There is described a method, at a server system, of providing a mobile network operator (MNO) profile to a client device. The client device has a SIM software application stored thereon so as to provide the client device with a secured software implementation of SIM card functionality. The method comprises: (a) based on a unique identifier of the client device, identifying a unique key, KSIM, of the SIM software application stored on the client device; (b) based on an MNO associated with the client device, identifying an unused MNO profile associated with the MNO; (c) encrypting the identified MNO profile so as to provide an encrypted MNO profile, wherein the encrypting comprises encrypting at least part of the identified MNO profile using KSIM; (d) generating an MNO profile download message comprising the encrypted MNO profile and the unique identifier of the client device; and (e) broadcasting the MNO profile download message over a broadcast network so as to enable the client device to access the MNO profile download message. There is also described a related method at a client device, as well as related computer programs and computer-readable media.
A machine learning model protection method comprising: generating, based on a set of parameters that define a machine learning model, an item of software which, when executed by one or more processors, provides an implementation for the machine learning model; and applying one or more software protection techniques to the item of software.
A system and method for creating secure software code. Original code is processed to determine memory states, which are dynamic during execution of the code. Selected functions of the code are duplicated and placed in parallel alternative control paths in order to create protected code with increased path diversity. The state of the memory, or a variable derived therefrom is used to select one of the alternative paths during execution of the protected code.
A method of protecting an implementation of a neural network against a cloning attack, the neural network configured to generate a result based on an input sample from a predetermined domain of possible samples, the neural network trained to provide functionality corresponding to a subset of the domain, wherein the method comprises: receiving, from a user, a plurality of queries having a corresponding query sample from the domain and, for each query, performing a first test to determine whether or not the corresponding query sample is a member of the subset; performing a second test to identify whether the user is performing a cloning attack against the neural network, wherein the second test identifies that the user is performing a cloning attack against the neural network if a number of queries from the plurality of queries for which the corresponding query sample is determined to not be a member of the subset exceeds a first threshold value; and in response to the second test identifying that the user is performing a cloning attack against the neural network, performing one or more countermeasures for the cloning attack.
A method for a testing system to perform fuzzy testing of a software system, wherein the software system comprises a plurality of callable units and is arranged to receive input for the software system to process, the method comprising: determining, for each callable unit of the plurality of callable units, based on one or more security vulnerability metrics, a target number of times that callable unit is to be tested; initializing a ranked plurality of queues, each queue for storing one or more seeds, said initializing comprising storing one or more initial seeds in a corresponding queue of the ranked plurality of queues; performing a sequence of tests, wherein performing each test comprises: obtaining a seed from the highest ranked non-empty queue; performing a mutation process on the obtained seed to generate a test seed, wherein the mutation process is configured, at least in part, by mutation guidance information; providing the test seed as input to the software system for the software system to process; and evaluating the processing of the test seed by the software system to generate a result for the test; wherein each queue in the ranked plurality of queues has an associated seed addition criterion and wherein performing each test comprises either (a) adding the test seed to the highest ranked queue in the ranked plurality of queues for which the test seed meets the seed addition criterion associated with that queue; or (b) discarding the test seed if the test seed does not meet the seed addition criterion associated with any of the queues in the ranked plurality of queues; wherein the seed addition criteria are configured so that, if processing of a first test seed by the software system involves execution of, or an execution path approaching, a callable unit of interest and if processing of a second test seed by the software system does not involve execution of, or an execution path approaching, a callable unit of interest, then the queue to which the first test seed is added is of higher rank than the queue to which the second test seed is added, wherein a callable unit is a callable unit of interest if the current number of tests that have resulted in execution of that callable unit is less than the target number of times that callable unit is to be tested.
Systems, methods, and storage media for creating secured computer code are disclosed. Exemplary implementations may: access computer code; convert the computer code into a numeric description of characteristics of the code; partition the computer code into blocks of code; determine a corresponding ranking of at least some of the blocks of code with an anomaly measure by applying an anomaly detection algorithm to the blocks of code; select anomalous blocks of the blocks of code by applying a threshold to the rankings; and apply code security techniques to at least one of the anomalous blocks of code to thereby create secured computer code.
A method for identifying whether a classification system is configured to use a specific machine-learning classification model, the method comprising: using the classification system to generate, for each test sample in a predetermined test set that comprises a plurality of test samples, a corresponding classification result; and identifying either (i) that the classification system is using the specific machine-learning classification model if, for each test sample in the test set, the corresponding classification result matches a classification result produced for that test sample using the specific machine-learning classification model or (ii) that the classification system is not using the specific machine-learning classification model if there is a test sample in the test set for which the corresponding classification result does not match the classification result produced for that test sample using the specific machine-learning classification model; wherein the test set is associated with the specific machine-learning classification model and, for each test sample in the test set, there is a corresponding small modification for that test sample that causes a change in the classification result produced for that test sample using the specific machine-learning classification model.
A method of performing a cryptographic process in a secured manner, wherein the cryptographic process generates output data based on input data, the generating of the output data involving generating a value y based on an amount of data x, the value y representing a combination, according to a linear transformation L, of respective outputs from a plurality of S-boxes Sn (n=0, . . . , N−1) for integer N>1, wherein each S-box Sn (n=0, . . . , N−1) implements a respective function Hn that is either (a) the composition of a respective first function Fn and a respective linear or affine second function Gn so that Hn=Gn∘Fn, or (b) the composition of a respective first function Fn, a respective linear or affine second function Gn and a respective third function Wn so that Hn=Gn∘Fn∘Wn, wherein the method comprises: performing a first processing stage and a second processing stage to generate the value y based on the amount of data x, wherein: the first processing stage uses a plurality of first lookup tables to generate respective outputs, each output being based on at least part of the amount of data x, wherein, for each S-box Sn (n=0, . . . , N−1), the respective first function Fn is implemented by a corresponding first lookup table; and the second processing stage combines outputs from a plurality of second lookup tables to generate the value y, wherein the input to each second lookup table is formed from the output of a plurality of the first lookup tables, and wherein the set of second lookup tables is based on the second functions Gn (n=0, . . . , N−1) and the linear transformation L.
H04L 9/06 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p.ex. système DES
9.
SECURED PERFORMANCE OF AN ELLIPTIC CURVE CRYPTOGRAPHIC PROCESS
A method for performing an elliptic curve cryptographic process to generate output data based on input data, the elliptic curve cryptographic process based on an elliptic curve over a finite field, wherein the generation of the output data comprises generating, based on a predetermined point V of the elliptic curve and a positive R-bit integer k, a first point of the elliptic curve that is based, at least in part, on the point kV of the elliptic curve, wherein k=Σr=0R−1 2rbr and, for each r=0,1, . . . , R−1, br is the bit value of k at bit position r of k, wherein the method comprises: storing, according to a partition of the R bit positions for k into T groups of bit positions Pt (t=0, 1, . . . , T−1), a corresponding lookup table Lt having, for each of the 2|Pt|possible options for assigning to the |Pt| bit positions s ∈ Pt a respective bit value xs, a corresponding point of the elliptic curve that is based, at least in part, on the point (Σs∈Pt2sxs)V of the elliptic curve; obtaining k; and determining the first point as Σt=0T−1lt, where lt is the point of the elliptic curve that corresponds, in lookup table Lt, to the option for assigning to the |Pt| bit positions s ∈ Pt the corresponding bit value bs.
H04L 9/30 - Clé publique, c. à d. l'algorithme de chiffrement étant impossible à inverser par ordinateur et les clés de chiffrement des utilisateurs n'exigeant pas le secret
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
10.
METHOD AND SYSTEM FOR PREVENTING AND DETECTING SECURITY THREATS
A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secured software agent is provided for embedding within the abstraction layer forming the operating system. The secured software agent is configured to limit access to the abstraction layer by either blocking loadable kernel modules from loading, blocking writing to the system call table or blocking requests to attach debug utilities to certified applications or kernel components.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
11.
SYSTEMS AND METHODS FOR DETERMINING EXECUTION STATE
There is described a method of enabling identification of the execution state of an item of software at runtime. The method comprises receiving from one or more clients one or more respective labelled sets of invocation data generated at the one or more clients by the execution of an executable of the item of software configured to cause the collection of invocation data at runtime for one or more callable units of the item of software, wherein each labelled set of invocation data comprises a label indicating an execution state of the item of software during a respective portion of runtime and invocation data corresponding to said respective portion of runtime; training, based on said collection of invocation data, an identification algorithm to identify the execution state of the item of software from collected invocation data of the item of software. There is also described a related method of identifying the execution state of an executable during a portion of runtime, as well as related apparatus and computer programs.
G06F 21/52 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données
12.
SYSTEMS, METHODS, AND STORAGE MEDIA FOR GENERATING SYNTHESIZED DEPTH DATA
Disclosed implementations include a depth generation method using a novel teacher-student GAN architecture (TS-GAN) to generate depth images for 2-D images, such as RGB images, where no corresponding depth information is available. An example model consists of two components, a teacher and a student. The teacher consists of a fully convolutional encoder-decoder network as a generator along with a fully convolution classification network as the discriminator. The generator takes 2-D images as inputs and aims to output the corresponding depth images. The teacher learns an initial latent mapping between 2-dimensional and co-registered depth images and the student applies the latent mapping to provide feedback to the classification network for refinement.
Disclosed implementations include a method, apparatus and computer media for learning an optimal graph in the form of a tree topology defining a sequence that can be used by a learning network for image recognition. Image data representing the image of an object is received and N landmarks are detected on the image using a deep regression algorithm, wherein N is an integer. A weighted, fully connected, graph is constructed from the landmarks by assigning initial weights for the landmarks randomly. An optimized tree structure is determined based on the initial weights. A sequence is generated by traversing nodes of the tree structure and a series of embeddings representing the object image are generated based on the sequence. The embeddings can be processed by a neural network to generate an image recognition signal based on the embeddings.
G06V 40/16 - Visages humains, p.ex. parties du visage, croquis ou expressions
G06V 10/82 - Dispositions pour la reconnaissance ou la compréhension d’images ou de vidéos utilisant la reconnaissance de formes ou l’apprentissage automatique utilisant les réseaux neuronaux
14.
Secured computer code and systems, methods, and storage media for creating the secured computer code from original computer code
Systems, methods, and storage media for creating secured computer code from original computer code are disclosed. The secured computer code is created from original computer code and has a secured interface between a first code domain and a second code domain of the original computer code, the first code domain including code in a first coding language and the second code domain including code in a second coding language, the first code domain being compiled separately from the second code domain. Exemplary implementations may: identify a code method defined in the first code domain that is declared in the second code domain; create a corresponding code method in the second code domain that has a signature that corresponds to a signature of the code method; and create a transformed code method in the first code domain.
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p.ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/64 - Protection de l’intégrité des données, p.ex. par sommes de contrôle, certificats ou signatures
The disclosure is directed to a method, system and a computer readable medium of fuzzy testing a software system, using a grey-box fuzzy testing framework that optimizes the vulnerability exposure process while addressing security testing challenges. The grey-box fuzzy testing framework, unlike white-box testing, provides a focused and efficient assessment of a software system without analyzing each line of code. The disclosed embodiments provide a robust security mechanism that accumulates information about the system without increasing testing complexity, enabling fast and efficient security testing. The disclosed embodiments use security vulnerability metrics designed to identify vulnerable components in the software systems and ensures thorough testing of these components by assigning weights. A mutation engine may perform small data type mutations at the input's high-level design. The grey-box approach addresses three testing challenges: the system's complexity and size by avoiding intensive code analysis, outsourcing by limiting the knowledge about the system, and input and output fluctuation by creating a massive number of inputs.
G06F 11/36 - Prévention d'erreurs en effectuant des tests ou par débogage de logiciel
G06N 5/04 - Modèles d’inférence ou de raisonnement
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
16.
Method and apparatus for policy-based management of assets
A method and system for managing shared use of an asset. An asset device and an owner device accomplish an initial setup procedure to register the owner with the asset. One or more secure policies are then sent from the owner device, or another device authorized to create policies, to one or more user devices. The policies express user conditions and limitations for using the asset. Subsequently, the user device transmits the secure policy to the asset device. Once the policy has been transferred from the user device to the asset device, user associated with the user device can request use of the asset and will be granted the requested use if the requested use is permitted by the policy.
H04L 9/30 - Clé publique, c. à d. l'algorithme de chiffrement étant impossible à inverser par ordinateur et les clés de chiffrement des utilisateurs n'exigeant pas le secret
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
A method of securing a software routine implemented in a software instance executing in an execution environment, the method comprising: initializing a code block of the software instance with a reference to the software routine by storing the reference such that the stored reference is inaccessible to code outside of the code block; and returning a reference to the code block, the reference to the code block used by the software instance outside of the code block to invoke the software routine; wherein the code block is configured to: (a) invoke the software routine using the stored reference, and, (b) after a predetermined number of invocations of the software routine by the code block, modify the stored reference so as to prevent further invocation of the software routine by the code block.
G06F 21/56 - Détection ou gestion de programmes malveillants, p.ex. dispositions anti-virus
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p.ex. par clés ou règles de contrôle de l’accès
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p.ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
A method of performing biometric authentication for a first user, the method comprising: performing one or more first tests, wherein for each first test, performing said first test comprises: obtaining a respective first input for said first test based on one or more biometric characteristics of the first user; determining that the first user is not a predetermined user when a respective first log-likelihood ratio for a first likelihood and a second likelihood does not exceed a respective first threshold for said first test, wherein the first likelihood is a likelihood of obtaining the respective first input based on a first model in which input is obtained from the predetermined user, and wherein the second likelihood is a likelihood of obtaining the respective first input based on a second model in which input is obtained from one or more users other than the predetermined user; determining that the first user is the predetermined user when the respective first log-likelihood ratio exceeds a respective second threshold for said first test, the respective second threshold greater than the respective first threshold; and when the respective first log-likelihood ratio exceeds the respective first threshold and the respective first log-likelihood ratio does not exceed the respective second threshold, either (a) determining to perform a further first test when a number of times that the first test has been performed is less than a predetermined maximum number of times or (b) determining to perform a second test when the number of times that the first test has been performed equals the predetermined maximum number of times; wherein performing the second test comprises: obtaining a second input for the second test based on the one or more biometric characteristics of the first user; and determining that the first user is the predetermined user when a second log-likelihood ratio for a third likelihood and a fourth likelihood exceeds a third threshold, wherein the third likelihood is a likelihood of receiving the respective second input based on the first model, and wherein the fourth likelihood is a likelihood of receiving the second input based on the second model; determining that the first user is not the predetermined user when the second log-likelihood ratio does not exceed the third threshold.
G06F 21/32 - Authentification de l’utilisateur par données biométriques, p.ex. empreintes digitales, balayages de l’iris ou empreintes vocales
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
A method for detection of modification of an item of content, the method comprising: obtaining, for the item of content, a respective first value of each attribute in a set of one or more attributes of the item of content, the set of one or more attributes selected such that, for each of one or more predetermined types of modification, said type of modification affects the value of at least one attribute in the set of one or more attributes; performing a watermark decoding operation on the item of content; and in response to the watermark decoding operation producing payload data from the item of content: determining that the one or more predetermined types of modification have not been applied to the item of content if, for each attribute in the set of one or more attributes, the respective first value for that attribute matches a respective second value for that attribute determined using the payload; or determining that a modification has been applied to the item of content if, for at least one attribute in the set of one or more attributes, the respective first value for that attribute does not match a respective second value for that attribute determined using the payload.
A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secured software agent is provided for embedding within the abstraction layer forming the operating system. The secured software agent is configured to limit access to the abstraction layer by either blocking loadable kernel modules from loading, blocking writing to the system call table or blocking requests to attach debug utilities to certified applications or kernel components.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
A method for a computer to execute an item of software, the method comprising: the computer executing one or more security modules; the computer executing the item of software, said executing the item of software comprising, at at least one point during execution of the item of software at which a predetermined function is to be performed, attempting to perform the predetermined function by: sending, to an address system, a request for an address of instructions for carrying out the predetermined function, the request comprising an identifier of the predetermined function; receiving, from the address system in response to the request, an address generated by the address system based, at least in part, on (a) the identifier and (b) verification data provided to the address system from at least one of the one or more security modules; and continuing execution of the item of software at the address received from the address system.
A method for a computer to execute an item of software, the method comprising: the computer executing one or more security modules; the computer executing the item of software, said executing the item of software comprising, at at least one point during execution of the item of software at which a predetermined function is to be performed, attempting to perform the predetermined function by: sending, to an address system, a request for an address of instructions for carrying out the predetermined function, the request comprising an identifier of the predetermined function; receiving, from the address system in response to the request, an address generated by the address system based, at least in part, on (a) the identifier and (b) verification data provided to the address system from at least one of the one or more security modules; and continuing execution of the item of software at the address received from the address system.
Methods and systems for providing secure digital access to services are described. Embodiments include user behavior tracking, learning, and updating one or more contextual access algorithms and thereafter can act as multi-factor authentications. The method may include receiving data for a group of users and initializing a machine learning algorithm with the group data. The method may also collect individual user data and context data periodically, including characteristic behavior data, and update the machine learning algorithm with the individual user data. The method may further calculate a threshold for tolerance based on the updated algorithm, and verify user requests for access to the service. A multi-factor authentication may be presented to the user when the verifications are not acceptable, such as by being below a threshold. A permissions data structure can be generated and used to control access to the service.
G07C 9/29 - Enregistrement de l’entrée ou de la sortie d'une entité isolée comportant l’utilisation d’un laissez-passer le laissez-passer comportant des éléments électroniques actifs, p.ex. des cartes à puce
Methods and systems for continuously authenticating a user of a device by comparing current sensor data of the device being used with a fingerprint generated from sensor data collected from the device during use by an authorized user. A likelihood value, indicating the likelihood that the user is an authorized user of the device, is generated and the user is authenticated when the likelihood value is determined to be acceptable.
0, to cause relative oscillation of the coil and the magnet so as to induce an electric current in the coil to thereby power the electronics module.
The present application also relates to the apparatus for monitoring and/or controlling the mechanical equipment, and to a method of use of the apparatus with mechanical equipment.
H02K 35/02 - Génératrices avec système de bobines, aimant, induit, ou autre partie du circuit magnétique à mouvement alternatif, oscillant ou vibrant avec des aimants mobiles et des systèmes de bobines fixes
F16F 15/02 - Suppression des vibrations dans les systèmes non rotatifs, p.ex. dans des systèmes alternatifs; Suppression des vibrations dans les systèmes rotatifs par l'utilisation d'organes ne se déplaçant pas avec le système rotatif
G05D 19/02 - Commande des oscillations mécaniques, p.ex. de l'amplitude, de la fréquence, de la phase caractérisée par l'utilisation de moyens électriques
G06Q 30/06 - Transactions d’achat, de vente ou de crédit-bail
G06Q 30/0645 - Transactions de location; Transactions de crédit-bail
H02K 11/00 - Association structurelle de machines dynamo-électriques à des organes électriques ou à des dispositifs de blindage, de surveillance ou de protection
H02J 7/32 - Circuits pour la charge ou la dépolarisation des batteries ou pour alimenter des charges par des batteries pour la charge de batteries par un ensemble comprenant une machine motrice non électrique
26.
SYSTEMS, METHODS, AND STORAGE MEDIA FOR CREATING SECURED TRANSFORMED CODE FROM INPUT CODE USING A NEURAL NETWORK TO OBSCURE A TRANSFORMATION FUNCTION
Systems, methods, and storage media for creating secured transformed code from input code, the input code having at least one code function that includes at least one function value are disclosed. Exemplary implementations may: receive input code; apply an obfuscation algorithm to at least a portion of a selected code function of the input code to thereby create an obfuscated code portion having at least one obfuscated value that is different from the at least one function value; and store the obfuscated code portion on non-transient computer media to create obfuscated code having substantially the same function as the input code.
There are described computer-implemented methods of obtaining a user input. A first such method comprises: (a) providing access to video content, the video content representing a user interface including a plurality of elements for selection by a user; (b) playing a first portion of the video content to the user; (c) detecting a first user interaction occurring in response to the played first portion of the video content; and (d) determining a first element selected by the user based on one or more properties of the detected first user interaction. A second such method comprises: (a) providing access to one or more frames of pre-generated video content encoded in compressed video format; (b) displaying to a user initial video content encoded in compressed video format, the initial video content being based on one or more frames of the pre-generated video content, and the initial video content representing a plurality of graphical elements for selection by a user; (c) detecting a first user interaction occurring in response to the displayed initial video content; (d) determining a first graphical element selected by the user based on one or more properties of the detected first user interaction; (e) in response to the first user interaction, generating new video content encoded in compressed video format based on one or more frames of the pre-generated video content and the one or more properties of the first user interaction; and (f) displaying the new video content to the user.
There are also described corresponding apparatuses, computer programs, and computer-readable media.
H04N 21/442 - Surveillance de procédés ou de ressources, p.ex. détection de la défaillance d'un dispositif d'enregistrement, surveillance de la bande passante sur la voie descendante, du nombre de visualisations d'un film, de l'espace de stockage disponible dans l
28.
Method and system for preventing and detecting security threats
A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secured software agent is provided for embedding within the abstraction layer forming the operating system. The secured software agent is configured to limit access to the abstraction layer by either blocking loadable kernel modules from loading, blocking writing to the system call table or blocking requests to attach debug utilities to certified applications or kernel components.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
A method of securing a software routine implemented in a software instance executing in an execution environment, the method comprising: initializing a code block of the software instance with a reference to the software routine by storing the reference such that the stored reference is inaccessible to code outside of the code block; and returning a reference to the code block, the reference to the code block used by the software instance outside of the code block to invoke the software routine; wherein the code block is configured to: (a) invoke the software routine using the stored reference, and, (b) after a predetermined number of invocations of the software routine by the code block, modify the stored reference so as to prevent further invocation of the software routine by the code block.
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
G06F 21/56 - Détection ou gestion de programmes malveillants, p.ex. dispositions anti-virus
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p.ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/14 - Protection des logiciels exécutables contre l’analyse de logiciel ou l'ingénierie inverse, p.ex. par masquage
A method for securing a webpage or a webapp processed by a browser executing on a client system, the method comprising the browser executing an instance of white-box protected code, wherein execution of the instance of white-box protected code causes the client system to: generate a message comprising message data for use by a control system to perform one or more security tests, the control system communicably connected to the client system via a network; send the message to the control system to enable the control system to perform the one or more security tests using the message data; receive a response from the control system based, at least in part, on the message; and process the response.
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/16 - Traçabilité de programme ou de contenu, p.ex. par filigranage
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p.ex. par clés ou règles de contrôle de l’accès
A method for identifying an object within a video sequence, wherein the video sequence comprises a sequence of images, wherein the method comprises, for each of one or more images of the sequence of images: using a first neural network to determine whether or not an object of a predetermined type is depicted within the image; and in response to the first neural network determining that an object of the predetermined type is depicted within the image, using an ensemble of second neural networks to identify the object determined as being depicted within the image.
G06K 9/62 - Méthodes ou dispositions pour la reconnaissance utilisant des moyens électroniques
G10L 25/51 - Techniques d'analyses de la parole ou de la voix qui ne se limitent pas à un seul des groupes spécialement adaptées pour un usage particulier pour comparaison ou différentiation
G10L 25/78 - Détection de la présence ou de l’absence de signaux de voix
G06K 9/00 - Méthodes ou dispositions pour la lecture ou la reconnaissance de caractères imprimés ou écrits ou pour la reconnaissance de formes, p.ex. d'empreintes digitales
G06K 9/46 - Extraction d'éléments ou de caractéristiques de l'image
A computer-implemented method, in which an access request in relation to data is received. There is Error Correcting Code (ECC) data relating to the data, and the ECC data is configured to enable correction of multiple-bit errors spanning up to a predetermined number of consecutive bits of the data. The ECC data is configured to enable correction of multiple-bit errors spanning up to a predetermined number of consecutive bits of the data. A first integrity verification verifies the integrity of at least the data. If the first integrity verification procedure fails, an error analysis procedure is performed based on the data and the ECC data. Responsive to generation of corrected data by the error analysis procedure, a second integrity verification verifies the integrity of the corrected data. If the second integrity verification is successful, the access request is allowed using the corrected data.
G06F 21/64 - Protection de l’intégrité des données, p.ex. par sommes de contrôle, certificats ou signatures
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p.ex. par clés ou règles de contrôle de l’accès
G06F 11/10 - Détection ou correction d'erreur par introduction de redondance dans la représentation des données, p.ex. en utilisant des codes de contrôle en ajoutant des chiffres binaires ou des symboles particuliers aux données exprimées suivant un code, p.ex. contrôle de parité, exclusion des 9 ou des 11
A method for facilitating a user to subsequently access, via an application executed by a user device of the user, an account for one or more services provided by a service provider, wherein said access is controlled based on biometric verification of the user performed, at least in part, at the user device, wherein the method comprises: obtaining reference data from a storage device, wherein the storage device stores biometric data for the user suitable for use in the biometric verification of the user, and wherein the reference data is suitable for use in one or both of: (a) subsequent access of the biometric data from the storage device and (b) authentication of the biometric data; and providing the reference data to an access system used by the service provider so that the access system can associate the reference data with an identifier associated with the user.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
A method comprising, during runtime of an item of software that comprises one or more portions of code and verification code: the verification code generating verification data using (a) runtime data generated by the one or more portions of code and (b) one or more predetermined parameters, the verification data representing an element of a predetermined first set of data elements; and providing the verification data to an integrity checker arranged to (i) identify that a modification relating to the verification code has not occurred if the verification data represents an element of a predetermined second set of data elements, wherein the second set is a subset of the first set, and (ii) identify that a modification relating to the verification code has occurred if the verification data does not represent an element of the second set; wherein it is computationally infeasible to determine an element of the second set without knowledge of the one or more predetermined parameters or data related to the one or more predetermined parameters; and wherein, in the absence of a modification relating to the verification code, use of the one or more predetermined parameters by the verification code ensures that the verification data represents an element of the second set and use of the runtime data by the verification code controls which element of the second set is represented by the generated verification data.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
G06F 21/64 - Protection de l’intégrité des données, p.ex. par sommes de contrôle, certificats ou signatures
Systems, methods, and storage media implemented by a computer for enabling tracking of software are disclosed. Exemplary implementations may: receive marking input code corresponding to a computer program; identify locations of the marking input code that can be modified in ways that preserve functionality of the computer program; choose at least one code transformation with associated intrinsic constants; derive derived constants from the specific intrinsic constants; apply the at least one chosen code transformation, including injecting the derived constants into the marking input code; saving the results of the above steps on computer readable media as marked code; and save metadata including a list of the derived constants on computer readable media in a file that is separate from the marked code.
A method of operating a system, wherein the system comprises a plurality of components, the method comprising: maintaining a distributed ledger, wherein the distributed ledger comprises data records, wherein each data record stores information concerning one or more respective components of the plurality of components; at least one component of the plurality of components processing the information stored in one or more respective data records of the distributed ledger to determine whether the system meets one or more respective security criteria; and one or both of: (i) the at least one component performing a respective first action if the at least one component determines that the system meets the one or more respective security criteria; and (ii) the at least one component performing a respective second action if the at least one component determines that the system does not meet the one or more respective security criteria.
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
G07C 5/00 - Enregistrement ou indication du fonctionnement de véhicules
H04L 9/06 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p.ex. système DES
H04L 9/00 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité
A method for a first entity and a second entity to establish a shared secret, wherein the first entity and the second entity each have a respective asymmetric key pair that comprises a public key and a corresponding private key, wherein the method comprises: the first entity generating a protected item of software that comprises a representation of the public key of the first entity and a message generator that is configured to use an authentication key; the first entity providing the protected item of software to the second entity; the second entity executing the protected item of software, said executing comprising the message generator generating a message that represents the public key of the second entity and that comprises authentication data generated using the authentication key so that integrity of the message is verifiable using a verification key corresponding to the authentication key; the first entity obtaining the message from the second entity; in response to a set of one or more conditions being satisfied, the first entity and the second entity together performing shared secret establishment to establish the secret, wherein performing the shared secret establishment comprises the first entity using the public key of the second entity as represented in the message and the second entity using the public key of the first entity as represented in the protected item of software, wherein one of the conditions is performance by the first entity of a successful verification of the integrity of the message using the verification key.
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
38.
Generating and executing protected items of software
A method of generating a protected item of software, there being an execution path within code for the protected item of software that causes code for one or more second functions to be executed before executing code for a first function, wherein execution of the code for the one or more second functions causes data to be stored at one or more memory locations, the data satisfying a set of one or more predetermined properties, wherein, in the absence of an attack against the protected item of software when the code for the protected item of software is being executed, the first function is arranged to provide first functionality, the method comprising: configuring the code for the first function so that execution, by one or more processors, of the code for the first function provides the first functionality only if the set of one or more predetermined properties is satisfied by data being stored, when the first function is executed, at the one or more memory locations.
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p.ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
39.
Method and apparatus for feedback-based piracy detection
Watermarking of a content stream is accomplished in a session-based manner to provide watermarking based on a uniquely generated manifest that will result in a stream that allows for unique identification of information. The manifest specifies a sequence of watermarks for successive segments of a content stream designated for a specific receiver. The system and method leverages existing content distribution infrastructure and has many of the benefits of conventional head-end watermarking, allows unique identification of small segments of the data stream and reduces content distribution network storage requirements. Groups of nodes can be provided with unique watermark patterns and detection and watermark pattern reconfiguration can be accomplished in an iterative manner to find a specific node without the need to create unique watermark patterns for each node.
H04N 7/167 - Systèmes rendant le signal de télévision inintelligible et ensuite intelligible
H04N 21/8358 - Génération de données de protection, p.ex. certificats impliquant des filigranes numériques
H04N 21/8352 - Génération de données de protection, p.ex. certificats impliquant des données d’identification du contenu ou de la source, p.ex. "identificateur unique de matériel" [UMID]
G06T 1/00 - Traitement de données d'image, d'application générale
There are described computer-implemented methods of obtaining a user input. A first such method comprises: (a) providing access to video content, the video content representing a user interface including a plurality of elements for selection by a user; (b) playing a first portion of the video content to the user; (c) detecting a first user interaction occurring in response to the played first portion of the video content; and (d) determining a first element selected by the user based on one or more properties of the detected first user interaction. A second such method comprises: (a) providing access to one or more frames of pre-generated video content encoded in compressed video format; (b) displaying to a user initial video content encoded in compressed video format, the initial video content being based on one or more frames of the pre-generated video content, and the initial video content representing a plurality of graphical elements for selection by a user; (c) detecting a first user interaction occurring in response to the displayed initial video content; (d) determining a first graphical element selected by the user based on one or more properties of the detected first user interaction; (e) in response to the first user interaction, generating new video content encoded in compressed video format based on one or more frames of the pre-generated video content and the one or more properties of the first user interaction; and (f) displaying the new video content to the user.
There are also described corresponding apparatuses, computer programs, and computer-readable media.
A method of individualizing a semiconductor chip of a batch of semiconductor chips with respective individualization data of the semiconductor chip, the method comprising, applying a plurality of circuit layouts to the semiconductor chip to form a plurality of circuits on the semiconductor chip, wherein for each circuit layout, said circuit layout is arranged such that, (a) the corresponding circuit, when triggered, falls into any one of two or more respective triggered states, and (b) one of the two or more respective triggered states is a respective preferred state defined by said circuit layout, wherein the plurality of respective preferred states of the circuits in the plurality of circuits encode the individualization data, and wherein each individualized semiconductor chip of the batch of semiconductor chips comprises a generic circuit.
H01L 23/00 - DISPOSITIFS À SEMI-CONDUCTEURS NON COUVERTS PAR LA CLASSE - Détails de dispositifs à semi-conducteurs ou d'autres dispositifs à l'état solide
G06K 19/077 - Supports d'enregistrement avec des marques conductrices, des circuits imprimés ou des éléments de circuit à semi-conducteurs, p.ex. cartes d'identité ou cartes de crédit avec des puces à circuit intégré - Détails de structure, p.ex. montage de circuits dans le support
H01J 37/317 - Tubes à faisceau électronique ou ionique destinés aux traitements localisés d'objets pour modifier les propriétés des objets ou pour leur appliquer des revêtements en couche mince, p.ex. implantation d'ions
H01L 23/544 - Marques appliquées sur le dispositif semi-conducteur, p.ex. marques de repérage, schémas de test
H01L 25/065 - Ensembles consistant en une pluralité de dispositifs à semi-conducteurs ou d'autres dispositifs à l'état solide les dispositifs étant tous d'un type prévu dans le même sous-groupe des groupes , ou dans une seule sous-classe de , , p.ex. ensembles de diodes redresseuses les dispositifs n'ayant pas de conteneurs séparés les dispositifs étant d'un type prévu dans le groupe
42.
Systems and methods for creating individualized processing chips and assemblies
Systems and methods for producing individualized processing chips, each individualized processing chip being arranged to carry out a common processing operation are disclosed. A processing chip design is received, wherein the common processing operation is specified, at least in part, by the processing chip design. For each individualized processing chip the processing chip design is individualized to produce an individualized processing chip design, in accordance with an individualized set of transformations for the individualized processing chip, by including a respective set of modifications as part of the individualized processing chip design that implement the individualized set of transformations. Each transformation of the individualized set of transformations is a transform for an interconnect, specified in the processing chip design, of at least two logic cells specified in the processing chip design. For each individualized processing chip the individualized processing chip design is provided for fabrication of the individualized processing chip according to the individualized processing chip design. The individualized set of transformations for one individualized chip is different to the individualized set of transformations for at least one other individualized chip.
H01L 27/00 - Dispositifs consistant en une pluralité de composants semi-conducteurs ou d'autres composants à l'état solide formés dans ou sur un substrat commun
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
H01L 27/02 - Dispositifs consistant en une pluralité de composants semi-conducteurs ou d'autres composants à l'état solide formés dans ou sur un substrat commun comprenant des éléments de circuit passif intégrés avec au moins une barrière de potentiel ou une barrière de surface
G06F 30/39 - Conception de circuits au niveau physique
G06F 30/32 - Conception de circuits au niveau numérique
G06F 21/14 - Protection des logiciels exécutables contre l’analyse de logiciel ou l'ingénierie inverse, p.ex. par masquage
G06F 21/73 - Protection de composants spécifiques internes ou périphériques, où la protection d'un composant mène à la protection de tout le calculateur pour assurer la sécurité du calcul ou du traitement de l’information par création ou détermination de l’identification de la machine, p.ex. numéros de série
G06F 111/20 - CAO de configuration, p.ex. conception par assemblage ou positionnement de modules sélectionnés à partir de bibliothèques de modules préconçus
43.
Method and apparatus for session-based watermarking of streamed content
Watermarking of a content stream is accomplished in a session based manner to provide watermarking based on a uniquely generated manifest that will result in a stream that allows for unique identification of information. The manifest specifies a sequence of watermarks for successive segments of a content stream designated for a specific receiver. The system and method leverages existing content distribution infrastructure and has many of the benefits of conventional head-end watermarking, allows unique identification of small segments of the data stream and reduces content distribution network storage requirements.
H04N 7/167 - Systèmes rendant le signal de télévision inintelligible et ensuite intelligible
H04N 21/2389 - Traitement de flux multiplexé, p.ex. cryptage de flux multiplexé
H04N 21/845 - Structuration du contenu, p.ex. décomposition du contenu en segments temporels
H04N 21/6377 - Signaux de commande émis par le client et dirigés vers les éléments du serveur ou du réseau vers le serveur
H04N 21/236 - Assemblage d'un flux multiplexé, p.ex. flux de transport, en combinant un flux vidéo avec d'autres contenus ou données additionnelles, p.ex. insertion d'une adresse universelle [URL] dans un flux vidéo, multiplexage de données de logiciel dans un flu; Remultiplexage de flux multiplexés; Insertion de bits de remplissage dans le flux multiplexé, p.ex. pour obtenir un débit constant; Assemblage d'un flux élémentaire mis en paquets
H04N 21/238 - Interfaçage de la voie descendante du réseau de transmission, p.ex. adaptation du débit de transmission d'un flux vidéo à la bande passante du réseau; Traitement de flux multiplexés
H04N 21/8352 - Génération de données de protection, p.ex. certificats impliquant des données d’identification du contenu ou de la source, p.ex. "identificateur unique de matériel" [UMID]
H04N 21/8358 - Génération de données de protection, p.ex. certificats impliquant des filigranes numériques
44.
Method and apparatus for policy-based management of assets
A method and system for managing shared use of an asset. An asset device and an owner device accomplish an initial setup procedure to register the owner with the asset. One or more secure policies are then sent from the owner device, or another device authorized to create policies, to one or more user devices. The policies express user conditions and limitations for using the asset. Subsequently, the user device transmits the secure policy to the asset device. Once the policy has been transferred from the user device to the asset device, user associated with the user device can request use of the asset and will be granted the requested use if the requested use is permitted by the policy.
H04L 9/30 - Clé publique, c. à d. l'algorithme de chiffrement étant impossible à inverser par ordinateur et les clés de chiffrement des utilisateurs n'exigeant pas le secret
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
A secure and fault-tolerant, or variation-tolerant, method and system to turn a set of N shares into an identifier even when only M shares from this set have a correct value. A secret sharing algorithm is used to generate a number of candidate identifiers from subsets of shares associated with asset parameters of a collection of assets. The most frequently occurring candidate identifier is then determined to be the final identifier. The method has particular applicability in the fields of node locking and fingerprinting.
G06F 21/70 - Protection de composants spécifiques internes ou périphériques, où la protection d'un composant mène à la protection de tout le calculateur
G06F 21/73 - Protection de composants spécifiques internes ou périphériques, où la protection d'un composant mène à la protection de tout le calculateur pour assurer la sécurité du calcul ou du traitement de l’information par création ou détermination de l’identification de la machine, p.ex. numéros de série
G06F 21/10 - Protection de programmes ou contenus distribués, p.ex. vente ou concession de licence de matériel soumis à droit de reproduction
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
A method for identifying an object within a video sequence, wherein the video sequence comprises a sequence of images, wherein the method comprises, for each of one or more images of the sequence of images: using a first neural network to determine whether or not an object of a predetermined type is depicted within the image; and in response to the first neural network determining that an object of the predetermined type is depicted within the image, using an ensemble of second neural networks to identify the object determined as being depicted within the image.
G06K 9/00 - Méthodes ou dispositions pour la lecture ou la reconnaissance de caractères imprimés ou écrits ou pour la reconnaissance de formes, p.ex. d'empreintes digitales
G06F 17/30 - Recherche documentaire; Structures de bases de données à cet effet
G06K 9/62 - Méthodes ou dispositions pour la reconnaissance utilisant des moyens électroniques
G10L 25/51 - Techniques d'analyses de la parole ou de la voix qui ne se limitent pas à un seul des groupes spécialement adaptées pour un usage particulier pour comparaison ou différentiation
G10L 25/78 - Détection de la présence ou de l’absence de signaux de voix
G06K 9/46 - Extraction d'éléments ou de caractéristiques de l'image
G06F 16/583 - Recherche caractérisée par l’utilisation de métadonnées, p.ex. de métadonnées ne provenant pas du contenu ou de métadonnées générées manuellement utilisant des métadonnées provenant automatiquement du contenu
G10L 15/16 - Classement ou recherche de la parole utilisant des réseaux neuronaux artificiels
A method for securing a webpage or a webapp processed by a browser executing on a client system, the method comprising the browser executing an instance of white-box protected code, wherein execution of the instance of white-box protected code causes the client system to: generate a message comprising message data for use by a control system to perform one or more security tests, the control system communicably connected to the client system via a network; send the message to the control system to enable the control system to perform the one or more security tests using the message data; receive a response from the control system based, at least in part, on the message; and process the response.
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/16 - Traçabilité de programme ou de contenu, p.ex. par filigranage
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p.ex. par clés ou règles de contrôle de l’accès
A method for accessing content at a device, wherein the device is arranged to execute a digital rights management (DRM) client of a DRM system and wherein the device is arranged to receive a broadcast signal comprising a plurality of encrypted portions of content for an item of content, each encrypted portion being packaged in a format of a conditional access system and being decryptable using a corresponding decryption key, wherein the method comprises an application executing on the device performing the steps of: for each of one or more of the encrypted portions: converting said encrypted portion from being packaged in the format of the conditional access system to being packaged in a format of the DRM system; providing said encrypted portion is packaged in the format of the DRM system to the DRM client; and either (a) providing a rights object according to the DRM system to the DRM client or (b) triggering the DRM client to obtain a rights object according to the DRM system; wherein the rights object corresponds to said encrypted portion by comprising decryption key data for use by the DRM client to obtain the decryption key corresponding to said encrypted portion.
G06F 21/10 - Protection de programmes ou contenus distribués, p.ex. vente ou concession de licence de matériel soumis à droit de reproduction
H04N 21/2347 - Traitement de flux vidéo élémentaires, p.ex. raccordement de flux vidéo ou transformation de graphes de scènes MPEG-4 impliquant le cryptage de flux vidéo
H04N 21/4385 - Traitement de flux multiplexé, p.ex. décryptage de flux multiplexé
H04N 21/6334 - Signaux de commande issus du serveur dirigés vers des éléments du réseau ou du client vers le client pour l’autorisation, p.ex. en transmettant une clé
H04N 21/8355 - Génération de données de protection, p.ex. certificats impliquant des données sur l’utilisation, p.ex. nombre de copies ou de visualisations autorisées
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
49.
Enabling a software application to be executed on a mobile station
The invention enables a software application to be executed on a mobile station in dependence of a SIM. Challenge data originating from the software application is input to the SIM to generate first response data using a security function of the SIM. The software application is enabled to be executed in dependence of the first response data. In addition, the challenge data may be transmitted to a verification server for the generation of second response data in dependence of the challenge data and possibly using an authentication center. The software application is then enabled to be executed in further dependence of the second response data.
H04B 1/3816 - TRANSMISSION - Détails des systèmes de transmission non caractérisés par le milieu utilisé pour la transmission Émetteurs-récepteurs, c. à d. dispositifs dans lesquels l'émetteur et le récepteur forment un ensemble structural et dans lesquels au moins une partie est utilisée pour des fonctions d'émission et de réception avec des connecteurs pour programmer des dispositifs d’identification
There is described a method of monitoring a peer-to-peer network. The method comprises: (i) monitoring network traffic between a first peer and the peer-to-peer network so as to identify a first subset of peers in the peer-to-peer network; and (ii) preventing the first peer from communicating with at least one peer in the first subset of peers to thereby cause the first peer to communicate with at least one further peer in the peer-to-peer network so as to enable identification of the at least one further peer. In addition, there is described a peer-to-peer network monitor for monitoring a peer-to-peer network, wherein the monitor is operable to monitor network traffic between a first peer and the peer-to-peer network so as to identify a subset of peers in the peer-to-peer network in communication with the first peer, and wherein the monitor is operable to prevent the first peer from communicating with at least one peer in the subset of peers to thereby cause the first peer to communicate with at least one further peer in the peer-to-peer network so as to enable the monitor to identify the at least one further peer. Corresponding computer programs and computer-readable media are also described.
H04L 41/12 - Découverte ou gestion des topologies de réseau
H04L 43/08 - Surveillance ou test en fonction de métriques spécifiques, p.ex. la qualité du service [QoS], la consommation d’énergie ou les paramètres environnementaux
51.
Enabling a software application to be executed on a hardware device
The invention provides a method, a hardware circuit and a hardware device for enabling a software application to be executed on a hardware device in dependence of the hardware circuit, while preventing the execution of a binary copy of the application in another hardware device. Challenge data originating from the software application is input to a hardware circuit of the hardware device, wherein the hardware circuit is configured to perform a deterministic function. Response data is generated by the hardware device, which is used to manipulate at least a part of the software application to thereby enable the software application to be executed.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
G06F 21/72 - Protection de composants spécifiques internes ou périphériques, où la protection d'un composant mène à la protection de tout le calculateur pour assurer la sécurité du calcul ou du traitement de l’information dans les circuits de cryptographie
52.
Method and apparatus for executing a process on a device using memory privileges
A method and apparatus for executing a process on a device, the device including one or more processors for executing the process and a memory, wherein the process has an associated first type of privilege. The method includes obtaining a portion of the memory for use by the process or for use by a further process being created by the process, wherein the portion of the memory is identified as both writable and executable memory, and wherein the portion of the memory has an associated second type of privilege that is different from the first type of privilege.
G06F 9/455 - Dispositions pour exécuter des programmes spécifiques Émulation; Interprétation; Simulation de logiciel, p.ex. virtualisation ou émulation des moteurs d’exécution d’applications ou de systèmes d’exploitation
G06F 9/50 - Allocation de ressources, p.ex. de l'unité centrale de traitement [UCT]
A method for a first entity to protect a first amount of data and to enable a second entity to perform data processing based on the first amount of data, the method comprising the first entity: applying a predetermined function to the first amount of data to generate a first value; and generating a second amount of data for the second entity to process, said generating comprising combining, using a first combination function, each of a number N of elements of the first amount of data with the first value; wherein the predetermined function is a function for which application of the predetermined function to an input quantity of data generates a corresponding output value, and the predetermined function has a property that, given a second quantity of data generated by modifying each of N elements of a first quantity of data by combining, using the first combination function, each of those N of elements of the first quantity of data with the output value generated by applying the predetermined function to the first quantity of data, the first quantity of data is regenerated from the second quantity of data by combining, using a second combination function, each of the N modified elements with the output value produced by applying the predetermined function to the second quantity of data.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 9/06 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p.ex. système DES
G06F 21/14 - Protection des logiciels exécutables contre l’analyse de logiciel ou l'ingénierie inverse, p.ex. par masquage
H04L 9/00 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité
G06F 21/64 - Protection de l’intégrité des données, p.ex. par sommes de contrôle, certificats ou signatures
A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secured software agent is provided for embedding within the abstraction layer forming the operating system. The secured software agent is configured to limit access to the abstraction layer by either blocking loadable kernel modules from loading, blocking writing to the system call table or blocking requests to attach debug utilities to certified applications or kernel components.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
55.
Method and system for preventing and detecting security threats
A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secured software agent is provided for embedding within the abstraction layer forming the operating system. The secured software agent is configured to limit access to the abstraction layer by either blocking loadable kernel modules from loading, blocking writing to the system call table or blocking requests to attach debug utilities to certified applications or kernel components.
G06F 12/14 - Protection contre l'utilisation non autorisée de mémoire
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
G06F 9/44 - Dispositions pour exécuter des programmes spécifiques
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
56.
Method and system for preventing and detecting security threats
A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secured software agent is provided for embedding within the abstraction layer forming the operating system. The secured software agent is configured to limit access to the abstraction layer by either blocking loadable kernel modules from loading, blocking writing to the system call table or blocking requests to attach debug utilities to certified applications or kernel components.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
57.
System and method for encapsulating and enabling protection through diverse variations in software libraries
A flexible software library in which the software modules are defined as an abstract intermediate representation. The flexible library allows security transformation and performance attribute selections to be made by the end-user, rather than the library creator. Furthermore, since the flexible library contains an abstract representation of the software modules, the library can also be provisioned to contain an arbitrary number of named instances, representing specific sets of values for security and performance decisions, along with the corresponding native object-code resulting from those decisions. This permits distribution of software modules in a completely platform-independent manner while avoiding the disclosure of proprietary information, such as source-files.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p.ex. par clés ou règles de contrôle de l’accès
58.
Method and system for preventing and detecting security threats
A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secured software agent is provided for embedding within the abstraction layer forming the operating system. The secured software agent is configured to limit access to the abstraction layer by either blocking loadable kernel modules from loading, blocking writing to the system call table or blocking requests to attach debug utilities to certified applications or kernel components.
G06F 12/14 - Protection contre l'utilisation non autorisée de mémoire
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
G06F 9/44 - Dispositions pour exécuter des programmes spécifiques
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
59.
Challenge-response method and associated computing device
There is described a challenge-response method for a computing device. The method comprises steps of: (a) receiving challenge data at a secured module of the computing device, the challenge data comprising image content encrypted using an encryption key, and the image content including a nonce; (b) the secured module recovering the image content through decryption using one or more keys associated with the encryption key; (c) the secured module of the computing device outputting the recovered image content; (d) capturing the image content as output by the secured module; (e) processing the captured image content so as to obtain the nonce; and (f) providing the nonce as a response. There is also described a computing device arranged to carry out the challenge-response method, a computer program for causing a processor to carry out the challenge-response method, and a computer readable medium storing such a computer program.
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
G06F 21/10 - Protection de programmes ou contenus distribués, p.ex. vente ou concession de licence de matériel soumis à droit de reproduction
A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secure software agent is provided for embedding within the abstraction layer forming the operating system. A secure store is provided for storing security information unique to one or more instances of the application software. The secure software agent uses the security information for continuous runtime assurance of ongoing operational integrity of the operating system and application software and thus operational integrity of the device.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p.ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p.ex. par clés ou règles de contrôle de l’accès
A method of providing access to content at a first device, the method comprising: receiving an item of content, wherein at least part of the item of content is encrypted, the encrypted at least part of the item of content being decryptable using at least one decryption key; in a first software client: obtaining a transformed version of the at least one decryption key; performing a decryption operation on the encrypted at least part of the item of content based on the at least one decryption key to obtain an intermediate version of the at least part of the item of content, wherein said performing the decryption operation uses a white-box implementation of the decryption operation that forms part of the first software client and that operates using the transformed version of the at least one decryption key; and performing an encryption operation on at least a portion of the intermediate version based on at least one encryption key to obtain re-encrypted content, wherein said performing the encryption operation uses a white-box implementation of the encryption operation that forms part of the first software client; and providing, to a digital rights management client that executes on the first device, (a) a rights object that enables the digital rights management client to obtain one or more second decryption keys corresponding to the at least one encryption key, the one or more second decryption keys enabling the digital rights management client to decrypt the re-encrypted content and (b) the re-encrypted content.
There is described a method for a first software application to access a secured software application on a computing device. The first software application is not configured to interface with the secured software application. The computing device includes an interfacing application configured to interface with the secured software application. The method comprises the first software application interfacing with the interfacing application to thereby cause the interfacing application to access the secured software application. The first software application is configured to interface with the interfacing application.
There is also described a method of generating an encrypted version of an image using a library of pre-encrypted blocks of data, the same content encryption key having been used to encrypt each of the pre-encrypted blocks of data. The method comprises forming the encrypted version of the image from an ordered sequence of pre-encrypted blocks of data from the library, wherein each pre-encrypted block of data in the ordered sequence corresponds to a respective sub-image of a plurality of sub-images making up the image.
There are also described corresponding computing devices, computer programs and computer-readable media.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
G06F 21/16 - Traçabilité de programme ou de contenu, p.ex. par filigranage
G06F 21/36 - Authentification de l’utilisateur par représentation graphique ou iconique
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
H04N 21/254 - Gestion au sein du serveur de données additionnelles, p.ex. serveur d'achat ou serveur de gestion de droits
There is described a method of protecting an item of software so as to obfuscate a condition which causes a variation in control flow through a portion of the item of software dependent on whether the condition is satisfied, wherein satisfaction of the condition is based on evaluation of one or more condition variables. The method comprises: (i) modifying the item of software such that the control flow through said portion is not dependent on whether the condition is satisfied; and (ii) inserting a plurality of identity transformations into expressions in said portion of the modified item of software, wherein the identity transformations are defined and inserted such that, in the absence of tampering, they maintain the results of the expressions if the condition is satisfied and such that they alter the results of the expressions if the condition is not satisfied, wherein each identity transformation is directly or indirectly dependent on at least one of the one or more condition variables. New variables may be defined as part of this method. There are also described associated apparatuses, computer programs and the like.
A method, apparatus and product for identifying a bot agent using behavioral features. The method comprising obtaining a set of behavioral features of a usage of an input device during an interaction of an agent with a page, wherein the set of behavioral features are consistent with a human-generated interaction, wherein the set of behavioral features are generated based on events obtained from a client device used by the agent; automatically estimating whether the agent is a bot based on comparison of the set of behavioral features with one or more additional sets of behavioral features, wherein the one or more additional sets of behavioral features were previously obtained based on interactions of one or more agents with one or more pages; and in response to an estimation that the agent is a bot, performing a responsive action.
A method for securely executing an item of software. One or more security modules are executed by a computer and a computer executes the item of software. The execution of the item of software includes, at at least one point during execution of the item of software at which a predetermined function is to be performed, attempting to perform the predetermined function. The attempt to perform the predetermined function including sending, to an address system, a request for an address of instructions for carrying out the predetermined function, the request including an identifier of the predetermined function; receiving, from the address system in response to the request, an address generated by the address system based, at least in part, on (a) the identifier and (b) verification data provided to the address system from at least one of the one or more security modules; and continuing execution of the item of software at the address received from the address system.
A method and system for renewing software at the component-level is provided. A client program includes a base component for loading a software component into at least one loadable region of the program to update the program. Code in the software component is for writing state data associating the state of the update in storage, upon execution of the software component, and testing the state data to verify condition of the updated program and disallowing rollback and roll-forward attacks, the state data comprising hash chain values. The state data for verifying the correctness of the updated program is entangled with application data used for the program functionality. A server includes: an update pool having a plurality of software updates deployed in each client, and a policy control for monitoring and controlling at least one of: the length of time the client runs until the software update is invoked, a chain of the updates; and the granularity of the update.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p.ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 8/656 - Mises à jour pendant le fonctionnement
Computer-implemented systems, methods, and computer-readable media for selecting a sequence of content parts from polymorphic content of an audiovisual presentation based on at least one profile of a user include receiving content information associated with polymorphic content, receiving profile information of a user, and selecting for rendering, from amongst the alternative content parts, a sequence of content parts from the polymorphic content based on at least a portion of the profile information.
H04N 7/173 - Systèmes à secret analogiques; Systèmes à abonnement analogiques à deux voies, p.ex. l'abonné envoyant un signal de sélection du programme
H04N 21/254 - Gestion au sein du serveur de données additionnelles, p.ex. serveur d'achat ou serveur de gestion de droits
G06F 3/01 - Dispositions d'entrée ou dispositions d'entrée et de sortie combinées pour l'interaction entre l'utilisateur et le calculateur
H04N 21/4405 - Traitement de flux élémentaires vidéo, p.ex. raccordement d'un clip vidéo récupéré d'un stockage local avec un flux vidéo en entrée ou rendu de scènes selon des graphes de scène MPEG-4 impliquant le décryptage de flux vidéo
H04N 21/266 - Gestion de canal ou de contenu, p.ex. génération et gestion de clés et de messages de titres d'accès dans un système d'accès conditionnel, fusion d'un canal de monodiffusion de VOD dans un canal multidiffusion
H04N 21/435 - Traitement de données additionnelles, p.ex. décryptage de données additionnelles ou reconstruction de logiciel à partir de modules extraits du flux de transport
H04N 21/44 - Traitement de flux élémentaires vidéo, p.ex. raccordement d'un clip vidéo récupéré d'un stockage local avec un flux vidéo en entrée ou rendu de scènes selon des graphes de scène MPEG-4
A63F 13/73 - Autorisation des programmes ou des dispositifs de jeu, p.ex. vérification de l’authenticité
68.
Obfuscated performance of a predetermined function
A method of obfuscated performance of a predetermined function, wherein for the predetermined function there is a corresponding plurality of first functions so that, for a set of inputs for the function, a corresponding set of outputs may be generated by (a) representing the set of inputs as a corresponding set of values, wherein each value comprises at least part of each input of a corresponding plurality of the inputs, (b) generating a set of one or more results from the set of values, where each result is generated by applying a corresponding first function to a corresponding set of one or more values in the set of values, and (c) forming each output as either a part of a corresponding one of the results or as a combination of at least part of each result of a corresponding plurality of the results; wherein the method comprises: obtaining, for each value in the set of values, one or more corresponding transformed versions of said value, wherein a transformed version of said value is the result of applying a bijection, that corresponds to said transformed version, to said value; and generating a set of transformed results corresponding to the set of results, wherein each transformed result corresponds to a respective result and is generated by applying a second function, that corresponds to the first function that corresponds to the respective result, to a transformed version of the one or more values of the respective set of one or more values for the corresponding first function.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 9/06 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p.ex. système DES
There is described a chip for performing cryptographic operations. The chip comprises a key storage module, a rule storage module, an interface module and a cryptographic module. The key storage module is configured to store one or more cryptographic keys. The rule storage module is configured to store one or more rules, each rule comprising respective rule data, the rule data identifying a respective predetermined cryptographic operation associated with the rule and further identifying at least one of the one or more cryptographic keys to be used in the respective predetermined cryptographic operation. The interface module is configured to receive a rule execution request, wherein the rule execution request comprises a rule identifier to identify a specific rule of the one or more rules to be executed. The cryptographic module is configured to execute the specific rule so as to perform the respective predetermined cryptographic operation in response to the rule execution request. The chip is configured such that the cryptographic keys and the cryptographic module may only be used by executing rules from the one or more rules in response to associated rule execution requests received by the interface module. There is also described a set top box comprising the chip, a chip-implemented method of performing a cryptographic operation, and a method of loading a new rule into a rule storage module of a chip.
H04L 9/14 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité utilisant plusieurs clés ou algorithmes
H04L 9/30 - Clé publique, c. à d. l'algorithme de chiffrement étant impossible à inverser par ordinateur et les clés de chiffrement des utilisateurs n'exigeant pas le secret
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
A method comprising: carrying out optimization of an item of software in a first intermediate representation; carrying out protection of the item of software in a second intermediate representation different to the first intermediate representation.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
A method of protecting an item of software, said item of software arranged to perform data processing based on one or more items of data, the method comprising: applying one or more software protection techniques to said item of software to generate a protected item of software, wherein said one or more software protection techniques are arranged so that said protected item of software implements said data processing at least in part as one or more linear algebra operations over a finite ring.
There is disclosed a head-end system in which differently processed copies of content portions are reordered such that copies from different content portions are not interleaved in the final transport stream.
H04N 21/2389 - Traitement de flux multiplexé, p.ex. cryptage de flux multiplexé
H04N 21/236 - Assemblage d'un flux multiplexé, p.ex. flux de transport, en combinant un flux vidéo avec d'autres contenus ou données additionnelles, p.ex. insertion d'une adresse universelle [URL] dans un flux vidéo, multiplexage de données de logiciel dans un flu; Remultiplexage de flux multiplexés; Insertion de bits de remplissage dans le flux multiplexé, p.ex. pour obtenir un débit constant; Assemblage d'un flux élémentaire mis en paquets
H04N 21/8358 - Génération de données de protection, p.ex. certificats impliquant des filigranes numériques
H04N 21/2343 - Traitement de flux vidéo élémentaires, p.ex. raccordement de flux vidéo ou transformation de graphes de scènes MPEG-4 impliquant des opérations de reformatage de signaux vidéo pour la distribution ou la mise en conformité avec les requêtes des utilisateurs finaux ou les exigences des dispositifs des utilisateurs finaux
H04N 21/2347 - Traitement de flux vidéo élémentaires, p.ex. raccordement de flux vidéo ou transformation de graphes de scènes MPEG-4 impliquant le cryptage de flux vidéo
H04N 21/2362 - Génération ou traitement d'informations de service [SI]
H04N 21/2365 - Multiplexage de plusieurs flux vidéo
H04N 21/418 - Carte externe destinée à être utilisée en combinaison avec le dispositif client, p.ex. pour l'accès conditionnel
H04N 21/434 - Désassemblage d'un flux multiplexé, p.ex. démultiplexage de flux audio et vidéo, extraction de données additionnelles d'un flux vidéo; Remultiplexage de flux multiplexés; Extraction ou traitement de SI; Désassemblage d'un flux élémentaire mis en paquets
H04N 21/4405 - Traitement de flux élémentaires vidéo, p.ex. raccordement d'un clip vidéo récupéré d'un stockage local avec un flux vidéo en entrée ou rendu de scènes selon des graphes de scène MPEG-4 impliquant le décryptage de flux vidéo
H04N 21/4623 - Traitement de messages de titres d'accès, p.ex. message de contrôle d'accès [ECM], message de gestion d'accès [EMM]
H04N 21/835 - Génération de données de protection, p.ex. certificats
H04N 21/438 - Interfaçage de la voie descendante du réseau de transmission provenant d'un serveur, p.ex. récupération de paquets MPEG d'un réseau IP
Methods and nodes for securing execution of a web application by determining that a call dependency from a first to a second function needs to be protected, adding a Partial Execution Stub (PES) function comprising code to establish a communication connection with a trusted module. Methods and nodes for secured execution of a web application by invoking a function of the web application, invoking a Partial Execution Stub (PES) function during execution of the function of the web application, sending, from the PES function, a message call with current execution information to a trusted module and receiving, a verification result from the trusted module.
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
Methods and devices for thwarting code and control flow based attacks on software. The source code of a subject piece of software is automatically divided into basic blocks of logic. Selected basic blocks are amended so that their outputs are extended. Similarly, other basic blocks are amended such that their inputs are correspondingly extended. The amendments increase or create dependencies between basic blocks such that tampering with one basic block's code causes other basic blocks to malfunction when executed.
There is described a method of obfuscating access to a data store by a software application. The method comprises accessing the data store using access operations. The access operations comprise real access operations and dummy access operations. Each real access operation is operable to access the data store as part of the execution of the software application. There is also described a computer program which, when executed by a processor, causes the processor to carry out the above method. There is also described a computer readable medium storing the above computer program. There is also described a system configured to carry out the above method.
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p.ex. par clés ou règles de contrôle de l’accès
G06F 21/14 - Protection des logiciels exécutables contre l’analyse de logiciel ou l'ingénierie inverse, p.ex. par masquage
G06F 21/52 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données
G06F 21/78 - Protection de composants spécifiques internes ou périphériques, où la protection d'un composant mène à la protection de tout le calculateur pour assurer la sécurité du stockage de données
G06F 21/79 - Protection de composants spécifiques internes ou périphériques, où la protection d'un composant mène à la protection de tout le calculateur pour assurer la sécurité du stockage de données dans les supports de stockage à semi-conducteurs, p.ex. les mémoires adressables directement
G06F 21/75 - Protection de composants spécifiques internes ou périphériques, où la protection d'un composant mène à la protection de tout le calculateur pour assurer la sécurité du calcul ou du traitement de l’information par inhibition de l’analyse de circuit ou du fonctionnement, p.ex. pour empêcher l'ingénierie inverse
There are described methods and apparatus for scrambling digital content, such as video or audio content, by dividing the digital content into blocks set out in an original arrangement, and reordering the blocks from the original arrangement to a scrambled arrangement. Additional manipulation transforms such as rotations and reflections may be applied to individual blocks. A subsequent compression step may then be carried out. Methods and apparatus for carrying out corresponding descrambling of digital content are also described.
H04N 5/913 - Traitement du signal de télévision pour l'enregistrement pour la transposition
H04N 19/88 - Procédés ou dispositions pour le codage, le décodage, la compression ou la décompression de signaux vidéo numériques utilisant le pré-traitement ou le post-traitement spécialement adaptés pour la compression vidéo mettant en œuvre la réorganisation de données entre différentes unités de codage, p.ex. redistribution, entrelacement, brouillage ou permutation de données de pixel ou permutation de données de coefficients de transformée entre différents blocs
H04N 21/2347 - Traitement de flux vidéo élémentaires, p.ex. raccordement de flux vidéo ou transformation de graphes de scènes MPEG-4 impliquant le cryptage de flux vidéo
H04N 21/4405 - Traitement de flux élémentaires vidéo, p.ex. raccordement d'un clip vidéo récupéré d'un stockage local avec un flux vidéo en entrée ou rendu de scènes selon des graphes de scène MPEG-4 impliquant le décryptage de flux vidéo
H04N 19/44 - Décodeurs spécialement adaptés à cet effet, p.ex. décodeurs vidéo asymétriques par rapport à l’encodeur
There is provided a method of protecting the execution of a software application, the method performed by a plurality of processes comprising a process for executing the software application and a plurality of protection processes, wherein each protection process in the plurality of protection processes is configured to: monitor a process state of at least one other process in the plurality of processes to determine whether said process state corresponds to a predetermined process state; and perform a predetermined action in response to a determination that said process state corresponds to the predetermined process state; wherein the plurality of protection processes are configured such that a process state of the process for executing the software application is monitored by at least one protection process and a process state of each protection process is monitored by at least one other protection process in the plurality of protection processes. Additionally provided is a computer program and a system for carrying out the method and a computer readable medium for storing such a computer program.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
There is provided a method of performing a cryptographic algorithm in software, the cryptographic algorithm comprising one or more processing steps, wherein each processing step is arranged to process a respective input to the processing step so as to generate an output corresponding to the input, characterized in that, for each of at least one of the one or more processing steps, the method comprises: providing a respective input for the processing step as an input to a plurality of implementations of the processing step, wherein each implementation is arranged to output a corresponding intermediate result represented using a respective predetermined output representation; and using the representation of the intermediate results to generate a result for the processing step that is based on each of the intermediate results, wherein, if each intermediate result is the output that corresponds to the input for the processing step then the result for the processing step is the output that corresponds to the input for the processing step. Additionally provided is a method of enabling a data processor to perform a cryptographic algorithm in software, the method comprising: generating an implementation of the cryptographic algorithm, the implementation being arranged such that execution of the implementation by a processor causes the processor to carry out a method according to any one of the preceding claims; and configuring the data processor to execute the implementation of the cryptographic algorithm. There is further provided a system and computer program for carrying out such methods, as well as a computer readable medium for storing such a computer program.
H04L 9/00 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité
H04L 9/06 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p.ex. système DES
G06F 9/46 - Dispositions pour la multiprogrammation
79.
Enabling a content receiver to access encrypted content
There is described a method of enabling a content receiver to access encrypted content, the content receiver forming part of a home network. The method comprises executing, on a device that also forms part of the home network, a key provisioning application. The method further comprises the key provisioning application receiving a key provisioning message and, based on the key provisioning message, providing to the content receiver via the home network one or more content decryption keys for decrypting the encrypted content. There is also described a device arranged to carry out this method. In addition, there is described a content receiver arranged to (a) receive from the aforementioned device, via a home network, one or more content decryption keys for accessing encrypted content; and (b) decrypt encrypted content using the one or more content decryption keys. Related computer programs and computer readable mediums are also described.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 12/28 - Réseaux de données à commutation caractérisés par la configuration des liaisons, p.ex. réseaux locaux [LAN Local Area Networks] ou réseaux étendus [WAN Wide Area Networks]
H04N 21/41 - Structure de client; Structure de périphérique de client
H04N 21/418 - Carte externe destinée à être utilisée en combinaison avec le dispositif client, p.ex. pour l'accès conditionnel
H04N 21/436 - Interfaçage d'un réseau de distribution local, p.ex. communication avec un autre STB ou à l'intérieur de la maison
H04N 21/4405 - Traitement de flux élémentaires vidéo, p.ex. raccordement d'un clip vidéo récupéré d'un stockage local avec un flux vidéo en entrée ou rendu de scènes selon des graphes de scène MPEG-4 impliquant le décryptage de flux vidéo
H04N 21/4623 - Traitement de messages de titres d'accès, p.ex. message de contrôle d'accès [ECM], message de gestion d'accès [EMM]
H04N 21/6334 - Signaux de commande issus du serveur dirigés vers des éléments du réseau ou du client vers le client pour l’autorisation, p.ex. en transmettant une clé
H04N 21/4408 - Traitement de flux élémentaires vidéo, p.ex. raccordement d'un clip vidéo récupéré d'un stockage local avec un flux vidéo en entrée ou rendu de scènes selon des graphes de scène MPEG-4 impliquant le cryptage de flux vidéo, p.ex. re-cryptage d'un flux vidéo décrypté pour la redistribution dans un réseau domestique
There is described a challenge-response method for a client device. The method comprises steps of: (a) receiving challenge data, wherein the challenge data is content encrypted using an encryption key, the content including a nonce; (b) using a secured module of the client device to access the content by decrypting the challenge data using a decryption key of the secured module, the decryption key corresponding to the encryption key; (c) processing a version of the content output by the secured module so as to obtain the nonce; and (d) providing the nonce as a response. There is also described a client device for implementing the above challenge-response method. There is also described a computer program which, when executed by a processor, causes the processor to carry out the above challenge-response method. Finally, there is described a computer readable medium storing the above-mentioned computer program.
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
A method of storing an amount of data D in association with a device, the method comprising: obtaining a characteristic C of the device; generating error correction data R for the characteristic C, the error correction data R enabling correction of up to a predetermined number of errors in a version of the characteristic C; combining the characteristic C with the amount of data D and an authentication key K to generate storage data P, wherein said combining is arranged so that the amount of data D and the authentication key K are obtainable using the characteristic C and the storage data P; generating a signature using a signature key, the signature being a digital signature of a quantity of data comprising the storage data P, the amount of data D and the authentication key K, wherein the signature key corresponds to a verification key accessible by the device; generating an authentication code for the error correction data R using the authentication key K, wherein the authenticity of the error correction data R is verifiable using the authentication code and the authentication key K; and storing the error correction data R, the storage data P, the signature and the authentication code to thereby store the amount of data D.
G06F 3/06 - Entrée numérique à partir de, ou sortie numérique vers des supports d'enregistrement
G06F 11/10 - Détection ou correction d'erreur par introduction de redondance dans la représentation des données, p.ex. en utilisant des codes de contrôle en ajoutant des chiffres binaires ou des symboles particuliers aux données exprimées suivant un code, p.ex. contrôle de parité, exclusion des 9 ou des 11
G06F 21/10 - Protection de programmes ou contenus distribués, p.ex. vente ou concession de licence de matériel soumis à droit de reproduction
82.
System and method for generating and protecting cryptographic keys
In the present disclosure, implementations of Diffie-Hellman key agreement are provided that, when embodied in software, resist extraction of cryptographically sensitive parameters during software execution by white-box attackers. Four embodiments are taught that make extraction of sensitive parameters difficult during the generation of the public key and the computation of the shared secret. The embodiments utilize transformed random numbers in the derivation of the public key and shared secret. The traditional attack model for Diffie-Hellman implementations considers only black-box attacks, where attackers analyze only the inputs and outputs of the implementation. In contrast, white-box attacks describe a much more powerful type of attacker who has total visibility into the software implementation as it is being executed.
G06F 7/58 - Générateurs de nombres aléatoires ou pseudo-aléatoires
G06F 7/72 - Méthodes ou dispositions pour effectuer des calculs en utilisant une représentation numérique non codée, c. à d. une représentation de nombres sans base; Dispositifs de calcul utilisant une combinaison de représentations de nombres codées et non codées utilisant l'arithmétique des résidus
H04L 9/30 - Clé publique, c. à d. l'algorithme de chiffrement étant impossible à inverser par ordinateur et les clés de chiffrement des utilisateurs n'exigeant pas le secret
In the present disclosure, a hash function is computed over a known image, for example, an address range in a program. The result of the hash function is known to be the same at two distinct points in time, before the program is run, i.e. signing at build-time, and during the running of the program, i.e. run time. The value that the programmer wishes to hide, i.e. the secret value, is also known at build-time. At build-time, the secret value is combined with the hash in such a way that the combining operation can be reversed at run time. This combined value, i.e. the salt, is stored along with the program. Later, at runtime, the program computes the same hash value as was computed at signing time, and does the reverse combining operation in order to reveal the secret value.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
84.
Securing accessible systems using dynamic data mangling
Systems and techniques for securing accessible computer-executable program code and systems are provided. One or more base functions may be generated and blended with existing program code, such that it may be difficult or impossible for a potential attacker to distinguish the base functions from the existing code. The systems and code also may be protected using a variety of other blending and protection techniques, such as fractures, variable dependent coding, dynamic data mangling, and cross-linking, which may be used individually or in combination, and/or may be blended with the base functions.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
H04L 9/06 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p.ex. système DES
G06F 12/14 - Protection contre l'utilisation non autorisée de mémoire
H04L 9/14 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité utilisant plusieurs clés ou algorithmes
G06F 21/14 - Protection des logiciels exécutables contre l’analyse de logiciel ou l'ingénierie inverse, p.ex. par masquage
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
A method of facilitating a device to obtain a version of an item of content. For each section of the item of content, a content distribution system is arranged to provide one or more versions of that section. At least one section includes a plurality of differently watermarked versions of that section. A request for a section of the item of content is received. If the requested section is a section for which the content distribution system is arranged to provide a plurality of differently watermarked versions of that section, a particular version is identified based on an identifier of the device and a response a response containing an indication of the particular version of the requested section is provided to the device. The response is arranged to cause the device to request the particular version of the requested section from a corresponding location on the content distribution system.
H04N 21/234 - Traitement de flux vidéo élémentaires, p.ex. raccordement de flux vidéo ou transformation de graphes de scènes MPEG-4
H04N 21/835 - Génération de données de protection, p.ex. certificats
G06F 16/21 - Conception, administration ou maintenance des bases de données
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04N 21/2343 - Traitement de flux vidéo élémentaires, p.ex. raccordement de flux vidéo ou transformation de graphes de scènes MPEG-4 impliquant des opérations de reformatage de signaux vidéo pour la distribution ou la mise en conformité avec les requêtes des utilisateurs finaux ou les exigences des dispositifs des utilisateurs finaux
H04N 21/262 - Ordonnancement de la distribution de contenus ou de données additionnelles, p.ex. envoi de données additionnelles en dehors des périodes de pointe, mise à jour de modules de logiciel, calcul de la fréquence de transmission de carrousel, retardement d
H04N 21/658 - Transmission du client vers le serveur
H04N 21/8358 - Génération de données de protection, p.ex. certificats impliquant des filigranes numériques
H04N 21/858 - Création de liens entre données et contenu, p.ex. en liant une URL à un objet vidéo en créant une zone active ("hotspot")
There is described a chip comprising a one-time programmable (OTP) memory programmable to store chip configuration data, and a verification module operable to access the OTP memory. The verification module is operable to receive a verification request relating to a specified portion of the OTP memory, the verification request comprising mask data defining the specified portion of the OTP memory. In response to the verification request, the verification module is operable to use the mask data and the OTP memory to generate verification data relating to the specified portion of the OTP memory, the verification data further being generated based on a secret key of the chip.
There is also described a chip-implemented method of generating verification data relating to a specified portion of a one-time programmable (OTP) memory of the chip. There are also described methods for primary or secondary verification systems to verify a configuration of a specified portion of the OTP memory the above mentioned-chip.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p.ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 12/14 - Protection contre l'utilisation non autorisée de mémoire
G06F 21/79 - Protection de composants spécifiques internes ou périphériques, où la protection d'un composant mène à la protection de tout le calculateur pour assurer la sécurité du stockage de données dans les supports de stockage à semi-conducteurs, p.ex. les mémoires adressables directement
87.
System and method of interlocking to protect software-mediated program and device behaviours
There is described a method of controlling access to IP streaming content by a plurality of receivers. The method comprises the steps of (a) for each receiver in the plurality of receivers, providing that receiver with access to first control information for that receiver to enable that receiver to access a first portion of the content; (b) identifying a receiver from the plurality of receivers as an identified receiver; (c) updating the first control information so as to provide updated control information for each receiver, the updated control information being associated with a second portion of the content; and (d) configuring each receiver to fetch the updated control information for that receiver. For the identified receiver, the updated control information is invalid such that the identified receiver is unable to fully access the second portion of the content. A server configured to carry out the method is also described.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04N 21/258 - Gestion de données liées aux clients ou aux utilisateurs finaux, p.ex. gestion des capacités des clients, préférences ou données démographiques des utilisateurs, traitement des multiples préférences des utilisateurs finaux pour générer des données co
H04N 21/262 - Ordonnancement de la distribution de contenus ou de données additionnelles, p.ex. envoi de données additionnelles en dehors des périodes de pointe, mise à jour de modules de logiciel, calcul de la fréquence de transmission de carrousel, retardement d
H04N 21/6334 - Signaux de commande issus du serveur dirigés vers des éléments du réseau ou du client vers le client pour l’autorisation, p.ex. en transmettant une clé
H04N 21/8358 - Génération de données de protection, p.ex. certificats impliquant des filigranes numériques
H04N 21/442 - Surveillance de procédés ou de ressources, p.ex. détection de la défaillance d'un dispositif d'enregistrement, surveillance de la bande passante sur la voie descendante, du nombre de visualisations d'un film, de l'espace de stockage disponible dans l
A method of providing key information from a sender to one or more receivers, the method comprising: obtaining initial key information comprising a plurality of units that assume respective values; forming encoded key information from the initial key information, wherein the encoded key information comprises a plurality of encoded units that correspond to respective units of the initial key information, wherein said forming comprises, for each unit of the initial key information, selecting an encoding from a plurality of invertible encodings associated with said unit and encoding said value assumed by said unit with said selected encoding to form the corresponding encoded unit; and providing the encoded key information to said one or more receivers.
H04L 9/06 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p.ex. système DES
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
Methods and nodes for securing execution of a web application by determining that a call dependency from a first to a second function needs to be protected, adding a Partial Execution Stub (PES) function comprising code to establish a communication connection with a trusted module. Methods and nodes for secured execution of a web application by invoking a function of the web application, invoking a Partial Execution Stub (PES) function during execution of the function of the web application, sending, from the PES function, a message call with current execution information to a trusted module and receiving, a verification result from the trusted module.
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
A method for generating, from initial content data, output content data for provision to one or more receivers, wherein the initial content data is encoded according to a coding scheme, wherein for a quantity of data encoded according to the coding scheme, the coding scheme provides a mechanism for including in the quantity of encoded data additional data such that a decoder for the coding scheme, upon decoding the quantity of encoded data, does not use the additional data to generate decoded data, the method comprising: selecting one or more portions of the initial content data; for each selected portion, generating a data construct that comprises a plurality of data structures, each data structure comprising data, including a version of the selected portion, that is encrypted using a corresponding encryption process different from each encryption process used to encrypt data in the other data structures, wherein the data construct is arranged such that using a decryption process that corresponds to the encryption process for one data structure on the encrypted data in each data structure in the data construct produces a quantity of data encoded according to the coding scheme that uses the mechanism so that a decoder for the coding scheme would not use any data structure in the data construct other than said one data structure; and using the generated data constructs in the initial content data instead of their corresponding selected portions to form the output content data.
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
H04N 21/2343 - Traitement de flux vidéo élémentaires, p.ex. raccordement de flux vidéo ou transformation de graphes de scènes MPEG-4 impliquant des opérations de reformatage de signaux vidéo pour la distribution ou la mise en conformité avec les requêtes des utilisateurs finaux ou les exigences des dispositifs des utilisateurs finaux
H04N 21/2347 - Traitement de flux vidéo élémentaires, p.ex. raccordement de flux vidéo ou transformation de graphes de scènes MPEG-4 impliquant le cryptage de flux vidéo
H04N 21/2389 - Traitement de flux multiplexé, p.ex. cryptage de flux multiplexé
H04N 21/4405 - Traitement de flux élémentaires vidéo, p.ex. raccordement d'un clip vidéo récupéré d'un stockage local avec un flux vidéo en entrée ou rendu de scènes selon des graphes de scène MPEG-4 impliquant le décryptage de flux vidéo
H04N 21/8358 - Génération de données de protection, p.ex. certificats impliquant des filigranes numériques
92.
Conditional entitlement processing for obtaining a control word
Embodiments of the invention provide an improved method and an improved receiver for obtaining a control word. Two or more subkeys are obtained in a receiver. Each subkey was encrypted under control of a key received in an entitlement message or transformed under control of a seed received in an entitlement message. After decryption or transformation, the subkeys are combined to obtain the control word. Typically at least one of the entitlement messages is a positive entitlement message and at least one of the entitlement messages is a negative entitlement message. Embodiments of the invention can be used in a conditional access system such as a Pay-TV system.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 9/14 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité utilisant plusieurs clés ou algorithmes
H04N 7/16 - Systèmes à secret analogiques; Systèmes à abonnement analogiques
H04N 21/4623 - Traitement de messages de titres d'accès, p.ex. message de contrôle d'accès [ECM], message de gestion d'accès [EMM]
H04N 21/6334 - Signaux de commande issus du serveur dirigés vers des éléments du réseau ou du client vers le client pour l’autorisation, p.ex. en transmettant une clé
H04N 21/266 - Gestion de canal ou de contenu, p.ex. génération et gestion de clés et de messages de titres d'accès dans un système d'accès conditionnel, fusion d'un canal de monodiffusion de VOD dans un canal multidiffusion
A method and system for renewing software at the component-level is provided. A client program includes a base component for loading a software component into at least one loadable region of the program to update the program. Code in the software component is for writing state data associating the state of the update in storage, upon execution of the software component, and testing the state data to verify condition of the updated program and disallowing rollback and roll-forward attacks, the state data comprising hash chain values. The state data for verifying the correctness of the updated program is entangled with application data used for the program functionality. A server includes: an update pool having a plurality of software updates deployed in each client, and a policy control for monitoring and controlling at least one of: the length of time the client runs until the software update is invoked, a chain of the updates; and the granularity of the update.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p.ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
94.
Method and apparatus for program flow in software operation
The present disclosure provides a description of a computer implemented method and system for protecting a software program from attack during runtime. The system comprises a plurality of software blocks for providing desired functions during execution of a software program and a trusted address server having a table for mapping predetermined source tokens to destination tokens. The trusted address server couples each of the plurality of software blocks for receipt of predetermined source tokens from any one of the plurality of software blocks, while returning a mapped destination token from the predetermined destination tokens to said any one of the plurality of software blocks in dependence upon the table for mapping predetermined source tokens to destination tokens.
G06F 11/00 - Détection d'erreurs; Correction d'erreurs; Contrôle de fonctionnement
G06F 21/52 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p.ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
95.
Method and system for preventing and detecting security threats
A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secured software agent is provided for embedding within the abstraction layer forming the operating system. The secured software agent is configured to limit access to the abstraction layer by either blocking loadable kernel modules from loading, blocking writing to the system call table or blocking requests to attach debug utilities to certified applications or kernel components.
G06F 12/14 - Protection contre l'utilisation non autorisée de mémoire
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
G06F 9/44 - Dispositions pour exécuter des programmes spécifiques
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
96.
Securing accessible systems using base function encoding
Systems and techniques for securing accessible computer-executable program code and systems are provided. One or more base functions may be generated and blended with existing program code, such that it may be difficult or impossible for a potential attacker to distinguish the base functions from the existing code. The systems and code also may be protected using a variety of other blending and protection techniques, such as fractures, variable dependent coding, dynamic data mangling, and cross-linking, which may be used individually or in combination, and/or may be blended with the base functions.
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
G06F 21/14 - Protection des logiciels exécutables contre l’analyse de logiciel ou l'ingénierie inverse, p.ex. par masquage
H04L 9/06 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p.ex. système DES
97.
Securing accessible systems using variable dependent coding
Systems and techniques for securing accessible computer-executable program code and systems are provided. One or more base functions may be generated and blended with existing program code, such that it may be difficult or impossible for a potential attacker to distinguish the base functions from the existing code. The systems and code also may be protected using a variety of other blending and protection techniques, such as fractures, variable dependent coding, dynamic data mangling, and cross-linking, which may be used individually or in combination, and/or may be blended with the base functions.
H04L 9/00 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité
H04L 9/28 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité utilisant un algorithme de chiffrement particulier
H04L 9/06 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p.ex. système DES
G06F 12/14 - Protection contre l'utilisation non autorisée de mémoire
H04L 9/14 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité utilisant plusieurs clés ou algorithmes
G06F 21/14 - Protection des logiciels exécutables contre l’analyse de logiciel ou l'ingénierie inverse, p.ex. par masquage
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/54 - Contrôle des usagers, programmes ou dispositifs de préservation de l’intégrité des plates-formes, p.ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p.ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
98.
Method and system for dynamic platform security in a device operating system
A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secure software agent is provided for embedding within the abstraction layer forming the operating system. A secure store is provided for storing security information unique to one or more instances of the application software. The secure software agent uses the security information for continuous runtime assurance of ongoing operational integrity of the operating system and application software and thus operational integrity of the device.
G06F 12/14 - Protection contre l'utilisation non autorisée de mémoire
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p.ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p.ex. par clés ou règles de contrôle de l’accès
G06F 17/00 - TRAITEMENT ÉLECTRIQUE DE DONNÉES NUMÉRIQUES Équipement ou méthodes de traitement de données ou de calcul numérique, spécialement adaptés à des fonctions spécifiques
A fingerprinting method. For each round in a series of rounds: providing to each receiver in a set of receivers a version of a source item of content, the source item of content corresponding to the round. For the round there is a corresponding part of a fingerprint-code for the receiver, the part includes one or more symbols. The version provided to the receiver represents those one or more symbols. One or more corresponding symbols are obtained from a suspect item as a corresponding part of a suspect-code. For each receiver in the set of receivers, a corresponding score that indicates a likelihood that the receiver is a colluding-receiver is updated.
G06F 21/16 - Traçabilité de programme ou de contenu, p.ex. par filigranage
G09C 5/00 - Appareils ou méthodes de chiffrement ou de déchiffrement non prévus dans les autres groupes de la présente sous-classe, p.ex. comportant la dissimulation ou la déformation de données graphiques telles que dessins, messages écrits ou imprimés
H04L 9/00 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité
H04L 9/32 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
100.
Change-tolerant method for generating identifier for collection of assets in computing environment using error-correction code scheme
A secure and change-tolerant method for obtaining an identifier for a collection of assets associated with a computing environment. Each asset has an asset parameter and the computing environment has a fingerprint based on an original collection of assets and on a codeword generation algorithm on the original collection of assets. The method comprises: retrieving the asset parameters of the collection of assets and processing the retrieved asset parameters to obtain code symbols. An error-correction algorithm is applied to the code symbols to obtain the identifier. The method can be used in node-locking.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
H04L 9/06 - Dispositions pour les communications secrètes ou protégées; Protocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p.ex. système DES
G06F 11/10 - Détection ou correction d'erreur par introduction de redondance dans la représentation des données, p.ex. en utilisant des codes de contrôle en ajoutant des chiffres binaires ou des symboles particuliers aux données exprimées suivant un code, p.ex. contrôle de parité, exclusion des 9 ou des 11
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p.ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
brevets
