An example system includes: an application comprising code segments and execution location markers which return indicators identifying behavior of the code segments in response to receiving a request to process the application. The example system includes an application manager engine to receive the request and pass the request to the application. The example system includes the application manager engine including an awareness builder engine to: receive from the application, a response to the request that includes the indicators identifying the behavior of the code segments; store the indicators local to the application manager engine; and transmit the response.

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for generating tracer events. One of the methods includes generating, by a first system in an event processing pipeline, tracer event data for a data event; receiving, by a downstream system in the event processing pipeline, data for the data event and the tracer event data for the data event; updating, by the downstream system, the tracer event data for the data event using metric data generated while the downstream system processed the data event; after updating the tracer event data, receiving the data event that has been processed at each of multiple different layers in the event processing pipeline, and the updated tracer event data for the data event; and causing a change to the event processing pipeline using a result of an analysis of the updated tracer event data.

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for generating tracer events. One of the methods includes generating, by a first system in an event processing pipeline, tracer event data for a data event; receiving, by a downstream system in the event processing pipeline, data for the data event and the tracer event data for the data event; updating, by the downstream system, the tracer event data for the data event using metric data generated while the downstream system processed the data event; after updating the tracer event data, receiving the data event that has been processed at each of multiple different layers in the event processing pipeline, and the updated tracer event data for the data event; and causing a change to the event processing pipeline using a result of an analysis of the updated tracer event data.

Exposing a memory cell value during trace replay prior to an execution time at which the memory cell value was recorded into a trace. A computer system identifies a first and a second trace fragment within a trace, each recording an uninterrupted consecutive execution of a plurality of executable instructions. The computer system determines that the first trace fragment is orderable prior to the second trace fragment and, based on an inter-fragment analysis, that a value of a memory cell recorded into the second trace fragment is compatible with the first trace fragment. The computer system generates output data indicating that the value of the memory cell can be exposed, during a replay of the trace, at a first execution time that is prior to a second execution time of an event that caused the value of the memory cell to be recorded into the second trace fragment.

There is disclosed a circuit for monitoring the security of a processor, wherein the circuit is configured to access a memory configured to store execution context data of a software program executed by the processor; to determine one or more signatures from said execution context data; and to compare said signatures with predefined signatures to monitor the security of the processor (110). Developments describe that context data can comprise control flow data, that a signature can comprise a hash value or a similarity signature, or that the integrity of signatures can be verified for example by using a secret key (e.g. obtained by random, or by using a physically unclonable function). Further developments describe various controls or retroactions on the processor, as well as various countermeasures if cyber attacks are determined.

There is disclosed a circuit for monitoring the security of a processor, wherein the circuit is configured to access a memory configured to store execution context data of a software program executed by the processor; to determine one or more signatures from said execution context data; and to compare said signatures with predefined signatures to monitor the security of the processor (110). Developments describe that context data can comprise control flow data, that a signature can comprise a hash value or a similarity signature, or that the integrity of signatures can be verified for example by using a secret key (e.g. obtained by random, or by using a physically unclonable function). Further developments describe various controls or retroactions on the processor, as well as various countermeasures if cyber attacks are determined.

A method of verifying execution sequence integrity of an execution flow includes receiving, by a local monitor of an automated device monitoring system from one or more sensors of an automated device, a unique identifier for each function in a subset of an execution flow for which the local monitor is responsible for monitoring. The method includes combining the received unique identifiers to generate a combination value, applying a hashing algorithm to the combination value to generate a temporary hash value, retrieving, from a data store, a true hash value, determining whether the temporary hash value matches the true hash value, and in response to the temporary hash value not matching the true hash value, generating a fault notification. The true hash value represents a result of applying the hashing algorithm to a combination of actual unique identifiers associated with each function in the subset.

A method of verifying execution sequence integrity of an execution flow includes receiving, by a local monitor of an automated device monitoring system from one or more sensors of an automated device, a unique identifier for each function in a subset of an execution flow for which the local monitor is responsible for monitoring. The method includes combining the received unique identifiers to generate a combination value, applying a hashing algorithm to the combination value to generate a temporary hash value, retrieving, from a data store, a true hash value, determining whether the temporary hash value matches the true hash value, and in response to the temporary hash value not matching the true hash value, generating a fault notification. The true hash value represents a result of applying the hashing algorithm to a combination of actual unique identifiers associated with each function in the subset.

A program information generating system includes circuitry configured to acquire a program including a non-interruption instruction code and an interruption instruction code, and action information indicating an order of execution of the non-interruption instruction code and the interruption instruction code, determine an action interruption position representing a position where interruption has occurred in the action information based on the interruption instruction code and the action information, determine a program interruption position representing a position where interruption has occurred in the program based on the non-interruption instruction code and the action interruption position, and generate program interruption position information for specifying the program interruption position.

In a general aspect, a method can include: executing an operation of a program that loads an arbitrarily chosen value of an initial data item of a series of ordered data; executing a series of calculation operations distributed in the program, that calculate a current data item based on a preceding data item; performing a final calculation operation of the series of operations that calculates a final data item of the data series; and executing an operation of the program that detects a program execution error by comparing the current data item of the data series with an expected value of the current data item or the final data item, the final data item having an expected value that is independent of the number of data items in the data series and is calculated based on the current data item of the data series and a final compensation data item.