Abstract: Methods, systems, apparatuses, and computer program products are provided for generating an instruction set for an evaluation engine. An arithmetic expression that combines multiple columns of data (e.g., a first column of data, a second column of data, etc.) is received. Instructions may be generated, that, when executed by an integrated-circuit-based processor, cause the integrated-circuit-based processor to evaluate the arithmetic expression. In examples, a set of instructions may be generated for each column of data represented in the arithmetic expression. For instance, the instructions may comprise a first set of instructions associated with the first column of data, a second set of instructions associated with the second column of data, and so on. The instructions may specify one or more parameters for operations associated with each column of data, such as operations to load data from a buffer, store data into a buffer, arithmetic operations to perform on data, etc.

Abstract: Methods, systems, and computer-readable media are directed towards receiving, at an untrusted component, a query for a data store. The query includes a plurality of data operations. The data store is accessible by the untrusted component. A first proper subset of data operations is determined from the plurality of data operations that do not access sensitive data within the data store. A second proper subset of data operations is determined from the plurality of data operations that access sensitive data within the data store. The first proper subset of data operations is executed, at the untrusted component, to create first results. The second proper subset of data operations is sent to a trusted component for execution. Second results based on the sending the second proper subset of data operations are received from the trusted component. Results to the query are returned based on the first results and the second results.

Abstract: Methods, systems, apparatuses, and computer program products are provided for generating an instruction set for an evaluation engine. An arithmetic expression that combines multiple columns of data (e.g., a first column of data, a second column of data, etc.) is received. Instructions may be generated, that, when executed by an integrated-circuit-based processor, cause the integrated-circuit-based processor to evaluate the arithmetic expression. In examples, a set of instructions may be generated for each column of data represented in the arithmetic expression. For instance, the instructions may comprise a first set of instructions associated with the first column of data, a second set of instructions associated with the second column of data, and so on. The instructions may specify one or more parameters for operations associated with each column of data, such as operations to load data from a buffer, store data into a buffer, arithmetic operations to perform on data, etc.

Abstract: Methods, systems, and computer-readable media are directed towards receiving, at an untrusted component, a query for a data store. The query includes a plurality of data operations. The data store is accessible by the untrusted component. A first proper subset of data operations is determined from the plurality of data operations that do not access sensitive data within the data store. A second proper subset of data operations is determined from the plurality of data operations that access sensitive data within the data store. The first proper subset of data operations is executed, at the untrusted component, to create first results. The second proper subset of data operations is sent to a trusted component for execution. Second results based on the sending the second proper subset of data operations are received from the trusted component. Results to the query are returned based on the first results and the second results.

Abstract: Methods, systems, and computer-readable media are directed towards receiving, at an untrusted component, a query for a data store. The query includes a plurality of data operations. The data store is accessible by the untrusted component. A first proper subset of data operations is determined from the plurality of data operations that do not access sensitive data within the data store. A second proper subset of data operations is determined from the plurality of data operations that access sensitive data within the data store. The first proper subset of data operations is executed, at the untrusted component, to create first results. The second proper subset of data operations is sent to a trusted component for execution. Second results based on the sending the second proper subset of data operations are received from the trusted component. Results to the query are returned based on the first results and the second results.

Abstract: A database management system (DBMS) run a host CPU and a hardware coprocessor accelerate traversal of a tree-type data structure by allocating reusable memory in cache to store portions of the tree-type data structure as the tree-type data structure is being requested by the host CPU. The hardware coprocessor manages the cached tree-type data structure in a manner that is transparent to the host CPU. A driver located at the host CPU or at a separate computing device can provide an interface between the host CPU and the hardware coprocessor, thus reducing communications between the host CPU and the hardware coprocessor.

Abstract: Methods, systems, and computer-readable media are directed towards receiving, at an untrusted component, a query for a data store. The query includes a plurality of data operations. The data store is accessible by the untrusted component. A first proper subset of data operations is determined from the plurality of data operations that do not access sensitive data within the data store. A second proper subset of data operations is determined from the plurality of data operations that access sensitive data within the data store. The first proper subset of data operations is executed, at the untrusted component, to create first results. The second proper subset of data operations is sent to a trusted component for execution. Second results based on the sending the second proper subset of data operations are received from the trusted component. Results to the query are returned based on the first results and the second results.

Abstract: A database management system (DBMS) run a host CPU and a hardware coprocessor accelerate traversal of a tree-type data structure by allocating reusable memory in cache to store portions of the tree-type data structure as the tree-type data structure is being requested by the host CPU. The hardware coprocessor manages the cached tree-type data structure in a manner that is transparent to the host CPU. A driver located at the host CPU or at a separate computing device can provide an interface between the host CPU and the hardware coprocessor, thus reducing communications between the host CPU and the hardware coprocessor.

Abstract: A cloud computing service to securely process queries on a database. A security device and method of operation are also disclosed. The security device may be provisioned with a private key of a subscriber to the cloud service and may have processing hardware that uses that key, sequestering the key and encryption processing in hardware that others, including operating personnel of the cloud service, cannot readily access. Processing within the security device may decrypt queries received from the subscriber and may encrypt responses for communication over a public network. The device may perform functions on clear text, thereby limiting the amount of clear text data processed on the cloud platform, while limiting bandwidth consumed in communicating with the subscriber. Such processing may include formatting data, including arguments in a query, in a security protocol used by the cloud platform.

Abstract: A secure cloud computing platform. The platform has a pool of secure computing devices such that each can be allocated to a customer as with other computing resources. Each secure computing device may be configured by a customer with a key and software for performing operations on sensitive data. The customer may submit data, defining a job for execution on the platform, as cyphertext. The secure computing device may perform operations on that data, which may include decrypting the data with the key and then executing the software to perform an operation on cleartext data. This operation, and the data on which it is performed, though in cleartext, may be inaccessible to the operator of the cloud computing platform. The device may operate according to a secure protocol under which the software is validated before loading and the device is provisioned with a key shared with the customer.

Abstract: A cloud computing service to securely process queries on a database. A security device and method of operation are also disclosed. The security device may be provisioned with a private key of a subscriber to the cloud service and may have processing hardware that uses that key, sequestering the key and encryption processing in hardware that others, including operating personnel of the cloud service, cannot readily access. Processing within the security device may decrypt queries received from the subscriber and may encrypt responses for communication over a public network. The device may perform functions on clear text, thereby limiting the amount of clear text data processed on the cloud platform, while limiting bandwidth consumed in communicating with the subscriber. Such processing may include formatting data, including arguments in a query, in a security protocol used by the cloud platform.

Abstract: A secure cloud computing platform. The platform has a pool of secure computing devices such that each can be allocated to a customer as with other computing resources. Each secure computing device may be configured by a customer with a key and software for performing operations on sensitive data. The customer may submit data, defining a job for execution on the platform, as cyphertext. The secure computing device may perform operations on that data, which may include decrypting the data with the key and then executing the software to perform an operation on cleartext data. This operation, and the data on which it is performed, though in cleartext, may be inaccessible to the operator of the cloud computing platform. The device may operate according to a secure protocol under which the software is validated before loading and the device is provisioned with a key shared with the customer.

Abstract: Logic and state information suitable for execution on a programmable hardware device may be generated from a task, such as evaluating a regular expression against a corpus. Hardware capacity requirements of the logic and state information on the programmable hardware device may be estimated. Once estimated, a plurality of the logic and state information generated from a plurality of tasks may be distributed into sets such that the logic and state information of each set fits within the hardware capacity of the programmable hardware device. The tasks within each set may be configured to execute in parallel on the programmable hardware device. Sets may then be executed in series, permitting virtualization of the resources.