Patent classifications
G06F9/4486
Enforcing a segmentation policy in co-existence with a system firewall
A segmentation firewall executing on a host enforces a segmentation policy. In a co-existence mode, the segmentation firewall operates in co-existence with a system firewall that enforces a security policy. The segmentation firewall is configured to either drop packets that do not match any permissive rule or pass packets that match a permissive rule to the system firewall to enable the system firewall to determine whether to drop or accept the passed packets. To enable efficient operation of the segmentation firewall when operating in co-existence with the system firewall, the segmentation firewall may include a plurality of rule chains and may be configured to exit a chain and bypass remaining rule chains upon an input packet matching a permissive rule of the segmentation policy.
Hardware secure element, related processing system, integrated circuit, device and method
A hardware secure element is described. The hardware secure element includes a microprocessor and a memory, such as a non-volatile memory. The memory stores a plurality of software routines executable by the microprocessor. Each software routine starts at a respective memory start address. The hardware secure element also includes a receiver circuit and a hardware message handler module. The receiver circuit is configured to receive command data that includes a command. The hardware message handler module is configured to determine a software routine to be executed by the microprocessor as a function of the command, and also configured to provide address data to the microprocessor that indicates the software routine to be executed.
Dynamically overriding a function based on a capability set
Dynamically overriding a function based on a capability set. A computer system reads a portion of an executable image file. The portion includes a first memory address corresponding to a first callee function implementation. The first memory address was inserted into the portion by a compiler toolchain. Based on extensible metadata included in the executable image file, and based on a capability set that is specific to the computer system, the computer system determines a second memory address corresponding to a second callee function implementation. Before execution of the portion, the computer system modifies the portion to replace the first memory address with the second memory address.
DYNAMIC SWITCHING BETWEEN POINTER AUTHENTICATION REGIMES
Embodiments described herein enable the interoperability between processes configured for pointer authentication and processes that are not configured for pointer authentication. Enabling the interoperability between such processes enables essential libraries, such as system libraries, to be compiled with pointer authentication, while enabling those libraries to still be used by processes that have not yet been compiled or configured to use pointer authentication.
PERFORMANCE OPTIMIZATION OF CLOSE CODE
Methods and systems described herein utilize a jump table in directly-addressable, near code, to facilitate improved execution of frequent calls to executable code from other workloads outside of the near code. By executing a directly-addressable call and jump instruction to access frequently-accessed executable code, indirect call instructions are avoided.
Applying security mitigation measures for stack corruption exploitation in intermediate code files
Presented herein are methods and systems for generating intermediate code files adjusted to prevent return-oriented programming exploitation, comprising receiving compiled intermediate code file(s) comprising a plurality of routines and adjusting them prior to generation of a respective executable file for execution by one or more processors. The adjusting comprises analyzing a symbol table of the intermediate code file(s) to identify a beginning address of each of the routines, analyzing each of the routines to identify indirect branch instructions in the routines, and replacing each detected indirect branch instruction with an invocation of a verification code segment configured to verify that the respective indirect branch instruction points to the beginning address of one of the routines. At runtime, the verification code segment causes the processor(s) to initiate one or more predefined actions in case the indirect branch instruction is not pointing to the beginning address of one of the plurality of routines.
APPLICATION PROCESSING METHOD AND APPARATUS
Embodiments of the present specification provide an application processing method and apparatus. The method includes: checking whether an invoking condition corresponding to a jump control of a home application is triggered; in response to the invoking condition being triggered, invoking the jump control and displaying a jump window of the jump control on a current interface; and in response to an operation of jumping to a destination application triggered by a user through the jump window, redirecting the user from the current interface to an interface corresponding to the destination application. The jump control is associated with at least one destination application, and the destination application includes one or more of a sub-application of the home application or another application.
Mock server for testing
Systems of the present disclosure provide a versatile, reusable mock server to respond to Application Programming Interface (API) requests. The mock server receives an API request and a cookie associated with the API request. The mock server identifies response instructions found in the cookie. The response instructions may include a static response value, a name of an API server for the mock server to imitate, or code for the mock server to execute in the process of generating a mock API response. The mock server generates a mock API response based on the response instructions and sends the mock API response in reply to the API request.
SYSTEM AND METHOD FOR CONTROLLING EXECUTION OF CALL STACK FRAMES
A method for controlling execution of call stack frames within an actively running computer application includes adding at least one frame-controlling instruction to modify the behaviour of the code in such a way that a stack frame executing the code can be controlled on demand. Additionally, the mapping of bytecode offsets to line numbers is manipulated to conceal the added instructions and match the original source code. The method allows stack frame operations including, but not limited to, restarting stack frames, creating new stack frames, dropping stack frames, handling software developer errors, and halting stack frames.