Computer Instruction/address Encryption Patents (Class 713/190)
-
Patent number: 8762740
Abstract: An information processing system has a power supply section which detects a predetermined potential applied to a USB terminal and supplies that potential as a source potential, an information detection section which detects predetermined information supplied to the USB terminal, and a processing section which executes, subsequent to the detection of the predetermined potential, an encoding process or a decoding process in accordance with at least the operating information supplied from an operation key arranged on the body and in accordance with the predetermined information supplied to the USB terminal after its detection. The recording and reproducing operation can be performed with the operating key on the body with power supplied only from the USB terminal.
Type: Grant
Filed: October 31, 2012
Date of Patent: June 24, 2014
Assignee: Kabushiki Kaisha Toshiba
Inventor: Hirofumi Kanai
-
Publication number: 20140173293
Abstract: A processor, a method and a computer-readable storage medium for encrypting a return address are provided. The processor comprises hardware logic configured to encrypt an instruction pointer and push the encrypted instruction pointer onto a stack. The logic is further configured to retrieve the encrypted instruction pointer from the stack, decrypt the instruction pointer and redirect execution to the decrypted instruction pointer.
Type: Application
Filed: December 17, 2012
Publication date: June 19, 2014
Applicant: Advanced Micro Devices, Inc.
Inventor: David A. Kaplan
-
Patent number: 8756435
Abstract: Methods, media and systems that obfuscate control flow in software programs. The obfuscation can impede or prevent static flow analysis of a software program's control flow. In one embodiment, a method, performed by a data processing system, identifies each branch point in a set of branch points in a first version of software and replaces, in each branch point in the set, a representation of a target of the branch point with a computed value that depends upon at least one prior computed value in a stream of instructions in the first version of software. Other embodiments are also described.
Type: Grant
Filed: October 19, 2012
Date of Patent: June 17, 2014
Assignee: Apple Inc.
Inventors: Julien Lerouge, Jonathan G. McLachlan, Daniel F. Reynaud
-
Patent number: 8756417
Abstract: A multi-mode Trusted Computing Platform (TCP) comprising a Field Programmable Gate Array (FPGA) device that includes a Type-1-compliant root of trust (ROT), a memory containing a Type-1 security boot image and at least one lower-security boot image, and a memory containing a Type-1-associated operating system (OS) image and at least one lower-security-associated OS image. The TCP is configured to execute a multi-stage boot process that, depending on the presence of one or more valid external inputs, selects and initiates either a Type-1 TCP computing mode or a lower-assurance computing mode.
Type: Grant
Filed: February 4, 2014
Date of Patent: June 17, 2014
Assignee: Sypris Electronics, LLC
Inventor: Douglas J. Gardner
-
Publication number: 20140164788
Abstract: A state sensitive device is described. The device includes a state register which stores a record of the effective state of the device, a mask field having a value which varies according to the value of the state register, and a processor which changes the value of the mask field to a new value whenever the value of the state register changes. The processor performs a state dependent calculation requiring the value of the mask field as an operand; the calculation yields an incorrect result if the value of the mask field does not properly correspond to the value of the state register. Related methods, systems and apparatus are also described.
Type: Application
Filed: December 9, 2013
Publication date: June 12, 2014
Inventors: Yaacov Belenky, Chaim Shen-Orr
-
Publication number: 20140164787
Abstract: A control method is executed by an information processing apparatus that includes a first processor; a second processor that executes a program to be protected; first memory that is shared between the first and the second processors; and non-volatile second memory that stores the program to be protected. The control method includes reading the program that is to be protected and stored in the second memory, when the information processing apparatus is started up; encrypting the read program only once after start up of the information processing apparatus; writing the encrypted program into the first memory; and decrypting the encrypted program that is written in the first memory, and causing the second processor to execute the decrypted program.
Type: Application
Filed: October 29, 2013
Publication date: June 12, 2014
Applicant: FUJITSU LIMITED
Inventor: Keizou Ueno
-
Patent number: 8752032
Abstract: Methods and devices for thwarting code and control flow based attacks on software. The source code of a subject piece of software is automatically divided into basic blocks of logic. Selected basic blocks are amended so that their outputs are extended. Similarly, other basic blocks are amended such that their inputs are correspondingly extended. The amendments increase or create dependencies between basic blocks such that tampering with one basic block's code causes other basic blocks to malfunction when executed.
Type: Grant
Filed: February 23, 2007
Date of Patent: June 10, 2014
Assignee: Irdeto Canada Corporation
Inventors: Harold Joseph Johnson, Yuan Xiang Gu, Yongxin Zhou
-
Patent number: 8751822
Abstract: A method and apparatus 20 for securing executable code embodying a cipher 12 using a metamorphic algorithm 24. The metamorphic algorithm 24 dynamically executes polymorphic primitives 43, each of which implements a functional component 41 of the cryptographic algorithm 12. When a halting condition is met, the output of the cryptographic algorithm 12 is produced.
Type: Grant
Filed: December 21, 2010
Date of Patent: June 10, 2014
Assignee: Motorola Mobility LLC
Inventor: Lex Aaron Anderson
-
Patent number: 8751798
Abstract: A system and method of providing universal digital rights management system protection is described. One feature of the invention concerns systems and methods for repackaging and securing data packaged under any file format type, compression technique, or digital rights management system. Another feature of the invention is directed to systems and methods for securing data by providing scalability through the use of modular data manipulation software objects.
Type: Grant
Filed: March 16, 2010
Date of Patent: June 10, 2014
Assignee: Intel Corporation
Inventors: Jeffrey M. Ayars, Bradley D. Hefta-Gaub, Daniel Sheeran
-
Patent number: 8751823
Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for obfuscating branches in computer code. A compiler or a post-compilation tool can obfuscate branches by receiving source code and compiling the source code to yield computer-executable code. The compiler identifies branches in the computer-executable code, and determines a return address and a destination value for each branch. Then, based on the return address and the destination value for each branch, the compiler constructs a binary tree with nodes and leaf nodes, each node storing a balanced value, and each leaf node storing a destination value. The non-leaf nodes are arranged such that searching the binary tree by return address leads to a corresponding destination value. Then the compiler inserts the binary tree in the computer-executable code and replaces each branch with instructions in the computer-executable code for performing a branching operation based on the binary tree.
Type: Grant
Filed: August 1, 2011
Date of Patent: June 10, 2014
Assignee: Apple Inc.
Inventors: Gideon M. Myles, Julien Lerouge, Jon McLachlan, Ganna Zaks, Augustin J. Farrugia
-
Patent number: 8751830
Abstract: A method and circuit arrangement selectively stream data to an encryption or compression engine based upon encryption and/or compression-related page attributes stored in a memory address translation data structure such as an Effective To Real Translation (ERAT) or Translation Lookaside Buffer (TLB). A memory address translation data structure may be accessed, for example, in connection with a memory access request for data in a memory page, such that attributes associated with the memory page in the data structure may be used to control whether data is encrypted/decrypted and/or compressed/decompressed in association with handling the memory access request.
Type: Grant
Filed: January 23, 2012
Date of Patent: June 10, 2014
Assignee: International Business Machines Corporation
Inventors: Adam J. Muff, Paul E. Schardt, Robert A. Shearer, Matthew R. Tubbs
-
Patent number: 8745407
Abstract: A virtual machine or hardware processor for an IC-card portable electronic device includes a non-volatile memory unit, a remote decryption unit, and associated objects for storing an executable program in an encrypted format in the non-volatile memory. The IC-card stores a licence key used to encrypt and decrypt the executable program through an IC-card interface. The IC-card interface extracts the operands of the plain executable program and encrypts them into encrypted operands, so that performance is not limited. The remote decryption unit detects whether an instruction contains encrypted operands and requests their decryption from the IC-card interface. The IC-card interface decrypts the encrypted operands and re-encrypts the just-decrypted operands into obscured operands using a dynamic obscuration key.
Type: Grant
Filed: May 2, 2006
Date of Patent: June 3, 2014
Assignee: STMicroelectronics N.V.
Inventors: Francesco Varone, Pasquale Vastano, Amedeo Veneroso
-
Patent number: 8745693
Abstract: A computer program product for use with dictated medical patient information resides on a computer-readable medium and comprises computer-readable instructions for causing a computer to analyze the dictated information, identify likely confidential information in the dictated medical patient information, and treat the likely confidential information disparately from likely non-confidential information in the dictated medical patient information.
Type: Grant
Filed: January 15, 2010
Date of Patent: June 3, 2014
Assignee: Nuance Communications, Inc.
Inventors: Roger S. Zimmerman, Paul Egerman, Benjamin Chigier
-
Patent number: 8745408
Abstract: An instruction decryption arrangement includes an input interface configured to receive an encrypted instruction, a decryption key updater configured to output a decryption key, and an instruction decrypter including a first input connected to the input interface and a second input connected to the decryption key updater, and configured to decrypt the encrypted instruction using the decryption key and to provide a decrypted instruction. The decryption key updater is further configured to update the decryption key using at least one of the encrypted instruction and the decrypted instruction. An alternative instruction decryption arrangement includes a key stream module configured to iteratively determine a key state corresponding to a current instruction for a computing unit and an instruction decrypter configured to receive an encrypted instruction related to the current instruction and decrypt the encrypted instruction using the key state to provide a decrypted instruction.
Type: Grant
Filed: April 8, 2011
Date of Patent: June 3, 2014
Assignee: Infineon Technologies AG
Inventor: Stefan Mangard
-
Patent number: 8745406
Abstract: The invention provides for a method of encrypting and executing an executable image, comprising: flagging sections of the executable image to be encrypted using commands in source files and compiling said executable images so as to generate object files; linking one or more of said executable images using a linker to produce a final executable image; passing said linked executable images to a post-linker encryption engine to encrypt a relocation fix-up patch table and the sections of the executable images flagged for encryption; and, at load time, decrypting, relocating and executing the executable images.
Type: Grant
Filed: October 10, 2006
Date of Patent: June 3, 2014
Assignee: Nytell Software LLC
Inventor: Colin King
-
Patent number: 8738932
Abstract: A system and method for processor-based security is provided, for on-chip security and trusted computing services for software applications. A processor is provided having a processor core, a cache memory, a plurality of registers for storing at least one hash value and at least one encryption key, a memory interface, and at least one on-chip instruction for creating a secure memory area in a memory external to the processor, and a hypervisor program executed by the processor. The hypervisor program instructs the processor to execute the at least one on-chip instruction to create a secure memory area for a software module, and the processor encrypts data written to, and decrypts data read from, the external memory using the at least one encryption key, and verifies data read from the external memory using the at least one hash value. Secure module interactions are provided, as well as the generation of a power-on key which can be used to protect memory in the event of a re-boot event.
Type: Grant
Filed: January 19, 2010
Date of Patent: May 27, 2014
Assignee: Teleputers, LLC
Inventors: Ruby B. Lee, Champagne David
-
Publication number: 20140143553
Abstract: A method for maintaining a single file in a shared storage is disclosed. The method comprises storing the single file and corresponding information into a virtual disk so that there is a direct mapping between each file byte and a byte in a sector of the virtual disk; encrypting the virtual disk according to a disk encryption algorithm; and uploading the encrypted virtual disk to the shared storage.
Type: Application
Filed: April 2, 2013
Publication date: May 22, 2014
Applicant: CLOUDIOH INC.
Inventor: Yan-Cheng Chang
-
Patent number: 8732806
Abstract: Aspects of a method and system for hardware enforced virtualization in an integrated circuit are provided. In this regard, a mode of operation of an integrated circuit may be controlled such that the integrated circuit alternates between a secure mode of operation and an open mode of operation. Various resources of the integrated circuit may be designated as open or secure, and secure resources may be made inaccessible while the integrated circuit operates in the open mode. Access to the secure resources may be controlled based on a configuration of one or more registers and/or switching elements. Resources designated as secure may comprise, for example, a one-time-programmable memory. The integrated circuit may comprise ROM and/or one-time-programmable memory that stores one or more instructions, wherein execution of the one or more instructions may control transitions between the secure mode and the open mode.
Type: Grant
Filed: September 14, 2009
Date of Patent: May 20, 2014
Assignee: Broadcom Corporation
Inventors: John Markey, Love Kothari, Paul Chou
-
Patent number: 8726037
Abstract: Various systems and methods for encrypting data are disclosed. In one aspect, the method includes receiving a memory address and a value to be written in the memory address. The method also includes encrypting the value using the memory address as an initial value for an encryption process. The method also includes storing the encrypted value in the memory address.
Type: Grant
Filed: September 27, 2011
Date of Patent: May 13, 2014
Assignee: Atmel Corporation
Inventors: Guillaume Pean, Alain Vergnes, Michel Douguet
-
Patent number: 8726035
Abstract: Systems and methods are described which utilize a recursive security protocol for the protection of digital data. These may include encrypting a bit stream with a first encryption algorithm and associating a first decryption algorithm with the encrypted bit stream. The resulting bit stream may then be encrypted with a second encryption algorithm to yield a second bit stream. This second bit stream is then associated with a second decryption algorithm. This second bit stream can then be decrypted by an intended recipient using associated keys.
Type: Grant
Filed: May 27, 2010
Date of Patent: May 13, 2014
Assignee: Krimmeni Technologies, Inc.
Inventor: William V. Oxford
-
Patent number: 8726040
Abstract: Side channel attacks against a computing device are prevented by combinations of scrambling data to be stored in memory and scrambling the memory addresses of the data using software routines to execute scrambling and descrambling functions. Encrypted versions of variables, data and lookup tables, commonly employed in cryptographic algorithms, are thus dispersed into pseudorandom locations. Data and cryptographic primitives that require data-dependent memory accesses are thus shielded from attacks that could reveal memory access patterns and compromise cryptographic keys.
Type: Grant
Filed: June 1, 2012
Date of Patent: May 13, 2014
Assignee: SanDisk Technologies Inc.
Inventors: Boris Dolgunov, Arseniy Aharonov
-
Patent number: 8726042
Abstract: Various mechanisms are disclosed for protecting the security of memory in a computing environment. A security layer can have an encryption layer and a hashing layer that can dynamically encrypt and then dynamically hash sensitive information as it is being loaded into the dynamic memory of a computing device. For example, a memory unit that can correspond to a memory page can be processed by the security layer, and header data, code, and protect-worthy data can be secured, while other non-sensitive data can be left alone. Once such information is secured and stored in dynamic memory, it can be accessed at a later time by a processor, decrypted and hash-checked. Then it can be loaded back into the dynamic memory, thereby preventing direct memory access attacks.
Type: Grant
Filed: February 29, 2008
Date of Patent: May 13, 2014
Assignee: Microsoft Corporation
Inventors: Sebastian Lange, Dinarte R. Morais, Victor Tan, Adam G. Poulos
-
Patent number: 8719588
Abstract: Apparatus, systems, and methods may operate to provide, to a memory device, an obfuscated clear-page address derived from a clear-page address that is not the same as a key-page address and/or to provide, to the memory device, an obfuscated key-page address derived from the key-page address when the obfuscated clear-page address is the same as the key-page address. Additional apparatus, systems, and methods are disclosed.
Type: Grant
Filed: June 30, 2008
Date of Patent: May 6, 2014
Assignee: Atmel Corporation
Inventors: Brad Garner, Balaji Badam
-
Patent number: 8719590
Abstract: Cloud infrastructure of an information processing system comprises one or more processing devices implementing a plurality of virtual machines. The cloud infrastructure is configured to receive a processing job from a tenant, to obtain a first key specific to the tenant, to determine a second key utilizing information supplied by the tenant, and to encrypt one or more results of the processing job utilizing a combination of the first key and the second key. At least a portion of the second key is determined by at least one application that is run on at least one virtual machine of the cloud infrastructure in conjunction with performance of the processing job. The encrypted results of the processing job may be stored in a virtual memory of the cloud infrastructure and transmitted to the tenant.
Type: Grant
Filed: June 18, 2012
Date of Patent: May 6, 2014
Assignee: EMC Corporation
Inventors: Sorin Faibish, Percy Tzelnic
-
Patent number: 8719927
Abstract: Technologies are generally described for data filtering for communication devices. In one example, a method of receiving data from a data source on a communication device is disclosed. The method includes determining, at the communication device, a domain name of the data source. The method also includes determining, at the communication device, one or more communication networks the communication device is connected to. The method further includes processing, at the communication device, the domain name for acceptance based on the one or more connected communication networks. The method also includes receiving the data from the data source, at the communication device, if the domain name is accepted.
Type: Grant
Filed: September 28, 2010
Date of Patent: May 6, 2014
Assignee: Empire Technology Development LLC
Inventors: Hidayah Hassan-Le Neel, Olivier Pierre Marie Le Neel
-
Patent number: 8719589
Abstract: A microprocessor includes a storage element having a plurality of locations, each storing decryption key data associated with an encrypted program. A control register field (which may be a reserved field of the x86 EFLAGS register) specifies the storage element location associated with the currently executing encrypted program. The microprocessor restores from memory to the control register a previously saved value of the field in response to executing a return from interrupt instruction. A fetch unit fetches encrypted instructions of the currently executing encrypted program and decrypts them using the decryption key data stored in the storage element location specified by the restored field value. A kill bit associated with each storage element location may be employed if the location is clobbered because more encrypted programs are multitasked than there are available locations in the storage element, in which case an exception is generated to re-load the clobbered decryption key data in response to the return from interrupt instruction.
Type: Grant
Filed: April 21, 2011
Date of Patent: May 6, 2014
Assignee: VIA Technologies, Inc.
Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
-
Patent number: 8712039
Abstract: An efficient implementation of SHA-512, and similarly SHA-384, on an ARM processor. The implementation maximizes reuse of the register values between iterations so as to minimize the need to load these values from memory. This is achieved by categorizing the iterations into even and odd ones such that the sequence of computation in the even iteration is reversed in the odd iteration and the register values at the end of one iteration are consumed at the beginning of the following one.
Type: Grant
Filed: April 5, 2012
Date of Patent: April 29, 2014
Assignee: Certicom Corp.
Inventors: Nevine Maurice Nassif Ebeid, Robert John Lambert
-
Patent number: 8713327
Abstract: A circuit for enabling communication of cryptographic data in an integrated circuit is disclosed. The circuit comprises a first interface coupled to receive data having a first security level; a second interface coupled to receive data having a second security level; a cryptographic application; and a routing block coupled between the first and second interfaces and the cryptographic application, the routing block comprising configurable logic, wherein the routing block is configurable to selectively route the data having the first security level by way of the first interface and to route data having the second security level by way of the second interface. A method of enabling communication of cryptographic data in an integrated circuit is also disclosed.
Type: Grant
Filed: February 2, 2009
Date of Patent: April 29, 2014
Assignee: Xilinx, Inc.
Inventors: Edward S. Peterson, Jason J. Moore
-
Patent number: 8707053
Abstract: Method and apparatus for obfuscating computer software code, to protect against reverse-engineering of the code. The obfuscation here is of the part of the code that performs a Boolean logic operation such as an exclusive OR on two (or more) data variables. In the obfuscated code, each of the two variables is first modified by applying to it a function which deconstructs the value of each of the variables, and then the exclusive OR operation is replaced by an arithmetic operation such as addition, subtraction, or multiplication, which is performed on the two deconstructed variables. The non-obfuscated result is recovered by applying a third function to the value generated by the arithmetic operation. This obfuscation is typically carried out by suitably annotating (modifying) the original source code.
Type: Grant
Filed: February 9, 2011
Date of Patent: April 22, 2014
Assignee: Apple Inc.
Inventors: Augustin J. Farrugia, Benoit Chevallier-Mames, Mathieu Ciet, Thomas Icart
-
Patent number: 8707054
Abstract: A functional unit of a device is associated with a secret. Data stored in a memory location of the device is encrypted using the secret. The memory location of the device is accessible to other functional units; but without knowledge of the secret, the stored encrypted data is useless. The sharing of the secret creates a secure path between memory locations and functional units of the device while maintaining a unitary memory architecture. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract.
Type: Grant
Filed: November 23, 2009
Date of Patent: April 22, 2014
Assignee: NXP B.V.
Inventors: Hugues De Perthuis, Stephane Mutz
-
Patent number: 8707435
Abstract: The invention relates to a method for identifying compromised nodes in a ZigBee network comprising a general trust center, divided into at least two security domains, each security domain corresponding to a spatial or temporal area and being associated with a different root keying material, and each node being identified by an identifier. The method comprises: upon detection of a node (U1) entering a security domain (SD), the general trust center (TC) distributing to the node at least one keying material share corresponding to the entered security domain; and upon detecting corruption of at least two security domains, determining, for each security domain, based on information registered by the base station (BTS), a respective set of nodes having received keying material corresponding to said security domain, comparing the respective sets of nodes, and identifying the common nodes as being compromised.
Type: Grant
Filed: May 28, 2010
Date of Patent: April 22, 2014
Assignee: Koninklijke Philips N.V.
Inventors: Oscar Garcia Morchon, Klaus Kursawe
-
Patent number: 8707438
Abstract: Techniques for providing storage for electronic records are described herein. According to one embodiment, a command is received from a client through an interface of a storage system. An approval is received from an authorization agent associated with the storage system for the received command. In response to the approval received from the authorization agent for the received command, an operation associated with the received command is performed. Other methods and apparatuses are also described.
Type: Grant
Filed: October 9, 2008
Date of Patent: April 22, 2014
Assignee: EMC Corporation
Inventor: Windsor W. Hsu
-
Patent number: 8707384
Abstract: Some embodiments of the present invention provide a system for maintaining a software system. During operation, the system obtains a compliance policy for the software system and monitors the software system for a violation of the compliance policy. If a violation is detected, the system generates a change recommendation associated with the violation using the compliance policy and provides the change recommendation to an administrator, so that the administrator can use the change recommendation to resolve the violation.
Type: Grant
Filed: February 11, 2008
Date of Patent: April 22, 2014
Assignee: Oracle International Corporation
Inventors: Nitin Jain, Amit Bhalla, Sourav Mukherjee, Macks Ningombam
-
Patent number: 8700919
Abstract: A fetch unit fetches a sequence of blocks of encrypted instructions of an encrypted program from an instruction cache at a corresponding sequence of fetch address values. While fetching each block of the sequence, the fetch unit generates a decryption key as a function of key values and the corresponding fetch address value, and decrypts the encrypted instructions by XORing them with the generated decryption key. A switch key instruction instructs the microprocessor to update the key values in the fetch unit while the fetch unit is fetching the sequence of blocks. The fetch unit inherently provides an effective decryption key length that depends upon the function and the amount of key values used. Including one or more switch key instructions within the encrypted program increases the effective decryption key length up to the encrypted program length.
Type: Grant
Filed: April 21, 2011
Date of Patent: April 15, 2014
Assignee: VIA Technologies, Inc.
Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
-
Patent number: 8699542
Abstract: A spread spectrum modulation unit (12) performs spread spectrum clocking processing for a basic clock signal (BC) synchronized with the carrier frequency, or its harmonic frequency, of image information leaked as an unwanted electromagnetic wave. A modulation pattern generation unit (13) generates and outputs, as a modulation pattern signal (MP), a PN code having sign bit data synchronized with each pulse of the obtained spread spectrum clock signal (SC). In addition, the modulation pattern generation unit (13) resets the repetition period of the PN code based on a horizontal sync signal (H). A modulated clock generation unit (14) modulates the spread spectrum clock signal (SC) in accordance with the modulation pattern signal (MP). The obtained modulated clock signal (MC) is amplified, generating a leakage prevention signal (JC). A leakage prevention signal containing a sideband component of a satisfactory level can thus be generated, yielding a useful leakage prevention effect.
Type: Grant
Filed: July 16, 2010
Date of Patent: April 15, 2014
Assignees: NTT Advanced Technology Corporation, Nippon Telegraph and Telephone Corporation
Inventors: Toshinori Mori, Ryo Ishikawa, Hitoshi Nobata, Yasunao Suzuki
-
Patent number: 8701193
Abstract: A method, article of manufacture, and apparatus for efficiently processing information are disclosed. In some embodiments, a first signature index is received. The first signature index is compared to a second signature index. A negative signature match is based on the comparison. A file is flagged based on the negative match.
Type: Grant
Filed: September 30, 2009
Date of Patent: April 15, 2014
Assignee: EMC Corporation
Inventor: Steven Thomas Wong
-
Publication number: 20140101459
Abstract: Various embodiments of the present invention are related to integrated circuits for processing data at a microcontroller interface. The microcontroller interfaces to a memory. The method is employed to process input data provided by the microcontroller during a memory write operation, or input data extracted from the memory during a memory read operation, respectively. A write/read control is used to indicate the memory write or read operation, and a logic address is translated to at least one physical address in the memory. The write/read control and the logic address are further employed to determine a data process mode. In various data processing modes, the input data are processed according to at least one of a plurality of data processing methods to result in processed data in different data formats. Data in different formats may be stored in various regions of the memory.
Type: Application
Filed: August 28, 2012
Publication date: April 10, 2014
Applicant: MAXIM INTEGRATED PRODUCTS, INC.
Inventors: Vincent Debout, Frank Lhermet, Yann Yves Rene Lose
-
Publication number: 20140101460
Abstract: A flexible AES instruction for a general purpose processor is provided that performs AES encryption or decryption using n rounds, where n includes the standard AES set of rounds {10, 12, 14}. A parameter is provided to allow the type of AES round to be selected, that is, whether it is a "last round". In addition to standard AES, the flexible AES instruction allows an AES-like cipher with 20 rounds to be specified, or a "one round" pass.
Type: Application
Filed: December 9, 2013
Publication date: April 10, 2014
Inventors: Shay Gueron, Wajdi K. Feghali, Vinodh Gopal
-
Publication number: 20140101458
Abstract: In the field of computer software (code) security, it is known to include verification data such as hash values in or associated with the code to allow subsequent detection of tampering with the code by an attacker. This verification technique is used here in a “White Box” cryptographic process by tying the verification data to the content of functional table lookups present in the object (compiled) code, where values in the table lookups are selectively masked (prior to the source code being compiled into the object code) by being subjected to permutation operations.
Type: Application
Filed: November 5, 2010
Publication date: April 10, 2014
Applicant: Apple Inc.
Inventors: Augustin J. FARRUGIA, Mathieu Ciet, Pierre Betouin
-
Patent number: 8694794
Abstract: A method for protecting a privilege level of a system management mode (SMM) of a computer system is disclosed. An SMM program is loaded into a special memory (SMRAM) area within a system memory of a computer. A first program, a second program, and a vector table are loaded into a general area of the system memory. Before the booting process of the computer has been completed, a reference hash value of the first program is determined by the SMM program, and the reference hash value is stored in the SMRAM area. After the computer has been operating under an operating environment of an operating system, a hash value of the first program is then computed by the SMM program and compared to the reference hash value. When the computed hash value matches the reference hash value, the first program is called by the SMM program.
Type: Grant
Filed: September 2, 2010
Date of Patent: April 8, 2014
Assignee: Lenovo (Singapore) Pte Ltd.
Inventors: Norihito Ishida, Toyoaki Inada, Eitaroh Kasamatsu, Noritoshi Yoshiyama
-
Patent number: 8694797
Abstract: A method for preventing malicious software from execution within a computer system is disclosed. Before any actual execution of an application program on a computer system, the application program needs to be cross-compiled to yield a set of cross-compiled code of the application program. The set of cross-compiled code of the application program can then be executed in an execution module that is capable of recognizing and translating the set of cross-compiled code of the application program to the actual machine code of the processor.
Type: Grant
Filed: February 14, 2006
Date of Patent: April 8, 2014
Assignee: Lenovo (Singapore) Pte Ltd
Inventors: David C. Challener, Mark C. Davis, Peter Hortensius, Rod D. Waltermann
-
Publication number: 20140095892
Abstract: In a method for protecting digital information, a processor converts a protected address range into a plurality of address blocks of a storage device based on a preset conversion unit, and generates an address block rearranging rule using the address blocks as a parameter. When it is desired to load data into a space of an address batch of the protected address range, the processor converts the address batch into a plurality of address blocks based on the conversion unit, locates rearranged addresses of the address blocks in the protected address range according to the address block rearranging rule, and loads the data into spaces of the rearranged addresses.
Type: Application
Filed: November 4, 2013
Publication date: April 3, 2014
Inventors: Jing-Shiun Lai, Ling-Ying Nain, Po-Hsu Lin, Sheng-Kai Lin
-
Publication number: 20140095894
Abstract: Improved techniques for managing enterprise applications on mobile devices are described herein. Each enterprise mobile application running on the mobile device has an associated policy through which it interacts with its environment. The policy selectively blocks or allows activities involving the enterprise application in accordance with rules established by the enterprise. Together, the enterprise applications running on the mobile device form a set of managed applications. Managed applications are typically allowed to exchange data with other managed applications, but are blocked from exchanging data with other applications, such as the user's own personal applications. Policies may be defined to manage data sharing, mobile resource management, application specific information, networking and data access solutions, device cloud and transfer, dual mode application software, enterprise app store access, and virtualized application and resources, among other things.
Type: Application
Filed: December 4, 2013
Publication date: April 3, 2014
Applicant: CITRIX SYSTEMS, INC.
Inventors: Gary Barton, James Robert Walker, Nitin Desai, Zhongmin Lang
-
Publication number: 20140095891
Abstract: According to one embodiment, a processor includes an instruction decoder to receive a first instruction to process a SHA1 hash algorithm, the first instruction having a first operand, a second operand, and a third operand, the first operand specifying a first storage location storing four SHA1 states, the second operand specifying a second storage location storing a plurality of SHA1 message inputs in combination with a fifth SHA1 state. The processor further includes an execution unit coupled to the instruction decoder, in response to the first instruction, to perform at least four rounds of the SHA1 round operations on the SHA1 states and the message inputs obtained from the first and second operands, using a combinational logic function specified in the third operand.
Type: Application
Filed: September 28, 2012
Publication date: April 3, 2014
Inventors: Gilbert M. Wolrich, Kirk S. Yap, Vinodh Gopal, Sean M. Gulley, James D. Guilford
-
Publication number: 20140095893
Abstract: Method and apparatus for encryption, and a non-transitory computer-readable medium that stores instructions for performing encryption. The method includes loading a virtual system driver module in a host operating system and constructing a virtual operating system, wherein the virtual operating system comprises a micro-kernel; preparing and providing the context of a processor and a memory page table by the virtual system driver for the micro-kernel, and mapping, in the memory page table, the original data and the physical address of a buffer area that receives data after the encryption computation is completed; and completing the encryption computation in the virtual operating system and saving the computation result in the buffer area.
Type: Application
Filed: November 18, 2013
Publication date: April 3, 2014
Applicant: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
Inventor: Liang Cao
-
Patent number: 8689007
Abstract: A method for protecting the integrity of a set of memory pages to be accessed by an operating system of a data processing system includes running the operating system in a virtual machine (VM) of the data processing system; verifying the integrity of the set of memory pages on loading of pages in the set to a memory of the data processing system for access by the operating system; in response to verification of the integrity, designating the set of memory pages as trusted pages and, in a page table to be used by the operating system during the access, marking non-trusted pages as paged; and in response to a subsequent page fault interrupt for a non-trusted page, remapping the set of pages to a region of the data processing system memory which is inaccessible to the virtual machine.
Type: Grant
Filed: March 25, 2008
Date of Patent: April 1, 2014
Assignee: International Business Machines Corporation
Inventors: Matthias Schunter, Axel Tanner, Bernhard Jansen
-
Patent number: 8689006
Abstract: A data leakage prevention system, method, and computer program product are provided for preventing a predefined type of operation on predetermined data. In use, an attempt to perform an operation on predetermined data that is protected using a data leakage prevention system is identified. Additionally, it is determined whether the type of the operation attempted includes a predefined type of operation. Furthermore, the operation on the predetermined data is conditionally prevented based on the determination, to prevent circumvention of the protection of the data leakage prevention system.
Type: Grant
Filed: April 13, 2012
Date of Patent: April 1, 2014
Assignee: McAfee, Inc.
Inventors: Manabendra Paul, Abhilash Chandran
-
Publication number: 20140089681
Abstract: Instruction code, including instruction code stored in the area where the encrypted instruction code is held in a non-rewritable format, is authenticated using a specific key that is specific to the core on which the instruction code is executed, or using a key authenticated by that specific key, in order to perform encryption processing for the input and output data exchanged between the core and the outside.
Type: Application
Filed: November 27, 2013
Publication date: March 27, 2014
Applicant: Fujitsu Semiconductor Limited
Inventors: Seiji GOTO, Jun Kamada, Taijji Tamiya
-
Publication number: 20140089679
Abstract: Embodiments of apparatus, computer-implemented methods, systems, devices, and computer-readable media are described herein to provide a computing device with cooperative first and second binary translators in first and second execution environments having first and second security levels, respectively. The second security level may be more secure than the first security level. Encrypted instructions of the computer program may be loaded into the first execution environment, and the first binary translator may provide, to the second binary translator, an execution context of the computer program for use by the second binary translator to decrypt and execute a first portion of the computer program in the second execution environment. The second binary translator may provide, to the first binary translator, another execution context of the computer program for emulation, by the first binary translator, of execution of a second portion of the computer program in the first execution environment.
Type: Application
Filed: September 26, 2012
Publication date: March 27, 2014
Inventors: Sergei Goffmann, Alexander Skaletsky
-
Publication number: 20140089680
Abstract: Instruction code, including instruction code stored in the area where the encrypted instruction code is held in a non-rewritable format, is authenticated using a specific key that is specific to the core on which the instruction code is executed, or using a key authenticated by that specific key, in order to perform encryption processing for the input and output data exchanged between the core and the outside.
Type: Application
Filed: November 27, 2013
Publication date: March 27, 2014
Applicant: Fujitsu Semiconductor Limited
Inventors: Seiji GOTO, Jun Kamada, Taijji Tamiya