Abstract: A method for controlling access to data storage based on application rights dictating usage ability of a user includes: receiving, by a first application of a computing device, a data access request from a second application of the computing device, the data access request including a user identifier, namespace identifier, application identifier associated with the second application, and data command; verifying data access authorization for a user of the second application and for the second application program based on a first permission stored in an application-application rights table associated with the user identifier, application identifier, the data command; verifying data access authorization for the first application based on a second permission stored in an application-storage rights table associated with the namespace identifier and data command; executing the data command to read from or write data to a data storage interfaced with the computing device associated with the namespace identifier.

Abstract: One embodiment provides for a non-transitory machine-readable medium storing instructions to cause one or more processors to perform operations comprising receiving an instruction to dynamically allocate memory for an object of a data type and dynamically allocating memory for the object from a heap instance that is specific to the data type for the object, the heap instance including a memory allocator for the data type, the memory allocator generated at compile time for the instruction based on a specification of the data type for the heap instance.

Abstract: A memory block circuit can include a plurality of data interfaces, a switch connected to each data interface of the plurality of data interfaces, and a plurality of memory banks each coupled to the switch. Each memory bank can include a memory controller and a random access memory connected to the memory controller. The memory block circuit also includes a control interface and a management controller connected to the control interface and each memory bank of the plurality of memory banks. Each memory bank can be independently controlled by the management controller.

Abstract: Techniques are disclosed in which a secure circuit controls a gating circuit to enable or disable other circuity of a device (e.g., one or more input sensors). For example, the gating circuit may be a power gating circuit and the secure circuit may be configured to disable power to an input sensor in certain situations. As another example, the gating circuit may be a clock gating circuit and the secure circuit may be configured to disable the clock to an input sensor. As yet another example, the gating circuit may be configured to gate a control bus and the secure circuit may be configured to disable control signals to an input sensor. In some embodiments, hardware resources included in or controlled by the secure circuit are not accessible by other elements of the device, other than by sending requests to a predetermined set of memory locations (e.g., a secure mailbox).

Abstract: An SoC device has a boot-code memory that stores boot code and a boot core that accesses the boot-code memory to execute the boot code at startup. The boot core is capable of executing application code after the startup is complete. One or more master cores execute application code. An access control circuit prevents the boot core from accessing the boot-code memory when application code is being executed.

Abstract: The invention relates to a method of securing a mobile terminal (UE) able to communicate with a first telecommunication network (2G, 3G, 4G, 5G). According to the method, the terminal periodically emits a unique identifier from an unmodifiable dedicated memory of the terminal and the identifier is transmitted to a core network of the first telecommunication network via a control channel based on a second telecommunication network (LoRa, IoT) of low energy consumption type.

Abstract: Unaligned atomic memory operations on a processor using a load-store instruction set architecture (ISA) that requires aligned accesses are performed by widening the memory access to an aligned address by the next larger power of two (e.g., 4-byte access is widened to 8 bytes, and 8-byte access is widened to 16 bytes). Data processing operations supported by the load-store ISA including shift, rotate, and bitfield manipulation are utilized to modify only the bytes in the original unaligned address so that the atomic memory operations are aligned to the widened access address. The aligned atomic memory operations using the widened accesses avoid the faulting exceptions associated with unaligned access for most 4-byte and 8-byte accesses. Exception handling is performed in cases in which memory access spans a 16-byte boundary.

Abstract: Method and apparatus for handling page protection faults in combination particularly with the dynamic conversion of binary code executable by a one computing platform into binary code executed instead by another computing platform. In one exemplary aspect, a page protection fault handling unit is used to detect memory accesses, to check page protection information relevant to the detected access by examining the contents of a page descriptor store, and to selectively allow the access or pass on page protection fault information in accordance with the page protection information.

Abstract: A method includes receiving, at a server associated with a merchant, an identification token associated with a mobile device located in a service environment associated with the merchant, and receiving an address of a profile agent associated with and distinct from the mobile device. The identification token includes an opaque token generated by a source other than the mobile device. The method includes sending to the profile agent a request for a user profile associated with the mobile device, where the request includes the identification token, and receiving an opaque user profile responsive to the request. The method includes sending a personalized offer associated with the merchant to the profile agent based on the opaque user profile. The profile agent causes application of preferences and policies associated with the mobile device to the personalized offer to determine whether to forward the personalized offer to the mobile device.

Abstract: Embodiments described herein provide systems and methods to streamline the mechanism by which data users access differently regulated data through the use of one or more integrated identifiers. The integrated identifiers lessen or eliminate the need to separately maintain one set of identifiers for regulated data and another set for non-regulated data. The methods and systems may be applicable in various credit and healthcare contexts where regulations over data use are prevalent. In one or more embodiments, a data user receives a unique integrated identifier for each of the data user's current or prospective customers, and the integrated identifiers can be used to persistently identify and track the customers over time and across applications that access regulated and/or non-regulated data. In the healthcare context, a healthcare provider may utilize a patient ID as the integrated identifier. To protect privacy, the integrated identifier may not include social security numbers or birthdates.

Abstract: The present invention extends to methods, systems, and computer program products for configuring, enforcing, and monitoring separation of trusted execution environments. Firmware images consistent with configuration of multiple separate execution domains can be generated without requiring changes to existing application source code. A cryptographically signed firmware image can be loaded at a processor to form multiple separate execution domains at the processor. Communications can be secured across separate execution domains without using shared memory.

Abstract: A single architected instruction to perform multiple functions is executed. The executing includes performing a first function of the multiple functions and a second function of the multiple functions. The first function includes moving a block of data from one location to another location, and the second function includes setting one portion of a storage key using one selected key and another portion of the storage key using another selected key. The storage key is associated with the block of data and controls access to the block of data. The first function and the second function are performed as part of the single architected instruction.

Abstract: A system may include a processor and a memory, the processor having at least one cache. The cache may include a plurality of sets, each set having a plurality of cache lines. Each cache line may include several bits for storing information, including at least a “shared” bit to indicate whether the cache line is shared between different processes being executed by the processor. The example cache may also include shared cache line detection and eviction logic. During normal operation, the cache logic may monitor for a context switch (i.e., determine if the processor is switching from executing instructions for a first process to executing instructions for a second process). Upon a context switch, the cache logic may evict the shared cache lines (e.g., the cache lines with a shared bit of 1). This eviction of shared cache lines may prevent attackers utilizing such attacks from gleaning meaningful information.

Abstract: Methods, systems and computer program products provide protection domains for processes in shared address space. Multiple processes may share address space, for example, in a software isolated process running on top of a library operating system (OS). A protection domain (PD), such as a Protection Key (PKEY), may be assigned to a process to protect its allocated address spaces from access by other processes. PDs may be acquired from a host OS. A library OS may manage PDs to protect processes and/or data. A PD may be freed and reassigned to a different process or may be concurrently assigned to multiple processes, for example, when the number of processes exceeds the number of protection domains. Threads spawned by a process may inherit protection provided by a PD assigned to the process. Process PDs may be disassociated with address spaces as they are deallocated for a process or its threads.

Abstract: The present invention provides a data protection method and storage device. The data protection method includes: (A): during an initial period after the storage device is connected to a host, detecting the storage device and determining whether the storage device needs to be performed with data protection; (B): when the storage device needs to be performed with data protection in Step (A), modifying a predetermined writing destination that the host writes data to a storage unit of the storage device, to make the data from the host be written to another writing destination rather than being written to said writing destination; or writing the data from the host into a control chip or a bridge chip of an inner memory or an inner register, rather than writing the data from the host into the storage device; and (C): reporting to the host that the writing operation is completed.

Abstract: Security systems for microelectronic devices physically lock the hardware itself and serve as a first line of defense by preventing overwriting, modification, maniplation or erasure of data stored in a device's memory. Implementations of the security systems can respond to lock/unlock commands that do not require signal or software interactivity with the functionality of the protected device, and which therefore may be consistent across devices. In various embodiments, a security device passively “listens” on data lines of the protected device and, when a lock or unlock command is received (typically in conjunction with a valid authentication code), the security device physically blocks or allows passage of signals to and from the protected device.

Abstract: Filter-based request processing includes generating first data corresponding to a request. A first queue node is generated for processing the first data. The first queue node references a first buffer and a filter subroutine. The first buffer references the first data and a completion handler for performing completion tasks associated with the filter subroutine. The first queue node is executed. The executing includes processing the first data using the filter subroutine to generate a second buffer referencing second data. A second queue node is generated that includes the completion handler. The second queue node is executed. The executing includes processing the completion handler to perform the completion tasks. A response is transmitted corresponding to the request. The response includes the second data referenced by the second buffer.

Abstract: An integrated circuit includes a first communication interface for communicatively coupling the integrated circuit with a coherent data processing system, a second communication interface for communicatively coupling the integrated circuit with an accelerator unit including an accelerator functional unit and an effective address-based accelerator cache for buffering copies of data from the system memory of the coherent data processing system, and a real address-based directory inclusive of contents of the accelerator cache. The real address-based directory assigns entries based on real addresses utilized to identify storage locations in the system memory.

Abstract: In some examples, a non-transitory machine readable medium storing instructions executable by a processor to store display information in a private memory hidden from an operating system (OS), and divisibly virtualize a contiguous planar display into a first area as a main display and a second area as a second display separate from the main display, where the continuous planar display is divisibly virtualized responsive to exposure of the display information to the OS or the display information being directly provided to a graphics processing unit (GPU).

Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for managing cryptographic keys based on user identity information. One of the methods includes receiving biometric information associated with a user and a request to store a user key pair to a memory on an identity cryptographic chip (ICC); comparing the biometric information associated with the user with biometric information pre-stored in the memory as pre-stored biometric information; in response to determining that the biometric information associated with the user matches the pre-stored biometric information, encrypting the user key pair to provide an encrypted user key pair; and storing the encrypted user key pair to the memory.

Abstract: An approach is provided for collecting data files from target devices. A data collection manager implemented in a mobile device generates a collector based, at least in part, on collection definition data. The collector is configured to perform a data search on a target device. The data collection manager causes to transmit the collector to a network server for storing the collector in the network server, and causes to transmit a notification to the network server to notify a custodian of the target device that the collector is to be downloaded from the network server to the target device for execution. Executing the collector causes the collector to selectively determine one or more data files that have certain characteristics and that are hosted on the target device, collect the one or more data files from the target device, and store the one or more data files in the network server.

Abstract: Locally providing cloud storage array services for a plurality of storage systems within a data center by receiving a request from an operating system level virtualization service; and determining, among the plurality of storage systems, an implementation of the request from the operating system level virtualization service, among the plurality of storage systems.

Abstract: A delivery management system includes: an authentication unit that authenticates a user; a storage unit that stores identification information on an article stored in a storage area that is a target article associated with the user; and a control unit that, when an article carried out by the authenticated user from the storage area is the same as the target article, permits the user to exit the storage area.

Abstract: One embodiment of the present invention is a method including: (a) representing virtual primary disk data and state data of a virtual machine in a unit of storage; (b) exposing the virtual primary disk data of the virtual machine to a guest of the virtual machine to allow the guest to access the virtual primary disk data; and (c) preventing the guest from accessing the state data for the virtual machine.

Abstract: Disclosed are a method and system for managing multi-threaded concurrent access to a cache data structure. The cache data structure includes a hash table and three queues. The hash table includes a list of elements for each hash bucket with each hash bucket containing a mutex object and elements in each of the queues containing lock objects. Multiple threads can each lock a different hash bucket to have access to the list, and multiple threads can each lock a different element in the queues. The locks permit highly concurrent access to the cache data structure without conflict. Also, atomic operations are used to obtain pointers to elements in the queues so that a thread can safely advance each pointer. Race conditions that are encountered with locking an element in the queues or entering an element into the hash table are detected, and the operation encountering the race condition is retried.

Abstract: Some examples described relate to securing a memory device of a computing system. For instance, a method may comprise comparing a command for the memory device to each command in a list of commands. The command is accepted when the command matches an authorized command in the list of commands. The accepted command is issued to the memory device.

Abstract: In one respect, there is provided a system for classifying an instruction sequence with a machine learning model. The system may include at least one processor and at least one memory. The memory may include program code that provides operations when executed by the at least one processor. The operations may include: processing an instruction sequence with a trained machine learning model configured to detect one or more interdependencies amongst a plurality of tokens in the instruction sequence and determine a classification for the instruction sequence based on the one or more interdependencies amongst the plurality of tokens; and providing, as an output, the classification of the instruction sequence. Related methods and articles of manufacture, including computer program products, are also provided.

Abstract: Dynamic load balancing of hardware threads in clustered processor cores using shared hardware resources, and related circuits, methods, and computer readable media are disclosed. In one aspect, a dynamic load balancing circuit comprising a control unit is provided. The control unit is configured to determine whether a suboptimal load condition exists between a first cluster and a second cluster of a clustered processor core. If a suboptimal load condition exists, the control unit is further configured to transfer a content of private register(s) of a first hardware thread of the first cluster to private register(s) of a second hardware thread of the second cluster via shared hardware resources of the first hardware thread and the second hardware thread. The control unit is also configured to exchange a first identifier associated with the first hardware thread with a second identifier associated with the second hardware thread via the shared hardware resources.

Abstract: Data is frequently protected by securing the data within containers that are only accessible using a specific security application. Once such data is transferred, all protections provided by the security application are lost. Methods and systems provide secured access to data by intercepting requests for access to a data files accessed via an IHS (Information Handling System) by applications operating within the operating system of the IHS. Based on condition settings stored in the data files, access privileges are determined for applications. The conditions settings include environmental conditions required for providing access to the data. If the IHS satisfies the environmental conditions specified by a data file, access to the data file may be granted. The data requests may be intercepted by a kernel process of the operating system of the IHS. The environmental conditions may specify requirements on the networks, display devices and/or software utilized by the IHS.

Abstract: Method and apparatus for handling page protection faults in combination particularly with the dynamic conversion of binary code executable by a one computing platform into binary code executed instead by another computing platform. In one exemplary aspect, a page protection fault handling unit is used to detect memory accesses, to check page protection information relevant to the detected access by examining the contents of a page descriptor store, and to selectively allow the access or pass on page protection fault information in accordance with the page protection information.

Abstract: Systems, apparatuses, and methods for implementing a hardware enforcement mechanism to enable platform-specific firmware visibility into an error state ahead of the operating system are disclosed. A system includes at least one or more processor cores, control logic, a plurality of registers, platform-specific firmware, and an operating system (OS). The control logic allows the platform-specific firmware to decide if and when the error state is visible to the OS. In some cases, the platform-specific firmware blocks the OS from accessing the error state. In other cases, the platform-specific firmware allows the OS to access the error state such as when the OS needs to unmap a page. The control logic enables the platform-specific firmware, rather than the OS, to make decisions about the replacement of faulty components in the system.

Abstract: Systems, apparatuses, and methods related to hierarchical memory are described. A hierarchical memory system that can leverage persistent memory to store data that is generally stored in a non-persistent memory. Logic circuitry can be configured to determine that a request to access a persistent memory device corresponds to an operation to divert data from the non-persistent memory device to the persistent memory device, generate an interrupt signal, and cause the interrupt signal to be asserted on a host coupleable to the logic circuitry as part of the operation to divert data from the non-persistent memory device to the persistent memory device. Access data and control messages can be transferred between or within a memory device, including to or from a multiplexer and/or a state machine. A state machine can include logic circuitry configured to transfer interrupt request messages to and receive interrupt request messages.

Abstract: A computer initiates a fault prevention shell. The computer protects a plurality of the computer's files in a first storage area. The computer carries out a command entered by a user into the fault prevention shell, wherein the command targets one or more of the plurality of the computer's files in the first storage area, and wherein the command is carried out on a copy of the one or more of the plurality of the computer's files in a second storage area. The computer prompts a commit by the user to perform the command on the one or more of the plurality of the computer's files in the first storage area. The computer processes a user response to the prompt. The computer updates one or more command lists with the command.

Abstract: A host device is configured to communicate over a network with a storage system. The host device comprises a multi-path input-output (MPIO) driver configured to control delivery of input-output (IO) operations from the host device to the storage system over selected ones of a plurality of paths through the network, and a data service driver. The data service driver is configured to provide one or more data services on the host device, wherein the one or more data services correspond to respective extensions. The respective extensions are organized in different levels in a stacked configuration. The data service driver is further configured to receive and process a given IO operation through the respective extensions in the stacked configuration. The MPIO driver is a component of first MPIO software for the host device, and the data service driver is a component of second MPIO software for the host device.

Abstract: Techniques for providing content management based on spatial and temporal information are disclosed herein. In an example, a service provides content management based on properties determined from a schedule of a user. The schedule of the user is processed to identify a geo-fenced area assigned for performing a task. Upon determining that the location of the client device as within the geo-fenced area, content identified by the task may be accessed through the client to perform the task.

Abstract: At least one processing device is configured to detect a failure event impacting at least a first storage node of a distributed storage system, and responsive to the detected failure event, to initiate a metadata recovery process for at least the first storage node. In conjunction with the metadata recovery process, destaging of a metadata update journal of the first storage node is performed, the destaging of the metadata update journal of the first storage node being performed in multiple phases, including at least a preload phase in which, for each of a plurality of pages required for the destaging of the metadata update journal, one or more address locks are obtained for the page, the page is preloaded into a memory of the first storage node from persistent storage accessible to the first storage node, and the one or more address locks are released, and an update and write phase.

Abstract: Method for processing data, in which a Petri net is encoded, written into a memory and read and executed by at least one instance, wherein transitions of the Petri net read from at least one tape and/or write on at least one tape symbols or symbol strings, with the aid of at least one head. [FIG. 1]. In an alternative, data-processing, co-operating nets are composed, the composition result is encoded, written into a memory and read and executed from the memory by at least one instance. In doing this, components can have cryptological functions. The data-processing nets can receive and process second data from a cryptological function which is executed in a protected manner. The invention enables processing of data which prevents semantic analysis of laid-open, possibly few processing steps and which can produce a linkage of the processing steps with a hardware which is difficult to isolate.

Abstract: An information processing apparatus includes a first memory configured to store first conversion information used for converting a virtual address to a physical address of a memory region to access data stored in the memory region; a second memory configured to store second conversion information used for converting a virtual address to a logical block address of a storage device to access data stored in the storage device; memory management circuitry configured to execute a first processor a second process, according to an access destination of a first virtual address, the first process includes address conversion on the first virtual address using the first conversion information or the second conversion information and memory access to the memory region based on a result of the address conversion, the second process including notification of a first logical block address associated with the first virtual address to an operating system.

Abstract: A system to facilitate automatic data center assembly is described. The system includes a first enclosure, including a first set of components, each component including a component manager to perform a component function and a first enclosure manager, communicatively coupled to each component manager, to perform a discovery of each of the first set of components and discover one or more adjacent enclosures coupled to the enclosure via link cables. The system also includes a system manager to automatically discover the first enclosure via the first enclosure manager and discover each of the first set of plurality of components via an associated component manager.

Abstract: Embodiments of an invention for protecting supervisor mode information are disclosed. In one embodiment, an apparatus includes a storage location, instruction hardware, execution hardware, and control logic. The storage location is to store an indicator to enable supervisor mode information protection. The instruction hardware is to receive an instruction to access supervisor mode information. The execution hardware is to execute the instruction. The control logic is to prevent execution of the instruction if supervisor mode information protection is enabled and a current privilege level is less privileged than a supervisor mode.

Abstract: A device may obtain user activity data associated with a plurality of processes being run by the device, where the user activity data identifies user interactions with one or more user input devices, where the plurality of processes is associated with a plurality of process identifiers, and where the user activity data is associated with the plurality of process identifiers. The device may detect an attempt, initiated by a first process having a first process identifier, to access a data file of a file system, and may compare the first process identifier and the plurality of process identifiers to determine whether the first process is associated with a first user interaction included in the user activity data, and may selectively grant the first process access to the data file based on determining whether the first process is associated with the first user interaction.

Abstract: Certain example embodiments described herein relate to techniques for automatically protecting, or hardening, software against exploits of memory-corruption vulnerabilities. The techniques include arranging a plurality of guard regions in the memory in relation to data objects formed by the application program, identifying an access by the application program to a guard region arranged in the memory as a disallowed access, and modifying the execution of the application program in response to the identifying, the modifying being in order to prevent exploitation of the memory and/or to correctly execute the application program.

Abstract: An apparatus comprises a storage system having storage devices and an associated storage controller. In conjunction with initiation of a checkpoint, the storage controller sets a checkpoint started flag for the checkpoint, marks user data pages and metadata pages for write operations already entered in a write journal of the storage system as of the setting of the checkpoint started flag as checkpoint pages, and marks user data pages and metadata pages for new write operations entered in the write journal after the setting of the checkpoint started flag as non-checkpoint pages by altering information used to generate signatures for respective ones of the metadata pages. Metadata pages characterizing the same user data pages subject to write operations at different times thereby have different signatures depending on whether or not the checkpoint started flag was set when its corresponding write operation was entered in the write journal.

Abstract: The described technology is generally directed towards domains that data services can use to collect files of a global filesystem namespace into groups. A data service (a domain patron) creates a domain, e.g., for a particular directory, and a domain manager associates files under that directory with domain membership information. Thereafter, the data service can use the domain membership information associated with a file to determine whether to include that file in a data service operation. In one implementation the membership information is maintained in file metadata, facilitating fast and efficient retrieval of the information in near constant time. Exclusion from a domain, hard links, renames and alternate data streams are among the various aspects supported by the domain technology.

Abstract: In a general aspect, a system can include a processor having a secure mode and a non-secure mode, and a secure module configured to respond to tokens posted by the processor in the secure mode. Each token can identify a secure asset, and source and destination addresses within secure and public address spaces. The secure module can include a memory storing secure assets identifiable by the tokens and a memory access circuit to read data from source addresses and write processed data to destination addresses. The system can further include a cryptography engine configured to process the read data using identified secure assets. The secure module can respond to tokens posted in the non-secure mode. The memory can store, with each secure asset, a respective rule defining the address spaces where the memory access circuit may read and write data. The secure module can ignore tokens that do not satisfy respective rules.

Abstract: A processor includes a processing core; a filter register to store a first permissions filter; and a memory management unit (MMU), coupled to the processing core, the filter register and a first peripheral device associated with the first permissions filter, wherein the MMU comprises a logic circuit to manage a shared page table comprising entries corresponding to the processing core and the first peripheral device, wherein the logic circuit is to; receive a memory access request for a first page of memory from the first peripheral device; determine whether the set of permission bits of the first entry match a first combination of bits of the first permissions filter; grant the memory access request if the set of permission bits match the first combination of bits of the first permissions filter; and cause a page fault if the set of permission bits do not matching the first combination of bits.

Abstract: Data processing apparatus comprises one or more transaction issuing devices configured to issue data processing transactions to be handled by a downstream device and to receive a completion acknowledgement in respect of each completed transaction; each transaction issuing device having associated transaction regulator circuitry configured to allow that transaction issuing device to issue transactions subject to a limit on a maximum number of outstanding transactions, an outstanding transaction being a transaction which has been issued but for which a completion acknowledgement has not yet been received; in which the downstream device is configured to issue an indication to a transaction issuing device, to authorize a change by the transaction regulator circuitry of the limit applicable to outstanding transactions by that transaction issuing device.

Abstract: An electronic device is disclosed that includes a housing, a universal serial bus (USB) connector exposed through one region of the housing, a wireless communication circuitry supporting short-range wireless communication, at least one processor electrically connected with the USB connector and the wireless communication circuitry, and a memory electrically connected with the processor. The memory stores instructions, when executed, causing the at least one processor to, while the USB connector is connected with a first external device and while the wireless communication circuitry performs wireless communication with a second external device, determine a wired communication state with the first external device through the USB connector and adjust a power saving scheme for the wireless communication based at least in part on the determined state. In addition, various embodiments recognized through the specification are possible.

Abstract: A processor and method for handling lock instructions identifies which of a plurality of older store instructions relative to a current lock instruction are able to be locked. The method and processor lock the identified older store instructions as an atomic group with the current lock instruction. The method and processor negatively acknowledge probes until all of the older store instructions in the atomic group have written to cache memory. In some implementations, an atomic grouping unit issues an indication to lock identified older store instructions that are retired and lockable, and in some implementations, also issues an indication to lock older stores that are determined to be lockable that are non-retired.

Abstract: There is described a method, data processing apparatus and computer program product for initializing storage protection, the storage protection for enforcing access permission for a region of storage configured in a layout of regions according to at least one security constraint, the method comprising: receiving a set of storage requirements; generating a layout whereby the layout comprises a combination of storage regions that accommodate the storage requirements within the at least one security constraint; and configuring the storage protection according to the generated layout, wherein generating a layout comprises: calculating, for each storage requirement, a list of all storage regions that could accommodate the storage requirement within the at least one security constraint; selecting and testing combinations of storage regions until a selected combination accommodates the storage requirements within the at least one security constraint; and providing the accommodated combination of storage regions as a