Abstract: Providing multiple virtual processors (VPs) for a trusted domain (TD) includes creating a virtual processor control structure (VPCS) for one or more of a plurality of VPs of the TD of a processor in a computing system, the TD including a trust domain control structure (TDCS), the plurality of VPs having views into addresses of private memory of the TD, the VPCS for a VP including a secure extended page table (SEPT) for the VP; and for the VP, initializing the VPCS for the VP by copying selected entries of the TDCS to the SEPT of the VPCS, pointing a SEPT pointer to the VPCS, and setting an entry point for starting execution of the VP by the processor.

Abstract: The present disclosure relates to a signal processing device and a vehicle display apparatus including the same. The signal processing device according to an embodiment of the present disclosure includes a processor configured to perform signal processing for displays located in a vehicle, wherein the processor is configured to: display a first image including a first overlay on a first display, transmit the first image by screen sharing, and display a second image of a mirrored image corresponding to the first image on a second display; generate a second overlay different from the first overlay while displaying the first image and the second image; transmit information related to the second overlay by instance copying; and display a second overlay generated based on the information related to the second overlay on top of the first image or the second image. Accordingly, objects may be displayed rapidly and accurately by instance copying during screen sharing.

Abstract: Memory access control in a virtualization environment is provided. Sets of page tables are maintained, with each set corresponding to a given hypervisor application and guest virtual machine (VM), and each set including mappings to a subset of the guest VM memory to thereby limit an amount of the quest VM memory that is accessible Presentation of these sets is controlled to present just one of the sets at any given time for hypervisor processing to access guest VM memory.

Abstract: When a program operation to a second memory of user data in a first memory is to be performed and the size of user data is smaller than a unit program size of the second memory, final data having a size equal to the unit program size may be produced by concatenating the user data and meta data, and the final data may then programmed into the second memory. The second memory may be non-volatile memory, and the meta data may be meta data for the second memory. In some cases, dummy data may also be concatenated with the user data and meta data to produce the final data. Accordingly, it is possible to perform the program operation according to the unit program size and improve the program operation efficiency by reducing the number of program operations performed to store meta data.

Abstract: Virtual computer systems (virtual machines) have become increasingly common with the evolution of virtualization technology, cloud computing, etc. However, as a virtual machine and its associated guest operating system seek to execute and/or access a page of memory through synchronous processes execution of the virtual processor associated with the virtual processing is blocked until the page of memory is locked and available. Accordingly, time is wasted on calls waiting for physical page availability thereby reducing utilization of the host machine and virtual machine respectively. To address this an asynchronous virtual machine environment is established allowing the virtual machine or physical machine to handle additional operations whilst waiting for physical page availability.

Abstract: An apparatus and method are described for detecting and correcting data fetch errors within a processor core. For example, one embodiment of an instruction processing apparatus for detecting and recovering from data fetch errors comprises: at least one processor core having a plurality of instruction processing stages including a data fetch stage and a retirement stage; and error processing logic in communication with the processing stages to perform the operations of: detecting an error associated with data in response to a data fetch operation performed by the data fetch stage; and responsively performing one or more operations to ensure that the error does not corrupt an architectural state of the processor core within the retirement stage.

Abstract: Systems and methods for ballooning related memory allocation techniques for execution environments. An example method may comprise maintaining, by an operating system of a hypervisor, a list of free memory pages associated with the execution environment, wherein each entry in the list references a set of memory pages that are contiguous in a guest address space; receiving, from a management application, a request for guest memory to be made available to the hypervisor, wherein the request comprises a minimum size of guest memory requested and a maximum size of guest memory; and responsive to identifying, by the operating system, in the list of free memory pages, a set of contiguous guest memory pages that is greater than or equal to the minimum size of memory requested, and less than or equal to the maximum size of memory requested, releasing the set of contiguous guest memory pages to the hypervisor.

Abstract: A computer system includes a physical memory having a first page table and a second page table, and an address translation module. The first page table includes primary page table entries, where each page table entry among the primary page table entries is configured to store a mapping of a virtual memory address to a physical memory address and auxiliary information. The second page table includes secondary page table entries each storing at least one further auxiliary information, where each secondary page table entry corresponds to a primary page table entry in the first page table. The address translation module is configured to, in response to receiving a request from a processor, walk through the first page table to identify a primary page table entry and consecutively identify a location of a corresponding secondary page table entry based on a location of the primary page table entry.

Abstract: Example embodiments relate generally to data resynchronization methods and systems in continuous data protection (CDP) and more specifically to an input and output (I/O) filtering framework and log management system to seek a near-zero recovery point objective (RPO).

Abstract: Disclosed are systems, methods, and computer-readable media for assuring tenant forwarding in a network environment. Network assurance can be determined in layer 1, layer 2 and layer 3 of the networked environment including, internal-internal (e.g., inter-fabric) forwarding and internal-external (e.g., outside the fabric) forwarding in the networked environment.

Abstract: Address translation circuitry (20) converts virtual addresses into physical addresses with reference to intermediate level and final level page tables. Final level descriptors within final level page tables identify address translation data for an associated region of memory. Intermediate level descriptors within intermediate level page tables identify intermediate address translation data used to identify an associated page table at a next level of the page tables. Page table update circuitry (35) maintains state information within each final and intermediate level descriptor, and updates the state information from a clean state to a dirty state: in the final level descriptors to indicate that a modification of content of the associated memory region is permitted; in the intermediate level descriptors to indicate occurrence of an update from the clean state to the dirty state within the state information of any final level descriptors that are accessed via that intermediate level descriptor.

Abstract: Virtual memory space may be saved in a clone environment by leveraging the similarity of the data signatures in swap files when a chain of virtual machines (VMs) includes clones spawned from a common parent and executing common applications. Deduplication is performed across the chain, rather than merely within each VM. Examples include generating a common deduplication identifier (ID) for the chain; generating a logical addressing table linked to the deduplication ID, for each of the VMs in the chain; and generating a hash table for the chain. Examples further include, based at least on a swap out request, generating a hash value for a block of memory to be written to a storage medium; and based at least on finding the hash value within the hash table, updating the logical addressing table to indicate a location of a prior-existing duplicate of the block on the storage medium.

Abstract: A data processing method includes receiving, by a virtual machine, an I/O access request. The I/O access request is used to access data, the I/O access request includes a type of hardware data used to indicate a working status of a virtual I/O device, and the virtual I/O device is obtained after the I/O device is virtualized. The method also includes identifying, by the virtual machine, that the type of the hardware data in the I/O access request is first-type data. The first-type data is hardware data of the virtual I/O device that remains unchanged in a data processing process. The method further includes obtaining, by the virtual machine, to-be-accessed data from a first memory space. The first memory space is memory storage space in the data processing system.

Abstract: The disclosed technology is generally directed to network security for processors. In one example of the technology, a computing device includes: a processor, a memory, and a network interface. The computing device executes a first binary within a first region of the memory, executes a separate second binary within a second region of the memory, and prevents the second binary from accessing the first region of the memory. The first binary implements a kernel configured to control the network interface, while the separate second binary implements a network stack that is restricted to communicate only with an identified set of trusted servers.

Abstract: The disclosure herein describes integrity verification of a checksum of a canister data structure using built-in checksum verification capability. A kernel image is accessed, and a canister data structure is allocated in a section of memory. The canister data structure is loaded with canister data from the kernel image, wherein the loading is based on an interpreter obtained from the kernel image, wherein the canister data includes address relocation data and a checksum of the canister data. A binary image of the canister data structure is assembled, wherein the assembling includes at least performing reverse relocation on the canister data structure using the address relocation data. A checksum is generated based on the assembled binary image, and the checksum of the canister data is verified using the generated checksum. The integrity of the canister data structure is confirmed based on the verification.

Abstract: A process being initiated for exposure to an operating system of the computer device is detected. A control module can then check whether the process has been whitelisted, and if not, activate an artificial virtual machine to test the process prior to direct exposure to an operating system of the real computing environment. The control module can detect when the process responds to the presumed virtual environment preventing execution. A security action can then be taken on the process including preventing the process from being exposed to the operating system.

Abstract: This disclosure relates to data storage device (DSD) hardware and, more specifically, to systems and methods for encrypting data stored on a DSD. A DSD comprises a non-volatile storage medium to store multiple file system data objects using block addressing. The multiple file system data objects are addressable by respective ranges of blocks. A device controller is integrated with the DSD and comprises hardware circuitry configured to encrypt data to be stored on the storage medium and decrypt data stored on the storage medium based on different cryptographic keys, and to use each of the different cryptographic keys for one of the ranges of blocks addressing a respective file system data object. The decryption part of the hardware circuitry can be deactivated so that the data can be read in encrypted form.

Abstract: A container corresponding to executable code may be received. The container may be executed in a secure computation environment by performing one or more operations specified by the executable code of the container. An instruction to terminate the executing of the container may be received from a high level operating system (HLOS) that is external to the secure computation environment. A determination may be made as to whether the container is associated with a preemption privilege and the executing of the container may be terminated after receiving the instruction from the HLOS based on the determination of whether the container is associated with the preemption privilege.

Abstract: The present disclosure involves systems, software, and computer implemented methods for efficient memory leak detection in database systems. One example method includes receiving a query at a database system. Memory allocations and deallocations are traced during processing of the query. Each memory allocation entry in a tracing file can be processed, including determining, for each allocation, whether a memory deallocation entry exists in the tracing file. A determination can be made as to whether a memory leak has occurred in response to determining whether a memory deallocation entry corresponding to a memory allocation entry exists in the tracing file. For example, a determination can be made that a memory leak has occurred in response to determining that no memory deallocation entry corresponding to an allocated memory address exists in the tracing file. One or more actions can be performed in response to determining that a memory leak has occurred.

Abstract: One example method includes scanning a storage device to obtain data and metadata concerning operation of a computing system, analyzing the data and, based on the analyzing, deriving data groups that include some of the data, and deriving data relationships among some of the data, receiving, by an expert system, a query from a user, and the query specifies a sample object for the expert system to investigate, but the query does not indicate purpose of the user in submitting the query, analyzing the query, based on the data groups and data relationships, and based on the analyzing of the query, generating, by the expert system, query results that comprise a set of user-selectable investigation directions that relate to the sample object, and presenting, by the expert system, the set of user-selectable investigation directions to the user.

Abstract: Host and accelerator devices can be coupled using various interfaces, such as Compute Express Link (CXL). In an example, user applications can have protected access to a shared set of control parameters for different queues. A protocol can allow an application to use a unique memory page at the accelerator device through which the application can access control parameters, such as can be used to control memory-based communication queues or other queues. In an example, there can be multiple sets of control parameters in a single memory page. The protocol can allow views of the single memory page from respective different application processes. In an example, the protocol can include or use an access check to detect and handle unauthorized accesses to particular parameters.

Abstract: Embodiments of apparatuses, methods, and systems for unified address translation for virtualization of input/output devices are described. In an embodiment, an apparatus includes first circuitry to use at least an identifier of a device to locate a context entry and second circuitry to use at least a process address space identifier (PASID) to locate a PASID-entry. The context entry is to include at least one of a page-table pointer to a page-table translation structure and a PASID. The PASID-entry is to include at least one of a first-level page-table pointer to a first-level translation structure and a second-level page-table pointer to a second-level translation structure. The PASID is to be supplied by the device. At least one of the apparatus, the context entry, and the PASID entry is to include one or more control fields to indicate whether the first-level page-table pointer or the second-level page-table pointer is to be used.

Abstract: Technology for enabling a kernel to perform data deduplication on encrypted storage of a container. An example method may involve: enabling, by a kernel, a guest program of a container to access a first storage block of a first container and a second storage block of a second container; receiving, by the kernel from the guest program, an indication that the first storage block and the second storage block are duplicate storage blocks; and updating the first storage block or the second storage block to cause the duplicate storage blocks to reference a common storage location.

Abstract: A system can maintain a first data center that comprises a virtualized overlay network and virtualized volume identifiers. The system can determine to perform a restore of data of the first data center to a second data center, the data comprising first instances of virtualized workloads. The system can transfer the data to the second data center. The system can configure the second data center with the virtualized overlay network and the virtualized volume identifiers. The system can operate the virtualized workloads on the second data center, the second instances of the virtualized workloads invoking the second instance of the virtualized overlay network and the second instance of the virtualized volume identifiers.

Abstract: Hypervisor-independent reference copies of virtual machine payload data based on block-level pseudo-mount infrastructure and techniques are generated and stored in an illustrative data storage management system. An illustrative hypervisor-independent reference copy includes one or more virtual-machine payload data files that originated from a first virtual machine. The hypervisor-independent virtual-machine-payload reference copy is governed by a distinct reference copy policy that controls retention, storage, tiering, scheduling, etc. for the reference copy, independently of how the illustrative system treats other virtual machine payload data files originating from the same virtual machine.

Abstract: For a network control system that receives, from a user, logical datapath sets that logically express desired forwarding behaviors that are to be implemented by a set of managed switching elements, a controller for managing several managed switching elements that forward data in a network that includes the managed switching elements is described. The controller includes a set of modules for detecting a change in one or more managed switching elements and for updating logical datapath set based on the detected change. The logical datapath set is for subsequent translation into a set of physical forwarding behaviors of the managed switching elements.

Abstract: Techniques for migrating virtual machines (VMs) in the presence of uncorrectable memory errors are provided. According to one set of embodiments, a source host hypervisor of a source host system can determine, for each guest memory page of a VM to be migrated from the source host system to a destination host system, whether the guest memory page is impacted by an uncorrectable memory error in a byte-addressable memory of the source host system. If the source host hypervisor determines that the guest memory page is impacted, the source host hypervisor can transmit a data packet to a destination host hypervisor of the destination host system that includes error metadata identifying the guest memory page as being corrupted. Alternatively, if the source host hypervisor determines that the guest memory page is not impacted, the source host hypervisor can attempt to read the guest memory page from the byte-addressable memory in a memory exception-safe manner.

Abstract: A disclosed example includes accessing, by a backend block service driver in an input/output virtual machine executing on one or more processors, a first command submitted to a buffer by a paravirtualized input/output frontend block driver executing in a guest virtual machine; generating, by the backend block service driver, a translated command based on the first command by translating a virtual parameter of the first command to a physical parameter associated with a physical resource; submitting, by the backend block service driver, the translated command to an input/output queue to be processed by the physical resource based on the physical parameter; and submitting, by the backend block service driver, a completion status entry to the buffer, the completion status entry indicative of completion of a direct memory access operation that copies data between the physical resource and a guest memory buffer corresponding to the guest virtual machine.

Abstract: To increase the speed with which a Second Layer Address Table (SLAT) is traversed, memory having the same access permissions is contiguously arranged such that one or more hierarchical levels of the SLAT need not be referenced, thereby resulting in more efficient SLAT traversal. “Slabs” of memory are established whose memory range is sufficiently large that reference to a hierarchically lower level table can be skipped and a hierarchically higher level table's entries can directly identify relevant memory addresses. Such slabs are aligned to avoid smaller intermediate memory ranges. The loading of code or data into memory is performed based on a next available memory location within a slab having equivalent access permissions, or, if such a slab is not available, or if an existing slab does not have a sufficient quantity of available memory remaining, a new slab with the proper access permissions is established.

Abstract: A system includes a memory, a processor in communication with the memory, a hypervisor, and a guest OS. The guest OS is configured to store a plurality of hints in a list at a memory location. Each hint includes an address value and the memory location of the list is included in one of the respective address values associated with the plurality of hints. The guest OS is also configured to pass the list to the hypervisor. Each address value points to a respective memory page of a plurality of memory pages including a first memory page and a last memory page. The hypervisor is configured to free the first memory page pointed to by a first hint of the plurality of hints and free the last memory page pointed to by a second hint of the plurality of hints. Additionally, the last memory page includes the list.

Abstract: A system includes a guest memory having guest physical pages (“GPPs”) that includes loan pages having a fixed quantity, a host memory, a processor in communication with the memory, and a virtual machine monitor (“VMM”). The VMM is configured to track a respective state (inflated or deflated) for each respective GPP. Additionally, the VMM is configured to track a respective status (in-use or unused) of each loan page, determine that each respective loan page is in-use, un-assign a first loan page from a corresponding GPP, discard the first loan page thereby changing the first loan page from in-use to unused, and assign the unused first loan page to a first GPP that is inflated, such that the first loan page's status updates to in-use. Each respective GPP having an inflated state is temporarily backed by the fixed quantity of loan pages.

Abstract: A transform-by-pattern (TBP) system is configured to proactively suggest relevant TBP programs based on inputted source dataset and target dataset without requiring users typing in examples. The TBP system has access to multiple TBP programs, each of which includes a combination of a source pattern, a target pattern, and a transformation program that is configured to transform data that fits into the target pattern into data that fits into the source pattern. When a source dataset and a target dataset are received from a user, the TBP system identifies a subset of the source dataset and a subset of the target dataset as related data. The TBP system then identifies one or more applicable TBP programs amongst the multiple TBP programs, and suggest or apply at least one of the one or more applicable TBP programs.

Abstract: Techniques are disclosed for implementing system calls in a virtualized computing environment. An interface is configured to abstract partitions in the virtualized computing environment. A system call is received that is to be executed across a system boundary in a localized computing environment. Based on a declarative policy, one or more of a device type, device path, or process identity associated with the system call is determined. The system call is executed in the virtualized computing environment.

Abstract: A neural processing device and a method for job scheduling are provided. The neural processing device configured to receive, by an address space ID (ASID) manager, first and second requests from at least one context, respectively, and determine whether ASIDs are allocated, store jobs of contexts to which the ASIDs have not been allocated from the ASID manager in entities, schedule, by a job scheduler, an execution order of the jobs stored in the entities and cause the ASID manager to allocate the ASIDs to the contexts to which the ASIDs have not been allocated among the at least one context, and sequentially receive, by a command queue, jobs of contexts to which the ASIDs have been allocated, store the jobs as standby jobs, and sequentially execute the standby jobs.

Abstract: An apparatus has an address translation cache (12, 16) having a number of cache entries (40) for storing address translation data which depends on one or more page table entries of page tables. Control circuitry (50) is responsive to an invalidation request specifying address information to perform an invalidation lookup operation to identify at least one target cache entry to be invalidated. The target cache entry is an entry for which the corresponding address translation data depends on at least one target page table entry corresponding to the address information. The control circuitry (50) selects one of a number of invalidation lookup modes to use for the invalidation lookup operation in dependence on page size information indicating the page size of the target page table entry. The different invalidation lookup modes correspond to different ways of identifying the target cache entry based on the address information.

Abstract: There is provided a data processing apparatus and method of data processing. The data processing apparatus comprises storage circuitry to store a hierarchy of page tables comprising an intermediate level page table. Each entry of the intermediate level page table comprises base address information of a next level page table and control information indicating whether an addressing function has been applied to reorder physical storage locations of entries of the next level page table. Address translation circuitry is provided to perform address translations in response to receipt of a virtual address by performing a lookup in a next level page table dependent on the base address information and a page table index from the virtual address. When the control information indicates that the addressing function has been applied, the lookup is performed at a modified storage location generated by applying the addressing function to the page table index.

Abstract: A processor supports secure memory access in a virtualized computing environment by employing requestor identifiers at bus devices (such as a graphics processing unit) to identify the virtual machine associated with each memory access request. The virtualized computing environment uses the requestor identifiers to control access to different regions of system memory, ensuring that each VM accesses only those regions of memory that the VM is allowed to access. The virtualized computing environment thereby supports efficient memory access by the bus devices while ensuring that the different regions of memory are protected from unauthorized access.

Abstract: Representative embodiments of operating a secured device requiring user authentication include receiving a request from a user for operating the device without prior authentication; granting the user temporary access to the device in accordance with a security policy that specifies a predetermined time interval and/or a predetermined number of device operations within which authentication must occur to continue at least some operations of the device; computationally storing an audit trail identifying the temporary access and actions performed during the temporary access; and upon determining that authentication has not been provided within the predetermined time interval or number of device operations, preventing at least some operations of the device and updating the audit trail to specify expiration of the temporary access.

Abstract: Systems, methods, and machine-readable media to migrate data from source databases to target databases are disclosed. Data may be received, relating to the source databases and the target databases. For each source database, a migration assessment may be generated based on analyzing the data, and a migration method may be selected. A migration plan that specifies a parallel migration of a set of databases to the target databases may be created, with a first migration method to migrate a first subset of the set of databases and a second migration method to migrate a second subset of the set of databases. The parallel migration may be executed according to the migration plan may be caused so that the first subset of the set of databases is migrated with the first migration method while the second subset of the set of databases is migrated with the second migration method.

Abstract: An example method for filesystem pass-through on lightweight virtual machine containers includes executing a container on a host, and creating a file system overlay in a local file system storage located on the host. The example method further includes copying files and directories into the file system overlay from a shared file system until the file system overlay is fully populated. The file system overlay is fully populated when all the files and directories from the shared file system are copied into the file system overlay. Once fully populated, completion is marked which indicates the file system overlay is fully populated, where marking the completion prevents accessing a read-only base image within the shared file system.

Abstract: A technique is described for managing processor (CPU) resources in a host having virtual machines (VMs) executed thereon. A target size of a VM is determined based on its demand and CPU entitlement. If the VM's current size exceeds the target size, the technique dynamically changes the size of a VM in the host by increasing or decreasing the number of virtual CPUs available to the VM. To “deactivate” virtual CPUs, a high-priority balloon thread is launched and pinned to one of the virtual CPUs targeted for deactivation, and the underlying hypervisor deschedules execution of the virtual CPU accordingly. To “activate” virtual CPUs, the number of virtual CPUs, the launched balloon thread may be killed.

Abstract: In some examples, collaborative learning-based cloud migration implementation may include identifying a migration agent that is to perform an application migration from a first cloud environment to a second cloud environment, and identifying a plurality of additional migration agents. A technical context and a migration flow context may be determined for the migration agent and for the plurality of additional migration agents. Executed allowed and error-response migration actions may be identified for states that are similar to a current state of the application migration, and a similarity between the migration agent and each of the migration agents that executed the allowed and error-response migration actions may be determined. A migration action that is to be performed may be identified based on a maximum relevance associated with the allowed and error-response migration actions. The identified migration action may be executed by the migration agent to perform the application migration.

Abstract: Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or hypervisor fingerprinting. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a CPU ID instruction handler (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it). The CPU ID instruction handler may perform processing, inter alia, to return configurable values different from the actual values for the physical hardware. The virtualization assistance layer may further contain virtual devices, which when probed by guest operating system code, return the same values as their physical counterparts.

Abstract: An embodiment provides a data processing circuit and a device. The circuit includes: a first bank group 201 and a second bank group 202; a write circuit 203; and a read circuit 204. The write circuit 203 includes a write input cache circuit 2031, and is configured to: receive stored data from a write bus 206 through the write input cache circuit 2031, write the stored data into the first bank group 201 through a first read-write bus 207, and write the stored data into the second bank group 202 through a second read-write bus 208. The read circuit 204 includes a read output cache circuit 2041, and is configured to: read the stored data from the first bank group 201 through the first read-write bus 207, and read the stored data from the second bank group 202 through the second read-write bus 208.

Abstract: Transparent memory management for over-subscribed accelerators is disclosed. A request from a remote initiator to execute a workload on a shared accelerator is received at a host system comprising the shared accelerator. A determination is made that there is insufficient physical memory of the accelerator to accommodate the request from the remote initiator. Responsive to determining that there is insufficient physical memory of the accelerator. An allocation of host system memory is requested for the remote initiator from the host system. A mapping between the remote initiator and the allocation of host system memory is then created.

Abstract: Local memory and disaggregated memory may be identified and monitored for integrating disaggregated memory in a computing system. Candidate data may be migrated between the local memory and disaggregated memory to optimize allocation of disaggregated memory and migrated data according to a dynamic set of migration criteria.

Abstract: Apparatuses and methods related to managing regions of memory are described. Managing regions can include verifying whether an access command is authorized to access a particular region of a memory array, which may have some regions that have rules or restrictions governing access (e.g., so-called “protected regions”). The authorization can be verified utilizing a key and a memory address corresponding to the access command. If an access command is authorized to access a region, then a row of the memory array corresponding to the access command can be activated. If an access command is not authorized to access the region, then a row of the memory array corresponding to the access command may not be activated.

Abstract: Some embodiments provide a method of providing distributed storage services to a host computer from a network interface card (NIC) of the host computer. At the NIC, the method accesses a set of one or more external storages operating outside of the host computer through a shared port of the NIC that is not only used to access the set of external storages but also for forwarding packets not related to an external storage. In some embodiments, the method accesses the external storage set by using a network fabric storage driver that employs a network fabric storage protocol to access the external storage set. The method presents the external storage as a local storage of the host computer to a set of programs executing on the host computer. In some embodiments, the method presents the local storage by using a storage emulation layer on the NIC to create a local storage construct that presents the set of external storages as a local storage of the host computer.

Abstract: A method is provided in a data processing system having second level address translation (SLAT) controlled by a hypervisor. In the method, hashes of all memory pages accessible by a guest OS are stored (set S). Also, hashes of all memory pages previously accessed by the guest OS are stored (set T). When the guest OS attempts an access to a memory page having executable code for which it does not have permission, an exception is generated. A hash of the memory page is compared with the hashes of set T and set S. If there is not a match within set T, then the guest OS has never attempted the requested operation before and suspicious behavior is reported. If there is not a match within set S, the requested operation is reported as illegal. In another embodiment, the memory page may be encrypted to prevent the guest OS from reading the memory page.

Abstract: A cloud system data management method for alleviate a data leakage problem occurring when a user accessed by another user when a virtual data volume of the user is mounted to a virtual machine of another user includes creating a first virtual machine for a user and allocating a virtual data volume to the first virtual machine, setting an identifier of the virtual data volume as an identifier corresponding to a home identifier of the first virtual machine, determining, according to the identifier of the virtual data volume and a home identifier of a second virtual machine, whether the virtual data volume and the second virtual machine belong to a same user when the virtual data volume needs to be mounted to the second virtual machine, forbidding the virtual data volume to be mounted to the second virtual machine when they do not belong to the same user.