Protection Against Unauthorized Use Of Memory (epo) Patents (Class 711/E12.091)
  • Patent number: 11947675
    Abstract: An example computing device includes a main processor, a management firmware subsystem, and a controller to control operation of the management firmware subsystem. The controller is separate from a main processor. A memory stores subsystem data that is useable by the controller. The computing device further includes a set of instructions that determines a manufacturing mode of the computing device. The manufacturing mode is enabled when the computing device is under manufacture or maintenance. The manufacturing mode is disabled when the computing device is under normal operation. The set of instructions further determines a manufacturing state of the subsystem data. The manufacturing state indicates whether the subsystem data is complete. In response to determining that the manufacturing mode is disabled and that the manufacturing state of the subsystem data is incomplete, the set of instructions initiates a restoration of the subsystem data from a backup of the subsystem data.
    Type: Grant
    Filed: February 11, 2019
    Date of Patent: April 2, 2024
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Jeffrey Kevin Jeansonne, Rosilet Retnamoni Braduke
  • Patent number: 11940861
    Abstract: Inventive aspects include a device including storage media. The device includes a PMU, and a controller communicatively coupled to the PMU. The PMU determines that an operating power of the device exceeds a threshold, and transmits a signal to the controller to trigger a power reduction operation. The controller throttles one or more operations until the operating power goes below the threshold. Some embodiments include a method for controlling performance of a storage device. The method includes measuring, by a PMU, a power consumption associated with a storage device. The method includes determining, by the PMU, whether the power consumption is greater than a threshold. In response, the method may include setting a performance throttle. The method may include determining, by the PMU, whether the power consumption is less than the threshold. In response, the method may include releasing the performance throttle.
    Type: Grant
    Filed: April 21, 2022
    Date of Patent: March 26, 2024
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Young deok Kim, Pyeongwoo Lee, Sumanth Jannyavula Venkata
  • Patent number: 11902422
    Abstract: A device includes a communications circuit configured to communicate with a storage device controller and a host device. The device further includes a processing device configured to receive a request from the storage device controller through the communications circuit. The request requests encrypted data be written to a memory address of the host device. The processing device is further configured to identify a key associated with the write request based on the memory address. The processing device is further configured to generate a decrypted version of the data based on the key. The processing device is further configured to initiate transfer, through the communications circuit, of the decrypted version of the data to the host device.
    Type: Grant
    Filed: December 28, 2022
    Date of Patent: February 13, 2024
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Ramdas P. Kachare, Xuebin Yao, Jimmy K. Lau
  • Patent number: 11886332
    Abstract: In a dynamic memory allocator, a method of allocating memory to a process, the method comprising executing on a processor the steps of: creating one or more arenas within the memory, each arena comprising one or more memory blocks and each arena having an n-byte aligned arena address; upon receiving a memory request from the process, returning a pointer to the process, the pointer having as its value an address of a memory block selected from one of the arenas; upon determining that the memory block is no longer needed by the process, retrieving the address of said memory block from the pointer and releasing the memory block; and, upon a new arena being created, shifting forward the n-byte aligned address of said new arena according to a stored variable such that each memory block of said new arena is also shifted by the stored variable, the stored variable having n bytes and the stored variable having a random value.
    Type: Grant
    Filed: October 29, 2021
    Date of Patent: January 30, 2024
    Assignees: UNIVERSITAT POLITECNICA DE VALENCIA, CYBER INTELLIGENCE S.L.
    Inventors: Hector Marco Gisbert, Jose Ismael Ripoll Ripoll
  • Patent number: 11880605
    Abstract: Systems and methods are described for managing ephemeral storage of a virtual machine (VM) to provide victim caches for virtual storage appliances running on the VM. According to one embodiment, a central service may run within the VM and be responsible for managing allocation and reclamation of ephemeral storage space of the VM to/from the virtual storage appliances. Responsive to startup of a new virtual storage appliance on the VM, the new virtual storage appliance may request space from the central service to inform creation of its victim cache. In connection with servicing the request, the central service may take into consideration various factors including one or more of the total aggregate size of multiple local ephemeral drives associated with the VM, remaining available ephemeral storage space, the number of active virtual storage appliances, and the SLO of the virtual storage appliance seeking to establish its victim cache.
    Type: Grant
    Filed: February 15, 2022
    Date of Patent: January 23, 2024
    Assignee: NetApp, Inc.
    Inventors: Mrinal K. Bhattacharjee, Shivali Gupta, Neha Saini
  • Patent number: 11863384
    Abstract: A method comprises storing an electronic configuration document that identifies configurations of users, groups, and/or permissions relating to access to computer program artifacts in a first repository of an artifact repository system that is geographically distributed. The users and groups include external user groups who do not have explicit user-based permissions to view contents of a repository of the artifact repository system. The artifact repository system comprises second repositories that respectively replicate third repositories and have associated sets of properties, the third repositories including a repository external to the artifact repository system and associated with an external user group. The configurations comprise at least one configuration for configuring external visibility of computer program artifacts for one or more external user groups.
    Type: Grant
    Filed: January 4, 2023
    Date of Patent: January 2, 2024
    Assignee: Palantir Technologies Inc.
    Inventor: Alexander Lake
  • Patent number: 11853598
    Abstract: Generally discussed herein are devices, systems, and methods for software memory tagging that provides buffer overflow protection. A method can include responsive to a memory write operation to write data to a heap of a memory, identifying a first tag value associated with a first address of the memory write operation in the bit map, comparing, for each address after the first address affected by the memory write operation, respective tag values in a bit map of the memory to the identified first tag value, and halting execution of the application if any of the respective tag values do not match the first tag value.
    Type: Grant
    Filed: May 10, 2021
    Date of Patent: December 26, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Joseph Norman Bialek, Matthew John Parkinson
  • Patent number: 11847206
    Abstract: Technologies for untrusted code execution include a computing device having a processor with sandbox support. The computing device executes code included in a native domain in a non-privileged, native processor mode. The computing device may invoke a sandbox jump processor instruction during execution of the code in the native domain to enter a sandbox domain. The computing device executes code in the sandbox domain in a non-privileged, sandbox processor mode in response to invoking the sandbox jump instruction. While executing in the sandbox processor mode, the processor denies access to memory outside of the sandbox domain and may deny execution of one or more prohibited instructions. From the sandbox domain, the computing device may execute a sandbox exit instruction to exit the sandbox domain and resume execution in the native domain. The computing device may execute processor instructions to configure the sandbox domain. Other embodiments are described and claimed.
    Type: Grant
    Filed: July 2, 2021
    Date of Patent: December 19, 2023
    Assignee: INTEL CORPORATION
    Inventors: Mingwei Zhang, Mingqiu Sun, Ravi L. Sahita, Chunhui Zhang, Xiaoning Li
  • Patent number: 11837037
    Abstract: A universal secure mobile device entry upgrade for electronic locks adds a wireless unlocking functionality to an existing host lock assembly. An electronics unit having a processing unit, a wireless communication device, a lock input, and a lock output is installed between a host motor output and host motor of a host lock. The original unlocking functionality of the host lock is maintained by either repeating an unlock signal from the host motor output to the host motor using the processing unit, or through a two-position switch that passes a host unlock signal to the host motor by default, but switches to a second position that allows an unlock signal to be sent to the host motor when a wireless unlocking is signaled from a mobile unlocking device such as a smartphone or the like. An integrated security chip and real-time clock may be included to increase security.
    Type: Grant
    Filed: November 9, 2020
    Date of Patent: December 5, 2023
    Assignee: OpenKey, Inc.
    Inventors: Stephen Vincent Zsigray, III, Eric Daley, Christopher Shane Hickingbottom, Todd J. Person
  • Patent number: 11809726
    Abstract: A distributed storage method includes offline merging, by a first thread service of a distributed storage system, M small files in a file system; generating, by the first thread service, M pieces of metadata in the offline merging process; loading, by a second thread service of the distributed storage system, the M pieces of metadata into a metadata set; searching, by the second thread service, the metadata set for metadata of a first small file when the second thread service receives a first instruction; and performing, by the second thread service, the operation corresponding to the first instruction when the second thread service finds the metadata of the first small file in the metadata set.
    Type: Grant
    Filed: March 7, 2022
    Date of Patent: November 7, 2023
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Yong Zhang, Yicong Cai, Ajith Raj Shetty S
  • Patent number: 11777967
    Abstract: A method, an intelligent switch, a device, and a network for recognizing deviations in communication behavior of the network are provided. Characteristics of communication are monitored and evaluated regarding security behavior of the network using a model of a communication behavior of the network. For each communication over a switch of the network, at most three security values are derived from communication metadata of the respective communication using the model of the communication behavior. For each communication, it is checked whether the respective at most three security values meet respective predetermined threshold values. When the respective predetermined threshold values are not met by at least one of the security values, a security warning is generated.
    Type: Grant
    Filed: December 3, 2019
    Date of Patent: October 3, 2023
    Assignee: Siemens Aktiengesellschaft
    Inventors: Jens Makuth, Jürgen Schimmer
  • Patent number: 11768946
    Abstract: A method comprising responsive to a first instruction requesting a memory heap operation, identifying a data block of a memory heap; accessing a tag history for the data block, the tag history comprising a plurality of tags previously assigned to the data block; assigning a tag to the data block, wherein assigning the tag comprises verification that the tag does not match any of the plurality of tags of the tag history; and providing the assigned tag and a reference to a location of the data block.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: September 26, 2023
    Assignee: Intel Corporation
    Inventors: David M. Durham, Ramya Jayaram Masti
  • Patent number: 11768951
    Abstract: The systems and methods of gesture triggered automatic erasure on a private network, comprising: securely connecting, embedding, sending information within one or more secure objects on the first computing device; detecting, by the first computing device, a signal as a zeroization trigger responsive to a user gesture; and sending, by the first computing device via the private network, a message informing the second computing device of the zeroization trigger, the message causing the second computing device to execute automatic erasure of the one or more secure objects stored on the second computing device; wherein: the second computing device belongs to a zeroization group; the message causing each member computing device belonging to the zeroization group to execute the automatic erasure of the one or more secure objects.
    Type: Grant
    Filed: December 16, 2021
    Date of Patent: September 26, 2023
    Assignee: WHITESTAR COMMUNICATIONS, INC.
    Inventor: Billy Gayle Moon
  • Patent number: 11770369
    Abstract: Embodiments are directed to methods, apparatuses, computer readable media and systems for authenticating a user on a user device across multiple mobile applications. The identity of the user is validated by encoding and subsequently validating cryptographically encrypted data in a shared data store accessible by the mobile applications tied to the same entity. Specifically, the application leverages the authentication process of a trusted mobile application (e.g. a banking mobile application) to authenticate the same user on an untrusted mobile application (e.g. a merchant mobile application).
    Type: Grant
    Filed: January 7, 2022
    Date of Patent: September 26, 2023
    Assignee: Visa International Service Association
    Inventors: Vishwanath Shastry, Shalini Mayor
  • Patent number: 11748490
    Abstract: A computer system includes an ensemble moving target defense architecture that protects the computer system against attack using one or more composable protection layers that change each churn cycle, thereby requiring an attacker to acquire information needed for an attack (e.g., code and pointers) and successfully deploy the attack, before the layers have changed state. Each layer may deploy a respective attack information asset protection providing multiple respective attack protections each churn cycle, wherein the respective attack information asset protections may differ.
    Type: Grant
    Filed: December 30, 2021
    Date of Patent: September 5, 2023
    Assignee: REGENTS OF THE UNIVERSITY OF MICHIGAN
    Inventors: Todd Austin, Valeria Bertacco, Mark Gallagher, Baris Kasikci
  • Patent number: 11722314
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for digital transaction signing for multiple client devices using secured encrypted private keys. The system generates, by a device, a private key and public key pair. The key pair is associated with an electronic account. The device also has an associated private key and public key pair. The device generates multiple key shares of the generated private key associated with the electronic account. The device encrypts each of the multiple key shares with the public key of the device thereby creating multiple first or inner layer of encrypted key shares. The device then encrypts each of the multiple first encrypted key shares each with a separate user public key associated with a user thereby creating multiple second or outer layer of encrypted key shares. The double encrypted key shares are then distributed to the respective users having the user public key.
    Type: Grant
    Filed: December 21, 2021
    Date of Patent: August 8, 2023
    Assignee: OX Labs Inc.
    Inventors: Wissam Jarjoui, George Melika, Akbar Thobhani
  • Patent number: 11693993
    Abstract: A system including a bus, a processor coupled to the bus, a non-volatile memory coupled to the bus, circuitry for providing a detected condition, and a secure controller. The secure controller is coupled to the circuitry for providing a detected condition and to selectively enable communication of information between the non-volatile memory and the bus in response to the detected condition.
    Type: Grant
    Filed: February 22, 2021
    Date of Patent: July 4, 2023
    Assignee: TEXAS INSTRUMENTS INCORPORATED
    Inventors: Veeramanikandan Raju, Jonathan William Nafziger
  • Patent number: 11657160
    Abstract: A vulnerability analyzer includes: a single route derivation unit for deriving single route information from an attack determination position to a start position of program information; a variable analysis unit for deriving actual value range information from information of a branch condition and a branch result in the program information; a memory editing unit for setting a virtual address and an input flag corresponding to input variable information, storing actual value information of the input variable information, and storing actual value range information from the variable analysis unit; and a vulnerability existence determination unit for extracting variable information of an attack execution condition, acquiring the actual value information and the actual value range information corresponding to the variable information, calculating limited input actual value information when the input flag is set to the virtual address, and determining if the limited input actual value information satisfies the attack e
    Type: Grant
    Filed: October 19, 2020
    Date of Patent: May 23, 2023
    Assignee: YAZAKI CORPORATION
    Inventors: Yosuke Maekawa, Shigeki Sano, Hiroaki Saji, Yoichi Komatsu, Yutaro Enomoto
  • Patent number: 11636231
    Abstract: Various embodiments may include methods and systems for providing secure in-memory device access of a memory device by a system-on-a-chip (SOC). Various methods may include receiving a configuration message from the SOC for configuring a memory access control of the memory device, and configuring the memory access control based on the configuration message. Various embodiments may include receiving an access request message from the SOC requesting access to a memory base address and a memory access range of a memory cell array of the memory device, wherein the access request message includes a read/write operation. Various embodiments may include comparing the access request message with the configured memory access control to determine whether the access request message is allowable. Various embodiments may further include performing the read/write operation in response to determining that the access request message is allowable.
    Type: Grant
    Filed: July 24, 2020
    Date of Patent: April 25, 2023
    Assignee: QUALCOMM Incorporated
    Inventors: Yanru Li, Dexter Tamio Chun
  • Patent number: 11581941
    Abstract: [Object] Effectively perform data communication [Solving Means] A communication device includes: a LINK that generates a first output signal on a basis of a first external signal from a first external device, outputs the first output signal to a second external device, generates a second output signal on a basis of a second external signal from the second external device, and outputs the second output signal to the first external device, in which each of the first output signal and the second external signal includes command information indicating content of a command transmitted from the first external device, final-destination-device-identification-information for identifying a final destination device of data transmitted from the first external device, internal address information indicating an internal address of the final destination device, data length information indicating a length of the data transmitted from the first external device, and data-end-position-information indicating an end position of t
    Type: Grant
    Filed: March 18, 2020
    Date of Patent: February 14, 2023
    Assignee: Sony Semiconductor Solutions Corporation
    Inventors: Takayuki Hirama, Junya Yamada, Hiroo Takahashi, Toshihisa Hyakudai
  • Patent number: 11563483
    Abstract: [Object] Effectively perform data communication [Solving Means] A communication device includes: a LINK that generates a first output signal on a basis of a first external signal from a first external device, outputs the first output signal to a second external device, generates a second output signal on a basis of a second external signal from the second external device, and outputs the second output signal to the first external device, in which each of the first output signal and the second external signal includes command information indicating content of a command transmitted from the first external device, final-destination-device-identification-information for identifying a final destination device of data transmitted from the first external device, internal address information indicating an internal address of the final destination device, data length information indicating a length of the data transmitted from the first external device, and data-end-position-information indicating an end position of t
    Type: Grant
    Filed: March 25, 2020
    Date of Patent: January 24, 2023
    Assignee: Sony Semiconductor Solutions Corporation
    Inventors: Takayuki Hirama, Junya Yamada, Hiroo Takahashi, Toshihisa Hyakudai
  • Patent number: 11513994
    Abstract: Systems, methods, and apparatus improve synchronization of trigger timing when triggers are configured over a serial bus. A data communication apparatus has an interface circuit that couples the data communication apparatus to a serial bus and is configured to receive a clock signal from the serial bus, a plurality of counters configured to count pulses in the clock signal, and a controller configured to receive a datagram from the serial bus, the datagram including a plurality of data bytes corresponding to the plurality of counters, configure each of the plurality of counters with a count value based on content of a corresponding data byte when the corresponding data byte is received from the datagram, cause each of the counters to refrain from counting until all of the counters have been configured with count values, and actuate a trigger when a counter associated with the trigger has counted to zero.
    Type: Grant
    Filed: January 14, 2021
    Date of Patent: November 29, 2022
    Assignee: QUALCOMM Incorporated
    Inventors: Lalan Jee Mishra, Umesh Srikantiah, Richard Dominic Wietfeldt
  • Patent number: 11422949
    Abstract: It is desired to provide a technology that suppresses the possibility of unauthorized use of an electronic device. Provided is a communication device that includes a communication unit configured to transmit/receive data, and a storage unit that includes a first area and a second area different from the first area, and in the communication device, the first area is an area in which reading and writing from a program in the second area is prohibited, and the first area stores both of a communication program configured to control the transmission/reception and destination information of the data.
    Type: Grant
    Filed: November 8, 2018
    Date of Patent: August 23, 2022
    Assignee: SONY GROUP CORPORATION
    Inventor: Akihiko Toyoshima
  • Patent number: 9037796
    Abstract: A method is implemented in a computer infrastructure having computer executable code tangibly embodied on a computer readable storage medium having programming instructions. The programming instructions are operable to optimize data remanence over hybrid disk clusters using various storage technologies, determine one or more data storage technologies accessible by a file system, and determine secure delete rules for each of the one or more storage technologies accessible by the file system. The secure delete rules include a number of overwrites required for data to be securely deleted from each of the one or more storage technologies. The programming instructions are further operable to provide the secure delete rules to the file system upon a request for deletion of data for each of the one or more storage technologies a specific amount of times germane to secure delete data from the one or more storage technologies.
    Type: Grant
    Filed: May 16, 2014
    Date of Patent: May 19, 2015
    Assignee: International Business Machines Corporation
    Inventors: Abhinay R. Nagpal, Sandeep R. Patil, Sri Ramanathan, Matthew B. Trevathan
  • Patent number: 9003147
    Abstract: A virtual capacity acquisition unit acquires a size of virtual capacity of a save data area from an application. A storage capacity acquisition unit acquires a size of save data of the application. A writing control unit prohibits the application from writing the save data exceeding the virtual capacity in a recording device. A free space acquisition unit acquires a size of free space of the recording device, and the writing control unit prohibits the writing of save data whose size is larger than that of the free space.
    Type: Grant
    Filed: September 6, 2012
    Date of Patent: April 7, 2015
    Assignees: Sony Corporation, Sony Computer Entertainment Inc.
    Inventors: Masaharu Sakai, Yoichiro Iino, Shinichi Tanaka
  • Patent number: 8984245
    Abstract: A memory protection unit includes at least a first access control unit and a second access control unit programmed for controlling an access to a memory device. Further a method to operate a processing system comprising multiple processing devices and multiple memory protection units associated to the multiple processing devices. The access to the memory by a processing device is approved if first access control unit and second access control unit of the memory protection associated to the processing device approves the access and access is rejected if first access control unit or second access control unit rejects the access. The first access control unit is programmable by the associated processing device alone and the programming of the second access control unit is readable by an additional processing device which is to be used in a system with multiple programming devices, not the associate processing device.
    Type: Grant
    Filed: November 29, 2011
    Date of Patent: March 17, 2015
    Assignee: Robert Bosch GmbH
    Inventors: Christine Rossa, Bernd Mueller, Markus Ferch, Carsten Gebauer, Dieter Thoss, Michael Ebert
  • Patent number: 8949539
    Abstract: A method, system and computer program product for implementing load-reserve and store-conditional instructions in a multi-processor computing system. The computing system includes a multitude of processor units and a shared memory cache, and each of the processor units has access to the memory cache. In one embodiment, the method comprises providing the memory cache with a series of reservation registers, and storing in these registers addresses reserved in the memory cache for the processor units as a result of issuing load-reserve requests. In this embodiment, when one of the processor units makes a request to store data in the memory cache using a store-conditional request, the reservation registers are checked to determine if an address in the memory cache is reserved for that processor unit. If an address in the memory cache is reserved for that processor, the data are stored at this address.
    Type: Grant
    Filed: February 1, 2010
    Date of Patent: February 3, 2015
    Assignee: International Business Machines Corporation
    Inventors: Matthias A. Blumrich, Martin Ohmacht
  • Patent number: 8930657
    Abstract: One embodiment of the present invention relates to a heap overflow detection system that includes an arithmetic logic unit, a datapath, and address violation detection logic. The arithmetic logic unit is configured to receive an instruction having an opcode and an operand and to generate a final address and to generate a compare signal on the opcode indicating a heap memory access related instruction. The datapath is configured to provide the opcode and the operand to the arithmetic logic unit. The address violation detection logic determines whether a heap memory access is a violation according to the operand and the final address on receiving the compare signal from the arithmetic logic unit.
    Type: Grant
    Filed: July 18, 2011
    Date of Patent: January 6, 2015
    Assignee: Infineon Technologies AG
    Inventor: Prakash Kalanjeri Balasubramanian
  • Patent number: 8918612
    Abstract: A system and method of verifying a content of a non-volatile reprogrammable memory communicatively coupled to a microprocessor is disclosed. The method comprises the steps of reading at least a portion of the data stored in the non-volatile reprogrammable memory via a second communication path secured by encryption, generating a computed integrity value according to at least a portion of the contents of the non-volatile reprogrammable memory, and reading an integrity value, and comparing the computed integrity value with the read integrity value.
    Type: Grant
    Filed: February 20, 2012
    Date of Patent: December 23, 2014
    Assignee: The DIRECTV Group, Inc.
    Inventors: Ronald P. Cocchi, Christopher P. Curren, Kevin T. Collier
  • Patent number: 8918610
    Abstract: A chip including a processor for performing a predetermined operation, a provider for providing a clock signal, with which the processor is clocked, a counter for decrementing or incrementing a count based on the clock signal, a monitor for signaling the predetermined operation to be prevented, depending on the count, and a non-volatile storage for non-volatily storing the count.
    Type: Grant
    Filed: December 8, 2004
    Date of Patent: December 23, 2014
    Assignee: Infineon Technologies AG
    Inventor: Peter Laackmann
  • Patent number: 8909873
    Abstract: A method and apparatus for controlling traffic of multiprocessor system or multi-core system is provided. The traffic control apparatus of a multiprocessor system according to the present invention includes a request handler for processing a traffic request of a first processor, and a Quality of Service (QoS) manager for receiving a QoS guaranty start instruction for a second processor from the multiprocessor system, and for transmitting, when traffic of the second processor is detected, a traffic adjustment signal to the request handler. The request handler adjusts the traffic of the first processor according to the received traffic adjustment signal. The traffic control method and apparatus of the present invention is capable of adjusting the required bandwidths of individual technologies and guaranteeing the real-timeness in the multiprocessor system or multi-core system.
    Type: Grant
    Filed: September 2, 2011
    Date of Patent: December 9, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Min Seung Baik, Joong Baik Kim, Seung Wook Lee, Soon Wan Kwon
  • Patent number: 8909942
    Abstract: A secure data storage system includes a mechanism that can be activated to inhibit access to stored data. In one embodiment, access to stored data can be prevented without having to erase or modify such data. An encryption key, or data used to generate the encryption key, is stored in an MRAM module integrated within the data storage system. The data storage system uses the encryption key to encrypt data received from a host system, and to decrypt the encrypted data when it is subsequently read by a host system. To render the stored data inaccessible, an operator (or an automated process) can expose the MRAM module to a magnetic field of sufficient strength to erase key data therefrom.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: December 9, 2014
    Assignee: Western Digital Technologies, Inc.
    Inventors: Dmitry S. Obukhov, Afshin Latifi, Justin Jones
  • Patent number: 8904134
    Abstract: A transponder having a transmitting and receiving device for receiving commands and transmitting data and command processor for executing commands, and a programming device for changing the memory contents, and a data memory which has a first memory area and a second memory area, whereby the first memory area has the first value or a second value, and when the first memory area has the first value, the content of both memory areas can be changed and, in the case of read access to the second memory area, the transmitting/receiving device transmits a predefined or no data stream instead of the memory content of the second memory area.
    Type: Grant
    Filed: July 14, 2010
    Date of Patent: December 2, 2014
    Assignee: Atmel Corporation
    Inventors: Peter Schneider, Roland Schropp, Martin Berhorst, Sebastian Bock
  • Patent number: 8904135
    Abstract: A system implements a method for non-disruptive restoration of storage services provided by a storage volume of the system. Upon detecting a disruption of storage services at the storage volume, the method freezes the input/output (I/O) operations of applications that are accessing the storage volume. The disrupted storage services are restored, and the configurations of the storage volume are maintained during restoration of the disrupted storage services. Afterward, the frozen I/O operations are activated, allowing the applications to continue accessing the storage volume.
    Type: Grant
    Filed: October 8, 2013
    Date of Patent: December 2, 2014
    Assignee: NetApp, Inc.
    Inventors: Manish D. Patel, Boris Teterin
  • Patent number: 8898412
    Abstract: A computer system is provided, the computer system having a processor and a system memory coupled to the processor. The computer system also includes a Basic Input/Output System (BIOS) in communication with the processor. The BIOS selectively scrubs the system memory during a shutdown process of the computer system.
    Type: Grant
    Filed: March 21, 2007
    Date of Patent: November 25, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Louis B. Hobson, Wael M. Ibrahim, Manuel Novoa
  • Patent number: 8892810
    Abstract: According to one embodiment, a semiconductor device includes a processor, and a memory device. The memory device has a nonvolatile semiconductor storage device and is configured to serve as a main memory for the processor. When the processor executes a plurality of programs, the processor manages pieces of information required to execute the programs as worksets for the respective programs, and creates tables, which hold relationships between pieces of information required for the respective worksets and addresses of the pieces of information in the memory device, for the respective worksets. The processor accesses the memory device with reference to the corresponding tables for the respective worksets.
    Type: Grant
    Filed: February 17, 2012
    Date of Patent: November 18, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Hiroto Nakai, Tatsunori Kanai, Kenichi Maeda
  • Patent number: 8892837
    Abstract: Methods and apparatuses for improving security of an integrated circuit (IC) are provided. A tamper condition is detected and a digital key stored in the IC is erased. The digital key is associated with a first image loaded onto the IC from a first memory. The memory may be a non-volatile memory module. A second image is loaded into a second memory module. The second memory module may be an embedded memory module, e.g., a control random access memory (CRAM) module. The first image is then erased from the first and second memory modules.
    Type: Grant
    Filed: February 22, 2011
    Date of Patent: November 18, 2014
    Assignee: Altera Corporation
    Inventors: Noor Hazlina Ramly, Yin Mei Yap
  • Patent number: 8856474
    Abstract: An apparatus includes a nonvolatile memory, an interface that at least receives an erase command of the nonvolatile memory, a first controller that controls the nonvolatile memory to execute data erasing on the basis of the erase command output from the interface, an external input unit which is installed independently of the interface, a second controller that controls the nonvolatile memory to execute data erasing on the basis of an erase instruction signal output from the external input unit, and a change-over circuit that switches between connection of the first controller with the nonvolatile memory and connection of the second controller with the nonvolatile memory, wherein the second controller controls the nonvolatile memory to execute data erasing on the basis of the erase instruction when the connection of the second controller with the nonvolatile memory is established by the change-over circuit.
    Type: Grant
    Filed: September 2, 2011
    Date of Patent: October 7, 2014
    Assignee: Fujitsu Limited
    Inventors: Masahiro Ise, Michiyo Garbe, Jin Abe
  • Patent number: 8856473
    Abstract: Embodiments of the present invention provide a virtualization protection system (VPS) that leverages virtual machine monitor (VMM) technology. In some embodiments, a computer system contains a host operating system and one or more virtual machines that run on “guest” operating systems. The VPS makes certain areas of memory of the computer system read-only, making it essentially impossible for the virtual machines or other component to compromise the system.
    Type: Grant
    Filed: July 1, 2005
    Date of Patent: October 7, 2014
    Assignee: Red Hat, Inc.
    Inventor: Henri Han van Riel
  • Patent number: 8850149
    Abstract: An apparatus includes a first storage unit, a second storage unit, a setting unit configured to set a level of data deletion used for executing a job, an identification unit configured to identify a storage unit to be used for the job, and a control unit configured to, if the set level is a predetermined level and the identified storage unit is the first storage unit, store data of the job into the first storage unit and overwrite the stored data when the job is executed, and configured to, if the set level is the predetermined level and the identified storage unit is the second storage unit, encrypt data of the job and store the encrypted data into the second storage unit when the job is executed.
    Type: Grant
    Filed: June 29, 2011
    Date of Patent: September 30, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Fumio Mikami
  • Patent number: 8812804
    Abstract: A secure demand paging (SDP) system includes a dynamic random access memory (DRAM), a microprocessor having a secure internal memory and coupled to said DRAM, and a non-volatile memory storing a representation of operations accessible by the microprocessor. The stored representation of operations includes a coded physical representation of operations to configure an SDP space in the DRAM, to organize the SDP space into virtual machine contexts, to organize at least one of the virtual machine contexts into block book keeping blocks and book keeping spaces in the block book keeping blocks, and to execute a secure demand paging process between said secure internal memory and said DRAM.
    Type: Grant
    Filed: January 6, 2012
    Date of Patent: August 19, 2014
    Assignee: Texas Instruments Incorporated
    Inventors: Steven C. Goss, Gregory R. Conti, Narendar Shankar, Mehdi-Laurent Akkar, Aymeric Vial
  • Patent number: 8806104
    Abstract: In one embodiment, a processor includes an access logic to determine whether an access request from a virtual machine is to a device access page associated with a device of the processor and if so, to re-map the access request to a virtual device page in a system memory associated with the VM, based at least in part on information stored in a control register of the processor. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 25, 2012
    Date of Patent: August 12, 2014
    Assignee: Intel Corporation
    Inventors: Vedvyas Shanbhogue, Stephan J. Robinson
  • Patent number: 8788785
    Abstract: A computer-implemented method for preventing heap-spray attacks may include identifying an object-oriented program. The computer-implemented method may also include identifying, within the object-oriented program, a request to allocate memory for a polymorphic object. The polymorphic object may include a pointer to a virtual method table that supports dynamic dispatch for at least one method of the polymorphic object. The computer-implemented method may further include identifying an area of memory reserved for polymorphic objects. The computer-implemented method may additionally include allocating memory for the polymorphic object from the reserved area of memory. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: January 14, 2011
    Date of Patent: July 22, 2014
    Assignee: Symantec Corporation
    Inventor: Uri Mann
  • Patent number: 8788763
    Abstract: An apparatus and system for protecting memory of a virtual guest includes initializing a virtual guest on a host computing system. The host computing system includes a virtual machine manager that manages operation of the virtual guest. The virtual guest includes a distinct operating environment executing in a virtual operation platform provided by the virtual machine manager. The method includes receiving an allocation of run-time memory for the virtual guest, the allocation of run-time memory comprising a portion of run-time memory of the host computing system. The method includes setting, by the virtual guest, at least a portion of the allocation of run-time memory to be inaccessible by the virtual machine manager.
    Type: Grant
    Filed: May 29, 2012
    Date of Patent: July 22, 2014
    Assignee: International Business Machines Corporation
    Inventors: Christopher J. Arges, Nathan D. Fontenot, Ryan P. Grimm, Joel H. Schopp, Michael T. Strosaker
  • Patent number: 8782351
    Abstract: The method for protecting memory of a virtual guest includes initializing a virtual guest on a host computing system. The host computing system includes a virtual machine manager that manages operation of the virtual guest. The virtual guest includes a distinct operating environment executing in a virtual operation platform provided by the virtual machine manager. The method includes receiving an allocation of run-time memory for the virtual guest, the allocation of run-time memory comprising a portion of run-time memory of the host computing system. The method includes setting, by the virtual guest, at least a portion of the allocation of run-time memory to be inaccessible by the virtual machine manager.
    Type: Grant
    Filed: October 13, 2011
    Date of Patent: July 15, 2014
    Assignee: International Business Machines Corporation
    Inventors: Christopher J. Arges, Nathan D. Fontenot, Ryan P. Grimm, Joel H. Schopp, Michael T. Strosaker
  • Patent number: 8782343
    Abstract: A method is implemented in a computer infrastructure having computer executable code tangibly embodied on a computer readable storage medium having programming instructions. The programming instructions are operable to optimize data remanence over hybrid disk clusters using various storage technologies, determine one or more data storage technologies accessible by a file system, and determine secure delete rules for each of the one or more storage technologies accessible by the file system. The secure delete rules include a number of overwrites required for data to be securely deleted from each of the one or more storage technologies. The programming instructions are further operable to provide the secure delete rules to the file system upon a request for deletion of data for each of the one or more storage technologies a specific amount of times germane to secure delete data from the one or more storage technologies.
    Type: Grant
    Filed: June 20, 2013
    Date of Patent: July 15, 2014
    Assignee: International Business Machines Corporation
    Inventors: Abhinay R. Nagpal, Sandeep R. Patil, Sri Ramanathan, Matthew B. Trevathan
  • Patent number: 8775757
    Abstract: An SOC implements a security enclave processor (SEP). The SEP may include a processor and one or more security peripherals. The SEP may be isolated from the rest of the SOC (e.g. one or more central processing units (CPUs) in the SOC, or application processors (APs) in the SOC). Access to the SEP may be strictly controlled by hardware. For example, a mechanism in which the CPUs/APs can only access a mailbox location in the SEP is described. The CPU/AP may write a message to the mailbox, which the SEP may read and respond to. The SEP may include one or more of the following in some embodiments: secure key management using wrapping keys, SEP control of boot and/or power management, and separate trust zones in memory.
    Type: Grant
    Filed: September 25, 2012
    Date of Patent: July 8, 2014
    Assignee: Apple Inc.
    Inventors: R. Stephen Polzin, James B. Keller, Gerard R. Williams, III
  • Patent number: 8756391
    Abstract: According to one embodiment, a computing system includes two or more opto-electrical isolators coupling a corresponding two or more memory devices to a processor. Each memory device is electrically isolated from each other and configured to store data or instructions executed by the processor. Each opto-electrical isolator selectively couples its associated memory device to the processor such that only one of the two or more memory devices is writable by the processor at any instant of time.
    Type: Grant
    Filed: August 21, 2009
    Date of Patent: June 17, 2014
    Assignee: Raytheon Company
    Inventor: John F. McGee, III
  • Patent number: 8719528
    Abstract: A storage device in which file data is divided into multiple blocks for storage on a recording medium is provided. The storage device includes an additional data storing section for storing additional data to be recorded on the recording medium in association with the data to be written, a position determining section for determining recording positions on the recording medium where the blocks should be respectively written, based on the additional data, and a block writing section for writing the respective blocks on the recording positions on the recording medium determined by the recording position determining section. The additional data thus defines a gap length between blocks of recorded data. During a read operation, if the gap length does not comport with the additional data, then an error is assumed.
    Type: Grant
    Filed: July 9, 2013
    Date of Patent: May 6, 2014
    Assignee: International Business Machines Corporation
    Inventors: Tomoaki Kimura, Satoshi Tohji
  • Patent number: 8719514
    Abstract: A method and apparatus for utilizing hardware mechanisms of a transactional memory system is herein described. Various embodiments relate to software-based filtering of operations from read and write barriers and read isolation barriers during transactional execution. Other embodiments relate to software-implemented read barrier processing to accelerate strong atomicity. Other embodiments are also described and claimed.
    Type: Grant
    Filed: December 15, 2009
    Date of Patent: May 6, 2014
    Assignee: Intel Corporation
    Inventors: Ali-Reza Adl-Tabatabai, David Callahan, Jan Gray, Vinod Grover, Bratin Saha, Gad Sheaffer