Inventors list

Assignees list

Classification tree browser

Top 100 Inventors

Top 100 Assignees


Computer instruction/address encryption

Subclass of:

713 - Electrical computers and digital processing systems: support

713189000 - DATA PROCESSING PROTECTION USING CRYPTOGRAPHY

Patent class list (only not empty are listed)

Deeper subclasses:

Entries
DocumentTitleDate
20110202775ATOMIC HASH INSTRUCTION - A method for performing a hash operation, including providing an atomic hash instruction that directs a microprocessor to perform a the hash operation and to indicate whether the hash operation has been interrupted by an interrupting event; translating the atomic hash instruction into first and second micro instructions; via a hash unit, first executing the first micro instructions to accomplish the hash operation according to the hash mode; and via an integer unit, second executing the second micro instructions in parallel with the first executing to test a bit in a flags register, to update text pointer registers, and to process interrupts during execution of the hash operation. The atomic hash instruction has an opcode field, configured to prescribe the hash operation, and a hash mode field, configured to prescribe that the microprocessor accomplish the hash operation according to a one of a plurality of hash modes.08-18-2011
20120246487System and Method to Protect Java Bytecode Code Against Static And Dynamic Attacks Within Hostile Execution Environments - A method and system that provides secure modules that can address Java platform weaknesses and protect Java bytecode during execution time. The secure modules are implemented in C/C++ as an example. Because implementation of the security modules is made in C/C++, this enables use of security technology that secures C/C++ software code.09-27-2012
20100077228Implementing Portable Content Protection to Secure Secrets - A source-level compiler may randomly select compilation conventions to implement portable content protection, securing the secrets embedded in a program by shuffling associated data. The program may be developed using a source language that is applicative on the associated data. To obscure the embedded secrets, in one embodiment, pre-compiler software may be deployed for compiling the program in a random-execution-order based on a random seed indication that randomly selects compilation conventions and a shuffling algorithm that moves the associated data across the program during execution.03-25-2010
20130080791Security Protocols for Processor-Based Systems - A processor-based system such as a wireless communication module may implement security functions in a cost effective fashion by providing a virtual memory space whose addresses may be recognized. The memory is integrated with an application processor. When those addresses are recognized, access to special security protocols may be allowed. In another embodiment, a variety of dedicated hardware cryptographic accelerators may be provided to implement security protocols in accordance with a variety of different standards. By optimizing the hardware for specific standards, greater performance may be achieved.03-28-2013
20090119516SECURE DEVICE AND READER-WRITER - The invention is to solve a problem such that a server application that a secure device has cannot be used by a client application that a different secure device has.05-07-2009
20090307500PROGRAM OBFUSCATOR - A program obfuscator of the present invention divides a target program into a plurality of blocks and determines program instructions allocated according to an input/output relation between the blocks, in order to diffuse and allocate the program instructions for calculating a value of secret information in various places of the program. More specifically, with regard to a variable for calculating the secret information transferred to and from the blocks, a value of the variable when outputted from a block is equalized to a value of the variable when inputted to a next block. A random variable conversion instruction is added to each of the blocks so that a value of the variable when outputted from each block is in a range of a value expected as an input to the next block.12-10-2009
20130061061PROTECTING LOOK UP TABLES BY MIXING CODE AND OPERATIONS - In the field of computer enabled cryptography, such as a cipher using lookup tables, the cipher is hardened against an attack by a protection process which obscures the lookup tables using the properties of bijective functions and applying masks to the tables' input and output values, for encryption or decryption. This is especially advantageous in a “White Box” environment where an attacker has full access to the cipher algorithm, including the algorithm's internal state during its execution. This method and the associated computing apparatus are useful for protection against known attacks on “White Box” ciphers, by obfuscating lookup table data, thereby increasing the cipher's complexity against reverse engineering and other attacks.03-07-2013
20120117389Methods and Apparatuses for Determining and Using a Configuration of a Composite Object - Methods and apparatuses are provided for determining and using a configuration of a composite object. A method may include receiving information emitted by one or more tags in one or more objects of a composite object. The method may further include determining, based at least in part on the received information, at least a partial configuration of the composite object. The method may additionally include using the determined at least a partial configuration of the composite object as an input to alter an application state. Corresponding apparatuses are also provided.05-10-2012
20110022855SYSTEM AND METHOD FOR THWARTING BUFFER OVERFLOW ATTACKS USING ENCRYPTED PROCESS POINTERS01-27-2011
20110022854Processor-implemented method for ensuring software integrity - The present invention provides a solution to the problem of guaranteeing the integrity of software programmes by encrypting all or part of each instruction of a programme using a key based on all or part of one or a plurality of previous instructions, thus resulting in a different encryption key per instruction. The invention is applicable to software programmes whose structures are not necessarily tree-like in nature and is also applicable when the programme includes loops, jumps, calls or breaks etc. The invention allows for an exception to be flagged when an encrypted instruction is wrongly decrypted. There is no need for the first instruction to be in clear, since the instruction key may be appropriately initialised as required. The invention can be realised in software or entirely in hardware thereby eliminating the possibility of a third party intercepting a decrypted instruction or a decryption key.01-27-2011
20110022853ENCRYPTING DATA IN VOLATILE MEMORY - Provided are a computer program product, system, and method to allocate blocks of memory in a memory device having a plurality of blocks. At least one unencrypted memory allocation function coded in an application is executed to request allocation of unencrypted blocks in the memory device. An encrypted memory allocation function coded in the application is executed to request allocation of encrypted blocks in the memory device. At least one unencrypted Input/Output (I/O) request function coded in the application indicating an I/O operation to perform against the unencrypted blocks in the memory device is executed. At least one encrypted I/O request function coded in the application indicating an I/O operation to perform against the encrypted blocks in the memory device is executed. An operating system uses an encryption key associated with the encrypted blocks to encrypt or decrypt data in the encrypted blocks to perform the encrypted I/O operation in response to processing the encrypted I/O request functions, wherein the unencrypted and encrypted memory allocation functions and unencrypted and encrypted I/O request functions comprise different functions in a library of functions available to the application.01-27-2011
20090235090Method for Decrypting an Encrypted Instruction and System thereof - Methods of preventing private information, which is hidden within data of a private domain reserved by an application program, from being easily accessed by a CPU and other devices, both where the data of the private domain is decrypted and the access to said data are restricted are disclosed, where the mentioned other devices do not include a decryption module utilized in the methods. Therefore, as long as agreements related to encryptions and decryptions are made in advance between the application program and the decryption module, private information can be well protected.09-17-2009
20090235089COMPUTER OBJECT CODE OBFUSCATION USING BOOT INSTALLATION - In the field of computer software, obfuscation techniques for enhancing software security are applied to compiled (object) software code. The obfuscation results here in different versions (instances) of the obfuscated code being provided to different installations (recipient computing devices). The complementary code execution uses a boot loader or boot installer-type program at each installation which contains the requisite logic. Typically, the obfuscation results in a different instance of the obfuscated code for each intended installation (recipient) but each instance being semantically equivalent to the others. This is accomplished in one version by generating a random value or other parameter during the obfuscation process, and using the value to select a particular version of the obfuscating process, and then communicating the value along with boot loader or installer program software. This boot loader then selects which particular process to use for the code execution at the time of installation in accordance with the value. This results in different versions of the obfuscated code being provided to each recipient installation, which further enhances security of the code against reverse engineering by hackers.09-17-2009
20090235088Program conversion device, execution support device, and method and computer program for the same - A method invocation modification unit modifies method invocation described in a body program to dynamic invocation and modifies the method invocation to invocation via an execution support device. An encryption unit modifies the body program by encrypting a character string designating the dynamic invocation after modification by the method invocation modification unit. Therefore, the method invocation can be hidden and understanding of the program can be made difficult.09-17-2009
20090006863Storage system comprising encryption function and data guarantee method - This storage system includes a host computer for issuing a read command or a write command of data, a pair of logical volumes corresponding to a pair of virtual devices to be recognized by the host computer, and a device interposed between the host computer and the pair of logical volumes and having a function of encrypting and decrypting data. The storage system additionally includes a path management unit for specifying one path to each of the logical volumes from a plurality of data transfer paths between the host computer and the pair of logical volumes for transferring encrypted data or decrypted data which was encrypted or decrypted via the device with data encryption or decryption function based on a read command or a write command of data from the host computer.01-01-2009
20080301467Memory Security Device - Embodiments of the systems and methods presented herein may provide memory security in a semiconductor device or a computing system using an address encryption section operable to encrypt a write address or a read address, a data encrypting section operable to encrypt data to be written, a write section operable to write encrypted data at an encrypted write address corresponding to a memory, a read section operable to read encrypted data from the encrypted read address corresponding to the memory and a data decryption section operable to decrypt the read encrypted data to obtain read data corresponding to the read address.12-04-2008
20110035601System, method and computer program product for protecting software via continuous anti-tampering and obfuscation transforms - Method, system and computer program product for applying existing anti-tampering and obfuscation technique to virtual machine technology and offers several distinct advantages. The anti-tampering and obfuscation transforms can be applied continuously to prevent adversaries from gaining information about the program through emulation or dynamic analysis. In addition, the encryption can be used to prevent hackers from gaining information using static attacks. The use of a virtual machine also allows for low overhead execution of the obfuscated binaries as well as finer adjustment of the amount of overhead that can be tolerated. In addition, more protection can be applied to specific portions of the application that can tolerate slowdown. The incorporation of a virtual machine also makes it easy to extend the technology to integrate new developments and resistance mechanisms, leading to less development time, increased savings, and quicker deployment.02-10-2011
20090113218SECURE DATA PROCESSING FOR UNALIGNED DATA - A method for data cryptography includes accepting input data, which contains a section that is to undergo a cryptographic operation and starts at an offset with respect to a beginning of the input data, by a Direct Memory Access (DMA) module. The input data is aligned by the DMA module to cancel out the offset. The aligned input data is read out of the DMA module, and the cryptographic operation is performed on the section.04-30-2009
20090172414DEVICE AND METHOD FOR SECURING SOFTWARE - A device that includes a first memory unit adapted to store encrypted instructions, a processor adapted to execute decrypted instructions, a second memory unit accessible by the processor, and a decryption unit. The device is characterized by including a key database and a key selection circuit, wherein the key selection circuit is adapted to select a selected decryption key from the key database for decrypting encrypted instructions. The selection is responsive to a fixed selection information stored within the integrated circuit and to received key selection information.07-02-2009
20110283115DEVICE AND A METHOD FOR GENERATING SOFTWARE CODE - A method to generate final software code resistant to reverse engineering analysis from an initial software code, said initial software code transforming an input data to an output data, said final software code being executed by a processor being able to directly handle data of a maximum bit length M, comprising the steps of: building a conversion table comprising in one side one instruction and in the other side a plurality of equivalent instructions or sets of instructions; splitting the input data into a plurality of segments of random length, said segments having a length equal or smaller than the maximum bit length M; for each instruction of a block of instructions, selecting pseudo-randomly an equivalent instruction or set of instructions from the conversion table so as to obtain an equivalent block of instructions; and appending the plurality of equivalent blocks of instructions to obtain the final software code.11-17-2011
20090006864MICROPROCESSOR WITH IMPROVED TASK MANAGEMENT AND TABLE MANAGEMENT MECHANISM - A tamper resistant microprocessor has a task state table for assigning a task identifier to a task that can take a plurality of states, and storing a state of the task in correspondence to the task identifier; a task register for storing the task identifier of a currently executed task; an interface for reading a program stored in a form encrypted by using a program key at an external memory, in units of cache lines, when a request for the task is made; an encryption processing unit for generating decryption keys that are different for different cache lines, according to the program key, and decrypt a content read by the interface; a cache memory formed by a plurality of cache lines each having a tag, for storing the task identifier corresponding to a decryption key used in decrypting each cache line in the tag of each cache line; and an access check unit for comparing the task identifier stored in the tag of each cache line with a value of the task register, and discarding a content of each cache line when the task identifier in the tag and the value of the task register do not coincide.01-01-2009
20110296206BRANCH TARGET ADDRESS CACHE FOR PREDICTING INSTRUCTION DECRYPTION KEYS IN A MICROPROCESSOR THAT FETCHES AND DECRYPTS ENCRYPTED INSTRUCTIONS - A branch target address cache (BTAC) caches history information associated with branch and switch key instructions previously executed by a microprocessor. The history information includes a target address and an identifier (index into a register file) for identifying key values associated with each of the previous branch and switch key instructions. A fetch unit receives from the BTAC a prediction that the fetch unit fetched a previous branch and switch key instruction and receives the target address and identifier associated with the fetched branch and switch key instruction. The fetch unit also fetches encrypted instruction data at the associated target address and decrypts (via XOR) the fetched encrypted instruction data based on the key values identified by the identifier, in response to receiving the prediction. If the BTAC predicts correctly, a pipeline flush normally associated with the branch and switch key instruction is avoided.12-01-2011
20110296205MICROPROCESSOR THAT FACILITATES TASK SWITCHING BETWEEN MULTIPLE ENCRYPTED PROGRAMS HAVING DIFFERENT ASSOCIATED DECRYPTION KEY VALUES - A microprocessor includes a storage element having a plurality of locations each storing decryption key data associated with an encrypted program. A control register field (may be x86 EFLAGS register reserved field) specifies a storage element location associated with a currently executing encrypted program. The microprocessor restores from memory to the control register a previously saved value of the field in response to executing a return from interrupt instruction. A fetch unit fetches encrypted instructions of the currently executing encrypted program and decrypts them using the decryption key data stored the storage element location specified by the restored field value. A kill bit associated with each storage element location may be employed if the location is clobbered because more encrypted programs are multitasked than available locations in the storage element, in which case an exception is generated to re-load the clobbered decryption key data in response to the return from interrupt instruction.12-01-2011
20110296204MICROPROCESSOR THAT FACILITATES TASK SWITCHING BETWEEN ENCRYPTED AND UNENCRYPTED PROGRAMS - A microprocessor includes an architected register having a bit (may be x86 EFLAGS register reserved bit) set by the microprocessor. A fetch unit fetches encrypted instructions from an instruction cache and decrypts them (via XOR) prior to executing them, in response to the microprocessor setting the bit. The microprocessor saves the bit value to a stack in memory and then clears the bit in response to receiving an interrupt. The fetch unit fetches unencrypted instructions from the instruction cache and executes them without decrypting them after the microprocessor clears the bit. The microprocessor restores the saved value from the stack in memory to the bit in the architected register (and in one embodiment, also restores decryption key values) in response to executing a return from interrupt instruction. The fetch unit resumes fetching and decrypting the encrypted instructions in response to determining that the restored value of the bit is set.12-01-2011
20110296203BRANCH AND SWITCH KEY INSTRUCTION IN A MICROPROCESSOR THAT FETCHES AND DECRYPTS ENCRYPTED INSTRUCTIONS - A microprocessor includes a fetch unit that fetches and decrypts an (atomic) branch and switch key instruction using first decryption key data. If the branch direction is not taken, the fetch unit fetches and decrypts the next sequential instruction after the branch and switch key instruction using the first decryption key data. If the direction is taken, the fetch unit fetches and decrypts a target instruction of the branch and switch key instruction using second decryption key data that is different from the first decryption key data. The instruction points to the decryption key data; alternatively, the microprocessor consults a mapping of target address ranges to decryption key data. An encryption program replaces conventional inter-program-chunk branch instructions with branch and switch key instructions before encrypting the program using information that divides the program into a sequence of chunks each chunk being a sequence of instructions and having distinct associated encryption key data.12-01-2011
20110296202SWITCH KEY INSTRUCTION IN A MICROPROCESSOR THAT FETCHES AND DECRYPTS ENCRYPTED INSTRUCTIONS - A fetch unit fetches a sequence of blocks of encrypted instructions of an encrypted program from an instruction cache at a corresponding sequence of fetch address values. While fetching each block of the sequence, the fetch unit generates a decryption key as a function of key values and the corresponding fetch address value, and decrypts the encrypted instructions using the generated decryption key by XORing them together. A switch key instruction instructs the microprocessor to update the key values in the fetch unit while the fetch unit is fetching the sequence of blocks. The fetch unit inherently provides an effective decryption key length that depends upon the function and amount of key values used. Including one or more switch key instructions within the encrypted program increases the effective decryption key length up to the encrypted program length.12-01-2011
20090119515OBFUSCATION EVALUATION METHOD AND OBFUSCATION METHOD - An obfuscation evaluation method which sufficiently evaluates an obfuscation performed on a program. The obfuscation evaluation method includes: a step (S05-07-2009
20100023780FLASH DEVICE SECURITY METHOD UTILIZING A CHECK REGISTER - Methods of operating memory systems and memory systems are disclosed, such as a memory system having a memory array storing a code generating program to instruct a processor to generate a code, and a register to store a code generated by the processor, where the register is configured to allow a write operation to the memory array in response to a match of a code stored in the register and where the match is controlled in response to a request from a utility program being executed by the processor.01-28-2010
20100169666METHODS AND SYSTEMS TO DIRECLTY RENDER AN IMAGE AND CORRELATE CORRESPONDING USER INPUT IN A SECUIRE MEMORY DOMAIN - Methods and systems to assign an application and a video frame buffer to a protected memory domain to render an image of a keyboard from the protected memory domain to a random position of the video frame buffer and correlate user input from a pointing device to the rendered keyboard image. The keyboard image may be randomly repositioned following a user input. The keyboard image may be rendered over a secure user image. An acknowledgment image may be rendered from the protected memory domain to a random position of the video frame buffer, and may be randomly repositioned in response to a user input that does not correlate to the acknowledgment image. User inputs that do not correlate to a randomly positioned image may be counted, and one or more processes may be aborted when the number of non-correlated user inputs exceeds a threshold.07-01-2010
20090125728SECURITY METHOD OF SYSTEM BY ENCODING INSTRUCTIONS - The provided is a method for securing a system by encoding instructions. The method includes encoding instructions composed by a system developer and storing the encoded instructions through an encoding module during a compiling procedure, and decoding the encoded instructions and executing the decoded instructions through a decoding module. In the method, the instructions are encoded using interdependency between instructions in an instruction set which is composed by a system developer.05-14-2009
20100115290KEYBOARD AND METHOD FOR SECURE TRANSMISSION OF DATA - A keyboard, in particular a POS (point of sale, point of service) keyboard, bank keyboard, keyboard for secure data entry, and a method for secure transmission of data that is entered through various data entry modules such as, e.g., magnetic card readers, chip card readers, key switches, or a keypad, to an external device connected to the keyboard, for example a computer. The keyboard comprises at least one data entry module for entering data and a keyboard control device with at least one receiving device for receiving the entered data, an encryption device for encrypting the received data by means of an encryption algorithm, wherein the encryption algorithm is present in the form of program code, and a transmission device for transmitting the data encrypted by the encryption means to the external device connected to the keyboard control device, wherein the encryption algorithm can be selected by the user from multiple predefined encryption algorithms and associated with the data entry module.05-06-2010
20120110349METHOD FOR OBFUSCATING A COMPUTER PROGRAM - The invention relates to a method for obfuscating a computer program.05-03-2012
20120110348Secure Page Tables in Multiprocessor Environments - A system comprises a memory module configured to store signed page table data and a selected processing element coupled to the memory module. The selected processing element is one of a plurality of processing elements, which together comprise a portion of a multiprocessor system. The selected processing element is configured to authenticate page table management code and, based on authenticated page table management code, to sign page table data that is subsequently stored in the memory module, and to verify signed page table data that is read from the memory module.05-03-2012
20130219192CONTENTS SECURITY APPARATUS AND METHOD THEREOF - A contents security apparatus for preventing Standard Definition (SD) contents which are protected targets of a level which is relatively lower than that of High Definition (HD) contents from being processed through a trust zone of a processor thereof and a method thereof are provided. The contents security apparatus includes a processor for operating a first Operating System (OS) and for storing authentication information of at least one or more contents and a second OS for limiting access to the first OS, wherein the first OS decrypts and processes contents with a high security level and wherein the second OS decrypts and processes contents with a low security level.08-22-2013
20100125740SYSTEM FOR SECURING MULTITHREADED SERVER APPLICATIONS - A system for securing multithreaded server applications addresses the need for improved application performance. The system implements offloading, batching, and scheduling mechanisms for executing multithreaded applications more efficiently. The system significantly reduces overhead associated with the cooperation of the central processing unit with a graphics processing unit, which may handle, for example, cryptographic processing for threads executing on the central processing unit.05-20-2010
20090089589INFORMATION PROCESSING APPARATUS FOR PROTECTED DATA FILES AND INFORMATION PROCESSING METHOD THEREOF - According to one embodiment, a processing environment of protected file data is improved by an inspection module which inspects whether file ARF protected in a predetermined format is usable or unusable, an information table in which usable/unusable data of the ARF is set based on the inspection result of the inspection module, a file cache which stores the ARF, the usable/unusable data of which is set in this table, and a decryption processor which decrypts resource data as the contents of an encrypted data object using the ARF stored in this cache.04-02-2009
20120297203COMPUTING DEVICE AND METHOD FOR CONTROLLING ACCESS TO DRIVER PROGRAMS - A computing device and a method for controlling access to driver programs obtains a first system time at the time that an application uses a CTL_CODE to access a driver program. The first system time and the CTL_CODE is encrypted to generate an encrypted CTL_CODE which is then sent to the driver program. The encrypted CTL_CODE is decrypted to obtain the first system time and the CTL_CODE therein. A second system time at the time that the driver program receives the encrypted CTL_CODE is obtained and compared with the first system time. Access to the driver program is allowed if a difference between the first system time and the second system time falls within a predetermined range, and access to the driver program is forbidden if the difference is beyond the predetermined range.11-22-2012
20080276100Virtual Machine or Hardware Processor for Ic-Card Portable Electronic Devices - A virtual machine or hardware processor for an IC-card portable electronic device includes a non-volatile memory unit, a remote decryption unit, and associated objects for storing an executable program in an encrypted format in the non-volatile memory. The IC-card stores a licence key to encrypt and decrypt the executable program through an IC-card interface. The IC-card interface extracts and encrypts the operands of the plain executable program into encrypted operands so as to not limit performance. The remote decryption unit detects if an instruction contains encrypted operands, and queries a decryption to the IC-card interface. The IC-card interface decrypts the encrypted operands and re-encrypts the just decrypted operands into obscured operands through a dynamic obscuration key.11-06-2008
20090265562DATA CONVERSION METHOD ON STORAGE MEDIUM, APPARATUS AND PROGRAM - In a data conversion auxiliary module which is at a higher level than a file system in a disk management hierarchy, data stored in a storage medium, which becomes an object, is successively accessed. Then, a data conversion module captures a sector-unit access request to a device driver from the file system, converts data of a sector which is returned from the device driver, and writes the conversion data in the sector. Thereby, data conversion can be executed on a specific region of the storage medium, which is associated with the data in the storage medium.10-22-2009
20100281273System and Method for Processor-Based Security - A system and method for processor-based security is provided, for on-chip security and trusted computing services for software applications. A processor is provided having a processor core, a cache memory, a plurality of registers for storing at least one hash value and at least one encryption key, a memory interface, and at least one on-chip instruction for creating a secure memory area in a memory external to the processor, and a hypervisor program executed by the processor. The hypervisor program instructs the processor to execute the at least one on-chip instruction to create a secure memory area for a software area for a software module, and the processor encrypts data written to, and decrypts data read from, the external memory using the at least one encryption key and the verifying data read from the external memory using the at least one hash value. Secure module interactions are provided, as well as the generation of a power-on key which can be used to protect memory in the event of a re-boot event. Lightweight, run-time attestation reports are generated which include selected information about software modules executed by the processors, for use in determining whether the processor is trusted to provide secure services.11-04-2010
20080288785Data Security and Digital Rights Management System - A system and method is described for enhancing data security in a broad range of electronic systems through encryption and decryption of addresses in physical memory to which data is written and from which data is read. It can be implemented through software, hardware, firmware or any combination thereof. Implementation in Digital Rights Management execution using the invention reduces cost, enhances performance, and provides additional transactional security.11-20-2008
20080270806Execution Device - An execution device executes an application program created in an object-oriented language. An application includes one or more classes that each have one or more methods, and confidentiality information that expresses whether or not confidentiality is necessary. The execution device determines whether or not encryption is necessary, with reference to the confidentiality information, and when the method is to be executed, records, in a memory, an object including data that the method manipulates. When it is determined that encryption is necessary, the object is recorded with the data encrypted.10-30-2008
20080288786System with access keys - In an embodiment, a secure module is provided that provides access keys to an unsecured system. In an embodiment, the secure module may generate passcodes and supply the passcodes to the unsecured system. In an embodiment, the access keys are sent to the unsecured system after the receiving the passcode from the unsecured system. In an embodiment, after authenticating the passcode, the secure module does not store the passcode in its memory. In an embodiment, the unsecured module requires the access key to execute a set of instructions or another entity. In an embodiment, the unsecured system does not store access keys. In an embodiment, the unsecured system erases the access key once the unsecured system no longer requires the access key. In an embodiment, the unsecured system receives a new passcode to replace the stored passcode after using the stored passcode. Each of these embodiments may be used separately.11-20-2008
20090164803Cipher Message Assist Instruction - A method, system and program product for executing a cipher message assist instruction in a computer system by specifying, via the cipher message assist instruction, either a capability query installed function or execution of a selected function of one or more optional functions, wherein the selected function is an installed optional function, wherein the capability query determines which optional functions of the one or more optional functions are installed on the computer system.06-25-2009
20110225431System and Method for General Purpose Encryption of Data - Systems and methods for reducing problems and disadvantages associated with traditional approaches to encryption and decryption of data are provided. An information handling system may include a processor, a memory communicatively coupled to the processor, and an encryption accelerator communicatively coupled to the processor. The encryption accelerator may be configured to encrypt and decrypt information in accordance with a plurality of cryptographic functions, receive a command from the processor to perform an encryption or decryption task upon data associated with an input/output operation, and in response to receiving the command, encrypt or decrypt the data associated with the input/output operation based on a particular one of the plurality of cryptographic functions.09-15-2011
20090144561Method and System for Software Protection Using Binary Encoding - Software is protected by encoding the target software instructions and decoding the target instructions.06-04-2009
20110225432METHOD AND CIRCUITRY FOR DETECTING A FAULT ATTACK - A method of detecting a fault attack during a cryptographic operation using at least one look-up table including a plurality of sub-tables each having a same number of values of a fixed bit length, a fixed relation existing between values at same locations in each sub-table, the method including: performing a load operation to retrieve from the look-up table data values from a same location in each sub-table; verifying that the fixed relation exists between at least two of the data values; and generating an output signal based on the verification.09-15-2011
20090199014SYSTEM AND METHOD FOR SECURING AND EXECUTING A FLASH ROUTINE - A microcontroller comprises a random access memory (RAM) device; a non-volatile memory device having a data sector, wherein operation codes are stored as data files in the data sector; and a processor configured to retrieve the operation codes from the data sector, load the retrieved operation codes into the RAM device and run the decrypted operation codes from the RAM device.08-06-2009
20120079286DATA PROCESSING APPARATUS - A data processing apparatus is provided, which detects falsification of software to data and rewriting of the data. The data processing apparatus according to an embodiment of the present invention comprises a security unit which has an encryption circuit for decrypting an encrypted signal including secrecy data. The security unit includes a compression circuit which compresses an access signal used in accessing the security unit and outputs the compression result, and a comparison circuit which compares the compression result outputted from the compression circuit with a previously-calculated expectation value of the compression result of the access signal.03-29-2012
20120079285TWEAKABLE ENCRYPION MODE FOR MEMORY ENCRYPTION WITH PROTECTION AGAINST REPLAY ATTACKS - A method and apparatus for protecting against hardware attacks on system memory is provided. A mode of operation for block ciphers enhances the standard XTS-AES mode of operation to perform memory encryption by extending a tweak to include a “time stamp” indicator. An incrementing mechanism using the “time stamp” indicator generates a tweak which separates different contexts over different times such that the effect of “Type 2 replay attacks” is mitigated.03-29-2012
20110231673CRYPTOGRAPHIC PROCESSING USING A PROCESSOR - In one embodiment, a cryptography processor compatible with the Advanced Encryption Standard (AES) for encrypting and decrypting has a memory storing each element of an AES State, normally 8-bit long, in a corresponding memory space that is at least 9 bits long. Using the larger memory spaces, the processor performs modified AES transformations on the State. A modified column-mixing transformation uses bit-shifting and XOR operations, thereby avoiding some multiplications and modulo reductions and resulting in some 9-bit State elements. A modified byte-substitution transformation uses a 512-element look-up table to accommodate 9-bit inputs. The modified byte-substitution transformation is combined with a modified row-shifting transformation. The memory has data registers each holding four State elements. A modified expanded key schedule is used in a modified round-key-adding transformation that is combined with the modified column-mixing transformation, wherein all four elements stored in a single data register are processed together in some operations.09-22-2011
20090204823METHOD AND APPARATUS FOR CONTROLLING SYSTEM ACCESS DURING PROTECTED MODES OF OPERATION - A microprocessor to provide software development debugging capabilities while providing security for confidential and/or sensitive information. The processor may operate in one of an open, a secure entry, and a secure mode. In open mode, security measures may prevent access to certain registry bits and access to a private memory area. Secure entry mode may be entered upon receipt of a request to run secure code and/or access the private memory area. The secure code may be authenticated in secure entry mode. Authentication may be performed using digital signatures. Secure mode may be entered if authentication is successful. Authenticate code may be executed in the secure mode environment. The private memory area may be accessible in secure mode.08-13-2009
20120198242DATA PROTECTION WHEN A MONITOR DEVICE FAILS OR IS ATTACKED - In some examples, a system includes a data storage device that stores data and a monitor device that monitors a physical domain in which the data storage device is located and conditions access to data stored by the data storage device based on communication between the monitor device and the data storage device. In some examples, the system is configured to impede access to the data when at least one of operation the monitor device fails or the monitor device is attacked. Additionally, in some examples, the monitor device is configured to restrict access to the data when the monitor device is engaged and an attacker attempts to access the data storage device directly.08-02-2012
20100153745Methods and devices for instruction level software encryption - A method of encrypting compiled computer code instructions to be decrypted instruction by instruction during execution. The computer code instructions are encrypted using a chaining mode so that an encrypted instruction depends on the values of the instruction, the value of the preceding instruction and a pseudo-random number. As it may happen that the instruction can be arrived at from more than one preceding instruction, at least one of the preceding instructions is associated with a random number compensator for use during decryption of the encrypted instruction, so that the decryption of the encrypted instruction yields the same result regardless of which the preceding instruction was. Also provided are an encryption device, a decryption device and method, and a digital support medium storing encrypted compiled computer code instructions.06-17-2010
20100262840METHOD AND DEVICES FOR PROTECTING A MICROCIRCUIT FROM ATTACKS FOR OBTAINING SECRET DATA - A method of protecting a microcircuit against attacks aimed at discovering secret data used on the execution, by the microcircuit, of an encryption algorithm includes generating at least one protection parameter for the secret data and modifying the execution of the encryption algorithm through that protection parameter. Generation of the at least one protection parameter includes defining a function generating, by successively applying to at least one secret parameter which is stored in memory, a sequence of values which can only be determined from that secret parameter and that function, and to generate the protection parameter in a reproducible way from at least one value in that sequence.10-14-2010
20100185876KEYBOARD-INPUT INFORMATION-SECURITY APPARATUS AND METHOD - A keyboard-input information-security apparatus and method are provided. The apparatus includes an interrupt-descriptor table for storing a list of addresses of functions for handling interrupts, and storing an address of a secure input interrupt-service routine at a specific location in an address area for an operating-system input interrupt-service routine supported by an operating system; a secure input-device driver for changing keyboard-interrupt-vector information to invoke the address of the secure input interrupt-service routine when a keyboard interrupt is generated by a keyboard, and receiving and encoding data input via the keyboard based on the address of the secure input interrupt-service routine; and a secure input unit for delivering the encoded data from the secure input-device driver to an application program, thereby providing higher-level security than a conventional keyboard-security scheme, and particularly, effectively blocking a port-polling attack or an action trying to change a setting in a debug register.07-22-2010
20100262839Obfuscating Execution Traces of Computer Program Code - A computer-implemented method of generating tamper-protected computer program code. The method comprises obtaining a representation of the computer program code, the computer program being adapted to cause a data processing system to perform a plurality of computational tasks in a first order of execution, each computational task being represented in the representation of the computer program code by at least one program statement; obtaining a plurality of alternative orders of execution of the computational tasks; generating an executable representation of the program code adapted to cause a data processing system to select a randomized order of execution from the plurality of alternative orders of execution and to execute the computational tasks in the selected randomized order of execution.10-14-2010
20120124393System and Methods for Silencing Hardware Backdoors - Methods for preventing activation of hardware backdoors installed in a digital circuit, the digital circuit comprising one or more hardware units to be protected. A timer is repeatedly initiated for a period less than a validation epoch, and the hardware units are reset upon expiration of the timer to prevent activation of a time-based backdoor. Data being sent to the hardware unit is encrypted in an encryption element to render it unrecognizable to a single-shot cheat code hardware backdoor present in the hardware unit. The instructions being sent to the hardware unit are reordered randomly or pseudo-randomly, with determined sequential restraints, using an reordering element, to render an activation instruction sequence embedded in the instructions unrecognizable to a sequence cheat code hardware backdoor present in the hardware unit.05-17-2012
20100250964APPARATUS AND METHOD FOR IMPLEMENTING INSTRUCTION SUPPORT FOR THE CAMELLIA CIPHER ALGORITHM - A processor including instruction support for implementing the Camellia block cipher algorithm may issue, for execution, programmer-selectable instructions from a defined instruction set architecture (ISA). The processor may include a cryptographic unit that may receive instructions for execution. The instructions include one or more Camellia instructions defined within the ISA. In addition, the Camellia instructions may be executable by the cryptographic unit to implement portions of a Camellia cipher that is compliant with Internet Engineering Task Force (IETF) Request For Comments (RFC) 3713. In response to receiving a Camellia F( )-operation instruction defined within the ISA, the cryptographic unit may perform an F( ) operation, as defined by the Camellia cipher, upon a data input operand and a subkey operand, in which the data input operand and subkey operand may be specified by the Camellia F( )-operation instruction.09-30-2010
20100229000SOFTWARE COPYRIGHT PROTECTION AND LICENSING SYSTEM USING RFID - The present invention provides a software copyright protection and licensing system (09-09-2010
20100229001NONVOLATILE MEMORY DEVICE AND OPERATING METHOD - Disclosed is an operating method of a non-volatile memory device which comprises randomizing data to store the randomized data; erasing the randomized data; and outputting erase data according to information of a flag cell of the non-volatile memory device at a read operation.09-09-2010
20100250965APPARATUS AND METHOD FOR IMPLEMENTING INSTRUCTION SUPPORT FOR THE ADVANCED ENCRYPTION STANDARD (AES) ALGORITHM - A processor including instruction support for implementing the Advanced Encryption Standard (AES) block cipher algorithm may issue, for execution, programmer-selectable instructions from a defined instruction set architecture (ISA). The processor may include a cryptographic unit that may receive instructions for execution. The instructions include one or more AES instructions defined within the ISA. In addition, the AES instructions may be executable by the cryptographic unit to implement portions of an AES cipher that is compliant with Federal Information Processing Standards Publication 197 (FIPS 197). In response to receiving a first AES encryption round instruction defined within the ISA, the cryptographic unit may perform an encryption round of the AES cipher on a first group of columns of cipher state having a plurality of rows and columns. A maximum number of columns included in the first group may be fewer than all of the columns of the cipher state.09-30-2010
20100235651SECURE OPERATION OF PROCESSORS - Secure operation of processors is disclosed. A cell processor receives a secure file image from a client device at a processor of a host device (host cell processor), wherein the secure file image includes encrypted contents.09-16-2010
20080294910SYSTEM AND METHOD FOR PROTECTING NUMERICAL CONTROL CODES - A system, method, and computer program for protecting numerical control codes, comprising decrypting an encrypted text file that defines how an event for a tool path data set is processed; processing said decrypted text file to obtain a set of instructions; formatting said set of instructions according to a definition file; and outputting said set of formatted instructions; whereby postprocessed machine controls are written and appropriate means and computer-readable instructions.11-27-2008
20120036371Protection from cryptoanalytic side-channel attacks - A method for protecting a circuit configured for executing functional cryptographic operations according to execution instructions from cryptoanalytic side-channel attacks via differential power analysis (DPA), simple power analysis (SPA) or electromagnetic analysis (EM), includes execution of nonfunctional cryptographic operations in addition to the functional cryptographic operations for masking the functional cryptographic operations.02-09-2012
20090319804Scalable and Extensible Architecture for Asymmetrical Cryptographic Acceleration - Systems and methods for providing asymmetrical cryptographic acceleration are provided. The scalable asymmetric cryptographic accelerator engine uses a layered approach based on the collaboration of firmware and hardware to perform a specific cryptographic operation. Upon receipt of a request for a cryptographic function, the system accesses a sequence of operations required to perform the requested function. A micro code sequence is prepared for each hardware operation and sent to the hardware module. The micro code sequence includes a set of load instructions, a set of data processing instructions, and a set of unload instructions. An instruction may include a register operand having a register type and a register index. Upon receipt of a load instruction, the hardware module updates size information in a content addressable memory for a register included in the instruction. The hardware module continuously monitors the content addressable memory to avoid buffer overflow or underflow conditions.12-24-2009
20090113217MEMORY RANDOMIZATION FOR PROTECTION AGAINST SIDE CHANNEL ATTACKS - Side channel attacks against a computing device are prevented by combinations of scrambling data to be stored in memory and scrambling the memory addresses of the data using software routines to execute scrambling and descrambling functions. Encrypted versions of variables, data and lookup tables, commonly employed in cryptographic algorithms, are thus dispersed into pseudorandom locations. Data and cryptographic primitives that require data-dependent memory accesses are thus shielded from attacks that could reveal memory access patterns and compromise cryptographic keys.04-30-2009
20100223478SYSTEM AND METHOD FOR PERFORMING EXPONENTIATION IN A CRYPTOGRAPHIC SYSTEM - There are disclosed systems and methods for computing an exponentiatied message. In one embodiment blinding is maintained during the application of a Chinese Remainder Theorem (CRT) algorithm and then removed subsequent to the completion of the CRT algorithm. In another embodiment, fault injection attacks, such as the gcd attack, can be inhibited by applying and retaining blinding during the application of the CRT algorithm to yield a blinded exponentiation value, and then subsequently removing the blinding in a manner that causes an error injected into the CRT computation to cascade into the exponent of the value used to unblind the blinded exponentiated value.09-02-2010
20120144208INDEXED TABLE BASED CODE ENCRYPTING/DECRYPTING DEVICE AND METHOD THEREOF - An indexed table based code encrypting device adapted to encrypt an executable file of a computer program includes: an index creator configured to classify codes of the executable file into code blocks using a call code and store the number of calls and start addresses of the code blocks; and a block encrypter configured to encrypt the code blocks with encryption keys. An encryption key of a code block (hereinafter, first type code block) called once is created by using a code block calling the first type code block and an encryption key of a code block (hereinafter, second type code block) called twice or more is created by using a random number. The encryption keys of the first and second type code blocks are stored in the executable file.06-07-2012
20130132736System And Method For Establishing A Shared Secret For Communication Between Different Security Domains - Embodiments may include generating an initial verifier for a first process, the initial verifier generated based on a trusted image of the first process. Embodiments may include, subsequent to generating an untransformed secret associated with the first process, using a reversible transform to transform the untransformed secret with the initial verifier to generate a transformed secret associated with the first process. Embodiments may also include, subsequent to the first process being launched outside of a secure domain, and dependent upon a second verifier generated from a current state of the first process being the same as the initial verifier: using the reversible transform to reverse transform the transformed secret with the second verifier to generate a de-transformed secret equal to the untransformed secret. Embodiments may include performing a secure communication protected with a cryptographic key generated based on the de-transformed secret. The communication may be performed across different security domains.05-23-2013
20130132737CRYPTOGRAPHIC SUPPORT INSTRUCTIONS - A data processing system 05-23-2013
20130138973SYSTEM AND METHOD FOR DATA OBFUSCATION BASED ON DISCRETE LOGARITHM PROPERTIES - Disclosed herein are systems, computer-implemented methods, and computer-readable storage media for obfuscating data based on a discrete logarithm. A system practicing the method identifies a clear value in source code, replaces the clear value in the source code with a transformed value based on the clear value and a discrete logarithm, and updates portions of the source code that refer to the clear value such that interactions with the transformed value provide a same result as interactions with the clear value. This discrete logarithm approach can be implemented in three variations. The first variation obfuscates some or all of the clear values in loops. The second variation obfuscates data in a process. The third variation obfuscates data pointers, including tables and arrays. The third variation also preserves the ability to use pointer arithmetic.05-30-2013
20100325446Securing Executable Code Integrity Using Auto-Derivative Key - A method for protecting software from tampering includes steps for processing, using a computer, first compiled software stored in a computer memory to generate a cryptographic key, the first compiled software configured to perform software protection functions and defined second functions distinct from the software protection functions when executed by a computer processor, the cryptographic key consisting of a first portion of the first compiled software comprising executable code compiled from the software protection functions, encrypting a second portion of the first compiled software using the cryptographic key to produce second compiled software comprising the first portion in unencrypted form and the second portion encrypted with the cryptographic key, wherein the second portion comprises executable code compiled from the defined second functions, and storing the second compiled software in a computer memory for distribution to a client device.12-23-2010
20110145599Data Stream Filters And Plug-Ins For Storage Managers - A storage manager and related method and computer program product manages client data on a data storage resource and includes the ability to utilize many different types of data stream filters that are neither built into the storage manager nor require a custom programming effort. A storage manager user may readily implement filtering by simply identifying a data stream filter the user wishes the storage manager to use for filtering the user's data. The filter can be an off-the-shelf program that is not part of the storage manager and which does not require client application or storage manager domain knowledge (e.g., knowledge of protocols or data types or formats used by the application or storage manager). The storage manager invokes the identified filter as part of a requested data stream operation and receives a data stream from a data stream source. The data stream is provided to the filter, which filters the data stream. Following filtering, the storage manager receives the data stream from the filter and sends it to a data stream destination.06-16-2011
20110145598Providing Integrity Verification And Attestation In A Hidden Execution Environment - In one embodiment, a processor includes a microcode storage including processor instructions to create and execute a hidden resource manager (HRM) to execute in a hidden environment that is not visible to system software. The processor may further include an extend register to store security information including a measurement of at least one kernel code module of the hidden environment and a status of a verification of the at least one kernel code module. Other embodiments are described and claimed.06-16-2011
20100332852Creating Secure Communication Channels Between Processing Elements - Two processing elements in a single platform may communicate securely to allow the platform to take advantage of the certain cryptographic functionality in one processing element. A first processing element, such as a bridge, may use its cryptographic functionality to request a key exchange with a second processing element, such as a graphics engine. Each processing element may include a global key which is common to the two processing elements and a unique key which is unique to each processing element. A key exchange may be established during the boot process the first time the system boots and, failing any hardware change, the same key may be used throughout the lifetime of the two processing elements. Once a secure channel is set up, any application wishing to authenticate a processing element without public-private cryptographic function may perform the authentication with the other processing element which shares a secure channel with the first processing element.12-30-2010
20110040985SERVER DEVICE, INFORMATION PROVIDING METHOD AND INFORMATION SUCCESSION SYSTEM - An information succession system, which operates in accordance with inputted information to provide access to inputted information, including the personality of the original user, to successors of the original user. An encryption processing unit encrypts inputted information and generates keys used in association with access by users. A character/personality data generation unit generates data indicative of a user's character or personality by analyzing user input information. That character data is stored in a character data memory unit and is associated with the user's identification information. A request information analysis unit analyzes and characterizes requests. Request characteristics are stored in the character data memory unit and associated with the user making the request. A transmitting information generation unit generates transmitting (output) information based on the generated personality data of the user and the characteristic of the request.02-17-2011
20110087895APPARATUS AND METHOD FOR LOCAL OPERAND BYPASSING FOR CRYPTOGRAPHIC INSTRUCTIONS - A processor may include a hardware instruction fetch unit configured to issue instructions for execution, and a hardware functional unit configured to receive instructions for execution, where the instructions include cryptographic instruction(s) and non-cryptographic instruction(s). The functional unit may include a cryptographic execution pipeline configured to execute the cryptographic instructions with a corresponding cryptographic execution latency, and a non-cryptographic execution pipeline configured to execute the non-cryptographic instructions with a corresponding non-cryptographic execution latency that is longer than the cryptographic execution latency. The functional unit may further include a local bypass network configured to bypass results produced by the cryptographic execution pipeline to dependent cryptographic instructions executing within the cryptographic execution pipeline, such that each instruction within a sequence of dependent cryptographic instructions is executable with the cryptographic execution latency, and where the results of the cryptographic execution pipeline are not bypassed to any other functional unit within the processor.04-14-2011
20110078462METHOD FOR MANAGING EXTERNAL STORAGE DEVICES - An apparatus, system, and method enable a new platform storage system to have access to an external storage system having data encrypted thereon by an existing platform storage system. Encryption information corresponding to the encrypted data in the external storage system is stored in a memory in the existing platform storage system. The encryption information stored in the memory of the existing platform storage system is transferred to an encryption table stored in the new platform storage system, so that the new platform storage system can read the encrypted data stored in the external storage system.03-31-2011
20100017625ARCHITECURE, SYSTEM, AND METHOD FOR OPERATING ON ENCRYPTED AND/OR HIDDEN INFORMATION - An architecture, system and method for operating on encrypted and/or hidden information (e.g., code and/or data). The invention enables creators, owners and/or distributors of proprietary code to keep such code inaccessible to users and user-controlled software programs. A memory architecture includes first and second protected memory spaces, respectively storing operating system instructions and a decrypted version of the encrypted information. The first protected memory space may further store a table linking the locations of the encrypted and/or hidden, decrypted information with a decryption and/or authorization key. The system includes the memory architecture and a processor for executing instructions, and the method loads, stores and operates on the encrypted and/or hidden information according to the memory architecture functionality and/or constraints.01-21-2010
20090031142System, Method and Computer Program Product for Processing a Memory Page - A method for processing a memory page, the method includes: retrieving, in response to a request to provide a first memory page to a processor, first memory page metadata associated with first memory page address information; wherein the first memory page address information is stored in a memory page table; and performing a page operation in response to the memory page metadata; wherein the page operation is selected from a group consisting of compression, cryptography, searching a page for a virus signature, searching a page for digital right management signature, error correction code verification, error correction code addition.01-29-2009
20100058071SYSTEM AND METHOD FOR ENCRYPTING AN ELECTRONIC FILE IN A MOBILE ELECTRONIC DEVICE - A system and method for encrypting an electronic file in a mobile electronic device reads bytes of the electronic file from a cache of a memory system and divides the bytes into a plurality of byte lines. The system and method further assigns a numerical cipher to each byte line and searches a position of each numerical cipher in a corresponding byte line. Furthermore, the system and method encrypt each byte line by inserting one or more random bytes into each byte line, and generates an encrypted electronic file by combining all the encrypted byte lines.03-04-2010
20100058070Message authentication code pre-computation with applications to secure memory - A method comprising the steps of creating a random permutation of data from a data input by executing at least one of a Pseudo-Random Permutation (PRP) and a Pseudo-Random Function (PRF), creating a first data block by combining the random permutation of data with a received second data block and executing an ε-differentially uniform function on the result of the combination, XORing the result of the ε-DU function evaluation with a secret key, and reducing the first data block to a first message authentication code.03-04-2010
20100070780QUANTUM PROGRAM CONCEALING DEVICE AND QUANTUM PROGRAM CONCEALING METHOD - An object of the present invention is to enable an authorized user to execute a quantum program, without letting the authorized user know the operation contents of the quantum program.03-18-2010
20100064144DATA SECURITY - This document discloses data security systems and methods of securing data. A cache memory can be connected between a decryption engine and a central processing unit (“CPU”) to increase security of encrypted data that is stored in a datastore. The decryption engine can retrieve the encrypted data from the datastore, decrypt the data, and store the decrypted data in the cache. In turn, the decrypted data can be accessed by the CPU. The data can be encrypted with a secret key, so that decryption can be performed with the secret key. The key can be varied based on a memory address associated with the data. The key can be protected by restricting direct access to the decryption engine by the CPU.03-11-2010
20100250966PROCESSOR AND METHOD FOR IMPLEMENTING INSTRUCTION SUPPORT FOR HASH ALGORITHMS - A processor including instruction support for implementing hash algorithms may issue, for execution, programmer-selectable hash instructions from a defined instruction set architecture (ISA). The processor may include a cryptographic unit that may receive instructions for execution. The instructions include hash instructions defined within the ISA. In addition, the hash instructions may be executable by the cryptographic unit to implement a hash that is compliant with one or more respective hash algorithm specifications. In response to receiving a particular hash instruction defined within the ISA, the cryptographic unit may retrieve a set of input data blocks from a predetermined set of architectural registers of the processor, and generate a hash value of the set of input data blocks according to a hash algorithm that corresponds to the particular hash instruction.09-30-2010
20100250967Semiconductor integrated circuit and control, method of the same - There is provided a semiconductor integrated circuit including a scan path circuit, which includes an encryption data storage unit that stores a secret key B created by encrypting a chip ID with use of a secret key A, and an encryption circuit that encrypts output data of the scan path circuit based on the secret key B and outputs the encrypted output data. This circuit configuration enables an increase in confidentiality in encryption of a scan test result.09-30-2010
20100122095Hardware-facilitated secure software execution environment - A hardware-facilitated secure software execution environment provides protection of both program instructions and data against unauthorized access and/or execution to maintain confidentiality and integrity of the software or the data during distribution, in external memories, and during execution. The secure computing environment is achieved by using a hardware-based security method and apparatus to provide protection against software privacy and tampering. A Harvard architecture CPU core is instantiated on the same silicon chip along with encryption management unit (EMU) circuitry and secure key management unit (SKU) circuitry. Credential information acquired from one or more sources is combined by the SKU circuitry to generate one or more security keys provided to the EMU for use in decrypting encrypted program instructions and/or data that is obtained from a non-secure, off-chip source such as an external RAM, an information storage device or other network source. In a non-limiting illustrative example implementation, the EMU decrypts a single memory page of encrypted instructions or data per a corresponding encryption key provided by the SKU. Although instantiated on the same chip, the CPU core does not have direct access to the SKU circuitry or to encryption key information generated by the SKU.05-13-2010
20110258461SYSTEM AND METHOD FOR RESOURCE SHARING ACROSS MULTI-CLOUD ARRAYS - A system for resource sharing across multi-cloud storage arrays includes a plurality of storage arrays and a cloud array storage (CAS) application. The plurality of storage resources are distributed in one or more cloud storage arrays, and each storage resource comprises a unique object identifier that identifies location and structure of the corresponding storage resource at a given point-in-time. The cloud array storage (CAS) application manages the resource sharing process by first taking an instantaneous copy of initial data stored in a first location of a first storage resource at a given point-in-time and then distributing copies of the instantaneous copy to other storage resources in the one or more cloud storage arrays. The instantaneous copy comprises a first unique object identifier pointing to the first storage location of the initial data in the first storage resource and when the instantaneous copy is distributed to a second storage resource, the first unique object identifier is copied into a second storage location within the second storage resource and the second storage location of the second storage resource is assigned a second unique object identifier.10-20-2011
20120204039COUNTERACTING MEMORY TRACING ON COMPUTING SYSTEMS BY CODE OBFUSCATION - Method and apparatus for obfuscating computer software code, to protect against reverse-engineering of the code. The obfuscation here is on the part of the code that accesses buffers (memory locations). Further, the obfuscation process copies or replaces parts of the buffer contents with local variables. This obfuscation is typically carried out by suitably annotating (modifying) the original source code.08-09-2012
20120204038PERFORMING BOOLEAN LOGIC OPERATIONS USING ARITHMETIC OPERATIONS BY CODE OBFUSCATION - Method and apparatus for obfuscating computer software code, to protect against reverse-engineering of the code. The obfuscation here is of the part of the code that performs a Boolean logic operation such as an exclusive OR on two (or more) data variables. In the obfuscated code, each of the two variables is first modified by applying to it a function which deconstructs the value of each of the variables, and then the exclusive OR operation is replaced by an arithmetic operation such as addition, subtraction, or multiplication, which is performed on the two deconstructed variables. The non-obfuscated result is recovered by applying a third function to the value generated by the arithmetic operation. This obfuscation is typically carried out by suitably annotating (modifying) the original source code.08-09-2012
20090319805TECHNIQUES FOR PERFORMING SYMMETRIC CRYPTOGRAPHY - Techniques are described for performing decryption using a key-specific decryption engine. A message including an encrypted data portion is received. The encrypted data portion is formed by performing a symmetric encryption operation using a symmetric key. The encrypted data portion is decrypted using a key-specific decryption engine which does not use the symmetric key as an input. Also described are techniques for generating the key-specific decryption engine which may be implemented using boolean functions determined for the symmetric key.12-24-2009
20080282093METHODS AND APPARATUS FOR SECURE PROGRAMMING AND STORAGE OF DATA USING A MULTIPROCESSOR IN A TRUSTED MODE - Methods and apparatus provide for: entering a secure mode in which a given processor may initiate a transfer of information into or out of said processor, but no external device may initiate a transfer of information into or out of said processor; and programming at least one trusted data storage location using a direct memory access (DMA) command to be one of read-only, write-only, readable and writeable, limited access, and reset, where said at least one trusted data storage location is located external to said processor.11-13-2008
20080229115PROVISION OF FUNCTIONALITY VIA OBFUSCATED SOFTWARE - In an example embodiment, executable files are individually encrypted utilizing a symmetric cryptographic key. For each user to be given access to the obfuscated file, the symmetric cryptographic key is encrypted utilizing a public key of a respective public/private key pair. A different public key/private key pair is utilized for each user. Obfuscated files are formed comprising the encrypted executable files and a respective encrypted symmetric cryptographic key. The private keys of the public/private key pairs are stored on respective smart cards. The smart cards are distributed to the users. When a user wants to invoke the functionality of an obfuscated file, the user provides the private key via his/her smart card. The private key is retrieved and is utilized to decrypt the appropriate portion of the obfuscated file. The symmetric cryptographic key obtained therefrom is utilized to decrypt the encrypted executable file.09-18-2008
20080229116Performing AES encryption or decryption in multiple modes with a single instruction - A machine-readable medium may have stored thereon an instruction, which when executed by a machine causes the machine to perform a method. The method may include combining a first operand of the instruction and a second operand of the instruction to produce a result. The result may be encrypted using a key in accordance with an Advanced Encryption Standard (AES) algorithm to produce an encrypted result. The method may also include placing the encrypted result in a location of the first operand of the instruction.09-18-2008
20080229117Apparatus for preventing digital piracy - A method for preventing digital piracy in a computing environment comprises loading an application into the computing environment, wherein the application is encrypted using a cryptographic key; assigning a virtual address space to the application; loading the cryptographic key for the application into a register which is accessible only by a central processing unit; and storing an index value for the key in the register in a page table entry which corresponds to the virtual address space for the application, thereby linking the virtual address space to the key for the application.09-18-2008
20120311350MEMORY MANAGMENT METHOD - In the conventional method of maintaining the confidential a program, wherein a program to be executed in an information processing device is stored in a hard disk, etc., in an encrypted state and the program is decrypted when it is executed, because a decrypted program is written in memory, the program may be illicitly analyzed by a third person. Provided is memory management method wherein code information or data of a program written in a virtual memory is data which is encrypted and inaccessible by a CPU, and when code fetching or data access to the encrypted area occurs, an interruption process is performed wherein with respect to a management unit of the memory management device including the area, an inaccessible state is changed to an accessible state to perform decryption.12-06-2012
20100318810INSTRUCTION CARDS FOR STORAGE DEVICES - A card can be communicationally coupled to a storage device. The card can then cause the storage device to perform stand-alone tasks without a computing device. The card can invoke instructions already present in the firmware of the storage device or the card can first copy instructions to the firmware and then invoke them. The card can cause the storage device to perform actions, such as a secure erase, and the storage device can remain inaccessible until such actions are performed, even if power is interrupted. The card can also receive information from the storage devices and then use that information with a new storage device to, for example, enable the new storage device to take the place of, and reconstruct the data of, the old storage device in a storage array directly from other storage devices in the array and without burdening a computing device or array controller.12-16-2010
20110055592METHOD OF OBFUSCATING A CODE - A method of obfuscating a code is provided, wherein the method comprises performing a first level obfuscating technique on a code to generate a first obfuscated code, and performing a second level obfuscating technique on the first obfuscated code. In particular, the code may be a software code or a software module. Furthermore, the first level obfuscating technique and the second obfuscating may be different. In particular, the second level obfuscating technique may perform a deobfuscation.03-03-2011
20080244275Instruction Transform for the Prevention and Propagation of Unauthorized Code Injection - A method and structure of instruction transformation. Applying the principals of biodiversity to instruction transformation applicable to devices and embedded systems and networks containing many devices not only protects individual devices from attack from unauthorized code, but additionally retards propagation of such unauthorized code to other devices in the system or network in communication with a potentially infected device.10-02-2008
20100287384ARRANGEMENT FOR AND METHOD OF PROTECTING A DATA PROCESSING DEVICE AGAINST AN ATTACK OR ANALYSIS - In order to further develop an arrangement for as well as a method of protecting at least one data processing device, in particular at least one embedded system, for example at least one chip card or smart card, against at least one attack, in particular against at least one side-channel attack, for example against at least one current trace analysis, the data processing device, in particular at least one integrated circuit of the data processing device, carrying out calculations, in particular cryptographic operations wherein an attack, for example an E[lectro]M[agnetic] radiation attack, or an analysis, for example a D[ifferential]P[ower]A[nalysis], such attack or such analysis in particular targeted on finding out a private key, is to be securely averted, it is proposed to blind all intermediate results of the calculations by at least one random variable.11-11-2010
20100293391MULTIPOINT GENERAL-PURPOSE INPUT/OUTPUT CONTROL INTERFACE DEVICE - A multipoint general-purpose input/output control interface device is provided, which is a control interface device that is applicable to, but not limited to, PCI transmission interface, and can be installed in or removed from a computer system or a game machine as desired to use the computer system or the game machine to control a timer and access or encrypt static random access memory and general purpose input/output (GPIO).11-18-2010
20110138194Method for increasing I/O performance in systems having an encryption co-processor - A system and method for improving performance while transferring encrypted data in an input/output (I/O) operation are provided. The method includes receiving a block of data. The method also includes dividing the block of data into a plurality of sub-blocks of data. The method further includes performing a first operation on a first sub-block. The method also includes performing a second operation on a second sub-block at substantially the same time as performing the first operation on the first sub-block. The method still further includes reassembling the plurality of sub-blocks into the block of data.06-09-2011
20100180129APPARATUS COMPRISING A PLURALITY OF ARITHMETIC LOGIC UNITS - An arrangement of arithmetic logic units carries out an operation on at least one operand, wherein the operation is determined by operation codes received by the arithmetic logic units. The operation codes and at least one operand are received on a first clock cycle. The result of the operation is output from at least one arithmetic logic unit to at least one further arithmetic logic unit. A result of the plurality of arithmetic logic units is then output on a next clock cycle.07-15-2010
20090300368USER INTERFACE FOR SECURE DATA ENTRY - A computer input device for operation with a computer includes an input transducer, which is coupled to receive an input from a user and to generate a data signal responsively to the input. An encryption processor is coupled to process the data signal so as to output data to the computer. The encryption processor has a first operational mode in which the encryption processor encrypts the data signal using an encryption key not accessible to the computer so that the data are unintelligible to the computer, and a second operational mode in which the data are intelligible to the computer. A mode switch is operative so as to switch between the first and second operational modes of the encryption processor. An output transducer is coupled to provide to the user an indication of whether the encryption processor is in the first or the second operational mode.12-03-2009
20090292931APPARATUS AND METHOD FOR ISOLATING A SECURE EXECUTION MODE IN A MICROPROCESSOR - An apparatus providing for a secure execution environment, including a microprocessor and a secure non-volatile memory. The microprocessor executes non-secure application programs and a secure application program, where the non-secure application programs are accessed from a system memory via a system bus. The microprocessor has secure execution mode logic that is configured to provide for a secure execution mode within the microprocessor for execution of the secure application program. The secure execution mode logic records the state of the microprocessor in a non-volatile indicator register upon entry into the secure execution mode and upon exit from the secure execution mode. The secure non-volatile memory is coupled to the microprocessor via a private bus and is configured to store the secure application program. Transactions over the private bus between the microprocessor and the secure non-volatile memory are isolated from the system bus and corresponding system bus resources within the microprocessor.11-26-2009
20100017624From polymorphic executable to polymorphic operating system - A method, capable of being implemented in executable instructions or programmes in device(s), including computer system(s) or computer-controlled device(s) or operating-system-controlled device(s) or system(s) that is/are capable of running executable code, providing for the creation in Device(s) of executable code, such as boot code, programmes, applications, device drivers, or a collection of such executables constituting an operating system, in the form of executable code embedded or stored into hardware, such as embedded or stored in all types of storage medium, including read-only or rewriteable or volatile or non-volatile storage medium, such as in the form of virtual disk in physical memory or internal Dynamic Random Access Memory or hard disk or solid state flash disk or Read Only Memory, or read only or rewriteable CD/DVD/HD-DVD/Blu-Ray DVD or hardware chip or chipset etc.; the executable code being in the form of Polymorphic Executable (PE) or Executable with Unexecutable Code (EUC) or Polymorphic Executable with Unexecutable Code (PEUC) or Polymorphic Operating System (POS) containing PE, EUC and PEUC runnable in an authenticated or authorized state for the protection of intellectual property.01-21-2010
20080263366SELF-VERIFYING SOFTWARE TO PREVENT REVERSE ENGINEERING AND PIRACY - Reverse engineering and piracy of software is prevented by encrypting code blocks of a program. A program is modified to include additional protective code, including a protective code launcher which is launched with the program. Decryption and execution code is also provided for the protective code launcher and one or more code blocks of the program. A given code block is encrypted using a key which is based on a previous code block, and the previous code block is encrypted using a key which is based on a further previous code block, and so forth. If a hacker modifies the program, such as to avoid a message which requires the user to purchase the program, the program will be disabled. The program can also be encrypted based on computer hardware such as a hard disk serial number so that it will only operate on a particular computer.10-23-2008
20090172415PROCESSOR APPARATUS - The control unit includes a CPU which generates an access signal for performing writing or reading on the external memory, encryption/decryption means which, when the access signal is used for writing, encrypts an address designated by the CPU to generate a write address and encrypts write data contained in the access signal to generate write encrypted data, and which, when the access signal is used for reading, encrypts an address designated by the CPU to generate a read address and decrypts the encrypted data read from the external memory to generate plaintext data, and external control means which writes the write encrypted data in a position designated by the write address generated by the encryption/decryption means and which reads the encrypted data from a position designated by the read address generated by the encryption/decryption means and supplies the same to the encryption/decryption means for its decryption.07-02-2009
20120233472SECURING NON-VOLATILE MEMORY REGIONS - Methods, apparatus and articles of manufacture to secure non-volatile memory regions are disclosed. An example method disclosed herein comprises associating a first key pair and a second key pair different than the first key pair with a process, using the first key pair to secure a first region of a non-volatile memory for the process, and using the second key pair to secure a second region of the non-volatile memory for the same process, the second region being different than the first region.09-13-2012
20120047373MEMORY SUBSYSTEM AND METHOD THEREFOR - A memory subsystem and method for loading and storing data at memory addresses of the subsystem. The memory subsystem is functionally connected to a processor and has a first mode of address encryption to convert logical memory addresses generated by the processor into physical memory addresses at which the data are stored in the memory subsystem. The memory subsystem is adapted to pull low a write enable signal to store data in the memory subsystem and to pull high the write enable signal to load data in the memory subsystem, wherein if pulled high the write enable signal alters the address encryption from the first mode to a second mode. The memory subsystem is adapted to be coupled to a local hardware device which supplies a key that acts upon the address encryption of the memory subsystem.02-23-2012
20120011371METHOD AND APPARATUS FOR SECURING INDIRECT FUNCTION CALLS BY USING PROGRAM COUNTER ENCODING - A method for securing indirect function calls by using program counter encoding is provided. The method includes inserting a decoding code for an address of a library function stored in a GOT (Global Offset Table) entry into a PLT (Procedure Linkage Table) entry when an object file is built; generating an encoding key corresponding to the decoding code; and encoding the GOT entry corresponding to the library function by using the encoding key when program execution begins.01-12-2012
20120017097System And Method For Securely Storing Data In An Electronic Device - There is provided an enhanced method of securely storing and retrieving information in an electronic device. The method comprises generating a plurality of random encryption keys and storing the plurality of random encryption keys in a memory region of a first component of the electronic device. The method may additionally comprise encrypting data using a different one of the plurality of random encryption keys for each of a plurality of regions of a memory of a second component of the electronic device. The method may also comprise transferring encrypted data to the memory of the second component of the electronic device.01-19-2012
20120023337ESTABLISHING A SECURE MEMORY PATH IN A UNITARY MEMORY ARCHITECTURE - A functional unit of a device is associated with a secret. Data stored in a memory location of the device is encrypted using the secret. The memory location of the device is accessible to other functional units; but without knowledge of the secret, the stored encrypted data is useless. The sharing of the secret creates a secure path between memory locations and functional units of the device while maintaining a unitary memory architecture. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract.01-26-2012
20120159194RELATING TO CRYPTOGRAPHY - A method and apparatus 06-21-2012
20120159193SECURITY THROUGH OPCODE RANDOMIZATION - An opcode obfuscation system is described herein that varies the values of opcodes used by operating system or application code while the application is stored in memory. The system puts application code through a translation process as the application code is loaded, so that the code sits in memory with an altered instruction set. If new and potentially malicious code is injected into the process, its instruction set will not match that of the translated application code. As time to execute the application code approaches, the system puts the application code through a reverse translation process that converts the application code back to the original opcodes. Any malicious code injected into the process will also undergo the reverse translation, which will have the effect of making the malicious code detectable as invalid or erroneous.06-21-2012
20110099387METHOD AND APPARATUS FOR ENFORCING A PREDETERMINED MEMORY MAPPING - A system and a method are disclosed for enforcing a predetermined mapping of addresses in a physical address space to addresses in a virtual address space in a data processing system including a processor in the virtual address space and a memory in a physical address space. During the compilation and linking of an application to be run on the data processing system, in at least one embodiment, the mapping table is generated linking the virtual addresses to physical addresses. This mapping table is kept secret. A second mapping table is generated using a cryptographic function of the physical address with the virtual address as a key to link virtual addresses to intermediate addresses. The second mapping table is loaded into the memory management unit. The data processing system further includes cryptographic hardware to convert the intermediate address to the physical address using the inverse of the cryptographic function which was used to calculate the intermediate address.04-28-2011
20120216051BUILDING AND DISTRIBUTING SECURE OBJECT SOFTWARE - A method and structure for enhancing protection for at least one of software and data being executed on a computer. A file to comprise a secure object is constructed, using a processor on a build machine, the secure object to be executed on a target machine different from the build machine. The secure object comprises at least one of code and data that is to be encrypted when the secure object is stored on the target machine. The encrypted stored secure object is decrypted by the target machine when executed by the target machine after retrieval from a memory on the target machine. The decryption uses a system key of the target machine. The secure object is stored, upon completion of construction, in an encrypted state as a completed secure object, and the secure object is completed without the build machine having the system key of the target machine.08-23-2012
20100241872Partially Reversible Key Obfuscation - Techniques are provided to obfuscate seed values to produce a decryption key for a simplified content protection scheme. A first repeatable sequence is performed that encrypts a value stored in a first memory location using a value stored in the second memory location to produce an encrypted value and the value stored in the first memory location is overwritten with the encrypted value and then applying a constraining function to the value stored in the second memory location to produce a result and the value stored in the second memory location is overwritten with the result, wherein the result contains a less entropy compared an entropy level of the value in the second memory location prior to applying the constraining function. This sequence is repeated, but the values used in the first and second memory locations are used in opposite fashion. Techniques are also provided to perform the reverse operation and de-obfuscate a decryption key.09-23-2010
20100205459METHOD AND SYSTEM FOR PROTECTING AGAINST ACCESS TO A MACHINE CODE OF A DEVICE - A method for the protection against access to a machine code of a device, has the steps: (a) encrypting a machine code by a device-specific key, which is provided by a TPM (Trusted Platform Module) module present in the device, (b) storing the encrypted machine code in a memory of the device, (c) wherein the device-specific key can no longer be read from the TPM module after a manipulation of the device.08-12-2010
20120272072APPARATUS AND METHOD FOR PROCESSING APPLICATION PACKAGE IN PORTABLE TERMINAL - An apparatus and method for improving the security of an application package from a user abnormally acquiring a system supreme authority in a portable terminal are provided. The apparatus includes an application manager for, at application package generation, collecting data for package generation, performing a compiling process for the collected data, encrypting an execution file of the application package among the compiled data, and packaging the compiled data comprising the encrypted execution file.10-25-2012
20100299538Systems and Methods for Low-Latency Encrypted Storage - Encrypted storage often introduces unwanted latency in access. This delay can result in a processor having to wait for critical data thus slowing performance. Generally speaking, the latency is at most an issue when reading from encrypted storage, since the processor may need the information read from encrypted storage to proceed. During a write operation, there typically is not an issue because the processor does not need to wait for the end of the write operation to proceed. A variant of counter (CTR) mode for a block cipher can be used to perform the majority of the decryption operation without knowledge of the ciphertext, therefore the majority of the decryption operation can be performed concurrently with the retrieval of the ciphertext from memory. In order to further secure the encrypted storage, a light encryption can be performed to further obfuscate the ciphertext.11-25-2010
20100299537SECURE PROCESSING DEVICE WITH KEYSTREAM CACHE AND RELATED METHODS - A secure processing device may include an external memory storing encrypted data, and a processor cooperating with the external memory. The processor is configured to generate address requests for the encrypted data in the external memory, cache keystreams based upon an encryption key, and generate decrypted plaintext based upon the cached keystreams and the encrypted data requested from the external memory. For example, the processor may be further configured to predict a future address request, and the future address request may be associated with a cached keystream.11-25-2010
20120317423Memory randomization for protection against side channel attacks - Side channel attacks against a computing device are prevented by combinations of scrambling data to be stored in memory and scrambling the memory addresses of the data using software routines to execute scrambling and descrambling functions. Encrypted versions of variables, data and lookup tables, commonly employed in cryptographic algorithms, are thus dispersed into pseudorandom locations. Data and cryptographic primitives that require data-dependent memory accesses are thus shielded from attacks that could reveal memory access patterns and compromise cryptographic keys.12-13-2012
20120260106SYSTEM AND METHOD FOR BINARY LAYOUT RANDOMIZATION - Disclosed herein are systems, methods, and non-transitory computer-readable storage media for binary layout randomization. A system performs binary layout randomization by loading computer code into memory and identifying a section of the computer code to randomize. A loader remaps the section of computer code to a different location in memory utilizing a remapping algorithm. The loader can shuffle sections of code in place or move sections of code elsewhere. The loader patches relative addresses to point to the updated locations in memory. After the system patches the addresses, the system executes the computer code from memory. In one embodiment, the system encrypts the computer code prior to loading the computer code into memory. The loader decrypts the encrypted computer code prior to remapping the section of computer code to a different location in memory. Optionally, the loader can decrypt the encrypted computer code after patching relative addresses.10-11-2012
20120221864METHOD AND APPARATUS FOR COMPUTER CODE OBFUSCATION AND DEOBFUSCATION USING BOOT INSTALLATION - In the field of computer software, obfuscation techniques for enhancing software security are applied to compiled (object) software code. The obfuscation results here in different versions (instances) of the obfuscated code being provided to different installations (recipient computing devices). The complementary code execution uses a boot loader or boot installer-type program at each installation which contains the requisite logic. Typically, the obfuscation results in a different instance of the obfuscated code for each intended installation (recipient) but each instance being semantically equivalent to the others. This is accomplished in one version by generating a random value or other parameter during the obfuscation process, and using the value to select a particular version of the obfuscating process, and then communicating the value along with boot loader or installer program software.08-30-2012
20120260107Instruction Encryption/Decryption Arrangement and Method with Iterative Encryption/Decryption Key Update - An instruction decryption arrangement includes an input interface configured to receive an encrypted instruction, a decryption key updater configured to output a decryption key, and an instruction decrypter including a first input connected to the input interface and a second input connected to the decryption key updater, and configured to decrypt the encrypted instruction using the decryption key and to provide a decrypted instruction. The decryption key updater is further configured to update the decryption key using at least one of the encrypted instruction and the decrypted instruction. An alternative instruction decryption arrangement includes a key stream module configured to iteratively determine a key state corresponding to a current instruction for a computing unit and an instruction decrypter configured to receive an encrypted instruction related to the current instruction and decrypt the encrypted instruction using the key state to provide a decrypted instruction.10-11-2012
20120272073ENCRYPTING DATA IN VOLATILE MEMORY - Provided are a computer program product, system, and method to allocate blocks of memory in a memory device having a plurality of blocks. An unencrypted memory allocation function requests allocation of unencrypted blocks in the memory device. An encrypted memory allocation function requests allocation of encrypted blocks in the memory device. An unencrypted Input/Output (I/O) request performs an I/O operation against the unencrypted blocks in the memory device. An encrypted I/O request function performs an I/O operation against the encrypted blocks in the memory device. An operating system uses an encryption key associated with the encrypted blocks to encrypt or decrypt data in the encrypted blocks to perform the encrypted I/O operation in response to processing the encrypted I/O request functions, wherein the unencrypted and encrypted memory allocation functions and unencrypted and encrypted I/O request functions comprise different functions in a library of functions available to the application.10-25-2012
20110239005Secure Repository With Layers Of Tamper Resistance And System And Method For Providing Same - A secure repository individualized for a hardware environment and a method and system for providing the same. The secure repository includes a hidden cryptographic key and code that applies the key without requiring access to a copy of the key. The code that implements the secure repository is generated in a manner that is at least partly based on a hardware ID associated with the hardware environment in which the secure repository is to be installed, and may also be based on a random number. Cryptographic functions implemented by the secure repository include decryption of encrypted information and validation of cryptographically signed information. The secure repository may be coupled to an application program, which uses cryptographic services provided by the secure repository, by way of a decoupling interface that provides a common communication and authentication interface for diverse types of secure repositories. The decoupling interface may take the form of a single application programmer interface (API) usable with multiple dynamically linkable libraries.09-29-2011
20120331308METHODS, APPARATUS AND SYSTEMS TO IMPROVE SECURITY IN COMPUTER SYSTEMS - According to some implementations methods, apparatus and systems are provided involving the use of processors having at least one core with a security component, the security component adapted to read and verify data within data blocks stored in a L1 instruction cache memory and to allow the execution of data block instructions in the core only upon the instructions being verified by the use of a cryptographic algorithm.12-27-2012
20120331307METHODS, APPARATUS AND SYSTEMS TO IMPROVE SECURITY IN COMPUTER SYSTEMS - In one implementation a computer system stores a software program that contains some instructions organized in blocks wherein each block contains a first part with instructions and a second part with an electronic signature or hash value, wherein the computer system includes a security component within the processor that allows the execution of instructions of the first part of a block of data only if the hash value of the data is correct.12-27-2012
20110320825FUNCTION VIRTUALIZATION FACILITY FOR FUNCTION QUERY OF A PROCESSOR - Selected installed function of a multi-function instruction is hidden such that even though a processor is capable of performing the hidden installed function, the availability of the hidden function is hidden such that responsive to the multi-function instruction querying the availability of functions, only functions not hidden are reported as installed.12-29-2011
20120102336Security of Program Executables and Microprocessors Based on Compiler-Architecture Interaction - A method, for use in a processor context, wherein instructions in a program executable are encoded with plural instruction set encodings. A method wherein a control instruction encoded with an instruction set encoding contains information about decoding of an instruction that is encoded with another instruction set encoding scheme. A method wherein instruction set encodings are randomly generated at compile time. A processor framework wherein an instruction is decoded during execution with the help of information provided by a previously decoded control instruction.04-26-2012
20100229002SYSTEMS AND METHODS FOR WATERMARKING SOFTWARE AND OTHER MEDIA - Systems and methods are disclosed for embedding information in software and/or other electronic content such that the information is difficult for an unauthorized party to detect, remove, insert, forge, and/or corrupt. The embedded information can be used to protect electronic content by identifying the content's source, thus enabling unauthorized copies or derivatives to be reliably traced, and thus facilitating effective legal recourse by the content owner. Systems and methods are also disclosed for protecting, detecting, removing, and decoding information embedded in electronic content, and for using the embedded information to protect software or other media from unauthorized analysis, attack, and/or modification.09-09-2010
20130013934Infinite Key Memory Transaction Unit - A system for providing high security for data stored in memories in computer systems is disclosed. A different encryption key is used for every memory location, and a write counter hides rewriting of the same data to a given location. As a result, the data for every read or write transaction between the microprocessor and the memory is encrypted differently for each transaction for each address, thereby providing a high level of security for the data stored.01-10-2013
20130019108ADDRESS TRANSLATION UNIT, DEVICE AND METHOD FOR REMOTE DIRECT MEMORY ACCESS OF A MEMORY - A method for Remote Direct Memory Access (RDMA) of a memory of a processor. An address translation unit comprises an address translator and a signer. The address translator is configured to translate a received virtual address in a real address of the memory. The signer is configured to cryptographically sign the real address.01-17-2013
20110154059CUMULATIVE INTEGRITY CHECK VALUE (ICV) PROCESSOR BASED MEMORY CONTENT PROTECTION - In general, in one aspect, the disclosure describes a process that includes a cryptographic engine and first and second registers. The cryptographic engine is to encrypt data to be written to memory, to decrypt data read from memory, to generate read integrity check values (ICVs) and write ICVs for memory accesses. The cryptographic engine is also to create a cumulative read ICV and a cumulative write ICV by XORing the generated read ICV and the generated write ICV with a current read MAC and a current write ICV respectively and to validate data integrity by comparing the cumulative read ICV and the cumulative write ICV. The first and second registers are to store the cumulative read and write ICVs respectively at the processor. Other embodiments are described and claimed.06-23-2011
20110246789INTEGRATED CIRCUIT PROTECTED AGAINST HORIZONTAL SIDE CHANNEL ANALYSIS - An integrated circuit including a multiplication function configured to execute a multiplication operation of two binary words x and y including a plurality of basic multiplication steps of components xi of word x by components yj of word y is described. The multiplication function of the integrated circuit is configured to execute two successive multiplications by modifying, in a random or pseudo-random manner, an order in which the basic multiplication steps of components xi by components yj are executed.10-06-2011
20120254628CIPHER MESSAGE EXECUTION IN A COMPUTING SYSTEM - A method, system and program product for executing a multi-function instruction in an emulated computer system by specifying, via the multi-function instruction, either a capability query or execution of a selected function of one or more optional functions, wherein the selected function is an installed optional function, wherein the capability query determines which optional functions of the one or more optional functions are installed on the computer system.10-04-2012
20130097432PROVIDING CONSISTENT CRYPTOGRAPHIC OPERATIONS - A method, system, and computer usable program product for providing consistent cryptographic operations in a data processing environment using protected structured data objects are provided in the illustrative embodiments. A data input is received from an originating application by a security plug-in, both the application and the security plug-in executing in the data processing system. A security schema object is received by the security plug-in, the security schema object describing a sequence of cryptographic operations, wherein the security schema object includes a plurality of components each component describing an aspect of the cryptographic operations. The data input is transformed into a secure structured data object by the security plug-in using the sequence of cryptographic operations. A property of the secure structured data object is populated using data about the security schema object. The secure structured data object is transmitted to a consumer application.04-18-2013
20130103955Controlling Transmission of Unauthorized Unobservable Content in Email Using Policy - A system, method, and apparatus is disclosed to control mail server in handling encrypted messages according to a policy.04-25-2013
20110213988DIGITAL INFORMATION PROTECTING METHOD AND APPARATUS, AND COMPUTER ACCESSIBLE RECORDING MEDIUM - A method for protecting digital information includes: converting a protected address range into a plurality of address blocks based on a preset conversion unit, and generating an address block rearranging rule using the address blocks as a parameter; when it is desired to load data into an address batch of the protected address range, converting the address batch into a plurality address blocks based on the conversion unit; and locating rearranged addresses of the address blocks in the protected address range according to the address block rearranging rule, and loading the data into the rearranged addresses. Thus, the data can be stored in the address batch scatteredly, and the protected data cannot be recomposed into the original correct data when stolen.09-01-2011
20110225433ELECTRIC LOCKING AND SEALING DEVICE, CASE COMPRISING THE SAME, AND CONTROL SYSTEM THEREFOR - An electronic locking and sealing device, including: a housing, a lock tongue, an operating unit, a main control unit, and a connecting part, the operating unit is disposed in the housing and fixedly connected to the lock tongue, and operates to push out or to take back the locking tongue from or in the housing, the main control unit is connected to the operating unit, and operates to receive an external control instruction whereby automatically controlling the operating unit, and the connecting part has a hole disposed at the center thereof and corresponding to the lock tongue.09-15-2011
20130151865Securing microprocessors against information leakage and physical tampering - A processor system comprising: performing a compilation process on a computer program; encoding an instruction with a selected encoding; encoding the security mutation information in an instruction set architecture of a processor; and executing a compiled computer program in the processor using an added mutation instruction, wherein executing comprises executing a mutation instruction to enable decoding another instruction. A processor system with a random instruction encoding and randomized execution, providing effective defense against offline and runtime security attacks including software and hardware reverse engineering, invasive microprobing, fault injection, and high-order differential and electromagnetic power analysis.06-13-2013
20120260105SYSTEM AND METHOD FOR DEFENDING AGAINST REVERSE ENGINEERING OF SOFTWARE, FIRMWARE AND HARDWARE - A method for defending a software against reverse engineering in a target environment includes acquiring information from the target environment, encrypting the software to be protected with the acquired information, sending the encrypted software with the acquired information to an execution environment, acquiring information from the execution environment, comparing the information from the execution environment with the acquired information from the target environment to authenticate the execution environment as the target environment, and if the two set of information match, decrypting the software to be protected, and if two set of information do not match, destroying said software.10-11-2012
20100318811CRYPTOGRAPHIC PROCESSOR - A cryptographic processor includes: first and second round function operation circuits, each of which executes cryptographic processing; and a control circuit configured to operate the first and second round function operation circuits by randomly switching between a parallel operation mode used to operate the first and second round function operation circuits in parallel and a serial operation mode used to operate the first and second round function operation circuits in series.12-16-2010
20120284532METHOD AND SYSTEM FOR RECOVERING CRYPTOGRAPHIC OPERATIONS AND/OR SECRETS - A computerized system and method for identifying one or more cryptographic operations from software code, comprising: performing processing associated with identifying, one or more cryptographic operations in the software code, the software code being run on a processor; and performing processing associated with identifying a boundary for each cryptographic operation in the software code.11-08-2012
20110296201METHOD AND APPARATUS FOR TRUSTED EXECUTION IN INFRASTRUCTURE AS A SERVICE CLOUD ENVIRONMENTS - The present disclosure presents a method and apparatus configured to provide for the trusted execution of virtual machines (VMs) on a virtualization server, e.g., for executing VMs on a virtualization server provided within Infrastructure as a Service (IaaS) cloud environment. A physical multi-core CPU may be configured with a hardware trust anchor. The trust anchor itself may be configured to manage session keys used to encrypt/decrypt instructions and data when a VM (or hypervisor) is executed on one of the CPU cores. When a context switch occurs due to an exception, the trust anchor swaps the session key used to encrypt/decrypt the contents of memory and cache allocated to a VM (or hypervisor).12-01-2011
20110314303COMPUTING DEVICE CONFIGURED FOR OPERATING WITH INSTRUCTIONS IN UNIQUE CODE - A computing device having a memory for holding software instructions produced in a code, which is unique for a particular computing device. A code conversion unit converts the unique code into a generic code representing the instructions. The generic code different from the unique code is common for computing devices having a processor of a similar type. A processing circuit of the computing device is linked to the output of the code conversion unit for processing instructions in the generic code.12-22-2011
20130191649MEMORY ADDRESS TRANSLATION-BASED DATA ENCRYPTION/COMPRESSION - A method and circuit arrangement selectively stream data to an encryption or compression engine based upon encryption and/or compression-related page attributes stored in a memory address translation data structure such as an Effective To Real Translation (ERAT) or Translation Lookaside Buffer (TLB). A memory address translation data structure may be accessed, for example, in connection with a memory access request for data in a memory page, such that attributes associated with the memory page in the data structure may be used to control whether data is encrypted/decrypted and/or compressed/decompressed in association with handling the memory access request.07-25-2013
20130191650METHODS AND APPARATUS FOR SECURING A DATABASE - Methods and apparatus for a system to maintain confidentiality of data in a database management system by selecting encryption schemes for data items, storing encrypted data in databases, transforming SQL queries to run over encrypted data, and executing queries over encrypted data on the database server.07-25-2013
20130198530Low-Power Multi-Standard Cryptography Processing Units with Common Flip-Flop/Register Banks - A method, system, and apparatus for managing a plurality of cipher processor units. A cipher module may receive a cipher instruction indicating a cipher algorithm to be used. The cipher module may identify a cipher processing unit of the plurality of cipher processing units associated with the cipher algorithm. The cipher module may execute the cipher instruction using the cipher processing unit and the common register array. The cipher module may store a state of a common register array to be used by the cipher processing unit of the plurality of cipher processing units.08-01-2013
20120066516METHOD FOR FAST DECRYPTION OF PROCESSOR INSTRUCTIONS - A processor, circuit and method provide for fast decryption of encrypted program instructions for execution by the processor. A programmable look-up coding is used to decode a field within the instructions. The decoded field for the instructions are recombined with the remaining portion of the same instructions to yield the decoded instructions. The programmable look-up coding can be programmed and controlled by a process executing at a higher privilege level than the program represented by the instructions, so that security against code-modifying attacks is enhanced.03-15-2012
20130205139Scrambling An Address And Encrypting Write Data For Storing In A Storage Device - An address to access a location in a storage device (08-08-2013
20120096283OPTIONAL FUNCTION MULTI-FUNCTION INSTRUCTION IN AN EMULATED COMPUTING ENVIRONMENT - A method, system and program product for executing a multi-function instruction in an emulated computer system by specifying, via the multi-function instruction, either a capability query or execution of a selected function of one or more optional functions, wherein the selected function is an installed optional function, wherein the capability query determines which optional functions of the one or more optional functions are installed on the computer system.04-19-2012
20120096282MICROPROCESSOR THAT FETCHES AND DECRYPTS ENCRYPTED INSTRUCTIONS IN SAME TIME AS PLAIN TEXT INSTRUCTIONS - A fetch unit (a) fetches a block of instruction data from an instruction cache of the microprocessor; (b) performs an XOR on the block with a data entity to generate plain text instruction data; and (c) provides the plain text instruction data to an instruction decode unit. In a first instance the block comprises encrypted instruction data and the data entity is a decryption key. In a second instance the block comprises unencrypted instruction data and the data entity is Boolean zeroes. The time required to perform (a), (b), and (c) is the same in the first and second instances regardless of whether the block is encrypted or unencrypted. A decryption key generator selects first and second keys from a plurality of keys, rotates the first key, and adds/subtracts the rotated first key to/from the second key, all based on portions of the fetch address, to generate the decryption key.04-19-2012
20130212407METHOD FOR MANAGING MEMORY SPACE IN A SECURE NON-VOLATILE MEMORY OF A SECURE ELEMENT - The invention relates to a method for managing non-volatile memory space in a secure processor comprising a secure non-volatile internal memory, the method comprising steps of: selecting data elements to remove from the internal memory, generating, by the secure processor, a data block comprising the selected data elements, and a signature computed from the selected data elements using a secret key generated by the secure processor, transmitting the data block by the secure processor, and storing the transmitted data block in an external memory.08-15-2013

Patent applications in class Computer instruction/address encryption