Abstract: In some implementations, a memory device may determine, from a list of key-value pair sets, a key-value pair set. The memory device may identify, from the key-value pair set selected from the list of key-value pair sets, a first key that is included in at least one other key-value pair set from the list of key-value pair sets. The memory device may identify, from the key-value pair set selected from the list of key-value pair sets, a second key that is not included in at least one other key-value pair set from the list of key-value pair sets. The memory device may form a new key-value pair set that excludes the first key and includes the second key. The memory device may replace the key-value pair set selected from the list of key-value pair sets with the new key-value pair set.

Abstract: Disclosed Methods, Apparatus, and articles of manufacture to profile page tables for memory management are disclosed. An example apparatus includes a processor to execute computer readable instructions to: profile a first page at a first level of a page table as not part of a target group; and in response to profiling the first page as not part of the target group, label a data page at a second level that corresponds to the first page as not part of the target group, the second level being lower than the first level.

Abstract: Automatic file system capacity management techniques are provided using file system utilization prediction. One method comprises obtaining input data representing a utilization of a storage capacity of a file system of a given storage system; predicting a future utilization of the storage capacity of the file system based on a portion of the obtained input data; and automatically adjusting the storage capacity of the file system based at least in part on a result of a comparison of the predicted utilization of the storage capacity to a current utilization of the storage capacity. The comparison of the predicted utilization to a current utilization of the storage capacity may comprise comparing the current utilization of the storage capacity to the predicted utilization of the storage capacity for at least first and second time periods following a current time period to determine a trend of the utilization of the storage capacity.

Abstract: Securing communications over a compute express link (CXL) is performed by receiving allocation of memory in a memory device and a key identifier (ID) to a trusted execution environment virtual machine (TEE VM); configuring a random key for the key ID by sending a random key configuration request to instruct a device security manager (DSM) of the memory device to configure a memory encryption engine (MEE) of the memory device with the random key and the memory allocation; initializing the allocated memory using the random key; and enabling secure access by the TEE VM to the allocated memory over the CXL by encrypting data transfers from the TEE VM to the memory device using the random key or decrypting data transfers from the memory device to the TEE VM using the random key.

Abstract: Some aspects as disclosed herein are directed to, for example, a system and method of providing flexible surge volume management to applications when performance capacity is available. The system and method may comprise determining when a data surge is occurring and in response determining available performance capacity and automatically allocating, the available performance capacity, to storage group applications performing data operations.

Abstract: In one embodiment, a data mover accelerator is to receive, from a first agent having a first address space and a first process address space identifier (PASID) to identify the first address space, a first job descriptor comprising a second PASID selector to specify a second PASID to identify a second address space. In response to the first job descriptor, the data mover accelerator is to securely access the first address space and the second address space. Other embodiments are described and claimed.

Abstract: To replicate a source LUN to a different storage system platform, a first storage system transmits a request to replicate a LUN along with attributes for the LUN to a second storage system. The second storage system maps the attributes to attributes used and understood by the platform of the second storage system. The second storage system then creates a destination LUN based on the mapped attributes. Since the destination LUN is created with similar attributes as the source LUN, the destination LUN can store the replicated data of the source LUN while still being accessed and recognized as a LUN by the second storage system. The second storage system also stores any proprietary attributes received from the first storage system so that the proprietary attributes can be supplied to the first storage system to recover the source LUN after a data loss event.

Abstract: In a method of operating a storage device including a plurality of storage regions, a first request is received. The first request is for a cryptographic erasure with respect to a first storage region. During a first time interval, a first encryption key corresponding to the first storage region is changed based on the first request. A second request is received. In response to receiving the second request within the first time interval, a region access signal is outputted. In response to determining, based on the region access signal, that the second request is associated with the first storage region, an execution of the second request is held. In response to determining, based on the region access signal, that the second request is associated with a second storage region among the plurality of storage regions, the second request is executed.

Abstract: Systems, apparatuses, and methods related to isolating virtual machines in a memory device are described. A memory apparatus includes a memory device and a controller coupled to the memory device, wherein the controller is configured to provide a plurality of Peripheral Component Interconnect express (PCIe) functions of the memory device and isolate access to each of the plurality of PCIe functions via respective passwords and digital signatures created from host keys.

Abstract: A front-end firmware component of a memory sub-system receives a first request to perform a first set of initialization operations and initiates a first set of initialization operations for the front-end component in parallel with initiating a second set of initialization operations for a back-end component. Responsive to completing the first set of initialization operations, the front-end component sends a first notification to a host computer system to indicate that the front-end component is available to respond to requests for configuration data associated with the memory sub-system, receives a second request from the host computer system for a configuration data associated with the memory sub-system, and responsive to receiving the second request from the host computer system before the back-end component has completed the second set of initialization operations, provides the configuration data to the host computer system.

Abstract: Memory devices, systems including memory devices, and methods of operating memory devices are described, in which security measures may be implemented to control access to a fuse array (or other secure features) of the memory devices based on a secure access key. In some cases, a customer may define and store a user-defined access key in the fuse array. In other cases, a manufacturer of the memory device may define a manufacturer-defined access key (e.g., an access key based on fuse identification (FID), a secret access key), where a host device coupled with the memory device may obtain the manufacturer-defined access key according to certain protocols. The memory device may compare an access key included in a command directed to the memory device with either the user-defined access key or the manufacturer-defined access key to determine whether to permit or prohibit execution of the command based on the comparison.

Abstract: A method for detecting an unauthorized physical access to a bus system. The method including: acquiring a measuring signal which assumes a first state when the voltage signal lies above a threshold voltage and a second state when the voltage signal does not; detecting a test-level sequence in the voltage signal; forming a measuring-signal pattern based on the measuring signal; comparing the measuring-signal pattern to a reference pattern that is assigned to the detected test-level sequence and was determined based on a reference measuring signal for the test-level sequence in a state of the bus system in which no unauthorized physical access was present; and determining that a possible unauthorized physical access is present if the measuring-signal pattern and the reference pattern differ from each other in one or more predetermined properties by more than a specific tolerance.

Abstract: It is presented a method for controlling access to an access object. The method is performed in an access control device and comprises the steps of: receiving a user input to reset the access control device; generating a new identifier for the access control device, and discarding any previously used identifier for the access control device; communicating with an electronic key to obtain an identity of the electronic key; obtaining a plurality of delegations, wherein each delegation is a delegation from a delegator to a receiver; and granting access to the access object only when the plurality of delegations comprise a sequence of delegations covering a delegation path from the access control device, identified using the new identifier, to the electronic key such that, in the sequence of delegations, the delegator of the first delegation is the access control device, and the receiver of the last delegation is the electronic key.

Abstract: Aspects of a storage device including a memory and a controller are provided. The memory includes a plurality of non-volatile memory packages coupled to the switch, in which each non-volatile memory package includes a plurality of non-volatile memory dies. The controller can select a non-volatile memory package with the switch. The controller can establish a data channel connection between the selected non-volatile memory package and the controller via the switch. In some aspects, the selected non-volatile memory package is transitioned into an active mode and one or more non-selected non-volatile memory packages are each transitioned into a standby mode. The controller also can perform one or more storage device operations with one or more non-volatile memory dies of the plurality of non-volatile memory dies within the selected non-volatile memory package. Thus, the controller may facilitate a switch based ball grid array extension, thereby improving memory capacity of the storage device.

Abstract: Apparatuses and methods related to updating data lines for data generation in, for example, a memory device or a computing system that includes a memory device. Updating data lines can include updating a plurality of data lines. The plurality of data lines can provide data form the memory array responsive to a receipt of the access command. The plurality of data lines can also be updated responsive to a determination that an access command received at a memory device is unauthorized.

Abstract: A method for registering and provisioning an electronic device is provided. The method includes a step of inserting a first keypair into a secure element of the electronic device. The first keypair includes a public key and a private key. The method further includes a step of requesting, from a remote server configured to register and provision connected devices, a provisioning of credentials of the electronic device. The method further includes a step of verifying, by the remote server, the electronic device credentials. The method further includes a step of registering, by the remote server, the electronic device. The method further includes a step of transmitting, from the remote server to the electronic device, a device certificate. The method further includes steps of installing the transmitted device certificate within the secure element of the electronic device, and provisioning the electronic device according to the installed device certificate.

Abstract: Identifying and removing a tracking capability from an external domain that performs a tracking activity on a host web page. Tracking capabilities of an external domain may be removed by altering web requests and/or responses to API calls. Once these tracking capabilities of the external domain have been removed, the altered web requests and/or altered responses to API calls may be transmitted to a web browser and/or entity making the API call thereby protecting user privacy while allowing the external domain to interact with the host web page.

Abstract: Memory devices, systems including memory devices, and methods of operating memory devices are described, in which security measures may be implemented to control access to a fuse array (or other secure features) of the memory devices based on a secure access key. In some cases, a customer may define and store a user-defined access key in the fuse array. In other cases, a manufacturer of the memory device may define a manufacturer-defined access key (e.g., an access key based on fuse identification (FID), a secret access key), where a host device coupled with the memory device may obtain the manufacturer-defined access key according to certain protocols. The memory device may compare an access key included in a command directed to the memory device with either the user-defined access key or the manufacturer-defined access key to determine whether to permit or prohibit execution of the command based on the comparison.

Abstract: The storage device and storage virtualization system include a non-volatile memory device, and a memory controller configured to generate at least one virtual device corresponding to a physical storage area of the non-volatile memory device, and convert a virtual address for the virtual device into a physical address in response to an access request.

Abstract: According to one embodiment, a storage device is configured to store unencrypted user data. The user data is erased according to at least one data erasure mechanism. The storage device comprises a receiver configured to receive an inquiry from a host device, and a transmitter configured to transfer response information indicating the at least one data erasure mechanism to the host device.

Abstract: Systems, computing devices, and methods for authenticating privileged subsystem access by policy and by use of a security key generated at boot are disclosed herein. According to an aspect, a method includes generating a security key upon boot of a host-facing interface for a client. The method also includes communicating the security key to a baseboard management controller. Further, the method includes authenticating, to the host-facing interface commands, based on the security key. The method may also include implementing a policy associated with the security key. Further, in response to determining that a received command is not allowed by policy or the security key is not authenticated, an external server port or debug header may be disabled to prevent execution of the command.

Abstract: Systems and methods for decryption of payloads are disclosed herein. In various embodiments, systems and methods herein are configured for decrypting thousands of transactions per second. Further, in particular embodiments, the systems and methods herein are scalable, such that many thousands of transactions can be processed per second upon replicating particular architectural components.

Abstract: A method for use in a storage system, the method comprising: receiving, at a first storage processor in the plurality, an Input/Output (I/O) request that is associated with a storage object; identifying an entity associated with the I/O request and the storage object; detecting, by the first storage processor, whether the first storage processor is a current owner of the storage object; when the first storage processor is the current owner of the storage object, setting a lock on the entity, the lock being set by the first storage processor, the lock being set independently of any other storage processors in the storage system; when the first storage processor is not the current owner of the storage object, setting the lock in cooperation with the current owner of the storage object; and executing the I/O request based on the entity after the lock has been set.

Abstract: A data storage device having self-destruction function is disclosed. The data storage device is inserted into a host and includes a controller, a plurality of flash memories, a trigger, and a backup power module. When the data storage device is pulled out of the host, the trigger is triggered and transmits a physical-destruction activating signal to the backup power module, and the backup power module outputs a high voltage to the flash memories according to the physical-destruction activating signal so that the flash memories can be destroyed by the high voltage.

Abstract: Apparatuses and methods related to tracking unauthorized access commands for memory. Identifying unauthorized memory access can include verifying whether an access command is authorized to access a protected region of a memory array. The authorization can be verified utilizing a key and a memory address corresponding to the access command. If an access command is authorized to access a protected region, then a row of the memory array corresponding to the access command can be activated. If an access command is not authorized to access the protected region, then an access count can be incremented to signify the unauthorized access command.

Abstract: One general aspect of device reservation state synchronization in accordance with the present description, device reservation management logic ensures synchronization of reservation states of primary and secondary volumes of a mirror relationship in the event of a change in the state of the mirroring relationship such as achieving full data synchronization between the volumes. Other features and aspects may be realized, depending upon the particular application.

Abstract: Example implementations described herein are directed to Input/Output (I/O) path reservation with out of band management. In example implementations, for failure of a storage orchestrator to delete the path between the container and the first volume, the example implementations described herein are directed to deleting a path between the first volume and a quorum volume; and establishing an I/O path between the new container and the second volume.

Abstract: Embodiments herein are directed towards systems and methods for performing range lookups in B?-trees. One example method involves receiving a request to return key-value pairs within a range of keys from the B?-tree. The B?-tree includes a plurality of nodes, each node being associated with a buffer that stores key-value pairs. The method further involves determining a fractional size of the range of keys. The method further involves, for each level of the B?-tree, obtaining from within one or more buffers of one or more nodes of the level, a set of key-value pairs within the range of keys up to a size equal to the fractional size and transferring the set of key-value pairs to a result data structure. The method further involves sorting and merging all key-value pairs in the result data structure and returning the result data structure in response to the request.

Abstract: Example techniques herein determine that an event associated with a monitored computing device is associated with a security violation. Terms are extracted from at least two command lines associated with the event. Term representations of the at least two terms are determined based at least in part on a trained representation mapping. Two or more first filter outputs are determined based at least in part on the term representations of terms in a respective first subset of the terms. An indication of whether the event is associated with a security violation is determined at least partly by operating a trained classification computational model (CM) based at least in part on the two or more first filter outputs. Various examples train a word2vec or other x2vec model to provide the representation mapping. Various examples train a CM having convolutional and classification sections to provide the indication.

Abstract: A cloud-native global file system in which a local filer creates objects and forward them to a cloud-based object store is augmented to include constant-time rekeying (CTR). At volume creation time on the filer, a random Intermediate Key (IK) is generated. The IK is encrypted using one or more public key(s) for the volume in question, and then stored in encrypted form in a volume metadata file (e.g., cloudvolume.xml) alongside the other volume information. Once created, the IK is treated like any other volume metadata. During startup of a volume manager on the filer, the one or more per-volume IK blobs (present) are decrypted using an appropriate secret key, and then cached in memory. All objects sent to the cloud are then symmetrically encrypted to the current IK for that volume. All objects read from the cloud are decrypted using the locally-cached IK.

Abstract: An apparatus and method of providing direct access to a non-volatile memory of a non-volatile memory device and detecting potential security violations are provided. A method for providing access to a non-volatile memory of a non-volatile memory device may include tracking a parameter related to a plurality of direct access transactions of the non-volatile memory. A threshold behavior pattern of the host activity may be determined based upon the tracked parameters. The direct access transactions may be reviewed to determine whether the threshold behavior pattern is exceeded.

Abstract: A security system and a security method of stored data are provided. In the security system and the security method, a central processing unit performs hashing operation on a seed code to generate a data access code, which is then compared with a password stored in a storage device. If there is no password in the storage device, the data access code is written into the storage device as the password. On the other hand, if the data access code does not match the password, the storage device denies the access request from the central processing unit.

Abstract: An information processing apparatus includes: a processor that: compares first and second identification information, wherein the first identification information identifies a storage medium in which apparatus information about the information processing apparatus is saved, the apparatus information is memorized in a main board of the information processing apparatus, and the second identification information identifies a storage medium connected to the information processing apparatus; detects that a save destination of the apparatus information is replaced when the first and second identification information do not coincide with each other; and determines a state of the save destination of the apparatus information in accordance with a storage state of the apparatus information in the connected storage medium and a storage state of the apparatus information in the main board of the information processing apparatus when the first and second identification information coincide with each other.

Abstract: An electronic device is provided. The electronic device includes a memory and at least one processor configured to execute a first application among at least one application stored in the memory, determine whether to permit to provide meta information including information for accessing first data related to a first function of the first application stored in the memory based on first user information with which the first application is executed, and perform control as to whether to provide a virtual file system with the meta information about the first data.

Abstract: An in-band remote access controller access system includes a remote access controller. A Basic Input/Output System (BIOS) that is coupled to the remote access controller and includes a BIOS storage that stores a configuration table including a plurality of function definitions that are configured to provide for the management of an in-band communication session with the remote access controller. A secure storage system includes boot security information that is configured to provide for the performance of a managed boot of the BIOS. A processing system provides, to the remote access controller using at least one of the plurality of function definitions, application security information provided by an application requesting access to the remote access controller. The remote access controller authenticates the application security information using the boot security information and, in response, establishes a communication session with the application.

Abstract: Generally described, one or more aspects of the present application correspond to techniques for creating encrypted block store volumes of data from unencrypted object storage snapshots of the volumes. These encryption techniques use a special pool of servers for performing the encryption. These encryption servers are not accessible to users, and they perform encryption and pass encrypted volumes to other block store servers for user access. The encryption context for the volumes can be persisted on the encryption severs for as long as needed for encryption and not shared with the user-facing servers in order to prevent user access to encryption context.

Abstract: Providing a server polling component for remote cryptographic key erasure resilient to network outage. A set of keys received from a server are stored on data storage. The data storage sends a status request to the server. If a key enabled status is received, the data storage continues normal operations. If a key disabled status is received, a key failure action is performed. The key failure action includes deleting one or more of the keys in the set of keys or shutting down one or more storage devices of the data storage. If no response is received from the server, the data storage iteratively resends the status request at retry time intervals until a response is received from the server or until a time out period expires. On expiration of the time out period, the key failure action is performed.

Abstract: Systems, methods, and computer program products retrieve data from a low retrieval speed device. A request is made to retrieve data from the low retrieval speed device. A determination is made that the time to respond to the request will exceed a threshold amount of time. In response to the determination that the time to respond to the request will exceed the threshold amount of time, a load stall interrupt is generated. In response to the load stall interrupt, one or more system resources associated with a source of the request are released.

Abstract: An apparatus comprises a set of registers and mapping circuitry to perform a mapping operation to map each of a set of register specifiers to a respective register from among the set of registers in dependence on a mapping function. The mapping function is dependent on a key value. In addition, the mapping for at least two register specifiers from among the set of register specifiers is dependent on the same key value.

Abstract: A method and a terminal for unlocking a screen of a terminal having fingerprint sensors are provided. The method includes the following. A press instruction on a designated unlocking area of the terminal is acquired. A press interrupt request is initiated according to the press instruction and fingerprint data are collected at a press position corresponding to the press instruction. The fingerprint data are compared with fingerprint verification data pre-stored in the terminal. Based on a determination that the fingerprint data and the fingerprint verification data are matched, a screen interface of the terminal is enabled and the screen of the terminal is lit up when a response instruction of the press interrupt request is received.

Abstract: According to one embodiment, a data storage apparatus includes a controller with a data protection function. The controller manages first and second personal identification data. The first personal identification data only includes authority to request inactivation of the data protection function. The second personal identification data includes authority to request inactivation of the data protection function and activation of the data protection function. The controller permits setting of the first personal identification data, when the second personal identification data is used for successful authentication and the first personal identification data is an initial value, or when the data protection function is in an inactive state.

Abstract: Techniques are described for cryptographic key generation based on biometric data associated with a user. Biometric data, such as fingerprint(s) and/or heartbeat data, may be collected using one or more sensors in proximity to the user. The biometric data may be analyzed to generate a cryptographic key. In some implementations, the key may be employed by the user to access data, access certain (e.g., secure) feature(s) of an application, authenticate the user, digitally sign document(s), and/or for other purpose(s). In some implementations, the key may be re-generated for each access request or authentication instance, based on the user's fingerprint or other biometric data.

Abstract: An electronic system is provided. The electronic system includes a first electronic device and a second electronic device. The first electronic device generates a new key every certain time period. The second electronic device establishes a connection with the first electronic device to receive the new key therefrom to store the new key as a latest received key. When the first electronic device receives an input event under a locked status, the first electronic device requests the second electronic device to transmit the latest received key thereto, determines that whether the latest received key is the same as the new key and switches to a power on and unlocked status automatically when the latest received key is the same s the new key.

Abstract: A monitoring system (1) comprises an interface (2) for receiving source alerts from at least one detection engine, a database (7) of historical events; and a classifier (3) for classifying received source alerts by linking a source alert with an historical event or a current source alert to provide a link, and providing said link as an output alert. The classifier comprises match methods (9) for processing source alerts and generating a score for extent of matching of a source alert with an historical event or current source alert, a voting engine (4) for weighting scores from the match methods (9), and a linking function (6) for determining that there is a link if a combination of the weighted outputs of a plurality of match methods exceeds a threshold. At least some match methods (9) are each associated with a specific field of a source alert such as a numerical value field or a name field of a source alert.

Abstract: Aspects of the disclosure relate to hierarchical data structures. A method is disclosed for storing data in a hierarchical data structure. The method may include receiving first data to be committed in a distributed database, the first data including one or more data elements. A result of the selection function may be computed, applying the selection function to each of the one or more data elements. A first node of a first hierarchical data structure may be identified based on the result of the selection function applied to a first data element. The first node of the first hierarchical data structure may be updated using the first data element.

Abstract: An information handling system has a secure data storage partition allocation. Access to the secure storage partition is limited to a set of authorized functions authorized to access the secure storage partition. The authorization of a function may be determined by a unique identification corresponding to the function or a reverse trace.

Abstract: Disclosed herein are embodiments related to security in cloudlet environments. In some embodiments, for example, a computing device (e.g., a cloudlet) may include: a trusted execution environment; a Basic Input/Output System (BIOS) to request a Key Encryption Key (KEK) from the trusted execution environment; and a Self-Encrypting Storage (SES) associated with the KEK; wherein the trusted execution environment is to verify the BIOS and provide the KEK to the BIOS subsequent to verification of the BIOS, and the BIOS is to provide the KEK to the SES to unlock the SES for access by the trusted execution environment.

Abstract: Embodiments of the systems and methods disclosed include a durable multiversion modification of B+-tree with full transaction semantics. In-memory and persistent page images are managed without a buffer manager. Instead, a non-leaf page downlink directly points either to in-memory or on-disk pages. In turn, the reduced amount of fetches per page access improves scalability on multi-core hardware platforms. Embodiments include structurally consistent copy-on-write checkpoints that enable using row-level write-ahead logs. In combination with in-memory undo log for multiversion concurrency control, the amount of persistent storage operations is significantly reduced.

Abstract: Techniques are disclosed to provide scalable spinlocks for non-uniform memory access (NUMA). In some examples, a global spinlock configured to protect access to a shareable resource is protected by multiple local spinlocks, which are each configured to control access to the global spinlock. In a multi-socket NUMA system, the global spinlock is allocated on one of the sockets, and the local spinlocks are distributed over the multiple sockets. In some embodiments, one local spinlock is allocated on each of the multiple sockets. In other embodiments, the multiple local spinlocks may be equally distributed over the NUMA sockets. When contention for the global spinlock is low, processes can attempt to directly acquire the global spinlock. In contrast, when contention for the global spinlock is high, processes need to first acquire one of the local spinlocks associated with the global spinlock before attempting to acquire the global spinlock.

Abstract: An information processing apparatus that generates a second password different from a first password in response to a password change request from a terminal, and generates and sends a change screen page to the terminal, stores the first password as an old password, and sends a notification when an authentication is attempted using the old password.