Abstract: A system for updating software installed on an electronic unit on a vehicle can include a processor and a memory. The processor can be disposed on an intermediate communications device. The intermediate communications device can be a mobile device. The memory can store an update request module and an update existence module. The update request module can include instructions that when executed by the processor cause the processor to receive, from the electronic unit on the vehicle, a request for an update of the software. The request can include: (1) an identification of a version of the software currently installed on the electronic unit and (2) a key to specifically identify the electronic unit. The update existence module can include instructions that when executed by the processor cause the processor to receive, from a device associated with development of the software, information about an existence of the update.

Abstract: In one embodiment, a domain controller (a) quarantines unknown devices at a first quarantine point at a first layer of a multi-layer communication model; (b) communicates with a domain name system (DNS) service to self-allocate and register a domain name with the DNS service; (c) receives a provisioning request for a first device via an access point, wherein the access point comprises a second quarantine point at a second layer of the multi-level communication model; (d) verifies a device type of the first device with the DNS service; and (e) responsive to that verification, provisions the first device into the domain. The domain controller may also send a provisioning response to the access point to enable the first device to be removed from the second quarantine point, to enable the first device to communicate with the domain controller. Other embodiments are described and claimed.

Abstract: A system includes persistent storage containing configuration items (CIs) representing discovered attribute values of computing resources associated with a managed network, and an application configured to perform operations, including obtaining test result data generated based on a third-party scanning system executing tests of a particular computing resource associated with the managed network. The test result data includes attribute values of the particular computing resource. The operations also include generating, by way of an embedding model and based on the attribute values, an embedding vector representing the attribute values, and comparing the embedding vector to a plurality of candidate embedding vectors, each representing the discovered attribute values of a corresponding CI of the CIs.

Abstract: An object of the disclosure is to simplify security enhancements based on trusted computing. For this, a first data processing apparatus configured to operate in accordance with one or more platform configuration is provided. The first data processing apparatus includes an attestation processor, a network interface, and a data storage device for storing validation data. The attestation processor is configured to establish attestation data that is indicative of a current platform configuration. The validation data facilitates a validity check of integrity data, which includes the attestation data. The first data processing apparatus is configured to provide the integrity and validation data.

Abstract: An air conditioning control apparatus includes a memory interface performing a data transceiving between a storage medium, a memory, and a controller. The storage medium stores a boot program in a boot program region. The memory stores the boot program of the storage medium. The controller reads out the boot program of the storage medium from the memory when a predetermined period is elapsed, and overwrites the boot program that is read out in the boot program region of the storage medium.

Abstract: A graphical user interface is used to present one or more candidate patch target stages of a software development pipeline. Prior to deployment of a patch to a particular stage, an operation is performed to verify that a version of a deployed software at the particular stage has not changed since a record of a state of the particular stage was obtained. The deployment of the patch to the particular stage is initiated when the version of the deployed software has not changed.

Abstract: A method and system for managing execution of a local craft terminal application on a local computer system comprising accessing one of the plurality of remote network elements and obtaining therefrom a launcher application program configured to manage execution of the local craft terminal application on the local computer system, launching the launcher application program on the local computer system and determining, using the launcher application program, whether the local computer system contains an appropriate copy of the local craft terminal application, and if the local computer system does not contain the appropriate copy of the local craft terminal application, obtaining the appropriate copy of the local craft terminal application from the first one of the plurality of remote network elements.

Abstract: In one embodiment, a domain controller includes a quarantine logic to quarantine unknown devices from unrestricted network access. The quarantine logic comprises a first quarantine point at a first layer of a multi-layer communication model. The domain controller also includes: a first logic to communicate with a domain name system (DNS) service to self-allocate and register a domain name with the DNS service, the domain name associated with a domain to be managed by the domain controller; a second logic to manage a group of devices of the domain; and a third logic to receive a provisioning request for a first device via an access point that comprises a second quarantine point at a second layer of the multi-level communication model. The second layer is a lower layer than the first layer, and the second quarantine point is more restrictive than the first. Other embodiments are described and claimed.

Abstract: A system includes persistent storage containing configuration items (CIs) representing discovered attribute values of computing resources associated with a managed network, and an application configured to perform operations, including obtaining test result data generated based on a third-party scanning system executing tests of a particular computing resource associated with the managed network. The test result data includes attribute values of the particular computing resource. The operations also include generating, by way of an embedding model and based on the attribute values, an embedding vector representing the attribute values, and comparing the embedding vector to a plurality of candidate embedding vectors, each representing the discovered attribute values of a corresponding CI of the CIs.

Abstract: An embodiment may involve a plurality of configuration items and an unmatched configuration item, wherein the unmatched configuration item is associated with a first set of attribute values and a first vulnerability, wherein the first vulnerability is associated with a first set of field values.

Abstract: A method, an apparatus, and a system for detecting a terminal security status are provided. The method includes: receiving a file, and running the file, to generate a dynamic behavior result. The dynamic behavior result includes a behavior sequence that is generated according to a chronological order of occurrence of behaviors. When the file includes an APT, the security protection device obtains a stable behavior feature in the dynamic behavior result, generates a corresponding IOC according to the stable behavior feature, and sends the generated IOC to a terminal. The stable behavior feature is a behavior always existing in a behavior sequence that is generated each time after the file is run.

Abstract: Methods and systems for performing exchange of data with third-party applications are described. The method includes receiving a request for performing document related operation on document using a third-party application. The method includes converting third-party application into containerized application using containerization mechanism. The method includes allocating virtual secured space to containerized application. The method includes encrypting document using public key of containerized application. The method includes providing encrypted document to containerized application that implements limitations on encrypted document. The method includes facilitating performance of document related operation on encrypted document to create updated document. The encrypted document is decrypted using private key of containerized application before performing document related operation on encrypted document.

Abstract: System and method for virtual agent upgrade uses an upgrade proxy service that is instantiated in a computing entity when an upgrade request for a virtual agent in the computing entity is received to upgrade the virtual agent based on virtual agent upgrade data from an application server. The upgrade proxy service is then removed from the computing entity after upgrading the virtual agent.

Abstract: Examples described herein relate to systems and methods for containing a faulty stimulus. A computer-implemented method may include listing in a suspect list every received stimulus including the faulty stimulus, and implicitly testing the stimuli by respectively acting upon those stimuli by a software application. Responsive to successfully acting upon each of the stimuli besides the faulty stimulus, each non-faulty stimulus is deleted from the suspect list and, responsive to such deletion, made available to a downstream node. Responsive to acting upon the faulty stimulus, the software application crashes which leaves the faulty stimulus listed in the suspect list. The software application then restarts and deems the faulty stimulus as being faulty based upon the faulty stimulus still being listed in the suspect list after the restart.

Abstract: Apparatus, method, computer program product and computer readable medium are disclosed for trusted computing. A method comprises: at a trusted execution environment (TEE)-enabling processor, creating a signing TEE; performing a first measurement of the signing TEE, wherein the first measurement comprises at least one measurement of the code of the signing TEE, an identity of the signing TEE and a log of activities performing during the creation of the signing TEE; generating a first signature of the result of the first measurement; sending the result of the first measurement and the first signature to a public register such that a verification of the signing TEE can be made by means of the public register; wherein the signing TEE is configured to verify whether a first TEE is recorded on the public ledger.

Abstract: A method for providing encrypted search includes receiving, at a user device associated with a user, a search query for a keyword that appears in one or more encrypted documents stored on an untrusted storage device and accessing a count table to obtain a count of documents that include the keyword. The method also includes generating a delegatable pseudorandom function (DPRF) based on the keyword, a private cryptographic key, and the count of documents. The method also includes evaluating a first portion of the DPRF and delegating a remaining second portion of the DPRF to the untrusted storage device which causes the untrusted storage device to evaluate the DPRF and access an encrypted search index associated with the documents. The untrusted storage device determines one or more encrypted documents associated with DPRF and returns, to the user device, an identifier for each encrypted document associated with the DPRF.

Abstract: In an aspect of the disclosure, a method, a computer-readable medium, and a device are provided. The device determines that a target event occurred at a first server in a group of servers that are jointly managed. The device obtains, for the first server, a public-private key pair including a first key and a second key. The device provides the first key to the first server such that the first server is accessible by authentication with the first key. The device provides the second key to a client device such that the first server is accessible by the client device by providing the second key to the server. Subsequently, the device revokes the first key from the first server.

Abstract: In an implementation, a method is provided. The method may include: receiving a sensor application by a network platform, the network platform comprising a processing module and a plurality of ports, and wherein a first portion of the processing module is allocated to an operating system of the network platform; allocating a second portion of the processing module to the sensor application by the network platform; executing the sensor application by the second portion of the processing module; emulating a port of the plurality of ports by the second portion of the processing module; and allowing the executed sensor application to interact with the operating system through the emulated port.

Abstract: A computer implemented method for securely extracting secure data from a human capital management (HCM) system, includes receiving setup data from a production tenant of the HCM system, wherein the setup data includes one or more field types describing what type of secure data is stored on the production tenant, creating a scrambling module based on the setup data that is configured to scramble the secure data based on scrambling settings, wherein the scrambling module is configured to upload and install onto the HCM system and to communicate with the production tenant to receive the secure data to scramble the secure data, and uploading the scrambling module to the HCM system.

Abstract: A method includes receiving a firmware update package at an information handling system, the package including a payload containing a first firmware image. In response to executing the firmware update package while the information handling system is under control of an operating system, identifying a non-volatile storage device; authenticating the first firmware image; and storing the first firmware image at the non-volatile storage device. In response to successfully authenticating the first firmware image, initiating a reboot of the information handling system to invoke an initialization routine. The initialization routine includes retrieving the first firmware image from the non-volatile storage device and installing the first firmware image at a first device.

Abstract: Examples include comparison of a part key to machine keys. Examples include identification of a part key assigned to a given machine identifier in a part key mapping of a part received by a computing device, the part key mapping including a plurality of part keys assigned to a plurality of machine identifiers. Examples also include comparison of the identified part key to machine keys stored on the computing device to determine whether the identified part key matches any of the machine keys, and based at least in part on a result of the determination, enabling or inhibiting further utilization of the part.

Abstract: Certain aspects of the present disclosure provide techniques for providing an automated callback service to a user. An example technique includes receiving an indication of a product installation failure, which includes an error code, a context of the computing device, and a product identifier. Based on the product identifier, a phone number is retrieved that is associated with the user of the computing device. A set of solutions predicted to resolve the installation failure is retrieved, based on the error code and the context. A callback is established to the user, and the user is connected with a virtual agent that will provide solutions from the set of solutions in the ranking order retrieved until a solution is determined to resolve the product installation error. The ranking of the predicted solutions is updated for other users in the future who may face a similar product installation error.

Abstract: In one embodiment, a domain controller includes: a quarantine logic to quarantine unknown devices from unrestricted network access, the quarantine logic comprising a first quarantine point at a first layer of a multi-layer communication model; a first logic to communicate with a domain name system (DNS) service to self-allocate and register a domain name with the DNS service, the domain name associated with a domain to be managed by the domain controller; a second logic to manage a group of devices of the domain; and a third logic to receive a provisioning request for a first device via an access point, wherein the access point comprises a second quarantine point at a second layer of the multi-level communication model. Other embodiments are described and claimed.

Abstract: Techniques and systems for storing and retrieving data storage devices of a data storage system are disclosed. In some embodiments, inventory holders are used to store data storage devices used by a data storage system. When data is to be transacted with the data storage devices, mobile drive units locate appropriate inventory holders and transport them to a device reading station, where an appropriate device retrieval unit transacts the data. After the data has been transacted, the data storage devices are returned to the appropriate inventory holders, and the inventory holders are placed by the mobile drive units in locations where they may be accessed in response to further data transactions.

Abstract: The invention provides a method and system for safely switching between product mode and development mode of a terminal, aiming at addressing the problem in the prior art that the terminal in a testing development version may be accidentally circulated into the market and cause hidden safety risk. According to the invention, different Certificate Authorities (CAs) are configured for the terminal at different stages; by storing the public-private key pairs of the certificates issued by different CAs in different secure storage media, only if the secure storage medium corresponding to the current CA state of the terminal is verified to be valid, the flags of the terminal can be successfully rewritten; a safe switching between different CA states of the terminal is realized. It is ensured that the terminal in the testing development stage cannot be used normally, thereby improving the safety of the terminal device.

Abstract: A request to store a container image is received from a device associated with a customer of a computing resource service provider. Validity of a security token associated with the request is authenticated using a cryptographic key maintained as a secret by the computing resource service provider. One or more layers of the container image is built based at least in part on at least one build artifact to form a set of built layers. The software image including the set of built layers is stored in a repository associated with the customer. A manifest of metadata for the set of built layers is stored in a database of a structured data store. The container image is obtained in the form of an obtained container image. The obtained container image is deployed as the software container in at least one virtual machine instance associated with the customer.

Abstract: Provided are a computer program product, system, and method for non-disruptive encoding of source data in a source data set migrated to a target data set. The source data in the source data set is migrated to a target data set by encoding the source data to produce encoded source data to copy to a target data set. In response to receiving write data for the source data set, the write data is encoded to produce encoded write data to copy to the target data set. Input/Output (“I/O”) requests to the source data set are redirected to the target data set having encoded data for the source data set.

Abstract: Techniques for simplifying and reusing visual programming graphs are described herein. In some examples, visual programming graphs may be simplified by decoupling execution signals from data resolution. Execution of a particular node may be triggered through a representation of a signal sent from a signal output slot of another node to a signal input slot on the node being triggered. Additionally, evaluation of data values may be represented by a connection between a data output slot on the node providing the data value to a data input slot on the node receiving the data value. Another technique for simplifying visual programming graphs may include combining and/or collapsing of multiple selected visual programming nodes into a single reusable visual programming node. In some examples, reusable combined visual programming nodes may be exposed using unlocked versions and/or locked versions.

Abstract: A data deletion system may trigger and orchestrate data deletion of data across various data stores. The system may schedule a record having a unique identifier for deletion in response to a data deletion rule. The record may be deleted from a system of record based on the unique identifier. The system may broadcast a deletion message containing the unique identifier. The deletion message may trigger a purge of data associated with the unique identifier by a subscribing entity such as, for example, an application or third party. The system may monitor the subscribing entity to determine whether the purge was successfully completed.

Abstract: The embodiments herein are directed to a technique for providing secure communication between nodes of a network environment or within a node of the network using a verified virtual trusted platform module (TPM) of each node. The verified virtual TPM illustratively emulates a hardware TPM device to provide software key management of cryptographic keys used to provide the secure communication over a computer network of the network environment. Illustratively, the verified virtual TPM is configured to enforce a security policy of a trusted code base (TCB) that includes the virtual TPM. Trustedness denotes a predetermined level of confidence that the security property is demonstrated by the verified virtual TPM. The predetermined level of confidence is based on an assurance (i.e., grounds) that the verified virtual TPM demonstrates the security property.

Abstract: A banking system operates responsive to data read from data bearing records. The system includes an automated banking machine comprising a card reader. The card reader includes a movable read head that can read card data along a magnetic stripe of a card that was inserted long-edge first. The card reader includes a card entry gate. The gate is opened for a card that is determined to be properly oriented for data reading. The card reader can encrypt card data, including account data. The machine also includes a PIN keypad. The card reader can send encrypted card data to the keypad. The keypad can decipher the encrypted card data. The keypad can encrypt both deciphered card data and a received user PIN. The card data and the PIN are usable by the machine to authorize a user to carry out a financial transfer involving the account.

Abstract: Computer protection is weak with the methods currently available and there are risks of malicious users getting access to computers, corrupting important data, including system data. We are proposing a method for improving access protection, more particularly, by using a slave device that will enable or disable protection for applications as required. The device supports one or more users, none or more user groups, none or one or more Application Security Environments for each user or user group and one or more states for each Application Security Environment. The state of the hardware is manually controlled by the users. Depending on the configuration, each hardware state corresponding to an Application Security Environment corresponds to a set of privileges the processes running in that Application Security Environment have while that Application Security Environment is in that state.

Abstract: A computing system is provided that includes a distribution endpoint including one or more processors configured to receive a request from a developer computing device to update a program managed by the distribution endpoint, the program being previously packaged and signed. The one or more processors of the distribution endpoint are further configured to receive a code file including a change to the program, retrieve a package of the program that has not been updated with the change to the program, generate an updated package of the program by adding the code file to the retrieved package of the program such that the updated package of the program logically represents a package of the updated program, and distribute the updated package of the program to an end user computing device.

Abstract: There is provided a computer implemented method for detection and prevention of an attempt at establishment of a network connection for malicious communication, comprising: detecting a connection establishment process for establishing a network connection, the connection establishment process initiated by code running on a client terminal; analyzing records in at least one stack trace of the initiating code managed at the client terminal, to detect a trial to establish a malicious communication wherein the network connection is used for malicious activity; and blocking establishment of the network connection when the analysis detects the trial to establish the malicious communication based on the network connection.

Abstract: Processing information is disclosed including receiving an application retrieval request sent by a terminal, the application retrieval request including identifying information of the terminal, generating, based on a preset key generation technique, an encryption key based on the identifying information included in the application retrieval request, encrypting, based on the encryption key and a preset encryption technique, designated data in an application to obtain an encrypted application, and sending the encrypted application to the terminal.

Abstract: Examples relate to providing operating system (OS) agnostic validation of firmware images. In some examples, a request to verify a number of firmware images is received, where each of the firmware images is associated with a metadata set. A first installation of a first firmware image of the firmware images is accessed via a physical interface, and a first metadata set is used to verify the first installation, where the first metadata set includes a firmware signature that is used to verify the first installation. At this stage, the request is forwarded to a child management processor, where the management processors are in a trusted group and related according to a tree hierarchy.

Abstract: Technologies are provided for secure sanitization of a storage device. A storage device can be configured to support an operational mode, into which the storage device is placed by default, and in which requests to cryptographically erase the storage device are rejected. The storage device can support a separate sanitization mode in which a request to cryptographically erase the storage device will be processed. Access to the sanitization mode can be restricted to trusted sources (such as a boot firmware of a computer connected to the storage device). The storage device can be configured to reject a command to place the storage device in the sanitization mode, unless the command is received during an initialization of the storage device. In at least some embodiments, the storage device can reject data access commands while it is in the sanitization mode.

Abstract: Contents of a memory may be authenticated using redundant encryption. In some examples, data to be stored by a memory is encrypted with two unique encryption keys—a first encryption key is used generate a cipher text and a second encryption key (different than the first encryption key) is used to generate an authentication tag. The cipher text and authentication tag are stored by the memory. At a later time, the cipher text and authentication tag may be retrieved from the memory and decrypted using the respective encryption keys. After decrypting the cipher text and the authentication tag, the data retrieved from the memory may be authenticated by comparing the plaintext generated by decrypting the cipher text and with the plaintext generated by decrypting the authentication tag. A match between the plaintext indicates the data was not corrupted or modified during storage in the memory.

Abstract: Identification information of a program read from outside, such as firmware, is acquired, and usability of a piece of key data in a range corresponding to the identification information is set, among a plurality of pieces of key data to be used for the program. As another example, based on new key data generated based on key data stored in advance in a memory and identification information, firmware corresponding to the identification information is decrypted.

Abstract: Methods, systems, and computer program products for securely processing range predicates on cloud databases are provided herein. A computer-implemented method includes separately encrypting a set of plain text data using two or more encryption functions, thereby producing an encrypted domain comprising at least two distinct groups of encrypted data items; converting a range query over plain text data items into a query over at least one of the distinct groups of encrypted data items; and combining results from the query over the distinct groups of encrypted data items, thereby generating a final encrypted result to the range query.

Abstract: At least one user table in a relational database management system (RDBMS) using a first operator within a structured query language (SQL) command is identified. The first operator within the SQL command is utilized to transfer one or more data items from the at least one user table to a data array within the RDBMS. The data array is processed within the RDBMS, and one or more output values are generated based on the processing.

Abstract: A system may include a host that may include a processor coupled to a non-volatile memory over a secure communication protocol. As a result, prior to release for manufacturing, a binding code may be established between the host and the non-volatile memory. In some embodiments, this binding code may be stored on the non-volatile memory and not on the host. Then during a boot up of the system, the boot up process may be initiated by the host using code associated with the host, followed by secure booting using the secure protocol using code stored on the non-volatile memory.

Abstract: Embodiments of the present invention relate to a method, device and computer program product for container deployment. By comparing the target libraries required by a target container to be deployed and the libraries that have been loaded on the candidate hosts, the costs of deploying the target container on the candidate hosts can be estimated. Then a target host is selected from among the plurality of candidate hosts based on the determined costs.

Abstract: Embodiments of the present invention relate to a method, device and computer program product for container deployment. By comparing the target libraries required by a target container to be deployed and the libraries that have been loaded on the candidate hosts, the costs of deploying the target container on the candidate hosts can be estimated. Then a target host is selected from among the plurality of candidate hosts based on the determined costs.

Abstract: An authentication device is provided that authenticates an electronic device based on the responses from distinct types of physically unclonable functions. The authentication device receives a device identifier associated with the electronic device. It then sends one or more challenges to the electronic device. In response, the authentication device receives one or more responses from the electronic device, the one or more responses including characteristic information generated from two or more distinct types of physically unclonable functions in the electronic device.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for automatically determining configuration properties of a compiler. One of the methods includes determining that an executable of the newly created process is a compiler called by the build system to compile source code of a source code file. In response to the determining, a plurality of configuration properties of the compiler called by the build system are determined, the configuration properties including first properties of a plurality of built-in functions of the compiler, second properties of a plurality of built-in types of the compiler, or both. A compiler emulator is configured to emulate the behavior of the compiler called by the build system using the determined configuration properties. Access to the source code is provided to the compiler emulator configured using the determined configuration properties.

Abstract: Embodiments of a method are disclosed. One embodiment is a method for securely updating firmware in a computing device, in which the computing device includes a host processor and a non-volatile memory. The method involves receiving a double-encrypted firmware image from an external firmware source, wherein the double-encrypted firmware image is generated from firmware that is encrypted a first time using a first crypto-key and then encrypted a second time using a second crypto-key. The method also involves receiving the second crypto-key from an external key source, decrypting the double-encrypted firmware image using the second crypto-key to produce an encrypted firmware image, storing the encrypted firmware image in the non-volatile memory of the computing device, reading the encrypted firmware image from the non-volatile memory of the computing device, decrypting the encrypted firmware image using the first crypto-key, and executing the firmware on the computing device.

Abstract: Technologies for supporting and implementing multiple digital rights management protocols on a client device are described. In some embodiments, the technologies include a client device having an architectural enclave which may function to identify one of a plurality of digital rights management protocols for protecting digital information to be received from a content provider or a sensor. The architectural enclave select a preexisting secure information processing environment (SIPE) to process said digital information, if a preexisting SIPE supporting the DRM protocol is present on the client. If a preexisting SIPE supporting the DRM protocol is not present on the client, the architectural enclave may general a new SIPE that supports the DRM protocol on the client. Transmission of the digital information may then be directed to the selected preexisting SIPE or the new SIPE, as appropriate.

Abstract: To customize products, a first entity receives generic products from a supplier entity, wherein the generic products include base software. The first entity provides a customization component for at least a subset of the generic products. Base software in at least the subset of the generic products is executed at the first entity to interact with the customization component to customize at least one feature of at least the subset of generic products.

Abstract: An apparatus for processing logging policies includes: a logging policy input section configured to receive a plurality of logging policies for use with vehicle data; a logging policy storage configured to store the received plurality of logging policies; a logging policy interpreter configured to extract profile data, variable data, and policy data from the plurality of logging policies stored at the logging policy storage; a logging policy analyzer configured to analyze the profile data, the variable data, and the policy data of the respective logging policies extracted by the logging policy interpreter and create an integration rule based on the analyzed data; an integration logging policy generator configured to generate an integration logging policy based on the integration rule created by the logging policy analyzer; and an integration logging policy processor configured to process the integration logging policy generated by the integration logging policy generator.