Abstract: Accessing privileged objects in a server environment. A privileged object is associated with an application comprising at least one process resource and a corresponding semi-privileged instruction. The association is filed in an entity of an operating system kernel. A central processing unit (CPU) performs an authorization check if the semi-privileged instruction is issued and attempts to access the privileged object. The CPU executes the semi-privileged instruction and grants access to the privileged object if the operating system kernel has issued the semi-privileged instruction; or accesses the entity if a process resource of the application has issued the semi-privileged instruction to determine authorization of the process resource to access the privileged object.

Abstract: In a method of the invention, a plurality of distributed service requestors input service requests, and the service requests are replicated to at least two of a plurality of request processing components that are located within a communication path between the requestors and the data store. The method also includes preventing any request processing component that has not successfully claimed the service request from processing the service request A first request processing component can claim responsibility for the service request; and the first request processing component can process its replica of the claimed service request, including accessing data within the data store. The method also includes preventing any of the plurality of request processing components from entering a duplicate claim to responsibility for the service request.

Abstract: In an embodiment, a data processing method comprises: in a computer executing a supervisor program, the supervisor program establishing different memory access permissions comprising any combination of read, write, and execute permissions for one or more different regions of memory of a first domain, receiving a request from a process to execute a particular memory page of the regions of memory, the particular memory page comprising a memory access permission set to read-writeable or read-only, throwing an execute fault for the particular memory page, performing one or more responsive actions to restore execution access or content of the particular memory page, and after performing the one or more responsive actions, setting the memory access permission to execute only.

Abstract: A computer processor includes an instruction processing pipeline that interfaces to a hierarchical memory system employing an address space. The instruction processing pipeline includes execution logic that executes at least one thread in different protection domains over time, wherein the different protection domains are defined by region descriptors each including first data specifying a memory region of the address space employed by the hierarchical memory system and second data specifying permissions for accessing the associated memory region. The address space can be a virtual address space or a physical address space. The protection domains can be associated with different turfs each representing a collection of region descriptors. A given thread can execute in a particular turf, one turf at a time. The particular turf can be selectively configured to change over time.

Abstract: A virtual-machine-based system that may protect the privacy and integrity of application data, even in the event of a total operating system compromise. An application is presented with a normal view of its resources, but the operating system is presented with an encrypted view. This allows the operating system to carry out the complex task of managing an application's resources, without allowing it to read or modify them. Different views of “physical” memory are presented, depending on a context performing the access. An additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processors is provided.

Abstract: In accordance with embodiments of the present disclosure, a system may include a storage controller for managing virtual storage resources and physical storage resources of one or more information handling systems. The storage controller may be configured to, responsive to removal of a physical storage resource owned by the storage controller from a first information handling system broadcast a request to one or more other information handling systems to determine if the physical storage resource has been relocated to a second information handling system. The storage controller may also be configured to, responsive to receiving a reply from the second information handling system indicating that the physical storage resource has been relocated to the second information handling system, operate in concert with a second storage controller of the second information handling system to use the data of the physical storage resource.

Abstract: An apparatus and a method for identifying security of an electronic device are provided. The method includes identifying a security state of a system binary loaded to a memory of the electronic device based on booting of the electronic device in a second operating system of the electronic device, and sending security state information to a first operating system in the second operating system based on a request from the first operating system of the electronic device.

Abstract: An integrated circuit protection device, including: groups of radiation detection elements distributed in a matrix array; logic gates combining outputs of the detection elements in rows and in columns, each output of a detection element being connected to a gate combining a row and to a gate combining a column; and a circuit for interpreting signals supplied by said logic gates and including an event counter and a delay element.

Abstract: Methods, systems, and computer program products for accessing a protected function are provided. A computer-implemented method includes allocating and initializing a guest virtual address for a virtual machine function. A user bit and a valid bit are configured to protect a page associated with the guest virtual address. Once the user bit and the valid bit are configured, the virtual machine function is mapped to the guest virtual address. Supervisor mode is requested in order to access the virtual machine function. In supervisor mode, the virtual machine function is validated and executed.

Abstract: Access level and security group information can be updated for a data instance without having to take down or recycle the instance. A data instance created in a data environment will have at least one default security group. Permissions can be applied to the default security group to limit access via the data environment. A control security group can be created in a control environment and associated with the default security group. Permissions can be applied and updated with respect to the control security group without modifying the default security group, such that the data instance does not need to be recycled or otherwise made unavailable. Requests to perform actions with respect to the control security groups are made via the control environment, while allowing native access to the data via the data environment.

Abstract: A method of protecting software for embedded applications against unauthorized access. Software to be protected is loaded into a protected memory area. Access to the protected memory area is controlled by sentinel logic circuitry. The sentinel logic circuitry allows access to the protected memory area from only either within the protected memory area or from outside of the protected memory area but through a dedicated memory location within the protected memory area. The dedicated memory location then points to protected address locations within the protected memory area.

Abstract: A flexible transactional data structure can be used to store message header in a transactional middleware machine environment. The flexible transactional data structure can have dynamic numbers of fields and is accessible via specified IDs. The message header can include a first data structure that stores address information for accessing a client using a first message queue, and a second data structure that stores address information for accessing a client using a second message queue. The first type of server operates to use only the first data structure to obtain the address information for accessing the client using the first message queue. The second type of server operates to obtain a key from the first data structure first, and then use the key to obtain from the second data structure the address information for accessing the client using the second message queue.

Abstract: In one embodiment, a storage and privacy system stores and manages information associated with users and ensures and enforces access-control rules specified for the stored information.

Abstract: According to one embodiment, a storage system includes a plurality of memory nodes that are connected to each other in two or more different directions and a connection unit. The connection unit issues a command in response to a request from the outside. In the storage system, a plurality of logical memory nodes are constructed by allocating, to one logical memory node, memory nodes including at least one first memory node which stores data to be accessed by the command and a second memory node which stores redundant data of the data stored in the first memory node. The command includes a first address which designates one of the plurality of logical memory nodes and a second address which designates a storage position in a memory space allocated to each logical memory node.

Abstract: The disclosure relates generally to techniques, methods and apparatus for controlling context switching at a central processing unit. Alternatively, methods and apparatus are provided for providing security to memory blocks. Alternatively, methods and apparatus are provided for enabling transactional processing using a multi-core device.

Abstract: This invention hides the page miss translation latency for program fetches. In this invention whenever an access is requested by CPU that crosses a memory page boundary, the L1I cache controller request a next page translation along with the current page. This pipelines requests to the ?TLB without waiting for L1I cache controller to begin processing the next page requests. This becomes a deterministic prefetch of the second page translation request. The translation information for the second page is stored locally in L1I cache controller and used when the access crosses the next page boundary.

Abstract: The subject disclosure is generally directed towards caching property values in a sparse cache for use in translating notifications to contain previous and source property values, e.g., for use in SMI-S compliant notifications (modification indications). When a modification indication that needs a previous instance and source instance, but only the source instance is available, a cache is accessed to obtain the previous property value. The modification indication is translated to contain the previous and source instance, and output, e.g., to a client subscriber. The cache is updated with the property values of the source instance in anticipation of being needed for a subsequent modification indication of that property.

Abstract: A processor includes support for executing binary-translated code including code modifications. The processor includes a processor core that includes a cache to store translation indicators from a physical map, each translation indicator to indicate whether a corresponding memory location includes translated code to be protected. The processor core also includes logic to execute a translated instruction. The translated instruction is translated from an instruction stored in a memory location. The processor core further includes logic to set a translation indicator in the cache corresponding to the memory location to indicate that it includes translated code to be protected. The processor core also includes logic to request senior store buffer drains of other processor cores of the processor based upon the execution of the translated instruction.

Abstract: A data processing apparatus has a debug state in which processing circuitry 105 executes instructions received from the debug interface 115. Control changing circuitry 135 prohibits the execution of instructions in a predefined privilege mode when in the debug state if a control parameter has a predefined value. In response to a first exception being signalled while in the debug state, where the first exception is intended to be handled at the predefined privilege mode, and further in response to the control parameter having the predefined value, signalling circuitry 115 signals a second exception to be handled at a different privilege mode from the predefined privilege mode and sets information identifying a type of the first exception. Consequently, without having to enter the prohibited (predefined) privilege mode, the debugger 110 can be made aware of the first exception that would ordinarily be handled at the predefined, i.e. prohibited privilege mode.

Abstract: Application authorization management is provided without installation of an agent at an operating system level. A component runs outside of the operating system, in an AMT environment. AMT is utilized to examine the operating system for applications. Identified applications are checked against a whitelist or a blacklist. Responsive to determining that an identified application is not authorized, AMT is used to redirect input/output requests targeting the application to an alternative image, which can, for example, warn the user that the application is not authorized.

Abstract: A streams manager monitors performance of a streaming application, and when the performance needs to be improved, the streams manager automatically requests virtual machines from a cloud manager. The streams manager specifies to the cloud manager streams infrastructure and one or more streams application components for the virtual machines. The cloud manager provisions one or more virtual machines in a cloud with the specified streams infrastructure and streams application components. The streams manager then modifies the flow graph so one or more portions of the streaming application are hosted by the virtual machines in the cloud.

Abstract: Memory corruption detection technologies are described. A processing system can include a processor core including a register to store an address of a memory corruption detection (MCD) table. The processor core can receive, from an application, a memory store request to store data in a first portion of a contiguous memory block of the memory object of a memory. The memory store request comprises a first pointer indicating a first location of the first portion in the memory block to store the data. The processor core can retrieve, from the MCD table, a write protection indicator that indicates a first protection mode of the first portion. The processor core can send, to the application, a fault message when a fault event associated with the first portion occurs based on the first protection mode of the first portion.

Abstract: A processing request is received. The processing request includes information about a first location where a set of data is stored and information about a second location where the set of data is to be transferred. The size of the set of data is determined. The size of the available portion of the second location is determined. If the size of the set of data is smaller than the size of the available portion of the second location is determined. Responsive to determining the size of the set of data is larger than the size of the available portion of the second location, the size of the available portion is requested to be increased. The size of the available portion of the second location is increased to a size larger than the determined size of the set of data.

Abstract: When the terminal device attempts to use a special content, which has an attribute including information distinguishing the special content from regular contents and which is stored in the recording medium device, the recording medium device refers to the revocation information indicating terminal devices restricted from using the special content. When the recording medium device determines the terminal device as a terminal device to be restricted from using the special content based on the terminal identifying information of the terminal device, the usage information output unit of the recording medium device does not transmit the necessary information for using the special content to the terminal device.

Abstract: A semiconductor device includes a plurality of memory blocks each including a plurality of memory cells, a circuit group performing a program operation, a read operation and an erase operation on a selected memory block, among the plurality of memory blocks, and a control circuit controlling the circuit group to program the memory cells of the selected memory block in a healing pattern. The healing pattern is programmed before a subsequent program operation is performed on the selected memory block. The memory cells of the healing pattern include erased memory cells and programmed memory cells arranged alternately.

Abstract: Data access optimization features the innovative use of a writer-present flag when acquiring read-locks and write-locks. Setting a writer-present flag indicates that a writer desires to modify a particular data. This serves as an indicator to readers and writers waiting to acquire read-locks or write-locks not to acquire a lock, but rather to continue waiting (i.e., spinning) until the write-present flag is cleared. As opposed to conventional techniques in which readers and writers are not locked out until the writer acquires the write-lock, the writer-present flag locks out other readers and writers once a writer begins waiting for a write-lock (that is, sets a writer-present flag). This feature allows a write-lock method to acquire a write-lock without having to contend with waiting readers and writers trying to obtain read-locks and write-locks, such as when using conventional spinlock implementations.

Abstract: The present disclosure provides systems and techniques for efficient locking of datasets in a database when updates to a dataset may be delayed. A method may include accumulating a plurality of updates to a first set of one or more values associated with one or more features. The first set of one or more values may be stored within a first database column. Next, it may be determined that a first database column update aggregation rule is satisfied. A lock assigned to at least a portion of at least a first database column may be acquired. Accordingly, one or more values in the first set within the first database column may be updated based on the plurality of updates. In an implementation, the first set of one or more values may be associated with the first lock.

Abstract: A client hosted virtualization system (CHVS) includes a processor to execute code, a security processor, a component that includes a certificate, and a non-volatile memory. The non-volatile memory includes BIOS code for the CHVS and virtualization manager code to initialize the CHVS, launch a virtual machine on the CHVS, and authenticate the component with the security processor by determining that the certificate is valid. The CHVS is configurable to execute the first code and not the second code, or to execute the second code and not the first code.

Abstract: According to an embodiment, an information processing apparatus includes a secure OS, a non-secure OS, and a monitor. The monitor is configured to switch between the OSs. The secure OS includes a memory protection setting controller, a processing determination controller, and a secure device access controller. The memory protection setting controller is configured to set a protection address in a memory for each certain processing. The processing determination controller is configured to receive an access type, a physical address of an access destination, and data to be written, acquire a list of processing, and determine a type of processing to be performed. The secure device access controller is configured to receive the access type, the physical address of an access destination, and data to be written, and access a peripheral identified by the physical address.

Abstract: A method for providing notification of a predictable memory failure includes the steps of: obtaining information regarding at least one condition associated with a memory; calculating a memory failure probability as a function of the obtained information; calculating a failure probability threshold; and generating a signal when the memory failure probability exceeds the failure probability threshold, the signal being indicative of a predicted future memory failure.

Abstract: Representative implementations of devices and techniques provide dynamic secure sharing of resources. A resource module can be partitioned into a plurality of functional blocks, which may be allocated to non-secure and secure applications. A security monitor can monitor processor activity and determine when secure resources may be accessed.

Abstract: The subject disclosure is directed towards using one or more of hardware, a hypervisor, and privileged mode code to prevent system mode code from accessing user mode data and/or running user mode code at the system privilege level, or vice-versa. Also described is (in systems with a hypervisor) preventing non-hypervisor code from running in hypervisor mode or accessing hypervisor-only data, or vice-versa. A register maintained by hardware, hypervisor, or system mode code contains data access and execution polices for different chunks of addressable space with respect to which requesting entities (hypervisor mode code, system mode code, user mode code) have access to or can execute code in a given chunk. When a request to execute code or access data with respect to an address is received, the request is processed to determine to which chunk the address corresponds. The policy for that chunk is evaluated to determine whether to allow or deny the request.

Abstract: A method is described that includes detecting that an instruction of a thread is a locked instruction. The instruction also includes determining that execution of said instruction includes imposing a bus lock. The instruction also include executing a bus lock assistance function in response to said determining, said bus lock assistance function including a function associated with said bus lock other than implementation of a bus lock protocol.

Abstract: A mechanism for detecting conflicting operations and providing resolutions in a tasking system is disclosed. A method includes receiving, by a processing device in a tasking system, a request for a call including at least one operation to be executed on at least one resource of a plurality of resources that are managed by the tasking system. The method also includes detecting an occurrence of a conflict between the at least one operation on the call request and queued operations associated with the plurality of resources. The method also includes generating at least one of a task or an error report for the at least one operation in the call request based on the conflict. The method further includes identifying task dependencies associated with the at least one task and executing the at least one task only after execution of the task dependencies.

Abstract: A communication apparatus and method based on shared memory are disclosed. The communication apparatus based on shared memory includes a data publication unit, a data subscription unit, and an access control unit. The data publication unit publishes data stored in a shared memory unit. The data subscription unit subscribes to the data stored in the shared memory unit. The access control unit controls the access of the data publication unit and the data subscription unit to the shared memory unit in response to locking operation instructions of the data publication unit and the data subscription unit with respect to the shared memory unit.

Abstract: A method, a processing system, and a non-transitory computer-readable medium configured with instructions to carry out a method of determining access permission for or during dereferencing a memory address in an allocated portion of memory of a processing system. The method comprises: providing a pointer that has a tag field and a control-structure-pointer field; and entering content in the control-structure-pointer field to point to a control structure for the allocated portion of memory. The control structure's location or content indicates the portion of memory. The method assigning a tag value for the portion in the tag fields of the pointer and of the control structure. Determining access permission including ascertaining whether the contents of the tag fields of the pointer and of the control structure match.

Abstract: Embodiments of the invention relate to modifying run-time-instrumentation controls (MRIC) from a lesser-privileged state. The MRIC instruction is fetched. The MRIC instruction includes the address of a run-time-instrumentation control block (RICCB). The RICCB is fetched based on the address included in the MRIC instruction. The RICCB includes values for modifying a subset of the processor's run-time-instrumentation controls. The subset of run-time-instrumentation controls includes a runtime instrumentation program buffer current address (RCA) of a runtime instrumentation program buffer (RIB) location. The RIB holds run-time-instrumentation information of the events recognized by the processor during program execution. The values of the RICCB are loaded into the run-time-instrumentation controls. Event information is provided to the RIB based on the values that were loaded in the run-time-instrumentation control.

Abstract: A method and a computer program are provided for implementing memory accesses. A hypervisor is used for this purpose, via which the memory access takes place.

Abstract: A data processing apparatus and method for performing speculative vector access operations are provided. The data processing apparatus has a reconfigurable buffer accessible to vector data access circuitry and comprising a storage array for storing up to M vectors of N vectors elements. The vector data access circuitry performs speculative data write operations in order to cause vector elements from selected vector operands in a vector register bank to be stored into the reconfigurable buffer. On occurrence of a commit condition, the vector elements currently stored in the reconfigurable buffer are then written to a data store. Speculation control circuitry maintains a speculation width indication indicating the number of vector elements of each selected vector operand stored in the reconfigurable buffer.

Abstract: Embodiments herein relate to accessing a memory region including confidential information. A memory request from a process may be received. The memory request may include a process ID (PID) of the process, a requested memory address, and a requested access type. The memory request may be compared to a permission set associated with a memory region including the confidential information. Access to the memory region by the process may be controlled based on the comparison.

Abstract: A processing request is received. The processing request includes information about a first location where a set of data is stored and information about a second location where the set of data is to be transferred. The size of the set of data is determined. The size of the available portion of the second location is determined. If the size of the set of data is smaller than the size of the available portion of the second location is determined. Responsive to determining the size of the set of data is larger than the size of the available portion of the second location, the size of the available portion is requested to be increased. The size of the available portion of the second location is increased to a size larger than the determined size of the set of data.

Abstract: Techniques are provided for restoring thread groups in a cooperative thread array (CTA) within a processing core. Each thread group in the CTA is launched to execute a context restore routine. Each thread group, executes the context restore routine to restore from a memory a first portion of context associated with the thread group, and determines whether the thread group completed an assigned function prior to executing the context restore routine. If the thread group completed an assigned function prior to executing the context restore routine, then the thread group exits the context restore routine. If the thread group did not complete the assigned function prior to executing the context restore routine, then the thread group executes one or more operations associated with a trap handler routine. One advantage of the disclosed techniques is that the trap handling routine operates efficiently in parallel processors.

Abstract: In an internal register, a value for controlling operation of a flash memory is stored. A power shutoff detection register holds a value which changes when power shutoff occurs, and data stored in a specific memory cell is written in the power shutoff detection register. An EX-OR circuit compares the data stored in the specific memory cell with the value of the power shutoff detection register to thereby detect power shutoff. When power shutoff is detected, the value of the internal register is re-set. Thus, when power shutoff occurs, the flash memory can be prevented from malfunctioning.

Abstract: A device configuration silo is arranged to be accessed as an IEEE 1667-compatible silo which exposes interfaces to a host application to make changes to the presence of one or more other silos, as well as make changes to silo configurations on a per-silo basis for data and method sharing among silos across the ACTs on a storage device such as a transient storage device. The interfaces exposed by the device configuration silo are arranged to enable an authenticated provisioner, like administrator in a corporate network environment, to perform configuration changes to silos after the storage device is released into the field through a secure provisioning mechanism. In addition, users may make configuration changes to silos at runtime in some usage scenarios, for example to enable discrete portions of functionality on a storage device, by using a secure secondary authentication mechanism that is exposed by the device configuration silo.

Abstract: A system and method are provided for processing to create distributed volume in a distributed storage system during a failure that has partitioned the distributed volume (e.g. an array failure, a site failure and/or an inter-site network failure). In an embodiment, the system described herein may provide for continuing distributed storage processing in response to I/O requests from a source by creating the local parts of the distributed storage during the failure, and, when the remote site or inter-site network return to availability, the remaining part of the distributed volume is automatically created. The system may include an automatic rebuild to make sure that all parts of the distributed volume are consistent again. The processing may be transparent to the source of the I/O requests.

Abstract: A system and a method are disclosed for authenticating a user of a mobile computing device. Information is received describing the location of the mobile computing device. The information can include the current location of the device or a current type of user activity associated with a location. A current timeout length is determined based on this information. If the mobile computing device has remained idle for a time period equal to the current timeout length, the user of the mobile computing device is authenticated.

Abstract: In one embodiment, a storage and privacy system stores and manages information associated with users and ensures and enforces access-control rules specified for the stored information.

Abstract: Execution-Aware Memory protection technologies are described. A processor includes an instruction fetch unit to fetch instructions of applications executing in a multitasking environment and an execution unit to execute the instructions. A memory protection unit (MPU) enforces memory access control of the applications by defining an instruction region (I-space) and a data region (D-space and linking the I-space to the D-space. When the MPU determining whether an instruction address is within the I-space and whether a data address of a data access operation is within the D-space. The MPU issues a memory protection fault for the data access operation when either the instruction address is not within the I-space or the data address is not within the D-space.

Abstract: A processor comprising multiple processor cores and a bus for exchanging data between the multiple processor cores is disclosed. Each of the multiple processor cores includes: at least one processor register; a cache for storing at least one cache line of memory; a load store unit for executing a memory command to exchange data between the cache and the at least one processor register; an atomic memory operation unit for executing an atomic memory operation on the at least one cache line of memory; and a high throughput register for storing a status indicating a high throughput or a normal status. The load store unit is operable to transfer the atomic memory operation to the atomic memory operation unit of a designated processor core if the atomic memory operation status is the high throughput status using the bus.

Abstract: A streams manager monitors performance of a streaming application, and when the performance needs to be improved, the streams manager automatically requests virtual machines from a cloud manager. The streams manager specifies to the cloud manager streams infrastructure and one or more streams application components for the virtual machines. The cloud manager provisions one or more virtual machines in a cloud with the specified streams infrastructure and streams application components. The streams manager then modifies the flow graph so one or more portions of the streaming application are hosted by the virtual machines in the cloud.