Abstract: A memory protection unit including hardware registers for entering address tables, a configuration memory for storing the address tables, a preconfigured hardware logic for managing the configuration memory, a data connection between the configuration memory and the hardware logic for loading the hardware registers, a first interface for controlling the loading by a computing core, and a second interface for writing to the configuration memory by the computing core.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for generating signed addresses. One of the methods includes receiving, by a component from a device, a plurality of first requests, each first request for a physical address and including a virtual address, determining, by the component, a first physical address using the virtual address, generating a first signature for the first physical address, and providing, to the device, a response that includes the first signature, receiving, from the device, a plurality of second requests, each second request for access to a second physical address and including a second signature, determining, by the component for each of the plurality of second requests, whether the second physical address is valid using the second signature, and for each second request for which the second physical address is determined to be valid, servicing the corresponding second request.

Abstract: Techniques are described for facilitating sharing and reuse of executable software images between multiple execution environments. In at least some situations, the executable software images are virtual machine images (e.g., images that are bootable or otherwise loadable by a virtual machine in a particular virtualization environment, and that each include operating system software and/or software for one or more application programs, optionally along with one or more hard disks or other representations of stored data). The described techniques may include use of an image conversion tool that is configured to support interactions with multiple distinct types of source execution environments to extract executable software images from those environments, and to modify extracted software images for execution in one or more distinct types of destination execution environments, optionally as directed by one or more users via a GUI provided by the image conversion tool.

Abstract: According to one embodiment, a semiconductor integrated circuit comprises: a tested block including a test control circuit; and a control circuit configured to output a first signal. The test control circuit performs a test of at least a first test pattern of the test patterns for the scan chain in accordance with the first signal during a first non-access state period of the tested block, and performs a test of at least a second test pattern following the first test pattern of the test patterns for the scan chain in accordance with the first signal during a second non-access state period of the tested block, and the test of the first test pattern and the test of the second test pattern are performed discontinuously.

Abstract: Provided herein may be a memory system and a method of operating the same. A semiconductor memory device may include a write protect pin mode setting unit configured to set, depending on a parameter value stored therein, a write protect pin of the semiconductor memory device as any one of an input pin and an output pin and a control logic configured to output, when the write protect pin serves as the output pin, internal state information of the semiconductor memory device to an external device.

Abstract: Various embodiments are directed to providing integrity protection for a system management mode. During initialization, a hash value of a system management mode control routine may be determined. Subsequently, during operation, the hash value may be compared to a hash value of a system management mode control routine to be executed. The system management mode control routine to be executed may be determined to be authentic if the hash values are the same.

Abstract: Disclosed is event processing a computing center, which may include receiving events from users of the computing center to be processed. Each received event may be stored in an event queue that is associated with a customer of the user. Events in an event queue may then be processed by an event processor that is associated with that event queue.

Abstract: A method for updating security information is applied to a system including an information service provider and mobile devices. The information service provider includes a server and a database, in which the server provides security information to the mobile devices and each of the security information is related individually to a security code. The information service provider can transmit updated security information to the mobile devices in an active-push manner in communicative off-peak hours, and at the same time each of the mobile devices would be automatically waken up and connected with the service-provider so as to receive the updated security information. While the mobile device is to request additional information, the passive-pull transmission manner can then be applied by the mobile device to obtain the additional information from the information service provider. Thus, merits of both the active push transmission and the passive pull transmission can be obtained.

Abstract: An example method includes monitoring healthcare information employed by a local information system of a first healthcare entity via an edge device located at a facility of the first healthcare entity and in communication with a local information system. The edge device is to implement a local cloud system. The local cloud system is to be accessible by only the first healthcare entity and healthcare entities affiliated with the first healthcare entity. The example method also includes determining if the healthcare information has a first characteristic via the edge device, determining if the healthcare information has a second characteristic via the edge device, and automatically uploading the healthcare information onto the local cloud system if the healthcare information has the first characteristic. The example method also includes automatically uploading the healthcare information onto a remote cloud system if the healthcare information has the second characteristic.

Abstract: A plurality of traffic profiles is determined for a plurality of traffic groups where each traffic profile includes a share of traffic and an address footprint size associated with a corresponding traffic group. A host write is received from a host and the traffic group that the host write belongs to is identified. Write data associated with the host write is stored in the solid state storage allocated to the traffic group that the host write is identified as belonging to where the amount of solid state storage allocated to each of the plurality of traffic groups is based at least in part on the traffic profile of a given traffic group.

Abstract: Techniques for aggregating background processing in a data storage system. Blocks are identified having contents on which a data operation was not performed in-line. The background data operation is prevented for blocks that will no longer be accessed by the host computer because they are only mapped to files implementing data objects that are scheduled for future deletion. A region of blocks may be selected that meets a criteria for performing a background free space operation, and the background data operation may be performed on the contents of blocks in the selected region while the contents of those blocks are being relocated to other blocks while performing the background free space operation. While performing the background data operation, blocks may be freed from files that implement data objects scheduled for future deletion.

Abstract: A memory system includes a nonvolatile memory module and a memory controller. The nonvolatile memory module includes a plurality of memory chips and a module controller disposed on a printed circuit board. The module controller controls operations of the plurality of memory chips. Each of the plurality of memory chips includes a plurality of nonvolatile memory cells and operates in an operation mode. The operation mode is either a memory mode or a storage mode. The memory controller performs a write operation and a read operation on the nonvolatile memory module, and performs a first error check and correction (ECC) operation on data communicated with the nonvolatile memory module. One of the module controller or the plurality of memory chips performs a second ECC operation on data stored in the plurality of memory chips based on the operation mode of the plurality of memory chips.

Abstract: Protection from malware download is provided. A first input is received to access one of an email attachment or a web site link using an application. A newly generated secure virtual machine is obtained from one of a network server or a cloud computing service. The one of the email attachment or the web site link is sent to the newly generated secure virtual machine for processing.

Abstract: An operator tree is formed for a data processing plan, the operator tree containing a plurality of interconnected nodes and including a grouping of two or more duplicative portions, each of the two or more duplicative portions having identical nodes and structure such that when the operator tree is executed, operators executed in a first duplicative portion using a first thread perform same functions use different data than operators in a second duplicative portion using a second thread. One or more operators in the first portion and one or more operators in the second portion to be synchronized with each other are identified. A synchronization point is created for the identified operators in the first thread and one or more subsequent threads, wherein the synchronization point receives information from each of the identified operators to build an artifact to deliver to one or more operators that depend on the artifact.

Abstract: A command executing method for a memory storage apparatus is provided. The method includes grouping logical addresses into logical address groups and assigning a key for each of the logical address groups independently. The method also includes receiving a write command and write data corresponding to the write command and temporarily storing the write data into a buffer memory. The method further includes executing the write command, enabling a direct memory access once to transfer the write data from the buffer memory to a writable non-volatile memory module of the memory apparatus and encrypting each sector data of the write data with keys corresponding to the logical address groups that the logical address storing the sector data belong to.

Abstract: Technologies are generally described for systems, devices and methods effective to generate an alert in a computing system. In some examples, a read request may be identified to read from a memory location in a memory. The memory location may include first data accessible by a virtual machine and an instance manager module. The first data may be allowed to be read from the memory location. A write request may be identified to write second data to the memory location. A flag may be identified in response to the identification of the write request. The flag may be associated with the memory location. An alert may be generated, based on the identification of the flag and the identification of the write request.

Abstract: For a data copying operation, data compression using constant number-of-track-groups and a thinly provisioned target device facilitates incremental updates where the size of the compressed data on the target device changes. Compressed data is written to the same LBA as the beginning of the source device chunk cluster LBA (1:1 mapping of data start). A termination string or other demarking device is used to identify space freed on the target device resulting from compression. During an incremental update only changed chunk clusters are changed, and freed space is changed accordingly if necessary.

Abstract: An integrated circuit senses attempts to access security-related data stored in registers connectable into a scan chain when the attempt includes locally and selectively asserting a scan-enable signal at a corresponding branch of the scan-enable tree when the integrated circuit is in a secure functional mode. When such an attempt is detected, the integrated circuit (i) generates a security warning that causes a reset of the security-related data and/or (ii) engages a bypass switch to disconnect the scan chain from the respective output terminal to preclude the security-related data from being shifted out of the IC via the scan chain.

Abstract: Upon a first transition from a first state to a second state, a first bit in a memory unit comprising a plurality of bits is programmed. Upon a first transition from the second state to the first state, a second bit in the memory unit is programmed, the second bit being before the first bit in the sequence of the plurality of bits. Upon a second transition from the first state to the second state, a third bit in the memory unit is programmed, the third bit being subsequent to the first bit by at least two bits in the sequence of the plurality of bits. Upon a second transition from the second state to the first state, a fourth bit in the memory unit is programmed, the fourth bit being before the third bit in the sequence of the plurality of bits.

Abstract: According to embodiments described herein, a backup server maintains backup data for a set of data, which includes data for a first block and a second block. Backup data for the first and second block include backup data for a plurality of versions of the first and second block. A distinct watermark is stored for each version of the first block and each version of the second block. In response to a request to perform a restoration operation on the set of data, a particular version of the first block and a particular version of the second block are selected to use in the restoration operation by comparing a restoration target with the watermarks of the version of the first block and second block. The selected version of the first block has a different watermark than the selected version of the second block.

Abstract: A processor includes a front end to receive an instruction, a decoder to decode the instruction, a core to execute the first instruction, and a retirement unit to retire the first instruction. The core includes logic to execute the first instruction, including logic to repeatedly record a translation lookaside buffer (TLB) until a designated number of records are determined, and flush the TLB after a flush interval.

Abstract: A method, system and computer program product are provided for implementing block extent granularity authorization processing for a Coherent Accelerator Processor Interface (CAPI) adapter. An Application Client requests authorization to a File from a system processor file system. The file system validates the request, determines the location of each Extent that comprises the File, and requests authorization to each Extent from a System CAPI Authorization manager. The System CAPI Authorization manager requests the CAPI Client manager to assign a Child Client ID and CAPI Server Register range to the requesting Application Client and requests a previously authorized CAPI Parent Client to authorize the Child ID to the list of Extents. The CAPI Parent Client sends a Create Authorizations command to the CAPI Adapter via the Parent's CAPI Server Registers.

Abstract: Described herein are mechanisms for continuous automatic tuning of code regions for optimal hardware configurations for the code regions. One mechanism automatically tunes the tunable parameters for a demarcated code region by calculating metrics while executing the code region with different sets of tunable parameters and selecting one of the different sets based on the calculated metrics.

Abstract: The invention concerns a compute node comprising: one or more processors; one or more memory devices storing software enabling virtual computing resources and virtual memory to be assigned to support:—a virtual machines compartment (402) in which a plurality of virtual machines (VM) is enabled by a hypervisor; and—a services compartment (404) comprising an operating system (OS) enabling one or more of real time capabilities, security functionality, and hardware accelerators, wherein the services compartment further comprises a virtual machines service manager (412) adapted to manage service requests received from the virtual machines; and a hardware partition (418) providing access control between the virtual machines (408) and the virtual machines services compartment (404).

Abstract: Embodiments of the present invention provide systems, methods, and computer program products for managing requests for acquiring one or more resources in a computing environment. In one embodiment, successful acquisition of the one or more resources is determined. Embodiments of the present invention provide systems, methods, and computer program products for initiating a synchronous request to acquire the one or more resources, responsive to determining that the acquisition of the one or more resources is not successful.

Abstract: A method, system and computer program product are disclosed for direct storage device sharing in a virtualized environment. In an embodiment, the method comprises assigning each of a plurality of virtual functions an associated memory area of a physical memory, and executing the virtual functions in a single root-input/output virtualization environment to provide each of a plurality of guests with direct access to the physical memory. In one embodiment, each of the guests is associated with a respective one of the virtual functions; and the assigning each of the plurality of virtual functions an associated memory area includes maintaining a per-virtual function mapping table identifying a respective one mapping function for each of the virtual functions, and each of the mapping functions mapping one of the memory areas of the physical area to an associated virtual memory.

Abstract: Systems and methods are disclosed for accessing data over a distributed data storage network. A network-attached storage device (NAS) includes a non-volatile memory module comprising a first portion of data storage for storing local user data associated with a host computing device and a second shared portion of data storage for storing third-party data. The NAS includes a controller configured to provide copies of a portion of the user data to one or more other NAS's for storage therein, receive third-party data from each of the one or more other NAS's, and store the received third-party data in the second portion of data storage. The NAS is configured to upload at least a portion of the user data to the host computing device and upload at least a portion of the third-party data to at least one of the one or more other NAS.

Abstract: A system, apparatus, method, or computer program product of restricting file access is disclosed wherein a set of file write access commands are determined from data stored within a storage medium. The set of file write access commands are for the entire storage medium. Any matching file write access command provided to the file system for that storage medium results in an error message. Other file write access commands are, however, passed onto a device driver for the storage medium and are implemented. In this way commands such as file delete and file overwrite can be disabled for an entire storage medium.

Abstract: Microprocessor system that is implemented or can be implemented in a mobile terminal and comprises: a normal operating system designed to generate and maintain a non-secure runtime environment and a security operating system designed to generate and maintain a secured runtime environment, and an operating system interface between the normal operating system and the security operating system, said operating interface being designed to control communication between the non-secure runtime environment and the secured runtime environment on the operating system level, and at least one filter interface that is designed to securely control communication between the non-secure runtime environment and a secured runtime environment on a level different from the operating system level.

Abstract: Embodiments of the invention relate generally to semiconductors and memory technology, and more particularly, to systems, integrated circuits, and methods to implement circuits configured to compensate for parameter variations in layers of memory by adjusting access signals during memory operations. In some embodiments, memory cells are based on third dimensional memory technology. In at least some embodiments, an integrated circuit includes multiple layers of memory, a layer including sub-layers of semiconductor material. The integrated circuit also includes an access signal generator configured to generate an access signal to facilitate an access operation, and a characteristic adjuster configured to adjust the access signal for each layer in the multiple layers of memory.

Abstract: An apparatus for performing secure operations with a dedicated secure processor is described in one embodiment. The apparatus includes security firmware defining secure operations, a processor configured to execute the security firmware and perform a set of operations limited to the secure operations, and a plurality of secure hardware registers, accessible by the processor and configured to receive instructions to perform the secure operations. An apparatus for performing secure operations with a plurality of security assist hardware circuits is described in another embodiment. The apparatus comprises one or more secure hardware registers configured to receive a command to perform secure operations and one or more security assist hardware circuits configured to perform discrete secure operations using one or more secret data objects.

Abstract: The subject disclosure is generally directed towards caching property values in a sparse cache for use in translating notifications to contain property values related to a source instance, e.g., for use in SMI-S compliant notifications (deletion indications). When a deletion indication translation needs properties that are unavailable in the current source instance, a cache is accessed to obtain the previous related property values. The deletion indication is translated based upon the related property values, and output, e.g., as a translated deletion indication to a client subscriber.

Abstract: A memory component includes a memory bank comprising a plurality of storage cells and a data interface block configured to transfer data between the memory component and a component external to the memory component. The memory component further includes a plurality of column interface buses coupled between the memory bank and the data interface block, wherein a first column interface bus of the plurality of column interface buses is configured to transfer data between a first storage cell of the plurality of storage cells and the data interface block during a first access operation and wherein a second column interface bus of the plurality of column interface buses is configured to transfer the data between the first storage cell and the data interface block during a second access operation.

Abstract: A method is used in managing replication of file systems. Metadata of a set of slices of a file system is updated upon performing an operation on a slice of the file system. The file system includes the set of slices. The metadata of the set of slices is used for recovering the file system.

Abstract: A plurality of processing elements (PEs) include memory local to at least one of the processing elements in a data packet-switched network interconnecting the processing elements and the memory to enable any of the PEs to access the memory. The network consists of nodes arranged linearly or in a grid to connect the PEs and their local memories to a common controller. The processor performs memory accesses on data stored in the memory in response to control signals sent by the controller to the memory. The local memories share the same memory map or space. The packet-switched network supports multiple concurrent transfers between PEs and memory. Memory accesses include block and/or broadcast read and write operations, in which data can be replicated within the nodes and, according to the operation, written into the shared memory or into the local PE memory.

Abstract: A system and method for allocating software resources. Multiple tasks are received from a network in which each task requires at least one software resource. Each task is analyzed to determine the type of resource(s) required to execute each such task. The availability of the software resource(s) is determined and, if available, allocated to the requesting task. If the software resource(s) is not available, the task is stored in a queue until the software resource(s) becomes available.

Abstract: In some embodiments, a method includes executing an atomic transaction in a system having a transactional memory. The method includes receiving a signal interrupt during executing of the atomic transaction. The method includes storing a state of the signal interrupt to enable subsequent execution of the signal interrupt. The method includes returning to executing the atomic transaction until the atomic transaction is at least one of completed and aborted. The method includes after executing the atomic transaction is at least one of completed and aborted, determining whether the signal interrupt is received during executing of the atomic transaction. The method includes after determining that the signal interrupt is received during executing of the atomic transaction, retrieving the state of the signal interrupt. The method includes executing an interrupt handler for processing the signal interrupt and returning from executing of the atomic transaction.

Abstract: In some embodiments, an apparatus includes a processor that is configured to execute computer usable program code to perform operations. The operations include executing an atomic transaction in a system having a transactional memory. The operations include receiving a signal interrupt during executing of the atomic transaction. The operations include storing a state of the signal interrupt to enable subsequent execution of the signal interrupt. The operations include returning to executing the atomic transaction until the atomic transaction is at least one of completed and aborted. The operations include after executing the atomic transaction is at least one of completed and aborted, determining whether the signal interrupt is received during executing of the atomic transaction. The operations include after determining that the signal interrupt is received during executing of the atomic transaction, retrieving the state of the signal interrupt.

Abstract: An example system may include one or more collectors, an analyzer, and a presentation module. The one or more collectors receive a plurality of data streams that include operational data for a plurality of application nodes. The plurality of data streams are captured and provided by a plurality of meters deployed on at least one cloud computing platform to respectively meter the plurality application nodes. The analyzer processes the plurality of data streams to generate real-time performance data for an application associated with the plurality of application nodes. The presentation module streams the real-time performance data to at least one stakeholder of the application for display via a dashboard. The real-time performance data includes one or more performance metrics describing the performance of plurality of the application nodes of the application.

Abstract: Exemplary methods are provided for storing data in a flash storage device to facilitate subsequent detection of tampering, comprising receiving a plaintext; reading first metadata associated with a device sector; encrypting the plaintext based on the first metadata to generate a cipher text and first authentication data; storing the cipher text in the sector; and storing the first authentication data as second metadata associated with the sector. Exemplary methods are also provided for detecting tampering with data stored in a flash storage device, comprising determining a physical location in a device sector; reading cipher text from the physical location; reading first authentication data and maintenance metadata associated with the sector; decrypting the cipher text based on a user key and the maintenance metadata to generate second authentication data; and determining the occurrence of tampering based on the first and second authentication data. Memory devices embodying said methods are also provided.

Abstract: The described embodiments include a computing device that performs operations for at least one of resizing or relocating a table in a memory in the computing device. In the described embodiments, the computing device includes at least one register storing a table base address indicating an original location of an original table in the memory and a table size indicating an original size of the original table in the memory. When relocating the original table, the computing device copies, using the table base address, some or all of the entries from the original table to a new table in the memory and then updates the table base address to indicate a location of the new table in the memory. When resizing the original table, the computing device updates the table size to indicate a new size.

Abstract: Example implementations relate to enabling native application capabilities. Some implementations may determine a set of object capabilities related to a source object stored in a remote third party repository. In some examples, the set of object capabilities represent at least one capability associated with the source object available to a third party application handling the source object. Some implementations may also determine a native application capability associated with the source object based on the determined set of object capabilities. Some implementations may also enable, in a native application, the native application capability for the source object.

Abstract: Multiple lock assemblies are distributed on a chip, each lock assembly manage a lock application message for applying for a lock and a lock release message for releasing a lock that are sent by one small core. Specifically, embodiments include receiving a lock message sent by a small core, where the lock message carries a memory address corresponding to a lock requested by a first thread in the small core; calculating, using the memory address of the requested lock, a code number of a lock assembly to which the requested lock belongs; and sending the lock message to the lock assembly corresponding to the code number, to request the lock assembly to process the lock message.

Abstract: An information handling system includes a processor operable to receive a system management interrupt, and an embedded controller coupled to the processor via a primary interface and via a system management interrupt interface. The embedded controller receives a command to enable address decoding from the processor via the primary interface, sends the system management interrupt via the system management interrupt interface in response to receiving the command, and receives an indication from the processor via the primary interface, the indication including a determination if the processor was operating in a system management mode when the processor sent the command.

Abstract: In an embodiment of the invention, a method includes: determining, in a computer, an area where an undesired computer program will reside; and providing a data object in the area, so that the data object is an antibody that provides security to the computer and immunity against the undesired program. Another embodiment of the invention also provides an apparatus (or system) that can be configured to perform at least some of the above functionalities.

Abstract: Computer-based methods, techniques, and systems for automatically protecting a storage device from unwanted alterations are provided. Example embodiments provide a Disk Access Redirection System, which includes a Redirection Driver, an Available Space Table (“AST”), a Protected Space Redirection Table (“PSRT”), and optionally an Unprotected Space Table (“UST”). The Redirection Driver is installed and registered with the computer operating system so that it can intercept storage device access requests (such as a disk read/write). When a storage access request for a read or write is sent, the request is intercepted by the Redirection Driver, transparent to the code that invokes the storage access request.

Abstract: An apparatus and method for protecting kernel data integrity in an electronic device are provided. The method includes mapping a specified type of data to a read-only memory area, detecting a write attempt to the specified type of data, determining whether a process attempting to write to the specified type of data is permitted according to a specified condition, and allowing the write attempt if the process attempting to write to the specified type of data satisfies the specified condition.

Abstract: A guest operating system (OS) detects a direct memory access (DMA) write request for a device assigned to a guest OS to perform a DMA write to a page of memory and, prior to a write access of to the page, sets a DMA write state of a guest physical address for the requested page of memory to indicate that a DMA write operation is in progress for the requested page. The guest OS causes a virtual central processing unit (CPU) to attempt to write to the requested page of memory and sends the DMA write request to the device to cause the device to write to the requested page of memory.

Abstract: Methods, systems, and computer program products are provided for enabling selective file system access by applications. An application is installed in a computing device. An application manifest associated with the application is received. The application manifest indicates one or more file types that the application is allowed to access. The indicated file type(s) are registered in a location accessible by a broker service. The application is launched as an application process. The application process is isolated in an application container. The application container prevents direct access by the application process to file system data. An access request related to first data of the file system data is received at the broker service from the application process. Access by the application process to the first data is enabled when the broker service determines that a file type of the first data is included in the registered file type(s).

Abstract: This disclosure proposes techniques for graphics processing. In one example, a graphics processing unit (GPU) is configured to access a memory according to one of an unsecure mode and a secure mode. The GPU may include a memory access controller configured to direct memory transactions from at least one hardware unit of the GPU to a secure context bank in a memory controller when the GPU is operating in a secure mode, and configured to direct memory transactions from the at least one hardware unit of the GPU to an unsecure context bank in the memory controller when the GPU is operating in the unsecure mode.