Computer Instruction/address Encryption Patents (Class 713/190)
  • Patent number: 8726035
    Abstract: Systems and methods are described which utilize a recursive security protocol for the protection of digital data. These may include encrypting a bit stream with a first encryption algorithm and associating a first decryption algorithm with the encrypted bit stream. The resulting bit stream may then be encrypted with a second encryption algorithm to yield a second bit stream. This second bit stream is then associated with a second decryption algorithm. This second bit stream can then be decrypted by an intended recipient using associated keys.
    Type: Grant
    Filed: May 27, 2010
    Date of Patent: May 13, 2014
    Assignee: Krimmeni Technologies, Inc.
    Inventor: William V. Oxford
  • Patent number: 8726040
    Abstract: Side channel attacks against a computing device are prevented by combinations of scrambling data to be stored in memory and scrambling the memory addresses of the data using software routines to execute scrambling and descrambling functions. Encrypted versions of variables, data and lookup tables, commonly employed in cryptographic algorithms, are thus dispersed into pseudorandom locations. Data and cryptographic primitives that require data-dependent memory accesses are thus shielded from attacks that could reveal memory access patterns and compromise cryptographic keys.
    Type: Grant
    Filed: June 1, 2012
    Date of Patent: May 13, 2014
    Assignee: SanDisk Technologies Inc.
    Inventors: Boris Dolgunov, Arseniy Aharonov
  • Patent number: 8719590
    Abstract: Cloud infrastructure of an information processing system comprises one or more processing devices implementing a plurality of virtual machines. The cloud infrastructure is configured to receive a processing job from a tenant, to obtain a first key specific to the tenant, to determine a second key utilizing information supplied by the tenant, and to encrypt one or more results of the processing job utilizing a combination of the first key and the second key. At least a portion of the second key is determined by at least one application that is run on at least one virtual machine of the cloud infrastructure in conjunction with performance of the processing job. The encrypted results of the processing job may be stored in a virtual memory of the cloud infrastructure and transmitted to the tenant.
    Type: Grant
    Filed: June 18, 2012
    Date of Patent: May 6, 2014
    Assignee: EMC Corporation
    Inventors: Sorin Faibish, Percy Tzelnic
  • Patent number: 8719588
    Abstract: Apparatus, systems, and methods may operate to provide, to a memory device, an obfuscated clear-page address derived from a clear-page address that is not the same as a key-page address and/or providing, to the memory device, an obfuscated key-page address derived from the key-page address when the obfuscated clear-page address is the same as the key-page address. Additional apparatus, systems, and methods are disclosed.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: May 6, 2014
    Assignee: Atmel Corporation
    Inventors: Brad Garner, Balaji Badam
  • Patent number: 8719927
    Abstract: Technologies are generally described for data filtering for communication devices. In one example, a method of receiving data from a data source on a communication device is disclosed. The method includes determining, at the communication device, a domain name of the data source. The method also includes determining, at the communication device, one or more communication networks the communication device is connected to. The method further includes processing, at the communication device, the domain name for acceptance based on the one or more connected communication networks. The method also includes receiving the data from the data source, at the communication device, if the domain name is accepted.
    Type: Grant
    Filed: September 28, 2010
    Date of Patent: May 6, 2014
    Assignee: Empire Technology Development LLC
    Inventors: Hidayah Hassan-Le Neel, Olivier Pierre Marie Le Neel
  • Patent number: 8719589
    Abstract: A microprocessor includes a storage element having a plurality of locations each storing decryption key data associated with an encrypted program. A control register field (may be x86 EFLAGS register reserved field) specifies a storage element location associated with a currently executing encrypted program. The microprocessor restores from memory to the control register a previously saved value of the field in response to executing a return from interrupt instruction. A fetch unit fetches encrypted instructions of the currently executing encrypted program and decrypts them using the decryption key data stored in the storage element location specified by the restored field value. A kill bit associated with each storage element location may be employed if the location is clobbered because more encrypted programs are multitasked than available locations in the storage element, in which case an exception is generated to re-load the clobbered decryption key data in response to the return from interrupt instruction.
    Type: Grant
    Filed: April 21, 2011
    Date of Patent: May 6, 2014
    Assignee: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
  • Patent number: 8713327
    Abstract: A circuit for enabling communication of cryptographic data in an integrated circuit is disclosed. The circuit comprises a first interface coupled to receive data having a first security level; a second interface coupled to receive data having a second security level; a cryptographic application; and a routing block coupled between the first and second interfaces and the cryptographic application, the routing block comprising configurable logic, wherein the routing block is configurable to selectively route the data having the first security level by way of the first interface and to route data having the second security level by way of the second interface. A method of enabling communication of cryptographic data in an integrated circuit is also disclosed.
    Type: Grant
    Filed: February 2, 2009
    Date of Patent: April 29, 2014
    Assignee: Xilinx, Inc.
    Inventors: Edward S. Peterson, Jason J. Moore
  • Patent number: 8712039
    Abstract: An efficient implementation of SHA-512, and similarly SHA-384, on an ARM processor. The implementation maximizes reuse of the register values between iterations so as to minimize the need to load these values from memory. This is achieved by categorizing the iterations into even and odd ones such that the sequence of computation in the even iteration is reversed in the odd iteration and the register values at the end of one iteration are consumed at the beginning of the following one.
    Type: Grant
    Filed: April 5, 2012
    Date of Patent: April 29, 2014
    Assignee: Certicom Corp.
    Inventors: Nevine Maurice Nassif Ebeid, Robert John Lambert
  • Patent number: 8707435
    Abstract: The invention relates to a method for identifying compromised nodes in a ZigBee network comprising a general trust center, divided in at least two security domains, each security domain corresponding to a spatial or temporal area, and being associated with a different root keying material, and each node being identified by an identifier, the method comprising: upon detection of a node (U1) entering into a security domain (SD), the general trust center (TC) distributing to the node at least one keying material share corresponding to the entered security domain, and upon detecting corruption of at least two security domains, determining, for each security domain, based on information registered by the base station (BTS), a respective set of nodes having received keying material corresponding to said security domain, comparing the respective sets of nodes and identifying the common nodes as being compromised.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: April 22, 2014
    Assignee: Koninklijke Philips N.V.
    Inventors: Oscar Garcia Morchon, Klaus Kursawe
  • Patent number: 8707438
    Abstract: Techniques for providing storage for electronic records are described herein. According to one embodiment, a command is received from a client through an interface of a storage system. An approval is received from an authorization agent associated with the storage system for the received command. In response to the approval received from the authorization agent for the received command, an operation associated with the received command is performed. Other methods and apparatuses are also described.
    Type: Grant
    Filed: October 9, 2008
    Date of Patent: April 22, 2014
    Assignee: EMC Corporation
    Inventor: Windsor W. Hsu
  • Patent number: 8707053
    Abstract: Method and apparatus for obfuscating computer software code, to protect against reverse-engineering of the code. The obfuscation here is of the part of the code that performs a Boolean logic operation such as an exclusive OR on two (or more) data variables. In the obfuscated code, each of the two variables is first modified by applying to it a function which deconstructs the value of each of the variables, and then the exclusive OR operation is replaced by an arithmetic operation such as addition, subtraction, or multiplication, which is performed on the two deconstructed variables. The non-obfuscated result is recovered by applying a third function to the value generated by the arithmetic operation. This obfuscation is typically carried out by suitably annotating (modifying) the original source code.
    Type: Grant
    Filed: February 9, 2011
    Date of Patent: April 22, 2014
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Benoit Chevallier-Mames, Mathieu Ciet, Thomas Icart
  • Patent number: 8707384
    Abstract: Some embodiments of the present invention provide a system for maintaining a software system. During operation, the system obtains a compliance policy for the software system and monitors the software system for a violation of the compliance policy. If a violation is detected, the system generates a change recommendation associated with the violation using the compliance policy and provides the change recommendation to an administrator, so that the administrator can use the change recommendation to resolve the violation.
    Type: Grant
    Filed: February 11, 2008
    Date of Patent: April 22, 2014
    Assignee: Oracle International Corporation
    Inventors: Nitin Jain, Amit Bhalla, Sourav Mukherjee, Macks Ningombam
  • Patent number: 8707054
    Abstract: A functional unit of a device is associated with a secret. Data stored in a memory location of the device is encrypted using the secret. The memory location of the device is accessible to other functional units; but without knowledge of the secret, the stored encrypted data is useless. The sharing of the secret creates a secure path between memory locations and functional units of the device while maintaining a unitary memory architecture. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract.
    Type: Grant
    Filed: November 23, 2009
    Date of Patent: April 22, 2014
    Assignee: NXP B.V.
    Inventors: Hugues De Perthuis, Stephane Mutz
  • Patent number: 8701193
    Abstract: A method, article of manufacture, and apparatus for efficiently processing information are disclosed. In some embodiments, a first signature index is received. The first signature index is compared to a second signature index. A negative signature match is based on the comparison. A file is flagged based on the negative match.
    Type: Grant
    Filed: September 30, 2009
    Date of Patent: April 15, 2014
    Assignee: EMC Corporation
    Inventor: Steven Thomas Wong
  • Patent number: 8699542
    Abstract: A spread spectrum modulation unit (12) performs spread spectrum clocking processing for a basic clock signal (BC) synchronized with the carrier frequency or its harmonic frequency of image information leaked from an unwanted electromagnetic wave. A modulation pattern generation unit (13) generates and outputs, as a modulation pattern signal (MP), a PN code having sign bit data synchronized with each pulse of the obtained spread spectrum clock signal (SC). In addition, the modulation pattern generation unit (13) resets the repetition period of the PN code based on a horizontal sync signal (H). A modulated clock generation unit (14) modulates the spread spectrum clock signal (SC) in accordance with the modulation pattern signal (MP). The obtained modulated clock signal (MC) is amplified, generating a leakage prevention signal (JC). A leakage prevention signal containing a sideband component of a satisfactory level can be generated, obtaining a useful leakage prevention effect.
    Type: Grant
    Filed: July 16, 2010
    Date of Patent: April 15, 2014
    Assignees: NTT Advanced Technology Corporation, Nippon Telegraph and Telephone Corporation
    Inventors: Toshinori Mori, Ryo Ishikawa, Hitoshi Nobata, Yasunao Suzuki
  • Patent number: 8700919
    Abstract: A fetch unit fetches a sequence of blocks of encrypted instructions of an encrypted program from an instruction cache at a corresponding sequence of fetch address values. While fetching each block of the sequence, the fetch unit generates a decryption key as a function of key values and the corresponding fetch address value, and decrypts the encrypted instructions using the generated decryption key by XORing them together. A switch key instruction instructs the microprocessor to update the key values in the fetch unit while the fetch unit is fetching the sequence of blocks. The fetch unit inherently provides an effective decryption key length that depends upon the function and amount of key values used. Including one or more switch key instructions within the encrypted program increases the effective decryption key length up to the encrypted program length.
    Type: Grant
    Filed: April 21, 2011
    Date of Patent: April 15, 2014
    Assignee: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
  • Publication number: 20140101460
    Abstract: A flexible AES instruction for a general purpose processor is provided that performs AES encryption or decryption using n rounds, where n includes the standard AES set of rounds {10, 12, 14}. A parameter is provided to allow the type of AES round to be selected, that is, whether it is a “last round”. In addition to standard AES, the flexible AES instruction allows an AES-like cipher with 20 rounds to be specified or a “one round” pass.
    Type: Application
    Filed: December 9, 2013
    Publication date: April 10, 2014
    Inventors: Shay Gueron, Wajdi K. Feghali, Vinodh Gopal
  • Publication number: 20140101459
    Abstract: Various embodiments of the present invention are related to integrated circuits for processing data at a microcontroller interface. The microcontroller interfaces to a memory. The method is employed to process input data provided by the microcontroller during a memory write operation, or input data extracted from the memory during a memory read operation, respectively. A write/read control is used to indicate the memory write or read operation, and a logic address is translated to at least one physical address in the memory. The write/read control and the logic address are further employed to determine a data process mode. In various data processing modes, the input data are processed according to at least one of a plurality of data processing methods to result in processed data in different data formats. Data in different formats may be stored in various regions of the memory.
    Type: Application
    Filed: August 28, 2012
    Publication date: April 10, 2014
    Applicant: MAXIM INTEGRATED PRODUCTS, INC.
    Inventors: Vincent DEBOUT, Frank LHERMET, Yann Yves Rene Lose
  • Publication number: 20140101458
    Abstract: In the field of computer software (code) security, it is known to include verification data such as hash values in or associated with the code to allow subsequent detection of tampering by an attacker with the code. This verification technique is used here in a “White Box” cryptographic process by tying the verification data to the content of functional table lookups present in the object (compiled) code, where values in the table lookups are selectively masked (prior to the source code being compiled into the subject code) by being subject to permutation operations.
    Type: Application
    Filed: November 5, 2010
    Publication date: April 10, 2014
    Applicant: Apple Inc.
    Inventors: Augustin J. FARRUGIA, Mathieu Ciet, Pierre Betouin
  • Patent number: 8694794
    Abstract: A method for protecting a privilege level of a system management mode (SMM) of a computer system is disclosed. A SMM program is loaded into a special memory (SMRAM) area within a system memory of a computer. A first program, a second program, and a vector table are loaded into a general area of the system memory. Before the booting process of the computer has been completed, a reference hash value of the first program is determined by the SMM program, and the reference hash value is stored in the SMRAM area. A hash value of the first program is then computed by the SMM program. After the computer has been operating under an operating environment of an operating system, the computed hash value is compared to the reference hash value. When the computed hash value matches the reference hash value, the first program is called by the SMM program.
    Type: Grant
    Filed: September 2, 2010
    Date of Patent: April 8, 2014
    Assignee: Lenovo (Singapore) Pte Ltd.
    Inventors: Norihito Ishida, Toyoaki Inada, Eitaroh Kasamatsu, Noritoshi Yoshiyama
  • Patent number: 8694797
    Abstract: A method for preventing malicious software from execution within a computer system is disclosed. Before any actual execution of an application program on a computer system, the application program needs to be cross-compiled to yield a set of cross-compiled code of the application program. The set of cross-compiled code of the application program can then be executed in an execution module that is capable of recognizing and translating the set of cross-compiled code of the application program to the actual machine code of the processor.
    Type: Grant
    Filed: February 14, 2006
    Date of Patent: April 8, 2014
    Assignee: Lenovo (Singapore) Pte Ltd
    Inventors: David C. Challener, Mark C. Davis, Peter Hortensius, Rod D. Waltermann
  • Publication number: 20140095894
    Abstract: Improved techniques for managing enterprise applications on mobile devices are described herein. Each enterprise mobile application running on the mobile device has an associated policy through which it interacts with its environment. The policy selectively blocks or allows activities involving the enterprise application in accordance with rules established by the enterprise. Together, the enterprise applications running on the mobile device form a set of managed applications. Managed applications are typically allowed to exchange data with other managed applications, but are blocked from exchanging data with other applications, such as the user's own personal applications. Policies may be defined to manage data sharing, mobile resource management, application specific information, networking and data access solutions, device cloud and transfer, dual mode application software, enterprise app store access, and virtualized application and resources, among other things.
    Type: Application
    Filed: December 4, 2013
    Publication date: April 3, 2014
    Applicant: CITRIX SYSTEMS, INC.
    Inventors: Gary Barton, James Robert Walker, Nitin Desai, Zhongmin Lang
  • Publication number: 20140095891
    Abstract: According to one embodiment, a processor includes an instruction decoder to receive a first instruction to process a SHA1 hash algorithm, the first instruction having a first operand, a second operand, and a third operand, the first operand specifying a first storage location storing four SHA states, the second operand specifying a second storage location storing a plurality of SHA1 message inputs in combination with a fifth SHA1 state. The processor further includes an execution unit coupled to the instruction decoder, in response to the first instruction, to perform at least four rounds of the SHA1 round operations on the SHA1 states and the message inputs obtained from the first and second operands, using a combinational logic function specified in the third operand.
    Type: Application
    Filed: September 28, 2012
    Publication date: April 3, 2014
    Inventors: Gilbert M. Wolrich, Kirk S. Yap, Vinodh Gopal, Sean M. Gulley, James D. Guilford
  • Publication number: 20140095892
    Abstract: In a method for protecting digital information, a processor converts a protected address range into a plurality of address blocks of a storage device based on a preset conversion unit, and generates an address block rearranging rule using the address blocks as a parameter. When it is desired to load data into a space of an address batch of the protected address range, the processor converts the address batch into a plurality of address blocks based on the conversion unit, locates rearranged addresses of the address blocks in the protected address range according to the address block rearranging rule, and loads the data into spaces of the rearranged addresses.
    Type: Application
    Filed: November 4, 2013
    Publication date: April 3, 2014
    Inventors: Jing-Shiun Lai, Ling-Ying Nain, Po-Hsu Lin, Sheng-Kai Lin
  • Publication number: 20140095893
    Abstract: Method and apparatus for encryption, and a non-transitory computer-readable medium that stores instructions for performing encryption. The method includes loading a virtual system driver module in a host operating system and constructing a virtual operating system, wherein the virtual operating system comprises a micro-kernel; preparing and providing context of a processor and a memory page table by the virtual system driver for the micro-kernel, and mapping, in the memory page table, original data and a physical address of a buffer area that receives data after encryption computation is completed; and completing the encryption computation in the virtual operating system and saving the computation result in the buffer area.
    Type: Application
    Filed: November 18, 2013
    Publication date: April 3, 2014
    Applicant: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventor: Liang Cao
  • Patent number: 8689006
    Abstract: A data leakage prevention system, method, and computer program product are provided for preventing a predefined type of operation on predetermined data. In use, an attempt to perform an operation on predetermined data that is protected using a data leakage prevention system is identified. Additionally, it is determined whether a type of the operation attempted includes a predefined type of operation. Furthermore, the operation on the predetermined data is conditionally prevented based on the determination to prevent circumvention of the protection of the data leakage prevention system.
    Type: Grant
    Filed: April 13, 2012
    Date of Patent: April 1, 2014
    Assignee: McAfee, Inc.
    Inventors: Manabendra Paul, Abhilash Chandran
  • Patent number: 8689007
    Abstract: A method for protecting the integrity of a set of memory pages to be accessed by an operating system of a data processing system, includes running the operating system in a virtual machine (VM) of the data processing system; verifying the integrity of the set of memory pages on loading of pages in the set to a memory of the data processing system for access by the operating system; in response to verification of the integrity, designating the set of memory pages as trusted pages and, in a page table to be used by the operating system during the access, marking non-trusted pages as paged; and in response to a subsequent page fault interrupt for a non-trusted page, remapping the set of pages to a region of the data processing system memory which is inaccessible to the virtual machine.
    Type: Grant
    Filed: March 25, 2008
    Date of Patent: April 1, 2014
    Assignee: International Business Machines Corporation
    Inventors: Matthias Schunter, Axel Tanner, Bernhard Jansen
  • Publication number: 20140089681
    Abstract: The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.
    Type: Application
    Filed: November 27, 2013
    Publication date: March 27, 2014
    Applicant: Fujitsu Semiconductor Limited
    Inventors: Seiji GOTO, Jun Kamada, Taijji Tamiya
  • Publication number: 20140089679
    Abstract: Embodiments of apparatus, computer-implemented methods, systems, devices, and computer-readable media are described herein to provide a computing device with cooperative first and second binary translators in first and second execution environments having first and second security levels, respectively. The second security level may be more secure than the first security level. Encrypted instructions of the computer program may be loaded into the first execution environment, and the first binary translator may provide, to the second binary translator, an execution context of the computer program for use by the secondary binary translator to decrypt and execute a first portion of the computer program in the second execution environment. The second binary translator may provide, to the first binary translator, another execution context of the computer program for emulation, by the first binary translator, of execution of a second portion of the computer program in the first execution environment.
    Type: Application
    Filed: September 26, 2012
    Publication date: March 27, 2014
    Inventors: Sergei Goffmann, Alexander Skaletsky
  • Publication number: 20140089680
    Abstract: The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.
    Type: Application
    Filed: November 27, 2013
    Publication date: March 27, 2014
    Applicant: Fujitsu Semiconductor Limited
    Inventors: Seiji GOTO, Jun Kamada, Taijji Tamiya
  • Patent number: 8683225
    Abstract: A microprocessor includes an architected register having a bit (may be x86 EFLAGS register reserved bit) set by the microprocessor. A fetch unit fetches encrypted instructions from an instruction cache and decrypts them (via XOR) prior to executing them, in response to the microprocessor setting the bit. The microprocessor saves the bit value to a stack in memory and then clears the bit in response to receiving an interrupt. The fetch unit fetches unencrypted instructions from the instruction cache and executes them without decrypting them after the microprocessor clears the bit. The microprocessor restores the saved value from the stack in memory to the bit in the architected register (and in one embodiment, also restores decryption key values) in response to executing a return from interrupt instruction. The fetch unit resumes fetching and decrypting the encrypted instructions in response to determining that the restored value of the bit is set.
    Type: Grant
    Filed: April 21, 2011
    Date of Patent: March 25, 2014
    Assignee: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
  • Patent number: 8683224
    Abstract: The present invention provides a solution to the problem of guaranteeing the integrity of software programs by encrypting all or part of each instruction of a program using a key based on all or part of one or a plurality of previous instructions, thus resulting in a different encryption key per instruction. The invention is applicable to software programs whose structures are not necessarily tree-like in nature and is also applicable when the program includes loops, jumps, calls or breaks etc. The invention allows for an exception to be flagged when an encrypted instruction is wrongly decrypted. There is no need for the first instruction to be in clear, since the instruction key may be appropriately initialized as required. The invention can be realized in software or entirely in hardware thereby eliminating the possibility of a third party intercepting a decrypted instruction or a decryption key.
    Type: Grant
    Filed: June 30, 2010
    Date of Patent: March 25, 2014
    Assignee: Nagravision S.A.
    Inventors: Marco Macchetti, Henri Kudelski
  • Patent number: 8683561
    Abstract: A tamperproof ClientID system to uniquely identify a client machine is invoked upon connection of a client application to a backend. Upon initial connection, the backend issues a unique ClientID containing a checksum. The client application prepares at least two different scrambled versions of the ClientID and stores them in respective predetermined locations on the client machine. Upon subsequent connection to the backend, the client application retrieves and unscrambles the values at the two locations, verifies the checksums and compares the values. If the checksums are both correct and the values match, the ClientID value is sent to the backend, otherwise the client application sends an error code.
    Type: Grant
    Filed: August 15, 2011
    Date of Patent: March 25, 2014
    Assignee: Cambridge Interactive Development Corp.
    Inventor: Daniil Utin
  • Patent number: 8683227
    Abstract: A communication system is provided with an information processing device, and a management device capable of updating old data stored in the information processing device by outputting new data to the information processing device. The management device is provided with an old data input device that inputs the old data, a first new data input device that inputs the new data, an encryption device that encrypts the new data by utilizing the old data as a key, and a new data output device that outputs the new data encrypted by the encryption device to the information processing device. The information processing device is provided with an old data storage that stores the old data, a second new data input device that inputs the encrypted new data output by the management device, a decryption device that decrypts the encrypted new data by utilizing the old data as a key, and an updating device that updates the old data stored in the old data storage to the new data decrypted by the decryption device.
    Type: Grant
    Filed: August 29, 2007
    Date of Patent: March 25, 2014
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Kan Ishimoto
  • Patent number: 8683452
    Abstract: An improved technique of providing computer code to a set of client computers is disclosed. In the improved technique, a set of files is generated, each file in the set of files including computer code configured to be read by an interpreter on each client computer, the computer code in each file including a set of functions, each function in the set of functions having a name, the name of a function in the set of functions in a first file in the set of files differing from the name of a corresponding function in the set of functions in a second file in the set of files, the computer code in the first file and the computer code in the second file being constructed and arranged to produce functionally equivalent sets of computer instructions when run through the interpreter on each client computer.
    Type: Grant
    Filed: December 21, 2010
    Date of Patent: March 25, 2014
    Assignee: EMC Corporation
    Inventors: Roy Hodgman, Ofer Mizrach, Ofri Mann, Alex Vaystikh
  • Publication number: 20140082370
    Abstract: In one implementation a computer system stores a software program that contains some instructions organized in blocks wherein each block contains a first part with instructions and a second part with an electronic signature or hash value, wherein the computer system includes a security component within the processor that allows the execution of instructions of the first part of a block of data only if the hash value of the data is correct.
    Type: Application
    Filed: November 22, 2013
    Publication date: March 20, 2014
    Applicant: MEDIA PATENTS, S.L.
    Inventor: Alvaro FERNANDEZ GUTIERREZ
  • Publication number: 20140082371
    Abstract: The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.
    Type: Application
    Filed: November 27, 2013
    Publication date: March 20, 2014
    Applicant: Fujitsu Semiconductor Limited
    Inventors: Seiji GOTO, Jun KAMADA, Taijji TAMIYA
  • Patent number: 8675879
    Abstract: A method of operating a User Equipment (UE) for generating a second scrambling code group where the UE is configured for receiving downlink transmission from a Universal Mobile Telecommunications System Terrestrial Radio Access Network (UTRAN) on a set of at least two downlink carriers including an anchor carrier and at least a first secondary carrier includes: determining a first scrambling code group associated with a first cell on the anchor carrier and deriving the second scrambling code group associated with a second cell on said first secondary carrier using a predefined rule defining the relation between the second scrambling code group and the first scrambling code group.
    Type: Grant
    Filed: November 3, 2010
    Date of Patent: March 18, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Oskar Drugge, Douglas A. Cairns, Muhammad Kazmi, Andres Reial
  • Patent number: 8677150
    Abstract: A method, system, and apparatus for managing a plurality of cipher processor units. A cipher module may receive a cipher instruction indicating a cipher algorithm to be used. The cipher module may identify a cipher processing unit of the plurality of cipher processing units associated with the cipher algorithm. The cipher module may execute the cipher instruction using the cipher processing unit and the common register array. The cipher module may store a state of a common register array to be used by the cipher processing unit of the plurality of cipher processing units.
    Type: Grant
    Filed: February 1, 2012
    Date of Patent: March 18, 2014
    Assignee: Intel Mobile Communications GmbH
    Inventors: Andrew A. Wang, Ravi Jammula, Lothar Winkler
  • Patent number: 8677149
    Abstract: A system and method for modifying material related to computer software. The system receives an original disclosure for a software system. A masquerading algorithm is applied to the original disclosure to generate a new disclosure. The subject matter of the new disclosure is different from the original disclosure but has the same functionality. The system also receives original source code for the software system and applies a camouflaging algorithm to the original source code to generate modified source code and conversion data for converting between the modified source code and the original source code.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: March 18, 2014
    Assignee: C3S Pte. Ltd.
    Inventors: Ta Chun Yun, Viet Thang Nguyen
  • Patent number: 8671285
    Abstract: A fetch unit (a) fetches a block of instruction data from an instruction cache of the microprocessor; (b) performs an XOR on the block with a data entity to generate plain text instruction data; and (c) provides the plain text instruction data to an instruction decode unit. In a first instance the block comprises encrypted instruction data and the data entity is a decryption key. In a second instance the block comprises unencrypted instruction data and the data entity is Boolean zeroes. The time required to perform (a), (b), and (c) is the same in the first and second instances regardless of whether the block is encrypted or unencrypted. A decryption key generator selects first and second keys from a plurality of keys, rotates the first key, and adds/subtracts the rotated first key to/from the second key, all based on portions of the fetch address, to generate the decryption key.
    Type: Grant
    Filed: April 21, 2011
    Date of Patent: March 11, 2014
    Assignee: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
  • Patent number: 8667580
    Abstract: A system may include a memory having a unique identifier that uniquely identifies the memory. A package may be communicatively coupled to the memory. The package may include a processor, an identifier storage, and a boot storage. The identifier storage may store the unique identifier from the memory. The boot storage may include instructions to control booting of the processor based on the unique identifier in the identifier storage.
    Type: Grant
    Filed: November 15, 2004
    Date of Patent: March 4, 2014
    Assignee: Intel Corporation
    Inventors: Dhiraj Bhatt, Eric Auzas
  • Patent number: 8667298
    Abstract: A module building system, hosted by a server, receives a user script to be run to monitor software on a client using an introspection tool. The server adds safety constraints to the user script and generates a client kernel module using the user script which includes the safety constraints. The server signs the client kernel module and sends the signed client kernel module to the client. The signed client kernel module allows a user to use the introspection tool to load and execute the client module on the client for monitoring the software on the client.
    Type: Grant
    Filed: March 10, 2010
    Date of Patent: March 4, 2014
    Assignee: Red Hat, Inc.
    Inventors: Frank Ch. Eigler, Dave Brolley
  • Publication number: 20140059358
    Abstract: A microprocessor includes a model specific register (MSR) having an address, fuses manufactured with a first predetermined value, and a control register. The microprocessor initially loads the first predetermined value from fuses into the control register. The microprocessor also receives a second predetermined value into the control register from system software of a computer system comprising the microprocessor subsequent to initially loading the first predetermined value into the control register. The microprocessor prohibits access to the MSR by an instruction that provides a first password generated by encrypting a function of the first predetermined value and the MSR address with a secret key manufactured into the first instance of the microprocessor and enables access to the MSR by an instruction that provides a second password generated by encrypting the function of the second predetermined value and the MSR address with the secret key.
    Type: Application
    Filed: October 15, 2013
    Publication date: February 27, 2014
    Applicant: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks
  • Patent number: 8656501
    Abstract: There is provided a method for selectively protecting one of a plurality of methods of a class of an application written in an object-orientated language, in particular Java, wherein a protected application is created by adding a protection module to the application, analyzing a first method to be protected of a plurality of methods of a first class of the application and determining first parameters needed for executing the first method, generating first gate code depending on the determined first parameters, replacing the first code of the first method by said first gate code and storing the replaced first code such that it can be accessed by the protection module during execution of the protected application, wherein, when the first method is called during execution of the protected application, the first gate code collects first data based on the determined first parameters and transmits the collected first data to the protection module, the protection module accesses the stored first code and generates a
    Type: Grant
    Filed: July 1, 2011
    Date of Patent: February 18, 2014
    Assignee: SafeNet Germany GmbH
    Inventor: Benjamin Gnahm
  • Publication number: 20140047245
    Abstract: Embodiments of apparatus, computer-implemented methods, systems, devices, and computer-readable media are described herein for identifying and encrypting a subset of a plurality of instructions, for execution in a more secure execution environment. In various embodiments, the subset may include a single entry point and a single exit point. In various embodiments, one or more instructions of the plurality of instructions that precede or follow the subset may be executed in a first execution environment with a first security level. In various embodiments, the subset may be executed in a second execution environment with a second security level that is more secure than the first security level.
    Type: Application
    Filed: June 1, 2012
    Publication date: February 13, 2014
    Inventors: Sergei Goffman, Alex Berenzon, Oron Lenz, Tevi Devor, Bo Zhang, Yoram Zahavi, Moshe Maor
  • Publication number: 20140047244
    Abstract: Protection of interpreted programming language code filesystem files from access and alteration may be provided by encrypting a file to be protected in a boot sequence. Run-time examination of a virtual appliance may be deterred by hiding the boot sequence in a restricted virtual appliance platform. No shell or filesystem access may be provided. Thus, permissions on a read-only filesystem (for example) may be kept from being altered. The permissions may be set along with filesystem access control lists to prevent unauthorized examination of the source files.
    Type: Application
    Filed: August 10, 2012
    Publication date: February 13, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: JOHN I. BUSWELL
  • Patent number: 8650636
    Abstract: In one embodiment, a picture signature password system may use a picture signature password to determine access to a computing device or service. A display screen 172 may display a personalized digital image 310. A user input device 160 may receive a user drawing set executed by a user over the personalized digital image 310. A processor 120 may authenticate access to the user session if the user drawing set matches a library drawing set associated with the user.
    Type: Grant
    Filed: June 17, 2011
    Date of Patent: February 11, 2014
    Assignee: Microsoft Corporation
    Inventors: Jeff Johnson, Steve Seixeiro, Zachary Pace, Giles van der Bogert, Sean Gilmour, Levi Siebens, Ken Tubbs
  • Patent number: 8650127
    Abstract: A digital rights management (“DRM”) system is described that seeks to restrict the use and execution of certain computer program code to those hardware systems or platforms authorized by the provider of the protected software. To this end, certain computer programs (or portions thereof) are provided to authorized users in an encrypted format. When a “protected” program is to be executed, it is retrieved and stored in its encrypted format in operating system memory where it is accessible to operating system level routines (e.g., a file read operation). It is also decrypted and placed in another memory such that only the process executing the protected program has ready access to it.
    Type: Grant
    Filed: January 6, 2006
    Date of Patent: February 11, 2014
    Assignee: Apple Inc.
    Inventors: Eric Albert, Michael Culbert, Simon Patience, Michael Smith
  • Patent number: 8650639
    Abstract: A method for hindering a cold boot attack on a user equipment (UE) is provided. The method includes, in response to detection of the cold boot attack, executing prioritized security procedures. A user equipment (UE) is also provided that includes a processor configured to execute prioritized security procedures responsive to detection of a cold boot attack.
    Type: Grant
    Filed: September 29, 2010
    Date of Patent: February 11, 2014
    Assignee: BlackBerry Limited
    Inventors: Neil Patrick Adams, Michael Stephen Brown, Robert John Lambert, Alfred John Menezes