Abstract: A method for securing electronic device processes against attacks (e.g. side channel attacks) during the processing of sensitive and/or confidential data by a Central Processing Unit (CPU) to the volatile memory (e.g. RAM) of an electronic device such as, for example, a smart card, a PDA or a cellular phone is described herein. The method involves the storage of the confidential data to a dynamically and randomly assigned memory location, thereby rendering more difficult the analysis and subsequently the attacks (e.g. side channel attacks).

Abstract: Apparatus for data processing 2 is provided with processing circuitry 8 which operates in one or more secure modes 40 and one or more non-secure modes 42. When operating in a non-secure mode, one or more regions of the memory are inaccessible. A memory management unit 24 is responsive to page table data to manage accesses to the memory which includes a secure memory 22 and a non-secure memory 6. Secure page table data 36, 38 is used when operating in one of the secure modes. A page table entry within the hierarchy of page tables of the secure page table data includes a table security field 68, 72 indicating whether or not a further page table pointed to by that page table entry is stored within the secure memory 22 or the non-secure memory 6. If any of the page tables associated with a memory access are stored within the non-secure memory 6, then the memory access is marked with a table attribute bit NST indicating that the memory access should be treated as non-secure.

Abstract: In the computer system including at least one host computer, and at least one storage system, the storage system includes a physical disk and a disk controller, and provides the host computer with a storage area of the physical disk as at least one logical unit, and the host computer includes at least one application program accessing the logical unit, and a storage area access control unit for, before the application program makes access to the logical unit, transmitting authentication information guaranteeing the application program as a source of the access to the storage system.

Abstract: A main memory and a hard disk include predetermined serial numbers. A flash memory registers the main memory and hard disk together with their serial numbers. A BIOS reads the serial numbers from the main memory and hard disk. When a read-out serial number is not registered in the flash memory, the BIOS places the information processing apparatus in an unusable state.

Abstract: A method for adjusting performance of a system memory used in a computer system with a system memory includes the following steps: in an operating system in operating, preventing the computer system from accessing data of the system memory when an event is triggered; giving a memory control command to execute a performance adjust program of the system memory after the computer system is completely prevented from accessing the data of the system memory; and permitting accessing the data of the system memory after the performance adjust program is completed.

Abstract: A technique to provide an integrated circuit that performs memory partitioning to partition a memory into a plurality of regions, in which the memory is accessed by a plurality of heterogeneous processing devices that operate to access the memory. The integrated circuit also assigns a security level for each region of the memory and permits a memory access by a transaction to a particular region of the memory, only when a level of security assigned to the transaction meets or exceeds the assigned security level for the particular region. The integrated circuit also performs sandboxing by assigning which of the plurality of processing devices are permitted access to each of the plurality of regions. The integrated circuit may implement only the security level function or only the sandboxing function, or the integrated circuit may implement them both. In some instances, a scrambling/descrambling function is included to scramble/descramble data.

Abstract: A semiconductor memory device includes a security controller. When a one time programmable (OTP) device is programmed, the semiconductor memory device prohibits lock-status information pre-stored in an OTP lock register from being changed to an unlock status, such that it increases the stability of data stored in an OTP area. The semiconductor memory device includes an OTP device configured to determine whether or not data is changed according to a lock/unlock status when a program command is received, and an OTP controller configured to prohibit the lock status from being changed to the unlock status.

Abstract: A flash memory storage system having a flash memory controller, a flash memory chip and a smart card chip is provided. The flash memory chip is configured to store security data. The flash memory controller generates a signature corresponding to the security data according to, a private key and the security data with a one-way hash function, and stores the signature into the smart card chip.

Abstract: A chip card interface device (CCID) is configured for protecting data stored at the CCID in the event of a compromise. The CCID has a housing and a compromise detection system including one or more detection devices configured for detecting a compromise of the housing. The compromise detection system is configured for generating a detection signal indicating the detected compromise. A data protection system is coupled with the compromise detection system and includes a memory device and a processing device coupled with the compromise detection system. The processing device is for receiving the detection signal and erasing data stored on the memory device based on the detection signal in some embodiments. In some embodiments, the processing device also activates a locking function for rendering itself inoperable based on the detection signal.

Abstract: The present invention eliminates the possibility of problems with viruses, worms, identity theft, and other hazards that may result from the connection of a computer to the Internet. It does so by creating a new configuration of components within the computer. In addition to commonly used components, two new components are added. These are a secondary hard drive and a secondary random access memory. When the computer is connected to the Internet these secondary components are used in place of their primary counterparts. The primary hard drive is electronically isolated from the Internet, thus preventing Internet contamination of the primary hard drive.

Abstract: A hardware Secure Processing Unit (SPU) is described that can perform both security functions and other information appliance functions using the same set of hardware resources. Because the additional hardware required to support security functions is a relatively small fraction of the overall device hardware, this type of SPU can be competitive with ordinary non-secure CPUs or microcontrollers that perform the same functions. A set of minimal initialization and management hardware and software is added to, e.g., a standard CPU/microcontroller. The additional hardware and/or software creates an SPU environment and performs the functions needed to virtualize the SPU's hardware resources so that they can be shared between security functions and other functions performed by the same CPU.

Abstract: By having a storage apparatus attachment portion that secures a storage apparatus; a data read prevention processing unit that makes at least a part of data stored in the storage apparatus unreadable; and an input device that inputs a read prevention instruction for the storage apparatus, and configuring such that the data read prevention processing unit makes the data stored in the storage apparatus unreadable in response to a read prevention instruction received from the input device, data on the storage apparatus is reliably and easily set unreadable, as well as preventing data leakage from a typical storage apparatus with lower cost.

Abstract: A method and apparatus for processing information. First information is received from a first number of devices at a first number of interfaces configured to receive the first information in a first section of a programmable integrated circuit. The first information is sent to a second section in the programmable integrated circuit. Second information is received at a second number of interfaces in the second section from a second number of devices that generates the second information with a plurality of security levels. The first and second sections are partitioned from each other such that communication between the first and second sections is controlled by the second section. The first and second information are processed to form processed information that is sent to a number of network interfaces in which an identification of a security level within a plurality of security levels is associated with the processed information.

Abstract: A network security device and method for one way or secure communication are disclosed. At least one processor is connected to a higher level network port and a lower level network port, and is connectable to a shared memory. The at least one processor is configured to send a data to the lower level network port via the shared memory in response to receiving the data from the higher level network port and to decline or ignore any request from the lower level network port to write to the shared memory. The at least one processor, which may be a higher level processor, may be further configured to decline or ignore any request from the higher level network port to read the shared memory. A lower level processor, connected to the lower level network port, may be at least conditionally disabled from writing to the shared memory.

Abstract: A block management method for managing blocks of a flash memory storage device is provided. The flash memory storage device includes a flash memory controller. The block management method includes the following steps. At least a part of the blocks is grouped into a first partition and a second partition. Whether an authentication code exists is determined. When the authentication code exists, the blocks belonging to the first partition are provided for a host system to access, so the host system displays the first partition and hides the second partition. An authentication information is received from the host system. Whether the authentication information and the authentication code are identical is authenticated. When the authentication information and the authentication code are identical, the blocks belonging to the second partition are provided for the host system to access, so the host system displays the second partition and hides the first partition.

Abstract: Handling parallelism in transactions. One embodiment includes a method that includes beginning a cache resident transaction. The method further includes encountering a nested structured parallelism construct within the cache resident transaction. A determination is made as to whether the transaction would run faster serially in cache resident mode or faster parallel in software transactional memory mode for the overall transaction. In the software transactional memory mode, cache resident mode is used for one or more hierarchically lower nested transactions. The method further includes continuing the transaction in the mode determined.

Abstract: The present invention is directed to an integrated circuit, a method and a system for executing a sequence of instruction loaded from an external storage element and ensuring the authenticity of the sequence of instructions via RAM paging. In one embodiment, the integrated circuit includes a processor for executing a sequence of instructions loaded from an external storage element. To ensure the authenticity of the sequence of instructions from the external storage element, the processor supports Multiple Independent Levels of Security (MILS) or another partitioning scheme. A zeroizer is included to zeroize the on-die memory banks thereby ensuring that the processor is incapable of accessing residual sequences of instructions as loaded and stored from the external storage element thereby ensuring the authenticity of the sequence of instructions executed by the processor.

Abstract: An address containing data to be accessed is determined in response to executing an instruction received at a processor core of a microprocessor. During a scratch-pad mode of operation, it is determined whether a set of cache lines of a data cache is accessible based upon the memory location from which the instruction was retrieved. The address space of the data cache during scratch-pad mode can be isolated from other address spaces.

Abstract: Devices, systems, and methods are disclosed which relate to devices utilizing time-sensitive memory storage. The time-sensitive memory storage acts as normal device memory, allowing the user of the device to store files or other data to it; however the information stored on the time-sensitive memory storage is automatically erased, based on some storage time period. A limited amount of persistent storage is used for names and message headers.

Abstract: A semiconductor memory (2) comprises a controller (21) and a memory array (22). The memory array (22) is controlled for each of block areas (221, 221 . . . ). The information processing apparatus (1) can not generate a data erase command for each block area (221). A data erase command (30) for a specified block area “G” is encoded and stored in a block area “A”. When a request for data erasing is issued, a CPU (11) of the information processing apparatus (1) reads an erase command (30) out from the semiconductor memory (2) and outputs the erase command (30) to the controller (21). The controller (21) decodes the erase command (30) and performs a data erasing process for the block area “G”.

Abstract: A file attribute, which is called herein “enforcement bit”, is used for each file that is stored in a storage device. If the protection particulars associated with a stored file are allowed to be changed, the enforcement bit is set to a first value, and if the protection particulars or properties are not to be changed, the enforcement bit is set to a second value. When the storage device is connected to a host device, the storage device provides to the host device protection particulars and an enforcement bit, which collectively form a “file protection policy”, for each stored file in response to a file system read command that the host device issues, in order to notify the host device of files in the storage device whose protection particulars are allowed to be changed freely, and of files whose protection particulars are not allowed to be changed by unauthorized users or devices.

Abstract: The present invention provides a semiconductor device and a method for controlling the semiconductor device, the semiconductor device including memory regions that include nonvolatile memory cells; program prohibition information units, the program prohibition information units storing program prohibition information to be used for determining whether to prohibit or allow programming in a plurality of memory regions corresponding to the program prohibition information units; a first prohibition information control circuit that prohibits a change of the program prohibition information from a program prohibiting state to a program allowing state with respect a memory region, the memory region is one of the plurality of corresponding memory regions, based on first prohibition information to be used for determining whether to prohibit a change of the program prohibition information from a program prohibiting state to a program allowing state with respect to the corresponding memory region; and a second prohibitio

Abstract: A disk array apparatus capable of effecting saving and operation of data through a simple construction. When a host computer sets “write inhibit” or “read/write inhibit” for an LDEV which is set on a first storage device, this setting is registered in an access attribute management table and is also reflected onto a migration management table. A migration control program moves the LDEV for which access limitation has been set to a lower-speed (lower-performance) second storage device or to an external storage device. When the access limitation is released, the moved LDEV is restored to the first storage device from the storage device to which the LDEV has been moved. By performing migration control in interlocking relation to control of access attributes, it is possible to obtain a simple data saving function and data management function.

Abstract: The present invention discloses systems and methods for communicating with a storage device configured to store signed program files, the method including the steps of: generating, by a program process, a respective command number associated with a process command; issuing, by the program process, the process command with the respective command number to the storage device; and according to the respective command number, verifying, by the storage device, whether the process command originated from a trusted program process launched from the program files stored in the storage device. Preferably, the step of verifying includes: generating, by the storage device, a respective initial command number associated with a requested program file; and attaching, by the storage device, the respective initial command number to a copy of the requested program file.

Abstract: System and method for protecting data in a system including a main processor, an embedded controller, and a memory. In response to a power-on-reset (POR), access to the memory is enabled, e.g., access by the embedded controller. First data is read from the memory (e.g., by the embedded controller) in response to the enabling, where the first data are usable to perform security operations for the system prior to boot-up of the main processor. The first data are used, e.g., by the embedded controller, to perform one or more security operations for the system, then access to the memory, e.g., by the embedded controller, is disabled, where after the disabling the memory is not accessible, e.g., until the next POR initiates enablement.

Abstract: Computer-based methods, techniques, and systems for automatically protecting a storage device from unwanted alterations are provided. Example embodiments provide a Disk Access Redirection System, which includes a Redirection Driver, an Available Space Table (“AST”), a Protected Space Redirection Table (“PSRT”), and optionally an Unprotected Space Table (“UST”). The Redirection Driver is installed and registered with the computer operating system so that it can intercept storage device access requests (such as a disk read/write). When a storage access request for a read or write is sent, the request is intercepted by the Redirection Driver, transparent to the code that invokes the storage access request.

Abstract: A computing apparatus having a hard drive storage unit which includes a global positioning system, a non-volatile memory and a compare module. The non-volatile memory stores a permitted zone of operation of the hard drive storage unit while the compare module monitors the current location. If the compare module detects a current location of the hard drive storage unit as tracked by the global positioning system which is outside of the permitted zone of operation as stored in the non-volatile memory, the non-volatile memory contains at least one command implemented by a computer processor that may cause the hard drive storage unit to become disabled.

Abstract: A method and apparatus for processing a write request at a storage device is provided. A write request that identifies a sender of the write request is received at a storage device. The write request is examined to determine the identity of the sender. A determination is made as to whether, within a hierarchical relationship, the sender is subordinate to any entity that has been designated as being unable to perform write requests at the storage device. Upon determining that (a) the sender is not subordinate to any entity that has been designated as being unable to perform write requests at the storage device, and (b) the sender has not been designated as being unable to perform write requests at the storage device, the sender is allowed to write to the storage device. Thereafter, the write request from the sender may be performed at the storage device.

Abstract: A storage device, a memory controller, and a data protection method are provided. The method includes when receiving a read command sent by a host, adopting a corresponding output flow rate limit to determine an operation that is executed on read data corresponding to the read command by the host according to location information included in the read command or a type of a transmission interface between the host and the storage device. The method also includes executing an interference procedure by the storage device to prevent the read data from being copied to the host or slow down the speed of copying the read data to the host when identifying that the operation is a copy operation.

Abstract: A semiconductor memory device includes a plurality of independently accessible memory cores. Each memory core includes at least one flag cell storing a flag value and a plurality of data cells storing data. An access control circuit included in the semiconductor memory device selects an access-control subject memory core from the memory cores based on the flag value of the at least one flag cell of each memory core.

Abstract: A storage device capable of restricting its functions based on its geographical location is disclosed. In one embodiment, the storage device comprises a storage module for storing data; a positioning module, the positioning module determines the current location of the storage device; and a control module, the control module determines if the storage device is located within an area for function-restriction; and if so, one or more storage functions of the storage module is restricted; if not, the storage module assumes normal operation.

Abstract: An apparatus and method are disclosed. The apparatus allows dynamic setting of access permissions to contents of a shared memory in a memory device controlled by an embedded controller and allows updating and recovery of the contents. A computerized system comprising at least one Host linked to the memory device provides access paths to the shared memory, to the Host, and to the embedded controller. The memory device is partitioned into separate blocks, each of which is used to store different types of data. A location is designated in the shared memory for storing protection information that includes data related to access operations allowed by at least one access path to a part of the shared memory. Access, via an arbitration device, to separate parts of the shared memory is permitted by using an access control unit that enables/disables access to predetermined portions of the shared memory.

Abstract: Disclosed is a cascaded combination structure of flash disks to create security function, comprising of a plurality of data disks and a key disk. Each of the data disks includes a public zone and a private zone matched with the key disk. When the key disk is series-connected with the data disks, the private zone can be displayed and load/save by a public program in the key disk. Accordingly, there can be secured and hid the data in the private zone so that the data in the private zone is unable to be embezzled by other illegal users.

Abstract: A first plurality of operating system processes is assigned to a first protection domain, and a second plurality of operating system processes is assigned to a second protection domain. One or more hardware protection mechanisms are used to prevent the first plurality of operating system processes from accessing the memory space of the second plurality of operating system processes, and also to prevent the second plurality of operating system processes from accessing the memory space of the first plurality of operating system processes.

Abstract: A removable digital data storage device has a programmable memory controller, a data storage medium and a data destruction means. The memory controller is encoded with a firmware program to provide a computer device driver interface, wherein the firmware program further configures the memory controller to secure data on the medium by querying for a hardware code in response to a data operation request by a computer through the interface and either granting access in response to a hardware code input or, independent of an operational status of the requesting computer, directly instructing the data destruction means to render data residing on the data storage medium unreadable in response to a failure to receive the first hardware code input through the interface.

Abstract: A data storage system for use with a plurality of tape cartridges is provided. Each tape cartridge includes a length of tape media and an amount of flash memory. The data storage system includes a tape cartridge library having a plurality of storage cells. Each storage cell is configured to store a tape cartridge. The tape cartridge library further includes a plurality of tape drives. Each tape drive is configured to access a tape cartridge when the tape cartridge is received in the tape drive. The system further includes a robotic tape mover and a flash memory access mechanism. The robotic tape mover moves tape cartridges between the plurality of storage cells and the plurality of tape drives. The flash memory access mechanism is configured in the tape cartridge library to access the flash memory of a tape cartridge when the tape cartridge is in the tape cartridge library.

Abstract: Methods and an apparatuses that perform protected content data processing with limited access to system resources are described. One or more regions in a memory (including a source memory and a destination memory) can be allocated and unprocessed content data can be mapped to the source memory. A process can be initialized with the source and destination memories to process the content data. The process can be prevented from accessing resource other than the allocated regions in the memory. The processed content data can be stored in the destination memory. In one embodiment, the content data can include media content. A playing device can be instructed to play the media content based on the processed content data via the destination memory.

Abstract: A method and system for acquiring multiple software locks in bulk is disclosed. When multiple locks need to be acquired, such as for atomic transactions in transactional memory systems, the disclosed techniques may be applied to consolidate computationally expensive memory barrier operations across the lock acquisitions. A system may acquire multiple locks in bulk, at least in part, by modifying values in one or more fields of multiple locks and by then performing a memory barrier operation to ensure that the modified values in the multiple locks are visible to other application threads. The technique may be repeated for locks that the system fails to acquire during earlier iterations until all required locks are acquired. The described technique may be applied to various scenarios including static and/or dynamic transactional locking protocols.

Abstract: A system and method for transactional memory using read-write locks is disclosed. Each of a plurality of shared memory areas is associated with a respective read-write lock, which includes a read-lock portion indicating whether any thread has a read-lock for read-only access to the memory area and a write-lock portion indicating whether any thread has a write-lock for write access to the memory area. A thread executing a group of memory access operations as an atomic transaction acquires the proper read or write permissions before performing a memory operation. To perform a read access, the thread attempts to obtain the corresponding read-lock and succeeds if no other thread holds a write-lock for the memory area. To perform a write-access, the thread attempts to obtain the corresponding write-lock and succeeds if no other thread holds a write-lock or read-lock for the memory area.

Abstract: When a thread begins an atomic transaction, the thread reads one or more variables from one or more source addresses. The read portion of the transaction is constrained to a predetermined amount of time or number of cycles (N). The mechanism then performs a test and set operation to determine whether any other threads hold locks on the one or more source addresses. If the locks for the one or more source addresses are free, then the thread acquires locks on the one or more source addresses. The thread then performs work and updates the one or more variables. Thereafter, the mechanism delays for an amount of time or number of cycles greater than or equal to N before releasing the locks. If another thread attempts to acquire a lock on the one or more source addresses, then the test and set operation for that other thread will fail.

Abstract: Systems and methods of identifying a file path of a removable storage device are disclosed. A method includes, at a host device that is coupled to the removable storage device, selecting a file path that is associated with the removable storage device by accessing a size associated with a root directory accessible to the host device, where the root directory corresponds to the removable storage device. The file path is selected based upon the size associated with the root directory. The selected file path is verified by initiating a memory access operation using the selected file path.

Abstract: A content rendering action is detected at a content access control module associated with renderable content stored within a memory associated with the content access control module. A portion of the renderable content is determined to be controlled by an access privilege requirement higher than an access privilege level of a person, a device, or a location associated with the detected content rendering action. The portion of the renderable content determined to have the access privilege requirement higher than the access privilege level of the person, the device, or the location associated with the detected content rendering action is automatically redacted.

Abstract: A multiprocessor computer system comprises a plurality of processors and a plurality of nodes, each node comprising one or more processors. A local memory in each of the plurality of nodes is coupled to the processors in each node, and a hardware firewall comprising a part of one or more of the nodes is operable to prevent a write from an unauthorized processor from writing to the local memory.

Abstract: An integrated microprocessor system for safety-critical control systems, comprising at least two microprocessor system modules each comprising at least one processor core, a read/write memory and a memory protection unit, and a read-only memory which is jointly assigned to the processor cores of the microprocessor system modules. Each of the microprocessor system modules executes a main program and a monitoring program which may comprise a plurality of subprograms. If the memory protection unit detects unauthorized operations by one of the programs for accessing a separate address area (A, B) of another program, then the respective memory protection unit assigns a separate address area (A, B) of the read/write memory to the main program and to the monitoring program.

Abstract: An embodiment may include circuitry that may be comprised in a host that may execute an operating system and/or in a server. The circuitry may generate, at least in part, and/or receive, at least in part, at least one request to initiate, at least in part, at least one operation at the host. The least one operation may facilitate, at least in part, examination remotely from the host of information stored at the host. The at least one operation may be performed independently from the operating system and also may be performed at least in part by the circuitry. The examination may facilitate, at least in part, remotely from the host, backup, recovery, and/or determination of corruption of mass storage data stored at the host. Of course, many variations, modifications, and alternatives are possible without departing from this embodiment.

Abstract: A computing device receives an object at runtime of a compiled application, wherein the object is a component of the application. The computing device generates a transactional proxy for the object, the transactional proxy including transactional logic, a transactional marker and a pointer to the object. The transactional proxy is passed to the application, wherein the application to make calls on the transactional proxy instead of on the object.

Abstract: A data storage device is disclosed comprising a non-volatile memory and control circuitry operable to evaluate a physical feature of the data storage device, wherein the physical feature is physically alterable by a user. When the physical feature is in a first state, host access to first secure data stored in the non-volatile memory is enabled, and when the physical feature is in a second state, the host access to the first secure data is disabled and host access to second data stored in the non-volatile memory is enabled.

Abstract: A playback device includes a port configured to receive content from an external memory device, a device memory residing in the device, and a controller programmed to execute instructions that cause the controller to read a read data pattern from the defined region in the external memory device and determine if the read data pattern correlates to an expected data pattern to a predetermined level, wherein the expected data pattern is derived at least in part from a defect map of the defined region. A memory device includes an array of memory cells configured to store at least one bit of data, the array of memory cells being organized into regions, at least one first region of the array of memory cells having stored therein a defect map of the array of memory cells, and at least one second region of the array of memory cells being designated as a defined region having a known defect pattern.

Abstract: According to one embodiment, a computing system includes two or more opto-electrical isolators coupling a corresponding two or more memory devices to a processor. Each memory device is electrically isolated from each other and configured to store data or instructions executed by the processor. Each opto-electrical isolator selectively couples its associated memory device to the processor such that only one of the two or more memory devices are writable by the processor at any instant of time.

Abstract: A secure memory controller includes a memory unit and a controller. The memory unit stores the information of the predetermined scenario in accordance with an application to be executed. The controller gives the right to access the memory area based on the set scenario. The controller judges whether the bus master which is requesting an access to the memory area has the right to access.