Abstract: A vulnerability analyzer includes: a single route derivation unit for deriving single route information from an attack determination position to a start position of program information; a variable analysis unit for deriving actual value range information from information of a branch condition and a branch result in the program information; a memory editing unit for setting a virtual address and an input flag corresponding to input variable information, storing actual value information of the input variable information, and storing actual value range information from the variable analysis unit; and a vulnerability existence determination unit for extracting variable information of an attack execution condition, acquiring the actual value information and the actual value range information corresponding the variable information, calculating limited input actual value information when the input flag is set to the virtual address, and determining if the limited input actual value information satisfies the attack e

Abstract: Various embodiments may include methods and systems for providing secure in-memory device access of a memory device by a system-on-a-chip (SOC). Various methods may include receiving a configuration message from the SOC for configuring a memory access control of the memory device, and configuring the memory access control based on the configuration message. Various embodiments may include receiving an access request message from the SOC requesting access to a memory base address and a memory access range of a memory cell array of the memory device, wherein the access request message includes a read/write operation. Various embodiments may include comparing the access request message with the configured memory access control to determine whether the access request message is allowable. Various embodiments may further include performing the read/write operation in response to determining that the access request message is allowable.

Abstract: [Object] Effectively perform data communication [Solving Means] A communication device includes: a LINK that generates a first output signal on a basis of a first external signal from a first external device, outputs the first output signal to a second external device, generates a second output signal on a basis of a second external signal from the second external device, and outputs the second output signal to the first external device, in which each of the first output signal and the second external signal includes command information indicating content of a command transmitted from the first external device, final-destination-device-identification-information for identifying a final destination device of data transmitted from the first external device, internal address information indicating an internal address of the final destination device, data length information indicating a length of the data transmitted from the first external device, and data-end-position-information indicating an end position of t

Abstract: [Object] Effectively perform data communication [Solving Means] A communication device includes: a LINK that generates a first output signal on a basis of a first external signal from a first external device, outputs the first output signal to a second external device, generates a second output signal on a basis of a second external signal from the second external device, and outputs the second output signal to the first external device, in which each of the first output signal and the second external signal includes command information indicating content of a command transmitted from the first external device, final-destination-device-identification-information for identifying a final destination device of data transmitted from the first external device, internal address information indicating an internal address of the final destination device, data length information indicating a length of the data transmitted from the first external device, and data-end-position-information indicating an end position of t

Abstract: Systems, methods, and apparatus improve synchronization of trigger timing when triggers are configured over a serial bus. A data communication apparatus has an interface circuit that couples the data communication apparatus to a serial bus and is configured to receive a clock signal from the serial bus, a plurality of counters configured to count pulses in the clock signal, and a controller configured to receive a datagram from the serial bus, the datagram including a plurality of data bytes corresponding to the plurality of counters, configure each of the plurality of counters with a count value based on content of a corresponding data byte when the corresponding data byte is received from the datagram, cause each of the counters to refrain from counting until all of the counters have been configured with count values, and actuate a trigger when a counter associated with the trigger has counted to zero.

Abstract: It is desired to provide a technology that suppresses the possibility of unauthorized use of an electronic device. Provided is a communication device that includes a communication unit configured to transmit/receive data, and a storage unit that includes a first area and a second area different from the first area, and in the communication device, the first area is an area in which reading and writing from a program in the second area is prohibited, and the first area stores both of a communication program configured to control the transmission/reception and destination information of the data.

Abstract: A method is implemented in a computer infrastructure having computer executable code tangibly embodied on a computer readable storage medium having programming instructions. The programming instructions are operable to optimize data remanence over hybrid disk clusters using various storage technologies, determine one or more data storage technologies accessible by a file system, and determine secure delete rules for each of the one or more storage technologies accessible by the file system. The secure delete rules include a number of overwrites required for data to be securely deleted from each of the one or more storage technologies. The programming instructions are further operable to provide the secure delete rules to the file system upon a request for deletion of data for each of the one or more storage technologies a specific amount of times germane to secure delete data from the one or more storage technologies.

Abstract: A virtual capacity acquisition unit acquires a size of virtual capacity of a save data area from an application. A storage capacity acquisition unit acquires a size of save data of the application. A writing control unit prohibits the application from writing the save data exceeding the virtual capacity in a recording device. A free space acquisition unit acquires a size of free space of the recoding device, and the writing control unit prohibits the writing of save data whose size is larger than that of the free space.

Abstract: A memory protection unit includes at least a first access control unit and a second access control unit programmed for controlling an access to a memory device. Further a method to operate a processing system comprising multiple processing devices and multiple memory protection units associated to the multiple processing devices. The access to the memory by a processing device is approved if first access control unit and second access control unit of the memory protection associated to the processing device approves the access and access is rejected if first access control unit or second access control unit rejects the access. The first access control unit is programmable by the associated processing device alone and the programming of the second access control unit is readable by an additional processing device which is to be used in a system with multiple programming devices, not the associate processing device.

Abstract: A method, system and computer program product for implementing load-reserve and store-conditional instructions in a multi-processor computing system. The computing system includes a multitude of processor units and a shared memory cache, and each of the processor units has access to the memory cache. In one embodiment, the method comprises providing the memory cache with a series of reservation registers, and storing in these registers addresses reserved in the memory cache for the processor units as a result of issuing load-reserve requests. In this embodiment, when one of the processor units makes a request to store data in the memory cache using a store-conditional request, the reservation registers are checked to determine if an address in the memory cache is reserved for that processor unit. If an address in the memory cache is reserved for that processor, the data are stored at this address.

Abstract: One embodiment of the present invention relates to a heap overflow detection system that includes an arithmetic logic unit, a datapath, and address violation detection logic. The arithmetic logic unit is configured to receive an instruction having an opcode and an operand and to generate a final address and to generate a compare signal on the opcode indicating a heap memory access related instruction. The datapath is configured to provide the opcode and the operand to the arithmetic logic unit. The address violation detection logic determines whether a heap memory access is a violation according to the operand and the final address on receiving the compare signal from the arithmetic logic unit.

Abstract: A chip including a processor for performing a predetermined operation, a provider for providing a clock signal, with which the processor is clocked, a counter for decrementing or incrementing a count based on the clock signal, a monitor for signaling the predetermined operation to be prevented, depending on the count, and a non-volatile storage for non-volatily storing the count.

Abstract: A system and method of verifying a content of a non-volatile reprogrammable memory communicatively coupled to a microprocessor is disclosed. The method comprises the steps of reading at least a portion of the data stored in the non-volatile reprogrammable memory via a second communication path secured by encryption, generating a computed integrity value according to at least a portion of the contents of the non-volatile reprogrammable memory, and reading an integrity value, and comparing the computed integrity value with the read integrity value.

Abstract: A method and apparatus for controlling traffic of multiprocessor system or multi-core system is provided. The traffic control apparatus of a multiprocessor system according to the present invention includes a request handler for processing a traffic request of a first processor, and a Quality of Service (QoS) manager for receiving a QoS guaranty start instruction for a second processor from the multiprocessor system, and for transmitting, when traffic of the second processor is detected, a traffic adjustment signal to the request handler. The request handler adjusts the traffic of the first processor according to the received traffic adjustment signal. The traffic control method and apparatus of the present invention is capable of adjusting the required bandwidths of individual technologies and guaranteeing the real-timeness in the multiprocessor system or multi-core system.

Abstract: A secure data storage system includes a mechanism that can be activated to inhibit access to stored data. In one embodiment, access to stored data can be prevented without having to erase or modify such data. An encryption key, or data used to generate the encryption key, is stored in an MRAM module integrated within the data storage system. The data storage system uses the encryption key to encrypt data received from a host system, and to decrypt the encrypted data when it is subsequently read by a host system. To render the stored data inaccessible, an operator (or an automated process) can expose the MRAM module to a magnetic field of sufficient strength to erase key data therefrom.

Abstract: A transponder having a transmitting and receiving device for receiving commands and transmitting data and command processor for executing commands, and a programming device for changing the memory contents, and a data memory which has a first memory area and a second memory area, whereby the first memory area has the first value or a second value, and when the first memory area has the first value, the content of both memory areas can be changed and, in the case of read access to the second memory area, the transmitting/receiving device transmits a predefined or no data stream instead of the memory content of the second memory area.

Abstract: A system implements a method to non-disruptive restoration of storage services provided by a storage volume of the system. Upon detecting a disruption of storage services at the storage volume, the method freezes the input/output (I/O) operations of applications that are accessing the storage volume. The disrupted storage services are restored. And the configurations of the storage volume are maintained during restoration of the disrupted storage services. Afterward, the frozen I/O operations are activated, allowing the applications to continue their accessing of the storage volume.

Abstract: A computer system is provided, the computer system having a processor and a system memory coupled to the processor. The computer system also includes a Basic Input/Output System (BIOS) in communication with the processor. The BIOS selectively scrubs the system memory during a shutdown process of the computer system.

Abstract: According to one embodiment, a semiconductor device includes a processor, and a memory device. The memory device has a nonvolatile semiconductor storage device and is configured to serve as a main memory for the processor. When the processor executes a plurality of programs, the processor manages pieces of information required to execute the programs as worksets for the respective programs, and creates tables, which hold relationships between pieces of information required for the respective worksets and addresses of the pieces of information in the memory device, for the respective worksets. The processor accesses to the memory device with reference to the corresponding tables for the respective worksets.

Abstract: Methods and apparatuses for improving security of an integrated circuit (IC) are provided. A tamper condition is detected and a digital key stored in the IC is erased. The digital key is associated with a first image loaded onto the IC from a first memory. The memory may be a non-volatile memory module. A second image is loaded into a second memory module. The second memory module may be an embedded memory module, e.g., a control random access memory (CRAM) module. The first image is then erased from the first and second memory modules.

Abstract: An apparatus includes a nonvolatile memory, an interface that at least receives an erase command of the nonvolatile memory, a first controller that controls the nonvolatile memory to execute data erasing on the basis of the erase command output from the interface, an external input unit which is installed independently of the interface, a second controller that controls the nonvolatile memory to execute data erasing on the basis of an erase instruction signal output from the external input unit, and a change-over circuit that switches between connection of the first controller with the nonvolatile memory and connection of the second controller with the nonvolatile memory, wherein the second controller controls the nonvolatile memory to execute data erasing on the basis of the erase instruction when the connection of the second controller with the nonvolatile memory is established by the change-over circuit.

Abstract: Embodiments of the present invention provide a virtualization protection system (VPS) that leverages virtual machine monitor (VMM) technology. In some embodiments, a computer system contains a host operating system and one or more virtual machines that run on “guest” operating systems. The VPS makes certain areas of memory of the computer system read-only, making it essentially impossible for the virtual machines or other component to compromise the system.

Abstract: An apparatus includes a first storage unit, a second storage unit, a setting unit configured to set a level of data deletion used for executing a job, an identification unit configured to identify a storage unit to be used for the job, and a control unit configured to, if the set level is a predetermined level and the identified storage unit is the first storage unit, store data of the job into the first storage unit and overwrite the stored data when the job is executed, and configured to, if the set level is the predetermined level and the identified storage unit is the second storage unit, encrypt data of the job and store the encrypted data into the second storage unit when the job is executed.

Abstract: A secure demand paging (SDP) system includes a dynamic random access memory (DRAM), a microprocessor having a secure internal memory and coupled to said DRAM, and a non-volatile memory storing a representation of operations accessible by the microprocessor. The stored representation of operations includes a coded physical representation of operations to configure an SDP space in the DRAM, to organize the SDP space into virtual machine contexts, to organize at least one of the virtual machine contexts into block book keeping blocks and book keeping spaces in the block book keeping blocks, and to execute a secure demand paging process between said secure internal memory and said DRAM.

Abstract: In one embodiment, a processor includes an access logic to determine whether an access request from a virtual machine is to a device access page associated with a device of the processor and if so, to re-map the access request to a virtual device page in a system memory associated with the VM, based at least in part on information stored in a control register of the processor. Other embodiments are described and claimed.

Abstract: A computer-implemented method for preventing heap-spray attacks may include identifying an object-oriented program. The computer-implemented method may also include identifying, within the object-oriented program, a request to allocate memory for a polymorphic object. The polymorphic object may include a pointer to a virtual method table that supports dynamic dispatch for at least one method of the polymorphic object. The computer-implemented method may further include identifying an area of memory reserved for polymorphic objects. The computer-implemented method may additionally include allocating memory for the polymorphic object from the reserved area of memory. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: An apparatus and system for protecting memory of a virtual guest includes initializing a virtual guest on a host computing system. The host computing system includes a virtual machine manager that manages operation of the virtual guest. The virtual guest includes a distinct operating environment executing in a virtual operation platform provided by the virtual machine manager. The method includes receiving an allocation of run-time memory for the virtual guest, the allocation of run-time memory comprising a portion of run-time memory of the host computing system. The method includes setting, by the virtual guest, at least a portion of the allocation of run-time memory to be inaccessible by the virtual machine manager.

Abstract: A method is implemented in a computer infrastructure having computer executable code tangibly embodied on a computer readable storage medium having programming instructions. The programming instructions are operable to optimize data remanence over hybrid disk clusters using various storage technologies, determine one or more data storage technologies accessible by a file system, and determine secure delete rules for each of the one or more storage technologies accessible by the file system. The secure delete rules include a number of overwrites required for data to be securely deleted from each of the one or more storage technologies. The programming instructions are further operable to provide the secure delete rules to the file system upon a request for deletion of data for each of the one or more storage technologies a specific amount of times germane to secure delete data from the one or more storage technologies.

Abstract: The method for protecting memory of a virtual guest includes initializing a virtual guest on a host computing system. The host computing system includes a virtual machine manager that manages operation of the virtual guest. The virtual guest includes a distinct operating environment executing in a virtual operation platform provided by the virtual machine manager. The method includes receiving an allocation of run-time memory for the virtual guest, the allocation of run-time memory comprising a portion of run-time memory of the host computing system. The method includes setting, by the virtual guest, at least a portion of the allocation of run-time memory to be inaccessible by the virtual machine manager.

Abstract: An SOC implements a security enclave processor (SEP). The SEP may include a processor and one or more security peripherals. The SEP may be isolated from the rest of the SOC (e.g. one or more central processing units (CPUs) in the SOC, or application processors (APs) in the SOC). Access to the SEP may be strictly controlled by hardware. For example, a mechanism in which the CPUs/APs can only access a mailbox location in the SEP is described. The CPU/AP may write a message to the mailbox, which the SEP may read and respond to. The SEP may include one or more of the following in some embodiments: secure key management using wrapping keys, SEP control of boot and/or power management, and separate trust zones in memory.

Abstract: According to one embodiment, a computing system includes two or more opto-electrical isolators coupling a corresponding two or more memory devices to a processor. Each memory device is electrically isolated from each other and configured to store data or instructions executed by the processor. Each opto-electrical isolator selectively couples its associated memory device to the processor such that only one of the two or more memory devices are writable by the processor at any instant of time.

Abstract: A storage device in which file data is divided into multiple blocks for storage on a recording medium is provided. The storage device includes an additional data storing section for storing additional data to be recorded on the recording medium in association with the data to be written, a position determining section for determining recording positions on the recording medium where the blocks should be respectively written, based on the additional data, and a block writing section for writing the respective blocks on the recording positions on the recording medium determined by the recording position determining section. The additional data this defines a gap length between blocks of recorded data. During a read operation, if the gap length does not comport with the additional data, then an error is assumed.

Abstract: A method and apparatus for utilizing hardware mechanisms of a transactional memory system is herein described. Various embodiments relate to software-based filtering of operations from read and write barriers and read isolation barriers during transactional execution. Other embodiments relate to software-implemented read barrier processing to accelerate strong atomicity. Other embodiments are also described and claimed.

Abstract: In one embodiment, a processor includes an access logic to determine whether an access request from a virtual machine is to a device access page associated with a device of the processor and if so, to re-map the access request to a virtual device page in a system memory associated with the VM, based at least in part on information stored in a control register of the processor. Other embodiments are described and claimed.

Abstract: An SOC implements a security enclave processor (SEP). The SEP may include a processor and one or more security peripherals. The SEP may be isolated from the rest of the SOC (e.g. one or more central processing units (CPUs) in the SOC, or application processors (APs) in the SOC). Access to the SEP may be strictly controlled by hardware. For example, a mechanism in which the CPUs/APs can only access a mailbox location in the SEP is described. The CPU/AP may write a message to the mailbox, which the SEP may read and respond to. The SEP may include one or more of the following in some embodiments: secure key management using wrapping keys, SEP control of boot and/or power management, and separate trust zones in memory.

Abstract: A system and method are disclosed for increasing large region transaction throughput by making informed determinations whether to abort a thread from a first core or a thread from a second core when a conflict is detected between the threads. Such a system and method allow resolution of conflicts between a first thread and a second thread. In certain embodiments, the system and method allow a requester to detect a conflict under specific circumstances and make an intelligent decision whether to abort the first thread, enter a wait state to give the first thread an opportunity to complete execution or, if possible, abort the second thread.

Abstract: Methods, apparatus, and products for backing up an image in a computing system that includes computer memory, including: receiving, by a backup image manager, an image for one or more computing devices within the computing system; identifying, by the backup image manager, available protected computer memory within the computing system, wherein the available protected computer memory within the computing system is restricted from alteration by a user of the computing system; slicing, by the backup image manager, the image into a plurality of image slices; and storing, by the backup image manger, one or more of the image slices in the available protected computer memory.

Abstract: According to one embodiment, a storage system includes a host device, a first storing medium, and a second storing medium. The first storing medium includes: a memory provided with a protected first storing region which stores first information sent from the host device, and a second storing region which stores encoded contents; and a controller which carries out authentication processing for accessing the first storing region. The host device and the storing medium produce a bus key which is shared only by the host device and the storing medium by authentication processing, and which is used for encoding processing when information of the first storing region is sent and received between the host device and the storing medium. The host device has the capability to request the storing medium to send a status.

Abstract: A computer accesses a storage device. The computer includes a processor and a non-transitory computer-readable storage medium storing computer-readable instructions, when executed by the processor, the computer-readable instructions cause the computer to perform: storing a first time-lock and a second time-lock in the storage device; and, when both the first time-lock and the second time-lock are successfully stored in the storage device by the computer, to obtain an exclusive access privilege during a particular time interval associated with the first time-lock and the second time-lock.

Abstract: A memory management unit is configured to receive requests for memory access from a plurality of I/O devices. The memory management unit implements a protection mode wherein the unit prevents memory accesses by the plurality of I/O devices by mapping memory access requests (from the I/O devices) to the same set of memory address translation data. When the memory management unit is not in the protected mode, the unit maps memory access requests from the plurality of I/O devices to different respective sets of memory address translation data. Thus, the memory management unit may protect memory from access by I/O devices using fewer address translation tables than are typically required (e.g., none).

Abstract: A method and apparatus for a late lock acquire mechanism is herein described. In response to detecting a late-lock acquire event, such as expiration of a timer, a full cachet set, and an irrevocable event, a late-lock acquire may be initiated. Consecutive critical sections are stalled until a late-lock acquire is completed utilizing fields of access buffer entries associated with consecutive critical section operations.

Abstract: A memory management and protection system that manages memory access requests from a number of requestors. Memory accesses are allowed or disallowed based on the permissions assigned to the request based on the memory segment being accessed. The decision to allow or disallow access is made by the extended memory controller by merging the permissions assigned to the memory segment being accessed, and the permissions assigned to the access request by the originating memory controller or other endpoint.

Abstract: According to the present invention, there is provided a system for securing data with a storage system. The system includes at least one storage device. In addition, the system includes a security mechanism for recognizing an attempt to insert or remove the storage device. Moreover, the system includes a management unit to control the insertion and removal of the storage device.

Abstract: A method of authenticating a memory device by a host device, wherein the memory device, a memory device controller, a memory card containing the memory device and the controller, and the host device are manufactured by a memory device manufacturer, a controller manufacturer, a memory card manufacturer, and a host device manufacturer, respectively. The memory device comprises a first area, a second area for storing key index information, which is written by the memory device manufacturer before shipping the memory device, and a third area for storing a set of encrypted keys whose index corresponds to the key index information, which is written by the memory device manufacturer before shipping the memory device. After the memory device is shipped, the first area is not readable or writable by the controller, the second area readable but not writable by the controller, and the third area readable and writable by the controller.

Abstract: A system includes a shared memory and a plurality of processor cores communicatively coupled to the shared memory. The system includes a processor core memory and a clock subsystem for providing a clock signal to the shared memory and the plurality of processor cores. Each of the plurality of processor cores executes instructions stored in the processor core memory for synchronously changing the clock rate provided by the clock subsystem to the plurality of processor cores.

Abstract: Point-to-point intra-nodelet messaging support for nodelets on a single chip that obey MPI semantics may be provided. In one aspect, a local buffering mechanism is employed that obeys standard communication protocols for the network communications between the nodelets integrated in a single chip. Sending messages from one nodelet to another nodelet on the same chip may be performed not via the network, but by exchanging messages in the point-to-point messaging buckets between the nodelets. The messaging buckets need not be part of the memory system of the nodelets. Specialized hardware controllers may be used for moving data between the nodelets and each messaging bucket, and ensuring correct operation of the network protocol.

Abstract: Methods, systems and devices for configuring access to a memory device are disclosed. The configuration of the memory device may be carried out by creating a plurality of access profiles that are adapted to optimize access to the memory device in accordance with the type of access. Accordingly, when an application with specific memory access needs is initiated, the memory access profile that is most optimized for that particular access need is utilized to configure access to the memory device. The configuration may be effected for a portion of the memory device, a partition of the memory device, or even one single access location on the memory device.

Abstract: A system implements a method to non-disruptive restoration of storage services provided by a storage volume of the system. Upon detecting a disruption of storage services at the storage volume, the method freezes the input/output (I/O) operations of applications that are accessing the storage volume. The disrupted storage services are restored. And the configurations of the storage volume are maintained during restoration of the disrupted storage services. Afterward, the frozen I/O operations are activated, allowing the applications to continue their accessing of the storage volume.

Abstract: Embodiments of computer processing systems and methods are provided that include a memory protection unit (MPU), and a plurality of region descriptors associated with the MPU. The region descriptors include address range and translation identifier values for a respective region of memory. Control logic determines whether a translation identifier control indicator is in a first state, and if the translation identifier control indicator is in the first state, the control logic allows a first process being executed by the processing system to access a memory region allocated to a second process being executed by the processing system.

Abstract: Technology is described for malware investigation by analyzing computer memory in a computing device. The method can include performing static analysis on code for a software environment to form an extended type graph. A raw memory snapshot of the computer memory can be obtained at runtime. The raw memory snapshot may include the software environment executing on the computing device. Dynamic data structures can be found in the raw memory snapshot using the extended type graph to form an object graph. An authorized memory area can be defined having executable code, static data structures, and dynamic data structures. Implicit and explicit function pointers can be identified. The function pointers can be checked to validate that the function pointers reference a valid memory location in the authorized memory area and whether the computer memory is uncompromised.