An apparatus comprises a logic processor and at least one hardware device the processor being configured to orchestrate at least one virtual machine, wherein each device and virtual machine respectively forms an isolated execution environment, the processor being configured to: generate a unique ID associated with the request for the result; commit to the unique ID; transmit to the data source the request for data, to trigger the data source to generate and return the result and to generate an authenticity proof of the result by leveraging at least one software attestation technique or at least one hardware attestation technique; verify the authenticity proof; and transmit to the remote application the returned result and verified authenticity proof. This apparatus can be used to provably enforce the correct execution of a given process without relying on the security of a single isolated execution environment only.

Computer systems and methods are disclosed to implement a role manager that automatically analyzes code accessing various resources to generate a role with the necessary resource permissions to execute the code. In embodiments, the role manager may be implemented as part of a workflow orchestration or resource provisioning system that employs code requiring access to different types of resources. In embodiments, the role manager may analyze a code segment to identify the different resources accessed by the code segment and the permissions needed for each access, and generate a role that has the needed permissions. In embodiments, the role manager may automatically manage these roles based on changes to associated code segments. Advantageously, the disclosed role manager removes the need to manually create roles need by code segments ahead of time, and creates roles with minimal privileges required for the code, thereby simplifying achievement of system security.

A method of securing a software routine implemented in a software instance executing in an execution environment, the method comprising: initializing a code block of the software instance with a reference to the software routine by storing the reference such that the stored reference is inaccessible to code outside of the code block; and returning a reference to the code block, the reference to the code block used by the software instance outside of the code block to invoke the software routine; wherein the code block is configured to: (a) invoke the software routine using the stored reference, and, (b) after a predetermined number of invocations of the software routine by the code block, modify the stored reference so as to prevent further invocation of the software routine by the code block.

A computer-implemented method includes receiving content and annotation information that describe a structure of the content, the annotation information having been previously generated by a sub-system that is separate from a content transformation sub-system and at a time before the content was requested to be served; interpreting the annotation information to generate transcoding rules that identify one or more portions of the received content to be transcoded in serving the content; applying the transcoding rules to the content to change the content in a manner that interferes with an ability of malware on a client device to interfere with operation of the content; and providing the transcoded content to a client device that requested the content.

Methods, devices, systems and computer program products are provided for embedding and detection of a watermark message to and from an object-based composite content. One exemplary method includes for embedding a watermark message in an object-based composite content includes designating a plurality of content objects for carrying the watermark message comprising one or more watermark symbols in the composite object-based content that is generated according to an object-based encoding scheme. The method also includes obtaining a mapping of each watermark symbol to a temporal or spatial position of one or more of the designated content objects in the composite content, and embedding each watermark symbol by including each of the one or more of the designated content objects in the composite content in conformance with the temporal or spatial relationship provided by the mapping.

The present invention concerns a method for allocating a space of predetermined size in a memory (2) of a smart card (1), characterized in that it comprises steps of: deterministic preselection (100) in the memory (2), of at least one free zone having a size larger than the predetermined size, selection, (104) in a preselected free zone of a sub-zone having a size equal to the predetermined size, the selection of the sub-zone being variable for one same preselected free zone, use (106) of the selected sub-zone as allocated memory space.

A computer includes a memory and a processor programmed to execute instructions stored in the memory. The instructions include identifying a function in a binary file, assigning one of a plurality of classifications to the function, and determining that the function requires stack cookie protection based at least in part on the classification assigned to the function.

The present invention relates to method of securing a software code comprising at least one constant value, said method generating a secure software code and comprising the steps of: —determining (S1) by a processor in the software code a constant value to be protected, —inserting (S2) by the processor in the software code an indexed array of values such that the constant value to be protected can be determined from one value of the array, —replacing (S3) by the processor in the software code the constant value to be protected by a replacement variable, —inserting (S4) by the processor in the software code a first sequence of instructions which, when executed at runtime: •computes the index in the array of the value from which the constant value to be protected can be determined, •extracts from said array the value located at said computed index in said array, •from said extracted value, determines the constant value to be protected, •sets the value of said replacement variable equal to the determined constant value.

There is provided an apparatus that includes input circuitry to receive input data and output circuitry to output a sequence of instructions to be executed by data processing circuitry. Generation circuitry performs a generation process to generate the sequence of instructions using the input data. The sequence of instructions comprises an indirect control flow instruction having a field that indicates where a target of the indirect control flow instruction is stored. The generation process causes at least one of the instructions in the sequence of instructions to store a state of control flow speculation after execution of the indirect control flow instruction. The at least one of the instructions in the sequence of instructions that stores the state of control flow speculation is inhibited from being subject to data value speculation by the data processing circuitry.

In one implementation, a method for automatically generating a security policy for a controller includes receiving, by a security policy generation system and from a controller development environment, code for a device controller; selecting middleware that enforces a security policy; analyzing the code for the device controller; based at least in part on the analyzing, automatically generating the security policy; and providing the selected middleware along with the generated security policy.