Abstract: A code protection scheme for controlling access to a memory region in an integrated circuit includes a processor with an instruction pipeline that includes multiple processing stages. A first processing stage receives one or more instructions. A second processing stage receives address information identifying a protected memory region of the memory from the first processing stage and protection information for an identified protected memory region. The protection information indicates a protection state assigned to each protected memory region. Based on the instruction type of the received instruction and the protection information associated with a particular protected memory region, the second processing stage determines whether to enable or disable access to the particular protected memory region by the processor or other external host.

Abstract: A method of distributing data over multiple Internet connections is provided. The method includes the steps of: (a) providing a client computer with access to a plurality of Internet connections; and (b) providing a host computer for determining the allocation of data to be sent to the client computer over each of the plurality of Internet connections using at least one of (i) predetermined criteria and (ii) dynamically changing criteria.

Abstract: Described systems and methods allow protecting a hardware virtualization system from malicious software. Some embodiments use a hybrid event notification/analysis system, wherein a first component executing within a protected virtual machine (VM) registers as a handler for processor exceptions triggered by violations of memory access permissions, and wherein a second component executing outside the respective VM registers as a handler for VM exit events. The first component filters permission violation events according to a set of rules and only notifies the second component about events which are deemed relevant to security. The second component analyzes notified events to detect malicious software.

Abstract: Scalable techniques for data transfer between virtual machines (VMs) are described. the disclosure provides an apparatus including circuitry, a virtual machine management component for execution by the circuitry to define a plurality of public virtual memory spaces and assign each one of the plurality of public virtual memory spaces to a respective one of a plurality of VMs including a first VM and a second VM, and a virtual machine execution component for execution by the circuitry to execute a first virtual machine process corresponding to the first VM and a second virtual machine process corresponding to the second VM, the first virtual machine process to identify data to be provided to the second VM by the first VM and provide the data to the second VM by writing to a public virtual memory space assigned to the first VM. Other embodiments are described and claimed.

Abstract: A computer architecture is disclosed for implementing a hacking-resistant computing device. The computing device, which could be a mainframe computer, personal computer, smartphone, or any other computing device suitable for network communication, comprises a first partition and a second partition. The second partition can communicate over a network such as the Internet. In contrast, the first partition cannot connect to the Internet, and can directly communicate only with the second partition or with input/output devices directly connected to the first partition. Further, the first partition segments its memory addressing for program code and hardware-protects it from alteration. The second partition is hardware-limited from reading or writing to the memory addressing of the first partition. As a result, the critical data files and program code stored on the first partition are protected from malicious code affecting the second partition.

Abstract: Methods, apparatus and computer program products implement embodiments of the present invention that include storing one or more data volumes to a small computer system interface storage device, and receiving a request to map a given data volume to a host computer. One or more attributes of the given data volume are identified, and using the identified one or more attributes, a unique logical unit number (LUN) for the given data volume is generated. The given data volume is mapped to the host computer via the unique LUN. In some embodiments, the generated LUN includes one of the one or more attributes. In additional embodiments, the generated LUN includes a result of a hash function using the one or more attributes. In storage virtualization environments, the data volume may include secondary logical units, and mapping the given data volume to the host may include binding the SLU to the host.

Abstract: Techniques are described for reducing shared cache memory requests in a multi-threaded microprocessor-based system. One method includes receiving a request for data from a thread, identifying that the request correlates with a pending request associated with a different thread, combining the request with the pending request based on the identifying, and receiving the data after the combining, the receiving being based on the pending request. In some examples, the request may be associated with an address of a cache line in a cache memory.

Abstract: A method for operating a microcontroller, where access rights of processes executed in the microcontroller to different memory areas are stored in a memory protection unit, includes, in the course of a simulation mode, a first process carrying out an access attempt to a certain memory area in a certain manner in the name of a second process; the memory protection unit transferring access rights of the second process for the certain memory area to the first process upon the access attempt. The access rights are read out by the first process and the simulation mode is terminated. The access attempt is preferably thereupon terminated and an access is not carried out according to this access attempt by the first process.

Abstract: The disclosed technology is generally directed to the authentication of software. In one example of the technology, a private attestation key is stored in hardware. In some examples, during a sequential boot process a hash is calculated, in an order in which the software stages are sequentially booted, of each software stage of a plurality of software stages. The hashes of each software stage of the plurality may be cryptographically appended to an accumulation register. The accumulation register may be used to attest to validity of the software stages. The plurality of software stages may include a first bootloader, a runtime for a first core of a multi-core processor, and a runtime for a first execution environment for a second core of the multi-core processor.

Abstract: Described are techniques for use in connection with providing data protection. A storage resource for which data protection is provided by a data protection service may be identified. One or more criteria may be specified denoting one or more trigger conditions for providing data protection by the data protection service, wherein, responsive to an occurrence of any of the one or more trigger conditions, first processing may be performed by the data protection service to protect the storage resource. The one or more criteria may include a first criterion identifying a first amount of data change that has to occur with respect to the storage resource. Notification may be received regarding an occurrence of a first of the one or more trigger conditions. Responsive to receiving the notification, the first processing may be performed by the data protection service.

Abstract: A method for converting metadata in a hierarchical configuration within a filesystem from a first format to a second format includes reading metadata that is in the first format within the hierarchical configuration; writing all of the metadata that is in the first format into a flat file; scanning the metadata to compile a list of inode chunks; sorting the list of inode chunks based on the on disk location of the inode chunks; and writing all of the metadata from the flat file back into the hierarchical configuration, the metadata being in the second format. The method can also include increasing the size of each of a first inode and a second inode within a first inode chunk in the filesystem, assigning the first inode to the first inode chunk, and assigning the second inode to a second inode chunk.

Abstract: An information processing apparatus includes circuitry to check whether a program is active at plural timings. The program is previously terminated while keeping prohibition of at least one operation of the information processing apparatus. The circuitry cancels the prohibition of the at least one operation of the information processing apparatus when the program remains inactive for a given period of time.

Abstract: Preventing timeouts of I/O requests at a data storage system that are associated with cloud-based and/or external data storage systems. Rather than allow a timeout to occur, a response is sent to the host at a predetermined time before timeout, which will prevent the timeout from occurring and may cause the host system to “retry” the I/O operation by issuing another I/O request specifying the same I/O operation. The data storage system may repeat this process a preconfigured number of times or indefinitely, or until the host or user terminates or the application crashes. An I/O request received from a host may be configured in accordance with one or more SAN- or NAS-based protocols, and the I/O request may be translated into an I/O request conforming to one or more cloud-based and/or Internet-based protocols and transmitted to a cloud-based and/or external storage system.

Abstract: Systems and methods are described for verifying functionality of a computing device. Rules are received that are usable to configure a driver verifier function to capture information associated with a device driver identified by the rules. The configured driver verifier function is run on a computing device. The information is captured in response to driver conditions identified by the rules. The computing device is allowed to continue operation when the driver condition includes an error condition of the identified device driver. A communication is initiated to transmit the captured information to a driver verification analysis service.

Abstract: Techniques for enabling enhanced parallelism for sparse linear algebra operations having write-to-read dependencies are disclosed. A hardware processor includes a plurality of processing elements, a memory that is heavily-banked into a plurality of banks, and an arbiter. The arbiter is to receive requests from threads executing at the plurality of processing elements seeking to perform operations involving the memory, and to maintain a plurality of lock buffers corresponding to the plurality of banks. Each of the lock buffers is able to track up to a plurality of memory addresses within the corresponding bank that are to be treated as locked in that the values stored at those memory addresses cannot be updated by those of the threads that did not cause the memory addresses to be locked until those memory addresses have been removed from being tracked by the plurality of lock buffers.

Abstract: This application relates to embodiments for providing a content stream to a device from a content server based on a protocol that is established between the device and an account server. The account server can initiate a session with the device and provide the device with a list of channels available for a user account associated with the device. When a channel is selected at the device, conditional access information can be provided from the account server to the device, which can thereafter relay the conditional access information to the content server. The content server can use the conditional access information to verify that the device has the appropriate permission to receive streaming content. In this way, because the conditional access information originates at the account server, permission to access streaming content can be managed by correspondence between the account server and the device, rather than the content server.

Abstract: In one embodiment, a memory interface employs selective memory mode authorization enforcement in accordance with the present description to ensure that memory modes of operation which have not been authorized, are not permitted to proceed. In one embodiment, mode control logic receives from memory control logic of the memory interface, memory mode selection data which is compared to a mode authorization classification structure to determine if the memory mode being selected in association with a memory transaction request is authorized or otherwise permitted. Memory mode enablement logic of the mode control logic enables the requested memory mode associated with a memory transaction request if it is determined that the selected memory mode associated with the memory transaction request is authorized. Other aspects are described herein.

Abstract: The invention relates to a method for processing at least one data packet (78, 156) which comprises a first header (82, 158) and a payload (100, 160), wherein the first header (82, 158) is processed by a first mode and the payload (100, 160) is processed by a second mode, wherein a number of processing steps (172, 174) for carrying out the second mode is greater than a number of processing steps (168, 170) for carrying out the first mode, the two modes being performed separately from one another.

Abstract: The present disclosure discloses a method and system for restarting the network service with zero downtime, comprising: a) listening, by an original process of the network service, on a first port; (b) configuring and initiating a transition process, wherein the configuring includes causing the transition process to listen on a second port different from the first port of the original process; (c) running a connection tracking module and, meanwhile adding an iptables rule to redirect a connection directed to the first port to the second port; (d) waiting until existing connections on the original process are processed completely, then exiting the original process; (e) initiating a new process on the first port according to a new configuring file; (f) reconfiguring the iptables rule to cancel port redirection; and (g) waiting until existing connections on the transition process are processed completely, then exiting the transition process.

Abstract: Methods and apparatuses relating to memory performance monitoring are described, including a processor and method for memory performance monitoring utilizing a monitor flag and first and second allocators for allocating virtual memory regions.

Abstract: A communication device conforming with plural communication standards and having a storage storing a plurality of virtual stacks each having an application program and communication program that implements a protocol stack for communication by the application program. An executor executes the virtual stacks, and a switching controller switches the virtual stacks to be executed by performing a first processing in which at least one part of at least one of the virtual stacks is read from storage and stored into a memory of, and executed by, the executor. Then, in accordance with free capacity in the memory, at least one part of at least one of the virtual stacks executed in the first processing is deleted from memory. In a second processing at least one part of at least one of the virtual stacks is read from the storage and stored into the memory of, and executed by, the executor.

Abstract: A system, method, and computer program product are provided for migrating availability of a resource type in a communication network using network function virtualization, comprising: selecting a resource type; selecting a first section of the network where demand for the resource type is expected to grow; selecting a second section of the network where demand for the resource type is expected to be stable relative to the first section; selecting a third section of the network communicatively coupled to the first and second sections, the third section comprising higher availability of the resource type than the first section; migrating a first virtual network function (VNF) instance from the third section to the first section; and migrating a second virtual network function instance from the second section to the third section.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: The disclosed computer-implemented method for managing delayed allocation on clustered file systems may include (i) receiving, at a global lock manager that stores storage disk allocation information for a plurality of nodes in a clustered file system, a lock request from a node that requests a lock range on a storage disk to store data from a file, (ii) reserving, by the global lock manager, the lock range, (iii) receiving, at the global lock manager, from an additional node, an additional lock request for an additional lock range to store additional data from the file, and (iv) reserving, by the global lock manager, the additional lock range to be adjacent to the lock range on the storage disk based on the additional data on the additional node being from the same file as the data on the node. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: An apparatus is described. The apparatus includes a storage device having multiple non volatile memory chips and controller circuitry. The controller circuitry is to implement wear leveling of storage cells of the non volatile memory chips at a granularity of segments of storage cell arrays of the non volatile memory chips that share a same disturber node and that are coupled to a same storage cell array wire to diminish disturb errors.

Abstract: Described herein are technical features for freeing a buffer used during execution of a work-item by a multiprocessor. An example method includes identifying a first processing unit that assigned the buffer to the work-item, in response to a request from a second processing unit to free the buffer. The computer-implemented method also includes identifying a bitmap associated with the buffer, the bitmap being in a local memory of the first processing unit. The computer-implemented method also includes updating a bit from the bitmap to indicate that the buffer has been freed, the bit corresponding to the buffer.

Abstract: Aspects of the present invention include a method, system and computer program product that implements a memory management scheme for each processor in a multiprocessor system. The method includes pre-allocating, for each processor in a multiprocessor system, a set of memory buffers; and implementing a metadata bitmap for each pre-allocated set of memory buffers, wherein the metadata bitmap for each pre-allocated set of memory buffers comprises a plurality of bits, and wherein each of the plurality of bits is indicative of a usage state of a corresponding one of the memory buffers within each pre-allocated set of memory buffers.

Abstract: Aspects of the present invention include a method, system and computer program product that implements a memory management scheme for each processor in a multiprocessor system. The method includes pre-allocating, for each processor in a multiprocessor system, a set of memory buffers; and implementing a metadata bitmap for each pre-allocated set of memory buffers, wherein the metadata bitmap for each pre-allocated set of memory buffers comprises a plurality of bits, and wherein each of the plurality of bits is indicative of a usage state of a corresponding one of the memory buffers within each pre-allocated set of memory buffers.

Abstract: Methods and apparatus for locking at least a portion of a shared memory resource. In one embodiment, an electronic device configured to lock at least a portion of a shared memory is disclosed. The electronic device includes a host processor, at least one peripheral processor and a physical bus interface configured to couple the host processor to the peripheral processor. The electronic device further includes a software framework that is configured to: attempt to lock a portion of the shared memory; verify that the peripheral processor has not locked the shared memory; when the portion of the shared memory is successfully locked via the verification that the peripheral processor has not locked the portion of the shared memory, execute a critical section of the shared memory; and otherwise attempt to lock the at least the portion of the shared memory at a later time.

Abstract: Embodiments relate to systems and methods for timeout monitoring of concurrent commands or parallel communication channels comprising assigning or de-assigning each one of the commands or communication channels to a corresponding one of a plurality of timeout timers when corresponding commands are to be transmitted or command acknowledges are received respectively.

Abstract: A processor employs a hardware encryption module in the memory access path between an input/out device and memory to cryptographically isolate secure information. In some embodiments, the encryption module is located at a memory controller of the processor, and each memory access request provided to the memory controller includes VM tag value identifying the source of the memory access request. The VM tag is determined based on a requestor ID identifying the source of the memory access request. The encryption module performs encryption (for write accesses) or decryption (for read accesses) of the data associated with the memory access based on an encryption key associated with the VM tag.

Abstract: A process is disclosed for authorizing a user's access to a limited access network. The process comprises sending an encrypted server random number to a previously registered user. If the user can demonstrate an ability to successfully decrypt the server random number, the user is authenticated and access is authorized. The process further comprises an encrypted user random number. Encryption of the user random number comprises the use of a server-controlled value. The web server's ability to return to the user a decryption of the encrypted user random number serves as confirmation that the web site is legitimate. In a preferred embodiment all communications of login values between the user and the web server are encrypted. In an embodiment a user is provided with a key for encrypting user random numbers and for decrypting server random numbers. The key may be automatically updated on a predetermined schedule.

Abstract: A method of distributing data over multiple Internet connections is provided. The method includes the steps of: (a) providing a client computer with access to a plurality of Internet connections; and (b) providing a host computer for determining the allocation of data to be sent to the client computer over each of the plurality of Internet connections using at least one of (i) predetermined criteria and (ii) dynamically changing criteria.

Abstract: A computer-implemented method for enhancing data protection is disclosed. The method starts with monitoring an operating status of a storage volume at a primary storage of a storage system, where the storage volume is allocated to one or more applications. The method continues with determining whether the operating status of the storage volume satisfies a predetermined condition and notifying a backup application to trigger a backup of the storage volume of the primary storage to a backup storage upon determining that the operating status of the storage volume satisfies the first predetermined condition.

Abstract: An improved method for the prevention of deadlock in a massively parallel processor (MPP) system wherein, prior to a process sending messages to another process running on a remote processor, the process allocates space in a deadlock-avoidance FIFO. The allocated space provides a “landing zone” for requests that the software process (the application software) will subsequently issue using a remote-memory-access function. In some embodiments, the deadlock-avoidance (DLA) function provides two different deadlock-avoidance schemes: controlled discard and persistent reservation. In some embodiments, the software process determines which scheme will be used at the time the space is allocated.

Abstract: A computer architecture is disclosed for implementing a hacking-resistant computing device. The computing device, which could be a mainframe computer, personal computer, smartphone, or any other computing device suitable for network communication, comprises a first partition and a second partition. The second partition can communicate over a network such as the Internet. In contrast, the first partition cannot connect to the Internet, and can directly communicate only with the second partition or with input/output devices directly connected to the first partition. Further, the first partition segments its memory addressing for program code and hardware-protects it from alteration. The second partition is hardware-limited from reading or writing to the memory addressing of the first partition. As a result, the critical data files and program code stored on the first partition are protected from malicious code affecting the second partition.

Abstract: Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.

Abstract: An anomaly detector for a Controller Area Network (CAN) bus performs state space classification on a per-message basis of messages on the CAN bus to label messages as normal or anomalous, and performs temporal pattern analysis as a function of time to label unexpected temporal patterns as anomalous. The anomaly detector issues an alert if an alert criterion is met that is based on the outputs of the state space classification and the temporal pattern analysis. The temporal pattern analysis may compare statistics of messages having analyzed arbitration IDs with statistics for messages having those analyzed arbitration IDs in a training dataset of CAN bus messages, and a temporal pattern is anomalous if there is a statistically significant deviation from the training dataset. The anomaly detector may be implemented on a vehicle Electronic Control Unit (ECU) communicating via a vehicle CAN bus.

Abstract: Embodiments are described for dynamically modifying backup policy of an application using changes in metrics of a data set generated by the application and/or user-specified rules. Each application can have its own backup policy having a protection level that determines a frequency of backup for the application data set. An application can have an initial backup policy. An application backup policy can be based on the application type, a percent of change to the data set since the last backup, a size of the data set, or other metric. A user can specify a rule for the backup policy and protection level for the application. The backup policy or protection level can be dynamically updated in response to changes in the data set or a user-specified rule, on a per-application basis.

Abstract: In accordance with embodiments of the present disclosure, a method may include querying, by an application program executing on a first information handling system, a second information handling system remotely coupled to the first information handling system for data comprising identities of versions or patches of an operating system certified by a provider of the operating system. The method may also include receiving the data in response to the query. The method may further include updating a support matrix associated with the application program based on the identities of certified versions or patches, the support matrix setting forth identities of versions or patches of the operating system supported by the application program.

Abstract: A method designed to configure an IT system having at least one computing core for executing instruction threads, in which each computing core is capable of executing at least two instruction threads at a time in an interlaced manner, and an operating system, being executed on the IT system, capable of providing instruction threads to each computing core. The method includes a step of configuring the operating system being executed in a mode in which it provides each computing core with a maximum of one instruction thread at a time.

Abstract: The disclosed embodiments disclose techniques for managing consistency for a file in a distributed filesystem. Two or more cloud controllers collectively manage distributed filesystem data that is stored in the cloud storage systems; the cloud controllers ensure data consistency for the stored data, and each cloud controller caches portions of the distributed filesystem. During operation, a cloud controller receives from a client a request to access the file. The cloud controller determines a level of consistency that is associated with the file, and then uses this level of consistency to determine whether to communicate with a peer cloud controller when handling the request.

Abstract: A shared memory controller receives, from a computing node, a request associated with a memory transaction involving a particular line in a memory pool. The request includes a node address according to an address map of the computing node. An address translation structure is used to translate the first address into a corresponding second address according to a global address map for the memory pool, and the shared memory controller determines that a particular one of a plurality of shared memory controllers is associated with the second address in the global address map and causes the particular shared memory controller to handle the request.

Abstract: A computer readable medium including executable instructions that when executed perform a method for validating an optimization in generated code using an executable constraints document is provided. The medium can include instructions for relating an assumption to the optimization during code generation. The medium can include instructions for generating the executable constraints document during the code generation, the executable constraints document including information about the relating; and the medium can include instructions for executing the constraints document when the validating is performed, the validating including performing an operation based on a validation result produced by the validating, where the operation includes displaying the validation result to a user, storing the validation result, sending the validation result to a destination, or modifying the generated code.

Abstract: A consistent caching service for managing data consistency between a cache system and backing store is provided. The consistent caching service compares an origin token and a parity token associated with the cached copy of the data item to determine consistency of the data item. The origin and parity tokens may be generated by an operation that caused population of the data item to the cache. The parity token may be invalidated by a write operation of the data item, thus causing a mismatch between the two tokens.

Abstract: Provided is a lock management system, a lock management method and a lock management program whereby lock acquisition and release processes can be carried out at high speed. A lock management system 1 having a multiprocessor includes: a lock acquisition process 310 for carrying out a lock acquisition process for a thread according to one or more lock modes, at least a portion of the lock modes being a shared lock that can be acquired by one or more threads; and lock status holding means 410 for managing the number of threads acquiring a lock, by first information which can express the number of threads by one word that can be handled by an indivisible access command of the multi-processor, and second information representing a whole range of the number of threads that can possibly acquire a lock in each lock mode.

Abstract: Systems and methods are provided to test changes for a mobile app built by web-based tooling directly on a physical mobile device. A first application can be loaded on a mobile device. The first application can receive metadata of a second application. The first application can execute the second application using the metadata. Access to local resources can be intercepted and redirected to the server for processing. Additionally, changes made to the second application using the web-based tooling can be pushed to the first application using a persistent channel allowing the changes to be immediately tested.

Abstract: A smart card management method, a memory storage device, and a memory control circuit unit are provided. The method includes: receiving a first setting command corresponding to a temporary file from a host system. The temporary file is configured to access the smart card, and the first setting command includes a plurality of first setting messages. One of the first setting messages includes first setting command verification information and first location identification information. The first setting command verification information is configured to verify whether the first setting command is configured to set the temporary file, and the first location identification information is configured to find a logical unit corresponding to the first setting message including the first location identification information. The method also includes: recording a first logic range belonging to the temporary file in a look-up table according to the first setting command.

Abstract: A first level buffer chip gates a target second level buffer chip according to a preset mapping relationship, a first chip select signal, and a first higher-order address signal, and forwards a memory access instruction and a lower-order address signal received from a memory controller to the target second level buffer chip. The target second level buffer chip determines a target memory module according to a second chip select signal and a delayed address signal obtained by delay processing on a second higher-order address signal, determines a target memory chip according to the lower-order address signal, acquires target data from the target memory chip according to the memory access instruction, and returns the target data to the memory controller. A cascading manner of a system memory is changed to a tree-like topological form, which avoids a protocol conversion problem and reduces the memory access time.

Abstract: The disclosed embodiments disclose techniques for using byte-range locks to manage multiple concurrent accesses to a file in a distributed filesystem. Two or more cloud controllers collectively manage distributed filesystem data that is stored in the cloud storage systems; the cloud controllers ensure data consistency for the stored data, and each cloud controller caches portions of the distributed filesystem. During operation, a cloud controller receives from a first client a request to access a portion of the file. The cloud controller contacts the owning cloud controller for the portion of the file to request a byte-range lock for that portion of the file. The owning cloud controller returns a byte-range lock to the requesting cloud controller if no other clients of the distributed filesystem are currently locking the requested portion of the file with conflicting accesses.