Authorization Patents (Class 726/17)
  • Publication number: 20150020191
    Abstract: With their ubiquitous nature and perceived personalized character, portable electronic devices are increasingly forming part of an individual's life, as applications exist for practically anything today and new ones are released daily. It is therefore increasingly important for these electronic devices to dynamically adapt applications, information, user interface, etc.
    Type: Application
    Filed: January 8, 2013
    Publication date: January 15, 2015
    Inventors: Gabor Vida, Stephen Mackenzie
  • Publication number: 20150020192
    Abstract: Embodiments relate to an address translation/specification (ATS) field. An aspect includes receiving a work queue entry from a work queue in a main memory by a hardware accelerator, the work queue entry corresponding to an operation of the hardware accelerator that is requested by user-space software, the work queue entry comprising a first ATS field that describes a structure of the work queue entry. Another aspect includes, based on determining that the first ATS field is consistent with the operation corresponding to the work queue entry and the structure of the work queue entry, executing the operation corresponding to the work queue entry by the hardware accelerator. Another aspect includes, based on determining that the first ATS field is not consistent with the operation corresponding to the work queue entry and the structure of the work queue entry, rejecting the work queue entry by the hardware accelerator.
    Type: Application
    Filed: September 30, 2014
    Publication date: January 15, 2015
    Inventors: Frank Haverkamp, Christian Jacobi, Scot H. Rider, Vikramjit Sethi, Randal C. Swanberg, Joerg-Stephan Vogt
  • Patent number: 8935775
    Abstract: A system implements dishonest policies for managing unauthorized access requests. The system includes memory management hardware to store a set of dishonest policy bits, each dishonest policy bit that is configured to a predetermined value indicating disallowed access for one of a set of memory ranges. When a processor receives an access request for a location in a memory range to which access is not allowed as indicated by a set dishonest policy bit, the processor returns a false indication according to a dishonest policy that the requested access has been performed.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: January 13, 2015
    Assignee: Intel Corporation
    Inventors: Joshua Fryman, Nicholas Carter, Robert Knauerhase, Sebastian Schoenberg, Aditya Agrawal
  • Patent number: 8935776
    Abstract: Some embodiments provide a system that executes a native code module. During operation, the system obtains the native code module. Next, the system loads the native code module into a secure runtime environment. Finally, the system safely executes the native code module in the secure runtime environment by using a set of software fault isolation (SFI) mechanisms that maintain control flow integrity for the native code module and constrain store instructions in the native code module by bounding a valid memory region of the native code module with one or more guard regions.
    Type: Grant
    Filed: May 29, 2013
    Date of Patent: January 13, 2015
    Assignee: Google Inc.
    Inventors: David C. Sehr, Bennet S. Yee, J. Bradley Chen, Victor Khimenko
  • Patent number: 8935760
    Abstract: The present invention describes an apparatus and method of establishing a peer-to-peer communication session between a host device and a client device. Routing information of the host device is received from a server via a wide area network, routing information of the client device is provided to the server, and authentication information is provided to the host device via the wide area network. Peer-to-peer communication is transmitted to the client device via the wide area network if the client device is authenticated for peer-to-peer communication by the host device.
    Type: Grant
    Filed: February 16, 2013
    Date of Patent: January 13, 2015
    Assignee: New Dane
    Inventor: Jonathon Weizman
  • Patent number: 8935759
    Abstract: The present invention describes an apparatus and method of establishing a peer-to-peer communication session between a host device and a client device. Routing information of the client device is received from the server by a host device, communication with the server is maintained, and authentication information from the client device is received by the host device. Peer-to-peer communication is transmitted to the client device via the wide area network if the client device is authenticated for peer-to-peer communication by the host device.
    Type: Grant
    Filed: February 16, 2013
    Date of Patent: January 13, 2015
    Assignee: New Dane
    Inventor: Jonathon Weizman
  • Publication number: 20150013002
    Abstract: In one embodiment, a processor includes a microcode storage including processor instructions to create and execute a hidden resource manager (HRM) to execute in a hidden environment that is not visible to system software. The processor may further include an extend register to store security information including a measurement of at least one kernel code module of the hidden environment and a status of a verification of the at least one kernel code module. Other embodiments are described and claimed.
    Type: Application
    Filed: September 25, 2014
    Publication date: January 8, 2015
    Inventors: Ned M. Smith, Vedvyas Shanbhogue, Arvind Kumar, Purushottam Goel
  • Patent number: 8931056
    Abstract: A service accessible by a set of entities may be provided to each entity at a different service level (e.g., with a different set of privileges) based on the privilege level of the entity. However, many users may attempt to perform malicious activities through the service, and may do so with impunity if the penalties of detection are inconsequential. Instead, privilege levels of entities may be established based on the claims of assets having identifiable value. Such claims may be established by submitting an asset identifier to the service, such as proof of a software license identified by the submission of a license key purchased at a substantial cost. The penalties of malicious activities performed by such users may include the invalidation of such asset identifiers. Establishing the privilege levels of respective entities in this manner raises the penalties, and hence the deterrence, of attempted malicious use of the service.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: January 6, 2015
    Assignee: Microsoft Corporation
    Inventors: Eric Fleischman, Eliot Gillum, Matthew Robert Ayers, Robert Edgar Fanfant, Hakki Tunc Bostanci
  • Patent number: 8931103
    Abstract: Embodiments of the invention relate to generating security permissions for applications. A static analysis on an application is carried out to determine security exceptions and to determine the application components responsible for the security exceptions. The determined security exceptions are analyzed to calculate permissions required for each component. A security policy file that includes a hierarchy of the required permissions suitable for the type of application is formatted and applied to the application to provide a security enabled application.
    Type: Grant
    Filed: July 30, 2012
    Date of Patent: January 6, 2015
    Assignee: International Business Machines Corporation
    Inventors: Hannah Deakin, Fenghui Jiang, John McNamara, Emlyn Whittick
  • Patent number: 8931071
    Abstract: Systems and methods for integrating biometric authentication with video conference sessions are described. An individual seeking to participate in a video conference may first be identified with a biometric parameter such as an iris scan based on a comparison of the scanned iris with a database of stored parameters. If authorized, the system may connect the individual to the video session. In addition, the system may generate dynamic tags that allow the participants to identify and locate individuals in the video conference. For example, if one of the participants is speaking and moving within the room, her tag may change color and move with her on the video screen.
    Type: Grant
    Filed: July 15, 2013
    Date of Patent: January 6, 2015
    Assignee: Bank of America Corporation
    Inventors: Kurt D. Newman, Debashis Ghosh, Michael James O'Hagan, David Joa, Timothy J. Bendel
  • Publication number: 20150007304
    Abstract: A processor and method are described for managing different privilege levels associated with different types of program code, including binary translation program code. For example, one embodiment of a method comprises entering into one of a plurality of privilege modes responsive to detecting the execution of a corresponding one of a plurality of different types of program code including native executable program code, translated executable program code, and binary translation program code. In one embodiment, the binary translation program code includes sub-components each of which are associated with a different privilege level for improved security.
    Type: Application
    Filed: June 28, 2013
    Publication date: January 1, 2015
    Inventors: Lior Malka, Koichi Yamada, Palanivelrajan Shanmugavelayutham, Barry E. Huntley, Scott D. Rodgers, James D. Beaney, Jr.
  • Patent number: 8923514
    Abstract: An arrangement on monitoring of authentication, in particular for motor vehicles, includes a first communication apparatus and at least a second communication apparatus, between which a wireless communication channel can be set up. The communication apparatus items have means for authentication and encryption, with which the exchangeable data may be encrypted via the communication channel. The items of communication apparatus have storage means in which one of the digital keys usable for authentication and encryption can be stored, and in that in the storage device there is either in addition to the digital key and/or in the individual key at least one piece of information regarding at least one past communication between the first communication apparatus and the second apparatus that can be stored in memory.
    Type: Grant
    Filed: August 18, 2011
    Date of Patent: December 30, 2014
    Assignee: Hella Kgaa
    Inventor: Ludger Weghaus
  • Patent number: 8925072
    Abstract: An end device may include a camera configured to capture an image of an object, a touch screen configured to receive a touch input and a processor configured to determine to unlock the end device based, at least in part, on the image of the object and the touch input.
    Type: Grant
    Filed: January 31, 2013
    Date of Patent: December 30, 2014
    Assignee: University of Seoul Industry Cooperation Foundation
    Inventor: Jin Suk Kim
  • Publication number: 20140380462
    Abstract: An image processing apparatus using an authentication technique that enables user authentication suited to application characteristics and user authorities, thus ensuring security and enhancing usability at the same time. An authority of a user authenticated in a first authentication process for authenticating the user is obtained. When the obtained authority of the user is a predetermined authority, control is provided to give the predetermined authority to the user authenticated in the first authentication process. When the authority of the user is not the predetermined authority, control is provided to authenticate the user in a second authentication process for authenticating the user more securely than in the first authentication process, and when the second authentication process is successful, give the obtained authority to the user.
    Type: Application
    Filed: June 2, 2014
    Publication date: December 25, 2014
    Applicant: CANON KABUSHIKI KAISHA
    Inventor: Yasuhiro Hosoda
  • Patent number: 8918861
    Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device that was presenting one or more portions of one or more items and that was in possession of a first user has been transferred from the first user to a second user; and marking, in response to said determining, the one or more portions of the one or more items to facilitate the computing device in returning to the one or more portions upon the computing device being at least transferred back to the first user. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.
    Type: Grant
    Filed: December 14, 2011
    Date of Patent: December 23, 2014
    Assignee: Elwha LLC
    Inventors: Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Clarence T. Tegreene
  • Patent number: 8918905
    Abstract: Systems and methods of providing a secure access layer in a mobile phone and a computer system coupled to the mobile phone to provide authentication for transmitting data between the phone and the computer system.
    Type: Grant
    Filed: June 6, 2007
    Date of Patent: December 23, 2014
    Assignee: Future Dial, Inc.
    Inventor: Benedict Chong
  • Patent number: 8918610
    Abstract: A chip including a processor for performing a predetermined operation, a provider for providing a clock signal, with which the processor is clocked, a counter for decrementing or incrementing a count based on the clock signal, a monitor for signaling the predetermined operation to be prevented, depending on the count, and a non-volatile storage for non-volatilely storing the count.
    Type: Grant
    Filed: December 8, 2004
    Date of Patent: December 23, 2014
    Assignee: Infineon Technologies AG
    Inventor: Peter Laackmann
  • Patent number: 8914907
    Abstract: An electronic device generates an access signal according to user input. The electronic device includes a processor, a key circuit to generate a key signal according to press of the user, a storage unit to store data, a clock generator circuit to generate a clock signal, and a protection circuit. The protection circuit generates an enable signal or a disable signal according to the key signal and the clock signal to control the storage unit to unlock or lock, and transmits the access signal to the storage unit to access the data.
    Type: Grant
    Filed: October 17, 2012
    Date of Patent: December 16, 2014
    Assignee: Hon Hai Precision Industry Co., Ltd.
    Inventors: Chih-Fu Chuang, Wen-Ching Hsiao, Yu-Jyun Lin
  • Patent number: 8914875
    Abstract: Particular embodiments of a computing device associated with a user may detect an event using a sensor of the computing device. The event may be a lock-triggering event or an unlock-triggering event. The computing device may assess a state of the device. The computing device may also access further information associated with the user. The computing device may also monitor activity on the computing device to detect further events if such further monitoring is warranted. Based on the gathered information, the computing device may update a lock status of the device to lock or unlock access interfaces of the computing device, functionality of the computing device, or content accessible from the computing device. If the event comprised the computing device detecting an attempt by a third party to use the device, the device may attempt to identify the third party to determine if they are authorized to use the device.
    Type: Grant
    Filed: October 26, 2012
    Date of Patent: December 16, 2014
    Assignee: Facebook, Inc.
    Inventor: Jonathan Arie Matus
  • Patent number: 8914874
    Abstract: A set of security claims for a communication channel are obtained, the set of security claims including one or more security claims each identifying a security characteristic of the communication channel. The security claims are stored, as is a digital signature generated over the set of security claims by an entity. The security claims and digital signature are subsequently accessed when a computing device is to transfer data to and/or from the communication channel. The set of security claims is compared to a security policy of the computing device, and the entity that digitally signed the set of security claims is identified. One or more security precautions that the computing device is to use in transferring data to and/or from the communication channel are determined based at least in part on the comparing and the entity that has digitally signed the set of security claims.
    Type: Grant
    Filed: July 21, 2009
    Date of Patent: December 16, 2014
    Assignee: Microsoft Corporation
    Inventors: Octavian T. Ureche, Alex M. Semenko, Sai Vinayak, Carl M. Ellison
  • Patent number: 8912879
    Abstract: A security system may include a plurality of electronic devices, each having a unique identification (ID) associated therewith and configured to generate a temporary security code based upon the unique ID. The system may further include at least one mobile wireless communications device including a first Near-Field Communication (NFC) circuit, and a mobile controller configured to receive the temporary security code from a given electronic device from among the plurality of electronic devices. The system may also include an access control device associated with a personnel access position and including a second NFC sensor and a security controller. The security controller may be configured to receive the temporary security code from the first NFC sensor via NFC communications, selectively grant personnel access based upon the received temporary security code, and determine the unique ID associated with the given electronic device.
    Type: Grant
    Filed: September 23, 2010
    Date of Patent: December 16, 2014
    Assignee: BlackBerry Limited
    Inventors: Steven Henry Fyke, Jason Tyler Griffin
  • Publication number: 20140366125
    Abstract: The information processing device connects with an external device by a first connection unit and a second connection unit different from each other. An identification information specific to the information processing device is transmitted from the information processing device to the external device via the first connection unit, and further transmitted from the external device to the information processing device via the second connection unit. The information processing device compares the specific identification information received from the external device with specific identification information for comparison, stored in advance, to determine whether or not the information processing device and the external device are in a simultaneous connection state in which the information processing device and the external device are connected by the first connection unit and the second connection unit.
    Type: Application
    Filed: December 27, 2011
    Publication date: December 11, 2014
    Inventors: Toshiyuki Murata, Yozo Takehara, Shunichiro Nagao, Yuusuke Takano
  • Publication number: 20140366128
    Abstract: An embodiment includes a method executed by at least one processor comprising: determining a first environmental factor for a mobile communications device; determining a first security authentication level based on the determined first environmental factor; and allowing access to a first module of the mobile communications device based on the first security authentication level. Other embodiments are described herein.
    Type: Application
    Filed: May 30, 2013
    Publication date: December 11, 2014
    Inventors: Vinky P. Venkateswaran, Jason Martin, Gyan Prakash
  • Patent number: 8909942
    Abstract: A secure data storage system includes a mechanism that can be activated to inhibit access to stored data. In one embodiment, access to stored data can be prevented without having to erase or modify such data. An encryption key, or data used to generate the encryption key, is stored in an MRAM module integrated within the data storage system. The data storage system uses the encryption key to encrypt data received from a host system, and to decrypt the encrypted data when it is subsequently read by a host system. To render the stored data inaccessible, an operator (or an automated process) can expose the MRAM module to a magnetic field of sufficient strength to erase key data therefrom.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: December 9, 2014
    Assignee: Western Digital Technologies, Inc.
    Inventors: Dmitry S. Obukhov, Afshin Latifi, Justin Jones
  • Patent number: 8910301
    Abstract: A storage device protection system including a protection control unit, a detection unit, an account/password input unit, an ID acquiring unit, and an encryption unit is provided. The detection unit determines whether a storage device and a key storage device are both coupled to a host. The account/password input unit receives an administrator ID and an administrator password. The ID acquiring unit obtains IDs of the storage device and the key storage device. The encryption unit encrypts the administrator ID, the administrator password, and the IDs of the storage device and the key storage device into encryption data. The protection control unit stores the encryption data into the key storage device and sets an access mode of the storage device as a protection status according to the administrator ID and the administrator password. Thereby, the storage device can be effectively unlocked by using the key storage device.
    Type: Grant
    Filed: February 6, 2012
    Date of Patent: December 9, 2014
    Assignee: Phison Electronics Corp.
    Inventors: Ching-Hsien Wang, Chia-Jung Hsu
  • Patent number: 8910240
    Abstract: The subject matter of this specification can be embodied in, among other things, a method that includes specifying, with uniform resource identifiers (URIs), substantially all data accessible by applications on a device. The method also includes receiving at a universal interface a request from an application on the device for data that is specified by a URI associated with the request. Substantially all requests for data from applications on the device are received at the universal interface. The method also includes determining, based on the URI associated with the request, a content provider responsible for managing the requested data, and outputting the requested data to the application using the determined content provider to obtain the requested data based on the URI associated with the request.
    Type: Grant
    Filed: November 12, 2007
    Date of Patent: December 9, 2014
    Assignee: Google Inc.
    Inventors: Jeffrey W. Hamilton, Dianne K. Hackborn
  • Patent number: 8909936
    Abstract: Techniques are disclosed for dynamically mitigating a noncompliant password. The method comprises obtaining a password; generating one or more quality scores for the password using a password policy for an authentication and authorization service; determining whether the password has sufficient score quality; in response to determining that the password does not have sufficient score quality, granting to the user a different level of access to the service than if the password meets the quality criteria; wherein the method is performed by one or more computing devices.
    Type: Grant
    Filed: February 25, 2011
    Date of Patent: December 9, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Jeremy Stieglitz, Darran Potter
  • Patent number: 8910299
    Abstract: Improved techniques for facilitating emergency access to one or more contacts stored on a portable electronic device are disclosed. One or more contacts on the portable electronic device are designated as emergency contacts. While the portable electronic device is password-locked, a request to display the one or more emergency contacts on the password-locked portable electronic device is received. Without requiring a password, the one or more emergency contacts are displayed on the portable electronic device.
    Type: Grant
    Filed: February 8, 2008
    Date of Patent: December 9, 2014
    Inventor: Steven Charles Michalske
  • Publication number: 20140359706
    Abstract: A restricted transmogrifying driver platform is described herein. In one or more implementations, a platform is provided that enables a restricted execution environment for virtual private network (VPN) drivers and other transmogrifying drivers. The platform may be implemented as an operating system component that exposes an interface through which drivers may register with the platform and be invoked to perform functions supported by the platform. The restricted execution environment places one or more restrictions upon transmogrifying drivers that operate via the platform. For instance, execution may occur in user mode on a per-user basis and within a sandbox. Further, the platform causes associated drivers to run as background processes with relatively low privileges. Further, the platform may suspend the drivers and control operations of the driver by scheduling of background tasks. Accordingly, exposure of the transmogrifying drivers to the system is controlled and limited through the platform.
    Type: Application
    Filed: May 31, 2013
    Publication date: December 4, 2014
    Inventors: Gerardo Diaz-Cuellar, Dhiraj Kant Gupta
  • Publication number: 20140359754
    Abstract: In one embodiment, a processor can enforce a blacklist and validate, according to a multi-phase lockstep integrity protocol, a device coupled to the processor. Such enforcement may prevent the device from accessing one or more resources of a system prior to the validation. The blacklist may include a list of devices that have not been validated according to the multi-phase lockstep integrity protocol. Other embodiments are described and claimed.
    Type: Application
    Filed: August 21, 2014
    Publication date: December 4, 2014
    Inventors: Ned M. Smith, Vedvyas Shanbhogue, Geoffrey S. Strongin, Willard M. Wiseman, David W. Grawrock
  • Patent number: 8904518
    Abstract: An information processing device includes an external connection unit which connects to an external device; and a communication control unit which obtains data from a first virtual machine, transmits the data to a second virtual machine, and transmits, to the external connection unit, transmission completion information indicating that the data is already transmitted to the second virtual machine. The external connection unit (i) determines, based on the transmission completion information, whether or not a virtual machine is the second virtual machine to which the data is already transmitted, when the external connection unit receives, from the virtual machine, a request for a connection to the external device, and (ii) permits a connection between the virtual machine and the external device, when the external connection unit determines that the virtual machine is not the second virtual machine to which the data is already transmitted.
    Type: Grant
    Filed: April 19, 2011
    Date of Patent: December 2, 2014
    Assignee: Panasonic Corporation
    Inventors: Manabu Maeda, Hideki Matsushima, Tomoyuki Haga, Kenneth Alexander Nicolson
  • Patent number: 8902444
    Abstract: An image processing apparatus which is capable of realizing security improvements without degrading the usability. A user is authenticated, and an operation screen accepting an operation input from the user is displayed. A job is executed according to an instruction of the user authenticated by the user authenticating unit. It is determined whether or not the job of which execution is instructed by the user, is being executed when the user authenticating unit authenticates the user. A first operation screen through which the user inputs an instruction for the job in execution is displayed when the job executing unit is executing the job, of which execution is instructed by the user, whereas another operation screen through which another user inputs an instruction for another job is displayed when not.
    Type: Grant
    Filed: April 15, 2010
    Date of Patent: December 2, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yoshiaki Katahira
  • Patent number: 8902043
    Abstract: An authentication method and system to combat confirmation bias provides for an authentication system that upon matching an access request to a record for a given user in an authentication system further interrogates a set of secondary sources to determine that the individual requesting access is in fact the correct user.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: December 2, 2014
    Assignee: EMC Corporation
    Inventors: Karl Ackerman, Kenneth D. Ray, Lawrence N. Friedman, Roy Dagan, Alex Vaystikh, Roy Hodgman
  • Patent number: 8904517
    Abstract: A system and method for contextually interpreting image sequences are provided. The method comprises receiving video from one or more video sources, and generating one or more questions associated with one or more portions of the video based on at least one user-defined objective. The method further comprises sending the one or more portions of the video and the one or more questions to one or more assistants, receiving one or more answers to the one or more questions from the one or more assistants, and determining a contextual interpretation of the video based on the one or more answers and the video.
    Type: Grant
    Filed: June 28, 2011
    Date of Patent: December 2, 2014
    Assignee: International Business Machines Corporation
    Inventors: Rajaraman Hariharan, Sri Ramanathan, Karthik Subbian, Matthew B. Trevathan
  • Patent number: 8898759
    Abstract: A system that includes a memory to store registration information for a particular application hosted by a particular user device, where the registration information includes context information regarding the particular user device and an integrity code based on credentials associated with the particular application.
    Type: Grant
    Filed: August 24, 2010
    Date of Patent: November 25, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Paul T. Schultz, Mark J. Hahn, Robert A. Sartini
  • Patent number: 8898802
    Abstract: The present invention provides a data management program for performing monitoring so that user data provided to the client cannot be copied and utilized for a purpose other than the intended purpose. When a storage device (8) storing user data (3) is connected to a client computer (12), a management program (4) prohibits writing to all of the external storage devices. The management program (8) makes settings prohibiting usage of a network (7). The management program (4) performs control by acquiring the file name, folder name, and attribute data of the execution file as well as the process name and process ID of the process being executed. The management program (4) has built-in driverware (50) which runs in the kernel mode (15) of an operating system (21) and serves to provide a common interface for the communication of device drivers (35, 36, 42 to 44) and an application program (20).
    Type: Grant
    Filed: October 24, 2006
    Date of Patent: November 25, 2014
    Assignee: Science Park Corporation
    Inventors: Koichiro Shoji, Takashi Nozaki
  • Patent number: 8898769
    Abstract: A system is described that can perform a method for receiving a request to modify a universal integrated circuit card, generating a package comprising configuration data for modifying the universal integrated circuit card, instructing an over-the-air system to transmit the package encrypting the package with a transport key to generate an encrypted package, and transmitting the encrypted package to a communication device communicatively coupled to the universal integrated circuit card to provision the universal integrated circuit card. The system can also perform a method of providing a mobile network operator trusted service manager system information relating to the configuration data to enable the mobile network operator trusted service manager system to manage content and memory allocation of the universal integrated circuit card.
    Type: Grant
    Filed: November 16, 2012
    Date of Patent: November 25, 2014
    Assignees: AT&T Intellectual Property I, LP, AT&T Mobility II LLC
    Inventors: Walter Cooper Chastain, Clifton Campbell, Stephen Chin, David Harber, Brian Keith Rainer, David K. Smith, Shih-Ming Wang
  • Patent number: 8898755
    Abstract: A token or other storage device uses Internet identities to set file access attribute rights. Subsequently, requests to access a file can be controlled by confirming the Internet identity of the requestor by either validating the request with a known public key or retrieving the public key from an Internet identity provider. Files may be stored encrypted and may be re-encrypted with the public key associated with Internet identity making the request.
    Type: Grant
    Filed: November 20, 2012
    Date of Patent: November 25, 2014
    Assignee: Microsoft Corporation
    Inventors: Todd L. Carpenter, David Steeves, David Abzarian
  • Patent number: 8898744
    Abstract: Embodiments of the present invention include a system and method for implementing a presence system. According to an embodiment of the present invention, responsive to receiving a request for presence information associated with a presentity from a watcher, the presence system receives instructions indicating that an authorization instance other than the presentity shall be given an opportunity to change or verify an authorization rule associated with the request for presence information. As a consequence, the presence system notifies the authorization instance of the request for presence information, thereby enabling the authorization instance to change or verify the authorization rule. The presence system also makes a final decision on the authorization rule on the basis of the instructions and a notification indicating a change or verification of the authorization rule.
    Type: Grant
    Filed: January 27, 2010
    Date of Patent: November 25, 2014
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Christer Boberg, Mikael Klein, Anders Lindgren, Sofie Lassborn, David Cox
  • Publication number: 20140344920
    Abstract: Disclosed are a method, a terminal, and a service device for providing a data security service for data stored in a terminal or a data security service for backup data of the data of the terminal, backed up onto a backup device.
    Type: Application
    Filed: May 13, 2014
    Publication date: November 20, 2014
    Inventor: Sok Hyun JUNG
  • Publication number: 20140344919
    Abstract: A computer system includes a security processor, a first scan chain coupled to the security processor, a non-secure element, and a second scan chain coupled to the non-secure element. The computer system also includes one or more test access port controllers to control operation of the first and second scan chains, and further includes debug control logic, coupled to the one or more test access port controllers, to enable the one or more test access port controllers to activate debug functionality on the second scan chain but not the first scan chain in response to a predefined condition being satisfied.
    Type: Application
    Filed: May 20, 2013
    Publication date: November 20, 2014
    Applicant: Advanced Micro Devices, Inc.
    Inventor: Winthrop J. Wu
  • Patent number: 8893266
    Abstract: Systems and methods for secure control of a wireless mobile communication device are disclosed. Each of a plurality of domains includes at least one wireless mobile communication device asset. When a request to perform an operation affecting at least one of the assets is received, it is determined whether the request is permitted by the domain that includes the at least one affected asset, by determining whether the entity with which the request originated has a trust relationship with the domain, for example. The operation is completed where it is permitted by the domain. Wireless mobile communication device assets include software applications, persistent data, communication pipes, and configuration data, properties or user or subscriber profiles.
    Type: Grant
    Filed: February 24, 2014
    Date of Patent: November 18, 2014
    Assignee: BlackBerry Limited
    Inventors: Russell N. Owen, Herbert A. Little, David P. Yach, Michael Shenfield
  • Patent number: 8892602
    Abstract: Embodiments of the invention are directed to automatically populating a database of names and secrets in an authentication server by sending one or more lists of one or more names and secrets by a network management software to an authentication server. Furthermore, some embodiments provide that the lists being sent are encrypted and/or embedded in otherwise inconspicuous files.
    Type: Grant
    Filed: August 19, 2013
    Date of Patent: November 18, 2014
    Assignee: Emulex Corporation
    Inventor: Larry Dean Hofer
  • Patent number: 8892877
    Abstract: A method and a device are provided for accessing data files of a secure file server, wherein a user or a process is authenticated; wherein access to the data files of the secure file server takes place by way of an encryption module of the secure file server; wherein the encryption module comprises an encryption agreement of a centralized security application; and wherein the access of the authenticated user or process to the secure file server takes place by way of an encrypted protocol taking into consideration the encryption agreement. Such a device may be included in a corresponding computer network.
    Type: Grant
    Filed: May 17, 2012
    Date of Patent: November 18, 2014
    Assignee: Bayerische Motoren Werke Aktiengesellschaft
    Inventor: Sirko Molau
  • Patent number: 8887267
    Abstract: In one embodiment, a processor includes a microcode storage including processor instructions to create and execute a hidden resource manager (HRM) to execute in a hidden environment that is not visible to system software. The processor may further include an extend register to store security information including a measurement of at least one kernel code module of the hidden environment and a status of a verification of the at least one kernel code module. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 1, 2013
    Date of Patent: November 11, 2014
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Vedvyas Shanbhogue, Arvind Kumar, Purushottam Goel
  • Patent number: 8887271
    Abstract: In one embodiment the present invention includes a computer-implemented method comprising receiving a request from a user to perform an action on a first object in a software application, accessing a predefined hierarchy of a plurality of different object definitions, accessing user authorization data, and granting the user permission to perform the action on said first object, wherein the permission is determined from the predefined hierarchy and the user authorization data, wherein determining the permission includes traversing the predefined hierarchy.
    Type: Grant
    Filed: June 15, 2009
    Date of Patent: November 11, 2014
    Assignee: SAP SE
    Inventors: Bhanu P. Mohanty, Sanjeev K. Agarwal
  • Patent number: 8887272
    Abstract: A medical device customization system and method comprising a medical device that receives signals from a biological probe having an operational parameter and that stores data based on the signals in a memory. The medical device receives a custom application and establishes a virtual machine to run the custom application.
    Type: Grant
    Filed: August 24, 2012
    Date of Patent: November 11, 2014
    Assignee: General Electric Company
    Inventors: Mark S. Urness, Anders Herman Torp, Menachem Halmann
  • Patent number: 8886938
    Abstract: A method and system for validating a form, that includes providing, to a client, the form comprising a primary token, receiving, in response to the client loading the page form, a request for a secondary token, providing the secondary token in response to receiving the request, and receiving the form comprising the primary token and a secondary token from a client. The method further includes validating the form, where validating the form includes obtaining a first primary token hash from the secondary token, applying a first hash function to the primary token to obtain a second primary token hash, and determining that the first primary token hash and the second primary token hash match. The method further includes accepting the form upon validating the form.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: November 11, 2014
    Assignee: Intuit Inc.
    Inventor: Matthew Greenwood
  • Publication number: 20140331314
    Abstract: A time and sleep control system and method is disclosed. According to one embodiment, a computer-implemented method includes providing a first user interface on a computing device that provides digital content to a first user, providing a second user interface associated with an operating environment on the computing device to a second user, where the second user interface provides unrestricted access to the digital content, receiving a request that is configured to be provided by the second user to access the first user interface from the operating environment, where the request allows the second user to provide restricted access to the digital content on the first user interface, granting the request, and receiving a desired time duration on the computing device that is configured to be provided by the second user, where the desired time duration controls a length of time that the first user is allowed to access the first user interface.
    Type: Application
    Filed: July 18, 2014
    Publication date: November 6, 2014
    Inventor: Robb Fujioka
  • Patent number: 8880027
    Abstract: A method is performed by a computing device. The method includes, (a) at the computing device, wirelessly receiving an authentication code from an authentication card via near-field communications (NFC), (b) providing the authentication code received wirelessly via NFC to an authentication service configured to authenticate the user of the computing device based on the authentication code, and (c) in response to the authentication service authenticating the user based on the authentication code received wirelessly via NFC, providing the user with access to a resource via the computing device. Analogous computer program products and apparatuses are also provided.
    Type: Grant
    Filed: December 29, 2011
    Date of Patent: November 4, 2014
    Assignee: EMC Corporation
    Inventor: Philip Darringer