Access Limiting Patents (Class 711/163)
  • Patent number: 10324863
    Abstract: Generally, this disclosure provides systems, methods and computer readable media for a protected memory view in a virtual machine (VM) environment enabling nested page table access by trusted guest software outside of VMX root mode. The system may include an editor module configured to provide access to a nested page table structure, by operating system (OS) kernel components and by user space applications within a guest of the VM, wherein the nested page table structure is associated with one of the protected memory views. The system may also include a page handling processor configured to secure that access by maintaining security information in the nested page table structure.
    Type: Grant
    Filed: June 24, 2013
    Date of Patent: June 18, 2019
    Assignee: Intel Corporation
    Inventors: Michael Lemay, David M. Durham, Ravi L. Sahita, Andrew V. Anderson
  • Patent number: 10318438
    Abstract: An apparatus includes a memory, an interface and read restriction logic. The read restriction logic is configured to receive via the interface a request to read a data value from a specified address of the memory, to retrieve the data value from the specified address, to check, upon finding that the specified address falls in an address range that is predefined as restricted, whether the retrieved data value belongs to a predefined set of permitted data values, to respond to the request with the retrieved data value when the retrieved data value belongs to the set of permitted data values, and, otherwise, when the retrieved data value does not belong to the set of permitted data values, to respond to the request with a dummy data value.
    Type: Grant
    Filed: December 7, 2017
    Date of Patent: June 11, 2019
    Assignee: NUVOTON TECHNOLOGY CORPORATION
    Inventors: Ziv Hershman, Dan Morav
  • Patent number: 10318440
    Abstract: An example method for remapping a group of system registers. The method may include receiving, by a secure access control mechanism, a request to remap one of a group of system registers from an association with a first access policy group to an association with a second access policy group. The method may include storing the remapping array at a memory of the secure access control mechanism, where a first value stored in a first entry of the remapping array maps the one of the group of system registers to the second access policy group. The method may include remapping, by the secure access control mechanism, the one of a group of system registers from the association with the first access policy group to the association with the second access policy group using the remapping array.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: June 11, 2019
    Assignee: Intel Corporation
    Inventors: Nagaraju N. Kodalapura, Vladimir Beker, Raghunandan Makaram
  • Patent number: 10313424
    Abstract: A cloud application processing method and related apparatus are provided. The method is performed by a cloud service provider, and may include determining that a working state of a first virtual machine satisfies a condition for adding a virtual machine, determining, according to an emergency policy corresponding to a first application running on the first virtual machine, a second application that has an emergency relationship with the first application, and instructing a second virtual machine on which the second application is hosted to run the first application deployed on the second virtual machine, creating a third virtual machine, deploying and starting the first application on the third virtual machine, and instructing the second virtual machine to stop running the first application after the first application is started on the third virtual machine.
    Type: Grant
    Filed: October 21, 2016
    Date of Patent: June 4, 2019
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Jie Zhu, Yi Zhang, Jin Qin
  • Patent number: 10304557
    Abstract: A data storage device includes a flash memory and a controller. The controller is coupled to the flash memory and includes a ROM which stores a boot code. In an initialization procedure of the data storage device, the controller does not access the flash memory and receives a debug code from an external device, and executes the boot code and the debug code to complete the initialization procedure.
    Type: Grant
    Filed: May 26, 2017
    Date of Patent: May 28, 2019
    Assignee: SILICON MOTION, INC.
    Inventor: Wen-Chun Jian
  • Patent number: 10296741
    Abstract: An embodiment involves secure memory implementation for secure execution of virtual machines. Data is processed in a first mode and a second mode, and commands are sent to a chip interconnect bus using real addresses, wherein the chip interconnect bus includes a number of bits for the real addresses. A memory controller is operatively coupled to a memory component. A secure memory range is specified by using range registers. If the real address is detected to be in the secure memory range to match a memory component address, a real address bit is set. If the real address is in the memory address hole, a security access violation is detected. If the real address is not in the secure address range and the real address bit is set, the security access violation is detected.
    Type: Grant
    Filed: July 27, 2017
    Date of Patent: May 21, 2019
    Assignee: International Business Machines Corporation
    Inventors: William E. Hall, Guerney D. H. Hunt, Ronald N. Kalla, Jentje Leenstra, Paul Mackerras, William J. Starke, Jeffrey A. Stuecheli
  • Patent number: 10296467
    Abstract: A host central processing unit subsystem that writes information to external memory may provide policy to the external memory. Then every time a write comes from the host subsystem, a memory controller within the memory may check the write against the policy stored in the memory and decide whether or not to implement the write.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: May 21, 2019
    Assignee: Intel Corporation
    Inventors: Vinodh Gopal, Gilbert M. Wolrich, Kirk S. Yap
  • Patent number: 10289873
    Abstract: The present disclosure includes systems and techniques relating to information flow and hardware security for digital devices and microprocessor systems. In general, in one implementation, a technique includes: receiving a hardware design specifying an implementation for information flow in a hardware configuration; receiving one or more labels annotating the hardware design; receiving a security property specifying a restriction relating to the one or more labels for implementing a secure information flow in the hardware configuration; designating each of the one or more labels to a corresponding security level in accordance with the specified restriction; and automatically assigning a respective value to each of the one or more labels in the hardware design, wherein each respective value is determined in accordance with the corresponding security level designated for each of the one or more labels.
    Type: Grant
    Filed: April 28, 2016
    Date of Patent: May 14, 2019
    Assignee: Tortuga Logic Inc.
    Inventors: Jason K. Oberg, Jonathan Valamehr, Ryan Kastner, Timothy Sherwood
  • Patent number: 10282685
    Abstract: Described herein is a computer implemented method for maintaining a plurality of issues, each issue having an associated rank value, the rank values of the plurality of issues defining an order of the plurality of issues. The method comprises receiving a rank operation request to change the rank of a subject issue; determining relevant issues to the rank operation request; and attempting to acquire locks on each of the relevant issues. In response to successfully acquiring locks on each of the relevant issues a new rank value for the subject issue is calculated and saved.
    Type: Grant
    Filed: February 13, 2015
    Date of Patent: May 7, 2019
    Assignee: ATLASSIAN PTY LTD
    Inventors: Mark Lassau, Matt Quail, Nikolay Petrov, Ivo Bosticky, Michael Elias
  • Patent number: 10268601
    Abstract: In a system executing a program, a method comprises detecting one or more input/output calls associated with the program and re-randomizing memory associated with the program in response to the one or more input/output calls. A related system is also described.
    Type: Grant
    Filed: June 17, 2016
    Date of Patent: April 23, 2019
    Assignee: Massachusetts Institute of Technology
    Inventors: Hamed Okhravi, Thomas R. Hobson, David O. Bigelow, Robert Rudd, David M. Perry, Kristin S. Dahl, William W. Streilein
  • Patent number: 10261949
    Abstract: A method for operating a network element includes obtaining a write request that specifies a variable length data. The method includes identifying a row of a table based on the write request. The method includes processing the row to identify an empty portion of a variable length data storage portion of the row. The method includes determining an offset that specifies the location of the empty portion. The method includes storing the offset and a length of the variable length data in a fixed length storage element of the fixed length data storage portion. The method includes storing the variable length data in the empty portion of the variable length data storage portion.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: April 16, 2019
    Assignee: Arista Networks, Inc.
    Inventors: Michael Greenwald, Stephen Schleimer, Daniel Greene
  • Patent number: 10248786
    Abstract: Systems, apparatuses and methods may provide for detecting an attempt by an operating system (OS) to access a non-OS managed resource and injecting, in response to the attempt, an access event into a platform security component via a guest kernel associated with the OS. Additionally, a response to the attempt may be made based on a policy response from the platform security component. In one example, the attempt is detected with respect to one or more extended page table (EPT) permissions set by a security virtual machine monitor (SVMM). Moreover, injecting the access event into the platform security component may include invoking a previously registered policy callback.
    Type: Grant
    Filed: December 24, 2015
    Date of Patent: April 2, 2019
    Assignee: Intel Corporation
    Inventors: Harshawardhan Vipat, Manohar R. Castelino, Barry E. Huntley, Kuo-Lang Tseng
  • Patent number: 10241801
    Abstract: An apparatus includes a register file and a binary translator to create a plurality of strands and a plurality of iteration windows, where each iteration window of the plurality of iteration windows is allocated a set of continuous registers of the register file. The apparatus further includes a buffer to store strand documentation for a strand from the plurality of strands, where the strand documentation for the strand is to include an indication of a current register base for the strand. The apparatus further includes an execution circuit to execute an instruction to update the current register base for the strand in the strand documentation for the strand based on a fixed step value and an iteration window size.
    Type: Grant
    Filed: December 23, 2016
    Date of Patent: March 26, 2019
    Assignee: INTEL CORPORATION
    Inventors: Jayesh Iyer, Sergey P. Scherbinin, Alexander Y. Ostanevich, Dmitry M. Maslennikov, Denis G. Motin, Alexander V. Ermolovich, Andrey Chudnovets, Sergey A. Rozhkov, Boris A. Babayan
  • Patent number: 10235048
    Abstract: Embodiments of the present disclosure relate to the field of computer data processing, and provide a data processing method and a smart device, which can effectively resolve a problem of abnormal rewriting of data in a read-only partition of an embedded multimedia card (eMMC) while ensuring that normal upgrading is not affected. The method includes receiving a write protection cancellation command sent by a central processing unit, executing the write protection cancellation command on a specified partition that is in the read-only partition and that is used to store an upgrade file, receiving the upgrade file sent by the central processing unit, writing the upgrade file to the specified partition, after completing writing the upgrade file, sending a write completion message to the central processing unit, receiving a write protection command sent by the central processing unit, and executing the write protection command on the specified partition.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: March 19, 2019
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Zhigang Li, Guojun Shi, Yingchun Zhao
  • Patent number: 10235401
    Abstract: A method includes storing data entities in data storage blocks, a logical structure of the storage of the data entities in the data storage blocks is a database including the data entities stored in tables, receiving a request message including an instruction to execute operations using data of the data entities being logically stored in one or more rows of the data entities in the table and physically stored in the data storage blocks of a processing set, determining that the data entity to be used for execution of the operations is stored across the data storage blocks, generating a processing subset in response to the determining that the data entity is stored across the data storage blocks, and executing the operations using a portion of the data stored in the processing subset.
    Type: Grant
    Filed: October 25, 2016
    Date of Patent: March 19, 2019
    Assignee: International Business Machines Corporation
    Inventors: Gregor Moehler, Torsten Steinbach, Knut Stolze, Mathias Trumpp
  • Patent number: 10229142
    Abstract: A method includes storing data entities in data storage blocks, a logical structure of the storage of the data entities in the data storage blocks is a database including the data entities stored in tables, receiving a request message including an instruction to execute operations using data of the data entities being logically stored in one or more rows of the data entities in the table and physically stored in the data storage blocks of a processing set, determining that the data entity to be used for execution of the operations is stored across the data storage blocks, generating a processing subset in response to the determining that the data entity is stored across the data storage blocks, and executing the operations using a portion of the data stored in the processing subset.
    Type: Grant
    Filed: September 14, 2015
    Date of Patent: March 12, 2019
    Assignee: International Business Machines Corporation
    Inventors: Gregor Moehler, Torsten Steinbach, Knut Stolze, Mathias Trumpp
  • Patent number: 10223447
    Abstract: A playlist preview is generated to provide a preview of media content items identified by a media playlist. The playlist preview can be created by selecting all or some of the media content items in the playlist, determining preview portions of the selected media content items, and arranging the preview portions with or without a transition effect. The playlist preview can be easily shared with other users through, for example, social media sites.
    Type: Grant
    Filed: August 2, 2017
    Date of Patent: March 5, 2019
    Assignee: SPOTIFY AB
    Inventor: Tristan Jehan
  • Patent number: 10216176
    Abstract: A substrate processing apparatus includes a plurality of arms used for transferring a substrate, a plurality of processing sections for processing the substrate, a recipe storage section storing at least one recipe for designating at least one of the plurality of arms as a usable arm and at least one of the plurality of processing sections as a usable processing section and for specifying processing conditions in the usable processing section, and a control unit for, according to the at least one recipe, controlling the plurality of arms and the plurality of processing sections so that a substrate is transferred using the usable arm and is processed in the usable processing section under the processing conditions.
    Type: Grant
    Filed: April 29, 2014
    Date of Patent: February 26, 2019
    Assignee: ASM IP HOLDING B.V.
    Inventor: Takashi Wada
  • Patent number: 10210086
    Abstract: Provided are techniques for fast cache demotions in storage controllers with metadata. A track in a demotion structure is selected. In response to determining that the track in the demotion structure does not have invalidate metadata set, demoting the track from cache. In response to determining that the track has invalidate metadata set, the track is moved from the demotion structure to an invalidate metadata structure. One or more tasks are created to process the invalidate metadata structure, wherein each of the one or more tasks selects a different track in the invalidate metadata structure, invalidates metadata for that track, and demotes that track.
    Type: Grant
    Filed: August 16, 2017
    Date of Patent: February 19, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Kyler A. Anderson, Kevin J. Ash, Lokesh M. Gupta
  • Patent number: 10210325
    Abstract: A system that includes a vault management console configured to determine a measurement request for virtual machine operating characteristics metadata. The system further includes a guest virtual machine that includes virtual machine measurement points and a hypervisor control point. The system further includes a hypervisor associated with the guest virtual machine that is configured to communicate the measurement request to the hypervisor control point. The hypervisor is further configured to receive a packet with the virtual machine operating characteristics metadata and to communicate the packet to the virtual vault machine. The hypervisor device driver is configured to receive the packet from the hypervisor and to communicate the virtual machine operating characteristics to an analysis tool.
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: February 19, 2019
    Assignee: Armor Defense Inc.
    Inventors: Jeffery Ray Schilling, Chase Cooper Cunningham, Tawfiq Mohan Shah, Srujan Das Kotikela
  • Patent number: 10204052
    Abstract: A directory maintenance method and apparatus are provided. The method includes sending, by a main memory according to a correspondence between a cache line in a directory and a cache, listening information to each cache corresponding to a cache line at a preset frequency; receiving, by each cache corresponding to the cache line, the listening information, and sending a listening response according to the listening information; and receiving, by the main memory, the listening response, and updating the directory according to the listening response, where the listening response includes a state of the cache line in the cache sending the listening response. The directory maintenance method and apparatus that are disclosed in the present invention can lower an impact of listening caused due to replacement on normal processing of a processor, and reduce degradation of system performance.
    Type: Grant
    Filed: March 2, 2015
    Date of Patent: February 12, 2019
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Chenghong He, Yongbo Cheng, Kejia Lan
  • Patent number: 10185726
    Abstract: Systems, computer program products and methods implementing access control for compound structures including subfields are described. A policy system receives a database schema and a data access policy. The database schema defines multiple subfields of a data column. The policy includes one or more rules limiting access to the subfields. A policy analyzer of the policy system creates an access control metadata that stores correspondence between the subfields and the rules. The policy analyzer represents the subfields in the access control metadata using relations between subfields and other components of the database. The policy analyzer provides the access control metadata to a policy enforcer for enforcing the policy on the subfields.
    Type: Grant
    Filed: August 26, 2016
    Date of Patent: January 22, 2019
    Assignee: BlueTalon, Inc.
    Inventors: Prasad Mujumdar, Rakesh Khanduja, Pratik Verma
  • Patent number: 10185736
    Abstract: In various embodiments, methods and systems for optimizing database transactions based on replicable differential data store data structure are provided. A write operation request, having a key for a write operation on a replicable differential store data structure, is accessed. An intent write lock on a differential state and a write lock on the key are acquired. The differential state comprises a result set of currently committing transactions. A transaction instance, of the write operation, is generated for a write set, the transaction instance comprising a modification to the key. The write-set comprises an uncommitted set of writes for in-flight transactions. A determination is made that the write operation is committed. A result of the transaction instance is persisted when the write operation is committed. It is contemplated that the differential state and a consolidated state can be merged, the consolidated state comprises a result set of previously committed transactions.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: January 22, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Mihail Gavril Tarta, Gopal Kakivaya, Preetha Lakshmi Subbarayalu
  • Patent number: 10169253
    Abstract: A virtual-machine-based system that may protect the privacy and integrity of application data, even in the event of a total operating system compromise. An application is presented with a normal view of its resources, but the operating system is presented with an encrypted view. This allows the operating system to carry out the complex task of managing an application's resources, without allowing it to read or modify them. Different views of “physical” memory are presented, depending on a context performing the access. An additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processors is provided.
    Type: Grant
    Filed: August 21, 2017
    Date of Patent: January 1, 2019
    Inventors: Xiaoxin Chen, Carl A. Waldspurger, Pratap Subrahmanyam, Tal Garfinkel, Dan Boneh
  • Patent number: 10162636
    Abstract: A control apparatus, an integrated circuit, and a management method for a stack are provided. The management method for the stack includes: obtaining an instruction of running a task with a first function; changing a pointer of the stack in an internal memory from pointing to an internal memory to an external memory before executing the first function, wherein the stack in the internal memory is used by the task; executing the first function, wherein first temporary information that is needed to be stored during a period of executing the first function is stored into the external memory pointed to by the pointer of stack; and adjusting the pointer of the stack to point to the internal memory after finishing executing the first function. According to the above-mentioned management method for the stack, the cost is reduced, and low power consumption can be achieved.
    Type: Grant
    Filed: November 8, 2016
    Date of Patent: December 25, 2018
    Assignee: MediaTek Singapore Pte. Ltd.
    Inventor: Hua Fu
  • Patent number: 10163107
    Abstract: In some examples, methods and systems may institute technical fallback by determining, by a payment processing system, and based on analysis of the communication status indicator and the data obtained when a magnetic stripe of the payment object is introduced in magnetic stripe object reader, whether the payment object was swiped while an EMV object reader was communicatively coupled to the POS terminal. If the magnetic stripe of the payment object was swiped while the EMV object reader was connected to the POS terminal, the payment processing system extracts a transaction count indicating a number of times the customer has attempted to insert a chip of the payment object into the EMV object reader prior to swiping magstripe. By comparing the transaction count with a threshold count, the payment processing system authorizes the payment transaction as a technical fallback transaction if the transaction count is greater than the threshold count.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: December 25, 2018
    Assignee: Square, Inc.
    Inventors: Michael Wells White, Jason Holmes, Martin Mroz, David Terra, Charles Nicholson
  • Patent number: 10162668
    Abstract: Some embodiments of the present invention include a method comprising: accessing units of network storage that encode state data of respective virtual machines, wherein the state data for respective ones of the virtual machines are stored in distinct ones of the network storage units such that the state data for more than one virtual machine are not commingled in any one of the network storage units.
    Type: Grant
    Filed: September 11, 2017
    Date of Patent: December 25, 2018
    Assignee: VMware, Inc.
    Inventors: Daniel K. Hiltgen, Rene W. Schmidt
  • Patent number: 10157276
    Abstract: A system including a guest virtual machine with one or more virtual machine measurement points configured to collect virtual machine operating characteristics metadata and a hypervisor control point configured to receive virtual machine operating characteristics metadata from the virtual machine measurement points. The hypervisor control point is further configured to send the virtual machine operating characteristics metadata to a hypervisor associated with the guest virtual machine. The system further includes the hypervisor configured to receive the virtual machine operating characteristics metadata and to forward the virtual machine operating characteristics metadata to a hypervisor device driver in a virtual vault machine. The system further includes the virtual vault machine configured to determine a classification for the guest virtual machine based on the virtual machine operating characteristics metadata and to send the determined classification to a vault management console.
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: December 18, 2018
    Assignee: Armor Defense Inc.
    Inventors: Jeffery Ray Schilling, Chase Cooper Cunningham, Tawfiq Mohan Shah, Srujan Das Kotikela
  • Patent number: 10140182
    Abstract: A method for execution by a resource allocation module includes facilitating migration of a first set of encoded data slices stored at a storage unit for decommissioning to a newly commissioned storage unit, and facilitating migration of a remaining set of encoded data slices stored at the storage unit for decommissioning as foster encoded data slices to at least one other storage unit. For each foster encoded data slice, it is determined whether to facilitate migration of the foster encoded data slice to the newly commissioned storage unit. When determining to facilitate the migration of the foster encoded data slice, the migration of the foster encoded data slice to the newly commissioned storage unit is facilitated. An association of the newly commissioned storage unit and identity of the foster encoded data slice is updated in response to detecting successful migration of the foster encoded data slice.
    Type: Grant
    Filed: December 14, 2017
    Date of Patent: November 27, 2018
    Assignee: International Business Machines Corporation
    Inventors: Thomas F. Shirley, Jr., Gary W. Grube, Bart R. Cilfone, Ravi V. Khadiwala, Greg R. Dhuse, Thomas D. Cocagne, Michael Colin Storm, Yogesh R. Vedpathak, Wesley B. Leggette, Jason K. Resch, Andrew D. Baptist, Ilya Volvovski
  • Patent number: 10140329
    Abstract: Processing transactions in a distributed computing system that includes multiple processing modules includes: storing data items in a data storage system accessible to multiple processes running in the distributed computing system, where the data items are totally ordered according to an ordering rule, and at least some of the processes are running on different processing modules; and processing transactions using a plurality of the multiple processes. Processing a transaction using one of the plurality of the multiple processes includes: receiving a set of requests for accessing data items stored in the data storage system (where the requests are in a first order), obtaining locks on the data items sequentially in the first order if each of the locks is obtained within a first time interval, and, if any of the locks is not obtained within the first time interval, restarting the transaction being processed.
    Type: Grant
    Filed: March 22, 2016
    Date of Patent: November 27, 2018
    Assignee: Ab Initio Technology LLC
    Inventor: Craig W. Stanfill
  • Patent number: 10133864
    Abstract: Methods and systems are disclosed for implementing a secure application execution environment using Derived User Accounts (SAE DUA) for Internet content. Content is received and a determination is made if the received content is trusted or untrusted content. The content is accessed in a protected derived user account (DUA) such as a SAE DUA if the content is untrusted; otherwise, the content is accessed in a regular DUA if the content is trusted.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: November 20, 2018
    Assignee: Google LLC
    Inventor: Úlfar Erlingsson
  • Patent number: 10126983
    Abstract: Methods, apparatus and articles of manufacture are disclosed to enforce life cycle rules in a modularized virtualization topology using virtual hard disks. An example method includes, in response to a request to access a first virtual hard disk in a virtual computing environment, identifying, with a processor, a life cycle stage. The example method also includes determining, with the processor, whether a condition associated with the life cycle stage applies to the first virtual hard disk. The example method also includes refusing, with the processor, to mount, refusing to dis-mount, mounting or dis-mounting the first virtual hard disk if the condition is satisfied.
    Type: Grant
    Filed: June 24, 2015
    Date of Patent: November 13, 2018
    Assignee: VMWARE, INC.
    Inventor: Ilan Uriel
  • Patent number: 10114905
    Abstract: A computer-implemented method for providing a plurality of security schemes and allowing a particular user of a computer system from among a plurality of users of the computer system to select a security scheme to be associated with the user independent of the security scheme selected by a remainder of the plurality of users of the computer system, thereby providing user customizable security to the computer system. At least one of the security schemes is comparatively more secure than another. Selections of security schemes are included with account information of the particular user and are used in connection with authorizing the particular user to use the computer system. First and second users can each select different security schemes based on their personal preferred balance between convenience and security and have their respective access to the computer system managed in relation to the selections included with their respective accounts.
    Type: Grant
    Filed: October 31, 2017
    Date of Patent: October 30, 2018
    Assignee: EASYWEB INNOVATIONS, INC.
    Inventor: John D. Codignotto
  • Patent number: 10114948
    Abstract: Technologies for securing an electronic device include determining addresses of one or more memory pages, injecting for each memory page a portion of identifier data into the memory page, storing an indication of the identifier data injected into each of the memory pages, determining an attempt to access at least one of the memory pages, determining any of the identifier data present on a memory page associated with the attempt, comparing the indication of the identifier data with the determined identifier data present on the memory page, and, based on the comparison, determining whether to allow the access.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: October 30, 2018
    Assignee: McAfee, LLC
    Inventor: Jonathan Edwards
  • Patent number: 10108955
    Abstract: Disclosed are various embodiments of a file service which meters costs associated with aggregated file storage. A separate storage area is created for each of a plurality of cost center managers. A default storage area is created that is not associated with any of the cost center managers. Each storage area is divided into a plurality of logical partitions. Each logical partition corresponds to a content user. A content user is allowed to access a file in the corresponding logical partition of the corresponding storage area.
    Type: Grant
    Filed: March 14, 2011
    Date of Patent: October 23, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Piragash Velummylum, Johanna S. Olson, Korwin J. Smith, James H. Wood, Wenlin Ma
  • Patent number: 10103873
    Abstract: A processing system includes a processing core and a hardware accelerator communicatively coupled to the processing core. The hardware accelerator includes a random number generator to generate a byte order indicator. The hardware accelerator also includes a first switching module communicatively coupled to the random value indicator generator. The switching module receives an input byte sequence in an encryption round of the cryptographic operation and feeds a portion of the input byte sequence to one of a first substitute box (S-box) module or a second S-box module in view of a byte order indicator value generated by the random number generator.
    Type: Grant
    Filed: April 1, 2016
    Date of Patent: October 16, 2018
    Assignee: Intel Corporation
    Inventors: Raghavan Kumar, Sanu K. Mathew, Sudhir K. Satpathy, Vikram B. Suresh
  • Patent number: 10095891
    Abstract: An apparatus includes an interface and a processor. The interface is configured for communicating over a bus. The processor is configured to disrupt on the bus a transaction in which a bus-master device attempts to access a peripheral device without authorization, by forcing one or more dummy values on at least one line of the bus in parallel to at least a part of the transaction.
    Type: Grant
    Filed: March 21, 2016
    Date of Patent: October 9, 2018
    Assignee: NUVOTON TECHNOLOGY CORPORATION
    Inventors: Ziv Hershman, Oren Tanami, Dan Morav
  • Patent number: 10089438
    Abstract: The highly secure method and system acquires, processes and produces health care (HC) data and service records from multiple local devices, notwithstanding different operating systems (OS) in such devices, and all accessed and controlled by a cloud computing network. Devices have memories, displays, keypads, cameras and microphones. The system operates on acquired data including image, keypad-text, audio, and speech-converted-to-text data generated by respective devices. The method downloads commands to devices (notwithstanding different OS) which delete-acquired-data upon a request to save (upload) data to the cloud computing network. Further data security includes a disable-print-screen command prohibiting local storage of stored acquired data into local devices.
    Type: Grant
    Filed: June 23, 2015
    Date of Patent: October 2, 2018
    Assignee: Symplast LLC
    Inventors: Shashidhar Kusuma, Munish K. Batra, Bhupesh Vasisht
  • Patent number: 10091241
    Abstract: A method of making a “zero knowledge” connection between a computer (2) and an electronic unit (5). At the start of the method, the configuration unit (1) is connected with the computer (2), and a web server is initiated in the configuration unit (1) via the trusted execution environment. A secure network connection is made to a server (3) by the configuration unit (1) and, via the network connection, the items of information required for connection with the electronic units, to which a connection can be made, are synchronized with the trusted execution environment. After synchronization occurs, an electronic unit (5) is selected by the web server via an input of the computer (2), to which electronic unit (5) a connection is made via the trusted execution environment using the stored, synchronized items of information, and via the web server prescribed menu-driven maintenance or configuration steps can be executed.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: October 2, 2018
    Assignee: SKIDATA AG
    Inventor: York Keyser
  • Patent number: 10075446
    Abstract: Embodiments described herein provide systems and methods to streamline the mechanism by which data users access differently regulated data through the use of one or more integrated identifiers. The integrated identifiers lessen or eliminate the need to separately maintain one set of identifiers for regulated data and another set for non-regulated data. The methods and systems may be applicable in various credit and healthcare contexts where regulations over data use are prevalent. In one or more embodiments, a data user receives a unique integrated identifier for each of the data user's current or prospective customers, and the integrated identifiers can be used to persistently identify and track the customers over time and across applications that access regulated and/or non-regulated data. In the healthcare context, a healthcare provider may utilize a patient ID as the integrated identifier. To protect privacy, the integrated identifier may not include social security numbers or birthdates.
    Type: Grant
    Filed: February 9, 2015
    Date of Patent: September 11, 2018
    Assignee: EXPERIAN MARKETING SOLUTIONS, INC.
    Inventors: Helen McMillan, John Lawrence Skurtovich, Anita Kress, Timothy Sumida, Michael Charles McVey
  • Patent number: 10073793
    Abstract: A data processor includes an access target with the address assigned to a memory space, an access subject that gains access to the access target while specifying address, identifier, and access type, and a memory protection resource including an associative memory to perform an access control. The memory protection resource includes a plurality of entries, each including a region setting unit, an identifier determination information unit, and an attribute setting unit. When the address specified by the access subject at the access is included in the region set in the region setting unit in the entry, the identifier agrees with at least one of the identifiers specified according to the identifier determination information, and the specified access type agrees with the access type set in the attribute setting unit, the memory protection resource permits the access.
    Type: Grant
    Filed: August 20, 2016
    Date of Patent: September 11, 2018
    Assignee: Renesas Electronics Corporation
    Inventors: Koji Adachi, Yoichi Yuyama
  • Patent number: 10073777
    Abstract: A data processing apparatus has a memory attribute unit having storage regions for storing attribute data for controlling access to a corresponding memory address range by processing circuitry. In response to a target memory address, the processing circuitry can perform a region identifying operation to output a region identifying value identifying which of the storage regions of the attribute unit corresponds to the target memory address. The region identifying value is made available to at least some software executed by the data processing apparatus. This can be useful for quickly checking access permissions of a range of addresses or for determining how to update the memory attribute unit.
    Type: Grant
    Filed: December 22, 2014
    Date of Patent: September 11, 2018
    Assignee: ARM Limited
    Inventor: Thomas Christopher Grocutt
  • Patent number: 10073734
    Abstract: An apparatus comprising a memory and a controller. The memory may be configured to store data. The controller may process a plurality of input/output requests to read/write to/from the memory. The controller may generate read data by performing a hard-decision decode on a codeword received from the memory. If the hard-decision decode fails, the controller may enter an error-recovery process comprising a plurality of recovery procedures. At least one of the recovery procedures may apply an inter-cell interference cancellation technique. The error-recovery process may (a) determine parameters for a soft-decision decode by performing one of the recovery procedures on the codeword, (b) execute the soft-decision decode using the parameters from the recovery procedure performed to generate the read data and (c) if the soft-decision decode fails, repeat (a) and (b) using a next one of the recovery procedures.
    Type: Grant
    Filed: April 28, 2015
    Date of Patent: September 11, 2018
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventors: Erich F. Haratsch, Jeremy Werner, Zhengang Chen, Earl T. Cohen, Yunxiang Wu, Ning Chen
  • Patent number: 10068110
    Abstract: A semiconductor device includes a first processing unit configured to perform a calculation by using data stored in a memory; and a memory path controller configured to communicate with the first processing unit and control the memory for the first processing unit to perform the calculation, wherein the memory path controller includes an address region control unit configured to divide an address space of the memory to include a secure address and a non-secure address and permit the first processing unit to access the secure address or the non-secure address, and a first content firewall unit connected with the address region control unit and configured to prevent the first processing unit from writing secure contents in the non-secure address.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: September 4, 2018
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Woo-Hyung Chun, Min-Je Jun, Sim-Ji Lee, Eui-Cheol Lim, Seong-Min Jo, Sung-Min Hong
  • Patent number: 10049215
    Abstract: A method for providing malware protection in connection with processing circuitry including hardware resources and software resources managed by a primary operating system may include providing a trusted operating system to control access to a portion of a local storage area of the hardware resources. In this context, only the trusted operating system is configured to enable writing to the portion of the local storage area. The method may further include storing backup files for the primary operating system in the portion of the local storage area responsive to the trusted operating system granting access to write to the portion of the local storage area.
    Type: Grant
    Filed: September 2, 2016
    Date of Patent: August 14, 2018
    Assignee: The Johns Hopkins University
    Inventors: David C. Challener, Peter S. Kruus, Russell A. Fink, James F. Farlow
  • Patent number: 10048314
    Abstract: A system comprises a plurality of components, scan chain selection logic coupled to the components, and override selection logic coupled to the scan chain selection logic. The scan chain selection logic selects various of the components to be members of a scan chain under the direction of a host computer. The override selection logic detects a change in the scan chain and, as a result, blocks the entire scan chain from progressing.
    Type: Grant
    Filed: January 11, 2018
    Date of Patent: August 14, 2018
    Assignee: Texas Instruments Incorporated
    Inventors: Gary L. Swoboda, Robert A. McGowan
  • Patent number: 10043013
    Abstract: The disclosed computer-implemented method for detecting gadgets on computing devices may include (i) identifying, on a computing device, a process containing multiple modules, (ii) identifying, within the process, each module that does not implement a security protocol that randomizes, each time the module executes, a memory location of at least one portion of data accessed by the module, (iii) copying each module that does not implement the security protocol to a section of memory dedicated to security analyses, (iv) determining, based on detecting at least one gadget-specific characteristic within at least one copied module, that the process contains a gadget that is capable of being maliciously exploited, and then (v) performing a security action on the computing device to prevent the gadget from being maliciously exploited. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 9, 2016
    Date of Patent: August 7, 2018
    Assignee: Symantec Corporation
    Inventors: Peter Ferrie, Joseph Chen
  • Patent number: 10037287
    Abstract: A method of protecting software for embedded applications against unauthorized access. Software to be protected is loaded into a protected memory area. Access to the protected memory area is controlled by sentinel logic circuitry. The sentinel logic circuitry allows access to the protected memory area from only either within the protected memory area or from outside of the protected memory area but through a dedicated memory location within the protected memory area. The dedicated memory location then points to protected address locations within the protected memory area.
    Type: Grant
    Filed: May 22, 2017
    Date of Patent: July 31, 2018
    Assignee: TEXAS INSTRUMENTS INCORPORATED
    Inventor: Johann Zipperer
  • Patent number: 10038444
    Abstract: A circuit includes combinational circuit and sequential circuit elements coupled thereto. The circuit includes a multiplexor coupled to the combinational and sequential circuit elements, and a system register is coupled to the multiplexor. At least one portion of the combinational and sequential circuit elements is configured to selectively switch to operate as a random access memory.
    Type: Grant
    Filed: March 14, 2017
    Date of Patent: July 31, 2018
    Assignee: STMICROELECTRONICS S.R.L.
    Inventors: Salvatore Marco Rosselli, Daniele Mangano, Riccardo Condorelli
  • Patent number: 10033799
    Abstract: A data construct called a semcard is a semantic (meaning-based) software object including semantic meta-tags and meta-data that describes a target object or thing. A target object can be any type of digital or physical entity or identifier, or it can be tacit knowledge, such as ideas, concepts, processes or other data existing in a user's mind, provided that the user represents this knowledge in the semcard. A semcard embodies information about its own structure-rules, history, state, policies and goals regarding automation, display, access permissions, sharing and other operations of the semcard and any optional target object. It can also represent a semantic link between two semcards, or a semantically typed link or a standard Web hyperlink between a semcard and its referent target. A collection of semcards represents a knowledge network; single semcards, and knowledge networks, can be browsed, shared, searched, disseminated, manipulated, displayed, organized, and stored.
    Type: Grant
    Filed: April 22, 2015
    Date of Patent: July 24, 2018
    Assignee: ESSENTIAL PRODUCTS, INC.
    Inventors: Nova T. Spivack, Kristinn R. Thorisson