Abstract: Restriction-compliant data replication including receiving a request to replicate a dataset of a database that is stored in a cloud-based data warehouse at a first region of a plurality of geographic regions to a second region of the plurality of geographic regions, wherein the second region is subject to persistent storage restrictions different from restrictions of the first region; selecting a replication policy, applicable to the second region, wherein the replication policy specifies replication restrictions that conform to the persistent storage restrictions of the second region; and replicating the dataset from the first region to the second region, including applying the replication policy to the dataset.

Abstract: An embodiment system for protecting a memory comprises security software configured to determine, from an exception generated during an unauthorized action attempt in the memory, whether the security software can perform the action.

Abstract: A method includes a data protection system determining, based on a first security threat detection process, that a storage system is possibly being targeted by a security threat; performing, based on the determining that the storage system is possibly being targeted by the security threat, a first remedial action with respect to the storage system, the first remedial action comprising generating a snapshot of data stored by the storage system; confirming, based on a second security threat detection process, whether the storage system is possibly being targeted by the security threat; and performing, based on the confirming whether the storage system is possibly being targeted by the security threat, a second remedial action with respect to the storage system, the second remedial action comprising specifying a retention duration with respect to the snapshot.

Abstract: A system and method for associating an event in a cloud computing log to a process running on a workload is presented. The method includes: configuring a workload deployed in a cloud computing environment to deploy thereon a sensor, the sensor configured to detect a runtime process on the workload, the runtime process utilizing an identity; detecting in a log of the cloud computing environment an event based on an identifier of the workload, the log including a plurality of events; inspecting a code object for a cybersecurity object, the code object utilized in deploying the workload in the cloud computing environment; associating the runtime process with the event based on an identifier of the workload and the cybersecurity object, wherein the cybersecurity object indicates the identity; and generating an enriched log including an identifier of the runtime process associated with the event and the cybersecurity object.

Abstract: An apparatus has tag checking circuitry responsive to a target address to: identify a guard tag stored in a memory system in association with a block of one or more memory locations, the block containing a target memory location identified by the target address, perform a tag check based on the guard tag and an address tag associated with the target address, and in response to detecting a mismatch in the tag check, perform an error response action. The apparatus also has tag mapping storage circuitry to store mapping information indicative of a mapping between guard tag values and corresponding address tag values. The tag checking circuitry remaps at least one of the guard tag and the address tag based on the mapping information stored by the tag mapping storage circuitry to generate a remapped tag for use in the tag check.

Abstract: Embodiments described herein provide systems and methods to streamline the mechanism by which data users access differently regulated data through the use of one or more integrated identifiers. The integrated identifiers lessen or eliminate the need to separately maintain one set of identifiers for regulated data and another set for non-regulated data. The methods and systems may be applicable in various credit and healthcare contexts where regulations over data use are prevalent. In one or more embodiments, a data user receives a unique integrated identifier for each of the data user's current or prospective customers, and the integrated identifiers can be used to persistently identify and track the customers over time and across applications that access regulated and/or non-regulated data. In the healthcare context, a healthcare provider may utilize a patient ID as the integrated identifier. To protect privacy, the integrated identifier may not include social security numbers or birthdates.

Abstract: In an embodiment, an apparatus includes a memory access controller to be coupled to a memory and a memory management unit (MMU) coupled to the memory access controller. The MMU is to receive a memory transaction comprising an original transaction security attribute from a first device; responsive to the memory transaction comprising a first physical address of the memory, transmit the memory transaction to the memory access controller; and responsive to the memory transaction comprising a virtual address, generate a translated memory transaction comprising a translated physical address of the memory based on the virtual address and a translated transaction security attribute and transmit the translated memory transaction to the memory access controller, the translated physical address and the translated transaction security attribute associated with an operating system (OS) memory region of the memory associated with an OS. Other embodiments are described and claimed.

Abstract: An I/O memory management unit operates to provide hardware moderated restrictions on access to internal I/O device addresses of I/O devices eliminating the interposition of the operating system in such data transfers. As well as providing read/write permissions, the I/O memory management unit can perform address translation for virtualization and may be the combined with the functions of an IOMMU for managing physical addresses.

Abstract: Disclosed are various approaches for the partitioning of virtualization on systems with multiple core processors. In one approach, hardware extensions for virtualizations are enabled on one or more first cores of a plurality of cores of the processor. The hardware extensions for virtualization are disabled on one or more second cores of the plurality of cores. A virtual machine instance is executed on the first cores having the hardware extensions for virtualization enabled. A real-time operating system is executed on the second cores having the hardware extensions for virtualization disabled.

Abstract: Systems, methods, and computer program products are disclosed for customized segmentation operations in a serverless environment. An intermediate platform receives a signal from an entity requesting application hosting for use with a SaaS platform. The signal conveys personalized configuration information and a unique identifier. The personalized configuration information is used to construct a metadata configuration file. A request is transmitted to the serverless environment for a segmented storage location and a request for a related signed URL containing permission for writing data. The metadata configuration file is sent to the segmented storage location. The signed URL is provided to the entity requesting application hosting for enabling secure transmission of a code to the segmented storage location directly by the entity requesting application hosting.

Abstract: Methods, systems, and devices for initializing memory systems are described. A memory system may transmit, to a host system over a first channel, signaling indicative of a first set of values for a set of parameters associated with communicating information over a second channel between a storage device of the memory system and a memory device of the memory system. The host system may transmit, to the memory system, additional signaling associated with the first set of values for the set of parameters. For instance, the host system may transmit a second set of values for the set of parameters, an acknowledgement to use the first set of values, or a command to perform a training operation on the second channel to identify a second set of values for the set of parameters. The memory system may communicate the information over the second channel based on the additional signaling.

Abstract: A system for using actuators to control an image sensor and/or lens based on sensor data received from position sensors and based on position information for the image sensor and/or lens received from a host processor includes a primary camera controller device, at least one secondary camera controller device, and at least one communication link connecting the primary camera controller device and the at least one secondary camera controller device. The primary and secondary camera controller devices receive respective primary and secondary sensor data from the position sensors, send the respective primary and secondary sensor data to the other camera controller device via the communication link, process the primary and secondary sensor data and the position information to generate respective primary and secondary control data, and drive the respective primary and secondary control data to the actuators concurrently.

Abstract: According to one embodiment, an I/O command control device receives authorization information indicating whether execution of an I/O command is permitted. When the received authorization information is not modified and is issued from a known authorization server, the I/O command control device verifies whether the received authorization information permits execution of the I/O command. The I/O command control device permits or inhibits execution of the I/O command or a control command generated from the I/O command with respect to a logical area that is an execution target of the I/O command, in accordance with an authorization result indicating whether the received authorization information permits execution of the I/O command.

Abstract: A data storage device includes a memory device and a controller coupled to the memory device. The controller includes a decoder multiplexer (mux) module, a plurality of request/response channels coupled to the decoder mux module, an arithmetic pipeline module coupled to the plurality of request/response channels, an arbiter module coupled to the plurality of request/response channels and the arithmetic pipeline module, a mux/arbiter module coupled to the arithmetic pipeline module, a random access memory (RAM) access module coupled to the decoder mux module and the mux/arbiter module, and a RAM coupled to the mux/arbiter module. The controller is configured to determine a pipeline depth value and a calculation parallelism value of the arithmetic pipeline module and configure the arithmetic pipeline module based on the determining.

Abstract: A method of writing data to a protected region in response to a request from a host includes receiving a first write request including a first host message authentication code and a first random number from the host, verifying the first write request based on a write count, the first random number, and the first host message authentication code, updating the write count based on a result of verifying the first write request, generating a first device message authentication code based on the updated write count and the first random number, and providing the host with a first response including the first device message authentication code and a result of the verifying of the first write request.

Abstract: In some implementations, a network device may receive one or more packets via an incoming interface of the network device. The network device may forward, or refraining from forwarding, based on a destination address associated with the one or more packets and the incoming interface of the network device, the one or more packets. The network device may receive, prior to receiving the one or more packets, route information indicating the destination address, and at least one of a set of one or more authorized incoming interfaces of the network device or a set of one or more authorized identifiers that are associated with the destination address and may save the route information in an entry of a data structure. Forwarding, or refraining from forwarding, the one or more packets may further be based on the entry of the data structure.

Abstract: An information processing apparatus includes: a communication device that communicates with an external apparatus outside the information processing apparatus; a memory that includes a protected region and an unprotected region; a processor that operates in a first mode and a second mode, the first mode being a mode in which access to the protected region and access to the unprotected region are allowed, the second mode being a mode in which access to the protected region is prohibited and access to the unprotected region is allowed; a first device controller that controls the communication device by the processor operating in the first mode; a virtual machine manager that causes one or more virtual machines to operate by the processor operating in the second mode; and a second device controller that controls the communication device by the processor operating in the second mode.

Abstract: An approach for indicating viral safety of enclosed spaces. Absolute humidity (AH) values AHV (AHV1, AHV2, . . . , AHVn) are received from a set of sensors S (S1, S2, . . . , Sn) placed at locations L (L1, L2, . . . , Ln). The received absolute humidity values AHV (AHV1, AHV2, . . . , AHVi, AHVn) are compared to a viral safety safe value to determine a viral safety assessment of one of safe and not safe. An action is performed when the viral safety assessment is not safe.

Abstract: Technology for open block boundary group programming of non-volatile memory such as NAND. The open block boundary group could potentially be read in response to a request from a host for the data stored in the group. In an aspect, the memory system will determine whether programming a group of memory cells in a selected block will result in an open block. If it will not result in an open block, then the memory system uses a first set of programming parameters to program the group. However, if it will result in an open block then the memory system uses a second set of programming parameters to program the boundary group. The programming parameters may include verify levels and/or a program voltage step size. The second set of programming parameters can tighten Vt distributions, which mitigates mis-reads if the boundary group is read.

Abstract: Provided is a process, including: accessing, with a processor of an embedded computing device, immutable executable code stored in read-only memory of the embedded computing device; executing, with the processor of the embedded computing device, instructions of the immutable executable code that retrieve, from the read-only memory, a network-layer address of a tamper-evident, immutable data repository and an application-layer address of firmware of the embedded computing device stored in the tamper-evident, immutable data repository; executing, with the processor of the embedded computing device, instructions of the immutable executable code that, using the network-layer address and the application-layer address, download the firmware of the embedded computing device from the tamper-evident, immutable data repository; and executing, with the processor of the embedded computing device, instructions of the immutable executable code that store the downloaded firmware in re-writeable memory of the embedded comput

Abstract: Disclosed herein are system, method, and computer-readable device embodiments for mass insertion into single-threaded databases. An embodiment includes a processor and a memory, a storage layer to interface with a plurality of software applications and to receive data output from the plurality of software applications, and a listener that runs according to an update policy, to detect the presence of information newly stored within the storage layer. The processor and memory may be configured to maintain at least a part of a running database cluster including a plurality of nodes, with at least two nodes configured to run without multi-threading, and to execute an intermediate module to send at least part of the information to the database cluster, and to perform simultaneous access to multiple database nodes running without multi-threading.

Abstract: In described examples, a system on a chip (SoC) and method for sending messages in the SoC include determining locations of initiator-side firewall block and receiver-side firewall block memories using respective pointers to the firewall block memories stored in a single, contiguous memory. Addresses of the pointers within the single memory depend on respective unique firewall identifiers of the firewall blocks. An exclusive security configuration controller uses the pointers to configure the firewall blocks over a security bus which is electrically isolated from a system bus. The system bus is used to send messages from sending functional blocks to receiving functional blocks. The initiator-side firewall block adds a message identifier to messages. The message identifier depends on the initiator-side firewall block's configuration settings.

Abstract: A container corresponding to executable code may be received. In response receiving the container, an assertion value may be stored in an assertion register. A final canary value may be generated based on a cycles combining a prior canary value and a mix value. A determination may be made as to whether the final canary value matches with the assertion value stored in the assertion register. In response to determining that the final canary value matches with the assertion value, one or more privilege registers may be programmed to provide access to hardware resources for the container corresponding to the executable user code.

Abstract: An apparatus has processing circuitry, an instruction decoder, and capability registers, each capability register to store a capability comprising a pointer and constraint metadata for constraining valid use of the pointer/capability. In response to a capability-generating address calculating instruction specifying an offset value, a reference capability register is selected as one of a program counter capability register and a further capability register. A result capability is generated for which the pointer of the result capability indicates a window address identifying a selected window within an address space, the selected window being offset from a reference window by a number of windows determined based on the offset value of the capability-generating address calculating instruction. The reference window comprises the window comprising an address indicated by the pointer of the reference capability register.

Abstract: An example operation may include one or more of receiving, by a file processing node, a document file identification (ID) from a file owner node over a blockchain, acquiring, by the file processing node, a file storage plan executable script and an encrypted symmetric key for the document, decrypting the symmetric key by the file processing node, and executing the file storage plan executable script using the decrypted symmetric key as an input.

Abstract: According to a first aspect, execution logic is configured to perform a linear capability transfer operation which transfers a physical capability from a partition of a first software modules to a partition of a second of software module without retaining it in the partition of the first. According to a second, alternative or additional aspect, the execution logic is configured to perform a sharding operation whereby a physical capability is divided into at least two instances, which may later be combined.

Abstract: A proprietor terminal stores state data in which an identifier of a contract executed in a blockchain system, a hash value of control target file data that specifies content data managed by the contract, and an identifier of a proprietor and an identifier of a user of the content data in the file management system are associated with one another, and includes a route object generation unit that generates reference destination data having the identifier of the contract and generates route object data having the reference destination data and a link name and the hash value of the control target file data.

Abstract: Systems, methods, and computer program products are disclosed perform data access operations in association with a multi-tenant SaaS application within a Multi-tenant SaaS Platform. Code for a multi-tenant SaaS application includes a call to a token associated with retrieving tenant-specific data. A first request is received for first data access using a first token associated with a first tenant associated with a first storage location, the first request lacking an identification of the first storage location. Tenant-specific data associated with the first tenant is retrieved and provided to the multi-tenant SaaS application. A second request is received for second data access using a second token associated with a second storage location associated with a second tenant. The second token is mapped to the second storage location. The second tenant tenant-specific data is retrieved from the second storage location and provided to the multi-tenant SaaS application.

Abstract: A computer implemented method for managing large and sensitive data in a blockchain includes determining a master block store node from a plurality of block store nodes to add large and sensitive data to the blockchain after validation, and generating a block including the large and sensitive data that is validated and its metadata. If the block store nodes, a plurality of block verifier nodes and a plurality of block backup nodes of the blockchain are in synchronization, the method adds, using the master block store node, the block to its chain and generates a synchronization request to the block store nodes, the block verifier nodes and the block backup nodes of the blockchain. Based on assigned roles, the method performs enabling the block store nodes to store the block, enabling the block verifier nodes to store only the metadata, and enabling the block backup nodes to store the block.

Abstract: An apparatus comprises a processing device configured to initiate garbage collection for data pages stored in local storage of a storage node of a storage system. The processing device is also configured to determine, for a given data page stored in the local storage of the storage node, a validity score characterizing a size of changed data in the given data page, and to compare the validity score for the given data page to at least one designated threshold. The processing device is further configured to update a given page object for the given data page in an object store of persistent storage responsive to a first comparison result, and to generate, in the object store of the persistent storage, a page delta object for the given data page responsive to a second comparison result, the page delta object comprising the changed data in the given data page.

Abstract: Embodiments of the present disclosure relate to kernel integrity protection methods and apparatuses. In an embodiment, a method includes: sending, by a first program executing at a first exception level, a request message to a second program executing at a second exception level, wherein the first exception level has lower execution privilege than the second exception level, the request message requests to perform memory access, and wherein the memory access is a preset register access or a preset memory space access, and; in response to receiving the request message, obtaining, by the second program, event information corresponding to the memory access; sending, by the second program, the event information to the first program; and processing, by the first program, the event information.

Abstract: A victim management unit (MU) for performing a media management operation is identified. The victim MU stores valid data. A flush command is received from a host system. A cached data item is retrieved from a volatile memory. The cached data item and at least a subset of the valid data stored at the victim MU are written to a target MU.

Abstract: Disclosed are embodiments for horizontally skimming composite datasets. In one embodiment, a method is disclosed comprising receiving a script, the script including commands to access a composite dataset; pre-processing the script to identify a set of columns; loading a metadata file associated with the composite dataset file; parsing the metadata file to identify one or more datasets that include a column in the set of columns; loading data from the one or more datasets; and executing the script on the one or more datasets.

Abstract: Systems and methods for embodiments of artificial intelligence systems for identity management are disclosed. Embodiments of the identity management systems disclosed herein may support the creation, association, searching, or visualization of any relevant context to identity management assets for a variety of purposes, including for informing the identity management systems' manual or automated decisions, processes or workflows.

Abstract: A method of data caching includes; determining a process corresponding to a read request communicated from a host, obtaining historical access information for the process according to historical process information stored in a cache, wherein the historical process information includes at least one of historical access information for the process and heat information for one or more regions historically accessed by the process, determining a first region historically accessed by the process according to the historical access information, such that heat information for the first region satisfies a first preset condition, and loading a physical address for the first region from a storage device to the cache.

Abstract: An electronic payment terminal including a box having a housing inside which a first removable module for storing data related to at least one transaction carried out via the terminal is arranged, the terminal also having removable features for blocking access to the first storage module and an authenticity device covering at least one portion of the removable features for blocking access to the first storage module.

Abstract: Apparatuses, systems, and techniques for supporting fairness of multiple context sharing cryptographic hardware. An accelerator circuit includes a copy engine (CE) with AES-GCM hardware configured to perform both encryption and authentication of data transfers for multiple applications or multiple data streams in a single application or belonging to a single user. The CE splits a data transfer of a specified size into a set of partial transfers. The CE sequentially executes the set of partial transfers using a context for a period of time (e.g., a timeslice) for an application. The CE stores in a secure memory for the application one or more data for encryption or decryption (e.g., a hash key, a block counter, etc.) computed from a last partial transfer. The one or more data for encryption or decryption are retrieved and used when data transfers for the application is resumed by the CE.

Abstract: A method, system and apparatus for protecting against out-of-bounds references, including storing an address of a buffer in a general register and storing bounds information (BI) for the buffer in a bounds information register, and when a content of the general register is used as an address in a load or store operation, using a content of the bounds information register to determine if the load or store is out of bounds.

Abstract: The present technology may include a first storage circuit connected to a plurality of memory banks, an error correction circuit, a read path including a plurality of sub-read paths connected between the plurality of memory banks and the error correction circuit, and a control circuit configured to control data output from the plurality of memory banks to be simultaneously stored in the first storage circuit by deactivating the read path during a first sub-test section, and to control the data stored in the first storage circuit to be sequentially transmitted to the error correction circuit by sequentially activating the plurality of sub-read paths during a second sub-test section.

Abstract: A memory unit (23,24) is proposed for a computer system having a processing unit and a data bus for transferring data between the processing unit and the memory unit. The memory unit (23,24) stores data at a plurality of locations (“data items”) in a logical memory space (32), such that each data item has an address given by at least one index variable. In addition to read and write commands, the memory unit is operative to receive a shift command in a predefined format and including shift data which indicates a source address in the logical space. Upon receiving the command, the memory unit is operative to recognise it as a shift command and accordingly perform a predefined shift function comprising (i) using the source address to identify a portion of data in the memory space and (ii) writing that portion of data to a different location in the memory space. Thus, the portion of data can be shifted within the memory space without a need to transfer the portion of data along the bus.

Abstract: A method for direct memory access includes: receiving a direct memory access request designating addresses in a data block to be accessed in a memory; randomizing an order of the addresses the data block is accessed; and accessing the memory at addresses in the randomized order. A system for direct memory access is disclosed.

Abstract: An electronic device for controlling access to a device resource, and an operation method thereof, are disclosed. The electronic device may include a memory; and a processor configured to execute at least one operating system executed in a first region allowing an operation based on a first authority; execute at least one application executed in a second region allowing an operation based on a second authority; and in response to detection of access to at least one device resource by the at least one application, determine authority of access to the at least one device resource by using an authority determination module executed in a third region allowing an operation based on a third authority.

Abstract: An illustrative method includes determining that a total amount of read traffic and write traffic processed by a storage system during a time period exceeds a threshold; determining a first compressibility metric associated with the write traffic; determining a second compressibility metric associated with the read traffic; determining, based on a comparison of the first compressibility metric with the second compressibility metric, that the write traffic is less compressible than the read traffic; determining, based on the total amount of read traffic and write traffic exceeding the threshold and on the write traffic being less compressible than the read traffic, that the storage system is possibly being targeted by a security threat; and modifying, in response to the determining that the storage system is possibly being targeted by the security threat, a data protection parameter set for one or more recovery datasets generated by the storage system.

Abstract: Content within a memory device (e.g., a DRAM) may be secured in a customizable manner. Data can be secured and the memory device performance by be dynamically defined. In some examples, setting a data security level for a group of memory cells of a memory device may be based, at least in part, on a security mode bit pattern (e.g., a flag, flags, or indicator) in metadata read from or written to the memory device. Some examples include comparing a first signature (e.g., a digital signature) in metadata to a second value (e.g., an expected digital signature) to validate the first value in the metadata. The first value and the second value can be based, at least in part, on the data security level. Some examples include performing a data transfer operation in response to validation of the first and/or second values.

Abstract: Aspects of the present disclosure address systems, methods, and devices for tracking object dependencies in a cloud database system. An object dependency created between a referencing object and a referenced object is detected. Based on detecting the object dependency, a dependency record is generated. The dependency record includes dependency information describing the object dependency between the reference object and the referenced object. The dependency record is stored in a database of dependency records.

Abstract: A method, system and apparatus for protecting against out-of-bounds references, including storing an address of a buffer in a general register and storing bounds information (BI) for the buffer in a bounds information register, and when a content of the general register is used as an address in a load or store operation, using a content of the bounds information register to determine if the load or store is out of bounds.

Abstract: Embodiments are directed to providing a secure address translation service. An embodiment of a system includes memory for storage of data, an IOMMU coupled to the memory, and a host-to-device link to couple the IOMMU with one or more devices and to operate as a translation agent on behalf of one or more devices in connection with memory operations relating to the memory, including receiving a translated request from a discrete device via the host-to-device link specifying a memory operation and a physical address within the memory pertaining to the memory operation, determining page access permissions assigned to a context of the discrete device for a physical page of the memory within which the physical address resides, allowing the memory operation to proceed when the page access permissions permit the memory operation, and blocking the memory operation when the page access permissions do not permit the memory operation.

Abstract: Entanglement of pages and threads is disclosed. An indication is received of a stalling event caused by a requested portion of memory being inaccessible. It is determined that the requested portion of memory is an entangled portion of memory that is entangled with a physical node in a plurality of physical nodes. A type of the entangled portion of memory is determined. The stalling event is handled based at least in part on the determined type of the entangled portion of memory.

Abstract: An apparatus, system and method for protecting the confidentiality and integrity of a secure object running on a computer system by protecting the memory pages owned by the secure object, including assigning a secure object an ID, labeling the memory pages owned by a secure object with the ID of the secure object, maintaining an Access Control Monitor (ACM) table for the memory pages on the system, controlling access to memory pages by monitoring load and store instructions and comparing information in the ACM table with the ID of the software that is executing these instructions; and limiting access to a memory page to the owner of the memory page.

Abstract: Systems and methods relate generally to graphics and image processing by a printing device. In such a method, a graphics orderlist is obtained by a printer engine. The graphics orderlist has at least one imaging issue for printing an associated image. A debug mode is entered for debugging the graphics orderlist. A selection for a debug region is received. A graphic order of the graphics orderlist is executed by a graphic execution unit of the printer engine in the debug mode. The graphic execution unit determines whether the debug region is accessed by the execution of the graphic order. Responsive to the debug region being accessed for the execution of the graphic order, an interrupt is issued. Information of the graphic order and buffer contents associated with the debug region is stored in a log file.