With Password Or Key Patents (Class 711/164)
  • Patent number: 9252948
    Abstract: Provided are techniques for verifying, by a first device, that a management key block of a second device is valid. A management key block that includes a plurality of verification data, each of the plurality associated with a plurality of security classes ranked from high to low, is generated. The first device, which is associated with a security class that is higher than a security class associated with the second device, verifies a management key block of the second device by calculating a management key precursor associated with the higher security class and verifying verification data associated with the higher security class. In this manner, the second device is unable to pass an unauthorized, or “spoofed,” management key block.
    Type: Grant
    Filed: November 19, 2010
    Date of Patent: February 2, 2016
    Assignee: International Business Machines Corporation
    Inventor: Matthew F. Rutkowski
  • Patent number: 9246898
    Abstract: This invention provides a system and method to search for and securely download Digital MultiMedia Evidence (DME) data from a central DME repository to portable USB, smart phone, tablet, laptop, desktop, or other data storage devices, with a clear chain of custody and access control audit trail reporting, so the DME can be used to prepare for and conduct legal proceedings.
    Type: Grant
    Filed: November 19, 2013
    Date of Patent: January 26, 2016
    Assignee: Utility Associates, Inc.
    Inventors: Robert S. McKeeman, Ted M. Davis
  • Patent number: 9218295
    Abstract: A computer accesses a storage device. The computer includes a processor and a non-transitory computer-readable storage medium storing computer-readable instructions, when executed by the processor, the computer-readable instructions cause the computer to perform: storing a first time-lock and a second time-lock in the storage device; and, when both the first time-lock and the second time-lock are successfully stored in the storage device by the computer, to obtain an exclusive access privilege during a particular time interval associated with the first time-lock and the second time-lock.
    Type: Grant
    Filed: July 13, 2012
    Date of Patent: December 22, 2015
    Assignee: CA, Inc.
    Inventor: Uzi Cohen
  • Patent number: 9201897
    Abstract: A device establishes access to a first set of storage devices associated with a first storage characteristic and a second set of storage devices associated with a second storage characteristic. The first storage characteristic and the second storage characteristic include at least one of a consistency characteristic or a latency characteristic. The device receives a first request to store content, and determines a storage rule associated with the content, based on the first storage characteristic and the second storage characteristic. The storage rule specifies a manner in which the content is to be stored. The device transmits first information, associated with the content, to a first storage device of the first set of storage devices, based on the storage rule. The device transmits second information, including the content, to a second storage device of the second set of storage devices, based on the storage rule.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: December 1, 2015
    Assignee: The MathWorks, Inc.
    Inventors: Ohad Zeliger, Kevin M. Fisher, Prita V. Vaidya
  • Patent number: 9166781
    Abstract: According to one embodiment, an apparatus includes a permission/inhibition information storage which stores a permission/inhibition information file, a changer which changes a first encryption key of a first private key encrypted with the first public key to the second public key by using the first re-encryption key, a first storage which stores a second private key in a device private key temporary storage, a second storage which stores a second re-encryption key in a re-encryption key storage, a permission/inhibition information registration module which registers second permission/inhibition information in the permission/inhibition information file, and a transmitter which transmits the second private key in the re-encryption key storage to the second terminal.
    Type: Grant
    Filed: June 26, 2013
    Date of Patent: October 20, 2015
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Masato Shimano, Go Fujino, Masaaki Miki, Yoshiyuki Tsuzuki, Isao Takeyasu, Eiji Tokita
  • Patent number: 9135459
    Abstract: A method of operating a host controller interface includes receiving a buffer descriptor including sector information from a main memory, fetching data by using a source address included in the buffer descriptor, selecting one of a plurality of entries included in a security policy table by using the sector information, and determining whether to encrypt the fetched data by using a security policy included in the selected entry.
    Type: Grant
    Filed: September 4, 2013
    Date of Patent: September 15, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Kwan Ho Kim, Seok Min Kim, Heon Soo Lee
  • Patent number: 9135083
    Abstract: There are provided methods for single-owner multi-consumer work queues for repeatable tasks. A method includes permitting a single owner thread of a single owner, multi-consumer, work queue to access the work queue using atomic instructions limited to only a single access and using non-atomic operations. The method further includes restricting the single owner thread from accessing the work queue using atomic instructions involving more than one access. The method also includes synchronizing amongst other threads with respect to their respective accesses to the work queue.
    Type: Grant
    Filed: April 20, 2012
    Date of Patent: September 15, 2015
    Assignee: International Business Machines Corporation
    Inventors: Maged M. Michael, Vijay Anand Saraswat, Martin Vechev
  • Patent number: 9135448
    Abstract: The invention provides a system and method for writing data to a removable media device in accordance with a security policy. According to a method of the invention a request to write data to a first file on the removable media device is detected. Dummy data is written to the first file instead of writing the requested data. The requested data is written instead to a corresponding second file on a fixed media device. The corresponding second file is compared to a security policy. Response to the write request is based on the results of the comparison.
    Type: Grant
    Filed: October 26, 2012
    Date of Patent: September 15, 2015
    Assignee: Zecurion Inc.
    Inventors: Alexey Raevsky, Maxim Nikulin, Roman Vasiliev
  • Patent number: 9106232
    Abstract: A method for fast data erasing an FPGA including a programmable logic core controlled by a plurality of SONOS configuration memory cells, each SONOS configuration memory cell including a p-channel SONOS memory transistor in series with an n-channel SONOS memory transistor, which includes detecting tampering with the FPGA, disconnecting power from the programmable logic core, and simultaneously programming the n-channel device and erasing the p-channel device in all cells.
    Type: Grant
    Filed: September 10, 2014
    Date of Patent: August 11, 2015
    Assignee: Microsemi SoC Corporation
    Inventor: John McCollum
  • Patent number: 9083531
    Abstract: Techniques are disclosed for authenticating users to a computing application. A relying application transmits a login page to a user requesting access to the application. The login page may include a QR code (or other barcode) displayed to the user. The QR code may encode a nonce along with a URL address indicating where a response to the login challenge should be sent. In response, the user scans the barcode with an app on a mobile device (e.g., using a camera on a smart phone) to recover both the nonce and the URL address. The mobile device may also include a certificate store containing a private key named in a PKI certificate. The app signs the nonce using the private key and sends the signed nonce to the URL in a response message.
    Type: Grant
    Filed: October 16, 2012
    Date of Patent: July 14, 2015
    Assignee: Symantec Corporation
    Inventor: Srinivas Chenna
  • Patent number: 9063891
    Abstract: A computer system is provided for preventing peripheral devices and/or processor cores from accessing restricted portions of system memory. For example, the computer system can include a host bridge, system memory coupled to the host bridge via a first access bus, a security processor coupled to the host bridge via a memory access bus that allows the security processor to access system memory and to access the peripheral device, and a security processor memory management unit (SPMMU) coupled between the peripheral device and the host bridge. The security processor is configured to program the SPMMU via the memory access bus to specify a first restricted range of physical addresses in the system memory that the peripheral device is not permitted to access. The SPMMU can then process access requests from the peripheral device and deny access requests that are determined to be within the first restricted range.
    Type: Grant
    Filed: December 19, 2012
    Date of Patent: June 23, 2015
    Assignee: ADVANCED MICRO DEVICES, INC.
    Inventor: Andrew G. Kegel
  • Patent number: 9055426
    Abstract: A method and apparatus for disabling the communication functionality (i.e., disabling the transmission and/or reception of RF signals) of an integrated device, while still providing access to the local functionality of such device. A control and select function, such as a switch that is implemented by hardware or software or a combination thereof, is provided in an integrated device to allow the end user of the device to access the local data processing functionality of the device, even while the wireless communication functionality of such device is disabled.
    Type: Grant
    Filed: March 10, 2014
    Date of Patent: June 9, 2015
    Assignee: Durham Logistics, LLC
    Inventor: Nitin J. Shah
  • Patent number: 9037824
    Abstract: A microelectronic memory may be password access protected. A controller may maintain a register with requirements for accessing particular memory locations to initiate a security protocol. A mapping may correlate which regions within a memory array are password protected. Thus, a controller can use a register and the mapping to determine whether a particular granularity of memory is password protected, what the protection is, and what protection should be implemented. As a result, in some embodiments, a programmable password protection scheme may be utilized to control a variety of different types of accesses to particular regions of a memory array.
    Type: Grant
    Filed: March 26, 2009
    Date of Patent: May 19, 2015
    Assignee: Micron Technology, Inc.
    Inventors: William Stafford, Todd Legler, David Kiss
  • Patent number: 9026756
    Abstract: According to one embodiment, a memory device includes a semiconductor memory, a memory controller which controls the semiconductor memory according to a request from outside the device, a radio section for wireless communication, and a controller. The controller manages storing data in the device according to a procedure for protecting copyright, obtains the latest version of a parameter for protecting copyright which can be updated from outside the device via the radio section, includes a comparator which compares the parameter stored in the device with the latest version of the parameter, and includes an update manager which updates the stored parameter to the latest version of the parameter when they are different.
    Type: Grant
    Filed: March 20, 2012
    Date of Patent: May 5, 2015
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Daisuke Taki
  • Patent number: 9026755
    Abstract: What is disclosed is a control system which includes an interface configured to receive a content request from a request source wherein the content request identifies content stored on a storage medium. The control system also includes a processing system coupled to the interface and configured to process the content request to determine when the request source is a valid destination for the content based on a first identifier stored with the content on the storage medium and a second identifier provided with the content request. The interface is further configured to transfer the content to the request source when the request source is a valid destination.
    Type: Grant
    Filed: July 7, 2009
    Date of Patent: May 5, 2015
    Inventors: Curtis H. Bruner, Christopher J. Squires, Jeffrey G. Reh
  • Publication number: 20150121028
    Abstract: A storage device security system includes a server that is coupled to a storage device, a storage controller, a configuration IHS, and a remote access controller. The remote access controller receives a storage device access key request and a storage controller Globally Unique Identifier (GUID) from the storage controller. The remote access controller also receives a server GUID from the server. The remote access controller also receives a security key from the configuration IHS over a network. The remote access controller is configured to use a remote access controller Media Access Control (MAC) address, the storage controller GUID, the server IHS GUID, and the security key to generate a storage device access key. The remote access controller may then provide the storage device access key to the storage controller, and the storage controller may use the storage device access key to access the storage device coupled to the server IHS.
    Type: Application
    Filed: October 24, 2013
    Publication date: April 30, 2015
    Inventors: Chitrak Gupta, Sushma Basavarajaiah
  • Patent number: 9021225
    Abstract: What is provided is an enhanced dynamic address translation facility. In one embodiment, a virtual address to be translated is first obtained and an initial origin address of a translation table of the hierarchy of translation tables is obtained. Based on the obtained initial origin, a segment table entry is obtained. The segment table entry is configured to contain a format control and access validity fields. If the format control and access validity fields are enabled, the segment table entry further contains an access control field, a fetch protection field, and a segment-frame absolute address. Store operations are permitted only if the access control field matches a program access key provided by any one of a Program Status Word or an operand of a program instruction being emulated. Fetch operations are permitted if the program access key associated with the virtual address is equal to the segment access control field or the fetch protection field is not enabled.
    Type: Grant
    Filed: December 31, 2013
    Date of Patent: April 28, 2015
    Assignee: International Business Machines Corporation
    Inventors: Dan F. Greiner, Charles W. Gainey, Jr., Lisa C. Heller, Damian L. Osisek, Erwin Pfeffer, Timothy J. Slegel, Charles F. Webb
  • Patent number: 9021224
    Abstract: A computer system and an access restriction method may be used to enable security and improve reliability. The computer system includes a first storage apparatus and a second storage apparatus. The first storage apparatus provides a first logical volume from/to which a host apparatus reads and writes data, and the second storage apparatus provides a virtual second logical volume obtained by virtualizing the first logical volume of the first storage apparatus to the host apparatus. The first path information relates to a path from the host apparatus to the second logical volume registered in the first storage apparatus in association with the first logical volume of the first storage apparatus. Reservation of and access to the first logical volume is granted only for a reservation request and access request with matching path information from the host apparatus.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: April 28, 2015
    Assignee: Hitachi, Ltd.
    Inventors: Daisuke Tanaka, Keishi Tamura
  • Publication number: 20150113243
    Abstract: The present invention relates to a method for managing the memory of a secure microcircuit, including steps executed by the microcircuit of: forming a data block with executable code and/or data stored in a volatile memory of the microcircuit, and to be backed up outside the microcircuit, calculating a signature of the data block using a first signature key, inserting the calculated signature of the data block into a signature block, obtaining a current value of a non-volatile counter internal to the microcircuit, calculating a signature of the signature block associated with the current value of the internal counter, using a second signature key, and sending outside the microcircuit, the data block, the signature block and the signature of the signature block.
    Type: Application
    Filed: May 6, 2013
    Publication date: April 23, 2015
    Inventors: Vincent Dupaquis, Alexandre Venelli
  • Patent number: 9015439
    Abstract: A system and method are disclosed for an event lock storage device. The storage device includes a user partition and an event partition (which may be associated with an event). The storage device receives data from a host device, and stores the data in the user partition. In response to receiving an indication of an event, the storage device may designate the data as part of the event partition. The event partition may include a set of access rules that is different from the user partition, such as more restrictive rules for modification or deletion of a file containing the data.
    Type: Grant
    Filed: May 30, 2014
    Date of Patent: April 21, 2015
    Assignee: SanDisk Technologies, Inc.
    Inventors: Filip Verhaeghe, Bsa Chung, Samuel Yu, Michael Lavrentiev
  • Patent number: 9015432
    Abstract: A system, computer program product, and computer implemented method for mapping a Virtual machine (VM) drive to underlying storage, the method comprising locating a signature for a disk mounted to a VM, finding one or more files stored on a storage medium representing the virtual machine file system (VMFS) for a hypervisor that is running the VM, finding a portion of the one or more files on the storage medium that contains the signature, mapping the found portion of the one or more files to be the disk of the VM.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: April 21, 2015
    Assignee: EMC Corporation
    Inventor: Sunil Kumar
  • Patent number: 9009386
    Abstract: A system includes a memory device including a real memory and a tracking mechanism configured to track relationships between multiple virtual memory addresses and real memory. The system further includes a processor configured to perform the below method and/or execute the below computer program product. One method includes mapping a first virtual memory address to a real memory in a memory device and mapping a second virtual memory address to the real memory. Here, the first virtual memory address is authorized to modify data in the real memory and the second virtual memory address is not authorized to modify the data in the real memory. One computer storage medium includes a computer program product for performing the above method.
    Type: Grant
    Filed: December 13, 2010
    Date of Patent: April 14, 2015
    Assignee: International Business Machines Corporation
    Inventors: Brian D. Hatfield, Wenjeng Ko, Lei Liu
  • Publication number: 20150100748
    Abstract: Management of storage used by pageable guests of a computing environment is facilitated. A query instruction is provided that details information regarding the storage location indicated in the query. It specifies whether the storage location, if protected, is protected by host-level protection or guest-level protection.
    Type: Application
    Filed: December 15, 2014
    Publication date: April 9, 2015
    Inventors: Mark S. Farrell, Lisa Cranton Heller, Damian L. Osisek, Peter K. Szwed
  • Patent number: 9003161
    Abstract: A first virtual memory address is mapped to a real memory in a memory device, and a second virtual memory address is mapped to the real memory. Here, the first virtual memory address is authorized to modify data in the real memory and the second virtual memory address is not authorized to modify the data in the real memory.
    Type: Grant
    Filed: June 11, 2012
    Date of Patent: April 7, 2015
    Assignee: International Business Machines Corporation
    Inventors: Brian D. Hatfield, Wenjeng Ko, Lei Liu
  • Patent number: 9003138
    Abstract: A method, system, and computer program product for providing a first site the ability to execute a read signature command, wherein the read signature command takes a set of arguments, wherein at least one of the arguments corresponds to at least a portion of the first storage medium, and returns a signature value for the at least a portion of the storage medium.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: April 7, 2015
    Assignee: EMC Corporation
    Inventors: Assaf Natanzon, Dennis T. Duprey, Karl M. Owen, Leehod Baruch, Jehuda Shemer
  • Patent number: 9003148
    Abstract: A microcomputer includes a CPU, a protection information storage configured to store memory protection information specifying an access permission or a prohibited state to a memory space by a program executed by the CPU, a memory access control apparatus configured to determine whether or not to allow a memory access request from the CPU according to the memory protection information, and a reset apparatus configured to invalidate the memory protection information stored in the protection information storage according to a reset request signal output from the CPU to a switching of programs executed by the CPU, the reset request signal being based on a state of execution of the program by the CPU. The reset apparatus sets all valid bit storing fields of a plurality of protection setting registers of the protection information storage to invalid state in response to the reset request signal output by the CPU.
    Type: Grant
    Filed: October 31, 2012
    Date of Patent: April 7, 2015
    Assignee: Renesas Electronics Corporation
    Inventors: Rika Ono, Hitoshi Suzuki
  • Publication number: 20150095602
    Abstract: Creating a computer program product or a computer system to execute a frame management instruction which identifies a first and second general register. The first general register contains a frame management field having a key field with access-protection bits and a block-size indication. If the block-size indication indicates a large block then an operand address of a large block of data is obtained from the second general register. The large block of data has a plurality of small blocks each of which is associated with a corresponding storage key having a plurality of storage key access-protection bits. If the block size indication indicates a large block, the storage key access-protection bits of each corresponding storage key of each small block within the large block is set with the access-protection bits of the key field.
    Type: Application
    Filed: December 5, 2014
    Publication date: April 2, 2015
    Inventors: Dan F. Greiner, Charles W. Gainey, Jr., Lisa C. Heller, Damian L. Osisek, Timothy J. Slegel, Gustav E. Sittmann
  • Patent number: 8996831
    Abstract: Systems and methods for providing object versioning in a storage system may support the logical deletion of stored objects. In response to a delete operation specifying both a user key and a version identifier, the storage system may permanently delete the specified version of an object having the specified key. In response to a delete operation specifying a user key, but not a version identifier, the storage system may create a delete marker object that does not contain object data, and may generate a new version identifier for the delete marker. The delete marker may be stored as the latest object version of the user key, and may be addressable in the storage system using a composite key comprising the user key and the new version identifier. Subsequent attempts to retrieve the user key without specifying a version identifier may return an error, although the object was not actually deleted.
    Type: Grant
    Filed: July 29, 2013
    Date of Patent: March 31, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Jason G. McHugh, Praveen Kumar Gattu, Michael A. Ten-Pow, Derek Ernest Denny-Brown, II
  • Patent number: 8996832
    Abstract: Method and system for providing information regarding a plurality of storage devices managed by a plurality of storage servers are provided. The storage space at the storage devices is presented to a plurality of computing systems as logical storage space. A plurality of searchable data structures having a plurality of data object types are stored at a temporary memory storage device of a management console that interfaces with the plurality of computing systems and the storage servers. Each data object type stores information regarding the storage device. The searchable data structure includes information regarding the storage devices and the logical storage space presented to the computing systems. A lock data structure for tracking locks that are assigned for accessing information pertaining to a storage server and a data object type is maintained to prevent unauthorized access to at least one of the searchable data structures.
    Type: Grant
    Filed: October 10, 2014
    Date of Patent: March 31, 2015
    Assignee: Netapp, Inc.
    Inventors: Nilesh P. Maheshwari, Sreenivasa Potakamuri, Robert M. Armitano, Yinzen Hwang
  • Patent number: 8996828
    Abstract: Various embodiments provide systems and methods for migrating data. One system includes a small computer system interface logical unit number (SCSI LUN) configured to store protected data, a processor, and memory configured to store a peer-to-peer remote copy (PPRC) application. The processor is configured to execute the PPRC application to modify the protection in transmitted data and received data. One method includes receiving unprotected data, utilizing a PPRC application to add protection to the data to generate protected data, and storing the protected data in a protected SCSI LUN. Another method includes receiving, at a protected SCSI LUN, a request to transmit protected data, utilizing a PPRC application to strip the protection from the protected data to generate unprotected data, and transmitting the unprotected data to an unprotected SCSI LUN.
    Type: Grant
    Filed: April 20, 2012
    Date of Patent: March 31, 2015
    Assignee: International Business Machines Corporation
    Inventors: Matthew Joseph Kalos, Steven Edward Klein, Jared Michael Minch
  • Patent number: 8990530
    Abstract: According to one embodiment, a storage system includes a host device and a secure storage. The host device and the secure storage produce a bus key which is shared only by the host device and the secure storage by authentication processing, and which is used for encoding processing. The host device produces a message authentication code including a message which can be stored in the secure storage based on the bus key, and sends the produced message authentication code to the secure storage. The secure storage stores the message included in the message authentication code in accordance with instructions of the host device. The host device verifies whether the message stored in the secure storage is intended contents.
    Type: Grant
    Filed: February 28, 2013
    Date of Patent: March 24, 2015
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yuji Nagai, Yasufumi Tsumagari, Shinichi Matsukawa, Hiroyuki Sakamoto, Hideki Mimura
  • Patent number: 8990577
    Abstract: According to an embodiment, an information processing apparatus includes a first storage unit, a second storage unit, a power supply state control unit, a cryptographic key movement unit, a communications unit, an information input determination unit, a communications state determination unit, and a cryptographic key control unit. The cryptographic key movement unit is configured to move at least part of the cryptographic key data stored in the first storage unit to the second storage unit before a shift from a power-on state to another power supply state. In the other power supply state, the cryptographic key control unit returns the cryptographic key data from the second storage unit to the first storage unit if it is determined that there is an input of information which matches the information stored in the second storage unit and it is determined that communications are enabled between the communications unit and a base-station apparatus.
    Type: Grant
    Filed: October 12, 2011
    Date of Patent: March 24, 2015
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Anwar Sathath
  • Publication number: 20150067288
    Abstract: Methods, systems, and apparatuses, including computer programs encoded on computer-readable media, for storing data in both defaultable and non-defaultable memory on a unit in such a way that if a pluggable device is removed from the unit, the defaultable memory is reset to some default state. Further, non-defaultable memory may have data, but that data is unintelligible without data in the defaultable memory.
    Type: Application
    Filed: August 26, 2014
    Publication date: March 5, 2015
    Applicant: NEW YORK UNIVERSITY
    Inventor: Dennis Shasha
  • Patent number: 8971144
    Abstract: A system for providing write-protection functionality to a memory device includes: a memory device including configurable registers controlling write and erase operations in the memory device; a system interface; a filter logic device in electrical communication with the memory device and further in communication with the system interface; and a power on reset circuit in communication with the system interface and the filter logic device, wherein the power on reset circuit asserts a reset signal to the system interface on startup of the system, further wherein, while the reset signal is asserted to the system interface, the filter logic device modifies the configurable registers to prevent all further write and erase operations to the memory device and then the power on reset circuit de-asserts the reset signal to the system interface enabling communication between the system interface and the memory device.
    Type: Grant
    Filed: January 18, 2013
    Date of Patent: March 3, 2015
    Assignee: Quixant PLC
    Inventor: Nicholas Charles Leopold Jarmay
  • Patent number: 8972647
    Abstract: Provided are techniques for allocating logical memory corresponding to a logical partition in a computing system; generating a S/W PFT data structure corresponding to a first page of the logical memory, wherein the S/W PFT data structure comprises a field indicating that the corresponding first page of logical memory is a klock page; transmitting a request for a page of physical memory and the corresponding S/W PFT data structure to a hypervisor; allocating physical memory corresponding to the request; and, in response to a pageout request, paging out available logical memory corresponding to the logical partition that does not indicate that the corresponding page is a klock page prior to paging out the first page.
    Type: Grant
    Filed: November 18, 2011
    Date of Patent: March 3, 2015
    Assignee: International Business Machines Corporation
    Inventors: Keerthi B. Kumar, Shailaja Mallya
  • Patent number: 8966202
    Abstract: In this wireless communication device, a storage unit stores writing identification information relating to permission and prohibition of writing. An acquisition unit acquires device identification information that uniquely specifies an arbitrary wireless communication device from the arbitrary wireless communication device. A determination unit determines permission or prohibition of writing to a recording medium on the basis of the device identification information acquired by the acquisition unit and the writing identification information stored in the storage unit when a communication protocol of a session layer that performs writing to and readout from the recording medium in sector units is selected. A recording medium control unit controls permission and prohibition of writing to the recording medium on the basis of a result determined by the determination unit.
    Type: Grant
    Filed: April 3, 2012
    Date of Patent: February 24, 2015
    Assignee: Olympus Corporation
    Inventor: Keito Fukushima
  • Patent number: 8966646
    Abstract: A method of managing a software license comprises loading a software program into volatile memory, obtaining authorization data, modifying a portion of the volatile memory relied upon by the program in accordance with the authorization data, executing the program, and causing the modifications to be deleted from the volatile memory. In some embodiments, selection criteria compared with the authorization data does not contain information corresponding to all of the content of the authorization data, thereby denying a software attacker the benefit of identifying and exploiting the selection criteria.
    Type: Grant
    Filed: December 24, 2012
    Date of Patent: February 24, 2015
    Inventor: Kelce S. Wilson
  • Patent number: 8954751
    Abstract: Techniques and apparatus for utilizing bits in a translation look aside buffer (TLB) table to identify and access security parameters to be used in securely accessing data are provided. Any type of bits in the TLB may be used, such as excess bits in a translated address, excess attribute bits, or special purpose bits added specifically for security purposes. In some cases, the security parameters may include an index into a key table for use in retrieving a set of one or more keys to use for encryption and/or decryption.
    Type: Grant
    Filed: November 4, 2004
    Date of Patent: February 10, 2015
    Assignee: International Business Machines Corporation
    Inventor: William E. Hall
  • Publication number: 20150032984
    Abstract: Method and system for providing information regarding a plurality of storage devices managed by a plurality of storage servers are provided. The storage space at the storage devices is presented to a plurality of computing systems as logical storage space. A plurality of searchable data structures having a plurality of data object types are stored at a temporary memory storage device of a management console that interfaces with the plurality of computing systems and the storage servers. Each data object type stores information regarding the storage device. The searchable data structure includes information regarding the storage devices and the logical storage space presented to the computing systems. A lock data structure for tracking locks that are assigned for accessing information pertaining to a storage server and a data object type is maintained to prevent unauthorized access to at least one of the searchable data structures.
    Type: Application
    Filed: October 10, 2014
    Publication date: January 29, 2015
    Inventors: Nilesh P. Maheshwari, Sreenivasa Potakamuri, Robert M. Armitano, Yinzen Hwang
  • Patent number: 8935541
    Abstract: A method and apparatus for preventing a user from interpreting optional stored data information even when the user extracts the optional stored data, by managing data associated with a flash memory in a flash translation layer, the method comprising searching at least one page of the flash memory when writing data to the flash memory, determining whether authority information corresponding to respective searched pages includes an encryption storage function, generating, corresponding to respective searched pages, a page key according to an encrypting function when the authority information includes the encryption storage function, encrypting the data using the generated page key and storing the encrypted data in the respective searched pages, and storing the data in the respective searched pages without encryption when the authority information does not include the encryption storage function.
    Type: Grant
    Filed: August 8, 2012
    Date of Patent: January 13, 2015
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Chang-Woo Min, Jin-Ha Jun
  • Publication number: 20150006871
    Abstract: In an embodiment, a computing device may include a control unit. The control unit may acquire a request from a central processing unit (CPU), contained in the computing device, that may be executing a basic input/output system (BIOS) associated with the computing device. The request may include a request for a value that may represent a maximum authorized storage size for a storage contained in the computing device. The control unit may generate the value and send the value to the CPU. The CPU may generate a system address map based on the value. The CPU may send the system address map to the control unit which may acquire the system address map and configure an address decoder, contained in the computing device, based on the acquired system address map.
    Type: Application
    Filed: June 28, 2013
    Publication date: January 1, 2015
    Inventors: Murugasamy Nachimuthu, Mohan Kumar, Dimitrios Ziakas
  • Patent number: 8924674
    Abstract: A data object is stored in a hosted storage system and includes an access control list specifying access permissions for data object stored in the hosted storage system. The hosted storage system provides hosted storage to a plurality of clients that are coupled to the hosted storage system. A request to store a second data object is received. The request includes an indicator that the first data object stored in the hosted storage system should be used as an access control list for the second data object. The second data object is stored in the hosted storage system. The first data object is assigned as an access control list for the second data object stored in the hosted storage system.
    Type: Grant
    Filed: November 4, 2013
    Date of Patent: December 30, 2014
    Assignee: Google Inc.
    Inventors: David R. Hanson, Erkki Ville Juhani Aikas
  • Patent number: 8918611
    Abstract: A semiconductor device has: as security states to which the nonvolatile memory device can transition, an unprotected state in which, when secret information is not set in the nonvolatile memory device, rewriting the nonvolatile memory device is permitted, and reading the stored information is permitted; a protection unlocked state in which, when the secret information is set in the nonvolatile memory device, rewriting the nonvolatile memory device is permitted on condition that a result of authentication using the secret information is correct, and reading the stored information is permitted; and a protection locked state in which, when the secret information is set in the nonvolatile memory device, rewriting the nonvolatile memory device is inhibited until correctness as a result of authentication using the secret information is confirmed, and reading the stored information is inhibited under a predetermined condition.
    Type: Grant
    Filed: March 13, 2011
    Date of Patent: December 23, 2014
    Assignee: Renesas Electronics Corporation
    Inventor: Yoshitaka Ito
  • Patent number: 8918612
    Abstract: A system and method of verifying a content of a non-volatile reprogrammable memory communicatively coupled to a microprocessor is disclosed. The method comprises the steps of reading at least a portion of the data stored in the non-volatile reprogrammable memory via a second communication path secured by encryption, generating a computed integrity value according to at least a portion of the contents of the non-volatile reprogrammable memory, and reading an integrity value, and comparing the computed integrity value with the read integrity value.
    Type: Grant
    Filed: February 20, 2012
    Date of Patent: December 23, 2014
    Assignee: The DIRECTV Group, Inc.
    Inventors: Ronald P. Cocchi, Christopher P. Curren, Kevin T. Collier
  • Patent number: 8914328
    Abstract: Information management is disclosed. A file output from an application to an operating system is intercepted before the file output arrives at the operating system. The file output is directed towards protected data. The intercepted file output is analyzed to determine whether a predetermined type of version of the protected data has been created. In the event it is determined that the predetermined type of version of the protected data has been created at least in part because the analyzed intercepted file output includes a modification to the protected data, the protected data is automatically backed up, including by storing at least a portion of the file output as a backup version of the protected data. In the event it is determined that the predetermined type of version of the protected data has not been created, the protected data is not backed up.
    Type: Grant
    Filed: August 7, 2012
    Date of Patent: December 16, 2014
    Assignee: EMC Corporation
    Inventors: Ajay Pratap Singh Kushwah, Akhil Kaushik, Jian Xing, Mayank Joshi, Pashupati Kumar, Subramaniam Periyagaram, Rangarajan Suryanarayanan, Yogita Bijani
  • Patent number: 8909847
    Abstract: The invention relates to a procedure for accessing a non-volatile watch memory, the watch comprising two supply terminals accessible from the outside that define a potential difference corresponding to a standard supply voltage, and a control circuit of the non-volatile memory produced using a technology supporting a predefined maximum supply voltage, the access procedure consisting of transmitting the following to the control circuit of the non-volatile memory by means of a supply terminal of the watch: a) an opening key to authorize access to the non-volatile memory; b) an instruction for access to the non-volatile memory; the procedure being characterized in that the opening key is a predefined instruction transmitted by modulation of the standard supply voltage such that this does not exceed the predefined maximum supply voltage.
    Type: Grant
    Filed: February 18, 2008
    Date of Patent: December 9, 2014
    Assignee: EM Microelectronic-Marin SA
    Inventor: Pinchas Novac
  • Patent number: 8909825
    Abstract: A storage device includes a processing state value calculator that calculates a first processing state value representing a state of data forwarding from the storage device via the connection lines; a notifier that notifies the first processing state value to the second storage device; a receiver that receives a second processing state value representing a state of data forwarding from another storage device (second storage device) via the communication lines and calculated in the second storage device; a multiplicity calculator that calculates, using the first processing state value and the second processing state value, a multiplicity representing the number of data forwarding processes which the storage device is able to simultaneously carry out on the communication lines; and a forwarding controller that forwards data via the communication lines within the calculated multiplicity, so that data may be optimally forwarded via the connection lines.
    Type: Grant
    Filed: August 10, 2012
    Date of Patent: December 9, 2014
    Assignee: Fujitsu Limited
    Inventor: Akihiro Ueda
  • Patent number: 8904552
    Abstract: A system and method are provided for protecting data information stored in a storage medium. The system includes a memory unit which is divided into a plurality of storage regions in which data information is stored; a domain unit which includes a plurality of OS domains, which are access subjects, and loads the data information stored in the storage regions that are accessed by the OS domains; and a control unit which controls access of the domain unit to the memory unit.
    Type: Grant
    Filed: January 22, 2008
    Date of Patent: December 2, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Sang-Dok Mo, Sang-Bum Suh, Sung-Min Lee, Bok-Deuk Jeong
  • Patent number: 8898445
    Abstract: A system and method of enabling a function within a module configured to be used with an information handling system is disclosed. In one form, the method of enabling functions includes detecting whether to install a custom install routine within a module configured to enable access to a hash function, and accessing a lock bit configured to lock access to the hash function. The method can further include detecting whether to set the lock bit to lock access to the hash function.
    Type: Grant
    Filed: January 6, 2014
    Date of Patent: November 25, 2014
    Assignee: Dell Products, LP
    Inventors: Vaden Mohrmann, Madhusudhan Rangarajan
  • Publication number: 20140344543
    Abstract: Aspects of the disclosure provide a method for null address handling. The method includes compiling code without adding a null check code before a memory access code, storing a first address of the memory access code in association with a second address of a handling code for null address, determining, in response to an exception that occurs at the first address during an execution of the compiled code, the second address based on the stored information, and executing the handling code at the second address.
    Type: Application
    Filed: April 9, 2014
    Publication date: November 20, 2014
    Applicant: MARVELL WORLD TRADE LTD.
    Inventors: Haitao Huang, Ye Fan