Abstract: A method, apparatus, and computer program product for implementing a high-performance data storage device using block-access memory devices are disclosed. According to an embodiment of the present invention, a storage device includes a block-access memory device configured to stored data in one or more physical sector addresses and a random-access memory device storing a logical-to-physical (L2P) sector address translation data structure. Also, the storage device includes a device manager, coupled to both the block-access memory device and the random-access memory. The device manager is configured to determine a physical sector address in the block-access memory device, in response to a data access request, wherein the data access request includes a logical sector address by mapping the logical sector address to a physical sector address using the L2P sector address translation data structure.

Abstract: A data processing system includes a host processor and a graphics processing unit operable to process data under the control of an operating system executing on the host processor. The graphics processing unit can be switched between a normal mode of operation in which the it has read and write access to data that is stored in non-protected memory regions 9 but no or write-only access to any protected memory regions 8, and a protected mode of operation in which it has read and write access to data that is stored in protected memory regions 8 but only has read-only access to any non-protected memory regions 9. The data processing system further comprises a mechanism for switching the graphics processing unit from its normal mode of operation to the protected mode of operation, and from its protected mode of operation to the normal mode of operation.

Abstract: According to one embodiment, an information processor includes an operator and an address protector. The address protector includes a register access interface, an address table, and an access determination module. The register access interface is configured to receive address protection information from the operator. The address table is configured to store the received address protection information. The access determination module is configured to determine whether an access to an address specified by the operator is allowable based on the address protection information, and configured to output an interrupt signal to the operator when the access is unallowable.

Abstract: A data processing apparatus comprises a primary processor, a secondary processor configured to perform secure data processing operations and non-secure data processing operations and a memory configured to store secure data used by the secondary processor when performing the secure data processing operations and configured to store non-secure data used by the secondary processor when performing the non-secure data processing operations, wherein the secure data cannot be accessed by the non-secure data processing operations, wherein the secondary processor comprises a memory management unit configured to administer accesses to the memory from the secondary processor, the memory management unit configured to perform translations between virtual memory addresses used by the secondary processor and physical memory addresses used by the memory, wherein the translations are configured in dependence on a page table base address, the page table base address identifying a storage location in the memory of a set of des

Abstract: In general, the invention is directed to techniques for identifying memory overruns. For example, as described herein, a device includes a main memory that enables an addressable memory space for the device. A plurality of memory pages each comprises a separate, contiguous block of addressable memory locations within the addressable memory space. The device also includes a memory manager comprising a secure pool allocator that assigns a secure pool size value to a first one of the plurality of memory pages. The secure pool size value defines a plurality of protected memory spaces in the first memory page that partition the first memory page into a plurality of secure objects. The device also includes a memory management unit comprising secure pool logic that determines, based on the secure pool size value, whether a memory address is an address of one of the protected memory spaces in the first memory page.

Abstract: The present invention describes a system and a method for securely loading digital information from an external storage device in a non-trusted environment into a memory module in a trusted environment within a data processing system. A master mode and a service mode are described, the master mode being when the secure loading is requested by a secure processor residing within the trusted environment and the service mode being when the loading is requested by an element which is external to the trusted environment i.e. in the non-trusted environment. The system comprises at least one storage device, one memory module and at least one first processor, and further comprises a memory access controller module connected between the processor and the memory module, and a secure memory management module connected to the processor, the memory module, the storage device and the memory access controller.

Abstract: A technique of identifying IO hot spots is performed in a data storage apparatus (e.g., a file server). The technique involves updating, in response to host IO operations which lock ranges of extents prior to accessing the ranges of extents, contents of a lock history database based on the ranges of extents which were locked by the host IO operations. The technique further involves receiving a lock history request. The technique further involves providing, in response to the lock history request, the contents of the lock history database to identify, as the IO hot spots, extents which were locked by the host IO operations.

Abstract: A system includes storage devices for storing content along with two or more computing devices such as a two or more servers. One of the computing devices includes a staging memory that stores content that is received from the storage devices. The computing device also includes a user memory that is assigned to a user and stores content transferred from the staging memory. The user memory is accessible by the user while the staging memory is inaccessible by the user. The system also includes another computing device that has a content manager that initiates transferring of content from the storage devices to the staging memory and transferring content from the staging memory to the user memory for electronic publication of the content.

Abstract: Methods, apparatuses, and computer program products are provided for locking access to data storage shared by a plurality of compute nodes. Embodiments include maintaining, by a compute node, a queue of requests from requesting compute nodes of the plurality of compute nodes for access to the data storage, wherein possession of the queue represents possession of a mutual-exclusion lock on the data storage, the mutual-exclusion lock indicating exclusive permission for access to the data storage; and conveying, based on the order of requests in the queue, possession of the queue from the compute node to a next requesting compute node when the compute node no longer requires exclusive access to the data storage.

Abstract: A system reserves and manages a hidden service partition through components of the hardware platform of a computing device. The hidden partition is not accessible by way of a host operating system on the computing device. A hardware platform controller provisions a portion of nonvolatile storage through configuration settings of the hardware platform controller. When the host system requests settings related to storage in the system, the request is routed through the interfaces of the hardware platform, and the hardware platform controller reports in accordance with the configuration settings, hiding the service partition. The hidden partition is dynamically modifiable through secure remote access to the hardware platform controller, not through the host system such as operating system or BIOS.

Abstract: A method is used in reserving storage space in data storage systems. A set of logical units (LUs) predefined as file based storage hardware specific LUs are reserved in a restricted access storage space of a block based storage system. The restricted access storage space is accessed by a file based storage system for storing information required for initializing the file based storage system. The file based storage system is initialized using the information stored in the file based storage hardware specific LUs.

Abstract: A clock generator includes a controllable clock source and a frequency hopping controller. The controllable clock source generates a clock signal to a clock-driven device. The frequency hopping controller controls the controllable clock source to make the clock signal have at least one frequency transition from one clock frequency to another clock frequency, wherein the controllable clock source stays in a frequency-locked state during a time period of the at least one frequency transition.

Abstract: A multi-core processor system includes a number of cores, a memory system, and a common access bus. Each core includes a core processor; a dedicated core cache operatively connected to the core processor; and, a core processor rate limiter operatively connected to the dedicated core cache. The memory system includes physical memory; a memory controller connected to the physical memory; and, a dedicated memory cache connected to the memory controller. The common access bus interconnects the cores and the memory system. The core processor rate limiters are configured to constrain the rate at which data is accessed by each respective core processor from the memory system so that each core processor memory access is capable of being limited to an expected value.

Abstract: Provided is a method of controlling memory access. In a system including a first layer element executed in a privileged mode having a first priority of permission to access the entire region of a memory and second and third layer elements executed in an unprivileged mode having a second priority of permission to access a partial region of the memory, the method of controlling memory access determines whether the memory is accessible for each page that is an address space unit, based on which mode a layer element currently accessing the memory is executed in between the privileged mode and the unprivileged mode; and determines whether the memory is accessible based on which one of the first, second and third layer elements corresponds to a domain currently being attempted to be accessed from among a plurality of domains of the memory.

Abstract: An electronic device includes a memory protection unit configured to protect an access to a register of a device arranged in an address space. An operating system sets an access right to the register by using the memory protection unit. A process requests the operating system to operate the device when the process operates the device, and the operating system makes an access to the corresponding register in accordance with the request for the operation to operate the device.

Abstract: A system and method for high performance secure access to a trusted platform module on a hardware virtualization platform. The virtualization platform including Virtual Machine Monitor (VMM) managed components coupled to the VMM. One of the VMM managed components is a TPM (Trusted Platform Module). The virtualization platform also includes a plurality of Virtual Machines (VMs). Each of the virtual machines includes a guest Operating System (OS), a TPM device driver (TDD), and at least one security application. The VMM creates an intra-partition in memory for each TDD such that other code and information at a same or higher privilege level in the VM cannot access the memory contents of the TDD. The VMM also maps access only from the TDD to a TPM register space specifically designated for the VM requesting access. Contents of the TPM requested by the TDD are stored in an exclusively VMM-managed protected page table that provides hardware-based memory isolation for the TDD.

Abstract: A disclosed example apparatus includes an interface (702, 726) to receive a request to access a memory (602a) of a memory module (600) and a data store status monitor (730) to determine a status of the memory. The example apparatus also includes a message output subsystem (732) to, when the memory is busy, respond to the request with a negative acknowledgement indicating that the request to access the memory is not grantable.

Abstract: A data processing device is provided that includes an array of working memory banks and an associated processing engine. The working memory bank array is configured with at least one independently activatable memory bank. A dirty data counter (DDC) is associated with the independently activatable memory bank and is configured to reflect a count of dirty data migrated from the independently activatable memory bank upon selective deactivation of the independently activatable memory bank. The DDC is configured to selectively decrement the count of dirty data upon the reactivation of the independently activatable memory bank in connection with a transient state. In the transient state, each dirty data access by the processing engine to the reactivated memory bank is also conducted with respect to another memory bank of the array. Upon a condition that dirty data is found in the other memory bank, the count of dirty data is decremented.

Abstract: A system implements dishonest policies for managing unauthorized access requests. The system includes memory management hardware to store a set of dishonest policy bits, each dishonest policy bit that is configured to a predetermined value indicating disallowed access for one of a set of memory ranges. When a processor receives an access request for a location in a memory range to which access is not allowed as indicated by a set dishonest policy bit, the processor returns a false indication according to a dishonest policy that the requested access has been performed.

Abstract: A method and apparatus for preventing a user from interpreting optional stored data information even when the user extracts the optional stored data, by managing data associated with a flash memory in a flash translation layer, the method comprising searching at least one page of the flash memory when writing data to the flash memory, determining whether authority information corresponding to respective searched pages includes an encryption storage function, generating, corresponding to respective searched pages, a page key according to an encrypting function when the authority information includes the encryption storage function encrypting the data using the generated page key and storing the encrypted data in the respective searched pages, and storing the data in the respective searched pages without encryption when the authority information does not include the encryption storage function.

Abstract: In electronic equipment 1, a limitation level on reading data from a USB flash drive (storage device) 2 is set to a setting section 3 in advance. The USB flash drive 2 ascertains the setting at the setting section 3 when connected to the electronic equipment 1 and limits reading data based on the determined setting. If the limitation level does not match with the condition for permitting data read-out as determined in USB flash drive 2, the USB flash drive 2 prohibits the electronic equipment 1 from reading out data. By executing the processing for limiting data read-out at the side of the USB flash drive 2, unauthorized leakage of data can easily be prevented.

Abstract: One embodiment of the present invention relates to a heap overflow detection system that includes an arithmetic logic unit, a datapath, and address violation detection logic. The arithmetic logic unit is configured to receive an instruction having an opcode and an operand and to generate a final address and to generate a compare signal on the opcode indicating a heap memory access related instruction. The datapath is configured to provide the opcode and the operand to the arithmetic logic unit. The address violation detection logic determines whether a heap memory access is a violation according to the operand and the final address on receiving the compare signal from the arithmetic logic unit.

Abstract: Wireless USB device with security that allows the information to be automatically exchanged with the USB device wirelessly when it is in one location, and when in another location, only certain information can be so exchanged.

Abstract: Techniques, including systems and methods, take frequent captures of data sets for the purpose of forensic analysis. The data set captures are taken at the block level in various embodiments. Data set captures are used to instantiate forensic storage volumes that are attached to computing instances. The computing instances can access data in the forensic storage volumes at a state corresponding to a specified capture time. A user can select different capture times to re-instantiate the forensic storage volume to see how the forensic storage volume changed between captures.

Abstract: A protecting circuit for a basic input output system (BIOS) chip of a computer includes a platform controller hub (PCH), an inverting circuit connected to the PCH, a BIOS socket to connect the BIOS chip, and a controlling circuit connected between the inverting circuit and the BIOS socket. The PCH outputs a first signal or a second signal, and a third signal. The inverting circuit outputs an inverted signal with a level contrary to the first or second signal. The controlling circuit receives the first or second signal and the inverted signal, to output a processing signal to the BIOS socket, thereby controlling write-protection states of the BIOS chip.

Abstract: A device configuration silo is arranged to be accessed as an IEEE 1667-compatible silo which exposes interfaces to a host application to make changes to the presence of one or more other silos, as well as make changes to silo configurations on a per-silo basis for data and method sharing among silos across the ACTs on a storage device such as a transient storage device. The interfaces exposed by the device configuration silo are arranged to enable an authenticated provisioner, like administrator in a corporate network environment, to perform configuration changes to silos after the storage device is released into the field through a secure provisioning mechanism. In addition, users may make configuration changes to silos at runtime in some usage scenarios, for example to enable discrete portions of functionality on a storage device, by using a secure secondary authentication mechanism that is exposed by the device configuration silo.

Abstract: When an address indicating an access destination of a data storing unit, and a command indicating a content of a process for the address are input, block information corresponding to the input address is output from an information holding unit. Whether or not to execute the command for the address is decided on the basis of the output block information and the input command.

Abstract: A data object is stored in a hosted storage system and includes an access control list specifying access permissions for data object stored in the hosted storage system. The hosted storage system provides hosted storage to a plurality of clients that are coupled to the hosted storage system. A request to store a second data object is received. The request includes an indicator that the first data object stored in the hosted storage system should be used as an access control list for the second data object. The second data object is stored in the hosted storage system. The first data object is assigned as an access control list for the second data object stored in the hosted storage system.

Abstract: The present invention aims to improve the performance of accessing flash memory used as a storage medium in a storage device. In the storage device in accordance with the present invention, a storage controller, before accessing the flash memory, queries a flash controller as to whether the flash memory is accessible.

Abstract: A method in one embodiment for operating a virtual server supporting at least one Write Once Read Many (WORM) logical data object and at least one read-write logical object includes initializing a logical data object from a common pool of the logical data objects, the logical data object bound with a member of a media type group, the member of the media type group comprising a WORM logical data object and a read-write logical data object; and reusing one of the logical data objects as the member of the media type group without ejection and reinsertion by mounting the logical data object with a write from beginning of logical data object to bind at least one data attribute to the member of the media type group to replace any previous attribute and data associated with the logical data object.

Abstract: Embodiments related to a processing unit and a first information storage are described and depicted. First information is provided from a first unit into a first information storage for performing a first operation of the processing unit. During the first operation of the processing unit second information is transferred between the processing unit and the first information storage. The first information storage comprises during the first operation of the processing unit an access protection for the first unit.

Abstract: Disclosed is a software program, USB monitoring software agent. USB monitoring software agent is a software program that monitors all USB ports of a computer and provides real-time detection of all USB devices connected to a USB port. As a USB device is detected, the device is identified, categorized, catalogued and logged in a secure persistent store, prompted for a challenge policy of use if so configured, prevent the USB device from being used if so configured, transmit information about the detected USB device to a local or remote repository by a selected industry standard telecommunication method. A method of creating a digital photograph and/or a video recording to record and identify a user of the computer contemporaneous with the insertion/removal/ejection of a USB device into or out of the computer is disclosed also.

Abstract: A memory system and an operating method thereof stably supplies power, so that it is possible to improve performance of a memory system by omitting an operation, which has been performed in order to prevent an error due to the blocking of a power supply, in a condition in which an error due to the blocking of the power supply may not be generated.

Abstract: Generally, this disclosure provides systems, methods and computer readable media for a protected memory view in a virtual machine (VM) environment enabling nested page table access by trusted guest software outside of VMX root mode. The system may include an editor module configured to provide access to a nested page table structure, by operating system (OS) kernel components and by user space applications within a guest of the VM, wherein the nested page table structure is associated with one of the protected memory views. The system may also include a page handling processor configured to secure that access by maintaining security information in the nested page table structure.

Abstract: A data security system includes providing a unique identification from a first system to a second system; copying the unique identification in the second system by the first system; and unlocking a memory in the first system or the second system only when the unique identifications in the first system and the second system are the same.

Abstract: An apparatus, system, and method for deliberately preventing unauthorized access to data stored in a non-volatile memory device are disclosed. In one embodiment, an apparatus is configured to destroy the data stored on the memory device. The apparatus may comprise a printed circuit board (PCB), a non-volatile memory circuit electrically connected to the PCB, and a housing of the PCB. The non-volatile memory circuit may be scored to facilitate deliberately breaking the non-volatile memory circuit in response to an external force. In a further embodiment, the apparatus may comprise an electrical erase circuit powered by a power source connected to a switch. The electrical erase circuit may be configured to non-destructively erase the non-volatile memory circuit in response to activation of the switch. The system may further include a leverage tool configured to provide leverage to a non-volatile memory device affected by an external force.

Abstract: A semiconductor device has: as security states to which the nonvolatile memory device can transition, an unprotected state in which, when secret information is not set in the nonvolatile memory device, rewriting the nonvolatile memory device is permitted, and reading the stored information is permitted; a protection unlocked state in which, when the secret information is set in the nonvolatile memory device, rewriting the nonvolatile memory device is permitted on condition that a result of authentication using the secret information is correct, and reading the stored information is permitted; and a protection locked state in which, when the secret information is set in the nonvolatile memory device, rewriting the nonvolatile memory device is inhibited until correctness as a result of authentication using the secret information is confirmed, and reading the stored information is inhibited under a predetermined condition.

Abstract: A chip including a processor for performing a predetermined operation, a provider for providing a clock signal, with which the processor is clocked, a counter for decrementing or incrementing a count based on the clock signal, a monitor for signaling the predetermined operation to be prevented, depending on the count, and a non-volatile storage for non-volatily storing the count.

Abstract: A multiprocessing system executes a plurality of processes concurrently. A process execution circuit (10) issues requests to access a shared resource (16) from the processes. A shared access circuit (14) sequences conflicting ones of the requests. A simulating access circuit (12) generates signals to stall at least one of the processes at simulated stall time points selected as a predetermined function of requests from only the at least one of the processes and/or the timing of the requests from only the at least one of the processes, irrespective of whether said stalling is made necessary by sequencing of conflicting ones of the requests. Thus, part from predetermined maximum response times, predetermined average timing can be guaranteed, independent of the combination of processes that is executed.

Abstract: A storage device with multiple interfaces and multiple levels of data protection includes a first memory area and a second memory area utilizing data protection for protecting second data stored in the second memory area, the second memory area being distinct from the first memory area. The storage device also includes a first interface through which the storage device writes first data into the first memory area or reads first data stored in the first memory area and a second interface through which the storage device writes second data into the second memory area or reads second data stored in the second memory area, the second interface being distinct from the first interface. A controller controls access to the first memory area and the second memory area, and the second memory area is inaccessible through the first interface.

Abstract: According to an embodiment, an authentication device includes an acquiring unit, a predicting unit, and an authenticating unit. The acquiring unit is configured to acquire performance information of a first device that is a device to be authenticated. The predicting unit is configured to predict performance information of a second device that is a device being a reference for authentication according to a change with time from initial performance information. The authenticating unit is configured to perform an authentication process of determining whether or not the first device falls into the second device on a basis of a degree of agreement between the performance information acquired by the acquiring unit and the performance information predicted by the predicting unit.

Abstract: The subject disclosure is directed towards using one or more of hardware, a hypervisor, and privileged mode code to prevent system mode code from accessing user mode data and/or running user mode code at the system privilege level, or vice-versa. Also described is (in systems with a hypervisor) preventing non-hypervisor code from running in hypervisor mode or accessing hypervisor-only data, or vice-versa. A register maintained by hardware, hypervisor, or system mode code contains data access and execution polices for different chunks of addressable space with respect to which requesting entities (hypervisor mode code, system mode code, user mode code) have access to or can execute code in a given chunk. When a request to execute code or access data with respect to an address is received, the request is processed to determine to which chunk the address corresponds. The policy for that chunk is evaluated to determine whether to allow or deny the request.

Abstract: A device is provided for use with a content provider that is operable to provide content, which includes a plurality of content components. The device includes a communication portion, a memory portion, a parsing portion, a counting portion and a processing portion. The communication portion can receive the content from the content provider. The parsing portion can parse the content into the plurality of content components and can store the parsed plurality of content components within the memory portion. The counting portion can provide a counter for each of the parsed plurality of content components within the memory portion, respectively. The processing portion can retrieve and process one of the parsed plurality of content components within the memory portion. The counting portion can further increment the counter associated with the retrieved one of the parsed plurality of content components within the memory portion.

Abstract: A memory controller may include a cell state generator that is configured to generate a cell state for each of a plurality of multi-level cells included in a non-volatile memory device, using data of pages. The memory controller may also include a pseudo-random number generator that is configured to generate a pseudo-random number. The memory controller may further include an operator that is configured to change the cell state of each multi-level cell using the pseudo-random number, and that is configured to output a changed cell state for each multi-level cell.

Abstract: Information management is disclosed. A file output from an application to an operating system is intercepted before the file output arrives at the operating system. The file output is directed towards protected data. The intercepted file output is analyzed to determine whether a predetermined type of version of the protected data has been created. In the event it is determined that the predetermined type of version of the protected data has been created at least in part because the analyzed intercepted file output includes a modification to the protected data, the protected data automatically backed up, including by storing at least a portion of the file output as a backup version of the protected data. In the event it is determined that the predetermined type of version of the protected data has not been created, the protected data is not backed up.

Abstract: A storage control device includes a processor. The processor is configured to receive commands requesting access to a first storage. The processor is configured to detect, among the received commands, a monitoring command requesting access for monitoring to the first storage. The processor is configured to restrict access to the first storage in response to the detected monitoring command.

Abstract: An example processing system may comprise: a lower stack bound register configured to store a first memory address, the first memory address identifying a lower bound of a memory addressable via a stack segment; an upper stack bound register configured to store a second memory address, the second memory address identifying an upper bound of the memory addressable via the stack segment; and a stack bounds checking logic configured to detect unauthorized stack pivoting, by comparing a memory address being accessed via the stack segment with at least one of the first memory address and the second memory address.

Abstract: A storage system is provided with a memory region, a cache memory region, and a processor. The memory region stores the time relation information that indicates a time relationship of a data element that has been stored into the cache memory region and that is to be written to the logical region and a snapshot acquisition point of time to the primary volume. The processor judges whether or not the data element that has been stored into the cache memory region is a snapshot configuration element based on the time relation information for the data element that is to be written to a logical region of a write destination that conforms to the write request that specifies the primary volume and that has been stored into the cache memory region.

Abstract: A method, computer program product, and computing system for compartmentalizing a LUN into a plurality of portions that are each assigned to one or more hosts. The occurrence of a migration event in which an application being executed on a first host is being migrated to second host may be detected. Any portions within the LUN that are assigned to the application being executed on the first host may be identified, thus generating one or more identified portions. The one or more identified portions may be reassigned to the second host.

Abstract: A method and apparatus for controlling traffic of multiprocessor system or multi-core system is provided. The traffic control apparatus of a multiprocessor system according to the present invention includes a request handler for processing a traffic request of a first processor, and a Quality of Service (QoS) manager for receiving a QoS guaranty start instruction for a second processor from the multiprocessor system, and for transmitting, when traffic of the second processor is detected, a traffic adjustment signal to the request handler. The request handler adjusts the traffic of the first processor according to the received traffic adjustment signal. The traffic control method and apparatus of the present invention is capable of adjusting the required bandwidths of individual technologies and guaranteeing the real-timeness in the multiprocessor system or multi-core system.