摘要:
An antivirus (AV) application specifies a fault handler code image, a fault handler manifest, a memory location of the AV application, and an AV application manifest. A loader verifies the fault handler code image and the fault handler manifest, creates a first security domain having a first security level, copies the fault handler code image to memory associated with the first security domain, and initiates execution of the fault handler. The loader requests the locking of memory pages in the guest OS that are reserved for the AV application. The fault handler locks the executable code image of the AV application loaded into guest OS memory by setting traps on selected code segments in guest OS memory.
摘要:
A management engine may be used to trap configuration cycles during the boot process and thereafter in response to operating system enumeration. As a result, a virtual bus device can be created. The bus device may be used to provision software to the platform even when the operating system is corrupted or non-functional.
摘要:
In one embodiment, the present invention includes a method for obtaining a pre-boot authentication (PBA) image from a non-volatile storage that is configured with full disk encryption (FDE), and storing the PBA image in a memory. Then a callback protocol can be performed between a loader executing on an engine of a chipset and an integrity checker of a third party that provided the PBA image to confirm integrity of the PBA image, the PBA image is executed if the integrity is confirmed, and otherwise it is deleted. Other embodiments are described and claimed.
摘要:
Systems and methods for managing distributed compute resources are described herein. A system is configured to receive, from an agent operating at a first compute domain of a plurality of compute domains, a request for compute resources; broadcast the request for compute resources to respective agents at the plurality of compute domains; receive a plurality of offers for available compute resources from at least a portion of the plurality of compute domains; transmit, to a selected agent at a selected compute domain of the plurality of compute domains, a commit message to reserve compute resources of the selected compute domain associated with a selected offer of the plurality of offers; and transmit an indication of the commit message to the agent at the first compute domain, wherein the first compute domain is to use the compute resources reserved at the selected compute domain for workloads of the first compute domain.
摘要:
The subject matter described herein provides technical solutions for technical problems facing computing network security. Technical solutions described herein include adaptive sniffing of networking traffic, such as using a brokered network traffic sniffing framework. A brokered sniffing framework may be used to provide dynamic adjustment of network access points and network traffic sampling queries, such as by providing dynamic adjustment in response to changes to the network topology or network traffic. The brokered sniffing framework may provide improved statistical sampling of network traffic using improved network traffic telemetry, such as by modifying a statistical profile of network traffic contents that are collected. The network traffic telemetry may be used to identify various changes in network traffic, such as by identifying statistically significant changes in latencies, bandwidths, or other data center performance metrics.
摘要:
System and techniques for network slice resiliency are described herein. An indication of a fault-attack-failure-outage (FAFO) event for a network slice may be received. Here, the network slice is one of multiple network slices. A capacity in a slice segment may be estimated to determine whether there is enough capacity to meet a service level agreement (SLA) of the multiple network slices based on the FAFO event. In this case, the slice segment is a set of physical resources shared by the multiple network slices. Operation of the slice segment may then be modified based on results from estimating the capacity in the slice segment to address impacts from the FAFO event.
摘要:
A machine-readable storage medium includes instructions stored thereupon, which when executed by processing circuitry of a computing node operable to implement a service mesh control plane (SMCP) in a MEC network, cause the processing circuitry to decode an attestation request received from a sidecar proxy of a deployable instance. The sidecar proxy is instantiated on a MEC host. Evidence information is collected from the deployable instance responsive to the attestation request, the evidence information comprising at least one security configuration of the deployable instance. An attestation of the evidence information is performed using a verified configuration of the deployable instance to generate an integrity report. An attestation token is generated based on the integrity report and is encoded for transmission to the MEC host. The attestation token authorizes the sidecar proxy to obtain configuration to facilitate a data exchange between the deployable instance and at least another deployable instance.
摘要:
Various systems and methods for implementing reputation management and intent-based security mechanisms are described herein. A system for implementing intent-driven security mechanisms, configured to: determine, based on a risk tolerance intent related to execution of an application on a compute node, whether execution of a software-implemented operator requires a trust evaluation; and in response to determining that the software-implemented operator requires the trust evaluation: obtain a reputation score of the software-implemented operator; determine a minimum reputation score from the risk tolerance intent; compare the reputation score of the software-implemented operator to the minimum reputation score; and reject or permit execution of the software-implemented operator based on the comparison
摘要:
Systems and techniques for storage-class memory device including a network interface are described herein. A write for a network communication is received by the host interface of the memory device. Here, the network communication includes a header. The header is written to a non-volatile storage array managed by a memory controller. A network command is detected by the memory device. Here, the network command includes a pointer to the header in the non-volatile storage array. The header is retrieved from the non-volatile storage array and a packet based on the header is transmitted via a network interface of the memory controller.
摘要:
Various examples of device and system implementations and methods for performing end-to-end attestation operations for multi-layer hardware devices are disclosed. In an example, attestation operations are performed by a verifier, including: obtaining layered attestation evidence regarding a state of a compute device, with the layered attestation evidence including attesting evidence provided from a second hardware layer of the compute device, such that the attesting evidence provided from the second hardware layer is generated from attesting evidence provided from a first hardware layer of the compute device to the second hardware layer of the compute device; obtaining endorsement information relating to the layered attestation evidence for the state of the compute device; determining an appraisal policy for performing attestation of the compute device from the layered attestation evidence; and applying the appraisal policy and the endorsement information to the layered attestation evidence, to perform attestation of the compute device.