Abstract: Memory devices, systems including memory devices, and methods of operating memory devices are described, in which security measures may be implemented to control access to a fuse array (or other secure features) of the memory devices based on a secure access key. In some cases, a customer may define and store a user-defined access key in the fuse array. In other cases, a manufacturer of the memory device may define a manufacturer-defined access key (e.g., an access key based on fuse identification (FID), a secret access key), where a host device coupled with the memory device may obtain the manufacturer-defined access key according to certain protocols. The memory device may compare an access key included in a command directed to the memory device with either the user-defined access key or the manufacturer-defined access key to determine whether to permit or prohibit execution of the command based on the comparison.

Abstract: A method for detecting an unauthorized physical access to a bus system. The method including: acquiring a measuring signal which assumes a first state when the voltage signal lies above a threshold voltage and a second state when the voltage signal does not; detecting a test-level sequence in the voltage signal; forming a measuring-signal pattern based on the measuring signal; comparing the measuring-signal pattern to a reference pattern that is assigned to the detected test-level sequence and was determined based on a reference measuring signal for the test-level sequence in a state of the bus system in which no unauthorized physical access was present; and determining that a possible unauthorized physical access is present if the measuring-signal pattern and the reference pattern differ from each other in one or more predetermined properties by more than a specific tolerance.

Abstract: It is presented a method for controlling access to an access object. The method is performed in an access control device and comprises the steps of: receiving a user input to reset the access control device; generating a new identifier for the access control device, and discarding any previously used identifier for the access control device; communicating with an electronic key to obtain an identity of the electronic key; obtaining a plurality of delegations, wherein each delegation is a delegation from a delegator to a receiver; and granting access to the access object only when the plurality of delegations comprise a sequence of delegations covering a delegation path from the access control device, identified using the new identifier, to the electronic key such that, in the sequence of delegations, the delegator of the first delegation is the access control device, and the receiver of the last delegation is the electronic key.

Abstract: Aspects of a storage device including a memory and a controller are provided. The memory includes a plurality of non-volatile memory packages coupled to the switch, in which each non-volatile memory package includes a plurality of non-volatile memory dies. The controller can select a non-volatile memory package with the switch. The controller can establish a data channel connection between the selected non-volatile memory package and the controller via the switch. In some aspects, the selected non-volatile memory package is transitioned into an active mode and one or more non-selected non-volatile memory packages are each transitioned into a standby mode. The controller also can perform one or more storage device operations with one or more non-volatile memory dies of the plurality of non-volatile memory dies within the selected non-volatile memory package. Thus, the controller may facilitate a switch based ball grid array extension, thereby improving memory capacity of the storage device.

Abstract: Apparatuses and methods related to updating data lines for data generation in, for example, a memory device or a computing system that includes a memory device. Updating data lines can include updating a plurality of data lines. The plurality of data lines can provide data form the memory array responsive to a receipt of the access command. The plurality of data lines can also be updated responsive to a determination that an access command received at a memory device is unauthorized.

Abstract: A method for registering and provisioning an electronic device is provided. The method includes a step of inserting a first keypair into a secure element of the electronic device. The first keypair includes a public key and a private key. The method further includes a step of requesting, from a remote server configured to register and provision connected devices, a provisioning of credentials of the electronic device. The method further includes a step of verifying, by the remote server, the electronic device credentials. The method further includes a step of registering, by the remote server, the electronic device. The method further includes a step of transmitting, from the remote server to the electronic device, a device certificate. The method further includes steps of installing the transmitted device certificate within the secure element of the electronic device, and provisioning the electronic device according to the installed device certificate.

Abstract: Identifying and removing a tracking capability from an external domain that performs a tracking activity on a host web page. Tracking capabilities of an external domain may be removed by altering web requests and/or responses to API calls. Once these tracking capabilities of the external domain have been removed, the altered web requests and/or altered responses to API calls may be transmitted to a web browser and/or entity making the API call thereby protecting user privacy while allowing the external domain to interact with the host web page.

Abstract: Memory devices, systems including memory devices, and methods of operating memory devices are described, in which security measures may be implemented to control access to a fuse array (or other secure features) of the memory devices based on a secure access key. In some cases, a customer may define and store a user-defined access key in the fuse array. In other cases, a manufacturer of the memory device may define a manufacturer-defined access key (e.g., an access key based on fuse identification (FID), a secret access key), where a host device coupled with the memory device may obtain the manufacturer-defined access key according to certain protocols. The memory device may compare an access key included in a command directed to the memory device with either the user-defined access key or the manufacturer-defined access key to determine whether to permit or prohibit execution of the command based on the comparison.

Abstract: The storage device and storage virtualization system include a non-volatile memory device, and a memory controller configured to generate at least one virtual device corresponding to a physical storage area of the non-volatile memory device, and convert a virtual address for the virtual device into a physical address in response to an access request.

Abstract: According to one embodiment, a storage device is configured to store unencrypted user data. The user data is erased according to at least one data erasure mechanism. The storage device comprises a receiver configured to receive an inquiry from a host device, and a transmitter configured to transfer response information indicating the at least one data erasure mechanism to the host device.

Abstract: Systems, computing devices, and methods for authenticating privileged subsystem access by policy and by use of a security key generated at boot are disclosed herein. According to an aspect, a method includes generating a security key upon boot of a host-facing interface for a client. The method also includes communicating the security key to a baseboard management controller. Further, the method includes authenticating, to the host-facing interface commands, based on the security key. The method may also include implementing a policy associated with the security key. Further, in response to determining that a received command is not allowed by policy or the security key is not authenticated, an external server port or debug header may be disabled to prevent execution of the command.

Abstract: Systems and methods for decryption of payloads are disclosed herein. In various embodiments, systems and methods herein are configured for decrypting thousands of transactions per second. Further, in particular embodiments, the systems and methods herein are scalable, such that many thousands of transactions can be processed per second upon replicating particular architectural components.

Abstract: A method for use in a storage system, the method comprising: receiving, at a first storage processor in the plurality, an Input/Output (I/O) request that is associated with a storage object; identifying an entity associated with the I/O request and the storage object; detecting, by the first storage processor, whether the first storage processor is a current owner of the storage object; when the first storage processor is the current owner of the storage object, setting a lock on the entity, the lock being set by the first storage processor, the lock being set independently of any other storage processors in the storage system; when the first storage processor is not the current owner of the storage object, setting the lock in cooperation with the current owner of the storage object; and executing the I/O request based on the entity after the lock has been set.

Abstract: A data storage device having self-destruction function is disclosed. The data storage device is inserted into a host and includes a controller, a plurality of flash memories, a trigger, and a backup power module. When the data storage device is pulled out of the host, the trigger is triggered and transmits a physical-destruction activating signal to the backup power module, and the backup power module outputs a high voltage to the flash memories according to the physical-destruction activating signal so that the flash memories can be destroyed by the high voltage.

Abstract: Apparatuses and methods related to tracking unauthorized access commands for memory. Identifying unauthorized memory access can include verifying whether an access command is authorized to access a protected region of a memory array. The authorization can be verified utilizing a key and a memory address corresponding to the access command. If an access command is authorized to access a protected region, then a row of the memory array corresponding to the access command can be activated. If an access command is not authorized to access the protected region, then an access count can be incremented to signify the unauthorized access command.

Abstract: One general aspect of device reservation state synchronization in accordance with the present description, device reservation management logic ensures synchronization of reservation states of primary and secondary volumes of a mirror relationship in the event of a change in the state of the mirroring relationship such as achieving full data synchronization between the volumes. Other features and aspects may be realized, depending upon the particular application.

Abstract: Example implementations described herein are directed to Input/Output (I/O) path reservation with out of band management. In example implementations, for failure of a storage orchestrator to delete the path between the container and the first volume, the example implementations described herein are directed to deleting a path between the first volume and a quorum volume; and establishing an I/O path between the new container and the second volume.

Abstract: Embodiments herein are directed towards systems and methods for performing range lookups in B?-trees. One example method involves receiving a request to return key-value pairs within a range of keys from the B?-tree. The B?-tree includes a plurality of nodes, each node being associated with a buffer that stores key-value pairs. The method further involves determining a fractional size of the range of keys. The method further involves, for each level of the B?-tree, obtaining from within one or more buffers of one or more nodes of the level, a set of key-value pairs within the range of keys up to a size equal to the fractional size and transferring the set of key-value pairs to a result data structure. The method further involves sorting and merging all key-value pairs in the result data structure and returning the result data structure in response to the request.

Abstract: Example techniques herein determine that an event associated with a monitored computing device is associated with a security violation. Terms are extracted from at least two command lines associated with the event. Term representations of the at least two terms are determined based at least in part on a trained representation mapping. Two or more first filter outputs are determined based at least in part on the term representations of terms in a respective first subset of the terms. An indication of whether the event is associated with a security violation is determined at least partly by operating a trained classification computational model (CM) based at least in part on the two or more first filter outputs. Various examples train a word2vec or other x2vec model to provide the representation mapping. Various examples train a CM having convolutional and classification sections to provide the indication.

Abstract: A cloud-native global file system in which a local filer creates objects and forward them to a cloud-based object store is augmented to include constant-time rekeying (CTR). At volume creation time on the filer, a random Intermediate Key (IK) is generated. The IK is encrypted using one or more public key(s) for the volume in question, and then stored in encrypted form in a volume metadata file (e.g., cloudvolume.xml) alongside the other volume information. Once created, the IK is treated like any other volume metadata. During startup of a volume manager on the filer, the one or more per-volume IK blobs (present) are decrypted using an appropriate secret key, and then cached in memory. All objects sent to the cloud are then symmetrically encrypted to the current IK for that volume. All objects read from the cloud are decrypted using the locally-cached IK.

Abstract: An apparatus and method of providing direct access to a non-volatile memory of a non-volatile memory device and detecting potential security violations are provided. A method for providing access to a non-volatile memory of a non-volatile memory device may include tracking a parameter related to a plurality of direct access transactions of the non-volatile memory. A threshold behavior pattern of the host activity may be determined based upon the tracked parameters. The direct access transactions may be reviewed to determine whether the threshold behavior pattern is exceeded.

Abstract: A security system and a security method of stored data are provided. In the security system and the security method, a central processing unit performs hashing operation on a seed code to generate a data access code, which is then compared with a password stored in a storage device. If there is no password in the storage device, the data access code is written into the storage device as the password. On the other hand, if the data access code does not match the password, the storage device denies the access request from the central processing unit.

Abstract: An information processing apparatus includes: a processor that: compares first and second identification information, wherein the first identification information identifies a storage medium in which apparatus information about the information processing apparatus is saved, the apparatus information is memorized in a main board of the information processing apparatus, and the second identification information identifies a storage medium connected to the information processing apparatus; detects that a save destination of the apparatus information is replaced when the first and second identification information do not coincide with each other; and determines a state of the save destination of the apparatus information in accordance with a storage state of the apparatus information in the connected storage medium and a storage state of the apparatus information in the main board of the information processing apparatus when the first and second identification information coincide with each other.

Abstract: An electronic device is provided. The electronic device includes a memory and at least one processor configured to execute a first application among at least one application stored in the memory, determine whether to permit to provide meta information including information for accessing first data related to a first function of the first application stored in the memory based on first user information with which the first application is executed, and perform control as to whether to provide a virtual file system with the meta information about the first data.

Abstract: An in-band remote access controller access system includes a remote access controller. A Basic Input/Output System (BIOS) that is coupled to the remote access controller and includes a BIOS storage that stores a configuration table including a plurality of function definitions that are configured to provide for the management of an in-band communication session with the remote access controller. A secure storage system includes boot security information that is configured to provide for the performance of a managed boot of the BIOS. A processing system provides, to the remote access controller using at least one of the plurality of function definitions, application security information provided by an application requesting access to the remote access controller. The remote access controller authenticates the application security information using the boot security information and, in response, establishes a communication session with the application.

Abstract: Generally described, one or more aspects of the present application correspond to techniques for creating encrypted block store volumes of data from unencrypted object storage snapshots of the volumes. These encryption techniques use a special pool of servers for performing the encryption. These encryption servers are not accessible to users, and they perform encryption and pass encrypted volumes to other block store servers for user access. The encryption context for the volumes can be persisted on the encryption severs for as long as needed for encryption and not shared with the user-facing servers in order to prevent user access to encryption context.

Abstract: Providing a server polling component for remote cryptographic key erasure resilient to network outage. A set of keys received from a server are stored on data storage. The data storage sends a status request to the server. If a key enabled status is received, the data storage continues normal operations. If a key disabled status is received, a key failure action is performed. The key failure action includes deleting one or more of the keys in the set of keys or shutting down one or more storage devices of the data storage. If no response is received from the server, the data storage iteratively resends the status request at retry time intervals until a response is received from the server or until a time out period expires. On expiration of the time out period, the key failure action is performed.

Abstract: Systems, methods, and computer program products retrieve data from a low retrieval speed device. A request is made to retrieve data from the low retrieval speed device. A determination is made that the time to respond to the request will exceed a threshold amount of time. In response to the determination that the time to respond to the request will exceed the threshold amount of time, a load stall interrupt is generated. In response to the load stall interrupt, one or more system resources associated with a source of the request are released.

Abstract: An apparatus comprises a set of registers and mapping circuitry to perform a mapping operation to map each of a set of register specifiers to a respective register from among the set of registers in dependence on a mapping function. The mapping function is dependent on a key value. In addition, the mapping for at least two register specifiers from among the set of register specifiers is dependent on the same key value.

Abstract: A method and a terminal for unlocking a screen of a terminal having fingerprint sensors are provided. The method includes the following. A press instruction on a designated unlocking area of the terminal is acquired. A press interrupt request is initiated according to the press instruction and fingerprint data are collected at a press position corresponding to the press instruction. The fingerprint data are compared with fingerprint verification data pre-stored in the terminal. Based on a determination that the fingerprint data and the fingerprint verification data are matched, a screen interface of the terminal is enabled and the screen of the terminal is lit up when a response instruction of the press interrupt request is received.

Abstract: According to one embodiment, a data storage apparatus includes a controller with a data protection function. The controller manages first and second personal identification data. The first personal identification data only includes authority to request inactivation of the data protection function. The second personal identification data includes authority to request inactivation of the data protection function and activation of the data protection function. The controller permits setting of the first personal identification data, when the second personal identification data is used for successful authentication and the first personal identification data is an initial value, or when the data protection function is in an inactive state.

Abstract: Techniques are described for cryptographic key generation based on biometric data associated with a user. Biometric data, such as fingerprint(s) and/or heartbeat data, may be collected using one or more sensors in proximity to the user. The biometric data may be analyzed to generate a cryptographic key. In some implementations, the key may be employed by the user to access data, access certain (e.g., secure) feature(s) of an application, authenticate the user, digitally sign document(s), and/or for other purpose(s). In some implementations, the key may be re-generated for each access request or authentication instance, based on the user's fingerprint or other biometric data.

Abstract: An electronic system is provided. The electronic system includes a first electronic device and a second electronic device. The first electronic device generates a new key every certain time period. The second electronic device establishes a connection with the first electronic device to receive the new key therefrom to store the new key as a latest received key. When the first electronic device receives an input event under a locked status, the first electronic device requests the second electronic device to transmit the latest received key thereto, determines that whether the latest received key is the same as the new key and switches to a power on and unlocked status automatically when the latest received key is the same s the new key.

Abstract: A monitoring system (1) comprises an interface (2) for receiving source alerts from at least one detection engine, a database (7) of historical events; and a classifier (3) for classifying received source alerts by linking a source alert with an historical event or a current source alert to provide a link, and providing said link as an output alert. The classifier comprises match methods (9) for processing source alerts and generating a score for extent of matching of a source alert with an historical event or current source alert, a voting engine (4) for weighting scores from the match methods (9), and a linking function (6) for determining that there is a link if a combination of the weighted outputs of a plurality of match methods exceeds a threshold. At least some match methods (9) are each associated with a specific field of a source alert such as a numerical value field or a name field of a source alert.

Abstract: Aspects of the disclosure relate to hierarchical data structures. A method is disclosed for storing data in a hierarchical data structure. The method may include receiving first data to be committed in a distributed database, the first data including one or more data elements. A result of the selection function may be computed, applying the selection function to each of the one or more data elements. A first node of a first hierarchical data structure may be identified based on the result of the selection function applied to a first data element. The first node of the first hierarchical data structure may be updated using the first data element.

Abstract: An information handling system has a secure data storage partition allocation. Access to the secure storage partition is limited to a set of authorized functions authorized to access the secure storage partition. The authorization of a function may be determined by a unique identification corresponding to the function or a reverse trace.

Abstract: Disclosed herein are embodiments related to security in cloudlet environments. In some embodiments, for example, a computing device (e.g., a cloudlet) may include: a trusted execution environment; a Basic Input/Output System (BIOS) to request a Key Encryption Key (KEK) from the trusted execution environment; and a Self-Encrypting Storage (SES) associated with the KEK; wherein the trusted execution environment is to verify the BIOS and provide the KEK to the BIOS subsequent to verification of the BIOS, and the BIOS is to provide the KEK to the SES to unlock the SES for access by the trusted execution environment.

Abstract: Embodiments of the systems and methods disclosed include a durable multiversion modification of B+-tree with full transaction semantics. In-memory and persistent page images are managed without a buffer manager. Instead, a non-leaf page downlink directly points either to in-memory or on-disk pages. In turn, the reduced amount of fetches per page access improves scalability on multi-core hardware platforms. Embodiments include structurally consistent copy-on-write checkpoints that enable using row-level write-ahead logs. In combination with in-memory undo log for multiversion concurrency control, the amount of persistent storage operations is significantly reduced.

Abstract: Techniques are disclosed to provide scalable spinlocks for non-uniform memory access (NUMA). In some examples, a global spinlock configured to protect access to a shareable resource is protected by multiple local spinlocks, which are each configured to control access to the global spinlock. In a multi-socket NUMA system, the global spinlock is allocated on one of the sockets, and the local spinlocks are distributed over the multiple sockets. In some embodiments, one local spinlock is allocated on each of the multiple sockets. In other embodiments, the multiple local spinlocks may be equally distributed over the NUMA sockets. When contention for the global spinlock is low, processes can attempt to directly acquire the global spinlock. In contrast, when contention for the global spinlock is high, processes need to first acquire one of the local spinlocks associated with the global spinlock before attempting to acquire the global spinlock.

Abstract: Provided is a method for configuring the functional capabilities of a computer system. The computer system may include a persistent memory and a replaceable functional unit. The method may include transferring, in response to a repair action for the functional unit, enablement data that is stored on the functional unit to the persistent memory. The enablement data may specify one or more functional capabilities of the functional unit that are enabled. The method may further include erasing the enablement data from the functional unit after it has been transferred to the persistent storage. The method may further include obtaining a second unique identification item from a replacement unit. The method may further include obtaining new enablement data. The new enablement data may be transferred to the replacement unit.

Abstract: An information processing apparatus that generates a second password different from a first password in response to a password change request from a terminal, and generates and sends a change screen page to the terminal, stores the first password as an old password, and sends a notification when an authentication is attempted using the old password.

Abstract: A processor for supporting secure memory intent is disclosed. The processor of the disclosure includes a memory execution unit to access memory and a processor core coupled to the memory execution unit. The processor core is to receive a request to access a convertible page of the memory. In response to the request, the processor core to determine an intent for the convertible page in view of a page table entry (PTE) corresponding to the convertible page. The intent indicates whether the convertible page is to be accessed as at least one of a secure page or a non-secure page.

Abstract: A touch screen control system communicates with a host processing system (HPS). The touch screen control system includes a memory and control circuitry. The control circuitry operates a touch screen according to rules stored in the memory by: during a first time period and in response to detecting a first type of user input with a touch sensor of the touch screen, updating a display screen of the touch screen autonomously without requiring intervention from the HPS following the detection of the first type of user input; during the first time period and in response to detecting a second type of user input with the touch sensor, updating the display screen according to directions provided by the HPS; and during a second time period and in response to detecting the first type of user input with the touch sensor, updating the display screen according to directions provided by the HPS.

Abstract: A transaction card is provided for communicating data relating to a transaction. The transaction card includes a solar layer, a transaction card layer, and a power transfer layer. The solar layer includes at least one solar panel capable of converting light into electricity, the transaction card layer supports the solar layer and includes a magnetic strip, and the power transfer layer includes circuitry capable of receiving electricity from the solar layer.

Abstract: A method and apparatus for accessing a storage device is disclosed. More specifically, for load balancing by dynamically transferring memory address range assignments. In one embodiment, a storage device receives, from a host apparatus, an access request directed at two or more storage addresses, assigns, based on a first storage address of the two or more storage addresses, the access request to a first processor of two or more processors of the storage device, obtains a local memory lock based on the first storage address, determines, based on a second storage address of the two or more storage addresses, that the second storage address is assigned to a second processor of the two or more processors, obtains a remote memory lock from the second processor based on the second storage address and processes the access request.

Abstract: An error recovery system includes a memory, a processor in communication with the memory, a primary device, a backup device, a hypervisor executing on the processor, and a virtual machine. The virtual machine includes a guest operating system (OS) executing on the hypervisor, a pass-through device, and a guest driver. The hypervisor executes to detect an error associated with the primary device and to send a request to save a device state to the guest driver. The hypervisor also grants the guest OS access to the backup device. The guest driver receives the request from the hypervisor, and responsive to receiving the request, saves a state signature in the memory. The state signature includes a device signature and the device state of the primary device. Additionally, the guest driver determines a status of the device signature as one of matching and mismatching the backup device.

Abstract: Provided is a method for configuring the functional capabilities of a computer system. The computer system may include a persistent memory and a replaceable functional unit. The method may include transferring, in response to a repair action for the functional unit, enablement data that is stored on the functional unit to the persistent memory. The enablement data may specify one or more functional capabilities of the functional unit that are enabled. The method may further include erasing the enablement data from the functional unit after it has been transferred to the persistent storage. The method may further include obtaining a second unique identification item from a replacement unit. The method may further include obtaining new enablement data. The new enablement data may be transferred to the replacement unit.

Abstract: The present invention provides a system and method for protecting data stored in the control registers of an integrated circuit, such as a television chip. The system and method use one or more selectively activated read protection modules to prevent the control registers from being read unless a predetermined key or password is entered. The password or key may be stored in password registers within the chip. A key access generator will enable read access of the control registers if correct values are written to the appropriate password registers. The key access generator may enable read access for a predetermined period of time or until it receives another input.

Abstract: One embodiment of the present disclosure sets forth an effective way to maintain fairness and order in the scheduling of common resource access requests related to replay operations. Specifically, a streaming multiprocessor (SM) includes a total order queue (TOQ) configured to schedule the access requests over one or more execution cycles. Access requests are allowed to make forward progress when needed common resources have been allocated to the request. Where multiple access requests require the same common resource, priority is given to the older access request. Access requests may be placed in a sleep state pending availability of certain common resources. Deadlock may be avoided by allowing an older access request to steal resources from a younger resource request. One advantage of the disclosed technique is that older common resource access requests are not repeatedly blocked from making forward progress by newer access requests.

Abstract: An object storage system includes a plurality of memory devices; and a memory controller configured to, receive a value and a key from a host, the key identifying the received value, store data corresponding to the received value in the plurality of memory devices, generate, based on the received value, a parity for detecting an error of the stored data, manage key-value mapping information that identifies a correspondence relationship between the received value and the key, and manage the parity in the key-value mapping information such that the parity corresponds to the received value and the key.