A method and apparatus prevents hacker code from infecting an application program by requiring decryption of the application program prior to running the application program on a computer. The method includes steps of: providing a storage device that is a separate unit from components necessary to operate the computer; storing a symmetric private key on the storage device; using the symmetric private key to produce an encrypted application program upon first installation; thereafter decrypting that part of the encrypted application program needed implement a command to run the application program; precluding the computer from running any part of the application program that has not been first encrypted with the symmetric private key; and, decrypting, on the fly, only those follow-on parts of the encrypted application program needed to perform functions called for during operation of the application program.

Described are examples for authenticating a device including detecting an event related to communications with a trusted platform module (TPM) device, performing, in response to detecting the event, one or more security-related functions with the TPM device, such as generating and/or signing one or more digital certificates, which may be based on one or more keys on the TPM device.

Methods, systems and devices for using charged particle beams (CPBs) to write different die-specific, non-volatile, electronically readable data to different dies on a substrate. CPBs can fully write die-specific data within the chip interconnect structure during the device fabrication process, at high resolution and within a small area, allowing one or multiple usefully-sized values to be securely written to service device functions. CPBs can write die-specific data in areas readable or unreadable through a (or any) communications bus. Die-specific data can be used for, e.g.: encryption keys; communications addresses; manufacturing information (including die identification numbers); random number generator improvements; or single, nested, or compartmentalized security codes. Die-specific data and locations for writing die-specific data can be kept in encrypted form when not being written to the substrate to conditionally or permanently prevent any knowledge of said data and locations.

Methods and integrated circuit architectures for assuring the protection of intellectual property between third party IP providers, system designers (e.g., SoC designers), fabrication entities, and assembly entities are provided. Novel design flows for the prevention of IP overuse, IP piracy, and IC overproduction are also provided. A comprehensive framework for forward trust between 3PIP vendors, SoC design houses, fabrication entities, and assembly entities can be achieved, and the unwanted modification of IP can be prevented.

A physical unclonable function (PUF) array includes a plurality of PUF transistor cells each of which includes at least one inverter. An input and an output of the at least one inverter are shorted to a first reference node. There is adjustment circuitry for adjusting a reference voltage of the first reference node, and measurement circuitry for measuring a trip point of the at least one inverter. If the trip point is close to the reference voltage then bits of the at least one inverter are defined as unstable.

Trusted client security factor-based authorizations at a server. The techniques allow the server to authorize client requested operations to access a protected resource or service based on trusted client security factors that are obtained at client machines and provided to the server.

A method for locating a mobile device which is not in possession of the owner using an owner verification server. A mobile network operator server sends a message to the owner verification server requesting verification of ownership. The owner verification server retrieves ownership status and transmits a request to the mobile network operator server to transmit location tracking data when the ownership status indicates that the device is not in the owner's possession. The owner verification server forwards the location tracking data to the device owner.

A method and apparatus for a certificate authority system providing authentication to a plurality of devices associated with an organization are described. The method may include receiving, at the certificate authority system, a request from a device to sign authentication information of the device, wherein the device is associated with the organization. The method may also include sending a challenge to the device to perform an action with a system other than the certificate authority system, and receiving the response to the challenge from the device. Furthermore, the method may include verifying that the response was generated correctly based on the challenge, and signing the authentication information of the device with one or more keys of the certificate authority system as an authentication of an identity of the device.

Techniques are described herein that are capable of provisioning a trusted execution environment (TEE) based on (e.g., based at least in part on) a chain of trust that includes a platform on which the TEE executes. Any suitable number of TEEs may be provisioned. For instance, a chain of trust may be established from each TEE to the platform on which an operating system that launched the TEE runs. Any two or more TEEs may be launched by operating system(s) running on the same platform or by different operating systems running on respective platforms. Once the chain of trust is established for a TEE, the TEE can be provisioned with information, including but not limited to policies, secret keys, secret data, and/or secret code. Accordingly, the TEE can be customized with the information without other parties, such as a cloud provider, being able to know or manipulate the information.

According to certain general aspects, the present embodiments relate generally to securing communication between ECUs. Example implementations can include a method of securely transmitting Controller Area Network (CAN) protocol frames via a CAN controller.