Abstract: Upon initialization or startup of an electronic device, the device checks a predetermined section of non-volatile memory, referred to as the signature byte or lock byte, and allows either the manufacturing mode which allows for installation of the final or production version of firmware to be loaded into non-volatile memory, or the production mode which write-protects certain portions of non-volatile memory before giving operating control of the electronic device to another program, for example, an operating system. By only allowing execution of operating system or other executable code after write-protecting certain portions of non-volatile memory, system security, integrity, and robustness are substantially increased.

Abstract: The present invention relates to a data scanning circuit and method. According to the present invention, a memory circuit stores a plurality of codes. Each of the code corresponds to a sub-rule. The memory circuit outputs at least first bit and at least second bit of each code, respectively, according to a first and a second data items. An operational circuit performs logic operations on the first and second bits, and produces an operated result. A decision circuit decides whether the input data satisfies the scanning rule according to the operated result.

Abstract: A memory device comprises a memory array, a status register coupled with the memory array, and a security register coupled with the memory array and the status register. The memory array contains a number of memory blocks configured to have independent access control. The status register includes at least one protection bit indicative of a write-protection status of at least one corresponding block of the memory blocks that corresponds to the protection bit. The security register includes at least one register-protection bit. The register-protection bit is programmable to a memory-protection state for preventing a state change of at least the protection bit of the status register. The register-protection bit is configured to remain in the memory-protection state until the resetting of the memory device.

Abstract: Embodiments of apparatuses, methods, and systems for executing a protected device model in a virtual machine are disclosed. In one embodiment, an apparatus includes recognition logic, memory management logic, control logic, and execution logic. The recognition logic is to recognize an indication, during execution of first code on a virtual machine, that the first code is attempting to access a device. The memory management logic is to prevent the virtual machine from accessing a portion of memory during execution of the first code, and to allow the virtual machine to access the portion of memory in response to the indication. The control logic is to transfer control of the apparatus from the first code to second code stored in the portion of memory, without exiting the virtual machine. The execution logic is to execute the second code to model the device.

Abstract: A data protection device for an interconnect network on chip (NoC) includes a header encoder that receives input requests for generating network packets. The encoder routes the input requests to a destination address. An access control unit controls and allows access to the destination address. The access control unit uses a memory to store access rules for controlling access to the network as a function of the destination address and of a source of the input request.

Abstract: A storage system is utilized to its fullest storage capacity by setting a write inhibitive attribute to a desired storage area of the storage system. The storage system has a logical volume in which data is stored and a control device which controls access to the data stored in the logical volume. A first area of a desired size is set in the logical volume, and an access control attribute is set to the first area. In response to a request made by a computer to perform access to the logical volume, the control device notifies the computer that the control device does not perform the access when an area designated by the access request contains at least a part of the first area and the access control attribute set to the first area inhibits the type of the access requested.

Abstract: A system and method for achieving one or more protected regions within a computer system having multiple partitions are disclosed. In at least some embodiments, the system includes an intermediary device for use within the computer system having the multiple partitions. The intermediary device includes a fabric device, and a first firewall device capable of limiting communication of a signal based upon at least one of a source of the signal and an intended destination of the signal, the first firewall device being at least indirectly coupled to the fabric device. The intermediary device further includes a first conversion device that is one of integrated with the first firewall device and distinct from the first firewall device, and that is capable of converting between a processor address and a fabric address for use by the fabric device. In some embodiments, the various devices each include Control and Status Registers (CSRs).

Abstract: When a file server is to create data that does not permit falsification in an external storage, it is not possible to guarantee that the rewriting of this data can be prevented from a computer connected to the external storage without going through a file server. Provided is a storage system configured from a first storage having a file I/O processing unit and a second storage connected to this first storage, wherein the first storage includes a unit for requesting a change of access authority to the storage area in the own storage and in the second storage provided to the own storage. An access request to a storage area in a second storage from a computer connected to a second storage without going through a file I/O processing unit is restricted based on the change of access authority executed by the second storage upon receiving the request from the first storage.

Abstract: A method for formatting a storage medium. The method includes saving management information associated with data that is to be protected from the formatting, the management information indicating where the data to be protected is stored, formatting a management information area of the storage medium where the management information is stored, and recovering the saved management information to the management information area of the storage medium such that the data to be protected is accessible.

Abstract: System and method for protecting data in a system including a main processor, an embedded controller, and a memory. In response to a power-on-reset (POR), access to the memory is enabled, e.g., access by the embedded controller. First data is read from the memory (e.g., by the embedded controller) in response to the enabling, where the first data are usable to perform security operations for the system prior to boot-up of the main processor. The first data are used, e.g., by the embedded controller, to perform one or more security operations for the system, then access to the memory, e.g., by the embedded controller, is disabled, where after the disabling the memory is not accessible, e.g., until the next POR initiates enablement.

Abstract: Protection against unauthorized copying of digital media content is achieved by receiving a request to provide digital media content to a client device, sending instructions to the client device regarding a processor executable function that provides protection against unauthorized copying of the digital media content, and sending the digital media content to the client device upon activation of the processor executable function.

Abstract: A hardware Secure Processing Unit (SPU) is described that can perform both security functions and other information appliance functions using the same set of hardware resources. Because the additional hardware required to support security functions is a relatively small fraction of the overall device hardware, this type of SPU can be competitive with ordinary non-secure CPUs or microcontrollers that perform the same functions. A set of minimal initialization and management hardware and software is added to, e.g., a standard CPU/microcontroller. The additional hardware and/or software creates an SPU environment and performs the functions needed to virtualize the SPU's hardware resources so that they can be shared between security functions and other functions performed by the same CPU.

Abstract: A memory device includes an address protection system that facilitates the ability of the memory device to interface with a plurality of processors operating in a parallel processing manner. The protection system is used to prevent at least some of a plurality of processors in a system from accessing addresses designated by one of the processors as a protected memory address. Until the processor releases the protection, only the designating processor can access the memory device at the protected address. If the memory device contains a cache memory, the protection system can alternatively or additionally be used to protect cache memory addresses.

Abstract: A storage subsystem and a storage controller adapted to take advantage of high data transfer rates of fibre channels while offering enhanced reliability and availability and capable of connecting with a plurality of host computers having multiple different interfaces. A loop is provided to serve as a common loop channel having fibre channel interfaces. Host interface controllers (HIFC) connected to host computers having different interfaces permit conversion between the fibre channel interface and a different interface as needed. Control processors, shared by the host interface controllers, each reference FCAL (fibre channel arbitrated loop) management information to capture a frame having an address of the processor in question from among the frames passing through the loop. I/O processing is then carried out by the controller in accordance with a range of logical unit numbers (LUN) set in the captured frame.

Abstract: A method of detecting malware may include: a) examining header data in each PDU transferred by a port of an access switch to identify PDUs transferred from a local network device, b) extracting a far-end device address for PDUs based at least in part on examination of an address portion of the corresponding header data, c) maintaining fan-out information indicative of a quantity of unique far-end device addresses extracted from the PDUs during consecutive time windows, d) determining a current trend based on the fan-out information for a current time window, e) comparing the current trend to an expected trend, and f) identifying a suspected malware infection in the local network device when the current trend exceeds the expected trend by a trend threshold. A network element that may implement the method may include a header data processing unit, data storage logic, data processing logic, and malware identification logic.

Abstract: Methods and systems for running multiple operating systems in a single embedded or mobile device (include PDA, cellular phone and other devices) are disclosed. The invention allows a mobile device that normally can only run a single operating system to run another operating system while preserving the state and data of the original operating system. Guest OS is packaged into special format recognizable by the host OS that still can be executed in place by the system. The Methods include: Change the memory protection bits for the original OS; Fake a reduced physical memory space for guest OS; Use special memory device driver to claim memories of host OS; Backup whole image of the current OS and data to external memory card.

Abstract: A storage system that comprises multiple solid-state storage devices includes a command set that enables a host system to initiate one or more types of purge operations. The supported purge operations may include an erase operation in which the storage devices are erased, a sanitization operation in which a pattern is written to the storage devices, and/or a destroy operation in which the storage devices are physically damaged via application of a high voltage. The command set preferably enables the host system to specify how many of the storage devices are to be purged at a time during a purge operation. The host system can thereby control the amount of time, and the current level, needed to complete the purge operation. In some embodiments, the number of storage devices that are purged at a time may additionally or alternatively be selectable by a controller of the storage system.

Abstract: A storage system compares content of new data received from a host computer with content of existing data already stored in the storage system. If the content of the new data matches the content of the existing data, the storage system determines whether the computer that sent the new data is a registered owner of the new data by determining who the registered owners are of the existing data that has the matching content. If the computer that sent the new data is not a registered owner, unauthorized information sharing is assumed to have taken place. The storage system sends a notification or takes other specified action when the computer that sent the new data is not a registered owner. An administrator or monitoring agent may thus be notified of any unauthorized file sharing or data leakage within the storage system.

Abstract: A memory apparatus and method for protecting the memory apparatus are provided. The memory apparatus includes a memory unit, a memory control unit, a switch and a control circuit. The memory control unit is used for reading from or writing to the memory unit and has a build-in protection unit. The switch has a lock end and a normal end. The control circuit is coupled between the switch and the memory control unit and is used for detecting the position of the switch. Once the switch is switched to the lock end and the memory apparatus receives a working voltage, the protection unit is automatically enabled by the control circuit to inhibit the memory control unit from reading data from or writing data to the memory unit.

Abstract: A security protection device provides protection for computer long-term storage devices, such as hard drives. The security protection device is placed between a host computer and the storage device. The security protection device intercepts communications between the host and the storage device and examines any commands from the host to the storage device. Only “safe” commands that match commands on a pre-approved list are passed to the storage device. All other commands may be discarded.

Abstract: Provided are an apparatus and method of detecting and controlling a privilege level violation process. The apparatus monitors whether higher-privileged processes depend on information provided from lower-privileged objects or denies the higher-privileged processes to access the lower-privileged objects. The apparatus is provided in a process, and monitors whether a process accesses to a lower-privileged object. The apparatus gives a warning message or denies an access of the process to the lower-privileged object when it detects that the higher-privileged process access to the lower-privileged object. Therefore, the apparatus of detecting and controlling a privilege level violation process detects weaknesses that may be caused by privilege level violation, thus allowing a system to be safely operated.

Abstract: An analysis section analyzes the live range of a first variable shared among subroutines and the live range of a second variable used only in a subroutine. The allocation section allocates the second variable in an allocation memory for the first variable if the live ranges of the first and second variables do not overlap each other.

Abstract: Protection mechanism is provided for data stored in logical volumes, especially during the time the corresponding host computer is off line. Additionally, integrity check mechanism is provided for logical volume when the host computer is started, so that host computer can detect unauthorized access to its assigned logical volume during off-line period, and execute security check.

Abstract: The program attains compatibility of suppression of an overhead accompanying page exception handling in the case of operating a program whose amount of memory use is large on a virtual machine and suppression of the overhead accompanying page exception handling in the case of operating a first OS that has a function of making another OS run on a virtual machine. A VMM creates a shadow PT for prohibiting reading-writing of privileged memory that requires emulation of reading/writing by using a RSV-bit, and registers the shadow PT and the second PT that a second OS operating on the first OS has in an x86 compatible CPU equipped with a page exception detecting function using two PT's. When a page exception occurs, the VMM refers to a cause code of the page exception and, when a P field of the cause code is 0, determines immediately that emulation is unnecessary.

Abstract: A memory-protection method and apparatus is provided that can protect a memory that is used by components in a real time operating system environment (RTOS). The memory-protection method includes requesting access to a first memory region that a first component uses when the first component is called to execute a first task in a real time operating system, and permitting the first task to access the first memory region with reference to a task list that includes information on tasks which are permitted to access the first memory region.

Abstract: Receiving a request for canceling setting, a control circuit erases data stored in a corresponding block, changes a value of a protection flag, and cancels protection setting. When an overall protection is set for any block, the control circuit prohibits access to all blocks, except when it is an operation mode for activating a memory program contained in the microcomputer. Further, control circuit permits an access to a block M only when partial protection is set, CPU is in the mode for activating a memory program contained in the microcomputer and the access is for reading an instruction code in accordance with an instruction fetch.

Abstract: Systems and methods for modifying a parameter value of a controller are described. In one embodiment, the method includes verifying a local presence at the controller, modifying a parameter value at a remote device, confirming the identity of the remote device, and storing the modified parameter value in the controller.

Abstract: Provided are a method and apparatus for checking the integrity of firmware. The method includes storing a first hash function value of unhacked firmware for determining whether actual firmware of an external processor has been hacked; reading the actual firmware via a bus; calculating a second hash function value of the actual firmware; comparing the first hash function value with the second hash function value; and sharing a bus key with the external processor, based on the comparison result.

Abstract: To prevent random access commands from remaining even in the case of mixed sequential and random accesses. A storage medium control unit is used in a data storage device adapted to perform processing on a data storage medium based on multiple requests including sequential access requests and random access requests. The storage medium control unit includes: request response delay monitoring device for monitoring the presence of delay in response to the requests based on whether or not the response time for each request exceeds a certain allowable delay time; and request control device for preventing the rearrangement processing of the sequential access requests and controlling the processing of the requests to be performed in a certain request order at the allowable delay time if exceeded.

Abstract: Methods and apparatus are provided for inhibiting data writing to an optical disc drive connected to a computer. A BIOS confirms presence of a security function of an optical disc drive. When the optical disc drive possesses the security function, the BIOS delivers a command to the optical disc drive to set it to a read-only mode. The optical disc drive that has received the command sets the drive per se to operate in the read-only mode. Since a command for setting it to the read-only mode and a command for releasing it are delivered to the optical disc drive only by the BIOS, when a control is transferred to an Operating System (OS), setting of the read-only mode cannot be released by the OS and other OS's, or application software.

Abstract: A multiprocessor system that can perform for a lock variable a function equivalent to an atomic read-modify-write function. When a specified CPU asserts a read signal READ, a main lock variable LOCK is read from a lock register, and a main lock variable LOCK in a locked state “1” is written to the lock register. When the main lock variable LOCK that is read is in an unlocked state “0”, the CPU can obtain a lock. Since not only the main lock variable LOCK is read, but is also the main lock variable LOCK in the locked state “1” is written, when a different CPU asserts a read signal READ immediately after this, the main lock variable LOCK in the locked state “1” is read from the lock register in the locked state “1”, so that the different CPU can not obtain a lock.

Abstract: In an embodiment, when a removable storage device is removably coupled to a host, the removable storage device indicates that it is non-removable to the host. The removable storage device may include a user-created secure storage area.

Abstract: A storage media for storing data and comprising an integral controller configured to control access to the data depending on the location of the storage media. The storage media may further comprise means to determine its location, e.g. such as a GPS receiver or a cellular network positioning solution. Alternatively, the location may be provided by an external device.

Abstract: A semiconductor device includes a volatile memory for storing a first instruction group, a first processing unit for executing the first instruction group, a nonvolatile memory for storing a second instruction group, a second processing unit for executing a second instruction group, a control signal output unit for outputting a control signal to specify permission or prohibition of executing a debugging function to the first processing unit, and a debug control unit for controlling execution of the debugging function by the first processing unit based on the control signal.

Abstract: A microcomputer includes a flash memory and a flash controller that controls access to the flash memory, the flash memory including a protection information storage section that stores protection information, the protection information indicating whether or not access to a given area of the flash memory is available; the flash controller including a flash protection section that performs a protection process relating to access to a given area of the flash memory based on the protection information; and the flash protection section performing the protection process relating to access to the flash memory when an access target is data.

Abstract: Access to memory address space is controlled by memory access control circuitry using access control data. The ability to change the access control data is controlled by domain control circuitry. Whether or not an instruction stored within a particular domain, being a set of memory addresses, is able to modify the access control data is dependent upon the domain concerned. Thus, the ability to change access control data can be restricted to instructions stored within particular defined locations within the memory address space thereby enhancing security. This capability allows systems to be provided in which call forwarding to an operating system can be enforced via call forwarding code and where trusted regions of the memory address space can be established into which a secure operating system may write data with increased confidence that that data will only be accessible by trusted software executing under control of a non-secure operating system.

Abstract: A memory card compatible token includes non-memory components accessed using commands hidden in the data stream of a memory card access command. A mobile computing device such as a mobile phone accesses the non-memory components by writing to a specific address, including a known data value in the data stream, or both. The token may be activated using an activation code, and a subsequently chosen password may be used to authenticate the mobile computing device to the token each time a hidden command is issued.

Abstract: Provided is a method of controlling memory access. In a system including a first layer element executed in a privileged mode having a first priority of permission to access the entire region of a memory and second and third layer elements executed in an unprivileged mode having a second priority of permission to access a partial region of the memory, the method of controlling memory access determines whether the memory is accessible for each page that is an address space unit, based on which mode a layer element currently accessing the memory is executed in between the privileged mode and the unprivileged mode; and determines whether the memory is accessible based on which one of the first, second and third layer elements corresponds to a domain currently being attempted to be accessed from among a plurality of domains of the memory.

Abstract: Various embodiments of a system and method for performing file backup operations are described. The method may operate to enable a user of a computer system to provide a password or other authentication information to associate with files on the computer system, e.g., in order to protect files that are backed up. For example, when the user (or another person or software agent) attempts to restore or otherwise access a backup copy of a password-protected file, the user may be prompted to enter the password. The method may operate to verify that the entered password matches the password associated with the file before granting permission to restore the file.

Abstract: A storage device has a data erasing function. A controller of a storage device, such as an USB, has a lost timer section and an emergency timer section. Both timer sections halt clocking operation as a result of initiation of use of the storage device by an authorized user. The lost timer section commences s clocking operation as a result of completion of use of the storage device by the authorized user. The emergency timer section commences clocking operation as a result of unauthorized removal of the storage device. When either the lost timer section or the emergency timer section outputs a count-up signal, data in flash ROM are erased.

Abstract: Provided are a method and a system for processing an access to a disk block. The system receives a disk block access request from an OS domain, determines whether the OS domain is permitted to access a disk block with reference to a predetermined block table and processes disk block access of the OS domain according to the determination result. Accordingly, OS domains can share caches without having data copy through memory access control in a virtual machine monitor environment. Furthermore, a device domain controls access to a disk drive so that data corruption can be prevented.

Abstract: A method for intervaled memory transfer access provides periodic authorization signals to a memory access controller. The method cycles between: 1) inhibiting the memory access controller from writing data to a memory until the memory access controller receives a periodic authorization signal to cause the memory access controller to remove the inhibition and write a predetermined amount of data to the memory through a data bus, and 2) releasing the data bus following writing of the predetermined amount of data to the memory by inhibiting the memory access controller from writing further data.

Abstract: A method for protecting the integrity of a set of memory pages to be accessed by an operating system of a data processing system, includes running the operating system in a virtual machine (VM) of the data processing system; verifying the integrity of the set of memory pages on loading of pages in the set to a memory of the data processing system for access by the operating system; in response to verification of the integrity, designating the set of memory pages as trusted pages and, in a page table to be used by the operating system during the access, marking non-trusted pages as paged; and in response to a subsequent page fault interrupt for a non-trusted page, remapping the set of pages to a region of the data processing system memory which is inaccessible to the virtual machine.

Abstract: A computer-readable storage medium stores a program for causing a processor to perform a process including: acquiring a first address that specifies a start address of a first area on the main memory where a target data to be cached is stored and range information that specifies a size of the first area on the main memory; converting the first address into a second address that specifies a start address of a second area on the local memory, the second area having a one-to-n correspondence (n=positive integer) to a part of a bit string of the first address; copying the target data stored in the first area specified by the first address and the range information onto the second area specified by the second address and the range information; and storing the second address to allow accessing the target data copied onto the local memory.

Abstract: The electronic device, in particular a transponder, includes a non volatile memory (EEPROM) having a plurality of words 1 to N whose read and/or write access can be locked. The protection register (22) is formed of two protection words A and B these two protection words are alternately active and inactive during the successive locking of words 1 to N of the programmable memory (16). The state of the protection register is defined by the active word. An initially active word is not deleted until the content thereof has been copied into the inactive word. Once the content has been altered in accordance with the lock command, the initially inactive word becomes the active word of the protection register.

Abstract: A memory lock system (900) is provided that includes: providing a controller (212); providing a connector (204) connected to the controller (212) for providing data to the controller (212); providing a memory (216) connected to the controller (212) for receiving and storing information from the controller (212); and manipulating an input device (206) connected to the controller (212) to unlock or lock data transfer between the connector (204) and the controller (212), in the controller (212), between the connector (204) and the memory (216), or in the memory (216).

Abstract: A technique for realtime-safe detection of a grace period for deferring the destruction of a shared data element until pre-existing references to the data element have been removed. A per-processor read/write lock is established for each of one or more processors. When reading a shared data element at a processor, the processor's read/write lock is acquired for reading, the shared data element is referenced, and the read/write lock that was acquired for reading is released. When starting a new grace period, all of the read/write locks are acquired for writing, a new grace period is started, and all of the read/write locks are released.

Abstract: An electronic file system includes an operating device for receiving an input for performance of an operation on an electronic file and an approval device used for approving of the operation on the electronic file. The electronic file includes an operation file on which an operation is to be performed and a restriction file indicating a restriction condition (policy) for restricting an operation performable on the operation file and a request destination for approval of the restricted operation. The operating device includes determination means for determining whether the operation to be performed on the operation file is permitted in accordance with the restriction condition described in the restriction file and means for, when it is determined that the operation corresponds to the restriction condition, transmitting to the approval device described as the request destination in the restriction file an approval request for requesting approval of the operation.

Abstract: Described are a self-protecting memory device and a method for protecting information stored in a memory device. The self-protecting memory device includes a storage module, an access control module and a pattern memory module. The access control module communicates with the storage module and is configured to receive memory references from a host system. The pattern memory module communicates with the access control module and stores an expected pattern of memory references. The access control module compares the expected pattern of memory references and memory references received from the host system. Access to the information stored in the storage module is provided or denied by the access control module according to the results of the comparison.

Abstract: A method and apparatus is described for receiving and storing data from a first host device and performing actions or events on a second host device based on the stored data. Also, a priority factor value may be determined for the stored data such that actions or events performed on the second host device may be based on the priorities of the stored data. For example, a removable, portable device may be connected to the first or the second host device. The stored data is accessed by the second host device and the stored data and the action or event on the second host device is performed based on the stored data. In another example, the stored data is not stored on the second host device. Thus, the stored data may be secure and trusted.