Abstract: An apparatus comprises a memory to store data and a processor coupled to the memory. The processor may modify a plurality of data elements using a semantic relationship between the plurality of data elements and a pre-selected data security policy and to store data representing the modified plurality of data elements in the memory.

Abstract: An example computing device comprises a first processing unit having first capabilities, a second processing unit having second capabilities, and a shared memory accessible by the first processing unit and the second processing unit. The shared memory stores data objects in association with type information indicating the data type of the data objects. The example computing device further comprises an instruction set to, when executed by a processing unit of the computing device, select one of the first processing unit and the second processing unit to perform a computation of a particular type, using data of a particular type stored in the shared memory, wherein the selection is performed based on a predefined affinity of the first processing unit for the particular computation type and/or the particular data type and a predefined affinity of the second processing unit for the particular computation type and/or the particular data type.

Abstract: An example system in accordance with an aspect of the present disclosure includes a cache engine, a validate engine, and an access engine. The cache engine is to cache, into an address cache of an object reference, an object address corresponding to an object, in response to performing a lookup of the object via at least one indirection. The validate engine is to validate that an object ID of the object located at the cached object address corresponds to a reference object ID that is stored in the object reference and associated with the object. The access engine is to access the object via a lookup of the object address cached in the address cache of the object reference, in response to validating the reference object ID.

Abstract: Examples analyze source code of a task prior to compiling the source code to determine a static property of the task. Examples determine a category for the task based at least in part on the static property. Examples compile the source code to generate a binary of the task. Examples determine execution parameters for the task based at least in part on the category. Examples schedule the binary for execution based at least in part on the execution parameters.

Abstract: In one implementation, a data sharing system can comprise a trust engine to identify an environment that satisfies a level of trust, an access engine to request access to a set of data, a procedure engine to receive a procedure, a restriction engine to receive a restriction associated with a resource of the environment, a monitor engine to maintain resource utilization information, and a control engine to limit execution of the procedure based on the restriction and the resource utilization information. In another implementation, a method for sharing a set of data can comprise validating an environment satisfies a level of trust, receiving a restriction associated with a resource of the environment, receiving a procedure to access the set of data, ascertaining resource utilization information, and providing a view of the set of data based on the restriction and the resource utilization information.

Abstract: In one implementation, a data sharing system can comprise a trust engine to identify an environment that satisfies a level of trust, an access engine to request access to a set of data, a procedure engine to receive a procedure, a restriction engine to receive a semantic restriction associated with a semantic term of the environment, a tracker engine to track the procedure during execution, and a control engine to maintain execution of the procedure based on the restriction and trace information. In another implementation, a method for sharing a set of data can comprise validating an environment satisfies a level of trust, receiving a procedure to access the set of data, receiving a semantic restriction associated with a semantic term of the environment, tracing the procedure during execution, and providing a view of the set of data based on the restriction and a semantic mapping of trace information.

Abstract: A connection policy for a communications network has a local connection policy indicating which paths between a given one of the nodes (computer A, router A, host 898) and others of the nodes (computers B, C, filters B1, B2, C1, C2, hosts 890, 892) are allowable paths, by a symbolic expression of ranges endpoint addresses and other local connection policies in respect of other nodes. It is implemented in a distributed manner by determining, for the given node, which of the allowable paths, are dual authorized as allowable by the other local connection policy relating to the other node at the other end of that path, by Boolean operations on the symbolic expressions. For a given message for a given path between two of the nodes having their own local connection policies, both of these nodes determine whether the given path is currently dual authorized. This can provide reassurance that changes in versions of the connection policy won't transiently open a risk of undetected unwanted communication.

Abstract: An example system in accordance with an aspect of the present disclosure includes a cache engine, a validate engine, and an access engine. The cache engine is to cache, into an address cache of an object reference, an object address corresponding to an object, in response to performing a lookup of the object via at least one indirection. The validate engine is to validate that an object ID of the object located at the cached object address corresponds to a reference object ID that is stored in the object reference and associated with the object. The access engine is to access the object via a lookup of the object address cached in the address cache of the object reference, in response to validating the reference object ID.

Abstract: An example computing device comprises a first processing unit having first capabilities, a second processing unit having second capabilities, and a shared memory accessible by the first processing unit and the second processing unit. The shared memory stores data objects in association with type information indicating the data type of the data objects. The example computing device further comprises an instruction set to, when executed by a processing unit of the computing device, select one of the first processing unit and the second processing unit to perform a computation of a particular type, using data of a particular type stored in the shared memory, wherein the selection is performed based on a predefined affinity of the first processing unit for the particular computation type and/or the particular data type and a predefined affinity of the second processing unit for the particular computation type and/or the particular data type.

Abstract: An apparatus comprises a memory to store data and a processor coupled to the memory. The processor may modify a plurality of data elements using a semantic relationship between the plurality of data elements and a pre-selected data security policy and to store data representing the modified plurality of data elements in the memory.

Abstract: In one example in accordance with the present disclosure, a method for data type management may include adding a first data to a first data set. The first data set may belong to a plurality of data sets stored in a memory and each data set in the plurality may correspond to a type table defining data types in the corresponding data set. The method may further include determining that a first data type of the first data is not in a first type table corresponding to the first data set and generating an identifier corresponding to the first data type. The identifier may identify uses of the first data type within each data set in the plurality and may be a standardized value that is used by each data set in the plurality. The method may also include inserting the identifier into the first type table.

Abstract: Examples analyze source code of a task prior to compiling the source code to determine a static property of the task. Examples determine a category for the task based at least in part on the static property. Examples compile the source code to generate a binary of the task. Examples determine execution parameters for the task based at least in part on the category. Examples schedule the binary for execution based at least in part on the execution parameters.

Abstract: A system has a virtual overlay infrastructure mapped onto physical resources for processing, storage and network communications, the virtual infrastructure having virtual entities for processing, storage and network communications. Virtual infrastructures of different users share physical resources but are isolated. Each infrastructure has its own infrastructure controller to create and configure the infrastructure. It has a user accessible part (CFC) for configuration of that user's infrastructure, and a user inaccessible part (UFC) able to access the mapping and the physical resources. This increases user control to ease system administration, while maintaining security by limiting access to the mapping.

Abstract: In one implementation, a data sharing system can comprise a trust engine to identify an environment that satisfies a level of trust, an access engine to request access to a set of data, a procedure engine to receive a procedure, a restriction engine to receive a semantic restriction associated with a semantic term of the environment, a tracker engine to track the procedure during execution, and a control engine to maintain execution of the procedure based on the restriction and trace information. In another implementation, a method for sharing a set of data can comprise validating an environment satisfies a level of trust, receiving a procedure to access the set of data, receiving a semantic restriction associated with a semantic term of the environment, tracing the procedure during execution, and providing a view of the set of data based on the restriction and a semantic mapping of trace information.

Abstract: In one implementation, a data sharing system can comprise a trust engine to identify an environment that satisfies a level of trust, an access engine to request access to a set of data, a procedure engine to receive a procedure, a restriction engine to receive a restriction associated with a resource of the environment, a monitor engine to maintain resource utilization information, and a control engine to limit execution of the procedure based on the restriction and the resource utilization information. In another implementation, a method for sharing a set of data can comprise validating an environment satisfies a level of trust, receiving a restriction associated with a resource of the environment, receiving a procedure to access the set of data, ascertaining resource utilization information, and providing a view of the set of data based on the restriction and the resource utilization information.

Abstract: A technique includes clustering projects that include a new project and previous projects based on relationships between users and the previous projects to identify a project cluster containing the new project. The technique includes clustering the users based on relationships between the users and permissions that were assigned to the users to access resources for previous projects. The technique further includes assigning permissions for the users assigned to the new project to access resources associated with the new project based at least in part on the clustering of users and the clustering of projects.

Abstract: According to an example, trusted function based data access security control may include determining a restriction set by a first entity and related to access to and/or analysis related to data under the control of the first entity. A trusted function including meta-data that describes a transformation of the data may be ascertained. A determination may be made as to whether the meta-data of the trusted function matches the restriction related to the access to and/or analysis related to the data. In response to a determination that the meta-data of the trusted function matches the restriction, the trusted function may be executed to allow controlled access to the data by a second entity. In response to a determination that the meta-data of the trusted function does not match the restriction, execution of the trusted function may be prevented to prevent access to the data by the second entity.

Abstract: In one implementation, a security management system accesses a trusted location signature and a candidate location signature to determine that the candidate location signature is correlated with the trusted location signature, and establishes a trusted state of an entity in response to determining that the candidate location signature is correlated with the trusted location signature.

Abstract: A connection policy for a communications network has a local connection policy indicating which paths between a given one of the nodes (computer A, router A, host 898) and others of the nodes (computers B, C, filters B1, B2, C1, C2, hosts 890, 892) are allowable paths, by a symbolic expression of ranges endpoint addresses and other local connection policies in respect of other nodes. It is implemented in a distributed manner by determining, for the given node, which of the allowable paths, are dual authorised as allowable by the other local connection policy relating to the other node at the other end of that path, by Boolean operations on the symbolic expressions. For a given message for a given path between two of the nodes having their own local connection policies, both of these nodes determine whether the given path is currently dual authorised. This can provide reassurance that changes in versions of the connection policy won't transiently open a risk of undetected unwanted communication.

Abstract: A connection policy for a communications network has a local connection policy indicating which paths between a given one of the nodes (computer A, router A, host 898) and others of the nodes (computers B, C, filters B1, B2, C1, C2, hosts 890, 892) are allowable paths, by a symbolic expression of ranges endpoint addresses and other local connection policies in respect of other nodes. It is implemented in a distributed manner by determining, for the given node, which of the allowable paths, are dual authorized as allowable by the other local connection policy relating to the other node at the other end of that path, by Boolean operations on the symbolic expressions. For a given message for a given path between two of the nodes having their own local connection policies, both of these nodes determine whether the given path is currently dual authorized. This can provide reassurance that changes in versions of the connection policy won't transiently open a risk of undetected unwanted communication.