Inducements are provided to customers to regularly connect back to a service provider and report usage that is expressed using a count of requests from a local computing device for cloud-based operations such as packet routing, container instantiation, virtual machine (VM) utilization, calls to a service or application, and the like. The count information is reported within a secure context, such as a trusted execution environment (TEE), using public-private key pair cryptography by which key derivation is dependent on some form of counting. For example, a customer computing device that is subject to a usage license encrypts an operation count and reports it to the service provider.

Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.

In some implementations, a device may receive, at an operating system, a request for a random number from an application. The device may provide a command to generate an entropy input, based on the request for the random number and through a driver that is isolated from the operating system, to a quantum random number generator that is isolated from one or more processors hosting the operating system. Accordingly, the device may receive the entropy input, from the quantum random number generator, using the driver, and may generate the random number based at least in part on the entropy input. The device may provide the random number to the application.

This disclosure relates to systems and methods for enabling the use of secret digital or electronic information without exposing the sensitive information to unsecured applications. In certain embodiments, the methods may include invoking, by a client application executing in an open processing domain, a secure abstraction layer configured to interface with secret data protected by a secure processing domain. Secure operations may be securely performed on the secret data by the secure abstraction layer in the secure processing domain based on an invocation from a client application running in the open processing domain.

The present invention relates to a method for access control of a multimedia system to a secure operating system and a mobile terminal for implementing the method. The method includes the steps of: initiating an application access request for selecting a trusted application from a client application of a multimedia system to a secure operating system; making a decision as to whether the client application is a malicious application, and if not, proceeding to a next step, if yes, returning Selection Failure to the client application and performing an interrupt handling; sending the application access request from the multimedia system to the secure system; and acquiring, at the secure operating system, the trusted application based on the application access request and returning the trusted application to the multimedia system. The malicious accesses initiated by a malicious application to a trusted application in a securing operating system can be prevented without switching between systems, and the problem that a trusted application cannot be accessed due to malicious access can be avoided.

The disclosure is directed towards controlling the persistency of information provided to a service worker. A method includes receiving a response that includes response data. The response is received at a security service and was transmitted by a second computing device in response to receiving an information request from a first computing device. The first computing device implements a service worker. Sensitive data included in the response data is identified. The response includes caching instructions that instruct the service worker to cache the sensitive data at the first computing device. In response to identifying the sensitive data, the caching instructions are updated such that any portion of the response data that the updated caching instructions instruct the service worker to cache at the first computing device excludes the sensitive data. The updated response is transmitted to the first computing device and includes the response data and the updated caching instructions.

A method, apparatus, and computer program product are provided for using confidential computing to execute code on sensitive data in an encrypted area of an apparatus limiting access to data and code to only their respective owners. Methods may include: generating an outer enclave and at least one inner enclave within the outer enclave; providing an outer enclave key and an inner enclave key to a service provider; providing an inner enclave key to a data provider; receiving, from the data provider, a data retrieval location; processing data from the respective retrieval location at the data provider inner enclave using data provider code to generate data provider processed data; providing the data provider processed data to the service provider inner enclave; and processing the data provider processed data with service provider code to generate resultant data; decrypting the resultant data in the outer enclave.

The present disclosure describes techniques for changing a required authentication type based on a request for a particular type of information. For example, consider a situation where a user has asked a virtual assistant “who owns this device?” By default, the device may allow biometric authentication to unlock. In response to identification of the owner by the virtual assistant, however, the device may require one or more other types of authentication (e.g., manual entry of a passcode) to unlock the device. In various embodiments, the disclosed techniques may increase the security of the device by making it more difficult for malicious entities to obtain the sensitive information or to access device functionality once the sensitive information has been disclosed. In various embodiments, this may prevent or reduce unauthorized access to the device.

A method for managing an application and a terminal device. The method includes: launching an application in response to an operation on the application received from a user, wherein a time limit is preset for the application, displaying a notification indicating that a use duration of the application reaches the time limit and a time extension is requested at a predetermined moment before the time limit expires, displaying an interface for an identity authentication after the time extension is selected by the user, and extending the use duration of the application when an identity authentication of the user succeeds. Thus the use duration of the application is manageable and controllable.

The claimed group of technical solutions relates to the field of controlling electronic devices with the aid of a graphical user interface, in particular to a method and a system for activating an interface with the aid of a specified type of user input. The technical result of the claimed solution consists in providing the option of activating a graphical user interface with the aid of a user input path from two different corner areas of a display. The claimed method is implemented by creating a pattern of gesture activation of an application, comprising an input path using corner regions of a screen.