Abstract: A system includes a processing unit, a memory configured to store at least one first group of instructions and one second group of instructions for execution by the processing unit, the processing unit being configured to sequentially extract from the memory instructions of the first group and instructions of the second group for their execution. The system also includes a controller including a first auxiliary memory configured to store a protection criterion, a comparator configured to compare the storage address of each extracted instruction with the protection criterion, and a control circuit configured to, in response to the storage address meeting the protection criterion, trigger a protection mechanism including at least one prohibition for the processing unit to execute again at least one portion of the instructions of the first group, during the execution of the instructions of the second group.

Abstract: Methods and systems for performing a computational operation on a server host using a secure enclave are provided. Exemplary methods include: receiving an encrypted service request from a client host, the client host encrypting a service request to produce the encrypted service request using a shared secret, the service request specifying the computational operation; decrypting, in a secure enclave that is established by a secure environment, the encrypted service request using the shared secret to produce a decrypted service request; performing the computational operation, in the secure enclave, using the decrypted service request to generate a service result; encrypting, in the secure enclave, the service result using the shared secret to create an encrypted service result; and providing the encrypted service result to the client host, the client host decrypting the encrypted service result using the shared secret.

Abstract: A storage device configured for hardware verification is disclosed. The storage device comprises a first hardware component comprising a connector and a first verification logic. The first validation logic is configured to detect a criterion and generate a first signal via the connector in response to detecting the criterion. The storage device also comprises a second hardware component coupled to the first hardware component via the connector. The second hardware component comprises a second validation logic, where the second validation logic is configured to monitor and receive the first signal via the connector. In response to receiving the first signal, the second validation logic is configured to compare the received first signal to an expected signal and generate a result. The storage device is configured to take an action in response to the result.

Abstract: A network-accessible service provides an enterprise with a view of identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. Using a domain-specific query language, the system enables rapid interrogation of a complete and centralized data model of all data and identity relationships. The data model also supports a cloud “least privilege and access” framework. Least privilege is a set of minimum permissions that are associated to a given identity; least access is a minimal set of persons that need to have access to given piece data. The framework maps an identity to one or more actions collected in cloud audit logs, and dynamically-build a compete view of an identity's effective permissions. The resulting least privilege and access policies are then applied natively to a given cloud environment to manage access.

Abstract: Ad-hoc network comprising a configurator device and a plurality of nodes, wherein each node is an electronic device, wherein each node is connected by a communication connection with at least one of the other nodes and/or with the configurator device, wherein each node can be in different states comprising at least a non-commissioned state (NC), a commissioned state and a trust ring member state (TR) wherein a first node of the plurality of nodes being in the non-commissioned state (NC) is configured to send an non-commissioned advertisement message to the configurator device comprising an identifier of the first node, wherein the configurator device is configured to send an automated commissioning initialization (ACI) message to the first node containing a token, wherein the token is encrypted by a symmetric network key, wherein the first node is configured to send out a commissioning request message containing the received encrypted token, wherein the first node is configured to change its state, when it re

Abstract: A method and apparatus for a certificate authority system providing authentication to a plurality of devices associated with an organization are described. The method may include receiving, at the certificate authority system, a request from a device to sign authentication information of the device, wherein the device is associated with the organization. The method may also include sending a challenge to the device to perform an action with a system other than the certificate authority system, and receiving the response to the challenge from the device. Furthermore, the method may include verifying that the response was generated correctly based on the challenge, and signing the authentication information of the device with one or more keys of the certificate authority system as an authentication of an identity of the device.

Abstract: Systems and methods are provided that include: accessing implicit authentication data from a possession factor associated with an authorized user; at the possession factor or at an authentication platform: generating a possession confidence level using the implicit authentication data, the possession confidence level being one of a plurality of possession confidence levels, the possession confidence level indicating a likelihood that the possession factor is possessed by the authorized user; identifying, among a plurality of varying authentication requirements, an authentication requirement for the transaction based on the possession confidence level, the authentication requirement defines a process or action to prove authority to perform the transaction or a process or action to prove an identity of a user attempting to perform the transaction; and implementing the authentication requirement for the transaction.

Abstract: Some embodiments of the present disclosure relate to a system that may include a replaceable module and a user device. The replaceable module may include an element and a one-wire authentication element in parallel with the element. The user device may be configured for operable coupling with the replaceable module. The user device may include a power source configured to provide power to the element, an authentication unit configured to perform a verification process for verifying authenticity of the replaceable module, and a signal conditioning unit arranged in a communication path between the one-wire authentication element and the authentication unit.

Abstract: Methods, systems, and devices for virtualized authentication device are described. A virtual device (such as a virtual machine) may be permitted to access secured data within a memory device by an authentication process. The memory device may generate cryptographic keys in portions of the memory device and assign the cryptographic keys to the virtual machines. The virtual machine may use an authentication process using the cryptographic keys to access the secure data in the memory device. The authentication process may include authenticating the identity of the virtual machine and the code operating on the virtual machine based upon comparing cryptographic keys received from the virtual machines to the assigned cryptographic keys in the partitions of the memory device. Once both the identity of the virtual machine is authenticated, the virtual machine may be permitted to access the secure data in the memory device.

Abstract: The present disclosure enables proxied device ownership for a secondary processing system by providing a chassis housing a plurality of devices, a secondary processing system, and a central processing system that includes an integrated switch device that is coupled to each of the plurality of devices and the secondary processing system. The central processing system enter a Basic Input/Output System (BIOS) mode in which the central processing system provides a BIOS that is configured to execute instructions and, using the BIOS, receives a transaction that was generated by the secondary processing system and that is directed to a first device that is include in the plurality of devices, and executes the transaction on the first device.

Abstract: Case management systems and techniques are disclosed. In various embodiments, a definition is received that associates a descendant case role alias with a first case node at a first hierarchical level of a hierarchical data model, the definition further associating a permission with the descendant case role alias and referencing a referenced case role associated with a second case node at a second hierarchical level of the hierarchical data model. The definition is used to extend the permission to a user assigned to the referenced case role with respect to a case instance comprising the hierarchical data model.

Abstract: A trusted orchestrator function subsystem inventory and verification system includes an OS, a BIOS, a management device, and a trusted orchestrator device. In response to presentation of a function subsystem to the OS during runtime, the OS generates a function subsystem detection alert that identifies the function subsystem. In response to the function subsystem detection alert, the BIOS generates and provides a BIOS inventory update that identifies the function subsystem. The management device receives the BIOS inventory update and, in response, forwards the BIOS inventory update. The trusted orchestrator device receives the BIOS inventory update and, in response, determine whether the function subsystem identified in the BIOS inventory update is included in a trusted function subsystem inventory.

Abstract: An embodiment discloses a method for controlling a vehicle virtualization structure-based device including the steps of receiving a request for use of a device from at least one container among a plurality of containers; and determining the use of the device according to a type of the device and a type of the container that transmits the request for use.

Abstract: In accordance with one or more embodiments, authorization and/or authentication protects against unauthorized use of devices and/or features. Devices managing authorization and/or authentication may be connected to communications services, such as the internet or a social network. A user using the communication services may configure a system to authenticate and/or authorize a future action. An authorizer may authorize and/or authenticate by responding via one or more devices and/or social networks to allow an individual to perform an action on a device, as a way of controlling what actions can be taken and who they can be taken by.

Abstract: A method and associated circuits protect data stored in a secure data circuit of a telecommunication device equipped with a near-field communication (NFC) router, a microcontroller, and the secure data circuit. In the method, each message received with the NFC router is parsed to retrieve a communication pipe identifier and an instruction code. The communication pipe identifier and the instruction code are compared to corresponding information in a filter table. Instruction codes of particular messages that attempt to modify a communication pipe by reassigning one end of the communication pipe from the port of the NFC router to a different circuit are acted upon. These messages are blocked from reaching the secure data circuit when the instruction code is not authorized in the filter table, and these messages are permitted when the instruction code is authorized in the filter table.

Abstract: The disclosed embodiments relate to systems and methods for secure and efficient resource access using distributed directory caching techniques. Techniques include obtaining, from a directory service, client directory data associated with a client; providing the client directory data to a computing device associated with the client for caching on the computing device; identifying a request from the client; receiving, from the computing device, the client directory data that was cached on the computing device; and evaluating the request based on the received client directory data.

Abstract: Embodiments of the present invention disclose an AI processing method and an AI processing apparatus. The method is applied to the AI processing apparatus. An AI processor has at least two working modes, and security of the at least two working modes is different. The method includes: processing, by the AI processor, an AI processing request in a target mode. The target mode is one of the at least two working modes, and the target mode is a working mode determined based on the AI processing request. The AI processor has at least two working modes with different security, and may switch between different working modes.

Abstract: Systems and techniques for real-time feature level software security are described herein. A request may be received from a computing device for data from the feature of the software application. The request for data may include authorization information of a user of the computing device. It may be identified that the feature of the software application contains code containing a reference to a security configuration service. A security configuration may be determined for the feature of the software application by comparing a resource identifier and a feature identifier of the feature of the software application to a set of security configurations of the security configuration service. The security configuration may provide access rules for the feature of the software application. A response may be sent to the computing device based on a comparison of the received authorization information of the user of the computing device to the determined security configuration.

Abstract: Systems and techniques for real-time feature level software security are described herein. A request may be received from a computing device for data from the feature of the software application. The request for data may include authorization information of a user of the computing device. It may be identified that the feature of the software application contains code containing a reference to a security configuration service. A security configuration may be determined for the feature of the software application by comparing a resource identifier and a feature identifier of the feature of the software application to a set of security configurations of the security configuration service. The security configuration may provide access rules for the feature of the software application. A response may be sent to the computing device based on a comparison of the received authorization information of the user of the computing device to the determined security configuration.

Abstract: The various implementations described herein include methods and devices for creating and using trust binaries and blockchains. In one aspect, a method includes accessing a trust store for the computing device, including obtaining a blockchain for the trust store. A first change to the trust store is identified. In response to identifying the first change, a first block is generated and inserted into the blockchain, where the first block includes a first encrypted digest for the first change and a first block digest. A second change to the trust store is identified. In response to identifying the second change, a second block is generated and inserted into the blockchain, where the second block includes a second encrypted digest for the second change, a second block digest, and the first block digest.

Abstract: A communication apparatus includes at least one memory that stores a set of instructions, and at least one processor that executes the instructions, the instructions, when executed, causing the communication apparatus to perform operations including verifying, by communicating with an external device, whether the external device is an external device that passed a predetermined certification, and displaying a screen for selecting an authenticator, wherein on the screen, a display item for an external authenticator verified as the external device that passed the predetermined certification and a display item for an external authenticator that failed to be verified as the external device that passed the predetermined certification are displayed in a distinguishable manner based on a result of the verification.

Abstract: Various embodiments for a system to utilize user's location pattern as an authentication parameter are disclosed. An embodiment operates by retrieving a location history of a user based on past locations of a user equipment (UE) device at various times and traffic data associated with the location history. A request to access a protected application is received and a present location of the UE device at a time associated with the request is determined. A locational pattern is generated based on both the location history of the user and the traffic data. The present location of the UE device is compared with the locational pattern, and it is determined that a level of authentication necessary to grant access to the protected application is satisfied based on both the comparing and a determination that the present location falls within the locational range generated based on the traffic data.

Abstract: A system includes a storage device to store a plurality of media segment files captured at a first location, and a management server storing first metadata sets respectively associated with at least one characteristic of the plurality of media segment files. The management server may be configured to: receive a message from a user terminal requesting a media segment file based upon the at least one characteristic; transmit a second metadata set corresponding to the at least one characteristic to the user terminal in response to the request message; and transmit, in response to a request for media segment files associated with the second metadata set, the requested media segment files to the user terminal.

Abstract: One embodiment provides a method, including: receiving, in an application on an information handling device, a password reset request from a user; accessing, subsequent to the receiving, a data store comprising a list of answers that are responsive to a list of security questions; constructing, using the data store, a temporary password, wherein the temporary password consists of at least one answer selected from the list of answers; and providing, to the user, a prompt containing an indication of the temporary password, wherein the prompt comprises at least one security question, from the list of security questions, that corresponds to the at least one answer. Other aspects are described and claimed.

Abstract: Methods and systems for establishing a chain of relationships are disclosed. An identity verification platform receives a first request for registration comprising an identification of a first user, identification of an entity, and a relationship between the first user and the entity; verifies the identity of the first user and the relationship between the first user and the entity; and verifies that the entity is legitimate. Once a relationship between a first individual, invited by the first user, and the entity is confirmed, the platform creates a custom badge representing the relationship between the first individual and the entity for display on the entity's website. The platform receives an identification of a selection by an end user of the custom badge and, responsive to receiving the identification of the selection, renders, on a domain controlled by the identity verification platform, a verification that the relationship between the first individual and the entity is valid.

Abstract: An information processing method to be performed by an information processing apparatus according to an embodiment may include: causing an authentication processor to perform a login authentication based on an operation performed on an operation section; and causing an exclusive control executor that gives a usage right to use a function to the operation section after the operation section is authenticated by the login authentication and releases the usage right given to the operation section in a case where no response is received from the operation section for a predetermined time after the usage right is given to determine, based on a detection result by a status detector that detects a status of the information processing apparatus, whether or not to release the usage right given to the operation section after the predetermined time passes.

Abstract: A method of activating a head-worn device is disclosed. The method includes activating the head-worn device and performing a partial bootup. When an instruction to perform a function is received, it is determined whether or not the instruction is permitted for partial bootup execution. The instruction is executed based on the instruction being permitted for partial bootup execution, and a bootup of the head-work device is completed based on the instruction not being permitted for partial bootup execution. The method may further comprise determining if the instruction requires user authentication in order to be executed, and based on the instruction being partial bootup compatible and not requiring user authentication, executing the instruction.

Abstract: An all-in-one computer includes a display, a Universal Serial Bus (USB) Type-C port, a plurality of USB Type-A ports, a USB hub, a demultiplexer, and a Power Delivery (PD) controller. The USB hub is coupled to the plurality of USB Type-A ports. The demultiplexer is coupled between the display, the USB Type-C port, and the USB hub. The PD controller is to control the demultiplexer and the USB hub to pass a display signal input to the USB Type-C port to the display and pass signals input to the USB hub from the plurality of USB Type-A ports to the USB Type-C port with a computing device coupled to the USB Type-C port.

Abstract: An apparatus to facilitate security within a computing system is disclosed. The apparatus includes a storage drive, a controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.

Abstract: Using container-centric managed access, an administrator is enabled to define a set of future grants for each object that will be created in the future in a container managed by the administrator. When a user creates a database object, the system checks the future grants to determine if any apply to the user, the database object, or the combination. Any applicable future grants are applied to the database object before the user is allowed to modify it. As a result, the administrator is enabled to control the privileges associated with the database object even before the database object is created, while restricting individual object owners from managing privileges on their owned objects.

Abstract: There are provided systems and methods for a proxy and navigation code injection to prevent malicious messaging attacks. One or more proxy servers may reside in a perimeter network and be used to remove malicious links from messages transmitted to devices protected by the proxy server(s). The proxy server(s) may detect links to external (e.g., Internet-based) resources, such as websites and databases, and may extract data from the external resources. The proxy server(s) may generate static data that prevents processes on the external resources from being executed by devices protects by the proxy server(s). The proxy server(s) may further generate a link to the static data by adding a proxy server network address to the original link. Once the link is generated, it may be used to replace the original link to the external resource to prevent navigation to malicious data.

Abstract: A computing device is provided that includes a processor having a plurality of pins that are electrically coupled to a plurality of pins of a connector, and a memory device storing a state table that maps the plurality of pins of the connector to a plurality of connection types. The processor is configured to perform an authentication process for at least one connection type to determine whether an authenticated device configured for the at least one connection type is coupled to the connector. The authentication process is performed at least in part by sending an authentication signal to one or more of the plurality of pins of the connector mapped to the at least one connection type, and receiving an expected authentication signal response on one or more of the plurality of pins of the connector mapped to the at least one connection type.

Abstract: Briefly, example methods, apparatuses, and/or articles of manufacture are disclosed that may be implemented, in whole or in part, using one or more processing devices to facilitate and/or support cryptographically associating a particular computing device with a new system owner based at least in part on a new system owner public key of a new system owner public/private key pair and a current system owner private key of a current system owner public/private key pair.

Abstract: An apparatus to facilitate security within a computing system is disclosed. The apparatus includes a storage drive, a controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.

Abstract: Aspects of the disclosure relate to malware detection at endpoint devices. A computing platform may send rule information to a browser extension including a set of rules defining reportable behavior of network traffic associated with a website. Subsequently, the computing platform may receive report information including an identification of a loaded web page associated with the website that exhibits the reportable behavior defined by at least one rule of the set of rules and an indication of which rules of the set of rules have been met. Based on receiving the report information, the computing platform may assign a risk score for the identified loaded web page. Thereafter, the computing platform may determine that the risk score is above a predetermined threshold, and in response, the computing platform may send commands to the browser extension directing the browser extension to close the identified loaded web page.

Abstract: An application accessing method can be applied to a terminal, and include: monitoring whether an application invokes privacy content; and authorizing the application with permission to access the privacy content, in response to monitoring that the application invokes the privacy content, and returning other information different from the privacy content. Therefore, the user can realize the purpose of protecting the security of the user's privacy information under the premise of normal use of the application.

Abstract: An electronic apparatus according an embodiment includes a first memory, a second memory, a gate device, and one or more hardware processors. The first memory stores information. The second memory stores state information indicating whether or not update on the information of the first memory is allowed. The gate device is provided on a bus and controls whether or not to permit access to the second memory based on a control instruction. In a predetermined mode, the one or more hardware processors output, to the gate device, a control instruction to permit access to the second memory, set the state information of the second memory to indicate an updatable state, and update the information of the first memory.

Abstract: A computer device, including at least a processor and a memory, can be configured to control process components on a computer device. An agent can intercept a request to instantiate a new process component in a user account of a logged-in user. The request can originate on the computing device from an instance of a particular process component amongst a set of process components. The user account can be assigned default user privileges by a privilege access management service. The agent can determine whether to permit the intercepted request. The agent can permit the intercepted request if the relationship is validated and if a trusted owner is identified amongst the set of identified owners.

Abstract: Methods, systems, and devices for authenticating software images are described. Software images may include different portions (e.g., different versions, different users) that may be authenticated using hashes associated with an underlying data structure of the portion of the software image. In some examples, hashes (e.g., first hashes) associated with the software image may be generated and stored using a tree structure, such that a previous hash may be used when calculating a hash associated with a new portion of the software image. To authenticate a portion of the software image, a command may be issued, and a second hash may be calculated using the current data structure of the software image. The second hash may be compared to the associated first hash, and the software image may be authenticated based on the hashes matching.

Abstract: An apparatus for releasing received command data includes a processor unit with a code generator, a cryptography module, and a comparison module. The code generator generates a transaction code. The apparatus has a transmitting unit which provides the transaction code via an unsecured data connection, a receiving unit which receives an external authentication code and command data via the unsecured data connection, and a memory unit which stores data of a predefined private key. Also disclosed is a transmission apparatus for command data. The transmission apparatus has a basic receiving unit which receives the transaction code, an input unit which receives the command data, a basic memory unit which stores the data of the predefined private key, a basic processor unit which has a basic cryptography module, and a basic transmitting unit which provides the external authentication code and the command data via the unsecured data connection.

Abstract: Concepts for defining and processing an expression of an enterprise workspace application are presents. Such concepts may associate an expression of an enterprise workspace application with a modified version of the expression and a state flag which is configured to define whether processing of at least part of the expression is to be based on (i.e. employ) the modified version of the expression. In this way, there may be provided concepts for protecting against malicious users setting triggers or overriding function definitions that cause other users to perform unexpected activities.

Abstract: A method includes receiving a request from an operator pattern service to perform an operation on a computing environment and determining whether the operator pattern service has permission to perform the operation on the computing environment. The method further includes in response to determining that the operator pattern service has permission to perform the operation, providing the request to the computing environment for the operation to be performed on the computing environment.

Abstract: Systems and methods for authenticating users in three-dimensional environments are described. In some embodiments, a virtual object and three-dimensional environment are transmitted. Virtual motion data of the virtual object is received. The received virtual motion data is compared against a pattern. Based on the comparison of the patterns, a device is authorized to access a resource. In some embodiments, a pattern may be extracted from the received virtual motion data.

Abstract: Provided is a storage device which communicates with a host device and configured to set a secure mode of a plurality of commands different in kind. An operating method of the storage device includes receiving a secure request indicating a protection of a first command and a protection of a second command of the plurality of commands, from the host device; setting a secure mode of the first and second commands, based on the secure request; receiving a first request indicating a request to execute the first command, from the host device; outputting a first response indicating failure of the first command to the host device, based on the first request; receiving a second request indicating a request to execute the second command, from the host device; and outputting a second response indicating failure of the second command to the host device, based on the second request.

Abstract: System and methods are disclosed that enable data sharing across networks, including peer-to-peer sharing of content over wireless networks using peer mobile devices. A database may store content associated with a first peer mobile device. A request from a requester peer mobile device for content associated with a user of the first peer mobile device may be received at a server. The encrypted request is transmitted by the server to the first peer mobile device which may decrypt the request. An authorization token may be transmitted by the first peer mobile device to the server which may then enable the requesting peer mobile device to access the requested content, which may be accessed from the first peer mobile device and/or a cloud storage system.

Abstract: A method and apparatus for a certificate authority system providing authentication to a plurality of devices associated with an organization are described. The method may include receiving, at the certificate authority system, a request from a device to sign authentication information of the device, wherein the device is associated with the organization. The method may also include sending a challenge to the device to perform an action with a system other than the certificate authority system, and receiving the response to the challenge from the device. Furthermore, the method may include verifying that the response was generated correctly based on the challenge, and signing the authentication information of the device with one or more keys of the certificate authority system as an authentication of an identity of the device.

Abstract: A method for detecting potential information fabrication attempt on a webpage, the method comprising: providing the webpage to a user device, by processing circuitry, the webpage comprising instructions executable by a webpage accessing software of the user device for detecting the potential information fabrication attempt; wherein execution of the instructions by the webpage accessing software results in: detecting the potential information fabrication attempt upon detecting that a first size of a viewport divided by a second size of a window of the webpage accessing software on a display screen of the user device has been reduced, resulting in a scaled-down viewport on the display screen.

Abstract: Systems and techniques are provided for trust agents. Trust agents may be enabled. A state determination may be received from each of the enabled trust agents. The state determination may indicate either a trusted state or an untrusted state. The received state determinations may be combined to determine a security state. A security measure may be enabled or disabled based on the determined security state.

Abstract: An information processing system includes a first external apparatus, a second external apparatus, an information processing apparatus, and an image forming apparatus. The information processing system further includes an issuance unit configured to issue, in the first external apparatus, an access token for accessing a cloud service, a first registration unit configured to receive the access token and register the access token in the second external apparatus in association with an identifier, a display unit configured to display a reauthorization instruction object on a browser of the information processing apparatus, and a second registration unit configured to, in a case where the reauthorization instruction object is pressed and the access token is issued again, register the reissued access token in the second external apparatus in association with the identifier.

Abstract: An information handling system includes a memory to cache a manifest that has authorized programming interfaces of a client application after the manifest was retrieved from the client application. A native service may receive a connection request from the client application, and verify that a digital signature of the client application is valid and untampered. The native service may also retrieve the manifest from the client application, receive an application programming interface request from the client application, and validate whether the application programming interface request is authorized based on the manifest. If the application programming interface request is authorized, then the application programming interface request is processed.