Access Limiting Patents (Class 711/163)
  • Patent number: 10705976
    Abstract: Examples include a processor including at least one untrusted extended page table (EPT), circuitry to execute a set of instructions of the instruction set architecture (ISA) of the processor to manage at least one secure extended page table (SEPT), and a physical address translation component to translate a guest physical address of a guest physical memory to a host physical address of a host physical memory using one of the at least one untrusted EPT and the at least one SEPT.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: July 7, 2020
    Assignee: Intel Corporation
    Inventors: Ravi Sahita, Barry E. Huntley, Vedvyas Shanbhogue, Dror Caspi, Baruch Chaikin, Gilbert Neiger, Arie Aharon, Arumugam Thiyagarajah
  • Patent number: 10701082
    Abstract: A method and system for operating an application with multiple modes are described. A plurality of applications may be presented to a user on a mobile device and one of the displayed applications may be selected. The selected application may have one or more contexts that are determined based on one or more operational parameters. For example, a context for the selected application may be that the application is configured to access an enterprise account. Based on the context, the selected application may be run on the mobile device in one of a plurality of operation modes. The operation modes may comprise managed, unmanaged, and partially managed modes, among others.
    Type: Grant
    Filed: September 11, 2019
    Date of Patent: June 30, 2020
    Assignee: Citrix Systems, Inc.
    Inventors: Zhongmin Lang, Gary Barton
  • Patent number: 10698854
    Abstract: A system architecture is provided and includes first and second processing units respectively communicative with an on-chip coherency unit and an accelerator communicative with the on-chip coherency unit. The accelerator is configured to execute an operation responsive to a call issued by one of the first and second processing units. The first processing unit is configured to set an asynchronous operation flag (AOF) to indicate that the second processing unit is to conduct an operation for the first processing unit. The second processing unit is configured to respond to the AOF by building scatter gather lists and subsequently issuing the call and feeding the scatter gather lists to the accelerator to facilitate execution of the operation by the accelerator.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: June 30, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Simon Weishaupt, Matthias Klein, Stefan Usenbinz, Anthony Thomas Sofia
  • Patent number: 10691482
    Abstract: A data processing system with technology to secure a VMCS comprises random access memory (RAM) and a processor in communication with the RAM. The processor comprises virtualization technology that enables the processor to (a) execute host software in root mode and (b) execute guest software from the RAM in non-root mode in a virtual machine (VM) that is based at least in part on a virtual machine control data structure (VMCDS) for the VM. The processor also comprises a root security profile to specify access restrictions to be imposed when the host software attempts to read the VMCDS in root mode. Other embodiments are described and claimed.
    Type: Grant
    Filed: August 22, 2018
    Date of Patent: June 23, 2020
    Assignee: Intel Corporation
    Inventors: Kai Cong, Karanvir Grewal, David M. Durham
  • Patent number: 10691506
    Abstract: Systems and methods for managing locks in a data acquisition system with a distributed data storage are disclosed. In embodiments, a storage node of a data acquisition system with a plurality of storage nodes receives a request for an unprocessed event, where portions of the event data are stored across the plurality of storage nodes. One node of the plurality of nodes holds the lock value for the event. The node receiving the request searches for an event where it stores the lock value that is unlocked. If none is found, the node receiving the request forwards the request to a second node, which repeats the search.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: June 23, 2020
    Assignee: Intel Corporation
    Inventors: Grzegorz Jereczek, Jakub Radtke, Pawel Makowski, Maciej Maciejewski, Pawel Lebioda, Piotr Pelplinski, Aleksandra Wisz
  • Patent number: 10685126
    Abstract: A method for operating a secure storage device with a non-volatile memory on a computer system which executes multiple operating system instances. The non-volatile memory comprises one or more domains which are used by the operating system instances. A separate trusted key entry system is used to configure secret data of an operating system instance stored in the non-volatile memory. The method comprises setting a domain to either secure or non-secure mode; generating a unique identifier of the operating system instance; generating a secure hash for the operating system instance; and storing the secure hash in the domain.
    Type: Grant
    Filed: January 22, 2018
    Date of Patent: June 16, 2020
    Assignee: International Business Machines Corporation
    Inventors: Jakob C. Lang, Joerg Schmidbauer, Klaus Werner
  • Patent number: 10684782
    Abstract: One example method includes receiving an IO associated with a process initiated by an application, where the IO is identified by a tag that corresponds to the process. The method further includes saving the tag on a device that is an element of a storage group (SG) that is specific to the application, and correlating the tag with a data protection process that is associated with the application. When a request is received to perform an SG protection process, the SG protection process is performed on the tagged device.
    Type: Grant
    Filed: August 2, 2018
    Date of Patent: June 16, 2020
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Arieh Don, Jehuda Shemer, Yaron Dar
  • Patent number: 10664183
    Abstract: A system includes a processor and memory including one or more memory region groups, each including a plurality of distinct memory regions. In embodiments, each memory region of a particular memory region group has a same set of memory attributes and is associated with a same attribute group identifier (AGI). In response to an access request to a memory location of a memory region within the particular memory region group, the AGI may be used to identify the set of memory attributes to be applied when executing the access request. In response to a request to change one or more memory attributes of the particular memory region group, update of a single entry changes the memory attributes for all memory regions of the particular memory region group, without accessing individual metadata of each memory region. The update can be accomplished atomically and substantially simultaneously.
    Type: Grant
    Filed: June 21, 2017
    Date of Patent: May 26, 2020
    Assignee: Oracle International Corporation
    Inventors: David L. Weaver, John R. Rose
  • Patent number: 10664392
    Abstract: The present invention discloses a method and device for managing a storage system. Specifically, in one embodiment of the present invention there is proposed a method for managing a storage system, the method comprising: dividing a stripe included in a storage array in the storage system into a group of blocks; in response to receiving an allocation request for a storage space in the storage system, determining a space size associated with the allocation request; and building a repository based on one or more blocks selected from the group which match the space size, the repository being defined using an address mapping including addresses of the one or more blocks in the storage system. In one embodiment of the present invention there is proposed a device for managing a storage system.
    Type: Grant
    Filed: December 20, 2017
    Date of Patent: May 26, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Xinlei Xu, Jian Gao, Lifeng Yang, Yousheng Liu, Changyu Feng
  • Patent number: 10664589
    Abstract: A memory alignment randomization method of a memory heap exploit is provided, in which memory alignment of objects inside a heap area is randomly performed to mitigate the exploits of the vulnerability of the software memory heap area. The heap exploit is powerfully mitigated by aligning randomly obtained memory addresses instead of aligning memory addresses at multiples of 4 or 8 when the memory alignment is performed for the objects inside the heap area.
    Type: Grant
    Filed: April 12, 2017
    Date of Patent: May 26, 2020
    Assignee: Korea Advanced Institute of Science and Technology
    Inventors: Brent ByungHoon Kang, Daehee Jang, Minsu Kim, Jonghwan Kim, Daegyeong Kim, Hojoon Lee
  • Patent number: 10649915
    Abstract: The present disclosure relates to a disaggregated computing architecture comprising: a first compute node (302) comprising an interconnect interface (310); an accelerator node (304) comprising a physical device (402); and an interconnection network (308) linking the first compute node (302) and the accelerator node (304), wherein: the first compute node (302) executes a host operating system (410) and instantiates a first virtual machine (VM) executing a guest device driver (406) for driving the physical device; one or more input registers of the physical device are accessible via a first uniform physical address range (upa_a_devctl) of the interconnection network (308); and the interconnect interface (310) of the first compute node (302) is configured to map a host physical address range (hpa_c_devctl) of the host operating system (410) to the first uniform physical address range (upa_a_devctl).
    Type: Grant
    Filed: October 28, 2018
    Date of Patent: May 12, 2020
    Assignee: VIRTUAL OPEN SYSTEMS
    Inventors: Maciej Bielski, Alvise Rigo, Michele Paolino, Salvatore Daniele Raho
  • Patent number: 10642534
    Abstract: A data storage device includes a nonvolatile memory device; and a controller suitable for controlling the nonvolatile memory device through a command, the controller comprising a memory controller including a queue which includes multiple slots, each of the multiple slots being mapped to one type among a plurality of types of the command, and suitable for processing a descriptor for the command enqueued to the queue to generate the command; and a processor suitable for requesting one slot of the multiple slots mapped to one type among the plurality of types of the command, to the memory controller, and enqueuing, when allocated with the one slot, the descriptor for the command, to the one slot.
    Type: Grant
    Filed: July 7, 2017
    Date of Patent: May 5, 2020
    Assignee: SK hynix Inc.
    Inventor: Dong Jae Shin
  • Patent number: 10635481
    Abstract: Some embodiments of the present invention include a method comprising: accessing units of network storage that encode state data of respective virtual machines, wherein the state data for respective ones of the virtual machines are stored in distinct ones of the network storage units such that the state data for more than one virtual machine are not commingled in any one of the network storage units.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: April 28, 2020
    Assignee: VMware, Inc.
    Inventors: Daniel K. Hiltgen, Rene W. Schmidt
  • Patent number: 10635327
    Abstract: Apparatuses, systems, and methods are disclosed for data availability during temporary inaccessibility of a memory region for memory. An apparatus may include a plurality of memory elements and a controller. A controller may be configured to identify a portion of memory of a plurality of memory elements such that data stored in a portion of memory is temporarily inaccessible and other data stored in other portions of memory in the plurality of memory elements is accessible. A controller may be configured to reconstruct data stored in a portion of memory from other data stored in other portions of memory. A controller may be configured to provide reconstructed data while a portion of an array is temporarily inaccessible.
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: April 28, 2020
    Assignee: WESTERN DIGITAL TECHNOLOGIES, INC.
    Inventors: Daniel Helmick, Yuheng Zhang, Mai Ghaly, Yibo Yin, Hao Su, Kent Anderson
  • Patent number: 10628299
    Abstract: A storage system in one embodiment comprises a plurality of storage devices and a storage controller. The storage controller is configured to receive a plurality of logical addresses. Each logical address has one of a content-based mapping type and an address-based mapping type. Responsive to a first logical address of the plurality of logical addresses having the content-based mapping type, the storage controller is configured to utilize a content-based mapping generated based on content of a data page associated with the first logical address to identify a corresponding physical address. Responsive to a second logical address of the plurality of logical addresses having the address-based mapping type, the storage controller is configured to utilize an address-based mapping generated based on the second logical address to identify a corresponding physical address.
    Type: Grant
    Filed: March 15, 2019
    Date of Patent: April 21, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Zvi Schneider, Amitai Alkalay, Assaf Natanzon
  • Patent number: 10621101
    Abstract: An overlay of a file-based write filter can be freed up to thereby minimize the likelihood that the overlay will become full and force a system reboot. An overlay-managing write filter can be employed in conjunction with the file-based write filter to monitor files that are stored in the overlay and move files that are not currently being accessed. If a request is made to access a moved file, the overlay-managing write filter can modify the request so that it targets the location of the moved file rather than the location of the original file on the protected volume. In this way, the fact that modified files are being moved from the overlay but not discarded can be hidden from the file-based write filter. As a result, the effective size of the overlay will be increased while still allowing the file-based write filter to function in a normal fashion.
    Type: Grant
    Filed: February 1, 2017
    Date of Patent: April 14, 2020
    Assignee: Wyse Technology L.L.C.
    Inventors: Salil S Joshi, Puneet Kaushik
  • Patent number: 10592435
    Abstract: In one embodiment, an apparatus includes: at least one core to execute instructions, the at least one core formed on a semiconductor die; a first memory formed on the semiconductor die, the first memory comprising a non-volatile random access memory, the first memory to store a first entry to be a monotonic counter, the first entry including a value field and a status field; and a control circuit, wherein the control circuit is to enable access to the first entry if the apparatus is in a secure mode and otherwise prevent the access to the first entry. Other embodiments are described and claimed.
    Type: Grant
    Filed: July 14, 2016
    Date of Patent: March 17, 2020
    Assignee: Intel Corporation
    Inventors: Prashant Dewan, Siddhartha Chhabra, David M. Durham, Karanvir S. Grewal, Alpa T. Narendra Trivedi
  • Patent number: 10585810
    Abstract: A method of protecting software for embedded applications against unauthorized access is disclosed. Software to be protected is loaded into a protected memory area and access to the protected memory area is controlled by sentinel logic circuitry. The sentinel logic circuitry allows access to the protected memory area only either from within the protected memory area or from outside of the protected memory area but through a dedicated memory location within the protected memory area. The dedicated memory location then points to protected address locations within the protected memory area.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: March 10, 2020
    Assignee: TEXAS INSTRUMENTS INCORPORATED
    Inventor: Johann Zipperer
  • Patent number: 10581737
    Abstract: A method and apparatus for accelerating data routing between applications of an application group are disclosed. In the method and apparatus, a host computer system receives registration information from a first computer system instantiated on the host computer system, whereby the registration information indicates whether a first application is executed on the first computer system. In response to a request from a second computer system that is instantiated on the host computer system to route data to the first application, the host computer system routes the data to the first computer system, whereby the internal routing of the data is determinable by the first computer system.
    Type: Grant
    Filed: June 20, 2014
    Date of Patent: March 3, 2020
    Assignee: Amazon Technologies, Inc.
    Inventor: Nicholas Alexander Allen
  • Patent number: 10581858
    Abstract: A Network Attached Storage (NAS) apparatus to provide network-based data storage for client computing devices (e.g., in a local area network). One or more file-based logical storage area (LSA) shares are created in memory of the NAS apparatus, wherein each file-based LSA share originally is configured as one of “private access” (only certain users have access to a private file-based LSA share) or “public access” (any user on the LAN that can access the NAS appliance can also access the public file-based LSA share). At some later time, the file-based LSA share may be reconfigured to go from private-to-public access or public-to-private access (each file-based LSA share has a “reversible privacy setting”). In one example, object permissions for each object (file or folder) already stored on the LSA share prior to the access reconfiguration are updated on an object-by-object basis to ensure appropriate access to all legacy objects after the access reconfiguration.
    Type: Grant
    Filed: April 1, 2016
    Date of Patent: March 3, 2020
    Assignee: Datto, Inc.
    Inventors: John Fury Christ, Austin McChord
  • Patent number: 10572687
    Abstract: A microprocessor computer system for secure/high assurance/safety critical computing includes a hardware subsystem having a plurality of cache controller and cache bank modules including cache bank and memory cell hardware permission bits for managing and controlling access to system resources. A computer security framework subsystem includes a hierarchy of access layers comprising top layers and lower layers. The permission bits provide hardware level computer security primitives for a computer operating system. The top layers are completely trusted and the lower layers are moderately trusted to completely untrusted. The top layers include a trusted operating system layer that executes management and control of the system resources and permission bits. The permission bits define limits for a hardware execution security mechanism for less trusted to completely untrusted software.
    Type: Grant
    Filed: March 30, 2017
    Date of Patent: February 25, 2020
    Assignee: America as represented by the Secretary of the Army
    Inventor: Patrick W. Jungwirth
  • Patent number: 10565132
    Abstract: In various implementations, a system includes a memory, a processor, and an execution-aware memory protection unit (EA-MPU). The EA-MPU is configured to regulate memory access by the processor based at least on the identity of a subject executable that requests access, and on the address to which access is requested, and on permissions information that identifies which subject executables are to be granted access to each of several memory regions. In various implementations, the permissions information itself is stored among the several memory regions. Various configurations of the permissions information can be used to provide shared memory regions for communication among two or more stand-alone trusted software modules, to protect access to devices accessible through memory-mapped I/O (MMIO), to implement a flexible watchdog timer, to provide security for software updates, to provide dynamic root of trust measurement services, and/or to support an operating system.
    Type: Grant
    Filed: July 17, 2017
    Date of Patent: February 18, 2020
    Assignee: Intel Corporation
    Inventors: Steffen Schulz, Patrick Koeberl
  • Patent number: 10558573
    Abstract: A memory request, including an address, is accessed. The memory request also specifies a type of an operation (e.g., a read or write) associated with an instance (e.g., a block) of data. A group of caches is selected using a bit or bits in the address. A first hash of the address is performed to select a cache in the group. A second hash of the address is performed to select a set of cache lines in the cache. Unless the operation results in a cache miss, the memory request is processed at the selected cache. When there is a cache miss, a third hash of the address is performed to select a memory controller, and a fourth hash of the address is performed to select a bank group and a bank in memory.
    Type: Grant
    Filed: September 11, 2018
    Date of Patent: February 11, 2020
    Assignee: Cavium, LLC
    Inventors: Richard E. Kessler, David Asher, Shubhendu S. Mukherjee, Wilson P. Snyder, II, David Carlson, Jason Zebchuk, Isam Akkawi
  • Patent number: 10552602
    Abstract: A system, method and computer-readable storage medium with instructions for operating a processor of an electronic device to protect against unauthorized manipulation of the code pointer by maintaining and updating a code pointer complement against which the code pointer may be verified. Other systems and methods are disclosed.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: February 4, 2020
    Assignee: Thales Dis France SA
    Inventor: Lance Hannen-Williams
  • Patent number: 10534558
    Abstract: A storage array uses paged metadata. Each storage director has access to a plurality of object storage systems which describe locations of paged metadata in backing storage. Each object storage system includes different types of inodes which describe objects in backing storage. The object storage systems are used to locate and relocate metadata for loading into global memory, and creation and deletion of objects. An object storage system may be selected based on factors including ratio of different inode types, locality of object usage and anticipated object activity level.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: January 14, 2020
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Philip Miloslavsky, Matthew David Ivester, David Shadmon, Jeffrey Held, Andrew Chanler
  • Patent number: 10528490
    Abstract: An apparatus and method are provided for managing bounded pointers. The apparatus has processing circuitry to execute a sequence of instructions, and a plurality of storage elements accessible to the processing circuitry, for storage of bounded pointers and non-bounded pointers. Each bounded pointer has explicit range information associated therewith indicative of an allowable range of memory addresses when using the bounded pointer. A current range check storage element is then used to store a current range check state for the processing circuitry. When the current range check state indicates a default state, the processing circuitry is responsive to execution of a memory access instruction identifying a pointer to be used to identify a memory address, to perform a range check operation to determine whether access to that memory address is permitted.
    Type: Grant
    Filed: October 19, 2016
    Date of Patent: January 7, 2020
    Assignee: ARM Limited
    Inventor: Graeme Peter Barnes
  • Patent number: 10521241
    Abstract: An added security feature on a mobile device to require an owner or an authorized user of the mobile device to provide a shutdown password to power off the mobile device is disclosed. The shutdown password is configured and set by the owner or the authorized user and stored internally in a data storage device of the mobile device. When so configured, the mobile device triggers a shutdown password input field to be displayed on the mobile device screen. The user of the mobile device must provide the shutdown password in order to power off the mobile device, thereby preventing unauthorized powering off of the mobile device and associated GPS and internal communications circuitry of the mobile device, allowing the mobile device to be tracked in the event of an emergency or when the mobile device is lost or stolen.
    Type: Grant
    Filed: April 27, 2017
    Date of Patent: December 31, 2019
    Inventor: Long Van Ha
  • Patent number: 10521219
    Abstract: An update processing method executed by a processor included in an update processing apparatus, the update processing method includes storing, in a memory, update information that is updated in accordance with update processing executed by using information called from another computer in accordance with accepted request information, the update information regarding a frequency of the call, and response information that is used for response to the request information; when the request information corresponding to the update processing is accepted, determining in accordance with the update information whether to transmit the response information stored in the memory as a response to the request information to a transmission source of the request information; and transmitting the response information selected in accordance with a result of the determination to the transmission source.
    Type: Grant
    Filed: April 18, 2018
    Date of Patent: December 31, 2019
    Assignee: FUJITSU LIMITED
    Inventor: Shinya Kitajima
  • Patent number: 10516672
    Abstract: A system provides cloud-based identity and access management. The system receives a request for an identity management service, authenticates the request, and forwards the request to a microservice configured to perform the identity management service, where the microservice is implemented by a microservice virtual machine provisioned by a provisioning framework, and the forwarding is according to routing information configured based on metadata information stored in a registry by the provisioning framework. The system then performs the identity management service by the microservice.
    Type: Grant
    Filed: May 31, 2017
    Date of Patent: December 24, 2019
    Assignee: Oracle International Corporation
    Inventors: Lokesh Gupta, Vadim Lander
  • Patent number: 10509736
    Abstract: An input-output (IO) memory management unit (IOMMU) uses a reverse map table (RMT) to ensure that address translations acquired from a nested page table are correct and that IO devices are permitted to access pages in a memory when performing memory accesses in a computing device. A translation lookaside buffer (TLB) flushing mechanism is used to invalidate address translation information in TLBs that are affected by changes in the RMT. A modified Address Translation Caching (ATC) mechanism may be used, in which only partial address translation information is provided to IO devices so that the RMT is checked when performing memory accesses for the IO devices using the cached address translation information.
    Type: Grant
    Filed: April 10, 2018
    Date of Patent: December 17, 2019
    Assignee: ADVANCED MICRO DEVICES, INC.
    Inventors: Nippon Raval, David A. Kaplan, Philip Ng
  • Patent number: 10504046
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to method and process management, and provide a data processing system, method, and computer program product for dynamic binding of a capability pattern to multiple processes in a method architecture. In accordance with an embodiment of the present invention, a data processing system configured for dynamic binding of process patterns can include a method management tool. The method management tool can include program code enabled both to compose a capability pattern comprised of at least one activity defined by a plurality of nested and descriptors for source method elements, and to bind an extension activity to the capability pattern in a process model without replicating the activity of the capability pattern in the process pattern.
    Type: Grant
    Filed: November 25, 2015
    Date of Patent: December 10, 2019
    Assignee: International Business Machines Corporation
    Inventors: J. Todd Fredrickson, Peter Haumer
  • Patent number: 10496311
    Abstract: A guarded storage facility sets up a boundary indicating a range of addresses to be guarded or protected. When a program attempts to access an address in a guarded section defined by the boundary, a guarded storage event occurs. Use of this facility facilitates performance of certain tasks within a computing environment, including storage reclamation.
    Type: Grant
    Filed: January 19, 2017
    Date of Patent: December 3, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Dan F. Greiner, Christian Jacobi, Anthony Saporito, Chung-Lung K. Shum, Timothy J. Slegel
  • Patent number: 10489057
    Abstract: A clock mode configuration circuit for a memory device is described. A memory system includes any number of memory devices serially connected to each other, where each memory device receives a clock signal. The clock signal can be provided either in parallel to all the memory devices or serially from memory device to memory device through a common clock input. The clock mode configuration circuit in each memory device is set to a parallel mode for receiving the parallel clock signal, and to a serial mode for receiving a source synchronous clock signal from a prior memory device. Depending on the set operating mode, the data input circuits will be configured for the corresponding data signal format, and the corresponding clock input circuits will be either enabled or disabled. The parallel mode and the serial mode are set by sensing a voltage level of a reference voltage provided to each memory device.
    Type: Grant
    Filed: November 8, 2018
    Date of Patent: November 26, 2019
    Assignee: Conversant Intellectual Property Management Inc.
    Inventors: Peter B. Gillingham, Graham Allan
  • Patent number: 10489332
    Abstract: A system includes a non-programmable bus master. The non-programmable bus master includes a memory protection unit (MPU) to operate in a first configuration with a first set of access permissions and a second configuration with a second set of access permissions, and hardware logic. The hardware logic executes a first task and a second task. The tasks generate transactions and the hardware logic switches between executing the first and second tasks. The hardware logic also causes the MPU to operate in the first configuration when the hardware logic executes the first task and causes the MPU to operate in the second configuration when the hardware logic executes the second task.
    Type: Grant
    Filed: August 30, 2013
    Date of Patent: November 26, 2019
    Assignee: TEXAS INSTRUMENTS INCORPORATED
    Inventors: Balatripura Sodemma Chavali, Karl Friedrich Greb, Rajeev Suvarna
  • Patent number: 10474824
    Abstract: Unauthorized code may be stored as data in a data volume of a firmware volume. To prevent or block execution of the unauthorized code, the firmware file system (FFS) file that includes the unauthorized code may be tagged, marked or deleted according to a system BIOS policy. These corrupted FFS files are thus blocked from execution during initialization or a boot process of a basic input/output system (BIOS) firmware as they are not published or enumerated to an execution list of the BIOS firmware.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: November 12, 2019
    Assignee: Dell Products L.P.
    Inventors: Balasingh Samuel, Walter Phillips, Richard Tonry
  • Patent number: 10476885
    Abstract: A method and system for operating an application with multiple modes are described. A plurality of applications may be presented to a user on a mobile device and one of the displayed applications may be selected. The selected application may have one or more contexts that are determined based on one or more operational parameters. For example, a context for the selected application may be that the application is configured to access an enterprise account. Based on the context, the selected application may be run on the mobile device in one of a plurality of operations modes. The operation modes may comprise managed, unmanaged, and partially managed modes, among others.
    Type: Grant
    Filed: March 1, 2016
    Date of Patent: November 12, 2019
    Assignee: Citrix Systems, Inc.
    Inventors: Zhongmin Lang, Gary Barton
  • Patent number: 10459653
    Abstract: A storage system according to the present invention includes a first storage device configured to receive a command from a command issuing apparatus, a second storage device configured to manage target data of the command, and a third storage device configured to form a copy pair with the second storage device for the target data and store the target data. When the target data is forwarded from the first storage device to the third storage device through the second storage device and stored in the third storage device, the second storage device stores the target data therein so that the target data is redundantly stored in the second storage device and the third storage device.
    Type: Grant
    Filed: March 1, 2016
    Date of Patent: October 29, 2019
    Assignee: HITACHI LTD.
    Inventors: Masahiro Ide, Osamu Torigoe, Shinichi Kasahara
  • Patent number: 10452817
    Abstract: Applications running in an API-proxy-based emulator are prevented from infecting a PC's hard disk when executing file I/O commands. Such commands are redirected to an I/O redirection engine instead of going directly to the PC's normal operating system where they can potentially harm files on the hard disk. The redirection engine executes the file I/O command using a private storage area in the hard disk that is not accessible by the PC's normal operating system. If a file that is the subject of a file I/O command from an emulated application is not in the private storage area, a copy is made from the original that is presumed to exist in the public storage area. This copy is then acted on by the command and is stored in the private storage area, which can be described as a controlled, quarantined storage space on the hard disk. In this manner the PC's (or any computing device's) hard disk is defended from potential malware that may originate from applications running in emulated environments.
    Type: Grant
    Filed: April 8, 2009
    Date of Patent: October 22, 2019
    Assignee: TREND MICRO INC
    Inventors: Sun Mingyan, Lo Chien Ping, Fan Chi-Huang
  • Patent number: 10438664
    Abstract: A non-volatile memory device uses physical authentication to enable the secure programming of a boot partition, when the boot partition is write protected. This physical authentication can also be used to enable other features/functions.
    Type: Grant
    Filed: February 17, 2017
    Date of Patent: October 8, 2019
    Assignee: Western Digital Technologies, Inc.
    Inventors: Rotem Sela, Miki Sapir, Enosh Levi
  • Patent number: 10402374
    Abstract: Embodiments of the disclosure provide techniques for managing a log-structured solid state drive (SSD) format in a distributed storage system. SSDs in the distributed storage system maintain a journal of logical changes to storage objects to persist prepared and committed changes in the latency path. The journal includes metadata entries that describe changes and reference data pages. Dense data structures (such as a logical block addressing table) index the metadata entries. To reduce the amount of overhead in I/O operations, the distributed storage system maintains the dense data structures in memory rather than on disk.
    Type: Grant
    Filed: August 26, 2014
    Date of Patent: September 3, 2019
    Assignee: VMware, Inc.
    Inventors: William Earl, Christos Karamanolis, Kiran Joshi
  • Patent number: 10402564
    Abstract: A computer-implemented method for analyzing operations of privilege changes is presented. The computer-implemented method includes inputting a program and performing source code analysis on the program by generating a privilege control flow graph (PCFG), generating a privilege data flow graph (PDFG), and generating a privilege call context graph (PCCG). The computer-implemented method further includes, based on the source code analysis results, instrumenting the program to perform inspections on execution states at privilege change operations, and performing runtime inspection and anomaly prevention.
    Type: Grant
    Filed: June 15, 2017
    Date of Patent: September 3, 2019
    Assignee: NEC Corporation
    Inventors: Junghwan Rhee, Yuseok Jeon, Zhichun Li, Kangkook Jee, Zhenyu Wu, Guofei Jiang
  • Patent number: 10394576
    Abstract: To enable a fast configuration of a control or of a total plant, a control for the safe control of at least one machine is provided having at least one input unit for receiving input signals from at least one signal generator; having at least one output unit for outputting output signals to the at least one machine; having a control unit for generating the output signals in dependence on the input signals; and having a connection unit having at least one connection socket for connecting an external input device that can be used for configuring the control, wherein the connection unit has at least one connection terminal for connecting the signal generators and/or the machine and is separable from the control and wherein the connection socket can be removed from the connection unit or from the control and comprises a memory with configuration data of the control.
    Type: Grant
    Filed: October 13, 2017
    Date of Patent: August 27, 2019
    Assignee: SICK AG
    Inventor: Markus Saumer
  • Patent number: 10379745
    Abstract: A system and method of enabling simultaneous kernel mode access and user mode access to an NVMe device using the NVMe interface are disclosed. The method includes creating a first set of queue(s) by at least reserving a first range of memory addresses in the kernel space; providing a location address and size of the first set of queues to a controller of the NVMe device; receiving a request for user mode access from a user application process running on the host computer system; and performing the following in response to receiving the request for user mode access: creating a second set of queue(s) by at least reserving a second range of memory addresses mapped for use by the user application process, and providing a location address and size of the second set of queues to the user application process and the controller of the NVMe device.
    Type: Grant
    Filed: October 19, 2016
    Date of Patent: August 13, 2019
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Konstantin Vyshetsky, Carlos Olle Francisco, Manoj Guthula
  • Patent number: 10372669
    Abstract: A respective volatility attribute associated with each of one or more tables of a computerized database is used to determine circumstances under which a page of table data is paged out of memory, by preferentially retaining pages from volatile database tables in memory. Various optional additional uses of a volatility attribute to manage a database are disclosed. Preferably, database parameters are automatically monitored over time and database table volatility state is automatically determined and periodically adjusted.
    Type: Grant
    Filed: December 10, 2014
    Date of Patent: August 6, 2019
    Assignee: International Business Machines Corporation
    Inventors: Rafal P. Konik, Roger A. Mittelstadt, Brian R. Muras, Mark W. Theuer
  • Patent number: 10365838
    Abstract: An N-way merge technique efficiently updates metadata in accordance with an N-way merge operation managed by a volume layer of a storage input/output (I/O) stack executing on one or more nodes of a cluster. The metadata is embodied as mappings from logical block addresses (LBAs) of a logical unit (LUN) accessible by a host to durable extent keys, and is organized as a multi-level dense tree. The mappings are organized such that a higher level of the dense tree contains more recent mappings than a next lower level, i.e., the level immediately below. The N-way merge operation is an efficient (i.e., optimized) way of updating the volume metadata mappings of the dense tree by merging the mapping content of all three levels in a single iteration, as opposed to merging the content of the first level with the content of the second level in a first iteration of a two-way merge operation and then merging the results of the first iteration with the content of the third level in a second iteration of the operation.
    Type: Grant
    Filed: November 21, 2017
    Date of Patent: July 30, 2019
    Assignee: NetApp, Inc.
    Inventors: Janice D'Sa, Ling Zheng, Blake H. Lewis
  • Patent number: 10360394
    Abstract: A system may register a use case with the use case including an application. An application identifier may be assigned to the application. The system may generate a transformation associated with the use case. The transformation may include logic to derive an output variable from a source variable. The system may also execute the transformation to derive output data for the output variable from source data of the source variable. The system may further lookup an access permission for the application using the application identifier in response to an access request.
    Type: Grant
    Filed: November 18, 2015
    Date of Patent: July 23, 2019
    Assignee: AMERICAN EXPRESS TRAVEL RELATED SERVICES COMPANY, INC.
    Inventors: Ravi Arasan, Carmen Patricia Argüello, Sandeep Bose, Kunal Chandrashekhar Joshi, Matthew Kent Meyer, Himanshu Prabhakar, Gurusamy Ramasamy, Jeremy D. Seideman, Roopesh R. Varier
  • Patent number: 10353864
    Abstract: A respective volatility attribute associated with each of one or more tables of a computerized database is used to determine circumstances under which a page of table data is paged out of memory, by preferentially retaining pages from volatile database tables in memory. Various optional additional uses of a volatility attribute to manage a database are disclosed. Preferably, database parameters are automatically monitored over time and database table volatility state is automatically determined and periodically adjusted.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: July 16, 2019
    Assignee: International Business Machines Corporation
    Inventors: Rafal P. Konik, Roger A. Mittelstadt, Brian R. Muras, Mark W. Theuer
  • Patent number: 10355861
    Abstract: Cryptographic affinities are generated to improve security in data centers. When a blade server is hot swapped, the cryptographic affinities protect electronic data stored within the blade server. The cryptographic affinities are generated based on hashing a unique chassis identifier. If the blade server is installed in a different chassis, the cryptographic affinities lock out the different chassis from read, write, and other access operations. The cryptographic affinities may even require deleting or reformatting before rekeying is commenced.
    Type: Grant
    Filed: March 28, 2017
    Date of Patent: July 16, 2019
    Assignee: Dell Products, LP
    Inventors: Sushma Basavarajaiah, Rama R. Bisa, Chitrak Gupta, Mukund P. Khatri
  • Patent number: 10346050
    Abstract: Systems, methods, and computer-readable media are disclosed for virtualizing memory compute function resources to improve resource utilization and system performance. A virtualized hypervisor may be provided that is configured to instantiate a respective memory function controller of each memory controller present in a system/device. The virtualized hypervisor may be further configured to maintain the memory function controllers and their corresponding memory compute functionality as shareable resources that can be allocated to system components upon request. The virtualized hypervisor may allocate a memory function controller and its corresponding memory compute functionality to a system component, and may further provide the system component with an exclusive grant of memory compute pages that can be utilized by the allocated memory function controller to execute a memory compute function to perform one or more operations (e.g., one or more computations) on behalf of the system component.
    Type: Grant
    Filed: October 26, 2016
    Date of Patent: July 9, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Edgar R. Cordero, Ananda Haridass, Arun Joseph, Diyanesh B. C. Vidyapoornachary
  • Patent number: 10331499
    Abstract: Multiple lock assemblies are distributed on a chip, and each lock assembly manages a lock application message for applying for a lock and a lock release message for releasing a lock that are sent by one small core. Specifically, embodiments include receiving a lock message sent by a small core, where the lock message carries a memory address corresponding to a lock requested by a first thread in the small core; calculating, using the memory address of the requested lock, a code number of a lock assembly to which the requested lock belongs; and sending the lock message to the lock assembly corresponding to the code number, to request the lock assembly to process the lock message.
    Type: Grant
    Filed: August 25, 2017
    Date of Patent: June 25, 2019
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Weizhi Xu, Zhimin Tang, Zhimin Zhang, Fenglong Song