Abstract: A computer vision processor in an image cluster defines a fenced memory region (FMR) that controls access to image data stored in a first portion of a trusted memory region (TMR). The computer vision processor receives FMR requests from an application implemented in a processing cluster. The FMR requests are to access the image data in the first portion of the TMR. The computer vision processor selectively allows the requesting application to access the image data. In some cases, the computer vision processor acquires the image data and stores the image data in the first portion of the TMR, such as buffers in the TMR. A data fabric selectively permits the image processing application to access the data stored in the TMR based on whether the image cluster has opened or closed the FMR for the portion of the TMR.

Abstract: A user device may determine to back up a hardware key that is associated with a hardware component of the user device. The user device may determine that the user device has an operation key. The user device may retrieve the hardware key from a first data structure that is included in the user device and may encrypt, based on the operation key, the hardware key. The user device may process, after encrypting the hardware key, the hardware key to generate a hash value and may determine that the hash value is not included in a registry of the user device. The user device may transmit, based on determining that the hash value is not included in the registry, the encrypted hardware key to a server device to cause the hardware key to be backed up in a second data structure associated with the server device.

Abstract: In some embodiments, an apparatus includes a memory and a processor. The processor is configured to receive an index file that associates a characteristic in a set of documents with a set of information associated with the characteristic in the set of documents. The processor is further configured to generate an index identifier associated with the index file and calculate a set of pseudorandom logical block identifiers associated with a set of storage locations of a database based on the index identifier. The processor is then configured to parse the index file into a set of index data portions and send a signal to the database to write each index data portion from the set of index data portions at a different storage location within the database as indicated by a different identifier from the set of pseudorandom logical block identifiers.

Abstract: Methods, computing apparatuses, computer readable media and systems are described that are for use with blockchain applications. An authority server may communicate a data package to a mining node. The mining node may receive the data package from the authority server, the data package comprising a plurality of datasets, each dataset comprising signal information. The mining node may analyse the data package to convert the signal information of each dataset to a corresponding data output. The mining node may communicate the plurality of data outputs to an authority server and, upon verification of the plurality of data outputs, the plurality of data outputs may be used in establishing a proof-of-work for appending a block record to a blockchain. Encryption and decryption methods may be used to secure data according to methods described herein. In some examples, the signal information of each dataset relates to a polynucleotide sequence and the corresponding data output relates to a read.

Abstract: A method and system of creating and managing encryption keys that facilitates sharing of encrypted content. The system may include an information management system with a key management server and a computing device having an encryption service module. The encryption service module detects operations at the computing device and encrypts a document with an encryption key created using user information and a secret.

Abstract: A privacy protecting transaction engine for a cloud provider network is described. According to some embodiments, a computer-implemented method includes receiving a request from a customer of a cloud provider network to create a customer cloud in the cloud provider network, generating the customer cloud in the cloud provider network, receiving a first request at the cloud provider network for the customer cloud that includes private information of an end customer of the customer of the cloud provider network, removing the private information from the first request by a privacy protecting transaction engine of the cloud provider network to generate a second request, and sending the second request to the customer cloud for servicing.

Abstract: A system, apparatus, method, and machine-readable medium are described for endorsing authenticators. For example, one embodiment of an apparatus comprises: a first instance of an authenticator associated with a first app to allow a user of the first app to authenticate with a first relying party; a secure key store accessible by the first instance of the authenticator to securely store authentication data related to the first app; and a synchronization processor to share at least a portion of the authentication data with a second instance of the authenticator associated with a second app to be executed on the apparatus.

Abstract: Data storage devices and apparatuses that include a data storage device are disclosed. In some implementations, the apparatus may include a data storage device including a replay protected memory block accessed by a security protocol and a processor configured to generate a command information unit instructing the data storage device to access the replay protected memory block and to provide the data storage device with the command information unit, wherein the command information unit includes a basic header segment included in every information unit transferred between the host and the memory controller and an extra header segment including a host side RPMB message.

Abstract: An encrypted hard disk device is provided, including a near-field communication (NFC) sensing module, a processor, a storage unit, and a power switch. The NFC sensing module is configured to read a user identification (UID) of at least one sensor element. The processor is electrically connected to the NFC sensing module and the storage unit. The processor receives the UID and generates a control signal when the UID is approved. The power switch is electrically connected to the processor and the storage unit and maintains a conducting state according to the control signal and supplies power to the storage unit for accessing the storage unit.

Abstract: A data storage management system is enhanced to accommodate, and moreover to optimize, the storing and retention of deduplicated secondary copies at write-once read-many (WORM) enabled storage platforms. Enhancements include without limitation: user interface (UI) options to enable WORM functionality for secondary storage, whether used for deduplicated or non-deduplicated secondary copies; enhancements to secondary copy (e.g., deduplication copy, backup) operations; and pruning changes. The storage manager is generally responsible for managing the creation, tracking, and deletion of secondary copies, with and without deduplication. Media agents that store secondary copies to and prune them from the WORM-enabled storage platforms also are enhanced for communicating and interoperating with both bucket-level and object-level WORM-enabled storage platforms to implement the features disclosed herein.

Abstract: A data sharing system may facilitate sharing of data with third party systems. In one example, the data sharing system can provide a graphical user interface that displays an available subset of user data for sharing. The available subset may be based on previously shared user data with the third party system. The third party system can provide a selection of data of interest within the available subset, and the selected data can be shared.

Abstract: The techniques herein are directed generally to a “zero-knowledge” data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data—all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key, accordingly.

Abstract: The present disclosure relates to a program verification method and apparatus, a platform, a user terminal, and an online service system, includes: acquiring a root evidence of a server-side program from a blockchain network, and acquiring a verification evidence of the server-side program from a server side, where the root evidence is written into the blockchain network after server-side program review succeeds, and the success of the server-side program review indicates a data processing method of the server-side program satisfies a preset data processing rule; verifying whether the root evidence and the verification evidence are matched, where the root evidence and the verification evidence being matched indicates the server-side program is a program that is operated in a TEE of a computer and is not modified after the root evidence is written into the blockchain network; and determining to connect a user-side program to the server-side program.

Abstract: Methods and systems for gateway agnostic tokenization are disclosed. Gateway agnostic tokenization enables a resource provider to quickly, safely, and efficiently route a token for authorization via any appropriate gateway computer. As part of an interaction with a user, a resource provider can transmit a token to an edge computer. The edge computer can then forward the token to a gateway computer. The gateway computer can identify a data item comprising two ciphertexts associated with the token. The edge computer and gateway computer can collectively decrypt the two ciphertexts to obtain a credential. The gateway computer can then forward the credential to an authorizing entity computer. The authorizing entity computer can then determine whether or not to authorize the interaction.

Abstract: Various embodiments of the present technology generally relate to data delivery. More specifically, some embodiments of the present technology relate to systems and methods for using spatial and temporal analysis to associate data sources with mobile devices. The delivery of data to support a wide variety of services for and about mobile devices that are based on data stored in corporate, commercial, and government databases which is not currently linked to individual mobile devices. Some embodiments allow advertisers to better target their ads to relevant target audiences with greater accuracy.

Abstract: A method and system for analysis of a facility may include providing an emulation host system, first generating a golden circuit model on the emulation host system, first inserting a first hardware trojan model, first emulating operation of the golden circuit model, and second emulating operation of the first hardware trojan model. A facility may include a trojan instrument facility having a trojan detection instrument comparing logic circuit output against a threshold for detecting hardware trojan activity, and outputting alert data, and in relation to opening one of a plurality of scannable access points, a scannable register is inserted into an active scan chain with an associated instrument interface.

Abstract: According to certain embodiments, an electronic device comprises: a secure element storing at least one content application and backup data associated with the at least one content application; a memory storing instructions; and a processor electrically connected to the secure element and the memory and configured to executed the instructions, wherein execution of the instructions by the processor causes the processor to perform a plurality of operations comprising: when receiving a message requesting a backup operation from an external electronic device, loading encrypted backup data from the secure element, transmitting the backup data to the external electronic device, and when receiving a message about backup completion from the external electronic device, setting the backup data to an unavailable state.

Abstract: A method, system and computer readable medium include objects with media content. The method includes receiving, at one or mom servers, a request for the media content to be displayed at an endpoint. The method includes identifying information about an environment associated with the endpoint. The method includes identifying a set of objects to include in a container for the media content based on the information identified about the environment. At least one of the objects includes program code for completing a transaction during display of the media content. Additionally, the method includes sending, by one or more servers, the set of objects to the endpoint.

Abstract: A computer implemented method to provide encrypted protected data in response to an unauthorized access request and unencrypted protected data in response to an authorized access request may include the following steps: receiving a first access request for accessing protected data; determining if the first access request identifies the protected data through a specified namespace; and returning an encrypted version of the protected data in response to the first access request if the first access request did not identify the protected data through the specified namespace. Optionally, the method may include the steps of: receiving a second access request to access the protected data; determining if the second access request identifies the protected data through the specified namespace; and returning an unencrypted version of the protected data in response to the second access request only if the second access request identifies the protected data through the specified namespace.

Abstract: A play method for a streaming media file, and a display apparatus are provided. The method comprises: in response to a command for playing a streaming media file on a display of the display apparatus, obtaining the streaming media file and determining a state of the streaming media file; in response to the state of the streaming media file being encrypted state, flowing video data in the streaming media file into a trusted execution environment of the display apparatus, and determining a state of the video data in the trusted execution environment; and in response to the state of the video data being encrypted state, decrypting the video data, decoding the decrypted video data, and then playing the decoded video data.

Abstract: A technique and system protects documents at rest and in motion using declarative policies and encryption. Encryption in the system is provided transparently and can work in conjunction with policy enforcers installed at a system. A system can protect information or documents from: (i) insider theft; (ii) ensure confidentiality; and (iii) prevent data loss, while enabling collaboration both inside and outside of a company.

Abstract: The invention relates to information representation, exchange, validation, and utilization. Embodiments of the invention enable a fully digital shared information reality: an information fabric, in which unlimited numbers of participants can all permanently access (with access controls) information objects that all participants can trust and verify, according to a universal set of protocols that are logically complete, address all stages of information exchange, and enable convincing, persuasive user experience. We disclose foundational embodiments that include methods to properly record, store, communicate and display information in digital form; computational verification and validation of information; and foundational concepts in human-information interaction. The invention teaches that by using unique digital objects, numerous difficulties and inefficiencies in state-of-the-art information exchange are overcome, and the next stage of digital transformation is enabled.

Abstract: A system is a system including: a cloud server configured to perform a machine learning process; and a client apparatus configured to communicate with the cloud server. The client apparatus includes: a generating unit that generates one or a plurality of reference data from a plurality of data used for the machine learning and that generates a plurality of difference data, wherein the reference data is a reference for at least a part of the plurality of data, and each difference data indicates a difference between each of the plurality of data and corresponding reference data out of the one or the plurality of reference data; and a storage unit that stores the plurality of difference data in a storage apparatus of the cloud server.

Abstract: A system accesses a task log comprising text that is confidential information. The system selects a first portion of the task log. The system compares each word in the first portion with keywords that are known to be confidential information. The system determines that a word in the first portion is among the keywords. The system determines a hierarchical relationship between the word and neighboring words. The system determines that the word is associated with the neighboring words based on the hierarchical relationship. The system generates a template pattern comprising the word and one or more words associated with the word. The system obfuscates the template pattern.

Abstract: A compute in memory device comprises a memory array including a plurality of data lines for parallel access to memory array data, and an input/output interface. Data path circuits between the memory array and the input/output interface include a page buffer, each buffer cell of the page buffer including a plurality of storage elements. A plurality of computation circuits is provided connected to respective buffer cells. The computation circuits execute a function of data in the storage elements of the respective buffer cells and can be configured in parallel to generate a results data page including operation results for the plurality of buffer cells. A data analysis circuit is connected to the data path circuits to execute a function of the results data page to generate an analysis result. A register can be provided to store the analysis result accessible via the input/output interface.

Abstract: A method for transmitting a boot code, with improved data security, from a programming device to a microcontroller, including: a) creating a first public key, a first private key, and a password; b) generating a bootloader binary for execution on the microcontroller, c) estimating a tolerable total processing time, which consists of the processing times of steps d) to f); d) transmitting the bootloader binary from the programming device to the microcontroller; e) executing, by the microcontroller, the bootstrap loader code, the decryption routine, and the decrypted bootloader routines; f) transmitting at least the second public key from the microcontroller to the programming device; g) if the actual processing times of steps d) to f) are outside the tolerable total processing time, terminating the method; and h) otherwise, encrypting, by the programming device, the boot code by the second public key and transmitting an encrypted boot code to the microcontroller.

Abstract: A method is provided to dynamically encode data at runtime with a tagged data element in a program associated with an obfuscation algorithm randomly selected during runtime. Instructions for invoking the obfuscation algorithm are generated when a compiler encounters the tagged variable in the source code. At runtime, unencoded data is encoded by the obfuscation algorithm when the unencoded data is copied to the tagged data element; encoded data is re-encoded by the obfuscation algorithm when the encoded data is copied from a differently tagged data element to the tagged data element, wherein the differently tagged data element is associated with a different obfuscation algorithm; and encoded data is decoded by the obfuscation algorithm when the encoded data is copied from the tagged data element to an untagged data element.

Abstract: A method is provided that permits user to submit a password to the private key that is to be used to decrypt files either at the time of user account setup or at the time of submitting the files. The password is stored securely in the system, permanently or temporarily, and is used later to decrypt the files right before the system is ready to process the files.

Abstract: The present disclosure relates to secure storage, in a non-volatile memory, of initial data encrypted using a second data, including selecting a pointer aimed at an initial address of a memory cell of an initial part of the non-volatile memory, and encrypting the pointer using the second data; and-storing the encrypted pointer in the non-volatile memory.

Abstract: An orchestrator device may receive a request from a first module deployed in a second cloud platform in a second jurisdiction, wherein the request is compliant with a jurisdictional characteristic of the second jurisdiction. The orchestrator device may process the request in order to identify a second module deployed in the first cloud platform to which to forward the request. The orchestrator device may forward the request to the second module to enable fulfillment of the request. The orchestrator device may receive a response from the second module, wherein the response is compliant with a jurisdictional characteristic of the first jurisdiction. The orchestrator device may process the response, to identify a third module deployed in the second cloud platform to which to forward the response. The orchestrator device may forward the response, to the third module.

Abstract: Disclosed herein are techniques for protecting web applications from untrusted endpoints using remote browser isolation. In an example scenario, a browser isolation system receives a request from a client browser executing on a client device to connect with a remote application accessible via a private network. A surrogate browser is provided to facilitate communications between the client browser and the remote application. A security policy is enforced against the communications.

Abstract: A system and method reduces use of restricted operations in a cloud computing environment during cybersecurity threat inspection. The method includes: detecting an encrypted disk in a cloud computing environment, the encrypted disk encrypted utilizing a first key in a key management system (KMS); generating a second key in the KMS, the second key providing access for a principal of an inspection environment; generating a snapshot of the encrypted disk; generating a volume based on the snapshot, wherein the volume is re-encrypted with the second key; generating a snapshot of the re-encrypted volume; generating an inspectable disk from the snapshot of the re-encrypted volume; and initiating inspection for a cybersecurity object on the inspectable disk.

Abstract: Aspects relating to machine learning includes receiving, by a first trusted node, a first target data set sent by a first participant, wherein the first target data set is obtained via encrypting, by the first participant, a data set provided by the first participant based on a first preset encryption mode; decrypting the first target data set, determining first training data, and performing model training for a preset machine learning model based on the first training data to obtain a first intermediate training result; acquiring an encrypted second intermediate training result sent by at least one second trusted node; and performing federated learning for the preset machine learning model based on at least the first intermediate training result and the decrypted second intermediate training result, to update model parameters of the preset machine learning model and obtain a learning completed target model.

Abstract: In an aspect, the present application may describe a method. The method may include: receiving, from a remote computing device, a first indication of consent for an authenticated entity to share data with a first third party server, the first indication of consent associated with a first sharing permission defining a first sharing scope; in response to receiving the first indication of consent: configuring a server to share data for the authenticated entity with the first third party server based on the sharing permission; identifying a first safety score, the first safety score associated with the first third party server; and updating a risk score for the authenticated entity based on the first safety score and the first sharing permission; and sending the updated risk score for the authenticated entity to the remote computing device for display thereon.

Abstract: Devices and techniques for efficient host assisted logical-to-physical (L2P) mapping are described herein. For example, a command can be executed that results in a change as to which physical address of a memory device corresponds to a logical address. The change can be obfuscated as part of an obfuscated L2P map for the memory device and written to storage on the memory device. The change can then be provided a host from the storage.

Abstract: Example implementations include a method, apparatus and computer-readable medium for managing augmented reality (AR) effects on a blockchain, comprising receiving a request to convert an AR effect into a decentralized digital asset. The implementations further include uploading an AR effect package comprising execution files of the AR effect to a decentralized server connected to a peer-to-peer network. The implementations further include generating metadata associated with the AR effect package, wherein the metadata indicates attributes of the AR effect and a storage address of the AR effect package in the decentralized server. The implementations further include generating a token universal resource identifier (tokenURI) linked to the metadata and generating, using a smart contract, the decentralized digital asset corresponding to the AR effect package and the tokenURI for storage on the blockchain and subsequent access by a content creation application.

Abstract: The invention discloses a digital signature system. The digital signature system comprises an electronic device and a data storage device. The electronic device generates a specific data by executing a specific operation, and calculates the specific data via a hash algorithm to generate a hash data. The data storage device comprises a controller, a plurality of flash memories, and a data transmission interface. The electronic device transmits the hash data to the data storage device via the transmission interface. The controller comprises a firmware. The firmware reads an unclonable function, and generates a private key according to the unclonable function, and encrypts the hash data by the private key to obtain a digital signature. The data storage device transmits the digital signature to the electronic device via the transmission interface.

Abstract: A system, method, and apparatus are provided for securely controlling operations of a data processing system in which security subsystem is activated to provide security services by responding to a security service request, evaluating the request against an adjustable set of system security policies to determine if the security service request is granted access to a protected asset, by generating a response to the security service request using the protected asset if the security service request is granted access to the protected asset, by adjusting a security access policy for the protected asset in the adjustable set of system security policies, and by sending the response from the security subsystem to the external application subsystem.

Abstract: Methods, systems, and devices for secure self-purging memory partitions are described. Systems, techniques and devices are described herein in which data stored in a portion of a secure partition of memory may be removed from the secure partition. In some examples, a portion of secure partition may be allocated as self-purging memory such that data stored therein may be selectively removed in response to a logic address associated with the data being overwritten. In some cases, the data may be removed by programming the memory cells associated with the data to a specific voltage distribution. In some cases, the secure partition may include separate portions having different sets of operating parameters for access operations.

Abstract: A method prevents unauthorized access to user data files on a computing device. The device receives a request from an application to open a data file (including file name path). The device determines whether the path corresponds to a designated storage location for user data files and determines whether access to the data file has previously been granted for the application. When the file is a user file with no permission for the application, the device uses a volition table to determine whether access volition has been asserted for the data file by the application within a preceding predefined period of time. When access volition has been asserted, the device permits the application to access the data file. When access volition has not been asserted, the device displays a user interface box prompting a user to decide whether or not to grant the application access to the data file.

Abstract: A method for protecting data in an external memory based on an isolated execution environment is provided. The method is used in a processor in the isolated execution environment of a system-on-a-chip. The method includes: accessing an output command of a main system processor in a main system of the system-on-a-chip; reading first data from a shared memory in the main system according to the output command; encrypting the first data with a private key and generating encrypted first data; and outputting the encrypted first data to the external memory.

Abstract: The disclosure relates to a method of obtaining a cryptographic key in a chipset (1). An initial configuration message may be generated using a physical unclonable function (hereinafter: PUF) (22) of the chipset (1). Said PUF (22) may generate a predetermined value when using the initial configuration message as input to the PUF (22). The initial configuration message may be transmitted to a client access server (31). An altered configuration message may be received from the client access server (31), wherein the altered configuration message is generated by the client access server (31) based on the initial configuration message. The cryptographic key may be obtained from the PUF (22) using the altered configuration message as input to the PUF (22).

Abstract: Methods, systems, and devices for purging data from a memory device are described. A memory system may receive, from a host system, a command to write data to an address storing an encryption key in a first portion of the memory system that is configured to store secure information (e.g., a Replay Protected Memory Block). The encryption key may be configured to encrypt data associated with the host system that is stored in a second portion of the memory system. The memory system may then receive an indication of a purge command from the host system. The memory system may execute the purge command by transferring data from the first portion of the memory system to a third portion of the memory system configured to store secure information and erasing the data from the first portion of the memory system.

Abstract: An example apparatus includes a flash memory card that is removably and securely coupled to a host device (e.g., smartphone). When removed, the apparatus facilitates physical and logical air-gapping and secure, “cold” storage of digital assets. In one example, a flash memory card stores computer-executable instructions to determine that a mobile device is authorized to communicate with the flash memory card when the flash memory card is inserted into a memory card slot of the mobile device. If communication is authorized, the instructions can further cause the memory card to establish communication with the mobile device and cause the mobile device to access a digital asset using a key stored on the memory card. The digital asset can be digitally managed in response to receiving user input at the mobile device.

Abstract: System of decentralized Zero-Trust services for creating, using and analyzing securely commingled Self-Governing data sets that prevents extraction by any party and unauthorized in contradiction to the Self-Governing need-to-know policies defined by each Publisher. Such an invention enables performance of combinatorial analytics, machine learning or artificial intelligence (AI) or other permitted data usage processes applied to commingled data without exposing the Self-Governing data in any manner contravening the embedded and enforced fine-grained security and governance settings which control how and by whom and in what context each data element can be used.

Abstract: Described herein are systems and methods for controlling access to a protected resource based on various criteria. In one exemplary aspect, a method comprises designating a plurality of program data installed on a computing system as protected program data; intercepting, by a kernel mode driver, a request from an untrusted application executing on the computing system to alter at least one of the protected program data; classifying, by a self-defense service, the untrusted application as a malicious application based on the intercepted request and information related to the untrusted application; and responsive to classifying the untrusted application as a malicious application, denying, by the kernel mode driver, access to the at least one of the protected program data.

Abstract: In an embodiment of the present invention, users with the appropriate permission can launch a function inside a system in order to anonymize and export the currently loaded study or studies, or one or more studies identified by a search criteria. The data from the studies that were identified is then anonymized on the system. In an embodiment of the present invention, the data from selected studies is anonymized on a server, and only then transmitted to another network device. In an alternative embodiment of the present invention, the data from selected studies is anonymized on a server, and only then stored to a hard disk or other media.

Abstract: Various embodiments for sending a cryptogram to a point of sale terminal while disconnected from a network. In some embodiments, for example, a computing device that is configured to display a prompt for a selection of a transaction account. An encrypted session key is retrieved through a network in response to determining a number of session keys associated with the transaction account is below a threshold. The computing device is also configured to generate a session key based at least in part on decrypting the encrypted session key using an encryption key and establish a wireless connection with a point of sale terminal for a purchase. A cryptogram is generated from the session key based at least in part on the user device being disconnected from the network. The cryptogram is sent to the point of sale terminal.

Abstract: An operator for a global total order broadcast domain executing a method to send an operation out of band to nodes of participating parties in a partition, receive a certificate and a signature on the operation for each of the participating parties, generate a single party packet based on the received signatures, generate a random symmetric encryption key, send the random symmetric encryption key to the participating parties, encrypt the single party packet with the random symmetric encryption key, generate a pseudo random string for the partition, and record an operation identifier, the encrypted party packet, and the pseudo random string on the global total order broadcast domain.

Abstract: Disclosed is a self-deploying encrypted hard disk, a deployment method thereof, a system and a boot method thereof.