to a secure processor.
    Type: Grant
    Filed: November 22, 2011
    Date of Patent: July 29, 2014
    Assignee: Combined Conditional Access Development & Support, LLC
    Inventors: Lawrence W Tang, Douglas M Petty, Michael T Habrat
  • Patent number: 8788846
    Abstract: A cloud computing system is disclosed. The cloud computing system includes a management server that manages a plurality of servers and distributes service resources. Each of the servers corresponds to one of a secure server type and a general server type, and the secure server type of server decrypts an encrypted code provided from a client. Accordingly, a secure server can execute code requiring security. In particular, by classifying a program code as a general code or a secret code, the general server can also perform the partial function of a program.
    Type: Grant
    Filed: October 12, 2012
    Date of Patent: July 22, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Jong Youl Park, Seung Yun Lee
  • Patent number: 8787567
    Abstract: In accordance with particular embodiments, a computer-implemented method for execution by one or more processors includes intercepting a communication comprising a message. The method also includes identifying words from within the message. The method further includes storing in a dictionary words from within the message of the communication and one or more parameters of the communication for each of the words. The dictionary comprises a plurality of words from a plurality of intercepted text-based communications. The method also includes receiving an encrypted file that is configured to be decrypted using a password. The method additionally includes identifying words from the dictionary to be used to attempt to decrypt the encrypted file. The identified words are identified based on at least one parameter associated with the encrypted file and the one or more parameters stored in the dictionary.
    Type: Grant
    Filed: February 22, 2011
    Date of Patent: July 22, 2014
    Assignee: Raytheon Company
    Inventors: Monty D. McDougal, Randy S. Jennings, William E. Sterns
  • Patent number: 8788840
    Abstract: A secure hardware comprises a secure pipe, a secure DMA, a secure assist and a secure bus, which connects those blocks. The secure pipe stores a common encryption key in an encryption key table so that it cannot be accessed from software. The secure DMA comprises a data common key system process function and a hashing process function. The secure assist comprises a common key system process function and an authentication process function, receives an issued command from a program executed by the processor core via a public IF, and performs setting/control of the secure pipe and the secure DMA via the secure bus.
    Type: Grant
    Filed: March 8, 2013
    Date of Patent: July 22, 2014
    Assignee: Fujitsu Semiconductor Limited
    Inventor: Seiji Goto
  • Patent number: 8782434
    Abstract: A pipelined processor comprising a cache memory system, fetching instructions for execution from a portion of said cache memory system, an instruction commencing processing before a digital signature of the cache line that contained the instruction is verified against a reference signature of the cache line, the verification being done at the point of decoding, dispatching, or committing execution of the instruction, the reference signature being stored in an encrypted form in the processor's memory, and the key for decrypting the said reference signature being stored in a secure storage location. The instruction processing proceeds when the two signatures exactly match; on a mismatch of the two said signatures, further instruction processing is suspended or processing is modified.
    Type: Grant
    Filed: July 15, 2011
    Date of Patent: July 15, 2014
    Assignee: The Research Foundation for the State University of New York
    Inventor: Kanad Ghose
  • Patent number: 8782435
    Abstract: A processor comprising: an instruction processing pipeline, configured to receive a sequence of instructions for execution, said sequence comprising at least one instruction including a flow control instruction which terminates the sequence; a hash generator, configured to generate a hash associated with execution of the sequence of instructions; a memory configured to securely receive a reference signature corresponding to a hash of a verified corresponding sequence of instructions; verification logic configured to determine a correspondence between the hash and the reference signature; and authorization logic configured to selectively produce a signal, in dependence on a degree of correspondence of the hash with the reference signature.
    Type: Grant
    Filed: July 15, 2011
    Date of Patent: July 15, 2014
    Assignee: The Research Foundation for The State University of New York
    Inventor: Kanad Ghose
  • Patent number: 8782433
    Abstract: This document discloses data security systems and methods of securing data. A cache memory can be connected between a decryption engine and a central processing unit (“CPU”) to increase security of encrypted data that is stored in a datastore. The decryption engine can retrieve the encrypted data from the datastore, decrypt the data, and store the decrypted data in the cache. In turn, the decrypted data can be accessed by the CPU. The data can be encrypted with a secret key, so that decryption can be performed with the secret key. The key can be varied based on a memory address associated with the data. The key can be protected by restricting direct access to the decryption engine by the CPU.
    Type: Grant
    Filed: September 10, 2008
    Date of Patent: July 15, 2014
    Assignee: Inside Secure
    Inventors: Majid Kaabouch, Alexandre Croguennec, Carine Lefort
  • Publication number: 20140195822
    Abstract: A microprocessor is provided with a method for decrypting encrypted instruction data into plain text instruction data and securely executing the same. The microprocessor includes a master key register file comprising a plurality of master keys. Selection logic circuitry in the microprocessor selects a combination of at least two of the plurality of master keys. Key expansion circuitry in the microprocessor performs mathematical operations on the selected master keys to generate a decryption key having a long effective key length. Instruction decryption circuitry performs an efficient mathematical operation on the encrypted instruction data and the decryption key to decrypt the encrypted instruction data into plain text instruction data.
    Type: Application
    Filed: October 29, 2013
    Publication date: July 10, 2014
    Applicant: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
  • Publication number: 20140195820
    Abstract: An apparatus for generating a decryption key for use to decrypt a block of encrypted instruction data being fetched from an instruction cache in a microprocessor at a fetch address includes a first multiplexer that selects a first key value from a plurality of key values based on a first portion of the fetch address. A second multiplexer selects a second key value from the plurality of key values based on the first portion of the fetch address. A rotater rotates the first key value based on a second portion of the fetch address. An arithmetic unit selectively adds or subtracts the rotated first key value to or from the second key value based on a third portion of the fetch address to generate the decryption key.
    Type: Application
    Filed: October 29, 2013
    Publication date: July 10, 2014
    Applicant: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
  • Publication number: 20140195823
    Abstract: A microprocessor includes an architected register having a bit. The microprocessor sets the bit. The microprocessor also includes a fetch unit that fetches encrypted instructions from an instruction cache and decrypts them prior to executing them, in response to the microprocessor setting the bit. The microprocessor saves the value of the bit to a stack in memory and then clears the bit, in response to receiving an interrupt. The fetch unit fetches unencrypted instructions from the instruction cache and executes them without decrypting them, after the microprocessor clears the bit. The microprocessor restores the saved value from the stack in memory to the bit in the architected register, in response to executing a return from interrupt instruction. The fetch unit resumes fetching and decrypting the encrypted instructions, in response to determining that the restored value of the bit is set.
    Type: Application
    Filed: October 29, 2013
    Publication date: July 10, 2014
    Applicant: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
  • Publication number: 20140195824
    Abstract: The present disclosure discloses a protecting method and system of Java source code. When a first initiating class is invoked, the method comprises following steps, wherein the first initiating class is an initiating class of Java program: the first initiating class decrypts first cipher data to obtain a class loader; the class loader reads second cipher data to the memory and decrypts the second cipher data to obtain a first class, wherein the first class is a class run by a Java virtual machine, and the suffix of the first class is .class; the class loader loads a second initiating class to the memory; wherein the second initiating class is an original class in jar packet of the Java program; and the class loader loads the first class to the Java virtual machine so that the Java virtual machine can invoke a main interface in the second initiating class to run the Java program. The present disclosure can protect Java source code and make it difficult to decompile the Java source code.
    Type: Application
    Filed: August 27, 2012
    Publication date: July 10, 2014
    Applicant: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Zu
  • Publication number: 20140195821
    Abstract: A method for encrypting a program for subsequent execution by a microprocessor configured to decrypt and execute the encrypted program includes receiving an object file specifying an unencrypted program that includes conventional branch instructions whose target address may be determined pre-run time. The method also includes analyzing the program to obtain chunk information that divides the program into a sequence of chunks each comprising a sequence of instructions and that includes encryption key data associated with each of the chunks. The encryption key data associated with each of the chunks is distinct. The method also includes replacing each of the conventional branch instructions that specifies a target address that is within a different chunk than the chunk in which the conventional branch instruction resides with a branch and switch key instruction. The method also includes encrypting the program based on the chunk information.
    Type: Application
    Filed: October 29, 2013
    Publication date: July 10, 2014
    Applicant: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
  • Patent number: 8775826
    Abstract: Method and apparatus for obfuscating computer software code, to protect against reverse-engineering of the code. The obfuscation here is on the part of the code that accesses buffers (memory locations). Further, the obfuscation process copies or replaces parts of the buffer contents with local variables. This obfuscation is typically carried out by suitably annotating (modifying) the original source code.
    Type: Grant
    Filed: February 9, 2011
    Date of Patent: July 8, 2014
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Mathieu Ciet, Pierre Betouin
  • Patent number: 8774402
    Abstract: An encryption/decryption apparatus and method using an advanced encryption standard (AES) Rijndael algorithm are provided. The apparatus includes a round key operator that performs arithmetic operations on a round key for a first round and first partial round keys of round keys for second to last rounds and generates the round keys for the second to last rounds, and a round executor that performs an encryption or decryption operation using the round key for the first round and the round keys for the second to last rounds.
    Type: Grant
    Filed: May 14, 2009
    Date of Patent: July 8, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Chang Ho Jung, Hyeon Jin Kim, Il Hwan Park
  • Patent number: 8776212
    Abstract: A router is placed between a protected computer and devices with which the computer communicates, including peripherals and other computers. The router includes a list of authorized devices that are permitted to send data to the protected computer, against which requests to send data are checked. The router also communicates with a remote authentication service to authenticate devices requesting such permission. The authentication service may be a cloud-based identity service.
    Type: Grant
    Filed: December 13, 2011
    Date of Patent: July 8, 2014
    Assignee: SurIDx, Inc.
    Inventor: Norman Schibuk
  • Patent number: 8776031
    Abstract: Embodiments of the present invention provide computer program products, methods, and systems for extracting and revising data for a resource embedded in a dynamic-link library (DLL) assembly. In various embodiments, the DLL assembly is loaded and data for a resource is extracted from the assembly. In particular embodiments, a manifest is created that includes a path for the extracted data. This path includes information on placing the data for the resource into the assembly to construct a necessary DLL structure compatible with the program application. After the extracted data has been edited to create replacement data, in various embodiments, the replacement data is imported into the assembly based on the path for the extracted data and the assembly is compiled to create a revised DLL that may be read by the program application in place of or in addition to the original DLL assembly to utilize the replacement data.
    Type: Grant
    Filed: August 9, 2012
    Date of Patent: July 8, 2014
    Assignee: Noble Systems Corporation
    Inventors: Michael Christopher Frances Goodwin, Andrew Michael Krock
  • Publication number: 20140189368
    Abstract: Instructions and logic provide SIMD secure hashing round slice functionality. Some embodiments include a processor comprising: a decode stage to decode an instruction for a SIMD secure hashing algorithm round slice, the instruction specifying a source data operand set, a message-plus-constant operand set, a round-slice portion of the secure hashing algorithm round, and a rotator set portion of rotate settings. Processor execution units are responsive to the decoded instruction to perform a secure hashing round-slice set of round iterations upon the source data operand set, applying the message-plus-constant operand set and the rotator set, and store a result of the instruction in a SIMD destination register. One embodiment of the instruction specifies a hash round type as one of four MD5 round types. Other embodiments may specify a hash round type by an immediate operand as one of three SHA-1 round types or as a SHA-2 round type.
    Type: Application
    Filed: December 29, 2012
    Publication date: July 3, 2014
    Inventors: Gilbert M. Wolrich, Vinodh Gopal, Kirk S. Yap
  • Patent number: 8769300
    Abstract: A technique for content management using group rights is described. The technique facilitates a flexible management for a group of content files mainly by effecting a change of group memberships for subsets of the group and a partial update of the content files. As one aspect, a content file manager (20) is provided to create content files associated with group rights. A device (21) is also provided to process such content files. One method aspect comprises assigning a plurality of content items to a new group whose identifier is associated with a new group rights object; determining if any of the content items has been previously distributed; and for each previously-distributed content item, creating an update content file including the group identifier of the new group and excluding the previously-distributed content item itself.
    Type: Grant
    Filed: September 18, 2008
    Date of Patent: July 1, 2014
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Daniel Catrein, Frank Hartung, Johannes Willig
  • Publication number: 20140181532
    Abstract: Raw or unencrypted data is encrypted using a standard encryption algorithm and stored in a Flash memory array. The raw or unencrypted data may be pre-processed before it is encrypted. Pre-processing may include data scrambling, pre-encryption data mixing, or both. Data scrambling may involve an invertible transformation. The scrambled data may then be used to seed a sequence generator. Each output from the sequence generator may be processed using a bit-by-bit Exclusive Or (XOR) operation to impart random or pseudorandom statistical properties. Pre-encryption data mixing may combine the scrambled (or unscrambled) data with information that is unique to each chunk of data, as well as with a user-supplied secret key. This helps ensure that identical raw data chunks are not stored as identical encrypted data chunks in the Flash memory array.
    Type: Application
    Filed: August 31, 2013
    Publication date: June 26, 2014
    Applicant: International Business Machines Corporation
    Inventor: Charles J. CAMP
  • Publication number: 20140181533
    Abstract: A method and structure for a secure object, as tangibly embodied in a computer-readable storage medium. The secure object includes a cryptographically protected region containing at least one of code and data, an initial integrity tree that protects an integrity of contents of the cryptographically protected region; and an unprotected region that includes a loader, an esm (enter secure mode) instruction, and one or more communication buffers.
    Type: Application
    Filed: September 4, 2013
    Publication date: June 26, 2014
    Applicant: International Business Machines Corporation
    Inventors: Richard Harold Boivie, Peter T. Williams
  • Patent number: 8762741
    Abstract: Anonymous information sharing systems and methods enable communication of information to parties in a privacy-preserving manner such that no one other than the designated parties can know the source, recipient, and content of the information. Furthermore, the communication can be accomplished without requiring trial decryption, and protection can be provided against sharing of privileges.
    Type: Grant
    Filed: January 29, 2009
    Date of Patent: June 24, 2014
    Assignee: Microsoft Corporation
    Inventors: Melissa E. Chase, Sze Ming Chow, Seny Fakaba Kamara
  • Patent number: 8762740
    Abstract: An information processing system has a power supply section which detects a predetermined potential applied to a USB terminal and supplies the potential as a source potential, an information detection section which detects the predetermined information supplied to the USB terminal, and a processing section which executes, subsequent to the detection of the predetermined potential, the encoding process or the decoding process in accordance with at least the operating information supplied from the operation key arranged on the body and in accordance with the predetermined information supplied to the USB terminal after detection of the predetermined information. The recording and reproducing operation can be performed with the operating key on the body with power supplied only from the USB terminal.
    Type: Grant
    Filed: October 31, 2012
    Date of Patent: June 24, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Hirofumi Kanai
  • Patent number: 8762736
    Abstract: A method, apparatus and computer program product for providing one-time programs is presented. A program to be converted to a new program having a predetermined lifetime is identified. The program is compiled to produce the new program having a predetermined lifetime and wherein the new program having a predetermined lifetime is guaranteed to only have the predetermined lifetime.
    Type: Grant
    Filed: April 2, 2009
    Date of Patent: June 24, 2014
    Assignee: Massachusetts Institute of Technology
    Inventors: Shafi Goldwasser, Yael Tauman Kalai, Guy Nathanel Rothblum
  • Publication number: 20140173293
    Abstract: A processor, a method and a computer-readable storage medium for encrypting a return address are provided. The processor comprises hardware logic configured to encrypt an instruction pointer and push the encrypted instruction pointer onto a stack. The logic is further configured to retrieve the encrypted instruction pointer from the stack, decrypt the instruction pointer and redirect execution to the decrypted instruction pointer.
    Type: Application
    Filed: December 17, 2012
    Publication date: June 19, 2014
    Applicant: Advanced Micro Devices, Inc.
    Inventor: David A. KAPLAN
  • Patent number: 8756435
    Abstract: Methods, media and systems that obfuscate control flow in software programs. The obfuscation can impede or prevent static flow analysis of a software program's control flow. In one embodiment, a method, performed by a data processing system, identifies each branch point in a set of branch points in a first version of software and replaces, in each branch point in the set, a representation of a target of the branch point with a computed value that depends upon at least one prior computed value in a stream of instructions in the first version of software. Other embodiments are also described.
    Type: Grant
    Filed: October 19, 2012
    Date of Patent: June 17, 2014
    Assignee: Apple Inc.
    Inventors: Julien Lerouge, Jonathan G. McLachlan, Daniel F. Reynaud
  • Patent number: 8756417
    Abstract: A multi-mode Trusted Computing Platform (TCP) comprising a Field Programmable Gate Array (FPGA) device that includes a Type-1-compliant root of trust (ROT), a memory containing a Type-1 security boot image and at least one lower-security boot image, and a memory containing a Type-1-associated operating system (OS) image and at least one lower-security-associated OS image. The TCP is configured to execute a multi-stage boot process that, depending on the presence of one or more valid external inputs, selects and initiates either a Type-1 TCP computing mode or a lower-assurance computing mode.
    Type: Grant
    Filed: February 4, 2014
    Date of Patent: June 17, 2014
    Assignee: Sypris Electronics, LLC
    Inventor: Douglas J. Gardner
  • Publication number: 20140164787
    Abstract: A control method is executed by an information processing apparatus that includes a first processor; a second processor that executes a program to be protected; first memory that is shared between the first and the second processors; and non-volatile second memory that stores the program to be protected. The control method includes reading the program that is to be protected and stored in the second memory, when the information processing apparatus is started up; encrypting the read program only once after start up of the information processing apparatus; writing the encrypted program into the first memory; and decrypting the encrypted program that is written in the first memory, and causing the second processor to execute the decrypted program.
    Type: Application
    Filed: October 29, 2013
    Publication date: June 12, 2014
    Applicant: FUJITSU LIMITED
    Inventor: Keizou UENO
  • Publication number: 20140164788
    Abstract: A state sensitive device is described, the device including a state register which stores a record of the effective-state of the device, a mask field having a value which varies according to a value of the state register, and a processor which changes the value of the mask field to a new value of the mask field when there is a change in the value of the state register, wherein, the processor performs a state dependent calculation requiring the value of the mask field as an operand in the state dependent calculation which will yield an incorrect result if the value of the mask field does not properly correspond to the value of the state register. Related methods, systems and apparatus are also described.
    Type: Application
    Filed: December 9, 2013
    Publication date: June 12, 2014
    Inventors: Yaacov Belenky, Chaim Shen-Orr
  • Patent number: 8751822
    Abstract: A method and apparatus 20 for securing executable code embodying a cipher 12 using a metamorphic algorithm 24. The metamorphic algorithm 24 dynamically executes polymorphic primitives 43, each of which implements a functional component 41 of the cryptographic algorithm 12. When a halting condition is met, the output of the cryptographic algorithm 12 occurs.
    Type: Grant
    Filed: December 21, 2010
    Date of Patent: June 10, 2014
    Assignee: Motorola Mobility LLC
    Inventor: Lex Aaron Anderson
  • Patent number: 8751830
    Abstract: A method and circuit arrangement selectively stream data to an encryption or compression engine based upon encryption and/or compression-related page attributes stored in a memory address translation data structure such as an Effective To Real Translation (ERAT) or Translation Lookaside Buffer (TLB). A memory address translation data structure may be accessed, for example, in connection with a memory access request for data in a memory page, such that attributes associated with the memory page in the data structure may be used to control whether data is encrypted/decrypted and/or compressed/decompressed in association with handling the memory access request.
    Type: Grant
    Filed: January 23, 2012
    Date of Patent: June 10, 2014
    Assignee: International Business Machines Corporation
    Inventors: Adam J. Muff, Paul E. Schardt, Robert A. Shearer, Matthew R. Tubbs
  • Patent number: 8751823
    Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for obfuscating branches in computer code. A compiler or a post-compilation tool can obfuscate branches by receiving source code, and compiling the source code to yield computer-executable code. The compiler identifies branches in the computer-executable code, and determines a return address and a destination value for each branch. Then, based on the return address and the destination value for each branch, the compiler constructs a binary tree with nodes and leaf nodes, each node storing a balanced value, and each leaf node storing a destination value. The non-leaf nodes are arranged such that searching the binary tree by return address leads to a corresponding destination value. Then the compiler inserts the binary tree in the computer-executable code and replaces each branch with instructions in the computer-executable code for performing a branching operation based on the binary tree.
    Type: Grant
    Filed: August 1, 2011
    Date of Patent: June 10, 2014
    Assignee: Apple Inc.
    Inventors: Gideon M. Myles, Julien Lerouge, Jon McLachlan, Ganna Zaks, Augustin J. Farrugia
  • Patent number: 8752032
    Abstract: Methods and devices for thwarting code and control flow based attacks on software. The source code of a subject piece of software is automatically divided into basic blocks of logic. Selected basic blocks are amended so that their outputs are extended. Similarly, other basic blocks are amended such that their inputs are correspondingly extended. The amendments increase or create dependencies between basic blocks such that tampering with one basic block's code causes other basic blocks to malfunction when executed.
    Type: Grant
    Filed: February 23, 2007
    Date of Patent: June 10, 2014
    Assignee: Irdeto Canada Corporation
    Inventors: Harold Joseph Johnson, Yuan Xiang Gu, Yongxin Zhou
  • Patent number: 8751798
    Abstract: A system and method of providing universal digital rights management system protection is described. One feature of the invention concerns systems and methods for repackaging and securing data packaged under any file format type, compression technique, or digital rights management system. Another feature of the invention is directed to systems and methods for securing data by providing scalability through the use of modular data manipulation software objects.
    Type: Grant
    Filed: March 16, 2010
    Date of Patent: June 10, 2014
    Assignee: Intel Corporation
    Inventors: Jeffrey M. Ayars, Bradley D. Hefta-Gaub, Daniel Sheeran
  • Patent number: 8745408
    Abstract: An instruction decryption arrangement includes an input interface configured to receive an encrypted instruction, a decryption key updater configured to output a decryption key, and an instruction decrypter including a first input connected to the input interface and a second input connected to the decryption key updater, and configured to decrypt the encrypted instruction using the decryption key and to provide a decrypted instruction. The decryption key updater is further configured to update the decryption key using at least one of the encrypted instruction and the decrypted instruction. An alternative instruction decryption arrangement includes a key stream module configured to iteratively determine a key state corresponding to a current instruction for a computing unit and an instruction decrypter configured to receive an encrypted instruction related to the current instruction and decrypt the encrypted instruction using the key state to provide a decrypted instruction.
    Type: Grant
    Filed: April 8, 2011
    Date of Patent: June 3, 2014
    Assignee: Infineon Technologies AG
    Inventor: Stefan Mangard
  • Patent number: 8745406
    Abstract: The invention provides for a method of encrypting and executing an executable image, comprising: flagging sections of the executable image to be encrypted using commands in source files and compiling said executable images so as to generate object files; linking one or more of said executable images using a linker to produce a final executable image; passing said linked executable images to a post-linker encryption engine to encrypt a relocation fix-up patch table and sections of executable images flagged for encryption; and, at load time, decrypting, relocating and executing the executable images.
    Type: Grant
    Filed: October 10, 2006
    Date of Patent: June 3, 2014
    Assignee: Nytell Software LLC
    Inventor: Colin King
  • Patent number: 8745407
    Abstract: A virtual machine or hardware processor for an IC-card portable electronic device includes a non-volatile memory unit, a remote decryption unit, and associated objects for storing an executable program in an encrypted format in the non-volatile memory. The IC-card stores a licence key to encrypt and decrypt the executable program through an IC-card interface. The IC-card interface extracts and encrypts the operands of the plain executable program into encrypted operands so as to not limit performance. The remote decryption unit detects if an instruction contains encrypted operands, and queries a decryption to the IC-card interface. The IC-card interface decrypts the encrypted operands and re-encrypts the just decrypted operands into obscured operands through a dynamic obscuration key.
    Type: Grant
    Filed: May 2, 2006
    Date of Patent: June 3, 2014
    Assignee: STMicroelectronics N.V.
    Inventors: Francesco Varone, Pasquale Vastano, Amedeo Veneroso
  • Patent number: 8745693
    Abstract: A computer program product for use with dictated medical patient information resides on a computer-readable medium and comprises computer-readable instructions for causing a computer to analyze the dictated information, identify likely confidential information in the dictated medical patient information, and treat the likely confidential information disparately from likely non-confidential information in the dictated medical patient information.
    Type: Grant
    Filed: January 15, 2010
    Date of Patent: June 3, 2014
    Assignee: Nuance Communications, Inc.
    Inventors: Roger S. Zimmerman, Paul Egerman, Benjamin Chigier
  • Patent number: 8738932
    Abstract: A system and method for processor-based security is provided, for on-chip security and trusted computing services for software applications. A processor is provided having a processor core, a cache memory, a plurality of registers for storing at least one hash value and at least one encryption key, a memory interface, and at least one on-chip instruction for creating a secure memory area in a memory external to the processor, and a hypervisor program executed by the processor. The hypervisor program instructs the processor to execute the at least one on-chip instruction to create a secure memory area for a software module, and the processor encrypts data written to, and decrypts data read from, the external memory using the at least one encryption key, and verifies data read from the external memory using the at least one hash value. Secure module interactions are provided, as well as the generation of a power-on key which can be used to protect memory in the event of a re-boot event.
    Type: Grant
    Filed: January 19, 2010
    Date of Patent: May 27, 2014
    Assignee: Teleputers, LLC
    Inventors: Ruby B. Lee, Champagne David
  • Publication number: 20140143553
    Abstract: A method for maintaining a single file in a shared storage is disclosed. The method comprises storing the single file and corresponding information into a virtual disk so that there is a direct mapping between each file byte and a byte in a sector of the virtual disk; encrypting the virtual disk according to a disk encryption algorithm; and uploading the encrypted virtual disk to the shared storage.
    Type: Application
    Filed: April 2, 2013
    Publication date: May 22, 2014
    Applicant: CLOUDIOH INC.
    Inventor: Yan-Cheng Chang
  • Patent number: 8732806
    Abstract: Aspects of a method and system for hardware enforced virtualization in an integrated circuit are provided. In this regard, a mode of operation of an integrated circuit may be controlled such that the integrated circuit alternates between a secure mode of operation and an open mode of operation. Various resources of the integrated circuit may be designated as open or secure, and secure resources may be made inaccessible while the integrated circuit operates in the open mode. Access to the secure resources may be controlled based on a configuration of one or more registers and/or switching elements. Resources designated as secure may comprise, for example, a one-time-programmable memory. The integrated circuit may comprise ROM and/or one-time-programmable memory that stores one or more instructions, wherein execution of the one or more instructions may control transitions between the secure mode and the open mode.
    Type: Grant
    Filed: September 14, 2009
    Date of Patent: May 20, 2014
    Assignee: Broadcom Corporation
    Inventors: John Markey, Love Kothari, Paul Chou
  • Patent number: 8726037
    Abstract: Various systems and methods for encrypting data are disclosed. In one aspect, the method includes receiving a memory address and a value to be written in the memory address. The method also includes encrypting the value using the memory address as an initial value for an encryption process. The method also includes storing the encrypted value in the memory address.
    Type: Grant
    Filed: September 27, 2011
    Date of Patent: May 13, 2014
    Assignee: Atmel Corporation
    Inventors: Guillaume Pean, Alain Vergnes, Michel Douguet
  • Patent number: 8726042
    Abstract: Various mechanisms are disclosed for protecting the security of memory in a computing environment. A security layer can have an encryption layer and a hashing layer that can dynamically encrypt and then dynamically hash sensitive information, as it is being loaded to dynamic memory of a computing device. For example, a memory unit that can correspond to a memory page can be processed by the security layer, and header data, code, and protect-worthy data can be secured, while other non-sensitive data can be left alone. Once such information is secured and stored in dynamic memory, it can be accessed at a later time by a processor and unencrypted and hash checked. Then, it can be loaded back onto the dynamic memory, thereby preventing direct memory access attacks.
    Type: Grant
    Filed: February 29, 2008
    Date of Patent: May 13, 2014
    Assignee: Microsoft Corporation
    Inventors: Sebastian Lange, Dinarte R. Morais, Victor Tan, Adam G. Poulos