G06F2009/45587

SYSTEMS AND METHODS FOR TRANSPARENTLY DETECTING UNENCRYPTED VIRTUAL MACHINE I/O
20230237169 · 2023-07-27

In some aspects, an apparatus includes a processor and a memory. In some embodiments, the memory includes programmed instructions that, when executed by the processor, cause the apparatus to intercept an I/O transaction between a virtual machine and an I/O device, determine whether data in the I/O transaction indicates a security misconfiguration, and perform a remedial action in response to identifying the security misconfiguration.

Virtual machine perfect forward secrecy

Provided is a method, a computer program product, and a system for providing perfect forward secrecy in virtual machines. The method includes receiving a secure memory allocation function from an application, including a connection secret to be stored in memory. The method further includes allocating memory for the connection secret according to the memory size parameter and storing an entry relating to the connection secret in a secure database. The memory information includes a memory location and a memory size of the memory. The method also includes monitoring an operation state relating to the virtual machine. The method further includes receiving, from the application, a secure deallocation function relating to the connection secret and retrieving the memory information from the secure database. The method also includes deleting the connection from the memory and sanitizing the memory location logged by the memory information.

Methods and apparatus to manage compute resources in a hyperconverged infrastructure computing environment

Methods, apparatus, systems and articles of manufacture are disclosed for managing compute resources in a computing environment. Disclosed examples are to select an offering workload in a computing environment to lend at least one resource to a needy workload in the computing environment. Disclosed examples are also to cause a host associated with the offering workload to at least one of (i) instantiate a first virtual machine when the host is implemented with a second virtual machine or (ii) instantiate a first container when the host is implemented with a second container. Disclosed examples are further to assign the first virtual machine or the first container to the needy workload.

Provenance audit trails for microservices architectures

An apparatus to facilitate provenance audit trails for microservices architectures is disclosed. The apparatus includes one or more processors to: obtain, by a microservice of a service hosted in a datacenter, provisioned credentials for the microservice based on an attestation protocol; generate, for a task performed by the microservice, provenance metadata for the task, the provenance metadata including identification of the microservice, operating state of at least one of a hardware resource or a software resource used to execute the microservice and the task, and operating state of a sidecar of the microservice during the task; encrypt the provenance metadata with the provisioned credentials for the microservice; and record the encrypted provenance metadata in a local blockchain of provenance metadata maintained for the hardware resource executing the task and the microservice.

COHERENCE-BASED ATTACK DETECTION
20230022096 · 2023-01-26

While an application or a virtual machine (VM) is running, a device tracks accesses to cache lines to detect access patterns that indicate security attacks, such as cache-based side channel attacks or row hammer attacks. To enable the device to detect accesses to cache lines, the device is connected to processors via a coherence interconnect, and the application/VM data is stored in a local memory of the device. The device collects the cache lines of the application/VM data that are accessed while the application/VM is running into a buffer and the buffer is analyzed for access patterns that indicate security attacks.

ELECTRONIC DEVICE AND OPERATING METHOD

An electronic device may include a memory and at least one processor operatively connected with the memory. The at least one processor, including processing circuitry, may run a user application in a first area operating with a first permission and run an operating system in a second area operating with a second permission higher than the first permission. The memory stores instructions configured to, when executed, cause the at least one processor to detect an operation of at least one first device included in the electronic device, in a third area operating with a third permission higher than the second permission, deliver a detection signal for the at least one first device to a fourth area, an execution environment of which is separated from the first area, the second area, and the third area, in the third area, and provide a notification that the at least one first device is operating using at least one specified second device, in the fourth area. The fourth area may be an area on a second virtual machine, an execution environment of which is separated from the first area and the second area being areas on a first virtual machine by a hypervisor executed in the third area.

Reconfigured virtual machine to mitigate attack

A computer implemented method to mitigate a security attack against a target virtual machine (VM) in a virtualized computing environment, the target VM having a target VM configuration including configuration parameters, and the security attack exhibiting a particular attack characteristic, is disclosed.

5G Network Slice Device Security Protection
20230232236 · 2023-07-20

A method of user equipment (UE) implemented network slice security protection is disclosed. The method comprises the UE receiving a request to initialize an application, querying a UE Route Selection Policy (URSP) stored on the UE, and receiving traffic descriptors and security descriptors in response to the querying. The traffic descriptors identify a network slice for the application. The security descriptors comprise a security flag and a virtualization container ID. The method also comprises the UE initiating the application within a virtualization container corresponding to the virtualization container ID based on the security flag indicating that the network slice is secure and binding traffic for the application in the virtualization container to a PDU session based on the traffic descriptors. The method further comprises communicating, by the application executing within the virtualization container, with a core network over the PDU session via the network slice bound to the virtualization container.

HIERARCHICAL HARDWARE-SOFTWARE PARTITIONING AND CONFIGURATION
20230229757 · 2023-07-20

Embodiments herein describe partitioning hardware and software in a system on a chip (SoC) into a hierarchy. In one embodiment, the hierarchy includes three levels of hardware-software configurations, enabling security and/or safety isolation across those three levels. The levels can cover the processor subsystem with compute, memory, acceleration, and peripheral resources shared or divided across those three levels.

Encoded inline capabilities

Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.