Memory Access Blocking Patents (Class 711/152)
  • Patent number: 9785440
    Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.
    Type: Grant
    Filed: February 7, 2017
    Date of Patent: October 10, 2017
    Assignee: The Charles Stark Draper Laboratory, Inc.
    Inventor: Andre' DeHon
  • Patent number: 9734090
    Abstract: Resource use is recorded with a partitioned reference counter. The sum of all resource counter partitions is equivalent to the total references to a resource. When one resource counter partition reaches zero, it is possible that the resource should be destroyed. To determine if this is the case, all other partitions can be checked for a value of zero. If all the partitions are zero, the resource can be destroyed. Coarse grained partitioning and add/release on all partitions can be employed to avoid extra work associated with a local partition reaching zero. Further, destroying or deleting a resource can be accomplished in a manner that avoids a race condition.
    Type: Grant
    Filed: June 21, 2012
    Date of Patent: August 15, 2017
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
    Inventors: Fabricio D. Voznika, Haitao Wang, Jack S. Richins, Jasraj Dange
  • Patent number: 9734333
    Abstract: Methods of detecting malicious code injected into memory of a computer system are disclosed. The memory injection detection methods may include enumerating memory regions of an address space in memory of computer system to create memory region address information. The memory region address information may be compared to loaded module address information to facilitate detection of malicious code memory injection.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: August 15, 2017
    Assignee: HEAT SOFTWARE USA INC.
    Inventor: Daniel Teal
  • Patent number: 9727370
    Abstract: A transactional execution of a set of instructions in a transaction of a program may be initiated to collect memory operand access characteristics of a set of instructions of a transaction during the transactional execution. The memory operand access characteristics may be stored upon a termination of the transactional execution of the set of instructions. The memory operand access characteristics may include an address of an accessed storage location, a count of a number of times the storage location is accessed, a purpose value indicating whether the storage location is accessed for a fetch, store, or update operation, a count of a number of times the storage location is accessed for one or more of a fetch, store, or update operation; a translation mode in which the storage location is accessed; and an addressing mode.
    Type: Grant
    Filed: August 23, 2016
    Date of Patent: August 8, 2017
    Assignee: International Business Machines Corporation
    Inventors: Dan F. Greiner, Michael Karl Gschwind, Valentina Salapura, Timothy J. Slegel
  • Patent number: 9715463
    Abstract: A code protection scheme for controlling access to a memory region in an integrated circuit includes a processor with an instruction pipeline that includes multiple processing stages. A first processing stage receives one or more instructions. A second processing stage receives address information identifying a protected memory region of the memory from the first processing stage and protection information for an identified protected memory region. The protection information indicates a protection state assigned to each protected memory region. Based on the instruction type of the received instruction and the protection information associated with a particular protected memory region, the second processing stage determines whether to enable or disable access to the particular protected memory region by the processor or other external host.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: July 25, 2017
    Assignee: Synopsys, Inc.
    Inventors: Pranab Bhooma, Carlos Basto, Kulbhushan Kalra
  • Patent number: 9710622
    Abstract: Instructions and logic fork processes and establish child enclaves in a secure enclave page cache (EPC). Instructions specify addresses for secure storage allocated to enclaves of a parent and a child process to store secure enclave control structure (SECS) data, application data, code, etc. The processor includes an EPC to store enclave data of the parent and child processes. Embodiments of the parent may execute, or a system may execute an instruction to copy parent SECS to secure storage for the child, initialize a unique child ID and link to the parent's SECS/ID. Embodiments of the child may execute, or the system may execute an instruction to copy pages from the parent enclave to the enclave of the child where both have the same key, set an entry for EPC mapping to partial completion, and record a page state in the child enclave, if interrupted. Thus copying can be resumed.
    Type: Grant
    Filed: February 23, 2015
    Date of Patent: July 18, 2017
    Assignee: Intel Corporation
    Inventors: Prashant Pandey, Mona Vij, Somnath Chakrabarti, Krystof C. Zmudzinski
  • Patent number: 9705879
    Abstract: A computing device, or a security component of a computing device, implements delayed attestation by initially providing first credentials to a remote access device to establish a first level of trust. The first credentials may be provided before or while the computing device or the security component is obtaining security information from a remote security device. The security information is used to generate second credentials that are subsequently provided to the remote access device to establish a second level of trust. The first credentials may comprise an encryption key that can be generated by the security component without having to retrieve information via a network, and the second credentials may comprise an attestation statement that is more trustworthy than the encryption key and that is generated based on a certificate retrieved from a remote security device (e.g., a certificate authority server).
    Type: Grant
    Filed: February 24, 2015
    Date of Patent: July 11, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Anoosh Saboori, Victor W. Heller, Xiaohong Su, Dayi Zhou, Kinshuman Kinshumann, James Hugh Morgan, Stefan Thom
  • Patent number: 9705912
    Abstract: A device for processing a virus file, including a memory, and a processor in communication with the memory, the memory stores a virus file information providing instruction, a cleaning instruction, an isolating instruction and a transferring instruction, which are executable by the processor; the virus file information providing instruction indicates to provide virus file information; the cleaning instruction indicates to clean a virus file in a User Equipment (UE) corresponding to the virus file information, based on the virus file information; the isolating instruction indicates to provide isolation space, and utilize the isolation space to isolate the virus file, and the transferring instruction indicates to transfer the virus file, which is cleaned based on the cleaning instruction, to the isolation space.
    Type: Grant
    Filed: April 23, 2015
    Date of Patent: July 11, 2017
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Linfeng Li, Ling Guo
  • Patent number: 9692908
    Abstract: A system and method for processing a plurality of channels, for example audio channels, in parallel is provided. For example, a plurality of telephony channels are processed in order to detect and respond to call progress tones. The channels may be processed according to a common transform algorithm. Advantageously, a massively parallel architecture is employed, in which operations on many channels are synchronized, to achieve a high efficiency parallel processing environment. The parallel processor may be situated on a data bus, separate from a main general purpose processor, or integrated with the processor in a common board or integrated device. All, or a portion of a speech processing algorithm may also be performed in a massively parallel manner.
    Type: Grant
    Filed: June 19, 2015
    Date of Patent: June 27, 2017
    Inventor: Wai Wu
  • Patent number: 9672164
    Abstract: Embodiments include processing systems that determine, based on an instruction address range indicator stored in a first register, whether a next instruction fetch address corresponds to a location within a first memory region associated with a current privilege state or within a second memory region associated with a different privilege state. When the next instruction fetch address is not within the first memory region, the next instruction is allowed to be fetched only when a transition to the different privilege state is legal. In a further embodiment, when a data access address is generated for an instruction, a determination is made, based on a data address range indicator stored in a second register, whether access to a memory location corresponding to the data access address is allowed. The access is allowed when the current privilege state is a privilege state in which access to the memory location is allowed.
    Type: Grant
    Filed: May 31, 2012
    Date of Patent: June 6, 2017
    Assignee: NXP USA, INC.
    Inventors: Daniel M. McCarthy, Joseph C. Circello, Kristen A. Hausman
  • Patent number: 9667723
    Abstract: An architecture provides capabilities to transport and process Internet Protocol (IP) packets from Layer 2 through transport protocol layer and may also provide packet inspection through Layer 7. A set of engines may perform pass-through packet classification, policy processing and/or security processing enabling packet streaming through the architecture at nearly the full line rate. A scheduler schedules packets to packet processors for processing. An internal memory or local session database cache stores a session information database for a certain number of active sessions. The session information that is not in the internal memory is stored and retrieved to/from an additional memory. An application running on an initiator or target can in certain instantiations register a region of memory, which is made available to its peer(s) for access directly without substantial host intervention through RDMA data transfer.
    Type: Grant
    Filed: March 2, 2015
    Date of Patent: May 30, 2017
    Inventor: Ashish A. Pandya
  • Patent number: 9652169
    Abstract: A method includes the following steps. Runtime statistics related to data transaction processing in a concurrent system are collected. A given request to access shared data in the concurrent system is received. Based on the collected runtime statistics, the number of reattempts the given request can make to access the shared data prior to access control being switched from a hardware transactional memory to a locking mechanism is adaptively determined.
    Type: Grant
    Filed: July 9, 2015
    Date of Patent: May 16, 2017
    Assignee: International Business Machines Corporation
    Inventors: Bishwaranjan Bhattacharjee, Mustafa Canim, Yuan-Chi Chang, Mohammad Sadoghi Hamedani, Bassem Makni, Kenneth Andrew Ross
  • Patent number: 9652168
    Abstract: A method includes the following steps. Runtime statistics related to data transaction processing in a concurrent system are collected. A given request to access shared data in the concurrent system is received. Based on the collected runtime statistics, the number of reattempts the given request can make to access the shared data prior to access control being switched from a hardware transactional memory to a locking mechanism is adaptively determined.
    Type: Grant
    Filed: April 10, 2015
    Date of Patent: May 16, 2017
    Assignee: International Business Machines Corporation
    Inventors: Bishwaranjan Bhattacharjee, Mustafa Canim, Yuan-Chi Chang, Mohammad Sadoghi Hamedani, Bassem Makni, Kenneth Andrew Ross
  • Patent number: 9641493
    Abstract: An approach is provided for protecting data owned by an operating system on a mobile computing device having multiple operating systems. A map specifying protected data regions for the operating systems is generated. The map is secured with a shared key retrieved from a data structure. Based on the shared key, a tuple specifying the data region is retrieved from the data structure. Based on the map, the shared key, and the tuple, and responsive to a data cleanup activity being performed by a software utility being executed on another, currently running operating system included in the multiple operating systems, a data region included in the protected data regions is determined to be owned by the operating system. Based on the data region being owned by the operating system and specified by the map, the data cleanup activity is blocked from being performed on the data region.
    Type: Grant
    Filed: May 13, 2016
    Date of Patent: May 2, 2017
    Assignee: International Business Machines Corporation
    Inventors: Blaine H. Dolph, Miku K. Jha, Sandeep R. Patil, Riyazahamad M. Shiraguppi, Gandhi Sivakumar
  • Patent number: 9632819
    Abstract: A transactional execution of a set of instructions in a transaction of a program may be initiated to collect memory operand access characteristics of a set of instructions of a transaction during the transactional execution. The memory operand access characteristics may be stored upon a termination of the transactional execution of the set of instructions. The memory operand access characteristics may include an address of an accessed storage location, a count of a number of times the storage location is accessed, a purpose value indicating whether the storage location is accessed for a fetch, store, or update operation, a count of a number of times the storage location is accessed for one or more of a fetch, store, or update operation; a translation mode in which the storage location is accessed; and an addressing mode.
    Type: Grant
    Filed: August 20, 2015
    Date of Patent: April 25, 2017
    Assignee: International Business Machines Corporation
    Inventors: Dan F. Greiner, Michael Karl Gschwind, Valentina Salapura, Timothy J. Slegel
  • Patent number: 9632569
    Abstract: Multi-processor computing device methods manage resource accesses by a signaling event manager signaling processor elements requesting access to a resource to wake up to access the resource when the resource is available or wait for an event when the resource is busy. Processor elements may enter a sleep state while awaiting access to the requested resource. When multiple elements are waiting for the resource, the processor element with a highest assigned priority is signaled to wake up when the resource is available without waking other elements. Priorities may be assigned to processor elements waiting for the resource based on a heuristic or parameter that may depend on a state of the computing device or the processor elements. A sleep duration may be estimated for a processor element waiting for a resource and the processor element may be removed from a scheduling queue or assigned another thread during the sleep duration.
    Type: Grant
    Filed: August 5, 2014
    Date of Patent: April 25, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Dario Suarez Gracia, Han Zhao, Pablo Montesinos Ortego, Gheorghe Calin Cascaval, James Xenidis
  • Patent number: 9627081
    Abstract: Upon initialization or startup of an electronic device, the device checks a predetermined section of non-volatile memory, referred to as the signature byte or lock byte, and allows either the manufacturing mode which allows for installation of the final or production version of firmware to be loaded into non-volatile memory, or the production mode which write-protects certain portions of non-volatile memory before giving operating control of the electronic device to another program, for example, an operating system. By only allowing execution of operating system or other executable code after write-protecting certain portions of non-volatile memory, system security, integrity, and robustness are substantially increased.
    Type: Grant
    Filed: October 5, 2007
    Date of Patent: April 18, 2017
    Assignee: KINGLITE HOLDINGS INC.
    Inventor: Timothy Andrew Lewis
  • Patent number: 9620182
    Abstract: In a memory system where multiple memory chips communicate their ready/busy status on a shared bus line, a pulse mechanism is used for the individual memory chips to indicate their ready/busy status to the controller. In one example, the controller assigns pulse durations of differing lengths to the memory dies to allow the controller to distinguish between them. Techniques for dealing with bus collisions between the pulses of different chips are also described.
    Type: Grant
    Filed: December 31, 2013
    Date of Patent: April 11, 2017
    Assignee: SANDISK TECHNOLOGIES LLC
    Inventors: Daniel Tuers, Abhijeet Manohar, Yoav Weinberg, Milton Lourenco Barrocas
  • Patent number: 9602187
    Abstract: An automated aircraft flight data and delivery management system and method operates in a normal state and a demand state. The demand state may be self-initiated or manually-initiated, and may be triggered during situations which include but are not limited to situations when the aircraft is in a potential or confirmed emergency situation. Data transmission increases in intensity when the system is in a demand state.
    Type: Grant
    Filed: August 11, 2010
    Date of Patent: March 21, 2017
    Assignee: Flyht Aerospace Solutions Ltd.
    Inventors: Kent Jacobs, Murat Sumer, Matthew Bradley, Richard Hayden, Alana MacKinnon, Zeynin Juma
  • Patent number: 9583141
    Abstract: A classification method and system for possible content alteration of a media work may include criteria regarding content that is feasible for alteration. Such criteria may be maintained in records that are accessible to an interested party. Some embodiments may include a record of primary authorization rights applicable to a possible content alteration. A further embodiment feature may include a record of secondary authorization rights applicable to substitute altered content incorporated in a derivative version. Various exemplary techniques may be used to provide audio and/or visual substitution options in a derivative version of the media work in accordance with applicable alteration guidelines.
    Type: Grant
    Filed: May 28, 2008
    Date of Patent: February 28, 2017
    Assignee: Invention Science Fund I, LLC
    Inventors: Alexander J. Cohen, Edward K. Y. Jung, Royce A. Levien, Robert W. Lord, Mark A. Malamud, William H. Mangione-Smith, John D. Rinaldo, Jr., Clarence T. Tegreene
  • Patent number: 9582340
    Abstract: A system and a method are disclosed for managing file locks, including initiating, by a processing device executing a kernel, executions of a number of active tasks that each has acquired a respective lock to a record, and in response to release of a first lock to the record by an active task, waking up a previously-designated worker task out of a number of idle tasks, in which the worker task is to attempt an acquisition of a second lock on behalf of at least one remaining task of the idle tasks.
    Type: Grant
    Filed: January 9, 2014
    Date of Patent: February 28, 2017
    Assignee: Red Hat, Inc.
    Inventors: Jeffrey Layton, James Bruce Fields
  • Patent number: 9578019
    Abstract: A method and system for managing an embedded secure element (50) accessible as a slave of the resident applications (App1-3) of a host device of the eSE. The eSE includes an issuer security domain (51), ISD, with which cryptographic keys are associated. The method includes, in an application agent embedded in an OS of the host device: sending (420) the ISD a random value; receiving (435) a cryptogram corresponding to the random value encrypted using a key associated with the ISD; sending (440, 450) the random value and the cryptogram to a first external entity entered in the application agent. The method includes: sending (455, 4555) the random value and the cryptogram from the first entity to a second external entity; verifying (4556) that the second entity possesses keys associated with the ISD from the cryptogram and the random value.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: February 21, 2017
    Assignee: OBERTHUR TECHNOLOGIES
    Inventors: Arnaud Danree, Guillaume Larignon
  • Patent number: 9560134
    Abstract: Systems and methods are described herein that provide storage array side write locking. In embodiments, data is on storage arrays that are shared by a plurality of clients, and the storage array prevents write contentions on the shared data by employing a storage array side write locking strategy that uses a write lock table to determine whether requested data is currently being serviced by one of the plurality of clients. For example, upon receiving a request for data, the storage array checks a lock table to determine whether any of the requested data is currently write locked (which indicates current use of the data). If the grains are not write locked, then the data request may be allowed. If the grains are write locked, then the data request may be denied. In embodiments, the storage array takes steps to determine whether write locks have become stale and should be removed.
    Type: Grant
    Filed: June 27, 2012
    Date of Patent: January 31, 2017
    Assignee: NETAPP, INC.
    Inventor: Hubbert Smith
  • Patent number: 9529839
    Abstract: A technique for applying hardware transaction memory to an arbitrarily large data structure is disclosed. A data updater traverses the data structure to locate an update point using a lockless synchronization technique that synchronizes the data updater with other updaters that may be concurrently updating the data structure. At the update point, the updater performs an update on the data structure using a hardware transactional memory transaction that operates at the update point.
    Type: Grant
    Filed: December 7, 2009
    Date of Patent: December 27, 2016
    Assignee: International Business Machines Corporation
    Inventors: Paul E. McKenney, Maged M. Michael
  • Patent number: 9524196
    Abstract: In a Hardware Lock Elision (HLE) Environment, predictively determining whether a HLE transaction should actually acquire a lock and execute non-transactionally, is provided. Included is, based on encountering an HLE lock-acquire instruction, determining, based on an HLE predictor, whether to elide the lock and proceed as an HLE transaction or to acquire the lock and proceed as a non-transaction; based on the HLE predictor predicting to elide, setting the address of the lock as a read-set of the transaction, and suppressing any write by the lock-acquire instruction to the lock and proceeding in HLE transactional execution mode until an xrelease instruction is encountered wherein the xrelease instruction releases the lock or the HLE transaction encounters a transactional conflict; and based on the HLE predictor predicting not-to-elide, treating the HLE lock-acquire instruction as a non-HLE lock-acquire instruction, and proceeding in non-transactional mode.
    Type: Grant
    Filed: August 25, 2015
    Date of Patent: December 20, 2016
    Assignee: International Business Machines Corporation
    Inventors: Michael Karl Gschwind, Maged M. Michael, Valentina Salapura, Chung-Lung K. Shum
  • Patent number: 9524195
    Abstract: In a Hardware Lock Elision (HLE) Environment, predictively determining whether a HLE transaction should actually acquire a lock and execute non-transactionally, is provided. Included is, based on encountering an HLE lock-acquire instruction, determining, based on an HLE predictor, whether to elide the lock and proceed as an HLE transaction or to acquire the lock and proceed as a non-transaction; based on the HLE predictor predicting to elide, setting the address of the lock as a read-set of the transaction, and suppressing any write by the lock-acquire instruction to the lock and proceeding in HLE transactional execution mode until an xrelease instruction is encountered wherein the xrelease instruction releases the lock or the HLE transaction encounters a transactional conflict; and based on the HLE predictor predicting not-to-elide, treating the HLE lock-acquire instruction as a non-HLE lock-acquire instruction, and proceeding in non-transactional mode.
    Type: Grant
    Filed: February 27, 2014
    Date of Patent: December 20, 2016
    Assignee: International Business Machines Corporation
    Inventors: Michael Karl Gschwind, Maged M. Michael, Valentina Salapura, Chung-Lung K. Shum
  • Patent number: 9514049
    Abstract: In response to a transactional store request, the higher level cache transmits, to the lower level cache, a backup copy of an unaltered target cache line in response to a target real address hitting in the higher level cache, updates the target cache line with store data to obtain an updated target cache line, and records the target real address as belonging to a transaction footprint of the memory transaction. In response to a conflicting access to the transaction footprint prior to completion of the memory transaction, the higher level cache signals failure of the memory transaction to the processor core, invalidates the updated target cache line in the higher level cache, and causes the backup copy of the target cache line in the lower level cache to be restored as a current version of the target cache line.
    Type: Grant
    Filed: October 24, 2014
    Date of Patent: December 6, 2016
    Assignee: International Business Machines Corporation
    Inventors: Guy L. Guthrie, Hien M. Le, William J. Starke, Derek E. Williams, Phillip G. Williams
  • Patent number: 9501332
    Abstract: An apparatus includes a first core processor, a second core processor, and a lock register coupled to the first core processor and to the second core processor. The apparatus further includes a shared structure responsive to the first core processor and to the second core processor. The shared structure is responsive to an unlock instruction issued by either the first core processor or the second core processor to send a signal to the lock register to reset a lock indication in the lock register.
    Type: Grant
    Filed: December 20, 2012
    Date of Patent: November 22, 2016
    Assignee: QUALCOMM Incorporated
    Inventors: Dana M. Vantrease, Christopher E. Koob, Erich J. Plondke
  • Patent number: 9501411
    Abstract: In response to a transactional store request, the higher level cache transmits, to the lower level cache, a backup copy of an unaltered target cache line in response to a target real address hitting in the higher level cache, updates the target cache line with store data to obtain an updated target cache line, and records the target real address as belonging to a transaction footprint of the memory transaction. In response to a conflicting access to the transaction footprint prior to completion of the memory transaction, the higher level cache signals failure of the memory transaction to the processor core, invalidates the updated target cache line in the higher level cache, and causes the backup copy of the target cache line in the lower level cache to be restored as a current version of the target cache line.
    Type: Grant
    Filed: August 29, 2014
    Date of Patent: November 22, 2016
    Assignee: International Business Machines Corporation
    Inventors: Guy L. Guthrie, Hien M. Le, William J. Starke, Derek E. Williams, Phillip G. Williams
  • Patent number: 9497028
    Abstract: The present invention relates to remote storage auditing. In another embodiment, a remote storage auditing system may include a first remote storage manager configured to be a data owner, a second remote storage manager configured to be a storage donor, and a remote storage auditor. The first remote storage manager sends a data block and a signed fingerprint for the data block to the second remote storage manager. The second remote storage manager verifies that the signed fingerprint is associated with the data block and stores the data block and signed fingerprint. The second remote storage manager calculates a fingerprint for a sub-block of the data block, and sends the fingerprint for the sub-block and signed fingerprint to the remote storage auditor. The remote storage auditor audits a sub-block of the data block and verifies the fingerprint for the sub-block and signed fingerprint.
    Type: Grant
    Filed: May 3, 2007
    Date of Patent: November 15, 2016
    Assignee: Google Inc.
    Inventor: Harlan Yu
  • Patent number: 9483201
    Abstract: A data storage system according to certain aspects manages and administers the sharing of storage resources among clients in the shared storage pool. The shared storage pool according to certain aspects can provide readily available remote storage to clients in the pool. A share list for each client may be used to determine where data is stored within the storage pool. The share list may include clients that are known to each client, and therefore, a user may feel more at ease storing the data on the clients in the storage pool. Management and administration of the storage pool and backup and restore jobs can be performed by an entity other than the client, making backup and restore more streamlined and simple for the clients in the pool.
    Type: Grant
    Filed: March 6, 2013
    Date of Patent: November 1, 2016
    Assignee: CommVault Systems, Inc.
    Inventor: Sanjay Harakhchand Kripalani
  • Patent number: 9465753
    Abstract: A memory management and protection system that manages memory access requests from a number of requestors. Memory accesses are allowed or disallowed based on the privilege level of the master, usually a CPU originating the request based on a Privilege Identifier that accompanies each memory access request. Deputy masters such as DMA controllers inherit the Privilege Identifier of the originating master. An extended memory controller selects the appropriate set of segment registers based on the Privilege Identifier to ensure that the request is compared to and translated by the segment register associated with the master originating the request.
    Type: Grant
    Filed: July 13, 2015
    Date of Patent: October 11, 2016
    Assignee: TEXAS INSTRUMENTS INCORPORATED
    Inventors: Joseph Raymond Michael Zbiciak, Amitabh Menon
  • Patent number: 9465700
    Abstract: A system and method in one embodiment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page in a guest operating system in a hypervisor environment, generating a page fault when an access attempt is made to a guest kernel page, fixing the page fault to allow access and execution if the guest kernel page corresponds to one of the entries in the soft whitelist, and denying execution if the guest kernel page does not correspond to any of the entries in the soft whitelist. If the page fault is an instruction page fault, and the guest kernel page corresponds to one of the entries in the soft whitelist, the method includes marking the guest kernel page as read-only and executable. The soft whitelist includes a hash of machine page frame numbers corresponding to virtual addresses of each guest kernel page.
    Type: Grant
    Filed: February 24, 2015
    Date of Patent: October 11, 2016
    Assignee: McAfee, Inc.
    Inventors: Amit Dang, Preet Mohinder, Vivek Srivastava
  • Patent number: 9460414
    Abstract: A computer-enabled system, method, and medium is provided to support analyzing intellectual property documents by linking and annotating patents, copyrights, trademarks, license agreements, and other types of intellectual property documents. The invention is suitable for use by intellectual property professionals in memorializing their thought processes, work products, and reasoning, whether in preliminary or final form, and is flexible to support development and use of a rich linked set representing complex relationships in an intellectual property portfolio. Optionally, marked up, linked documents are divided into data streams, one of the data streams containing the original document for mark-up, and one other data stream containing the annotation data. The marked-up document may be further revised and/or annotated, even by multiple users. The system provides that the same document such as a patent may be centrally stored but independently marked-up by different users (or groups of users).
    Type: Grant
    Filed: October 27, 2003
    Date of Patent: October 4, 2016
    Inventors: Eugene M. Lee, Dietmar C. May
  • Patent number: 9459910
    Abstract: A method for controlling a layered device driver is discussed. The device driver includes three components divided between user space and kernel space. A control process operating in user space may be used to initiate device driver processes and control a shared memory space.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: October 4, 2016
    Assignee: EMC Corporation
    Inventors: Marshall L. Merrill, Tim C. Mantooth
  • Patent number: 9454560
    Abstract: An optimistic, latch-free index traversal (“OLFIT”) concurrency control scheme is disclosed for an index structure for managing a database system. In each node of an index tree, the OLFIT scheme maintains a latch, a version number, and a link to the next node at the same level of the index tree. Index traversal involves consistent node read operations starting from the root. To ensure the consistency of node read operations without latching, every node update operation first obtains a latch and increments the version number after update of the node contents. Every node read operation begins with reading the version number into a register and ends with verifying if the current version number is consistent with the register-stored version number. If they are the same, the read operation is consistent. Otherwise, the node read is retried until the verification succeeds. The concurrency control scheme of the present invention is applicable to many index structures such as the B+-tree and the CSB+-tree.
    Type: Grant
    Filed: November 5, 2007
    Date of Patent: September 27, 2016
    Assignee: SAP SE
    Inventors: Sang K. Cha, Sangyong Hwang, Kihong Kim, Keunjoo Kwon
  • Patent number: 9448867
    Abstract: A method is described that includes detecting that a memory access of system management mode program code is attempting to reach program code outside of a protected region of memory by comparing a target memory address of a memory access instruction of the system management program code against information that defines confines of the protection region. The method also includes raising an error signal in response to the detecting.
    Type: Grant
    Filed: December 31, 2011
    Date of Patent: September 20, 2016
    Assignee: Intel Corporation
    Inventors: Shamanna M. Datta, Rajesh S. Parathasarathy, Mahesh S. Natu, Frank Binns, Mohan J. Kumar
  • Patent number: 9442836
    Abstract: An arithmetic processing device having an allocation unit configured to reserve a memory allocation area in a memory and register address range information indicating an address range of the memory allocation area in an address range table, in response to an execution of a memory area allocation function requesting memory area allocation, and a determination unit configured to refer to the address range table and perform determination processing as to whether or not an access destination address of a memory access instruction is within an address range indicated by the address range information registered in the address range table, in response to an execution of the memory access instruction relating to the memory allocation area.
    Type: Grant
    Filed: August 21, 2014
    Date of Patent: September 13, 2016
    Assignee: FUJITSU LIMITED
    Inventors: Shuji Yamamura, Masaharu Maruyama, Toshio Yoshida, Ryuji Kan, Naohiro Kiyota, Mikio Hondo, Tsuyoshi Motokurumada
  • Patent number: 9378477
    Abstract: An apparatus for assessing and controlling the quality of a project in a production environment is provided. The apparatus comprises a memory, a processor, and a module stored in memory, executable by the processor, and configured to: receive a deliverable; process the deliverable, wherein processing the deliverable comprises assigning a quality score to the deliverable; compare the quality score value to a threshold value; and determine if the deliverable requires an action in response to comparing the quality score to the threshold value.
    Type: Grant
    Filed: July 17, 2013
    Date of Patent: June 28, 2016
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Jeannette M. Ross, Shilpi Choudhari, Priyanka Kapoor, Tomy Victor Pathrose, Antonio J. Kinney
  • Patent number: 9380109
    Abstract: A method, device and system for resource synchronization control are provided in accordance with the present disclosure. The disclosure relates to a field of information synchronization control. The method for resource synchronization control includes: inquiring, by a first terminal, from a server whether an address of the first terminal in a first terminal list is in a cleared state, the first terminal list has recorded an address of the first terminal; acquiring, by the first terminal, a resource file from a second terminal, if the address of the first terminal is in the cleared state; and notifying, by the first terminal, the server to cancel the cleared state of the address of the first terminal in the first terminal list, after acquiring the resource file.
    Type: Grant
    Filed: August 12, 2013
    Date of Patent: June 28, 2016
    Assignee: Tencent Technology (Beijing) Company Limited
    Inventors: Wukui Shen, Ang Xu, Wei Xu, Wenying Xu, Xing Li, Guoyong Zhang
  • Patent number: 9354977
    Abstract: A system includes a multi-process application that runs. A multi-process application runs on primary hosts and is checkpointed by a checkpointer comprised of at least one of a kernel-mode checkpointer module and one or more user-space interceptors providing at least one of barrier synchronization, checkpointing thread, resource flushing, and an application virtualization space. Checkpoints may be written to storage and the application restored from said stored checkpoint at a later time. Checkpointing may be incremental using Page Table Entry (PTE) pages and Virtual Memory Areas (VMA) information. Checkpointing is transparent to the application and requires no modification to the application, operating system, networking stack or libraries. In an alternate embodiment the kernel-mode checkpointer is built into the kernel.
    Type: Grant
    Filed: May 30, 2014
    Date of Patent: May 31, 2016
    Assignee: Open Invention Network LLC
    Inventors: Keith Richard Backensto, Allan Havemose
  • Patent number: 9335942
    Abstract: Methods and structure for masking of logical unit numbers (LUNs) within a switching device coupled with one or more storage enclosures. Each storage enclosure defines one or more logical volumes each identified by a LUN within the storage enclosures. The switching device gathers LUN definition information regarding each LUN defined by each storage enclosure coupled with the switching device. LUN access permission information may be provided by an administrative node/user defining a level of access permitted or denied for each host system for each LUN for each storage enclosure. The switching device then intercepts a REPORT LUNS command from any host directed to a storage enclosure and responds with only those LUNs to which the requesting host system has permitted access. Further, any other SCSI command intercepted at the switching device directed to a LUN to which the host system does not have access is modified to identify an invalid LUN.
    Type: Grant
    Filed: April 18, 2012
    Date of Patent: May 10, 2016
    Assignee: Avago Technologies General IP (Technologies) Pte. Ltd.
    Inventors: Umang Kumar, Nishant Kumar Yadav, Abhijit Suhas Aphale
  • Patent number: 9331868
    Abstract: To reduce performance losses and costs associated with serializing parallel communications when communicating with other computing devices over a local area network (“LAN”) or a wide area network (“WAN”), bus virtualization is provided to maintain parallelization for inter machine communications over a network. Control lines and data lines associated with a parallel bus communication can be received by a network adapter, and instead of serializing the communications, the network adapter can map each of the control and data lines to respective virtual local area networks (“VLAN”). Multiple VLANs can exist together on a LAN or WAN while logically segmented, allowing the respective VLANs to facilitate communications for the control and data lines over the network.
    Type: Grant
    Filed: October 15, 2013
    Date of Patent: May 3, 2016
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventor: James A. Gardner
  • Patent number: 9323932
    Abstract: Embodiments include methods, systems, and computer storage devices directed to identifying that a trusted boot mode (TBM) control bit is set in an input/output memory management unit (IOMMU) and configuring the IOMMU to block a DMA request received by the IOMMU from a peripheral in response to the identifying.
    Type: Grant
    Filed: December 19, 2012
    Date of Patent: April 26, 2016
    Assignee: Advanced Micro Devices, Inc.
    Inventor: Andrew G. Kegel
  • Patent number: 9305004
    Abstract: A unique file-system node identification (ID) is created for each newly created node in a file system repository by combining a grid identification (ID), a repository identification (ID), and a node identification (ID) to form the unique file-system node ID. The unique file-system node ID is associated with a unique association identification (ID) for creating an association for linking the node from a source repository to a target repository when performing a replication operation between a repository and another repository. The different replication instances of the node in the file system repository are distinguished by the unique association ID assigned to each of the replication instances.
    Type: Grant
    Filed: June 5, 2012
    Date of Patent: April 5, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Yariv Bachar, Aviv Caro, Asaf Levy, Oded Sonin
  • Patent number: 9305183
    Abstract: A processor capable of secure execution. The processor contains an execution unit and secure partition logic that secures a partition in memory. The processor also contains cryptographic logic coupled to the execution unit that encrypts and decrypts secure data and code.
    Type: Grant
    Filed: December 24, 2014
    Date of Patent: April 5, 2016
    Assignee: Intel Corporation
    Inventor: Millind Mittal
  • Patent number: 9300638
    Abstract: A translator is provided for translating predetermined portions of packet header information including an address of a data packet according to a cipher algorithm keyed by a cipher key derived by a key exchanger. A mapping device is also provided for mapping the address to a host table stored in memory. If the address does not match an entry in the host table, a security device is triggered.
    Type: Grant
    Filed: June 6, 2013
    Date of Patent: March 29, 2016
    Assignees: Verizon Patent and Licensing Inc., Raytheon BBN Technologies Corp.
    Inventors: Russell Andrew Fink, Matthew Aloysius Brannigan, Shelby Alana Evans, Aswin Morgan Almeida
  • Patent number: 9286394
    Abstract: An apparatus for assessing and controlling the quality of a project in a production environment is provided. The apparatus is configured to: receive a first score, wherein the first score comprises a first numerical value associated with a first level of quality, wherein the first level of quality is associated with a first deliverable; receive a second score, wherein the second score comprises a second numerical value associated with a second level of quality, wherein the second level of quality is associated with the first deliverable; and process the first score and the second score to generate a third score.
    Type: Grant
    Filed: July 17, 2013
    Date of Patent: March 15, 2016
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Jeannette M. Ross, Shilpi Choudhari, Priyanka Kapoor, Tomy Victor Pathrose, Antonio J. Kinney
  • Patent number: 9286244
    Abstract: A method and a device for monitoring an unauthorized memory access to a predetermined memory area in a computing device are described, in which a monitoring medium is provided, having at least one sensor medium, which is set up for the purpose of recognizing an event of the computing device, and at least one recognition medium, which is set up for the purpose of tracking the behavior of the event recognized by the sensor medium, the monitoring medium being integrated into a sequence pattern on the computing device, and the monitoring medium being set up for the purpose of monitoring the sequence pattern at its runtime, in that memory accesses to a memory address or an address range are detected by the monitoring medium as events.
    Type: Grant
    Filed: December 20, 2007
    Date of Patent: March 15, 2016
    Assignee: Bayerische Motoren Werke Aktiengesellschaft
    Inventors: Thomas Stauner, Astrid Schroeder, Martin E. Thiede
  • Patent number: 9274817
    Abstract: Techniques for delivering and measuring storage quality-of-service to virtual machines in a distributed virtual infrastructure. In one example, a method comprises the following steps. A controller obtains quality-of-service data from at least a portion of components of a distributed virtual infrastructure, wherein the components of the distributed virtual infrastructure comprise one or more storage units, one or more processing units, and one or more switches operatively coupled to form the distributed virtual infrastructure. The controller manages at least one input/output request throughout a path defined by at least one of the one or more processing units, at least one of the one or more switches, and at least one of the one or more storage units, based on at least a portion of the collected quality-of-service data.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: March 1, 2016
    Assignee: EMC Corporation
    Inventors: Chenhui Fan, Ziye Yang, Lintao Wan, Xi Chen, David Black