Entries |
Document | Title | Date |
20080229115 | PROVISION OF FUNCTIONALITY VIA OBFUSCATED SOFTWARE - In an example embodiment, executable files are individually encrypted utilizing a symmetric cryptographic key. For each user to be given access to the obfuscated file, the symmetric cryptographic key is encrypted utilizing a public key of a respective public/private key pair. A different public key/private key pair is utilized for each user. Obfuscated files are formed comprising the encrypted executable files and a respective encrypted symmetric cryptographic key. The private keys of the public/private key pairs are stored on respective smart cards. The smart cards are distributed to the users. When a user wants to invoke the functionality of an obfuscated file, the user provides the private key via his/her smart card. The private key is retrieved and is utilized to decrypt the appropriate portion of the obfuscated file. The symmetric cryptographic key obtained therefrom is utilized to decrypt the encrypted executable file. | 09-18-2008 |
20080229116 | Performing AES encryption or decryption in multiple modes with a single instruction - A machine-readable medium may have stored thereon an instruction, which when executed by a machine causes the machine to perform a method. The method may include combining a first operand of the instruction and a second operand of the instruction to produce a result. The result may be encrypted using a key in accordance with an Advanced Encryption Standard (AES) algorithm to produce an encrypted result. The method may also include placing the encrypted result in a location of the first operand of the instruction. | 09-18-2008 |
20080229117 | Apparatus for preventing digital piracy - A method for preventing digital piracy in a computing environment comprises loading an application into the computing environment, wherein the application is encrypted using a cryptographic key; assigning a virtual address space to the application; loading the cryptographic key for the application into a register which is accessible only by a central processing unit; and storing an index value for the key in the register in a page table entry which corresponds to the virtual address space for the application, thereby linking the virtual address space to the key for the application. | 09-18-2008 |
20080244275 | Instruction Transform for the Prevention and Propagation of Unauthorized Code Injection - A method and structure of instruction transformation. Applying the principals of biodiversity to instruction transformation applicable to devices and embedded systems and networks containing many devices not only protects individual devices from attack from unauthorized code, but additionally retards propagation of such unauthorized code to other devices in the system or network in communication with a potentially infected device. | 10-02-2008 |
20080263366 | SELF-VERIFYING SOFTWARE TO PREVENT REVERSE ENGINEERING AND PIRACY - Reverse engineering and piracy of software is prevented by encrypting code blocks of a program. A program is modified to include additional protective code, including a protective code launcher which is launched with the program. Decryption and execution code is also provided for the protective code launcher and one or more code blocks of the program. A given code block is encrypted using a key which is based on a previous code block, and the previous code block is encrypted using a key which is based on a further previous code block, and so forth. If a hacker modifies the program, such as to avoid a message which requires the user to purchase the program, the program will be disabled. The program can also be encrypted based on computer hardware such as a hard disk serial number so that it will only operate on a particular computer. | 10-23-2008 |
20080270806 | Execution Device - An execution device executes an application program created in an object-oriented language. An application includes one or more classes that each have one or more methods, and confidentiality information that expresses whether or not confidentiality is necessary. The execution device determines whether or not encryption is necessary, with reference to the confidentiality information, and when the method is to be executed, records, in a memory, an object including data that the method manipulates. When it is determined that encryption is necessary, the object is recorded with the data encrypted. | 10-30-2008 |
20080276100 | Virtual Machine or Hardware Processor for Ic-Card Portable Electronic Devices - A virtual machine or hardware processor for an IC-card portable electronic device includes a non-volatile memory unit, a remote decryption unit, and associated objects for storing an executable program in an encrypted format in the non-volatile memory. The IC-card stores a licence key to encrypt and decrypt the executable program through an IC-card interface. The IC-card interface extracts and encrypts the operands of the plain executable program into encrypted operands so as to not limit performance. The remote decryption unit detects if an instruction contains encrypted operands, and queries a decryption to the IC-card interface. The IC-card interface decrypts the encrypted operands and re-encrypts the just decrypted operands into obscured operands through a dynamic obscuration key. | 11-06-2008 |
20080282093 | METHODS AND APPARATUS FOR SECURE PROGRAMMING AND STORAGE OF DATA USING A MULTIPROCESSOR IN A TRUSTED MODE - Methods and apparatus provide for: entering a secure mode in which a given processor may initiate a transfer of information into or out of said processor, but no external device may initiate a transfer of information into or out of said processor; and programming at least one trusted data storage location using a direct memory access (DMA) command to be one of read-only, write-only, readable and writeable, limited access, and reset, where said at least one trusted data storage location is located external to said processor. | 11-13-2008 |
20080288785 | Data Security and Digital Rights Management System - A system and method is described for enhancing data security in a broad range of electronic systems through encryption and decryption of addresses in physical memory to which data is written and from which data is read. It can be implemented through software, hardware, firmware or any combination thereof. Implementation in Digital Rights Management execution using the invention reduces cost, enhances performance, and provides additional transactional security. | 11-20-2008 |
20080288786 | System with access keys - In an embodiment, a secure module is provided that provides access keys to an unsecured system. In an embodiment, the secure module may generate passcodes and supply the passcodes to the unsecured system. In an embodiment, the access keys are sent to the unsecured system after the receiving the passcode from the unsecured system. In an embodiment, after authenticating the passcode, the secure module does not store the passcode in its memory. In an embodiment, the unsecured module requires the access key to execute a set of instructions or another entity. In an embodiment, the unsecured system does not store access keys. In an embodiment, the unsecured system erases the access key once the unsecured system no longer requires the access key. In an embodiment, the unsecured system receives a new passcode to replace the stored passcode after using the stored passcode. Each of these embodiments may be used separately. | 11-20-2008 |
20080294910 | SYSTEM AND METHOD FOR PROTECTING NUMERICAL CONTROL CODES - A system, method, and computer program for protecting numerical control codes, comprising decrypting an encrypted text file that defines how an event for a tool path data set is processed; processing said decrypted text file to obtain a set of instructions; formatting said set of instructions according to a definition file; and outputting said set of formatted instructions; whereby postprocessed machine controls are written and appropriate means and computer-readable instructions. | 11-27-2008 |
20080301467 | Memory Security Device - Embodiments of the systems and methods presented herein may provide memory security in a semiconductor device or a computing system using an address encryption section operable to encrypt a write address or a read address, a data encrypting section operable to encrypt data to be written, a write section operable to write encrypted data at an encrypted write address corresponding to a memory, a read section operable to read encrypted data from the encrypted read address corresponding to the memory and a data decryption section operable to decrypt the read encrypted data to obtain read data corresponding to the read address. | 12-04-2008 |
20090006863 | Storage system comprising encryption function and data guarantee method - This storage system includes a host computer for issuing a read command or a write command of data, a pair of logical volumes corresponding to a pair of virtual devices to be recognized by the host computer, and a device interposed between the host computer and the pair of logical volumes and having a function of encrypting and decrypting data. The storage system additionally includes a path management unit for specifying one path to each of the logical volumes from a plurality of data transfer paths between the host computer and the pair of logical volumes for transferring encrypted data or decrypted data which was encrypted or decrypted via the device with data encryption or decryption function based on a read command or a write command of data from the host computer. | 01-01-2009 |
20090006864 | MICROPROCESSOR WITH IMPROVED TASK MANAGEMENT AND TABLE MANAGEMENT MECHANISM - A tamper resistant microprocessor has a task state table for assigning a task identifier to a task that can take a plurality of states, and storing a state of the task in correspondence to the task identifier; a task register for storing the task identifier of a currently executed task; an interface for reading a program stored in a form encrypted by using a program key at an external memory, in units of cache lines, when a request for the task is made; an encryption processing unit for generating decryption keys that are different for different cache lines, according to the program key, and decrypt a content read by the interface; a cache memory formed by a plurality of cache lines each having a tag, for storing the task identifier corresponding to a decryption key used in decrypting each cache line in the tag of each cache line; and an access check unit for comparing the task identifier stored in the tag of each cache line with a value of the task register, and discarding a content of each cache line when the task identifier in the tag and the value of the task register do not coincide. | 01-01-2009 |
20090031142 | System, Method and Computer Program Product for Processing a Memory Page - A method for processing a memory page, the method includes: retrieving, in response to a request to provide a first memory page to a processor, first memory page metadata associated with first memory page address information; wherein the first memory page address information is stored in a memory page table; and performing a page operation in response to the memory page metadata; wherein the page operation is selected from a group consisting of compression, cryptography, searching a page for a virus signature, searching a page for digital right management signature, error correction code verification, error correction code addition. | 01-29-2009 |
20090089589 | INFORMATION PROCESSING APPARATUS FOR PROTECTED DATA FILES AND INFORMATION PROCESSING METHOD THEREOF - According to one embodiment, a processing environment of protected file data is improved by an inspection module which inspects whether file ARF protected in a predetermined format is usable or unusable, an information table in which usable/unusable data of the ARF is set based on the inspection result of the inspection module, a file cache which stores the ARF, the usable/unusable data of which is set in this table, and a decryption processor which decrypts resource data as the contents of an encrypted data object using the ARF stored in this cache. | 04-02-2009 |
20090113217 | MEMORY RANDOMIZATION FOR PROTECTION AGAINST SIDE CHANNEL ATTACKS - Side channel attacks against a computing device are prevented by combinations of scrambling data to be stored in memory and scrambling the memory addresses of the data using software routines to execute scrambling and descrambling functions. Encrypted versions of variables, data and lookup tables, commonly employed in cryptographic algorithms, are thus dispersed into pseudorandom locations. Data and cryptographic primitives that require data-dependent memory accesses are thus shielded from attacks that could reveal memory access patterns and compromise cryptographic keys. | 04-30-2009 |
20090113218 | SECURE DATA PROCESSING FOR UNALIGNED DATA - A method for data cryptography includes accepting input data, which contains a section that is to undergo a cryptographic operation and starts at an offset with respect to a beginning of the input data, by a Direct Memory Access (DMA) module. The input data is aligned by the DMA module to cancel out the offset. The aligned input data is read out of the DMA module, and the cryptographic operation is performed on the section. | 04-30-2009 |
20090119515 | OBFUSCATION EVALUATION METHOD AND OBFUSCATION METHOD - An obfuscation evaluation method which sufficiently evaluates an obfuscation performed on a program. The obfuscation evaluation method includes: a step (S | 05-07-2009 |
20090119516 | SECURE DEVICE AND READER-WRITER - The invention is to solve a problem such that a server application that a secure device has cannot be used by a client application that a different secure device has. | 05-07-2009 |
20090125728 | SECURITY METHOD OF SYSTEM BY ENCODING INSTRUCTIONS - The provided is a method for securing a system by encoding instructions. The method includes encoding instructions composed by a system developer and storing the encoded instructions through an encoding module during a compiling procedure, and decoding the encoded instructions and executing the decoded instructions through a decoding module. In the method, the instructions are encoded using interdependency between instructions in an instruction set which is composed by a system developer. | 05-14-2009 |
20090144561 | Method and System for Software Protection Using Binary Encoding - Software is protected by encoding the target software instructions and decoding the target instructions. | 06-04-2009 |
20090164803 | Cipher Message Assist Instruction - A method, system and program product for executing a cipher message assist instruction in a computer system by specifying, via the cipher message assist instruction, either a capability query installed function or execution of a selected function of one or more optional functions, wherein the selected function is an installed optional function, wherein the capability query determines which optional functions of the one or more optional functions are installed on the computer system. | 06-25-2009 |
20090172414 | DEVICE AND METHOD FOR SECURING SOFTWARE - A device that includes a first memory unit adapted to store encrypted instructions, a processor adapted to execute decrypted instructions, a second memory unit accessible by the processor, and a decryption unit. The device is characterized by including a key database and a key selection circuit, wherein the key selection circuit is adapted to select a selected decryption key from the key database for decrypting encrypted instructions. The selection is responsive to a fixed selection information stored within the integrated circuit and to received key selection information. | 07-02-2009 |
20090172415 | PROCESSOR APPARATUS - The control unit includes a CPU which generates an access signal for performing writing or reading on the external memory, encryption/decryption means which, when the access signal is used for writing, encrypts an address designated by the CPU to generate a write address and encrypts write data contained in the access signal to generate write encrypted data, and which, when the access signal is used for reading, encrypts an address designated by the CPU to generate a read address and decrypts the encrypted data read from the external memory to generate plaintext data, and external control means which writes the write encrypted data in a position designated by the write address generated by the encryption/decryption means and which reads the encrypted data from a position designated by the read address generated by the encryption/decryption means and supplies the same to the encryption/decryption means for its decryption. | 07-02-2009 |
20090199014 | SYSTEM AND METHOD FOR SECURING AND EXECUTING A FLASH ROUTINE - A microcontroller comprises a random access memory (RAM) device; a non-volatile memory device having a data sector, wherein operation codes are stored as data files in the data sector; and a processor configured to retrieve the operation codes from the data sector, load the retrieved operation codes into the RAM device and run the decrypted operation codes from the RAM device. | 08-06-2009 |
20090204823 | METHOD AND APPARATUS FOR CONTROLLING SYSTEM ACCESS DURING PROTECTED MODES OF OPERATION - A microprocessor to provide software development debugging capabilities while providing security for confidential and/or sensitive information. The processor may operate in one of an open, a secure entry, and a secure mode. In open mode, security measures may prevent access to certain registry bits and access to a private memory area. Secure entry mode may be entered upon receipt of a request to run secure code and/or access the private memory area. The secure code may be authenticated in secure entry mode. Authentication may be performed using digital signatures. Secure mode may be entered if authentication is successful. Authenticate code may be executed in the secure mode environment. The private memory area may be accessible in secure mode. | 08-13-2009 |
20090235088 | Program conversion device, execution support device, and method and computer program for the same - A method invocation modification unit modifies method invocation described in a body program to dynamic invocation and modifies the method invocation to invocation via an execution support device. An encryption unit modifies the body program by encrypting a character string designating the dynamic invocation after modification by the method invocation modification unit. Therefore, the method invocation can be hidden and understanding of the program can be made difficult. | 09-17-2009 |
20090235089 | COMPUTER OBJECT CODE OBFUSCATION USING BOOT INSTALLATION - In the field of computer software, obfuscation techniques for enhancing software security are applied to compiled (object) software code. The obfuscation results here in different versions (instances) of the obfuscated code being provided to different installations (recipient computing devices). The complementary code execution uses a boot loader or boot installer-type program at each installation which contains the requisite logic. Typically, the obfuscation results in a different instance of the obfuscated code for each intended installation (recipient) but each instance being semantically equivalent to the others. This is accomplished in one version by generating a random value or other parameter during the obfuscation process, and using the value to select a particular version of the obfuscating process, and then communicating the value along with boot loader or installer program software. This boot loader then selects which particular process to use for the code execution at the time of installation in accordance with the value. This results in different versions of the obfuscated code being provided to each recipient installation, which further enhances security of the code against reverse engineering by hackers. | 09-17-2009 |
20090235090 | Method for Decrypting an Encrypted Instruction and System thereof - Methods of preventing private information, which is hidden within data of a private domain reserved by an application program, from being easily accessed by a CPU and other devices, both where the data of the private domain is decrypted and the access to said data are restricted are disclosed, where the mentioned other devices do not include a decryption module utilized in the methods. Therefore, as long as agreements related to encryptions and decryptions are made in advance between the application program and the decryption module, private information can be well protected. | 09-17-2009 |
20090265562 | DATA CONVERSION METHOD ON STORAGE MEDIUM, APPARATUS AND PROGRAM - In a data conversion auxiliary module which is at a higher level than a file system in a disk management hierarchy, data stored in a storage medium, which becomes an object, is successively accessed. Then, a data conversion module captures a sector-unit access request to a device driver from the file system, converts data of a sector which is returned from the device driver, and writes the conversion data in the sector. Thereby, data conversion can be executed on a specific region of the storage medium, which is associated with the data in the storage medium. | 10-22-2009 |
20090292931 | APPARATUS AND METHOD FOR ISOLATING A SECURE EXECUTION MODE IN A MICROPROCESSOR - An apparatus providing for a secure execution environment, including a microprocessor and a secure non-volatile memory. The microprocessor executes non-secure application programs and a secure application program, where the non-secure application programs are accessed from a system memory via a system bus. The microprocessor has secure execution mode logic that is configured to provide for a secure execution mode within the microprocessor for execution of the secure application program. The secure execution mode logic records the state of the microprocessor in a non-volatile indicator register upon entry into the secure execution mode and upon exit from the secure execution mode. The secure non-volatile memory is coupled to the microprocessor via a private bus and is configured to store the secure application program. Transactions over the private bus between the microprocessor and the secure non-volatile memory are isolated from the system bus and corresponding system bus resources within the microprocessor. | 11-26-2009 |
20090300368 | USER INTERFACE FOR SECURE DATA ENTRY - A computer input device for operation with a computer includes an input transducer, which is coupled to receive an input from a user and to generate a data signal responsively to the input. An encryption processor is coupled to process the data signal so as to output data to the computer. The encryption processor has a first operational mode in which the encryption processor encrypts the data signal using an encryption key not accessible to the computer so that the data are unintelligible to the computer, and a second operational mode in which the data are intelligible to the computer. A mode switch is operative so as to switch between the first and second operational modes of the encryption processor. An output transducer is coupled to provide to the user an indication of whether the encryption processor is in the first or the second operational mode. | 12-03-2009 |
20090307500 | PROGRAM OBFUSCATOR - A program obfuscator of the present invention divides a target program into a plurality of blocks and determines program instructions allocated according to an input/output relation between the blocks, in order to diffuse and allocate the program instructions for calculating a value of secret information in various places of the program. More specifically, with regard to a variable for calculating the secret information transferred to and from the blocks, a value of the variable when outputted from a block is equalized to a value of the variable when inputted to a next block. A random variable conversion instruction is added to each of the blocks so that a value of the variable when outputted from each block is in a range of a value expected as an input to the next block. | 12-10-2009 |
20090319804 | Scalable and Extensible Architecture for Asymmetrical Cryptographic Acceleration - Systems and methods for providing asymmetrical cryptographic acceleration are provided. The scalable asymmetric cryptographic accelerator engine uses a layered approach based on the collaboration of firmware and hardware to perform a specific cryptographic operation. Upon receipt of a request for a cryptographic function, the system accesses a sequence of operations required to perform the requested function. A micro code sequence is prepared for each hardware operation and sent to the hardware module. The micro code sequence includes a set of load instructions, a set of data processing instructions, and a set of unload instructions. An instruction may include a register operand having a register type and a register index. Upon receipt of a load instruction, the hardware module updates size information in a content addressable memory for a register included in the instruction. The hardware module continuously monitors the content addressable memory to avoid buffer overflow or underflow conditions. | 12-24-2009 |
20090319805 | TECHNIQUES FOR PERFORMING SYMMETRIC CRYPTOGRAPHY - Techniques are described for performing decryption using a key-specific decryption engine. A message including an encrypted data portion is received. The encrypted data portion is formed by performing a symmetric encryption operation using a symmetric key. The encrypted data portion is decrypted using a key-specific decryption engine which does not use the symmetric key as an input. Also described are techniques for generating the key-specific decryption engine which may be implemented using boolean functions determined for the symmetric key. | 12-24-2009 |
20100017624 | From polymorphic executable to polymorphic operating system - A method, capable of being implemented in executable instructions or programmes in device(s), including computer system(s) or computer-controlled device(s) or operating-system-controlled device(s) or system(s) that is/are capable of running executable code, providing for the creation in Device(s) of executable code, such as boot code, programmes, applications, device drivers, or a collection of such executables constituting an operating system, in the form of executable code embedded or stored into hardware, such as embedded or stored in all types of storage medium, including read-only or rewriteable or volatile or non-volatile storage medium, such as in the form of virtual disk in physical memory or internal Dynamic Random Access Memory or hard disk or solid state flash disk or Read Only Memory, or read only or rewriteable CD/DVD/HD-DVD/Blu-Ray DVD or hardware chip or chipset etc.; the executable code being in the form of Polymorphic Executable (PE) or Executable with Unexecutable Code (EUC) or Polymorphic Executable with Unexecutable Code (PEUC) or Polymorphic Operating System (POS) containing PE, EUC and PEUC runnable in an authenticated or authorized state for the protection of intellectual property. | 01-21-2010 |
20100017625 | ARCHITECURE, SYSTEM, AND METHOD FOR OPERATING ON ENCRYPTED AND/OR HIDDEN INFORMATION - An architecture, system and method for operating on encrypted and/or hidden information (e.g., code and/or data). The invention enables creators, owners and/or distributors of proprietary code to keep such code inaccessible to users and user-controlled software programs. A memory architecture includes first and second protected memory spaces, respectively storing operating system instructions and a decrypted version of the encrypted information. The first protected memory space may further store a table linking the locations of the encrypted and/or hidden, decrypted information with a decryption and/or authorization key. The system includes the memory architecture and a processor for executing instructions, and the method loads, stores and operates on the encrypted and/or hidden information according to the memory architecture functionality and/or constraints. | 01-21-2010 |
20100023780 | FLASH DEVICE SECURITY METHOD UTILIZING A CHECK REGISTER - Methods of operating memory systems and memory systems are disclosed, such as a memory system having a memory array storing a code generating program to instruct a processor to generate a code, and a register to store a code generated by the processor, where the register is configured to allow a write operation to the memory array in response to a match of a code stored in the register and where the match is controlled in response to a request from a utility program being executed by the processor. | 01-28-2010 |
20100058070 | Message authentication code pre-computation with applications to secure memory - A method comprising the steps of creating a random permutation of data from a data input by executing at least one of a Pseudo-Random Permutation (PRP) and a Pseudo-Random Function (PRF), creating a first data block by combining the random permutation of data with a received second data block and executing an ε-differentially uniform function on the result of the combination, XORing the result of the ε-DU function evaluation with a secret key, and reducing the first data block to a first message authentication code. | 03-04-2010 |
20100058071 | SYSTEM AND METHOD FOR ENCRYPTING AN ELECTRONIC FILE IN A MOBILE ELECTRONIC DEVICE - A system and method for encrypting an electronic file in a mobile electronic device reads bytes of the electronic file from a cache of a memory system and divides the bytes into a plurality of byte lines. The system and method further assigns a numerical cipher to each byte line and searches a position of each numerical cipher in a corresponding byte line. Furthermore, the system and method encrypt each byte line by inserting one or more random bytes into each byte line, and generates an encrypted electronic file by combining all the encrypted byte lines. | 03-04-2010 |
20100064144 | DATA SECURITY - This document discloses data security systems and methods of securing data. A cache memory can be connected between a decryption engine and a central processing unit (“CPU”) to increase security of encrypted data that is stored in a datastore. The decryption engine can retrieve the encrypted data from the datastore, decrypt the data, and store the decrypted data in the cache. In turn, the decrypted data can be accessed by the CPU. The data can be encrypted with a secret key, so that decryption can be performed with the secret key. The key can be varied based on a memory address associated with the data. The key can be protected by restricting direct access to the decryption engine by the CPU. | 03-11-2010 |
20100070780 | QUANTUM PROGRAM CONCEALING DEVICE AND QUANTUM PROGRAM CONCEALING METHOD - An object of the present invention is to enable an authorized user to execute a quantum program, without letting the authorized user know the operation contents of the quantum program. | 03-18-2010 |
20100077228 | Implementing Portable Content Protection to Secure Secrets - A source-level compiler may randomly select compilation conventions to implement portable content protection, securing the secrets embedded in a program by shuffling associated data. The program may be developed using a source language that is applicative on the associated data. To obscure the embedded secrets, in one embodiment, pre-compiler software may be deployed for compiling the program in a random-execution-order based on a random seed indication that randomly selects compilation conventions and a shuffling algorithm that moves the associated data across the program during execution. | 03-25-2010 |
20100115290 | KEYBOARD AND METHOD FOR SECURE TRANSMISSION OF DATA - A keyboard, in particular a POS (point of sale, point of service) keyboard, bank keyboard, keyboard for secure data entry, and a method for secure transmission of data that is entered through various data entry modules such as, e.g., magnetic card readers, chip card readers, key switches, or a keypad, to an external device connected to the keyboard, for example a computer. The keyboard comprises at least one data entry module for entering data and a keyboard control device with at least one receiving device for receiving the entered data, an encryption device for encrypting the received data by means of an encryption algorithm, wherein the encryption algorithm is present in the form of program code, and a transmission device for transmitting the data encrypted by the encryption means to the external device connected to the keyboard control device, wherein the encryption algorithm can be selected by the user from multiple predefined encryption algorithms and associated with the data entry module. | 05-06-2010 |
20100122095 | Hardware-facilitated secure software execution environment - A hardware-facilitated secure software execution environment provides protection of both program instructions and data against unauthorized access and/or execution to maintain confidentiality and integrity of the software or the data during distribution, in external memories, and during execution. The secure computing environment is achieved by using a hardware-based security method and apparatus to provide protection against software privacy and tampering. A Harvard architecture CPU core is instantiated on the same silicon chip along with encryption management unit (EMU) circuitry and secure key management unit (SKU) circuitry. Credential information acquired from one or more sources is combined by the SKU circuitry to generate one or more security keys provided to the EMU for use in decrypting encrypted program instructions and/or data that is obtained from a non-secure, off-chip source such as an external RAM, an information storage device or other network source. In a non-limiting illustrative example implementation, the EMU decrypts a single memory page of encrypted instructions or data per a corresponding encryption key provided by the SKU. Although instantiated on the same chip, the CPU core does not have direct access to the SKU circuitry or to encryption key information generated by the SKU. | 05-13-2010 |
20100125740 | SYSTEM FOR SECURING MULTITHREADED SERVER APPLICATIONS - A system for securing multithreaded server applications addresses the need for improved application performance. The system implements offloading, batching, and scheduling mechanisms for executing multithreaded applications more efficiently. The system significantly reduces overhead associated with the cooperation of the central processing unit with a graphics processing unit, which may handle, for example, cryptographic processing for threads executing on the central processing unit. | 05-20-2010 |
20100153745 | Methods and devices for instruction level software encryption - A method of encrypting compiled computer code instructions to be decrypted instruction by instruction during execution. The computer code instructions are encrypted using a chaining mode so that an encrypted instruction depends on the values of the instruction, the value of the preceding instruction and a pseudo-random number. As it may happen that the instruction can be arrived at from more than one preceding instruction, at least one of the preceding instructions is associated with a random number compensator for use during decryption of the encrypted instruction, so that the decryption of the encrypted instruction yields the same result regardless of which the preceding instruction was. Also provided are an encryption device, a decryption device and method, and a digital support medium storing encrypted compiled computer code instructions. | 06-17-2010 |
20100169666 | METHODS AND SYSTEMS TO DIRECLTY RENDER AN IMAGE AND CORRELATE CORRESPONDING USER INPUT IN A SECUIRE MEMORY DOMAIN - Methods and systems to assign an application and a video frame buffer to a protected memory domain to render an image of a keyboard from the protected memory domain to a random position of the video frame buffer and correlate user input from a pointing device to the rendered keyboard image. The keyboard image may be randomly repositioned following a user input. The keyboard image may be rendered over a secure user image. An acknowledgment image may be rendered from the protected memory domain to a random position of the video frame buffer, and may be randomly repositioned in response to a user input that does not correlate to the acknowledgment image. User inputs that do not correlate to a randomly positioned image may be counted, and one or more processes may be aborted when the number of non-correlated user inputs exceeds a threshold. | 07-01-2010 |
20100180129 | APPARATUS COMPRISING A PLURALITY OF ARITHMETIC LOGIC UNITS - An arrangement of arithmetic logic units carries out an operation on at least one operand, wherein the operation is determined by operation codes received by the arithmetic logic units. The operation codes and at least one operand are received on a first clock cycle. The result of the operation is output from at least one arithmetic logic unit to at least one further arithmetic logic unit. A result of the plurality of arithmetic logic units is then output on a next clock cycle. | 07-15-2010 |
20100185876 | KEYBOARD-INPUT INFORMATION-SECURITY APPARATUS AND METHOD - A keyboard-input information-security apparatus and method are provided. The apparatus includes an interrupt-descriptor table for storing a list of addresses of functions for handling interrupts, and storing an address of a secure input interrupt-service routine at a specific location in an address area for an operating-system input interrupt-service routine supported by an operating system; a secure input-device driver for changing keyboard-interrupt-vector information to invoke the address of the secure input interrupt-service routine when a keyboard interrupt is generated by a keyboard, and receiving and encoding data input via the keyboard based on the address of the secure input interrupt-service routine; and a secure input unit for delivering the encoded data from the secure input-device driver to an application program, thereby providing higher-level security than a conventional keyboard-security scheme, and particularly, effectively blocking a port-polling attack or an action trying to change a setting in a debug register. | 07-22-2010 |
20100205459 | METHOD AND SYSTEM FOR PROTECTING AGAINST ACCESS TO A MACHINE CODE OF A DEVICE - A method for the protection against access to a machine code of a device, has the steps: (a) encrypting a machine code by a device-specific key, which is provided by a TPM (Trusted Platform Module) module present in the device, (b) storing the encrypted machine code in a memory of the device, (c) wherein the device-specific key can no longer be read from the TPM module after a manipulation of the device. | 08-12-2010 |
20100223478 | SYSTEM AND METHOD FOR PERFORMING EXPONENTIATION IN A CRYPTOGRAPHIC SYSTEM - There are disclosed systems and methods for computing an exponentiatied message. In one embodiment blinding is maintained during the application of a Chinese Remainder Theorem (CRT) algorithm and then removed subsequent to the completion of the CRT algorithm. In another embodiment, fault injection attacks, such as the gcd attack, can be inhibited by applying and retaining blinding during the application of the CRT algorithm to yield a blinded exponentiation value, and then subsequently removing the blinding in a manner that causes an error injected into the CRT computation to cascade into the exponent of the value used to unblind the blinded exponentiated value. | 09-02-2010 |
20100229000 | SOFTWARE COPYRIGHT PROTECTION AND LICENSING SYSTEM USING RFID - The present invention provides a software copyright protection and licensing system ( | 09-09-2010 |
20100229001 | NONVOLATILE MEMORY DEVICE AND OPERATING METHOD - Disclosed is an operating method of a non-volatile memory device which comprises randomizing data to store the randomized data; erasing the randomized data; and outputting erase data according to information of a flag cell of the non-volatile memory device at a read operation. | 09-09-2010 |
20100229002 | SYSTEMS AND METHODS FOR WATERMARKING SOFTWARE AND OTHER MEDIA - Systems and methods are disclosed for embedding information in software and/or other electronic content such that the information is difficult for an unauthorized party to detect, remove, insert, forge, and/or corrupt. The embedded information can be used to protect electronic content by identifying the content's source, thus enabling unauthorized copies or derivatives to be reliably traced, and thus facilitating effective legal recourse by the content owner. Systems and methods are also disclosed for protecting, detecting, removing, and decoding information embedded in electronic content, and for using the embedded information to protect software or other media from unauthorized analysis, attack, and/or modification. | 09-09-2010 |
20100235651 | SECURE OPERATION OF PROCESSORS - Secure operation of processors is disclosed. A cell processor receives a secure file image from a client device at a processor of a host device (host cell processor), wherein the secure file image includes encrypted contents. | 09-16-2010 |
20100241872 | Partially Reversible Key Obfuscation - Techniques are provided to obfuscate seed values to produce a decryption key for a simplified content protection scheme. A first repeatable sequence is performed that encrypts a value stored in a first memory location using a value stored in the second memory location to produce an encrypted value and the value stored in the first memory location is overwritten with the encrypted value and then applying a constraining function to the value stored in the second memory location to produce a result and the value stored in the second memory location is overwritten with the result, wherein the result contains a less entropy compared an entropy level of the value in the second memory location prior to applying the constraining function. This sequence is repeated, but the values used in the first and second memory locations are used in opposite fashion. Techniques are also provided to perform the reverse operation and de-obfuscate a decryption key. | 09-23-2010 |
20100250964 | APPARATUS AND METHOD FOR IMPLEMENTING INSTRUCTION SUPPORT FOR THE CAMELLIA CIPHER ALGORITHM - A processor including instruction support for implementing the Camellia block cipher algorithm may issue, for execution, programmer-selectable instructions from a defined instruction set architecture (ISA). The processor may include a cryptographic unit that may receive instructions for execution. The instructions include one or more Camellia instructions defined within the ISA. In addition, the Camellia instructions may be executable by the cryptographic unit to implement portions of a Camellia cipher that is compliant with Internet Engineering Task Force (IETF) Request For Comments (RFC) 3713. In response to receiving a Camellia F( )-operation instruction defined within the ISA, the cryptographic unit may perform an F( ) operation, as defined by the Camellia cipher, upon a data input operand and a subkey operand, in which the data input operand and subkey operand may be specified by the Camellia F( )-operation instruction. | 09-30-2010 |
20100250965 | APPARATUS AND METHOD FOR IMPLEMENTING INSTRUCTION SUPPORT FOR THE ADVANCED ENCRYPTION STANDARD (AES) ALGORITHM - A processor including instruction support for implementing the Advanced Encryption Standard (AES) block cipher algorithm may issue, for execution, programmer-selectable instructions from a defined instruction set architecture (ISA). The processor may include a cryptographic unit that may receive instructions for execution. The instructions include one or more AES instructions defined within the ISA. In addition, the AES instructions may be executable by the cryptographic unit to implement portions of an AES cipher that is compliant with Federal Information Processing Standards Publication 197 (FIPS 197). In response to receiving a first AES encryption round instruction defined within the ISA, the cryptographic unit may perform an encryption round of the AES cipher on a first group of columns of cipher state having a plurality of rows and columns. A maximum number of columns included in the first group may be fewer than all of the columns of the cipher state. | 09-30-2010 |
20100250966 | PROCESSOR AND METHOD FOR IMPLEMENTING INSTRUCTION SUPPORT FOR HASH ALGORITHMS - A processor including instruction support for implementing hash algorithms may issue, for execution, programmer-selectable hash instructions from a defined instruction set architecture (ISA). The processor may include a cryptographic unit that may receive instructions for execution. The instructions include hash instructions defined within the ISA. In addition, the hash instructions may be executable by the cryptographic unit to implement a hash that is compliant with one or more respective hash algorithm specifications. In response to receiving a particular hash instruction defined within the ISA, the cryptographic unit may retrieve a set of input data blocks from a predetermined set of architectural registers of the processor, and generate a hash value of the set of input data blocks according to a hash algorithm that corresponds to the particular hash instruction. | 09-30-2010 |
20100250967 | Semiconductor integrated circuit and control, method of the same - There is provided a semiconductor integrated circuit including a scan path circuit, which includes an encryption data storage unit that stores a secret key B created by encrypting a chip ID with use of a secret key A, and an encryption circuit that encrypts output data of the scan path circuit based on the secret key B and outputs the encrypted output data. This circuit configuration enables an increase in confidentiality in encryption of a scan test result. | 09-30-2010 |
20100262839 | Obfuscating Execution Traces of Computer Program Code - A computer-implemented method of generating tamper-protected computer program code. The method comprises obtaining a representation of the computer program code, the computer program being adapted to cause a data processing system to perform a plurality of computational tasks in a first order of execution, each computational task being represented in the representation of the computer program code by at least one program statement; obtaining a plurality of alternative orders of execution of the computational tasks; generating an executable representation of the program code adapted to cause a data processing system to select a randomized order of execution from the plurality of alternative orders of execution and to execute the computational tasks in the selected randomized order of execution. | 10-14-2010 |
20100262840 | METHOD AND DEVICES FOR PROTECTING A MICROCIRCUIT FROM ATTACKS FOR OBTAINING SECRET DATA - A method of protecting a microcircuit against attacks aimed at discovering secret data used on the execution, by the microcircuit, of an encryption algorithm includes generating at least one protection parameter for the secret data and modifying the execution of the encryption algorithm through that protection parameter. Generation of the at least one protection parameter includes defining a function generating, by successively applying to at least one secret parameter which is stored in memory, a sequence of values which can only be determined from that secret parameter and that function, and to generate the protection parameter in a reproducible way from at least one value in that sequence. | 10-14-2010 |
20100281273 | System and Method for Processor-Based Security - A system and method for processor-based security is provided, for on-chip security and trusted computing services for software applications. A processor is provided having a processor core, a cache memory, a plurality of registers for storing at least one hash value and at least one encryption key, a memory interface, and at least one on-chip instruction for creating a secure memory area in a memory external to the processor, and a hypervisor program executed by the processor. The hypervisor program instructs the processor to execute the at least one on-chip instruction to create a secure memory area for a software area for a software module, and the processor encrypts data written to, and decrypts data read from, the external memory using the at least one encryption key and the verifying data read from the external memory using the at least one hash value. Secure module interactions are provided, as well as the generation of a power-on key which can be used to protect memory in the event of a re-boot event. Lightweight, run-time attestation reports are generated which include selected information about software modules executed by the processors, for use in determining whether the processor is trusted to provide secure services. | 11-04-2010 |
20100287384 | ARRANGEMENT FOR AND METHOD OF PROTECTING A DATA PROCESSING DEVICE AGAINST AN ATTACK OR ANALYSIS - In order to further develop an arrangement for as well as a method of protecting at least one data processing device, in particular at least one embedded system, for example at least one chip card or smart card, against at least one attack, in particular against at least one side-channel attack, for example against at least one current trace analysis, the data processing device, in particular at least one integrated circuit of the data processing device, carrying out calculations, in particular cryptographic operations wherein an attack, for example an E[lectro]M[agnetic] radiation attack, or an analysis, for example a D[ifferential]P[ower]A[nalysis], such attack or such analysis in particular targeted on finding out a private key, is to be securely averted, it is proposed to blind all intermediate results of the calculations by at least one random variable. | 11-11-2010 |
20100293391 | MULTIPOINT GENERAL-PURPOSE INPUT/OUTPUT CONTROL INTERFACE DEVICE - A multipoint general-purpose input/output control interface device is provided, which is a control interface device that is applicable to, but not limited to, PCI transmission interface, and can be installed in or removed from a computer system or a game machine as desired to use the computer system or the game machine to control a timer and access or encrypt static random access memory and general purpose input/output (GPIO). | 11-18-2010 |
20100299537 | SECURE PROCESSING DEVICE WITH KEYSTREAM CACHE AND RELATED METHODS - A secure processing device may include an external memory storing encrypted data, and a processor cooperating with the external memory. The processor is configured to generate address requests for the encrypted data in the external memory, cache keystreams based upon an encryption key, and generate decrypted plaintext based upon the cached keystreams and the encrypted data requested from the external memory. For example, the processor may be further configured to predict a future address request, and the future address request may be associated with a cached keystream. | 11-25-2010 |
20100299538 | Systems and Methods for Low-Latency Encrypted Storage - Encrypted storage often introduces unwanted latency in access. This delay can result in a processor having to wait for critical data thus slowing performance. Generally speaking, the latency is at most an issue when reading from encrypted storage, since the processor may need the information read from encrypted storage to proceed. During a write operation, there typically is not an issue because the processor does not need to wait for the end of the write operation to proceed. A variant of counter (CTR) mode for a block cipher can be used to perform the majority of the decryption operation without knowledge of the ciphertext, therefore the majority of the decryption operation can be performed concurrently with the retrieval of the ciphertext from memory. In order to further secure the encrypted storage, a light encryption can be performed to further obfuscate the ciphertext. | 11-25-2010 |
20100318810 | INSTRUCTION CARDS FOR STORAGE DEVICES - A card can be communicationally coupled to a storage device. The card can then cause the storage device to perform stand-alone tasks without a computing device. The card can invoke instructions already present in the firmware of the storage device or the card can first copy instructions to the firmware and then invoke them. The card can cause the storage device to perform actions, such as a secure erase, and the storage device can remain inaccessible until such actions are performed, even if power is interrupted. The card can also receive information from the storage devices and then use that information with a new storage device to, for example, enable the new storage device to take the place of, and reconstruct the data of, the old storage device in a storage array directly from other storage devices in the array and without burdening a computing device or array controller. | 12-16-2010 |
20100318811 | CRYPTOGRAPHIC PROCESSOR - A cryptographic processor includes: first and second round function operation circuits, each of which executes cryptographic processing; and a control circuit configured to operate the first and second round function operation circuits by randomly switching between a parallel operation mode used to operate the first and second round function operation circuits in parallel and a serial operation mode used to operate the first and second round function operation circuits in series. | 12-16-2010 |
20100325446 | Securing Executable Code Integrity Using Auto-Derivative Key - A method for protecting software from tampering includes steps for processing, using a computer, first compiled software stored in a computer memory to generate a cryptographic key, the first compiled software configured to perform software protection functions and defined second functions distinct from the software protection functions when executed by a computer processor, the cryptographic key consisting of a first portion of the first compiled software comprising executable code compiled from the software protection functions, encrypting a second portion of the first compiled software using the cryptographic key to produce second compiled software comprising the first portion in unencrypted form and the second portion encrypted with the cryptographic key, wherein the second portion comprises executable code compiled from the defined second functions, and storing the second compiled software in a computer memory for distribution to a client device. | 12-23-2010 |
20100332852 | Creating Secure Communication Channels Between Processing Elements - Two processing elements in a single platform may communicate securely to allow the platform to take advantage of the certain cryptographic functionality in one processing element. A first processing element, such as a bridge, may use its cryptographic functionality to request a key exchange with a second processing element, such as a graphics engine. Each processing element may include a global key which is common to the two processing elements and a unique key which is unique to each processing element. A key exchange may be established during the boot process the first time the system boots and, failing any hardware change, the same key may be used throughout the lifetime of the two processing elements. Once a secure channel is set up, any application wishing to authenticate a processing element without public-private cryptographic function may perform the authentication with the other processing element which shares a secure channel with the first processing element. | 12-30-2010 |
20110022853 | ENCRYPTING DATA IN VOLATILE MEMORY - Provided are a computer program product, system, and method to allocate blocks of memory in a memory device having a plurality of blocks. At least one unencrypted memory allocation function coded in an application is executed to request allocation of unencrypted blocks in the memory device. An encrypted memory allocation function coded in the application is executed to request allocation of encrypted blocks in the memory device. At least one unencrypted Input/Output (I/O) request function coded in the application indicating an I/O operation to perform against the unencrypted blocks in the memory device is executed. At least one encrypted I/O request function coded in the application indicating an I/O operation to perform against the encrypted blocks in the memory device is executed. An operating system uses an encryption key associated with the encrypted blocks to encrypt or decrypt data in the encrypted blocks to perform the encrypted I/O operation in response to processing the encrypted I/O request functions, wherein the unencrypted and encrypted memory allocation functions and unencrypted and encrypted I/O request functions comprise different functions in a library of functions available to the application. | 01-27-2011 |
20110022854 | Processor-implemented method for ensuring software integrity - The present invention provides a solution to the problem of guaranteeing the integrity of software programmes by encrypting all or part of each instruction of a programme using a key based on all or part of one or a plurality of previous instructions, thus resulting in a different encryption key per instruction. The invention is applicable to software programmes whose structures are not necessarily tree-like in nature and is also applicable when the programme includes loops, jumps, calls or breaks etc. The invention allows for an exception to be flagged when an encrypted instruction is wrongly decrypted. There is no need for the first instruction to be in clear, since the instruction key may be appropriately initialised as required. The invention can be realised in software or entirely in hardware thereby eliminating the possibility of a third party intercepting a decrypted instruction or a decryption key. | 01-27-2011 |
20110022855 | SYSTEM AND METHOD FOR THWARTING BUFFER OVERFLOW ATTACKS USING ENCRYPTED PROCESS POINTERS | 01-27-2011 |
20110035601 | System, method and computer program product for protecting software via continuous anti-tampering and obfuscation transforms - Method, system and computer program product for applying existing anti-tampering and obfuscation technique to virtual machine technology and offers several distinct advantages. The anti-tampering and obfuscation transforms can be applied continuously to prevent adversaries from gaining information about the program through emulation or dynamic analysis. In addition, the encryption can be used to prevent hackers from gaining information using static attacks. The use of a virtual machine also allows for low overhead execution of the obfuscated binaries as well as finer adjustment of the amount of overhead that can be tolerated. In addition, more protection can be applied to specific portions of the application that can tolerate slowdown. The incorporation of a virtual machine also makes it easy to extend the technology to integrate new developments and resistance mechanisms, leading to less development time, increased savings, and quicker deployment. | 02-10-2011 |
20110040985 | SERVER DEVICE, INFORMATION PROVIDING METHOD AND INFORMATION SUCCESSION SYSTEM - An information succession system, which operates in accordance with inputted information to provide access to inputted information, including the personality of the original user, to successors of the original user. An encryption processing unit encrypts inputted information and generates keys used in association with access by users. A character/personality data generation unit generates data indicative of a user's character or personality by analyzing user input information. That character data is stored in a character data memory unit and is associated with the user's identification information. A request information analysis unit analyzes and characterizes requests. Request characteristics are stored in the character data memory unit and associated with the user making the request. A transmitting information generation unit generates transmitting (output) information based on the generated personality data of the user and the characteristic of the request. | 02-17-2011 |
20110055592 | METHOD OF OBFUSCATING A CODE - A method of obfuscating a code is provided, wherein the method comprises performing a first level obfuscating technique on a code to generate a first obfuscated code, and performing a second level obfuscating technique on the first obfuscated code. In particular, the code may be a software code or a software module. Furthermore, the first level obfuscating technique and the second obfuscating may be different. In particular, the second level obfuscating technique may perform a deobfuscation. | 03-03-2011 |
20110078462 | METHOD FOR MANAGING EXTERNAL STORAGE DEVICES - An apparatus, system, and method enable a new platform storage system to have access to an external storage system having data encrypted thereon by an existing platform storage system. Encryption information corresponding to the encrypted data in the external storage system is stored in a memory in the existing platform storage system. The encryption information stored in the memory of the existing platform storage system is transferred to an encryption table stored in the new platform storage system, so that the new platform storage system can read the encrypted data stored in the external storage system. | 03-31-2011 |
20110087895 | APPARATUS AND METHOD FOR LOCAL OPERAND BYPASSING FOR CRYPTOGRAPHIC INSTRUCTIONS - A processor may include a hardware instruction fetch unit configured to issue instructions for execution, and a hardware functional unit configured to receive instructions for execution, where the instructions include cryptographic instruction(s) and non-cryptographic instruction(s). The functional unit may include a cryptographic execution pipeline configured to execute the cryptographic instructions with a corresponding cryptographic execution latency, and a non-cryptographic execution pipeline configured to execute the non-cryptographic instructions with a corresponding non-cryptographic execution latency that is longer than the cryptographic execution latency. The functional unit may further include a local bypass network configured to bypass results produced by the cryptographic execution pipeline to dependent cryptographic instructions executing within the cryptographic execution pipeline, such that each instruction within a sequence of dependent cryptographic instructions is executable with the cryptographic execution latency, and where the results of the cryptographic execution pipeline are not bypassed to any other functional unit within the processor. | 04-14-2011 |
20110099387 | METHOD AND APPARATUS FOR ENFORCING A PREDETERMINED MEMORY MAPPING - A system and a method are disclosed for enforcing a predetermined mapping of addresses in a physical address space to addresses in a virtual address space in a data processing system including a processor in the virtual address space and a memory in a physical address space. During the compilation and linking of an application to be run on the data processing system, in at least one embodiment, the mapping table is generated linking the virtual addresses to physical addresses. This mapping table is kept secret. A second mapping table is generated using a cryptographic function of the physical address with the virtual address as a key to link virtual addresses to intermediate addresses. The second mapping table is loaded into the memory management unit. The data processing system further includes cryptographic hardware to convert the intermediate address to the physical address using the inverse of the cryptographic function which was used to calculate the intermediate address. | 04-28-2011 |
20110138194 | Method for increasing I/O performance in systems having an encryption co-processor - A system and method for improving performance while transferring encrypted data in an input/output (I/O) operation are provided. The method includes receiving a block of data. The method also includes dividing the block of data into a plurality of sub-blocks of data. The method further includes performing a first operation on a first sub-block. The method also includes performing a second operation on a second sub-block at substantially the same time as performing the first operation on the first sub-block. The method still further includes reassembling the plurality of sub-blocks into the block of data. | 06-09-2011 |
20110145598 | Providing Integrity Verification And Attestation In A Hidden Execution Environment - In one embodiment, a processor includes a microcode storage including processor instructions to create and execute a hidden resource manager (HRM) to execute in a hidden environment that is not visible to system software. The processor may further include an extend register to store security information including a measurement of at least one kernel code module of the hidden environment and a status of a verification of the at least one kernel code module. Other embodiments are described and claimed. | 06-16-2011 |
20110145599 | Data Stream Filters And Plug-Ins For Storage Managers - A storage manager and related method and computer program product manages client data on a data storage resource and includes the ability to utilize many different types of data stream filters that are neither built into the storage manager nor require a custom programming effort. A storage manager user may readily implement filtering by simply identifying a data stream filter the user wishes the storage manager to use for filtering the user's data. The filter can be an off-the-shelf program that is not part of the storage manager and which does not require client application or storage manager domain knowledge (e.g., knowledge of protocols or data types or formats used by the application or storage manager). The storage manager invokes the identified filter as part of a requested data stream operation and receives a data stream from a data stream source. The data stream is provided to the filter, which filters the data stream. Following filtering, the storage manager receives the data stream from the filter and sends it to a data stream destination. | 06-16-2011 |
20110154059 | CUMULATIVE INTEGRITY CHECK VALUE (ICV) PROCESSOR BASED MEMORY CONTENT PROTECTION - In general, in one aspect, the disclosure describes a process that includes a cryptographic engine and first and second registers. The cryptographic engine is to encrypt data to be written to memory, to decrypt data read from memory, to generate read integrity check values (ICVs) and write ICVs for memory accesses. The cryptographic engine is also to create a cumulative read ICV and a cumulative write ICV by XORing the generated read ICV and the generated write ICV with a current read MAC and a current write ICV respectively and to validate data integrity by comparing the cumulative read ICV and the cumulative write ICV. The first and second registers are to store the cumulative read and write ICVs respectively at the processor. Other embodiments are described and claimed. | 06-23-2011 |
20110202775 | ATOMIC HASH INSTRUCTION - A method for performing a hash operation, including providing an atomic hash instruction that directs a microprocessor to perform a the hash operation and to indicate whether the hash operation has been interrupted by an interrupting event; translating the atomic hash instruction into first and second micro instructions; via a hash unit, first executing the first micro instructions to accomplish the hash operation according to the hash mode; and via an integer unit, second executing the second micro instructions in parallel with the first executing to test a bit in a flags register, to update text pointer registers, and to process interrupts during execution of the hash operation. The atomic hash instruction has an opcode field, configured to prescribe the hash operation, and a hash mode field, configured to prescribe that the microprocessor accomplish the hash operation according to a one of a plurality of hash modes. | 08-18-2011 |
20110213988 | DIGITAL INFORMATION PROTECTING METHOD AND APPARATUS, AND COMPUTER ACCESSIBLE RECORDING MEDIUM - A method for protecting digital information includes: converting a protected address range into a plurality of address blocks based on a preset conversion unit, and generating an address block rearranging rule using the address blocks as a parameter; when it is desired to load data into an address batch of the protected address range, converting the address batch into a plurality address blocks based on the conversion unit; and locating rearranged addresses of the address blocks in the protected address range according to the address block rearranging rule, and loading the data into the rearranged addresses. Thus, the data can be stored in the address batch scatteredly, and the protected data cannot be recomposed into the original correct data when stolen. | 09-01-2011 |
20110225431 | System and Method for General Purpose Encryption of Data - Systems and methods for reducing problems and disadvantages associated with traditional approaches to encryption and decryption of data are provided. An information handling system may include a processor, a memory communicatively coupled to the processor, and an encryption accelerator communicatively coupled to the processor. The encryption accelerator may be configured to encrypt and decrypt information in accordance with a plurality of cryptographic functions, receive a command from the processor to perform an encryption or decryption task upon data associated with an input/output operation, and in response to receiving the command, encrypt or decrypt the data associated with the input/output operation based on a particular one of the plurality of cryptographic functions. | 09-15-2011 |
20110225432 | METHOD AND CIRCUITRY FOR DETECTING A FAULT ATTACK - A method of detecting a fault attack during a cryptographic operation using at least one look-up table including a plurality of sub-tables each having a same number of values of a fixed bit length, a fixed relation existing between values at same locations in each sub-table, the method including: performing a load operation to retrieve from the look-up table data values from a same location in each sub-table; verifying that the fixed relation exists between at least two of the data values; and generating an output signal based on the verification. | 09-15-2011 |
20110225433 | ELECTRIC LOCKING AND SEALING DEVICE, CASE COMPRISING THE SAME, AND CONTROL SYSTEM THEREFOR - An electronic locking and sealing device, including: a housing, a lock tongue, an operating unit, a main control unit, and a connecting part, the operating unit is disposed in the housing and fixedly connected to the lock tongue, and operates to push out or to take back the locking tongue from or in the housing, the main control unit is connected to the operating unit, and operates to receive an external control instruction whereby automatically controlling the operating unit, and the connecting part has a hole disposed at the center thereof and corresponding to the lock tongue. | 09-15-2011 |
20110231673 | CRYPTOGRAPHIC PROCESSING USING A PROCESSOR - In one embodiment, a cryptography processor compatible with the Advanced Encryption Standard (AES) for encrypting and decrypting has a memory storing each element of an AES State, normally 8-bit long, in a corresponding memory space that is at least 9 bits long. Using the larger memory spaces, the processor performs modified AES transformations on the State. A modified column-mixing transformation uses bit-shifting and XOR operations, thereby avoiding some multiplications and modulo reductions and resulting in some 9-bit State elements. A modified byte-substitution transformation uses a 512-element look-up table to accommodate 9-bit inputs. The modified byte-substitution transformation is combined with a modified row-shifting transformation. The memory has data registers each holding four State elements. A modified expanded key schedule is used in a modified round-key-adding transformation that is combined with the modified column-mixing transformation, wherein all four elements stored in a single data register are processed together in some operations. | 09-22-2011 |
20110239005 | Secure Repository With Layers Of Tamper Resistance And System And Method For Providing Same - A secure repository individualized for a hardware environment and a method and system for providing the same. The secure repository includes a hidden cryptographic key and code that applies the key without requiring access to a copy of the key. The code that implements the secure repository is generated in a manner that is at least partly based on a hardware ID associated with the hardware environment in which the secure repository is to be installed, and may also be based on a random number. Cryptographic functions implemented by the secure repository include decryption of encrypted information and validation of cryptographically signed information. The secure repository may be coupled to an application program, which uses cryptographic services provided by the secure repository, by way of a decoupling interface that provides a common communication and authentication interface for diverse types of secure repositories. The decoupling interface may take the form of a single application programmer interface (API) usable with multiple dynamically linkable libraries. | 09-29-2011 |
20110246789 | INTEGRATED CIRCUIT PROTECTED AGAINST HORIZONTAL SIDE CHANNEL ANALYSIS - An integrated circuit including a multiplication function configured to execute a multiplication operation of two binary words x and y including a plurality of basic multiplication steps of components xi of word x by components yj of word y is described. The multiplication function of the integrated circuit is configured to execute two successive multiplications by modifying, in a random or pseudo-random manner, an order in which the basic multiplication steps of components xi by components yj are executed. | 10-06-2011 |
20110258461 | SYSTEM AND METHOD FOR RESOURCE SHARING ACROSS MULTI-CLOUD ARRAYS - A system for resource sharing across multi-cloud storage arrays includes a plurality of storage arrays and a cloud array storage (CAS) application. The plurality of storage resources are distributed in one or more cloud storage arrays, and each storage resource comprises a unique object identifier that identifies location and structure of the corresponding storage resource at a given point-in-time. The cloud array storage (CAS) application manages the resource sharing process by first taking an instantaneous copy of initial data stored in a first location of a first storage resource at a given point-in-time and then distributing copies of the instantaneous copy to other storage resources in the one or more cloud storage arrays. The instantaneous copy comprises a first unique object identifier pointing to the first storage location of the initial data in the first storage resource and when the instantaneous copy is distributed to a second storage resource, the first unique object identifier is copied into a second storage location within the second storage resource and the second storage location of the second storage resource is assigned a second unique object identifier. | 10-20-2011 |
20110283115 | DEVICE AND A METHOD FOR GENERATING SOFTWARE CODE - A method to generate final software code resistant to reverse engineering analysis from an initial software code, said initial software code transforming an input data to an output data, said final software code being executed by a processor being able to directly handle data of a maximum bit length M, comprising the steps of: building a conversion table comprising in one side one instruction and in the other side a plurality of equivalent instructions or sets of instructions; splitting the input data into a plurality of segments of random length, said segments having a length equal or smaller than the maximum bit length M; for each instruction of a block of instructions, selecting pseudo-randomly an equivalent instruction or set of instructions from the conversion table so as to obtain an equivalent block of instructions; and appending the plurality of equivalent blocks of instructions to obtain the final software code. | 11-17-2011 |
20110296201 | METHOD AND APPARATUS FOR TRUSTED EXECUTION IN INFRASTRUCTURE AS A SERVICE CLOUD ENVIRONMENTS - The present disclosure presents a method and apparatus configured to provide for the trusted execution of virtual machines (VMs) on a virtualization server, e.g., for executing VMs on a virtualization server provided within Infrastructure as a Service (IaaS) cloud environment. A physical multi-core CPU may be configured with a hardware trust anchor. The trust anchor itself may be configured to manage session keys used to encrypt/decrypt instructions and data when a VM (or hypervisor) is executed on one of the CPU cores. When a context switch occurs due to an exception, the trust anchor swaps the session key used to encrypt/decrypt the contents of memory and cache allocated to a VM (or hypervisor). | 12-01-2011 |
20110296202 | SWITCH KEY INSTRUCTION IN A MICROPROCESSOR THAT FETCHES AND DECRYPTS ENCRYPTED INSTRUCTIONS - A fetch unit fetches a sequence of blocks of encrypted instructions of an encrypted program from an instruction cache at a corresponding sequence of fetch address values. While fetching each block of the sequence, the fetch unit generates a decryption key as a function of key values and the corresponding fetch address value, and decrypts the encrypted instructions using the generated decryption key by XORing them together. A switch key instruction instructs the microprocessor to update the key values in the fetch unit while the fetch unit is fetching the sequence of blocks. The fetch unit inherently provides an effective decryption key length that depends upon the function and amount of key values used. Including one or more switch key instructions within the encrypted program increases the effective decryption key length up to the encrypted program length. | 12-01-2011 |
20110296203 | BRANCH AND SWITCH KEY INSTRUCTION IN A MICROPROCESSOR THAT FETCHES AND DECRYPTS ENCRYPTED INSTRUCTIONS - A microprocessor includes a fetch unit that fetches and decrypts an (atomic) branch and switch key instruction using first decryption key data. If the branch direction is not taken, the fetch unit fetches and decrypts the next sequential instruction after the branch and switch key instruction using the first decryption key data. If the direction is taken, the fetch unit fetches and decrypts a target instruction of the branch and switch key instruction using second decryption key data that is different from the first decryption key data. The instruction points to the decryption key data; alternatively, the microprocessor consults a mapping of target address ranges to decryption key data. An encryption program replaces conventional inter-program-chunk branch instructions with branch and switch key instructions before encrypting the program using information that divides the program into a sequence of chunks each chunk being a sequence of instructions and having distinct associated encryption key data. | 12-01-2011 |
20110296204 | MICROPROCESSOR THAT FACILITATES TASK SWITCHING BETWEEN ENCRYPTED AND UNENCRYPTED PROGRAMS - A microprocessor includes an architected register having a bit (may be x86 EFLAGS register reserved bit) set by the microprocessor. A fetch unit fetches encrypted instructions from an instruction cache and decrypts them (via XOR) prior to executing them, in response to the microprocessor setting the bit. The microprocessor saves the bit value to a stack in memory and then clears the bit in response to receiving an interrupt. The fetch unit fetches unencrypted instructions from the instruction cache and executes them without decrypting them after the microprocessor clears the bit. The microprocessor restores the saved value from the stack in memory to the bit in the architected register (and in one embodiment, also restores decryption key values) in response to executing a return from interrupt instruction. The fetch unit resumes fetching and decrypting the encrypted instructions in response to determining that the restored value of the bit is set. | 12-01-2011 |
20110296205 | MICROPROCESSOR THAT FACILITATES TASK SWITCHING BETWEEN MULTIPLE ENCRYPTED PROGRAMS HAVING DIFFERENT ASSOCIATED DECRYPTION KEY VALUES - A microprocessor includes a storage element having a plurality of locations each storing decryption key data associated with an encrypted program. A control register field (may be x86 EFLAGS register reserved field) specifies a storage element location associated with a currently executing encrypted program. The microprocessor restores from memory to the control register a previously saved value of the field in response to executing a return from interrupt instruction. A fetch unit fetches encrypted instructions of the currently executing encrypted program and decrypts them using the decryption key data stored the storage element location specified by the restored field value. A kill bit associated with each storage element location may be employed if the location is clobbered because more encrypted programs are multitasked than available locations in the storage element, in which case an exception is generated to re-load the clobbered decryption key data in response to the return from interrupt instruction. | 12-01-2011 |
20110296206 | BRANCH TARGET ADDRESS CACHE FOR PREDICTING INSTRUCTION DECRYPTION KEYS IN A MICROPROCESSOR THAT FETCHES AND DECRYPTS ENCRYPTED INSTRUCTIONS - A branch target address cache (BTAC) caches history information associated with branch and switch key instructions previously executed by a microprocessor. The history information includes a target address and an identifier (index into a register file) for identifying key values associated with each of the previous branch and switch key instructions. A fetch unit receives from the BTAC a prediction that the fetch unit fetched a previous branch and switch key instruction and receives the target address and identifier associated with the fetched branch and switch key instruction. The fetch unit also fetches encrypted instruction data at the associated target address and decrypts (via XOR) the fetched encrypted instruction data based on the key values identified by the identifier, in response to receiving the prediction. If the BTAC predicts correctly, a pipeline flush normally associated with the branch and switch key instruction is avoided. | 12-01-2011 |
20110314303 | COMPUTING DEVICE CONFIGURED FOR OPERATING WITH INSTRUCTIONS IN UNIQUE CODE - A computing device having a memory for holding software instructions produced in a code, which is unique for a particular computing device. A code conversion unit converts the unique code into a generic code representing the instructions. The generic code different from the unique code is common for computing devices having a processor of a similar type. A processing circuit of the computing device is linked to the output of the code conversion unit for processing instructions in the generic code. | 12-22-2011 |
20110320825 | FUNCTION VIRTUALIZATION FACILITY FOR FUNCTION QUERY OF A PROCESSOR - Selected installed function of a multi-function instruction is hidden such that even though a processor is capable of performing the hidden installed function, the availability of the hidden function is hidden such that responsive to the multi-function instruction querying the availability of functions, only functions not hidden are reported as installed. | 12-29-2011 |
20120011371 | METHOD AND APPARATUS FOR SECURING INDIRECT FUNCTION CALLS BY USING PROGRAM COUNTER ENCODING - A method for securing indirect function calls by using program counter encoding is provided. The method includes inserting a decoding code for an address of a library function stored in a GOT (Global Offset Table) entry into a PLT (Procedure Linkage Table) entry when an object file is built; generating an encoding key corresponding to the decoding code; and encoding the GOT entry corresponding to the library function by using the encoding key when program execution begins. | 01-12-2012 |
20120017097 | System And Method For Securely Storing Data In An Electronic Device - There is provided an enhanced method of securely storing and retrieving information in an electronic device. The method comprises generating a plurality of random encryption keys and storing the plurality of random encryption keys in a memory region of a first component of the electronic device. The method may additionally comprise encrypting data using a different one of the plurality of random encryption keys for each of a plurality of regions of a memory of a second component of the electronic device. The method may also comprise transferring encrypted data to the memory of the second component of the electronic device. | 01-19-2012 |
20120023337 | ESTABLISHING A SECURE MEMORY PATH IN A UNITARY MEMORY ARCHITECTURE - A functional unit of a device is associated with a secret. Data stored in a memory location of the device is encrypted using the secret. The memory location of the device is accessible to other functional units; but without knowledge of the secret, the stored encrypted data is useless. The sharing of the secret creates a secure path between memory locations and functional units of the device while maintaining a unitary memory architecture. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract. | 01-26-2012 |
20120036371 | Protection from cryptoanalytic side-channel attacks - A method for protecting a circuit configured for executing functional cryptographic operations according to execution instructions from cryptoanalytic side-channel attacks via differential power analysis (DPA), simple power analysis (SPA) or electromagnetic analysis (EM), includes execution of nonfunctional cryptographic operations in addition to the functional cryptographic operations for masking the functional cryptographic operations. | 02-09-2012 |
20120047373 | MEMORY SUBSYSTEM AND METHOD THEREFOR - A memory subsystem and method for loading and storing data at memory addresses of the subsystem. The memory subsystem is functionally connected to a processor and has a first mode of address encryption to convert logical memory addresses generated by the processor into physical memory addresses at which the data are stored in the memory subsystem. The memory subsystem is adapted to pull low a write enable signal to store data in the memory subsystem and to pull high the write enable signal to load data in the memory subsystem, wherein if pulled high the write enable signal alters the address encryption from the first mode to a second mode. The memory subsystem is adapted to be coupled to a local hardware device which supplies a key that acts upon the address encryption of the memory subsystem. | 02-23-2012 |
20120066516 | METHOD FOR FAST DECRYPTION OF PROCESSOR INSTRUCTIONS - A processor, circuit and method provide for fast decryption of encrypted program instructions for execution by the processor. A programmable look-up coding is used to decode a field within the instructions. The decoded field for the instructions are recombined with the remaining portion of the same instructions to yield the decoded instructions. The programmable look-up coding can be programmed and controlled by a process executing at a higher privilege level than the program represented by the instructions, so that security against code-modifying attacks is enhanced. | 03-15-2012 |
20120079285 | TWEAKABLE ENCRYPION MODE FOR MEMORY ENCRYPTION WITH PROTECTION AGAINST REPLAY ATTACKS - A method and apparatus for protecting against hardware attacks on system memory is provided. A mode of operation for block ciphers enhances the standard XTS-AES mode of operation to perform memory encryption by extending a tweak to include a “time stamp” indicator. An incrementing mechanism using the “time stamp” indicator generates a tweak which separates different contexts over different times such that the effect of “Type 2 replay attacks” is mitigated. | 03-29-2012 |
20120079286 | DATA PROCESSING APPARATUS - A data processing apparatus is provided, which detects falsification of software to data and rewriting of the data. The data processing apparatus according to an embodiment of the present invention comprises a security unit which has an encryption circuit for decrypting an encrypted signal including secrecy data. The security unit includes a compression circuit which compresses an access signal used in accessing the security unit and outputs the compression result, and a comparison circuit which compares the compression result outputted from the compression circuit with a previously-calculated expectation value of the compression result of the access signal. | 03-29-2012 |
20120096282 | MICROPROCESSOR THAT FETCHES AND DECRYPTS ENCRYPTED INSTRUCTIONS IN SAME TIME AS PLAIN TEXT INSTRUCTIONS - A fetch unit (a) fetches a block of instruction data from an instruction cache of the microprocessor; (b) performs an XOR on the block with a data entity to generate plain text instruction data; and (c) provides the plain text instruction data to an instruction decode unit. In a first instance the block comprises encrypted instruction data and the data entity is a decryption key. In a second instance the block comprises unencrypted instruction data and the data entity is Boolean zeroes. The time required to perform (a), (b), and (c) is the same in the first and second instances regardless of whether the block is encrypted or unencrypted. A decryption key generator selects first and second keys from a plurality of keys, rotates the first key, and adds/subtracts the rotated first key to/from the second key, all based on portions of the fetch address, to generate the decryption key. | 04-19-2012 |
20120096283 | OPTIONAL FUNCTION MULTI-FUNCTION INSTRUCTION IN AN EMULATED COMPUTING ENVIRONMENT - A method, system and program product for executing a multi-function instruction in an emulated computer system by specifying, via the multi-function instruction, either a capability query or execution of a selected function of one or more optional functions, wherein the selected function is an installed optional function, wherein the capability query determines which optional functions of the one or more optional functions are installed on the computer system. | 04-19-2012 |
20120102336 | Security of Program Executables and Microprocessors Based on Compiler-Architecture Interaction - A method, for use in a processor context, wherein instructions in a program executable are encoded with plural instruction set encodings. A method wherein a control instruction encoded with an instruction set encoding contains information about decoding of an instruction that is encoded with another instruction set encoding scheme. A method wherein instruction set encodings are randomly generated at compile time. A processor framework wherein an instruction is decoded during execution with the help of information provided by a previously decoded control instruction. | 04-26-2012 |
20120110348 | Secure Page Tables in Multiprocessor Environments - A system comprises a memory module configured to store signed page table data and a selected processing element coupled to the memory module. The selected processing element is one of a plurality of processing elements, which together comprise a portion of a multiprocessor system. The selected processing element is configured to authenticate page table management code and, based on authenticated page table management code, to sign page table data that is subsequently stored in the memory module, and to verify signed page table data that is read from the memory module. | 05-03-2012 |
20120110349 | METHOD FOR OBFUSCATING A COMPUTER PROGRAM - The invention relates to a method for obfuscating a computer program. | 05-03-2012 |
20120117389 | Methods and Apparatuses for Determining and Using a Configuration of a Composite Object - Methods and apparatuses are provided for determining and using a configuration of a composite object. A method may include receiving information emitted by one or more tags in one or more objects of a composite object. The method may further include determining, based at least in part on the received information, at least a partial configuration of the composite object. The method may additionally include using the determined at least a partial configuration of the composite object as an input to alter an application state. Corresponding apparatuses are also provided. | 05-10-2012 |
20120124393 | System and Methods for Silencing Hardware Backdoors - Methods for preventing activation of hardware backdoors installed in a digital circuit, the digital circuit comprising one or more hardware units to be protected. A timer is repeatedly initiated for a period less than a validation epoch, and the hardware units are reset upon expiration of the timer to prevent activation of a time-based backdoor. Data being sent to the hardware unit is encrypted in an encryption element to render it unrecognizable to a single-shot cheat code hardware backdoor present in the hardware unit. The instructions being sent to the hardware unit are reordered randomly or pseudo-randomly, with determined sequential restraints, using an reordering element, to render an activation instruction sequence embedded in the instructions unrecognizable to a sequence cheat code hardware backdoor present in the hardware unit. | 05-17-2012 |
20120144208 | INDEXED TABLE BASED CODE ENCRYPTING/DECRYPTING DEVICE AND METHOD THEREOF - An indexed table based code encrypting device adapted to encrypt an executable file of a computer program includes: an index creator configured to classify codes of the executable file into code blocks using a call code and store the number of calls and start addresses of the code blocks; and a block encrypter configured to encrypt the code blocks with encryption keys. An encryption key of a code block (hereinafter, first type code block) called once is created by using a code block calling the first type code block and an encryption key of a code block (hereinafter, second type code block) called twice or more is created by using a random number. The encryption keys of the first and second type code blocks are stored in the executable file. | 06-07-2012 |
20120159193 | SECURITY THROUGH OPCODE RANDOMIZATION - An opcode obfuscation system is described herein that varies the values of opcodes used by operating system or application code while the application is stored in memory. The system puts application code through a translation process as the application code is loaded, so that the code sits in memory with an altered instruction set. If new and potentially malicious code is injected into the process, its instruction set will not match that of the translated application code. As time to execute the application code approaches, the system puts the application code through a reverse translation process that converts the application code back to the original opcodes. Any malicious code injected into the process will also undergo the reverse translation, which will have the effect of making the malicious code detectable as invalid or erroneous. | 06-21-2012 |
20120159194 | RELATING TO CRYPTOGRAPHY - A method and apparatus | 06-21-2012 |
20120198242 | DATA PROTECTION WHEN A MONITOR DEVICE FAILS OR IS ATTACKED - In some examples, a system includes a data storage device that stores data and a monitor device that monitors a physical domain in which the data storage device is located and conditions access to data stored by the data storage device based on communication between the monitor device and the data storage device. In some examples, the system is configured to impede access to the data when at least one of operation the monitor device fails or the monitor device is attacked. Additionally, in some examples, the monitor device is configured to restrict access to the data when the monitor device is engaged and an attacker attempts to access the data storage device directly. | 08-02-2012 |
20120204038 | PERFORMING BOOLEAN LOGIC OPERATIONS USING ARITHMETIC OPERATIONS BY CODE OBFUSCATION - Method and apparatus for obfuscating computer software code, to protect against reverse-engineering of the code. The obfuscation here is of the part of the code that performs a Boolean logic operation such as an exclusive OR on two (or more) data variables. In the obfuscated code, each of the two variables is first modified by applying to it a function which deconstructs the value of each of the variables, and then the exclusive OR operation is replaced by an arithmetic operation such as addition, subtraction, or multiplication, which is performed on the two deconstructed variables. The non-obfuscated result is recovered by applying a third function to the value generated by the arithmetic operation. This obfuscation is typically carried out by suitably annotating (modifying) the original source code. | 08-09-2012 |
20120204039 | COUNTERACTING MEMORY TRACING ON COMPUTING SYSTEMS BY CODE OBFUSCATION - Method and apparatus for obfuscating computer software code, to protect against reverse-engineering of the code. The obfuscation here is on the part of the code that accesses buffers (memory locations). Further, the obfuscation process copies or replaces parts of the buffer contents with local variables. This obfuscation is typically carried out by suitably annotating (modifying) the original source code. | 08-09-2012 |
20120216051 | BUILDING AND DISTRIBUTING SECURE OBJECT SOFTWARE - A method and structure for enhancing protection for at least one of software and data being executed on a computer. A file to comprise a secure object is constructed, using a processor on a build machine, the secure object to be executed on a target machine different from the build machine. The secure object comprises at least one of code and data that is to be encrypted when the secure object is stored on the target machine. The encrypted stored secure object is decrypted by the target machine when executed by the target machine after retrieval from a memory on the target machine. The decryption uses a system key of the target machine. The secure object is stored, upon completion of construction, in an encrypted state as a completed secure object, and the secure object is completed without the build machine having the system key of the target machine. | 08-23-2012 |
20120221864 | METHOD AND APPARATUS FOR COMPUTER CODE OBFUSCATION AND DEOBFUSCATION USING BOOT INSTALLATION - In the field of computer software, obfuscation techniques for enhancing software security are applied to compiled (object) software code. The obfuscation results here in different versions (instances) of the obfuscated code being provided to different installations (recipient computing devices). The complementary code execution uses a boot loader or boot installer-type program at each installation which contains the requisite logic. Typically, the obfuscation results in a different instance of the obfuscated code for each intended installation (recipient) but each instance being semantically equivalent to the others. This is accomplished in one version by generating a random value or other parameter during the obfuscation process, and using the value to select a particular version of the obfuscating process, and then communicating the value along with boot loader or installer program software. | 08-30-2012 |
20120233472 | SECURING NON-VOLATILE MEMORY REGIONS - Methods, apparatus and articles of manufacture to secure non-volatile memory regions are disclosed. An example method disclosed herein comprises associating a first key pair and a second key pair different than the first key pair with a process, using the first key pair to secure a first region of a non-volatile memory for the process, and using the second key pair to secure a second region of the non-volatile memory for the same process, the second region being different than the first region. | 09-13-2012 |
20120246487 | System and Method to Protect Java Bytecode Code Against Static And Dynamic Attacks Within Hostile Execution Environments - A method and system that provides secure modules that can address Java platform weaknesses and protect Java bytecode during execution time. The secure modules are implemented in C/C++ as an example. Because implementation of the security modules is made in C/C++, this enables use of security technology that secures C/C++ software code. | 09-27-2012 |
20120254628 | CIPHER MESSAGE EXECUTION IN A COMPUTING SYSTEM - A method, system and program product for executing a multi-function instruction in an emulated computer system by specifying, via the multi-function instruction, either a capability query or execution of a selected function of one or more optional functions, wherein the selected function is an installed optional function, wherein the capability query determines which optional functions of the one or more optional functions are installed on the computer system. | 10-04-2012 |
20120260105 | SYSTEM AND METHOD FOR DEFENDING AGAINST REVERSE ENGINEERING OF SOFTWARE, FIRMWARE AND HARDWARE - A method for defending a software against reverse engineering in a target environment includes acquiring information from the target environment, encrypting the software to be protected with the acquired information, sending the encrypted software with the acquired information to an execution environment, acquiring information from the execution environment, comparing the information from the execution environment with the acquired information from the target environment to authenticate the execution environment as the target environment, and if the two set of information match, decrypting the software to be protected, and if two set of information do not match, destroying said software. | 10-11-2012 |
20120260106 | SYSTEM AND METHOD FOR BINARY LAYOUT RANDOMIZATION - Disclosed herein are systems, methods, and non-transitory computer-readable storage media for binary layout randomization. A system performs binary layout randomization by loading computer code into memory and identifying a section of the computer code to randomize. A loader remaps the section of computer code to a different location in memory utilizing a remapping algorithm. The loader can shuffle sections of code in place or move sections of code elsewhere. The loader patches relative addresses to point to the updated locations in memory. After the system patches the addresses, the system executes the computer code from memory. In one embodiment, the system encrypts the computer code prior to loading the computer code into memory. The loader decrypts the encrypted computer code prior to remapping the section of computer code to a different location in memory. Optionally, the loader can decrypt the encrypted computer code after patching relative addresses. | 10-11-2012 |
20120260107 | Instruction Encryption/Decryption Arrangement and Method with Iterative Encryption/Decryption Key Update - An instruction decryption arrangement includes an input interface configured to receive an encrypted instruction, a decryption key updater configured to output a decryption key, and an instruction decrypter including a first input connected to the input interface and a second input connected to the decryption key updater, and configured to decrypt the encrypted instruction using the decryption key and to provide a decrypted instruction. The decryption key updater is further configured to update the decryption key using at least one of the encrypted instruction and the decrypted instruction. An alternative instruction decryption arrangement includes a key stream module configured to iteratively determine a key state corresponding to a current instruction for a computing unit and an instruction decrypter configured to receive an encrypted instruction related to the current instruction and decrypt the encrypted instruction using the key state to provide a decrypted instruction. | 10-11-2012 |
20120272072 | APPARATUS AND METHOD FOR PROCESSING APPLICATION PACKAGE IN PORTABLE TERMINAL - An apparatus and method for improving the security of an application package from a user abnormally acquiring a system supreme authority in a portable terminal are provided. The apparatus includes an application manager for, at application package generation, collecting data for package generation, performing a compiling process for the collected data, encrypting an execution file of the application package among the compiled data, and packaging the compiled data comprising the encrypted execution file. | 10-25-2012 |
20120272073 | ENCRYPTING DATA IN VOLATILE MEMORY - Provided are a computer program product, system, and method to allocate blocks of memory in a memory device having a plurality of blocks. An unencrypted memory allocation function requests allocation of unencrypted blocks in the memory device. An encrypted memory allocation function requests allocation of encrypted blocks in the memory device. An unencrypted Input/Output (I/O) request performs an I/O operation against the unencrypted blocks in the memory device. An encrypted I/O request function performs an I/O operation against the encrypted blocks in the memory device. An operating system uses an encryption key associated with the encrypted blocks to encrypt or decrypt data in the encrypted blocks to perform the encrypted I/O operation in response to processing the encrypted I/O request functions, wherein the unencrypted and encrypted memory allocation functions and unencrypted and encrypted I/O request functions comprise different functions in a library of functions available to the application. | 10-25-2012 |
20120284532 | METHOD AND SYSTEM FOR RECOVERING CRYPTOGRAPHIC OPERATIONS AND/OR SECRETS - A computerized system and method for identifying one or more cryptographic operations from software code, comprising: performing processing associated with identifying, one or more cryptographic operations in the software code, the software code being run on a processor; and performing processing associated with identifying a boundary for each cryptographic operation in the software code. | 11-08-2012 |
20120297203 | COMPUTING DEVICE AND METHOD FOR CONTROLLING ACCESS TO DRIVER PROGRAMS - A computing device and a method for controlling access to driver programs obtains a first system time at the time that an application uses a CTL_CODE to access a driver program. The first system time and the CTL_CODE is encrypted to generate an encrypted CTL_CODE which is then sent to the driver program. The encrypted CTL_CODE is decrypted to obtain the first system time and the CTL_CODE therein. A second system time at the time that the driver program receives the encrypted CTL_CODE is obtained and compared with the first system time. Access to the driver program is allowed if a difference between the first system time and the second system time falls within a predetermined range, and access to the driver program is forbidden if the difference is beyond the predetermined range. | 11-22-2012 |
20120311350 | MEMORY MANAGMENT METHOD - In the conventional method of maintaining the confidential a program, wherein a program to be executed in an information processing device is stored in a hard disk, etc., in an encrypted state and the program is decrypted when it is executed, because a decrypted program is written in memory, the program may be illicitly analyzed by a third person. Provided is memory management method wherein code information or data of a program written in a virtual memory is data which is encrypted and inaccessible by a CPU, and when code fetching or data access to the encrypted area occurs, an interruption process is performed wherein with respect to a management unit of the memory management device including the area, an inaccessible state is changed to an accessible state to perform decryption. | 12-06-2012 |
20120317423 | Memory randomization for protection against side channel attacks - Side channel attacks against a computing device are prevented by combinations of scrambling data to be stored in memory and scrambling the memory addresses of the data using software routines to execute scrambling and descrambling functions. Encrypted versions of variables, data and lookup tables, commonly employed in cryptographic algorithms, are thus dispersed into pseudorandom locations. Data and cryptographic primitives that require data-dependent memory accesses are thus shielded from attacks that could reveal memory access patterns and compromise cryptographic keys. | 12-13-2012 |
20120331307 | METHODS, APPARATUS AND SYSTEMS TO IMPROVE SECURITY IN COMPUTER SYSTEMS - In one implementation a computer system stores a software program that contains some instructions organized in blocks wherein each block contains a first part with instructions and a second part with an electronic signature or hash value, wherein the computer system includes a security component within the processor that allows the execution of instructions of the first part of a block of data only if the hash value of the data is correct. | 12-27-2012 |
20120331308 | METHODS, APPARATUS AND SYSTEMS TO IMPROVE SECURITY IN COMPUTER SYSTEMS - According to some implementations methods, apparatus and systems are provided involving the use of processors having at least one core with a security component, the security component adapted to read and verify data within data blocks stored in a L1 instruction cache memory and to allow the execution of data block instructions in the core only upon the instructions being verified by the use of a cryptographic algorithm. | 12-27-2012 |
20130007469 | SECURELY MANAGING THE EXECUTION OF SCREEN RENDERING INSTRUCTIONS IN A HOST OPERATING SYSTEM AND VIRTUAL MACHINE - Provided are a computer readable storage medium, computer apparatus, and method for securely managing the execution of screen rendering instructions in a host operating system and virtual machine. A first rendering instruction hooking section is set to a first mode to hook a screen rendering instruction issued by a virtual machine application in a virtual machine. A second rendering instruction hooking section is set to a second mode to hook instructions issued by the virtual machine application. The hooked screen rendering instruction issued by the virtual machine application are encrypted in response to the setting of the first mode to produce illegible output. The hooked screen rendering instruction issued by the virtual machine application are encrypted in response to the setting of the second mode. The encrypted hooked screen rendering instruction encrypted in the second mode are issued to a host operating system to decrypt. | 01-03-2013 |
20130013934 | Infinite Key Memory Transaction Unit - A system for providing high security for data stored in memories in computer systems is disclosed. A different encryption key is used for every memory location, and a write counter hides rewriting of the same data to a given location. As a result, the data for every read or write transaction between the microprocessor and the memory is encrypted differently for each transaction for each address, thereby providing a high level of security for the data stored. | 01-10-2013 |
20130019108 | ADDRESS TRANSLATION UNIT, DEVICE AND METHOD FOR REMOTE DIRECT MEMORY ACCESS OF A MEMORY - A method for Remote Direct Memory Access (RDMA) of a memory of a processor. An address translation unit comprises an address translator and a signer. The address translator is configured to translate a received virtual address in a real address of the memory. The signer is configured to cryptographically sign the real address. | 01-17-2013 |
20130061061 | PROTECTING LOOK UP TABLES BY MIXING CODE AND OPERATIONS - In the field of computer enabled cryptography, such as a cipher using lookup tables, the cipher is hardened against an attack by a protection process which obscures the lookup tables using the properties of bijective functions and applying masks to the tables' input and output values, for encryption or decryption. This is especially advantageous in a “White Box” environment where an attacker has full access to the cipher algorithm, including the algorithm's internal state during its execution. This method and the associated computing apparatus are useful for protection against known attacks on “White Box” ciphers, by obfuscating lookup table data, thereby increasing the cipher's complexity against reverse engineering and other attacks. | 03-07-2013 |
20130080791 | Security Protocols for Processor-Based Systems - A processor-based system such as a wireless communication module may implement security functions in a cost effective fashion by providing a virtual memory space whose addresses may be recognized. The memory is integrated with an application processor. When those addresses are recognized, access to special security protocols may be allowed. In another embodiment, a variety of dedicated hardware cryptographic accelerators may be provided to implement security protocols in accordance with a variety of different standards. By optimizing the hardware for specific standards, greater performance may be achieved. | 03-28-2013 |
20130097432 | PROVIDING CONSISTENT CRYPTOGRAPHIC OPERATIONS - A method, system, and computer usable program product for providing consistent cryptographic operations in a data processing environment using protected structured data objects are provided in the illustrative embodiments. A data input is received from an originating application by a security plug-in, both the application and the security plug-in executing in the data processing system. A security schema object is received by the security plug-in, the security schema object describing a sequence of cryptographic operations, wherein the security schema object includes a plurality of components each component describing an aspect of the cryptographic operations. The data input is transformed into a secure structured data object by the security plug-in using the sequence of cryptographic operations. A property of the secure structured data object is populated using data about the security schema object. The secure structured data object is transmitted to a consumer application. | 04-18-2013 |
20130103955 | Controlling Transmission of Unauthorized Unobservable Content in Email Using Policy - A system, method, and apparatus is disclosed to control mail server in handling encrypted messages according to a policy. | 04-25-2013 |
20130117577 | Secure Memory Transaction Unit - A method for providing security for plaintext data being transferred between units in a computer system includes steps of dividing a memory into a series of addressable locations, each of the addressable locations having an address at which can be stored version information, a data authentication tag, and ciphertext corresponding to the plaintext. The system retrieves the ciphertext, the version information, and the data authentication tag, and generates encryption keys for decrypting the information stored at the address. If the data authentication tag indicates the plaintext data are valid, then the system provides the decrypted plaintext to the requestor, or encrypts new plaintext data and stores the corresponding ciphertext with new authentication and version information at the first address. | 05-09-2013 |
20130132736 | System And Method For Establishing A Shared Secret For Communication Between Different Security Domains - Embodiments may include generating an initial verifier for a first process, the initial verifier generated based on a trusted image of the first process. Embodiments may include, subsequent to generating an untransformed secret associated with the first process, using a reversible transform to transform the untransformed secret with the initial verifier to generate a transformed secret associated with the first process. Embodiments may also include, subsequent to the first process being launched outside of a secure domain, and dependent upon a second verifier generated from a current state of the first process being the same as the initial verifier: using the reversible transform to reverse transform the transformed secret with the second verifier to generate a de-transformed secret equal to the untransformed secret. Embodiments may include performing a secure communication protected with a cryptographic key generated based on the de-transformed secret. The communication may be performed across different security domains. | 05-23-2013 |
20130132737 | CRYPTOGRAPHIC SUPPORT INSTRUCTIONS - A data processing system | 05-23-2013 |
20130138973 | SYSTEM AND METHOD FOR DATA OBFUSCATION BASED ON DISCRETE LOGARITHM PROPERTIES - Disclosed herein are systems, computer-implemented methods, and computer-readable storage media for obfuscating data based on a discrete logarithm. A system practicing the method identifies a clear value in source code, replaces the clear value in the source code with a transformed value based on the clear value and a discrete logarithm, and updates portions of the source code that refer to the clear value such that interactions with the transformed value provide a same result as interactions with the clear value. This discrete logarithm approach can be implemented in three variations. The first variation obfuscates some or all of the clear values in loops. The second variation obfuscates data in a process. The third variation obfuscates data pointers, including tables and arrays. The third variation also preserves the ability to use pointer arithmetic. | 05-30-2013 |
20130151865 | Securing microprocessors against information leakage and physical tampering - A processor system comprising: performing a compilation process on a computer program; encoding an instruction with a selected encoding; encoding the security mutation information in an instruction set architecture of a processor; and executing a compiled computer program in the processor using an added mutation instruction, wherein executing comprises executing a mutation instruction to enable decoding another instruction. A processor system with a random instruction encoding and randomized execution, providing effective defense against offline and runtime security attacks including software and hardware reverse engineering, invasive microprobing, fault injection, and high-order differential and electromagnetic power analysis. | 06-13-2013 |
20130191649 | MEMORY ADDRESS TRANSLATION-BASED DATA ENCRYPTION/COMPRESSION - A method and circuit arrangement selectively stream data to an encryption or compression engine based upon encryption and/or compression-related page attributes stored in a memory address translation data structure such as an Effective To Real Translation (ERAT) or Translation Lookaside Buffer (TLB). A memory address translation data structure may be accessed, for example, in connection with a memory access request for data in a memory page, such that attributes associated with the memory page in the data structure may be used to control whether data is encrypted/decrypted and/or compressed/decompressed in association with handling the memory access request. | 07-25-2013 |
20130191650 | METHODS AND APPARATUS FOR SECURING A DATABASE - Methods and apparatus for a system to maintain confidentiality of data in a database management system by selecting encryption schemes for data items, storing encrypted data in databases, transforming SQL queries to run over encrypted data, and executing queries over encrypted data on the database server. | 07-25-2013 |
20130198530 | Low-Power Multi-Standard Cryptography Processing Units with Common Flip-Flop/Register Banks - A method, system, and apparatus for managing a plurality of cipher processor units. A cipher module may receive a cipher instruction indicating a cipher algorithm to be used. The cipher module may identify a cipher processing unit of the plurality of cipher processing units associated with the cipher algorithm. The cipher module may execute the cipher instruction using the cipher processing unit and the common register array. The cipher module may store a state of a common register array to be used by the cipher processing unit of the plurality of cipher processing units. | 08-01-2013 |
20130205139 | Scrambling An Address And Encrypting Write Data For Storing In A Storage Device - An address to access a location in a storage device ( | 08-08-2013 |
20130212407 | METHOD FOR MANAGING MEMORY SPACE IN A SECURE NON-VOLATILE MEMORY OF A SECURE ELEMENT - The invention relates to a method for managing non-volatile memory space in a secure processor comprising a secure non-volatile internal memory, the method comprising steps of: selecting data elements to remove from the internal memory, generating, by the secure processor, a data block comprising the selected data elements, and a signature computed from the selected data elements using a secret key generated by the secure processor, transmitting the data block by the secure processor, and storing the transmitted data block in an external memory. | 08-15-2013 |
20130219192 | CONTENTS SECURITY APPARATUS AND METHOD THEREOF - A contents security apparatus for preventing Standard Definition (SD) contents which are protected targets of a level which is relatively lower than that of High Definition (HD) contents from being processed through a trust zone of a processor thereof and a method thereof are provided. The contents security apparatus includes a processor for operating a first Operating System (OS) and for storing authentication information of at least one or more contents and a second OS for limiting access to the first OS, wherein the first OS decrypts and processes contents with a high security level and wherein the second OS decrypts and processes contents with a low security level. | 08-22-2013 |
20130232343 | SOFTWARE SELF-DEFENSE SYSTEMS AND METHODS - Systems and methods are disclosed for protecting a computer program from unauthorized analysis and modification. Obfuscation transformations can be applied to the computer program's local structure, control graph, and/or data structure to render the program more difficult to understand and/or modify. Tamper-resistance mechanisms can be incorporated into the computer program to detect attempts to tamper with the program's operation. Once an attempt to tamper with the computer program is detected, the computer program reports it to an external agent, ceases normal operation, and/or reverses any modifications made by the attempted tampering. The computer program can also be watermarked to facilitate identification of its owner. The obfuscation, tamper-resistance, and watermarking transformations can be applied to the computer program's source code, object code, or executable image. | 09-05-2013 |
20130254557 | MESSAGE AUTHENTICATION CODE PRE-COMPUTATION WITH APPLICATIONS TO SECURE MEMORY - A method comprising the steps of creating a random permutation of data from a data input by executing at least one of a Pseudo-Random Permutation (PRP) and a Pseudo-Random Function (PRF), creating a first data block by combining the random permutation of data with a received second data block and executing an ε-differentially uniform function on the result of the combination, XORing the result of the ε-DU function evaluation with a secret key, and reducing the first data block to a first message authentication code. | 09-26-2013 |
20130283064 | METHOD AND APPARATUS TO PROCESS SHA-1 SECURE HASHING ALGORITHM - A processor includes an instruction decoder to receive a first instruction to process a SHA-1 hash algorithm, the first instruction having a first operand to store a SHA-1 state, a second operand to store a plurality of messages, and a third operand to specify a hash function, and an execution unit coupled to the instruction decoder to perform a plurality of rounds of the SHA-1 hash algorithm on the SHA-1 state specified in the first operand and the plurality of messages specified in the second operand, using the hash function specified in the third operand. | 10-24-2013 |
20130326236 | Security of Program Executables and Microprocessors Based on Compiler-Architecture Interaction - A method, for use in a processor context, wherein instructions in a program executable are encoded with plural instruction set encodings. A method wherein a control instruction encoded with an instruction set encoding contains information about decoding of an instruction that is encoded with another instruction set encoding scheme. A method wherein instruction set encodings are randomly generated at compile time. A processor framework wherein an instruction is decoded during execution with the help of information provided by a previously decoded control instruction. | 12-05-2013 |
20130332746 | METHOD, A DEVICE AND A COMPUTER PROGRAM SUPPORT FOR EXECUTION OF ENCRYPTED COMPUTER CODE - A device stores program code in a plurality of slots in its memory. When a processor of the device receives a call to an encrypted function, it uses a slot table to find the location of the cipher function and the cipher module and the key to decrypt the encrypted module. The encrypted module is decrypted, executed, re-encrypted and moved to a new memory slot. The cipher function used is moved to a further new slot and the slot table is updated. Also provided is a method and a computer program support. The invention can make it more difficult to analyse execution traces of the program code. | 12-12-2013 |
20130339755 | Method for Enhancing Data Reliability in a Computer - A method for enhancing reliability of data is provided. A computer configured to provide output datum (Ds) from input datum (De), includes at least two data processing modules, and a computing member connected to each module. The method includes computing, with each module, intermediate datum (D | 12-19-2013 |
20130346758 | MANAGING USE OF A FIELD PROGRAMMABLE GATE ARRAY WITH ISOLATED COMPONENTS - Field programmable gate arrays can be used as a shared programmable co-processor resource in a general purpose computing system. Components of an FPGA are isolated to protect the FPGA and data transferred between the FPGA and other components of the computer system. For example, data written by the FPGA to memory is encrypted, and is decrypted within the FPGA when read back from memory. Data transferred between the FPGA and other components such as the CPU or GPU, whether directly or through memory, can similarly be encrypted using cryptographic keys known to the communicating components. Transferred data also can be digitally signed by the FPGA or other component to provide authentication. Code for programming the FPGA can be encrypted and signed by the author, loaded into the FPGA in an encrypted state, and then decrypted and authenticated by the FPGA itself, before programming the FPGA with the code. | 12-26-2013 |
20130346759 | MANAGING USE OF A FIELD PROGRAMMABLE GATE ARRAY WITH REPROGAMMABLE CRYPTOGRAPHIC OPERATIONS - Field programmable gate arrays can be used as a shared programmable co-processor resource in a general purpose computing system. Components of an FPGA are isolated to protect the FPGA and data transferred between the FPGA and other components of the computer system. Transferred data can be digitally signed by the FPGA or other component to provide authentication. Code for programming the FPGA can be encrypted and signed by the author, loaded into the FPGA in an encrypted state, and then decrypted and authenticated by the FPGA itself, before programming the FPGA with the code. This code can be used to change the cryptographic operations performed in the FPGA, including keys, or decryption and encryption algorithms, or both. | 12-26-2013 |
20130346760 | SYSTEMS, METHODS AND APPARATUSES FOR THE APPLICATION-SPECIFIC IDENTIFICATION OF DEVICES - The systems, methods and apparatuses described herein provide a computing environment that manages application specific identification of devices. An apparatus according to the present disclosure may comprise a non-volatile storage storing identifier (ID) base data and a processor. The processor may be configured to validate a certificate of an application being executed on the apparatus. The certificate may contain a code signer ID for a code signer of the application. The processor may further be configured to receive a request for a unique ID of the application, generate the unique ID from the code signer ID and the ID base data and return the generated unique ID. | 12-26-2013 |
20140032932 | METHOD, MANUFACTURE, AND APPARATUS FOR SECURE DEBUG AND CRASH LOGGING OF OBFUSCATED LIBRARIES - A method, apparatus, and manufacture for debugging and crash logging is provided. A log file is received, where the log file includes encrypted log messages that indicate execution trace of obfuscated code while leaving code locations of corresponding code in the obfuscated code unknown. The encrypted log messages include execution way-point indices. Next, at least a portion of the log file is then decrypted. A debug log viewer is then employed to view the decrypted log file. The debug log viewer includes an execution way-point manifest that correlates each of the execution way-point indices to a corresponding code location. | 01-30-2014 |
20140047244 | PROTECTION OF INTERPRETED SOURCE CODE IN VIRTUAL APPLIANCES - Protection of interpreted programming language code filesystem files from access and alteration may be provided by encrypting a file to be protected in a boot sequence. Run-time examination of a virtual appliance may be deterred by hiding the boot sequence in a restricted virtual appliance platform. No shell or filesystem access may be provided. Thus, permissions on a read-only filesystem (for example) may be kept from being altered. The permissions may be set along with filesystem access control lists to prevent unauthorized examination of the source files. | 02-13-2014 |
20140047245 | IDENTIFICATION AND EXECUTION OF SUBSETS OF A PLURALITY OF INSTRUCTIONS IN A MORE SECURE EXECUTION ENVIRONMENT - Embodiments of apparatus, computer-implemented methods, systems, devices, and computer-readable media are described herein for identifying and encrypting a subset of a plurality of instructions, for execution in a more secure execution environment. In various embodiments, the subset may include a single entry point and a single exit point. In various embodiments, one or more instructions of the plurality of instructions that precede or follow the subset may be executed in a first execution environment with a first security level. In various embodiments, the subset may be executed in a second execution environment with a second security level that is more secure than the first security level. | 02-13-2014 |
20140059358 | REVOKEABLE MSR PASSWORD PROTECTION - A microprocessor includes a model specific register (MSR) having an address, fuses manufactured with a first predetermined value, and a control register. The microprocessor initially loads the first predetermined value from fuses into the control register. The microprocessor also receives a second predetermined value into the control register from system software of a computer system comprising the microprocessor subsequent to initially loading the first predetermined value into the control register. The microprocessor prohibits access to the MSR by an instruction that provides a first password generated by encrypting a function of the first predetermined value and the MSR address with a secret key manufactured into the first instance of the microprocessor and enables access to the MSR by an instruction that provides a second password generated by encrypting the function of the second predetermined value and the MSR address with the secret key. | 02-27-2014 |
20140082370 | METHODS, APPARATUS AND SYSTEMS TO IMPROVE SECURITY IN COMPUTER SYSTEMS - In one implementation a computer system stores a software program that contains some instructions organized in blocks wherein each block contains a first part with instructions and a second part with an electronic signature or hash value, wherein the computer system includes a security component within the processor that allows the execution of instructions of the first part of a block of data only if the hash value of the data is correct. | 03-20-2014 |
20140082371 | SECURE PROCESSOR AND A PROGRAM FOR A SECURE PROCESSOR - The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside. | 03-20-2014 |
20140089679 | SECURE EXECUTION OF A COMPUTER PROGRAM USING BINARY TRANSLATORS - Embodiments of apparatus, computer-implemented methods, systems, devices, and computer-readable media are described herein to provide a computing device with cooperative first and second binary translators in first and second execution environments having first and second security levels, respectively. The second security level may be more secure than the first security level. Encrypted instructions of the computer program may be loaded into the first execution environment, and the first binary translator may provide, to the second binary translator, an execution context of the computer program for use by the secondary binary translator to decrypt and execute a first portion of the computer program in the second execution environment. The second binary translator may provide, to the first binary translator, another execution context of the computer program for emulation, by the first binary translator, of execution of a second portion of the computer program in the first execution environment. | 03-27-2014 |
20140089680 | SECURE PROCESSOR AND A PROGRAM FOR A SECURE PROCESSOR - The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside. | 03-27-2014 |
20140089681 | SECURE PROCESSOR AND A PROGRAM FOR A SECURE PROCESSOR - The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside. | 03-27-2014 |
20140095891 | INSTRUCTION SET FOR SHA1 ROUND PROCESSING ON 128-BIT DATA PATHS - According to one embodiment, a processor includes an instruction decoder to receive a first instruction to process a SHA1 hash algorithm, the first instruction having a first operand, a second operand, and a third operand, the first operand specifying a first storage location storing four SHA states, the second operand specifying a second storage location storing a plurality of SHA1 message inputs in combination with a fifth SHA1 state. The processor further includes an execution unit coupled to the instruction decoder, in response to the first instruction, to perform at least four rounds of the SHA1 round operations on the SHA1 states and the message inputs obtained from the first and second operands, using a combinational logic function specified in the third operand. | 04-03-2014 |
20140095892 | DIGITAL INFORMATION PROTECTING METHOD AND APPARATUS, AND COMPUTER ACCESSIBLE RECORDING MEDIUM - In a method for protecting digital information, a processor converts a protected address range into a plurality of address blocks of a storage device based on a preset conversion unit, and generates an address block rearranging rule using the address blocks as a parameter. When it is desired to load data into a space of an address batch of the protected address range, the processor converts the address batch into a plurality of address blocks based on the conversion unit, locates rearranged addresses of the address blocks in the protected address range according to the address block rearranging rule, and loads the data into spaces of the rearranged addresses. | 04-03-2014 |
20140095893 | METHOD AND APPARATUS FOR ENCRYPTION - Method and apparatus for encryption, and a non-transitory computer-readable medium that stores instructions for performing encryption. The method includes loading a virtual system driver module in a host operating system and constructing a virtual operating system, wherein the virtual operating system comprises a micro-kernel; preparing and providing context of a processor and a memory page table by the virtual system driver for the micro-kernel, and mapping, in the memory page table, original data and a physical address of a buffer area that receives data after encryption computation is completed; and completing the encryption computation in the virtual operating system and saving the computation result in the buffer area. | 04-03-2014 |
20140095894 | Policy-Based Application Management - Improved techniques for managing enterprise applications on mobile devices are described herein. Each enterprise mobile application running on the mobile device has an associated policy through which it interacts with its environment. The policy selectively blocks or allows activities involving the enterprise application in accordance with rules established by the enterprise. Together, the enterprise applications running on the mobile device form a set of managed applications. Managed applications are typically allowed to exchange data with other managed applications, but are blocked from exchanging data with other applications, such as the user's own personal applications. Policies may be defined to manage data sharing, mobile resource management, application specific information, networking and data access solutions, device cloud and transfer, dual mode application software, enterprise app store access, and virtualized application and resources, among other things. | 04-03-2014 |
20140101458 | CODE TAMPERING PROTECTION FOR INSECURE ENVIRONMENTS - In the field of computer software (code) security, it is known to include verification data such as hash values in or associated with the code to allow subsequent detection of tampering by a attacker with the code. This verification technique is used here in a “White Box” cryptographic process by tying the verification data to the content of functional table lookups present in the object (compiled) code, where values in the table lookups are selectively masked (prior to the source code being compiled into the subject code) by being subject to permutation operations. | 04-10-2014 |
20140101459 | MODE-BASED SECURE MICROCONTROLLER - Various embodiments of the present invention are related to integrated circuits for processing data at a microcontroller interface. The microcontroller interfaces to a memory. The method is employed to process input data provided by the microcontroller during a memory write operation, or input data extracted from the memory during a memory read operation, respectively. A write/read control is used to indicate the memory write or read operation, and a logic address is translated to at least one physical address in the memory. The write/read control and the logic address are further employed to determine a data process mode. In various data processing modes, the input data are processed according to at least one of a plurality of data processing methods to result in processed data in different data formats. Data in different formats may be stored in various regions of the memory. | 04-10-2014 |
20140101460 | ARCHITECTURE AND INSTRUCTION SET FOR IMPLEMENTING ADVANCED ENCRYPTION STANDARD (AES) - A flexible aes instruction for a general purpose processor is provided that performs aes encryption or decryption using n rounds, where n includes the standard aes set of rounds {10, 12, 14}. A parameter is provided to allow the type of aes round to be selected, that is, whether it is a “last round”. In addition to standard aes, the flexible aes instruction allows an AES-like cipher with 20 rounds to be specified or a “one round” pass. | 04-10-2014 |
20140143553 | Method and Apparatus for Encapsulating and Encrypting Files in Computer Device - A method for maintaining a single file in a shared storage is disclosed. The method comprises storing the single file and corresponding information into a virtual disk so that there is a direct mapping between each file byte and a byte in a sector of the virtual disk; encrypting the virtual disk according to a disk encryption algorithm; and uploading the encrypted virtual disk to the shared storage. | 05-22-2014 |
20140164787 | CONTROL METHOD AND INFORMATION PROCESSING APPARATUS - A control method is executed by an information processing apparatus that includes a first processor; a second processor that executes a program to be protected; first memory that is shared between the first and the second processors; and non-volatile second memory that stores the program to be protected. The control method includes reading the program that is to be protected and stored in the second memory, when the information processing apparatus is started up; encrypting the read program only once after start up of the information processing apparatus; writing the encrypted program into the first memory; and decrypting the encrypted program that is written in the first memory, and causing the second processor to execute the decrypted program. | 06-12-2014 |
20140164788 | Secure Switch Between Modes - A state sensitive device is described, the device including a state register which stores a record of the effective-state of the device, a mask field having a value which varies according to a value of the state register, and a processor which changes the value of the mask field to a new value of the mask field when there is a change in the value of the state register, wherein, the processor performs a state dependent calculation requiring the value of the mask field as an operand in the state dependent calculation which will yield an incorrect result if the value of the mask field does not properly correspond to the value of the state register. Related methods, systems and apparatus are also described. | 06-12-2014 |
20140173293 | Hardware Based Return Pointer Encryption - A processor, a method and a computer-readable storage medium for encrypting a return address are provided. The processor comprises hardware logic configured to encrypt an instruction pointer and push the encrypted instruction pointer onto a stack. The logic is further configured to retrieve the encrypted instruction pointer from the stack, decrypt the instruction pointer and redirect execution to the decrypted instruction pointer. | 06-19-2014 |
20140181532 | ENCRYPTED FLASH-BASED DATA STORAGE SYSTEM WITH CONFIDENTIALITY MODE - Raw or unencrypted data is encrypted using a standard encryption algorithm and stored in a Flash memory array. The raw or unencrypted data may be pre-processed before it is encrypted. Pre-processing may include data scrambling, pre-encryption data mixing, or both. Data scrambling may involve an invertible transformation. The scrambled data may then be used to seed a sequence generator. Each output from the sequence generator may be processed using a bit-by-bit Exclusive Or (XOR) operation to impart random or pseudorandom statistical properties. Pre-encryption data mixing may combine the scrambled (or unscrambled) data with information that is unique to each chunk of data, as well as with a user-supplied secret key. This helps ensure that identical raw data chunks are not stored as identical encrypted data chunks in the Flash memory array. | 06-26-2014 |
20140181533 | SECURE OBJECT HAVING PROTECTED REGION, INTEGRITY TREE, AND UNPROTECTED REGION - A method and structure for a secure object, as tangibly embodied in a computer-readable storage medium. The secure object includes a cryptographically protected region containing at least one of code and data, an initial integrity tree that protects an integrity of contents of the cryptographically protected region; and an unprotected region that includes a loader, an esm (enter secure mode) instruction, and one or more communication buffers. | 06-26-2014 |
20140189368 | INSTRUCTION AND LOGIC TO PROVIDE SIMD SECURE HASHING ROUND SLICE FUNCTIONALITY - Instructions and logic provide SIMD secure hashing round slice functionality. Some embodiments include a processor comprising: a decode stage to decode an instruction for a SIMD secure hashing algorithm round slice, the instruction specifying a source data operand set, a message-plus-constant operand set, a round-slice portion of the secure hashing algorithm round, and a rotator set portion of rotate settings. Processor execution units, are responsive to the decoded instruction, to perform a secure hashing round-slice set of round iterations upon the source data operand set, applying the message-plus-constant operand set and the rotator set, and store a result of the instruction in a SIMD destination register. One embodiment of the instruction specifies a hash round type as one of four MD5 round types. Other embodiments may specify a hash round type by an immediate operand as one of three SHA-1 round types or as a SHA-2 round type. | 07-03-2014 |
20140195820 | APPARATUS FOR GENERATING A DECRYPTION KEY FOR USE TO DECRYPT A BLOCK OF ENCRYPTED INSTRUCTION DATA BEING FETCHED FROM AN INSTRUCTION CACHE IN A MICROPROCESSOR - An apparatus for generating a decryption key for use to decrypt a block of encrypted instruction data being fetched from an instruction cache in a microprocessor at a fetch address includes a first multiplexer that selects a first key value from a plurality of key values based on a first portion of the fetch address. A second multiplexer selects a second key value from the plurality of key values based on the first portion of the fetch address. A rotater rotates the first key value based on a second portion of the fetch address. An arithmetic unit selectively adds or subtracts the rotated first key value to or from the second key value based on a third portion of the fetch address to generate the decryption key. | 07-10-2014 |
20140195821 | METHOD FOR ENCRYPTING A PROGRAM FOR SUBSEQUENT EXECUTION BY A MICROPROCESSOR CONFIGURED TO DECRYPT AND EXECUTE THE ENCRYPTED PROGRAM - A method for encrypting a program for subsequent execution by a microprocessor configured to decrypt and execute the encrypted program includes receiving an object file specifying an unencrypted program that includes conventional branch instructions whose target address may be determined pre-run time. The method also includes analyzing the program to obtain chunk information that divides the program into a sequence of chunks each comprising a sequence of instructions and that includes encryption key data associated with each of the chunks. The encryption key data associated with each of the chunks is distinct. The method also includes replacing each of the conventional branch instructions that specifies a target address that is within a different chunk than the chunk in which the conventional branch instruction resides with a branch and switch key instruction. The method also includes encrypting the program based on the chunk information. | 07-10-2014 |
20140195822 | MICROPROCESSOR THAT SECURELY DECRYPTS AND EXECUTES ENCRYPTED INSTRUCTIONS - A microprocessor is provided with a method for decrypting encrypted instruction data into plain text instruction data and securely executing the same. The microprocessor includes a master key register file comprising a plurality of master keys. Selection logic circuitry in the microprocessor selects a combination of at least two of the plurality of master keys. Key expansion circuitry in the microprocessor performs mathematical operations on the selected master keys to generate a decryption key having a long effective key length. Instruction decryption circuitry performs an efficient mathematical operation on the encrypted instruction data and the decryption key to decrypt the encrypted instruction data into plain text instruction data. | 07-10-2014 |
20140195823 | MICROPROCESSOR THAT FACILITATES TASK SWITCHING BETWEEN ENCRYPTED AND UNENCRYPTED PROGRAMS - A microprocessor includes an architected register having a bit. The microprocessor sets the bit. The microprocessor also includes a fetch unit that fetches encrypted instructions from an instruction cache and decrypts them prior to executing them, in response to the microprocessor setting the bit. The microprocessor saves the value of the bit to a stack in memory and then clears the bit, in response to receiving an interrupt. The fetch unit fetches unencrypted instructions from the instruction cache and executes them without decrypting them, after the microprocessor clears the bit. The microprocessor restores the saved value from the stack in memory to the bit in the architected register, in response to executing a return from interrupt instruction. The fetch unit resumes fetching and decrypting the encrypted instructions, in response to determining that the restored value of the bit is set. | 07-10-2014 |
20140195824 | PROTECTING METHOD AND SYSTEM OF JAVA SOURCE CODE - The present disclosure discloses a protecting method and system of Java source code. When a first initiating class is invoked, the method comprises following steps, wherein the first initiating class is an initiating class of Java program: the first initiating class decrypts first cipher data to obtain a class loader; the class loader reads second cipher data to the memory and decrypts the second cipher data to obtain a first class, wherein the first class is a class run by a Java virtual machine, and the suffix of the first class is .class; the class loader loads a second initiating class to the memory; wherein the second initiating class is an original class in jar packet of the Java program; and the class loader loads the first class to the Java virtual machine so that the Java virtual machine can invoke a main interface in the second initiating class to run the Java program. The present disclosure can protect Java source code and make it difficult to decompile the Java source code. | 07-10-2014 |
20140215225 | METHOD FOR INCREASING THE SECURITY OF SOFTWARE - A method for increasing security of software is provided. The method includes replacing a part of a code section comprised in a binary source file of the software with a pre-set special command, creating a table of correspondence that contains correspondence information between the part of the code section and the pre-set special command according to the replacing, and inserting the table of correspondence into a command preprocessor execution file of the software. | 07-31-2014 |
20140223195 | Encrypted Storage Device for Personal Information - An encrypted storage device for personal information has a control module, a plug and play interface and a storage unit. The Control module has an encryption module and a processing module electrically connected the encryption module and driving the encryption module to perform an encryption/decryption operation. The plug and play interface is electrically connected to the Control module and is adapted to connect with a computer to transmit information to the Control module. The storage unit is electrically connected to the Control module and has a public data area and an encryption area. The public data area has at least one application. The encryption area is used to store the encryption algorithm information, and the encryption algorithm information can be read after identity authenticating and decrypting. | 08-07-2014 |
20140245026 | SYSTEM AND METHOD FOR RESOURCE SHARING ACROSS MULTI-CLOUD ARRAYS - A system for resource sharing across multi-cloud storage arrays includes a plurality of storage arrays and a cloud array storage (CAS) application. The plurality of storage resources are distributed in one or more cloud storage arrays, and each storage resource comprises a unique object identifier that identifies location and structure of the corresponding storage resource at a given point-in-time. The cloud array storage (CAS) application manages the resource sharing process by first taking an instantaneous copy of initial data stored in a first location of a first storage resource at a given point-in-time and then distributing copies of the instantaneous copy to other storage resources in the one or more cloud storage arrays. The instantaneous copy comprises a first unique object identifier pointing to the first storage location of the initial data in the first storage resource and when the instantaneous copy is distributed to a second storage resource, the first unique object identifier is copied into a second storage location within the second storage resource and the second storage location of the second storage resource is assigned a second unique object identifier. | 08-28-2014 |
20140258733 | ROOTS-OF-TRUST FOR MEASUREMENT OF VIRTUAL MACHINES - Embodiments of techniques and systems associated with roots-of-trust (RTMs) for measurement of virtual machines (VMs) are disclosed. In some embodiments, a computing platform may provide a virtual machine RTM (vRTM) in a first secure enclave of the computing platform. The computing platform may be configured to perform an integrity measurement of the first secure enclave. The computing platform may provide a virtual machine trusted platform module (vTPM), for a guest VM, outside the first secure enclave of the computing platform. The computing platform may initiate a chain of integrity measurements between the vRTM and a resource of the guest VM. Other embodiments may be described and/or claimed. | 09-11-2014 |
20140258734 | DATA SECURITY METHOD AND ELECTRONIC DEVICE IMPLEMENTING THE SAME - A method and an apparatus that may safely secure data in an electronic device including a computing resource, that is, software (for example, an operating system) and hardware (for example, a memory and a Central Processing Unit (CPU)) for operating the electronic device are provided. The method includes receiving a request for an application key from a data generation application or a proxy application that executes encryption of data in place of the data generation application, generating an application key using an application Identification (ID) corresponding to the data generation application and a security key stored in a secure area of the electronic device, in response to the request, and encrypting data using the generated application key. | 09-11-2014 |
20140281581 | Storage Device - A storage device includes a storage area and connected to a computer for causing a file system to operate. The file system causes a data area for storing contents of a plurality of files and a management area for managing the plurality of files to be secured in the storage area. The storage device includes the storage area; a file system monitor for detecting that the file system has performed an operation of erasing a file; and a controller for, when the file system monitor detects an operation of erasing the file, performing erasure or write to put an area corresponding to the erased file in the storage area into an unrecoverable state. | 09-18-2014 |
20140298039 | PROGRAMMABLE INTELLIGENT SEARCH MEMORY ENABLED SECURE DRAM - A dynamic random access memory (DRAM) comprising a programmable intelligent search memory (PRISM) for regular expression search using non-deterministic finite state automaton and further comprising a cryptography processing engine for performing encryption and decryption, said PRISM and cryptography processing engines creating a secure DRAM for use in a system. | 10-02-2014 |
20140317418 | SERVER, CLIENT DEVICE, AND USB REDIRECTION METHOD - A client device obtains data from a universal serial bus (USB) device and compresses the data. The client device sends the compressed data to a server using a USB redirection. The server decompresses the compressed data and sends the decompressed data to a virtual machine installed in the server. The client device remotely accesses decompressed data when the decompressed data is stored into the virtual machine. | 10-23-2014 |
20140325238 | SYSTEM AND METHOD FOR VALIDATING PROGRAM EXECUTION AT RUN-TIME - A pipelined processor comprising a cache memory system, fetching instructions for execution from a portion of said cache memory system, an instruction commencing processing before a digital signature of the cache line that contained the instruction is verified against a reference signature of the cache line, the verification being done at the point of decoding, dispatching, or committing execution of the instruction, the reference signature being stored in an encrypted form in the processor's memory, and the key for decrypting the said reference signature being stored in a secure storage location. The instruction processing proceeds when the two signatures exactly match and, where further instruction processing is suspended or processing modified on a mismatch of the two said signatures. | 10-30-2014 |
20140325239 | SYSTEM AND METHOD FOR VALIDATING PROGRAM EXECUTION AT RUN-TIME USING CONTROL FLOW SIGNATURES - A processor comprising: an instruction processing pipeline, configured to receive a sequence of instructions for execution, said sequence comprising at least one instruction including a flow control instruction which terminates the sequence; a hash generator, configured to generate a hash associated with execution of the sequence of instructions; a memory configured to securely receive a reference signature corresponding to a hash of a verified corresponding sequence of instructions; verification logic configured to determine a correspondence between the hash and the reference signature; and authorization logic configured to selectively produce a signal, in dependence on a degree of correspondence of the hash with the reference signature. | 10-30-2014 |
20140372771 | Piracy Prevention and Usage Control System Using Access-Controlled Encrypted Data Containers - This is a system for controlling and restricting access (reading, writing, creating, deleting, manipulating, and control) to data and data representations of arbitrary processing engines through the use of secure containers, an access processing engine, and cryptographic keys. | 12-18-2014 |
20150012757 | SYSTEM AND METHOD FOR ROUTING-BASED INTERNET SECURITY - Method and system for improving the security of storing digital data in a memory or its delivery as a message over the Internet from a sender to a receiver using one or more hops is disclosed. The message is split at the sender into multiple overlapping or non-overlapping slices according to a slicing scheme, and the slices are encapsulated in packets each destined to a different relay server as an intermediate node according to a delivery scheme. The relay servers relay the received slices to another other relay server or to the receiver. Upon receiving all the packets containing all the slices, the receiver combines the slices reversing the slicing scheme, whereby reconstructing the message sent. | 01-08-2015 |
20150019878 | Apparatus and Method for Memory Address Encryption - An apparatus for encrypting an input memory address to obtain an encrypted memory address is provided. The apparatus comprises an input interface for receiving the input memory address being an address of a memory. Moreover, the apparatus comprises an encryption module for encrypting the input memory address depending on a cryptographic key to obtain the encrypted memory address. The encryption module is configured to encrypt the input memory address by applying a map mapping the input memory address to the encrypted memory address, wherein the encryption module is configured to apply the map by conducting a multiplication and a modulo operation using the cryptographic key and a divisor of the modulo operation, such that the map is bijective. | 01-15-2015 |
20150026483 | Systems and Methods for Mobile Application Protection - Systems and methods are provided for mobile application protection. An executable code associated with an application is received. An encrypted code and a wrapper code are generated based at least in part on the executable code. The encrypted code is capable of being decrypted based at least in part on the wrapper code. An application package including the encrypted code and the wrapper code is generated for a mobile device. | 01-22-2015 |
20150033034 | MEASURING A SECURE ENCLAVE - Embodiments of an invention for measuring a secure enclave are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive a first, a second, and a third instruction. The execution unit is to execute the first, the second, and the third instruction. Execution of the first instruction includes initializing a measurement field in a control structure of a secure enclave with an initial value. Execution of the second instruction includes adding a region to the secure enclave. Execution of the third instruction includes measuring a subregion of the region. | 01-29-2015 |
20150039905 | SYSTEM FOR PROCESSING AN ENCRYPTED INSTRUCTION STREAM IN HARDWARE - A system and method of processing an encrypted instruction stream in hardware is disclosed. Main memory stores the encrypted instruction stream and unencrypted data. A central processing unit (CPU) is operatively coupled to the main memory. A decryptor is operatively coupled to the main memory and located within the CPU. The decryptor decrypts the encrypted instruction stream upon receipt of an instruction fetch signal from a CPU core. Unencrypted data is passed through to the CPU core without decryption upon receipt of a data fetch signal. | 02-05-2015 |
20150039906 | SYSTEMS AND METHODS FOR LONG UNIVERSAL RESOURCE LOCATOR COMPRESSION - Methods and systems for managing universal resource locators (URLs) at a server include receiving, at the server, a search query from a client device; creating, by the server, a compressed hash value based on the search query; processing, by the server, the search query to yield a search result; and transmitting the compressed hash value to the client for storage in a browser history. | 02-05-2015 |
20150039907 | Method of Adapting a Uniform Access Indexing Process to a Non-Uniform Access Memory, and Computer System - Method and apparatus for constructing an index that scales to a large number of records and provides a high transaction rate. New data structures and methods are provided to ensure that an indexing algorithm performs in a way that is natural (efficient) to the algorithm, while a non-uniform access memory device sees IO (input/output) traffic that is efficient for the memory device. One data structure, a translation table, is created that maps logical buckets as viewed by the indexing algorithm to physical buckets on the memory device. This mapping is such that write performance to non-uniform access SSD and flash devices is enhanced. Another data structure, an associative cache is used to collect buckets and write them out sequentially to the memory device as large sequential writes. Methods are used to populate the cache with buckets (of records) that are required by the indexing algorithm. Additional buckets may be read from the memory device to cache during a demand read, or by a scavenging process, to facilitate the generation of free erase blocks. | 02-05-2015 |
20150052368 | DIFFERENTIAL POWER ANALYSIS - RESISTANT CRYPTOGRAPHIC PROCESSING - Information leaked from smart cards and other tamper resistant cryptographic devices can be statistically analyzed to determine keys or other secret data. A data collection and analysis system is configured with an analog-to-digital converter connected to measure the device's consumption of electrical power, or some other property of the target device, that varies during the device's processing. As the target device performs cryptographic operations, data from the A/D converter are recorded for each cryptographic operation. The stored data are then processed using statistical analysis, yielding the entire key, or partial information about the key that can be used to accelerate a brute force search or other attack. | 02-19-2015 |
20150058639 | ENCRYPTION PROCESSING DEVICE AND STORAGE DEVICE - According to one embodiment, an encryption processing device includes a plurality of generating circuits to generate respective mask values for respective second data units, by using identification information to identify a first data unit and first key data, wherein the first data unit includes the second data units, each of which serves as a unit of an encryption operation, and a plurality of arithmetic circuits encrypting the respective second data units, by using the respective mask values, the second data units, and second key data, wherein the generating circuits perform parallel processing. | 02-26-2015 |
20150089243 | Secure Evaluation of a Program - A method for enabling a client in a user device to securely evaluate a linear branching program. The program may include decision nodes and end-labels. A decision node is associated with a comparison computation for comparing a first value with a second value and a decision rule that links the outcome of the comparison computation to a further decision node or end-label. The method includes transforming the comparison computation into encrypted evaluation sequences on the basis of an additive homomorphic cryptosystem. An evaluation sequence of a decision node includes a sequence of numbers in which the outcome of a comparison computation at a node is embedded; and, evaluating evaluation sequences, evaluating including detecting presence of a predetermine value in an evaluation sequence of a node and determining an evaluation sequence of a further node or an end-label on the basis of the detection of the predetermined value. | 03-26-2015 |
20150095658 | CLIENT COMPUTER FOR QUERYING A DATABASE STORED ON A SERVER VIA A NETWORK - The invention relates to a client computer for querying a database stored on a server via a network, the server being coupled to the client computer via the network, wherein the database comprises a first relation, wherein the first relation comprises first data items, wherein the first data items are encrypted with a first cryptographic key in the first relation, wherein the first data items form a partially ordered set in the first relation, the partial order being formed with respect to the first data items in non-encrypted form, wherein the client computer has installed thereon an application program, the application program being operational to perform the steps of receiving a search request specifying a search interval and determining the first data item forming an interval boundary of the search interval. | 04-02-2015 |
20150095659 | METHOD OF EXECUTING, BY A MICROPROCESSOR, A POLYMORPHIC BINARY CODE OF A PREDETERMINED FUNCTION - Executing polymorphic binary code of a predetermined function includes acquiring polymorphic binary code of the function, the code having instruction blocks and control instructions. One block acquires a random number; the other defines a specific generator that generates target instructions to execute the function. The control instructions place the target instructions in memory. Each instruction has an opcode that codes a nature of an operation to be executed, and operands that define parameters of the operation. The generator incorporates coding variants of the function and selection instructions. Each variant generates instructions that perform the function. These instructions differ from each other and enable choosing a variant, based on the random number, to generate the target instructions. The choice is made only between different coding variants of the predetermined function. | 04-02-2015 |
20150127955 | METHOD AND APPARATUS FOR INPUTTING/OUTPUTTING VIRTUAL OPERATING SYSTEM FROM REMOVABLE STORAGE DEVICE ON A HOST USING VIRTUALIZATION TECHNIQUE - A method and apparatus for inputting and outputting data by using a virtualization technique are provided. The method includes generating a virtual operating system (OS) for the external device, which is connected to a host, based on OS information stored in the external device, setting a partial area of a storage of the host as virtual storage for the external device, and storing the data in the virtual storage or a memory of the external device in response to a request for inputting and outputting the data from the virtual OS. | 05-07-2015 |
20150134973 | SOFTWARE-BASED SIDE-CHANNEL ATTACK PREVENTION - Technologies for preventing software-based side-channel attacks are generally disclosed. In some examples, a computing device may receive a cryptographic program having one or more programming instructions for performing a key handling operation and may add one or more programming instructions for performing an anti-attack operation to the one or more programming instructions for performing the key handling operation. The computing device may transmit the resulting cryptographic program with the anti-attack operation to an execution device. The execution device, such as a cloud computing system, may execute the cryptographic program, thereby causing execution of the anti-attack operation. The execution of cryptographic program may prevent a side-channel attack by masking the number of key performance events that occur. | 05-14-2015 |
20150326389 | SECURING ACCESSIBLE SYSTEMS USING DYNAMIC DATA MANGLING - Systems and techniques for securing accessible computer-executable program code and systems are provided. One or more base functions may be generated and blended with existing program code, such that it may be difficult or impossible for a potential attacker to distinguish the base functions from the existing code. The systems and code also may be protected using a variety of other blending and protection techniques, such as fractures, variable dependent coding, dynamic data mangling, and cross-linking, which may be used individually or in combination, and/or may be blended with the base functions. | 11-12-2015 |
20150347724 | SECURE EXECUTION OF ENCRYPTED PROGRAM INSTRUCTIONS - Provided are facilities for secure execution of an encrypted executable comprising an encrypted instruction. The secure execution includes obtaining the encrypted instruction, decrypting the encrypted instruction using a decryption key being maintained in a secure location within a processor, and storing the decrypted instruction to a secure storage for execution, where the decryption key remains in the secure location during the decrypting and the storing to facilitate maintaining security of the decryption key. | 12-03-2015 |
20150358300 | MEMORY ENCRYPTION METHOD COMPATIBLE WITH A MEMORY INTERLEAVED SYSTEM AND CORRESPONDING SYSTEM - A method for managing an operation of an encrypted global interleaved memory space physically implemented according to an interleaving addressing scheme in encrypted memory banks of a plurality of memories respectively belonging to a plurality of channels. The method includes providing each channel with a local address pointer configured to be incrementally moved along the global memory space each time the global memory space is addressed at the current address pointed by the pointer, and in an absence of movement of the local pointer of a channel during a time period, addressing the global memory space from the channel through the address interleaving with a specific transaction at the current address, and upon reception at the channel of the specific transaction having been initiated by the channel, re-encrypting data located at the current address with a new encryption key and incrementing the local address pointer to its next position. | 12-10-2015 |
20150363335 | Memory Device, Memory System, and Operating Method of Memory System - A memory device, a memory system, and an operating method of the memory system is provided. The operating method includes operations of transmitting an authentication request to a memory device using a memory controller; converting the authentication request to a first address using the memory device; processing authentication data that corresponds to the first address and indicates a physical characteristic of the memory device and transmitting the authentication data as an authentication response to the authentication request to the memory controller using the memory device; and verifying whether the authentication response received from the memory device is an authentication response to the authentication request using the memory controller. | 12-17-2015 |
20150371063 | Encryption Method for Execute-In-Place Memories - Encryption/decryption techniques for external memory are described herein. In an example embodiment, a device comprises an internal memory and an external memory controller. The internal memory is configured to store a key. The external memory controller is configured to encrypt, with the key, an address for an access operation to an external memory device to obtain an encrypted address, and to encrypt or decrypt a block of data for the access operation based on the encrypted address. | 12-24-2015 |
20160006708 | INFORMATION PROCESSING APPARATUS AND MOBILE TERMINAL DEVICE - A management server ( | 01-07-2016 |
20160012212 | Securing microprocessors against information leakage and physical tampering | 01-14-2016 |
20160026468 | SM4 ACCELERATION PROCESSORS, METHODS, SYSTEMS, AND INSTRUCTIONS - A processor of an aspect includes a plurality of packed data registers, and a decode unit to decode an instruction. The instruction is to indicate one or more source packed data operands. The one or more source packed data operands are to have four 32-bit results of four prior SM4 cryptographic rounds, and four 32-bit values. The processor also includes an execution unit coupled with the decode unit and the plurality of the packed data registers. The execution unit, in response to the instruction, is to store four 32-bit results of four immediately subsequent and sequential SM4 cryptographic rounds in a destination storage location that is to be indicated by the instruction. | 01-28-2016 |
20160026806 | CRYPTOGRAPHIC SUPPORT INSTRUCTIONS - A data processing system includes a single instruction multiple data register file and single instruction multiple processing circuitry. The single instruction multiple data processing circuitry supports execution of cryptographic processing instructions for performing parts of a hash algorithm. The operands are stored within the single instruction multiple data register file. The cryptographic support instructions do not follow normal lane-based processing and generate output operands in which the different portions of the output operand depend upon multiple different elements within the input operand. | 01-28-2016 |
20160034694 | SYSTEM, METHOD AND COMPUTER-ACCESSIBLE MEDIUM FOR FACILITATING LOGIC ENCRYPTION - Exemplary systems, methods and computer-accessible mediums for encrypting at least one integrated circuit (IC) can include determining, using an interference graph, at least one location for a proposed insertion of at least one gate in or at the at least one IC, and inserting the gate(s) into the IC(s) at the location(s). The interference graph can be constructed based at least in part on an effect of the location(s) on at least one further location of the IC(s). | 02-04-2016 |
20160062919 | DOUBLE-MIX FEISTEL NETWORK FOR KEY GENERATION OR ENCRYPTION - A method of providing security in a computer system includes dividing a block of data into initial left and right halves, and calculating updated left and right halves for each of a plurality of rounds. Calculating the updated left half includes applying a first function to an input left half to produce a first result, and mixing the first result with an input right half. Calculating the updated right half includes applying a second function to the input left half to produce a second result, and mixing the second result with a round key. The input left and right halves are the initial left and right halves for the first round, and thereafter the updated left and right halves for an immediately preceding round. And method may include producing a block of ciphertext with a key composed of the updated left and right halves for the last round. | 03-03-2016 |
20160063279 | PERIODIC MEMORY REFRESH IN A SECURE COMPUTING SYSTEM - A method of providing security in a computer system includes performing a memory refresh of a window of memory locations in a memory, and in which each memory location stores a version value and a block of ciphertext. The version value may be updated with each write operation at a memory location; and the block of ciphertext may be produced with a key that changes with each write operation and from memory location to memory location. The memory refresh may include performing a periodic read operation followed by a corresponding write operation at each memory location. Between the read and write operations, the version value stored at the memory location may be compared with a chronologically earliest version value stored at any memory location of the window, and validity of the block of ciphertext stored at the memory location may be verified based on the comparison. | 03-03-2016 |
20160065368 | ADDRESS-DEPENDENT KEY GENERATOR BY XOR TREE - A method of providing security in a computer system includes producing a plurality of sub-keys from key material and a respective address of a memory location in a memory and possibly other information. The method may include mixing the sub-keys together using a binary tree of exclusive-or operations, and to produce an intermediate result. The method may include performing a scrambling operation on the intermediate result to produce a key with which a block of ciphertext may be produced. And the method may include performing a write operation to write the block of ciphertext at the memory location having the respective address. In this regard, the memory may include a window of memory locations each of which stores a respective block of ciphertext produced with a respective key that changes from memory location to memory location. | 03-03-2016 |
20160078252 | ADDRESS DEPENDENT DATA ENCRYPTION - Encryption of data within a memory | 03-17-2016 |
20160085634 | AVOIDING ENCRYPTION OF CERTAIN BLOCKS IN A DEDUPLICATION VAULT - Avoiding encryption of certain blocks in a deduplication vault. In one example embodiment, a method of avoiding encryption of certain blocks during a backup of a source storage into a deduplication vault storage may include analyzing each allocated plain text block stored in a source storage at a point in time to determine if the allocated plain text block is already stored in the deduplication vault storage. If the allocated plain text block is not stored in the deduplication vault storage, the block may be encrypted and the encrypted block may be analyzed to determine if the encrypted block is already stored in the deduplication vault storage. If neither the allocated plain text block nor the encrypted block is already stored in the deduplication vault storage, the encrypted block may be stored in the deduplication vault storage. | 03-24-2016 |
20160092688 | INSTRUCTIONS AND LOGIC TO PROVIDE SIMD SM3 CRYPTOGRAPHIC HASHING FUNCTIONALITY - Instructions and logic provide SIMD SM3 cryptographic hashing functionality. Some embodiments include a processor comprising: a decoder to decode instructions for a SIMD SM3 message expansion, specifying first and second source data operand sets, and an expansion extent. Processor execution units, responsive to the instruction, perform a number of SM3 message expansions, from the first and second source data operand sets, determined by the specified expansion extent and store the result into a SIMD destination register. Some embodiments also execute instructions for a SIMD SM3 hash round-slice portion of the hashing algorithm, from an intermediate hash value input, a source data set, and a round constant set. Processor execution units perform a set of SM3 hashing round iterations upon the source data set, applying the intermediate hash value input and the round constant set, and store a new hash value result in a SIMD destination register. | 03-31-2016 |
20160092702 | CRYPTOGRAPHIC PONTER ADDRESS ENCODING - A computing device includes technologies for securing indirect addresses (e.g., pointers) that are used by a processor to perform memory access (e.g., read/write/execute) operations. The computing device encodes the indirect address using metadata and a cryptographic algorithm. The metadata may be stored in an unused portion of the indirect address. | 03-31-2016 |
20160094555 | SYSTEM AND METHODS FOR EXECUTING ENCRYPTED MANAGED PROGRAMS - The present disclosure relates to systems and methods for enabling execution of encrypted managed programs in common managed execution environments. In particular the disclosure relates to method of loading and associating an extension module to the managed execution environment configured to receive execution event notifications. The events corresponding to the execution of encrypted methods are intercepted and passed on to a decryption module operable to execute within an hypervisor environment, such that the managed encrypted program is decrypted, executed in a secured location, preventing access of untrusted party. The decryption module is further configured to discard decrypted instruction if cooperation of the extension module is required, or upon program termination. | 03-31-2016 |
20160104009 | DECRYPTION OF ENCRYPTED INSTRUCTIONS USING KEYS SELECTED ON BASIS OF INSTRUCTION FETCH ADDRESS - A microprocessor and method are provided for securely decrypting and executing encrypted instructions within a microprocessor. A plurality of master keys are stored in a secure memory. Encrypted instructions are fetched from an instruction cache. A set of one or more master keys are selected from the secure memory based upon an encrypted instruction fetch address. The selected set of master keys or a decryption key derived therefrom is used to decrypt the encrypted instructions fetched from the instruction cache. The decrypted instructions are then securely executed within the microprocessor. In one implementation, the master keys are intervolved with each other to produce a new decryption key with every fetch quantum. Moreover, a new set of master keys is selected with every new block of instructions. | 04-14-2016 |
20160104010 | MICROPROCESSOR WITH SECURE EXECUTION MODE AND STORE KEY INSTRUCTIONS - A microprocessor conditionally grants a request to switch from a normal execution mode in which encrypted instructions cannot be executed, into a secure execution mode (SEM). Thereafter, the microprocessor executes a plurality of instructions, including a store-key instruction to write a set of one or more cryptographic key values into a secure memory of the microprocessor. After fetching an encrypted program from an instruction cache, the microprocessor decrypts the encrypted program into plaintext instructions using decryption logic within the microprocessor's instruction-processing pipeline. | 04-14-2016 |
20160104011 | MICROPROCESSOR WITH ON-THE-FLY SWITCHING OF DECRYPTION KEYS - A microprocessor is provided in which an encrypted program can replace the decryption keys that are used to decrypt sections of the encrypted program. The microprocessor may be decrypting and executing a first section of the encrypted program when it encounters, decrypts, and executes an encrypted store-key instruction to store a new set of decryption keys. After executing the store-key instruction, the microprocessor decrypts and executes a subsequent section of the encrypted program using the new set of decryption keys. On-the-fly key switching may occur numerous times with successive encrypted store-key instructions and successive sets of encrypted instructions. | 04-14-2016 |
20160105282 | KEY EXPANSION LOGIC USING DECRYPTION KEY PRIMITIVES - A secure memory, key expansion logic, and decryption logic are provided for a microprocessor that executes encrypted instructions. The secure memory stores a plurality of decryption key primitives. The key expansion logic selects two or more decryption key primitives from the secure memory and then derives a decryption key from them. The decryption logic uses the decryption key to decrypt an encrypted instruction fetched from the instruction cache. The decryption key primitives are selected on the basis of an encrypted instruction address, one of them is rotated by an amount also determined by the encrypted instruction address, and then they are additively or subtractively accumulated, also on the basis of the encrypted instruction address. | 04-14-2016 |
20160117501 | SYSTEM AND METHOD FOR VALIDATING PROGRAM EXECUTION AT RUN-TIME - A pipelined processor comprising a cache memory system, fetching instructions for execution from a portion of said cache memory system, an instruction commencing processing before a digital signature of the cache line that contained the instruction is verified against a reference signature of the cache line, the verification being done at the point of decoding, dispatching, or committing execution of the instruction, the reference signature being stored in an encrypted form in the processor's memory, and the key for decrypting the said reference signature being stored in a secure storage location. The instruction processing proceeds when the two signatures exactly match and, where further instruction processing is suspended or processing modified on a mismatch of the two said signatures. | 04-28-2016 |
20160119125 | FLEXIBLE ARCHITECTURE AND INSTRUCTION FOR ADVANCED ENCRYPTION STANDARD (AES) - A flexible aes instruction set for a general purpose processor is provided. The instruction set includes instructions to perform a “one round” pass for aes encryption or decryption and also includes instructions to perform key generation. An immediate may be used to indicate round number and key size for key generation for 128/192/256 bit keys. The flexible aes instruction set enables full use of pipelining capabilities because it does not require tracking of implicit registers. | 04-28-2016 |
20160119129 | FLEXIBLE ARCHITECTURE AND INSTRUCTION FOR ADVANCED ENCRYPTION STANDARD (AES) - A flexible aes instruction set for a general purpose processor is provided. The instruction set includes instructions to perform a “one round” pass for aes encryption or decryption and also includes instructions to perform key generation. An immediate may be used to indicate round number and key size for key generation for 128/192/256 bit keys. The flexible aes instruction set enables full use of pipelining capabilities because it does not require tracking of implicit registers. | 04-28-2016 |
20160119130 | FLEXIBLE ARCHITECTURE AND INSTRUCTION FOR ADVANCED ENCRYPTION STANDARD (AES) - A flexible aes instruction set for a general purpose processor is provided. The instruction set includes instructions to perform a “one round” pass for aes encryption or decryption and also includes instructions to perform key generation. An immediate may be used to indicate round number and key size for key generation for 128/192/256 bit keys. The flexible aes instruction set enables full use of pipelining capabilities because it does not require tracking of implicit registers. | 04-28-2016 |
20160119137 | DIVERSIFIED INSTRUCTION SET PROCESSING TO ENHANCE SECURITY - Disclosed are devices, systems, apparatus, methods, products, and other implementations, including a method that includes receiving a block of information from non-processor memory at an interface between the non-processor memory and processor memory comprising two or more processor memory levels, determining whether the block of information received from the non-processor memory at the interface corresponds to encrypted instruction code, and decrypting the block of information at the interface between the non-processor memory and the processor memory for storage in one of the two or more levels of the processor memory in response to a determination that the received block of information corresponds to the encrypted instruction code. The block of information is stored at the one of the two or more levels of the processor memory without being decrypted when the received block of information is determined to correspond to data. | 04-28-2016 |
20160162694 | INSTRUCTIONS PROCESSORS, METHODS, AND SYSTEMS TO PROCESS SECURE HASH ALGORITHMS - A method of an aspect includes receiving an instruction. The instruction indicates a first source of a first packed data including state data elements a | 06-09-2016 |
20160170769 | TECHNOLOGIES FOR INDIRECT BRANCH TARGET SECURITY | 06-16-2016 |
20160171186 | CONTENT DISTRIBUTION WITH RENEWABLE CONTENT PROTECTION | 06-16-2016 |
20160171248 | Using Trusted Execution Environments for Security of Code and Data | 06-16-2016 |
20160196219 | FLEXIBLE ARCHITECTURE AND INSTRUCTION FOR ADVANCED ENCRYPTION STANDARD (AES) | 07-07-2016 |
20160197949 | SECURE DIGITAL TRAFFIC ANALYSIS | 07-07-2016 |
20160253520 | METHOD AND APPARATUS FOR DEVICE STATE BASED ENCRYPTION KEY | 09-01-2016 |
20160378688 | PROCESSORS, METHODS, SYSTEMS, AND INSTRUCTIONS TO SUPPORT LIVE MIGRATION OF PROTECTED CONTAINERS - A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location. | 12-29-2016 |
20160378996 | ESTABLISHING HARDWARE ROOTS OF TRUST FOR INTERNET-OF-THINGS DEVICES - An Internet-of-Things (IoT) device platform to communicate in a trusted portion of an IoT network is disclosed. The trusted IoT platform can include a secure IoT system-on-chip (SoC) and can be integrated into various devices such that each of the devices may implement “roots of trust” to establish a trusted portion, or a trusted backbone, of the IoT network. | 12-29-2016 |
20160378997 | IMAGE FORMING APPARATUS, METHOD FOR WRITING DATA THEREOF, AND NON-TRANSITORY COMPUTER READABLE RECORDING MEDIUM - An image forming apparatus includes a function unit configured to perform a predetermined function, a volatile memory configured to store data which is necessary for performing the function of the function unit, and a controller configured to control the function unit using the encrypted data stored in the volatile memory, and to encrypt data to be stored in the volatile memory and write the data on a predetermined area of the volatile memory. | 12-29-2016 |
20170235963 | METHOD, APPARATUS, SYSTEM AND NON-TRANSITORY COMPUTER READABLE MEDIUM FOR CODE PROTECTION | 08-17-2017 |