Abstract: Disclosed are various embodiments for generating location confirmation models using crowdsourced wireless fingerprints. Wireless fingerprints can be generated and associated with a given location during events that use proximity to specific locations. The wireless fingerprints can be processed to generate location confirmation models that can be used for location confirmation. Periodically, the collected wireless fingerprints can be analyzed and compared to previously collected wireless fingerprints to detect a change in a wireless infrastructure at the given location. Upon determining that a previously generated location confirmation model is invalid according to a level of significance of the change, the outdated wireless fingerprints can be identified and removed from storage or otherwise ignored for future models. An updated location confirmation model can be generated using the up-to-date wireless fingerprints.

Abstract: Disclosed deduplication techniques at a distributed data storage system guarantee that space reclamation will not affect deduplicated data integrity even without perfect synchronization between components. By understanding certain “behavioral” characteristics and schedule cadences of backup operations that generate backup copies received at the distributed data storage system, data blocks that are not re-written by subsequent backup copies are pro-actively aged, while promoting continued retention of data blocks that are re-written. An expiry scheme operates with block-level granularity. Each unique deduplicated data block is given an expiry timeframe based on the block's arrival time at the distributed data storage system (i.e., when a backup copy supplies the block) and further based on backup frequencies of the various virtual disks referencing a unique system-wide identifier of the block, which is based on the block's hash value. Communications between components are kept to an as-needed basis.

Abstract: Embodiments of an invention for protecting supervisor mode information are disclosed. In one embodiment, an apparatus includes a storage location, instruction hardware, execution hardware, and control logic. The storage location is to store an indicator to enable supervisor mode information protection. The instruction hardware is to receive an instruction to access supervisor mode information. The execution hardware is to execute the instruction. The control logic is to prevent execution of the instruction if supervisor mode information protection is enabled and a current privilege level is less privileged than a supervisor mode.

Abstract: The present application discloses a magnetic disk management method, an apparatus and an electronic device by providing an engine layer including a plurality of space files and an encapsulation layer including a file directory tree of a space file structure; where the engine layer responds to a data management operation performed for a target space file of the file directory tree output by the engine layer, and a target magnetic disk space corresponding to the target space files is determined through the address association list of the encapsulation layer, and data management is performed on the data in the target magnetic disk space. Thereby, different data can be isolated by different space files when entering through the engine layer, which ensures that security issues such as leakage of the data in the magnetic disk will not occur.

Abstract: An illustrative method includes a data protection system directing a storage system to generate recovery datasets over time in accordance with a data protection parameter set, the recovery datasets usable to restore data maintained by the storage system to a state corresponding to a selectable point in time, determining that the storage system is possibly being targeted by a security threat, and modifying, in response to the determining that the storage system is possibly being targeted by the security threat, the data protection parameter set for one or more of the recovery datasets.

Abstract: A hardware monitor arranged to detect out-of-bounds violations in a hardware design for an electronic device. The hardware monitors include monitor and detection logic configured to monitor the current operating state of an instantiation of the hardware design and detect when the instantiation of the hardware design implements a fetch of an instruction from memory; and assertion evaluation logic configured to evaluate one or more assertions that assert a formal property that compares the memory address of the fetched instruction to an allowable memory address range associated with the current operating state of the instantiation of the hardware design to determine whether there has been an out-of-bounds violation. The hardware monitor may be used by a formal verification tool to exhaustively verify that the hardware design does not cause an instruction to be fetched from an out-of-bounds address.

Abstract: There is provided a method and system for digital rights enforcement. The method includes: determining digital content requested by a user via a selected user device; determining digital rights associated with the digital content; reviewing the digital rights to determine access rights relating to authorized devices for the user; determining whether the user has exhausted the access rights; and if the access rights are exhausted: determining at least one use factor for each of the user's previously authorized user devices; determining a previously authorized user device on which to revoke access to the digital content based on the at least one use factor; and revoking access rights to the previously authorized user associated device; otherwise downloading the digital content on the selected user device. The system includes a content review module and a revoker module.

Abstract: Apparatuses and techniques are described for detecting and isolating defective blocks of memory cells in a multi-plane operation such as program or erase. In one aspect, a program operation begins in a multi-plane mode, for one block in each plane. If fewer than all blocks complete programming by the time a trigger number of program loops have been performed, one or more unpassed blocks are programmed further, one at a time, in a single plane mode. If the one or more unpassed blocks do not complete programming when a maximum allowable number of program loops have been performed, they are marked as bad blocks and disabled from further operations. In another aspect, when a trigger number of program loops have been performed, one or more unpassed blocks are subject to a word line leakage detection operation.

Abstract: An illustrative method includes a data protection system determining a first compressibility metric associated with write traffic processed by a storage system, the first compressibility metric indicating an amount of storage space saved if the write traffic is compressed; determining a second compressibility metric associated with read traffic processed by a storage system, the second compressibility metric indicating an amount of storage space saved if the read traffic is compressed; determining, based on a comparison of the first compressibility metric with the second compressibility metric, that the write traffic is less compressible than the read traffic; determining, based on the write traffic being less compressible than the read traffic, that the storage system is possibly being targeted by a security threat; and performing, based on the determining that the storage system is possibly being targeted by the security threat, a remedial action with respect to the storage system.

Abstract: An illustrative method includes a data protection system determining a delta metric between a first recovery dataset generated by a storage system at a first time and a second recovery dataset generated by the storage system at a second time subsequent to the first time and determining, based on the delta metric, whether data maintained by the storage system is possibly being targeted by a security threat.

Abstract: An illustrative method includes a storage system receiving attribute data representative of one or more attributes of a known attack against data maintained by a target system other than the storage system, updating an extensible attack monitoring process executed by the storage system with the attribute data, and monitoring, using the extensible attack monitoring process updated with the attribute data, storage operation requests of the storage system for one or more attributes that match the one or more attributes of the known attack.

Abstract: An illustrative method includes a data protection system detecting, for a storage system, a potential data corruption in the storage system, analyzing, in response to the detecting of the potential data corruption, one or more metrics of the storage system, and determining, based on the analyzing of the one or more metrics of the storage system, a corruption-free recovery point for potential use to recover from the potential data corruption.

Abstract: A method includes determining, by component of a memory sub-system, workload characteristics corresponding to a workload to be received by the memory sub-system. The method can further include dynamically altering a performance attribute of the memory sub-system based, at least in part, based on the determined workload characteristics.

Abstract: In an information management system that manages encrypted personal information on a user stored in a storage device, a personal information appropriateness/inappropriateness determination section determines whether or not the personal information stored in the storage device is appropriate when access permission information is received from a user terminal used by the user, the access permission information instructing that a requesting entity requesting the personal information be permitted to access the personal information. A personal information access management section enables the requesting entity to access the personal information stored in the storage device when it is determined by the personal information appropriateness/inappropriateness determination section that the personal information stored in the storage device is appropriate.

Abstract: A method and apparatus for performing access control of a memory device with aid of aggressor bit information are provided. The method includes: receiving a first host read command from a host device; sending a first read command to the NV memory in order to try reading first data from a first page; sending a second read command to the NV memory to obtain soft-decoding information and performing a first soft-decoding operation according to the soft-decoding information in order to try obtaining the first data from the first soft-decoding operation; reading multiple bits from at least one aggressor page to be the aggressor bit information; converting the soft-decoding information into adjusted soft-decoding information according to the aggressor bit information of the at least one aggressor page; and performing a second soft-decoding operation according to the adjusted soft-decoding information to obtain the first data from the second soft-decoding operation.

Abstract: An illustrative method includes a data protection system detecting a request to perform an operation with respect to a storage system, identifying one or more attributes of the request, determining, based on the one or more attributes, that the request is possibly related to a security threat against the storage system, and throttling, based on the determining that the request is possibly related to the security threat against the storage system, a performance of the operation.

Abstract: Example implementation described herein are directed to a mechanism to provision data volume which requires remote data copy between separated clusters, especially for the container platform. For a request to create a volume made to the clusters, example implementations can involve creating a first volume in a first cluster; obtaining volume information of a corresponding second volume from a second cluster; configuring the first volume and the corresponding second volume in the second cluster to have a remote copy relationship based on the obtained volume information; and setting access from the container to the first volume and the corresponding second volume based on the remote copy relationship.

Abstract: An integrated circuit including an input terminal and an output terminal, signal generator circuitry that generates a pseudo-random digital signal provided at the output terminal, and comparator circuitry that compares an input signal received via the input terminal with the pseudo-random digital signal for providing a tamper detection signal indicative thereof. The signal generator circuitry may be a pseudo-random binary sequence generator or may be a linear-feedback shift register with software triggered reloading. The comparator circuitry may include a Boolean logic exclusive-OR gate for comparing the output and input signals. A method of detecting tampering including generating and providing a pseudo-random digital signal at an output terminal and comparing an input signal received via an input terminal with the pseudo-random digital signal for providing a tamper detection signal indicative thereof.

Abstract: An engineering system for an industrial process automation system, wherein components of the industrial process automation system are each represented by a computer-based object within the engineering system and are continuously stored in an engineering database, where functions of the engineering system are made available as services via a standard service interface, process sequences and states for retrieving or processing objects stored in the engineering database are stored in an order database that is separate from the engineering database, and access to process sequences and states that are stored in the order database occurs via an order interface that is separate from the standard service interface.

Abstract: A computing device determines, for a first time period, a usage-based file list identifying one or more executable files. The computing device determines, for each of the one or more executable files identified by the usage-based file list, whether to perform a malware scan upon the executable file based on a cached record for the executable file. The computing device schedules, for execution during a preceding time period before the first time period, a malware scan for at least one of the one or more executable files based on the corresponding determination of whether to perform a malware scan. Each scheduled malware scan is initiated as a low priority thread for execution. The computing device performs each scheduled malware scan during the preceding time period.

Abstract: Disclosed is an electronic apparatus. The electronic apparatus includes: a non-volatile memory having no internal controller; and a controller configured to: control the non-volatile memory, and transmit, to the non-volatile memory, first data and a generated first message authentication code (MAC). Accordingly, it is possible to efficiently defend against a replay attack in a non-volatile memory having no internal controller.

Abstract: An embodiment includes deriving usage data associated with records of a database by monitoring requests to perform read operations on the records of the database. The embodiment generates record correlation data representative of correlations between respective groups of records of the database by parsing the usage data associated with the records of the database. The embodiment stores a plurality of records received as respective write requests during a first time interval in an intermediate storage medium. The embodiment identifies a correlation in the record correlation data between a first record of the plurality of records and a second record of the plurality of records. The embodiment selects, responsive to identifying the correlation, a first location in the database for writing the first record and a second location in the database for writing the second record based on a proximity of the first location to the second location.

Abstract: Various embodiments relate to a memory controller, including: a memory interface connected to a memory; an address and control logic connected to the memory interface and a command interface, wherein the address and control logic is configured to receive a memory read request; a read inline encryption engine (IEE) connected to the memory interface, wherein the read IEE is configured to decrypt encrypted data read from the memory; a key selector configured to determine a read memory region associated with the memory read request based upon a read address where the data to be read is stored, wherein the read address is received from the address and control logic; and a key logic configured to select a first key associated with the determined read memory region and provide the selected key to the read IEE.

Abstract: An example apparatus comprises a controller coupled to a non-volatile memory (NVM) device. The controller may be configured to cause a logical block address (LBA) to be stored in a first logical-to-physical (L2P) data structure in the NVM device and a physical block address (PBA) to be stored in a second L2P data structure in the NVM device The first L2P data structure and the second L2P data structure may have a same size associated therewith.

Abstract: A sample is received for analysis by a virtualized environment. A determination is made that the sample was compiled for a CPU architecture that is different from a host CPU architecture. The sample is executed in an emulated user space corresponding to the CPU architecture for which the sample was compiled. The emulated user space is provided by executing a user space emulation utility in a virtual machine that shares the host CPU architecture.

Abstract: A programmable crossbar matrix or an array of steering multiplexors (MUXs) coalesces (i.e., routes) the data values from multiple known “bad” bit positions within multiple symbols of a codeword, to bit positions within a single codeword symbol. The single codeword symbol receiving the known “bad” bit positions may correspond to a check symbol (vs. a data symbol). Configuration of the routing logic may occur at boot or initialization time. The configuration of the routing logic may be based upon error mapping information retrieved from system non-volatile memory (e.g., memory module serial presence detect information), or from memory tests performed during initialization. The configuration of the routing logic may be changed on a per-rank basis.

Abstract: Disclosed is a memory system including a controller configured to authenticate a user who inputs a request for discarding the memory system, to verify whether the request is valid when the user is authenticated as a legitimate user, to register discard activation of the memory system when the request is valid, and to transmit the request to a memory device; and the memory device configured to determine whether the transmitted request is valid, and to register the discard activation of the memory system when the request is valid.

Abstract: Methods and systems for enabling secure memory transactions in a memory controller are disclosed. Responsive to determining that an incoming request is for a secure memory transaction, the incoming request is placed in a secure request container. The memory container then enters a state where re-ordering between requests for secure memory transactions placed in the secure request container and requests for non-secure memory transactions from other containers is prevented in a scheduling queue.

Abstract: A processor comprising a processor pipeline comprising one or more execution units configured to execute branch instructions, a branch predictor associated with the processor pipeline and configured to predict a branch instruction prediction outcome, and the branch prediction unit. The branch predictor is turned off to save power and avoid miss-predictions when the branch predictor and/or branch prediction unit accuracy is lower than expected.

Abstract: Embodiments of the present disclosure relates to managing resources. The embodiment include receiving a first request from a first application to process first data using a target resource and a second request from a second application to process second data using the target resource and determining a first quantity and a second quantity based on the first request and the second request, the first quantity indicating an amount of data in the first data to be processed using the target resource, the second quantity indicating an amount of data in the second data to be processed using the target resource. The method further comprises causing the first application to process the first quantity of data in the first data using the target resource and causing the second application to process the second quantity of data in the second data using the target resource.

Abstract: Disclosed are embodiments for generating metadata files for composite datasets. In one embodiment, a method is disclosed comprising generating a tree representing a plurality of datasets; parsing the tree into an algebraic representation of the tree; identifying a plurality of terms in the algebraic representation, each term in the terms comprising at least two factors, each of the two factors associated with a dataset in the plurality of datasets; generating a metadata object of the plurality of terms; serializing the metadata object to generate serialized terms; and storing the serialized terms in a metadata file associated with the plurality of datasets.

Abstract: A system and method provide unstructured data to a client device based on permissions possessed by the device user and required by the data for access. Items of unstructured data stored in a data storage device are organized into data segments based on classifications assigned to them by their creators using a content management system. When a user later requests access to the data via a cloud-based service, such as a search service, the user privileges are converted into data segment identifiers which are then searched, and only the items of unstructured data that correspond to matching identifiers are returned. Data segment identifiers may be provided illustratively as a hash function to facilitate searching and to guarantee non-collision of data segment identifiers.

Abstract: Managing connectivity to synchronously replicated storage systems, including: identifying a plurality of storage systems across which a dataset is synchronously replicated; identifying a host that can issue I/O operations directed to the dataset; identifying a plurality of data communications paths between the host and the plurality of storage systems across which a dataset is synchronously replicated; identifying, from amongst the plurality of data communications paths between the host and the plurality of storage systems across which a dataset is synchronously replicated, one or more optimal paths; and issuing, to the host, an identification of the one or more optimal paths.

Abstract: A size associated with a content file is determined to be greater than a threshold size. In response to the determination, file metadata of the content file split and stored across a plurality of component file metadata structures. The file metadata of the content file specifies tree structure organizing data components of the content file and each component file metadata structure of the plurality of component file metadata structures stores a portion of the tree structure. A snapshot tree is updated to reference the plurality of component file metadata structures for the content file.

Abstract: A method for hot updating machine emulator including requesting specified memory which is used to store the virtual machine memory address and virtual machine status information and is not released when updating a machine emulator; restoring the virtual machine status information from the specified memory after the machine emulator is updated. Thus, the techniques of the present disclosure accelerate recovery speed and shorten updating time.

Abstract: An embodiment includes a system, comprising: a processor configured to: read a stride parameter from a device coupled to the processor; and map registers associated with the device into virtual memory based on the stride parameter; wherein: the stride parameter is configured to indicate a stride between the registers associated with the device; and the processor is configured to map at least one of the registers to user space virtual memory in response to the stride parameter.

Abstract: Disclosed herein are systems and method for anti-virus scanning of backup data at a centralized storage. In an exemplary aspect, a method may receive, at the centralized storage, a backup slice from each respective computing device in a plurality of computing devices, wherein the centralized storage comprises, for each respective computing device, a respective backup archive including a plurality of backup slices. The method may mount the received backup slice as a virtual disk. The method may detect, for the respective computing device, a change between the mounted virtual disk and any number of previous backup slices and may evaluate the change against behavioral rules to identify malicious behavior. In response to determining that the change exhibits malicious behavior, the method may execute a remediation action to prevent an attack on the plurality of computing devices or the centralized storage.

Abstract: The disclosure herein describes processing deletion requests using sequencing numbers with change feed updates. When a deletion occurs on the source data store, a deletion notification is created in a change feed on the source server. The deletion notification includes a set of deletion record IDs identifying a set of records to be deleted, a tombstone sequence number (TSN) identifying a sequence of the deletion notification within a set of deletion notifications and/or a deletion sequence number (DSN). The DSN is incremented by one each time a new deletion notification is created. A deletion notification can represent deletion of a single record or a set of records. Each deletion notification is assigned a time-to-live (TTL) value. The deletion notification is deleted at expiration of the TTL. The TSN and the DSN entries are used to determine whether any deletion updates have been missed to prevent silent failures.

Abstract: Embodiments of the present disclosure provide a method, a device and a computer program product for storage management. The method comprises: obtaining time information related to a removal time point for a backup storage system, the time information indicating that a chunk in the backup storage system whose expiration time does not exceed the removal time point is to be removed; determining, from a removal period list, a target removal period whose end time does not exceed the removal time point, each removal period in the removal period list being mapped to at least one chunk element, the at least one chunk element representing at least one chunk in the backup storage system whose expiration time is within the removal period to which the at least one chunk element is mapped; determining at least one target chunk element to which the target removal period is mapped; and removing, from the backup storage system, at least one target chunk corresponding to the at least one target chunk element.

Abstract: Provided is a process, including: accessing, with a processor of an embedded computing device, immutable executable code stored in read-only memory of the embedded computing device; executing, with the processor of the embedded computing device, instructions of the immutable executable code that retrieve, from the read-only memory, a network-layer address of a tamper-evident, immutable data repository and an application-layer address of firmware of the embedded computing device stored in the tamper-evident, immutable data repository; executing, with the processor of the embedded computing device, instructions of the immutable executable code that, using the network-layer address and the application-layer address, download the firmware of the embedded computing device from the tamper-evident, immutable data repository; and executing, with the processor of the embedded computing device, instructions of the immutable executable code that store the downloaded firmware in re-writeable memory of the embedded comput

Abstract: A combination default write-blocking system may include a host computer. The host computer may include at least one general storage device storing program instructions for a blocking driver assembly and a host processor configured as the blocking driver assembly while executing the program instructions for the blocking driver assembly. A connection interface device physically separate from the host processor, and the connection interface device is configured to be operatively coupled to the host processor and to a protected storage device physically separate from the general storage device, receive a communication from the blocking driver assembly, and establish communication between the protected storage device and the host processor after receiving the communication from the blocking driver assembly. The blocking driver assembly is further configured to communicate with the connection interface device and conditionally allow a host computer process to alter data stored on the protected storage device.

Abstract: A data-processing device is provided. The data-processing device includes: a flash memory, a computation unit, and a flash-memory controller. The flash-memory controller is electrically connected to the computation unit, and configured to control access to the flash memory. The flash-memory controller allocates a first execute-only memory (XOM) setting and a second XOM setting in a first memory bank and a second memory bank of the flash memory, respectively. The flash-memory controller allocates one or more XOM spaces in the flash memory according to the first XOM setting or the second XOM setting.

Abstract: An electronic device is provided. A storage device includes a memory device and a memory controller. The memory device includes a write protection area. The memory controller controls the memory device to perform a read operation on the write protection area, in response to a series of requests regarding security read that are received from a host, provides read data received from the memory device to the host, and generates a device authentication code based on the read data. The memory controller performs generation of the device authentication code in parallel with provision of the read data to the host.

Abstract: Systems and methods are described for encrypting a swap file in a computer system. The swap file can be encrypted by a background process executing on the computer system. Processing of paging swapping operations occurs independently and separately of the background encryption of the swap file. Processing a page swapping operation can include decrypting or encrypting data to be swapped involved in the paging operation depending on the paging operation and whether or not the data to be swapped is encrypted or not.

Abstract: In one embodiment, a system on chip includes a dynamic voltage and frequency scaling (DVFS) power supply, a secure environment, a non-secure environment, and a power supply management control module. The secure environment is configured to generate a secure instruction defining a permitted operating point of voltage and frequency for the DVFS power supply. The non-secure environment is configured to generate a request to modify the DVFS power supply, where the request to modify includes a voltage-frequency operating point. The power supply management control module is configured to scale the DVFS power supply to the permitted operating point, in response to the request to modify the DVFS power supply.

Abstract: A device implementing purgeable memory mapped files includes at least one processor configured to receive a first request to store a first data object in volatile memory in association with a copy of the first data object stored in non-volatile memory, the first request indicating to lock the copy in the non-volatile memory. The processor is further configured to provide for storing the first data object in the volatile memory, and lock the copy stored in the non-volatile memory. The processor is further configured to receive a second request associated with clearing a portion of the non-volatile memory, provide an indication that a second data object is available for deletion from the non-volatile memory when the first data object is locked, and provide an indication that the first data object is available for deletion from the non-volatile memory when the first data object has been unlocked.

Abstract: A method for determining validity of a code of an application. The method is implemented within an electronic device having a processor, a non-secure memory and a secure memory. The method includes at least one iteration of: loading the application in the non-secure memory, delivering a current application code; determining a current footprint of the current application code; obtaining, within the secure memory, a reference footprint associated with the application; comparing the current footprint with the reference footprint; and when the current footprint is identical to the reference footprint, validating the current application code, including: executing an optimization process of the current application code, delivering an optimized application code; determining a post-optimization footprint of the optimized application code; and recording the post-optimization footprint in the secure memory as a new reference footprint associated with the application.

Abstract: A method, computer program product, and computing system for receiving, at a host computing device, a request to copy data from a source Non-Volatile Memory Express (NVMe) namespace directly accessible by a source storage controller to a destination NVMe namespace directly accessible by a destination storage controller and may determine whether the destination storage controller can directly access the source NVMe namespace. In response to determining that the destination storage controller cannot directly access the source NVMe namespace, a first identifier associated with the data may be generated via the source storage controller. The first identifier may be provided to the host computing device. A data handle associated with the first identifier may be generated via the destination storage controller. The data may be copied, via the destination storage controller, from the source NVMe namespace to the destination NVMe namespace based upon, at least in part, the data handle.

Abstract: Examples of the present disclosure are related to systems and methods for assuring integrity of operating system and software components at runtime. More specifically, embodiments are directed towards a hardware module configured to monitor a kernel start and drivers being loaded into the kernel, and to continually scan the kernel and drivers for undesired modification after load. Further embodiments extend the monitoring capability to userspace processes.

Abstract: Techniques are disclosed relating to specifying memory consistency constraints. In some embodiments, an instruction may specify, for a memory operation, a type of memory consistency and a scope at which to enforce the type of consistency. For example, these fields may specify whether to sequence memory accesses relative to the operation at one or more of multiple different cache levels based on the type of memory consistency and the scope.