Abstract: Provided are an access control apparatus, an access control method, and a program that can reduce risks of tampering with a block while at the same time keeping ICV data size to a minimum. An individual key generation section (52) generates an individual key specific to an information processing apparatus (12). An ICV data generation section (56) generates, by using an individual key, ICV data that is based on verified digest value data, specific to the information processing apparatus (12), and smaller in data size than the digest value data. An ICV calculation section (64) calculates, by using the individual key, an ICV based on the block to which access is requested. A comparison section (66) compares the ICV indicated by a part of the ICV data corresponding to the block with the ICV calculated by the ICV calculation section (64). A writing section (68) writes the block to a memory in a case where the comparison succeeds.

Abstract: Methods, systems, and apparatuses related to adjustable security levels in processors are described. A processor may have functional units and a register configured to control security operations of the functional units. The register configures the functional units to operate in a first mode of security operations when the register contains a first setting; and the register configures the functional units to operate in a second mode of security operations when the register contains a second setting (e.g., to skip/bypassing a set of security operation circuit for enhanced execution speed).

Abstract: A user can customize (also referred to as train) an AI module, which includes any of a variety of machine learning systems. The AI module can be used by the device on which the AI module is trained or can be communicated to other devices in the same environment (e.g., the same home). The AI module can also be communicated in a secure and private manner to a device in another environment (e.g., another user's home). To do so, the AI module is encrypted and added to a blockchain, and the blockchain is communicated via a peer-to-peer network to the device in the other environment. The recipient of the blockchain can then decrypt the AI module and use the AI module in that other environment, including further training the AI module for use in that other environment.

Abstract: A flash memory storage management method includes: providing a flash memory module including single-level-cell (SLC) blocks and at least one multiple-level-cell block such as MLC block, TLC block, or QLC block; classifying data to be programmed into groups of data; respectively executing SLC programing and RAID-like error code encoding to generate corresponding parity check codes, to program the groups of data and corresponding parity check codes to the SLC blocks; when completing program of the SLC blocks, performing an internal copy to program the at least one multiple-level-cell block by sequentially reading and writing the groups of data and corresponding parity check codes from the SLC blocks to the multiple-level-cell block according to a storage order of the SLC blocks.

Abstract: Methods, systems, and devices for storing and reading data at a memory device are described. A memory device may utilize one or more storage states to store data within a data word. The memory device may exhibit higher data leakage or more power consumption when storing or reading a first storage state compared to storing or reading one or more other storage states. In some cases, the memory device may generate a second data word corresponding to a first data word by modifying each symbol type of the first data word to generate a different symbol type for the second data word. A memory device may reduce the occurrence of a storage state associated with large data leakage, or high-power consumption, or both. Further, the memory device may generate and store an indicator indicating the transformation of a corresponding data word.

Abstract: A notification is received that a first user device and a second user device would like to share a data set. The data set is retrieved from a database. A first security level associated with the first user device and a second security level associated with the second user device is retrieved. The data set is provided to the first user device and the second user device in accordance with the first security level and the second security level.

Abstract: Devices and techniques are disclosed herein for verifying host generated physical addresses at a memory device during a host-resident FTL mode of operation to ameliorate erroneous or potentially malicious access to the memory device.

Abstract: Disclosed is a method and a system to execute the method to perform a first hashing operation to compute a first hash value, store the first hash value in a plurality of output registers, store a second message in a plurality of input registers, perform a first iteration of a second hashing operation, with an input to the second hashing operation including the second message and the first hash value, determine that a first portion of the second message, stored in a first register of the plurality of input registers, has been processed in course of the second hashing operation, and move a first portion of the first hash value stored in a first register of the plurality of output registers to the first register of the plurality of input registers.

Abstract: A device, method, and system for synthesizing variants of semantically equivalent computer source code using computer source code components to protect against cyberattacks. An input constraint, an output constraint, and a schema are received from a user. A component-based synthesizer generates first computer source code including a first computer source code component based on the input constraint, the output constraint, and the schema. The component-based synthesizer generates second computer source code including a second computer source code component based on the input constraint, the output constraint, and the schema. The second computer source code is generated as a semantically equivalent variant of the first computer source code to provide for protection against a cyberattack. The invention may also include a dynamic component library.

Abstract: An example system includes a secure processing engine. The secure processing engine is to store a host key. The system also includes an integrated circuit in a single package. The integrated circuit includes a firmware engine to execute firmware instructions. The integrated circuit also includes a one-time-programmable (OTP) memory unreadable by the firmware engine. The OTP memory is to store the host key. The integrated circuit also includes a security engine. The security engine is to encrypt and decrypt communications between the firmware engine and the secure processing engine based on the host key.

Abstract: A server computer toggles between a protected mode and an unprotected mode. In the protected mode, users are unable to access configuration information due to a Base Address Register (BAR) being cleared. However, a service provider can access a Trusted Platform Module (TPM) through an Application Program Interface (API) request. In an unprotected mode, the BAR is programmed so that users can access the configuration information, but the TPM is blocked. Blocking of the TPM is achieved by changing a configuration file, which changes an overall image of the card. With the modified image not matching an original image, the TPM blocks access to data, such as encryption keys. Separate interfaces can be used for user access (PCIe) and service provider access (Ethernet) to the server computer. The server computer can then be toggled back to the protected mode by switching the configuration file to the original configuration file.

Abstract: A computer-implemented technique for determining whether a first computing device has the correct version of a software program may be used to provide a secure approach to verifying that a client computing device has a secure and approved version of content player software implemented for consuming downloaded copyright media content. With this technique, copyright media content providers are able to ensure that only secure and approved content players are implemented to access the content.

Abstract: Methods, systems, and devices are described for displaying information on a visual display of a data storage device. The device may be an internal data storage device and may display information associated with various operation parameters and a security confidence metric or states of the data storage device. The data storage device may display, on the visual display, an indication of a security confidence metric of the data storage device indicative of whether the data storage device has been compromised. The data storage device may be compromised by having one or more sub-components replaced, altered, or misused. The visual display may be electronic paper, mechanical, or chemical such that the information is displayed without power being applied to the data storage device. The visual display may be removable from the data storage medium.

Abstract: Systems and methods for maintaining encryption keys are disclosed. An encrypted master key is determined by encrypting a master key based on an initial user password and discarding the master key. The encrypted master key is stored. A request for the master key including a present user password is received and verified based on comparison to the initial user password. Based on failure of verifying the present user password, a failed attempt counter that is maintained within a secure container is created. User password based access to the master key is locked out based on the failed attempt counter exceeding a defined value.

Abstract: In one embodiment, a request may be received to load firmware on a microcontroller of a device. A firmware transfer may be initiated to load the firmware on the microcontroller. Data traffic may be monitored at one or more locations on a communication path associated with the firmware transfer. It may be determined whether the data traffic matches a digital fingerprint associated with the firmware.

Abstract: The present invention concerns a method of protecting sensitive data, and a corresponding computing system processing device, comprising: entering, by a processing device, a sensitive date access mode in-which sensitive data is accessible; restricting, by a program running in the sensitive data access mode, one or more accessible address ranges for a non-secure function, and calling, from the sensitive data access mode, the non-secure function; and entering, by the processing device, a further operating mode to execute the non-secure function during which the processing device has access to only the one or more accessible address ranges.

Abstract: The following description is directed to a configurable logic platform. In one example, a configurable logic platform includes host logic and a reconfigurable logic region. The reconfigurable logic region can include logic blocks that are configurable to implement application logic. The host logic can be used for encapsulating the reconfigurable logic region. The host logic can include a host interface for communicating with a processor. The host logic can include a management function accessible via the host interface. The management function can be adapted to cause the reconfigurable logic region to be configured with the application logic in response to an authorized request from the host interface. The host logic can include a data path function accessible via the host interface. The data path function can include a layer for formatting data transfers between the host interface and the application logic.

Abstract: A relatively small amount of programmable logic may be included in a mostly ASIC device such that the programmable logic can be used as a substitute for a fault-infected ASIC block. This substitution may occur permanently or temporarily. When an ASIC block is temporarily substituted, faulty outputs of the ASIC block are disabled just at the time they would otherwise propagate an error. The operations of the temporarily deactivated ASIC block(s) may be substituted for by appropriately programmed programmable logic. Thus, a fault-infected ASIC block that operates improperly 1% of the time can continue to be gainfully used for the 99% of the time when its operations are fault free. This substitution can be activated in various stages of the ASIC block's life including after: initial design; pilot production; and mass production. This provides for cost saving and faster time-to-market, repair, and maintenance even years after installation and use.

Abstract: A method for upgrading firmware in a device, includes: when firmware of a first chip in the device needs to be upgraded, identifying a first partition of a flash memory in a second chip in the device, the first partition being a backup partition for downloading firmware of the second chip; downloading new firmware of the first chip to the first partition of the flash memory in the second chip; and copying the new firmware of the first chip from the first partition of the flash memory in the second chip to an effective region in the first chip.

Abstract: The invention relates to a method for securing access to a computer device, that includes the step of establishing a secured connection and authentication of said computer device and the user of the computer device with a remote server, wherein the steps of establishing the secured connection and authentication are carried out upon the execution of commands included in a data set adapted for implementing the pre-start of the computer device before triggering the execution of the boot loader of the computer device operating system.

Abstract: An apparatus includes a memory to store a secure object comprising at least one of code and data that is encrypted when stored in the memory and a central processing unit (CPU) that is capable of executing an EnterSecureMode (esm) instruction that enables the decryption of the secure object's information when the secure object information is retrieved from the memory into the CPU. The CPU further comprises a feature to protect the secure object from code received from other software.

Abstract: Systems and methods used to securely communicate a shared key to devices.

Abstract: Various systems and methods for implementing additional security in a flashless modem are described herein. A modem system for implementing additional security in a flashless modem, the modem system comprising: local storage; non-volatile random access memory (NVRAM); and an access control module to: read non-volatile memory data (NVM data) from the local storage; calculate a hash of the NVM data; access a previously-stored hash; compare the hash of the NVM data with the previously-stored hash to produce a comparison; and control access to the NVM data based on the comparison.

Abstract: Systems and methods used to securely communicate a shared key to devices.

Abstract: A chip including a processor for performing a predetermined operation, a provider for providing a clock signal, with which the processor is clocked, a counter for decrementing or incrementing a count based on the clock signal, a monitor for signaling the predetermined operation to be prevented, depending on the count, and a non-volatile storage for non-volatily storing the count.

Abstract: A secure data storage system includes a mechanism that can be activated to inhibit access to stored data. In one embodiment, access to stored data can be prevented without having to erase or modify such data. An encryption key, or data used to generate the encryption key, is stored in an MRAM module integrated within the data storage system. The data storage system uses the encryption key to encrypt data received from a host system, and to decrypt the encrypted data when it is subsequently read by a host system. To render the stored data inaccessible, an operator (or an automated process) can expose the MRAM module to a magnetic field of sufficient strength to erase key data therefrom.

Abstract: A method begins by a processing module dispersed storage error encoding data to produce a set of encoded data slices and generating a transaction identifier regarding storage of the set of encoded data slices. The method continues with the processing module outputting a plurality of write request messages to a plurality of dispersed storage (DS) units, wherein each of the plurality of write request messages includes the transaction identifier and a corresponding one of the set of encoded data slices. The method continues with the processing module receiving write response messages from at least some of the DS units, wherein each of the write response messages includes a reference to the transaction identifier. The method continues with the processing module updating directory information regarding storage of the data to produce updated directory information when at least a write threshold number of the write response messages have been received.

Abstract: A method and system for secure access to data files copied onto a second storage device from a first storage device. A computer receives data from a first storage device that is in communication with the computer. A data file is stored to a second storage device. A passkey is generated and associated with the data file. A passkey image file corresponding to the passkey is generated. The passkey image file is transmitted to the first storage device for storage. Subsequent access to the data file on the second storage device requires entry of the passkey. The passkey is only accessible to a user that has access to read the passkey image file on the first storage device.

Abstract: A storage device in which file data is divided into multiple blocks for storage on a recording medium is provided. The storage device includes an additional data storing section for storing additional data to be recorded on the recording medium in association with the data to be written, a position determining section for determining recording positions on the recording medium where the blocks should be respectively written, based on the additional data, and a block writing section for writing the respective blocks on the recording positions on the recording medium determined by the recording position determining section. The additional data this defines a gap length between blocks of recorded data. During a read operation, if the gap length does not comport with the additional data, then an error is assumed.

Abstract: A method and controller for implementing dynamic banding of a storage device, such as a Self Encrypting Device (SED) in a data storage array, and a design structure on which the subject controller circuit resides are provided. The controller dynamically identifies band boundaries for the storage device at the time a data storage array is created, when one or more devices are added into an existing data storage array, and when a replacement device is rebuilt into an exposed array, or an array with a failed device. A storage device band definition is provided based upon the dynamically identified band boundaries for the storage device.

Abstract: A magnetic memory device includes a main memory made of magnetic memory, the main memory and further includes a parameter area used to store parameters used to authenticate data. Further, the magnetic memory device has parameter memory that maintains a protected zone used to store protected zone parameters, and an authentication zone used to store authentication parameters, the protection zone parameters and the authentication parameters being associated with the data that requires authentication. Upon modification of any of the parameters stored in the parameter memory by a user, a corresponding location of the parameter area of the main memory is also modified.

Abstract: A mobile device includes an application processor, an RF modem for connection to cellular networks, wireless device for connection to wireless networks, a display coupled to the application processor, audio devices coupled to the application processor, power management for providing power through a main battery; and charging the battery, a hybrid memory including a magnetic memory, the magnetic memory further including a parameter area configured to store parameters used to authenticate access to certain areas of the main memory, and a parameter memory that maintains a first area, used to store protected zone parameters, and a second area used to store authentication parameters, the protection zone parameters and the authentication parameters being associated with access to the certain areas in the main memory that requires authentication. Upon modification of any of the parameters stored in the parameter memory by a user, a corresponding location of the parameter area of the main memory is also modified.

Abstract: Multiple revisions of an encoded data slice are generated, with each revision having the same slice name. Each of the data slices represents the same original data portion, but each is encoded so that no single data slice can be used to reconstruct the original data portion. Appropriate revision numbers are associated with each encoded data slice, and the encoded data slices and associated revision numbers are transmitted for storage in selected storage units of a distributed storage network. If write confirmations are received from at least a write threshold number of storage units, a commit command is transmitted so that the most recently written data slices will be available for access. After a commit command is issued, a current directory used to access the encoded data slices can be sliced, encoded, and stored in the same way as the data slices.

Abstract: A method for secure data reading and a data handling system is provided. The method protects the data reading from fault attacks by repeating read request in an interleaved manner, in particular the method comprises the steps of (M200) dispatching a first read request; (M400) dispatching a second read request; (M600) dispatching a further first read request; and (M1000-a) producing an anomaly signal if a first result produced by the memory in response to the first read request does not agree with a further first result produced by the memory in response to the further first read request.

Abstract: A method and system are disclosed for allowing access to processing resources of one or more idle memory devices to an active memory device is disclosed, where the idle and active memory devices are associated with a common host. The resources shared may be processing power, for example in the form of using a processor of an idle memory to handle some of the logical-to-physical mapping associated with a host command, or may be other resources such as RAM sharing so that a first memory has expanded RAM capacity. The method may include exchanging tokens with resource sharing abilities, operation codes and associated data relevant to the requested resources.

Abstract: A data storage device includes a memory, a controller, a first module, a first interface, and a second interface. The first interface and the second interface are coupled to the controller. The controller is used to access data in the memory, the first module is used to perform a first predetermined function. The second interface is inaccessible to the first module. The first interface may gain access to at least one additional module in the data storage device to perform at least one additional predetermined function which the second interface may not gain access to and may not perform.

Abstract: Disclosed are systems, methods and computer program products for secure rebooting and debugging a peripheral subsystem of a system on a chip (SoC) device. According to one aspect of the method, when an application processor of the SoC device detects crash of the peripheral subsystem, the application processor loads a secure boot agent into SoC memory. The secure boot agent is configured to access a secure memory region of the peripheral subsystem containing memory dump data associated with the peripheral subsystem. The secure memory region is inaccessible to the application processor. The Secure boot agent encrypts the memory dump data in the secure memory region and opens the secure memory region for access to the application processor. The application processor accesses the secure memory region and collects the encrypted memory dump data. The application processor then forwards the encrypted memory dump data to a third party for debugging purposes.

Abstract: Various embodiments of the present invention provide systems, methods and circuits for use of a memory system. As one example, an electronics system is disclosed that includes a memory bank, a memory access controller circuit, and an encoding circuit. The memory bank includes a plurality of multi-bit memory cells that each is operable to hold at least two bits. The memory access controller circuit is operable to determine a use frequency of a data set maintained in the memory bank. The encoding circuit is operable to encode the data set to yield an encoded output for writing to the memory bank. The encoding level for the data set is selected based at least in part on the use frequency of the data set.

Abstract: An object storage system providing a secure object destruction and deletion service is provided. The destruction and deletion of files can be handled through secure overwriting of files on a storage medium or through cryptographic scrambling of file contents followed by subsequent deletion from a file table. The triggering of secure deletion can be periodically scheduled or dependent upon some particular event, making files self-destructing. Methods and systems for periodic re-authorization of files are also provided, allowing self-destructing files to be persisted in an available state.

Abstract: A method of programming memory cells for a rewritable non-volatile memory module is provided. The method includes: receiving a command which indicates performing an update operation to a logical page; and identifying valid logical access addresses and invalid logical access addresses in the logical page according to the command. The method also includes: selecting a physical page; setting flags corresponding to the valid logical access addresses in a valid state, setting flags corresponding to the invalid logical access in an invalid state; programming the flags and data belonging to the valid logical access addresses to the selected physical page based on the update operation; and mapping the selected physical page to the logical page. Accordingly, the method can effectively increase the speed of programming the memory cells.

Abstract: A storage device in which file data is divided into multiple blocks for storage on a recording medium. The storage device includes an additional data storing section for storing additional data to be recorded on the recording medium in association with the data to be written, a position determining section for determining recording positions on the recording medium where the blocks should be respectively written, based on the additional data, and a block writing section for writing the respective blocks on the recording positions on the recording medium determined by the recording position determining section. The additional data thus defines a gap length between blocks of recorded data. During a read operation, if the gap length does not comport with the additional data, then an error is assumed.

Abstract: A method and apparatus for a virtual storage device is provided. In one example, data to be stored at a removable storage device is received. A virtual storage agent is executed on the removable storage device. An interlace is established with at least one remote storage location. The data is stored at the at least one remote storage location. In another example, a request to access data associated with a removable storage device is received. A virtual storage agent on the removable storage device is executed. An interface is established with at least one remote storage location. The data is fetched from the at least one remote storage location.

Abstract: A method, computer management apparatus, and computer program product are provided for processing data stored on a sequential storage media within a computational computing environment. A block reference table and most often read blocks are loaded from a modified tape format of a sequential storage media into an internal memory of a sequential storage media device. During write command processing, a data deduplication procedure is performed using a modified block reference table. It is determined if entries from the block reference table must be deleted and responsive to this identifying and deleting host block and device block entries from the block reference table.

Abstract: When content, such as premium video or audio, is decoded, the content is stored in protected memory segments. Read access to the protected memory segments from a component not in a frame buffer protected (FBP) mode is blocked by a memory controller. The memory controller also blocks components in the FBP mode from writing to unprotected memory segments. The content may be processed by a processing engine operating in the FBP mode and may only be written back to protected memory segments. The memory segment may later be marked as unprotected if the memory segment is no longer needed. If the content is encrypted in protected memory, the encrypting key associated with the memory segment may be removed. If the content is stored in the clear, the protected memory segments are scrubbed before releasing the segments for use as unprotected memory segments.

Abstract: An electronic apparatus is provided, which includes a central processing unit (CPU), a first memory unit which performs communication with the CPU, and a second memory unit which stores therein conditional access system (CAS) software and platform software. According to the method of controlling the apparatus, upon booting, the CPU copies the CAS software to an internal memory area which may be within the CPU, copies the platform software to the first memory unit and executes the CAS and platform software, and executes CAS operations through communication between the CAS software and the platform software.

Abstract: A method begins with a processing module obtaining encoded key slices from a plurality of user devices and decoding a threshold number of the encoded key slices utilizing a first error coding dispersal storage function to produce a key when the threshold number of the encoded key slices has been obtained. The method continues with the processing module receiving encoded data slices and decoding a threshold number of encoded data slices utilizing a second error coding dispersal storage function to produce encrypted data when the threshold number of the encoded data slices has been received. The method continues with the processing module decrypting the encrypted data utilizing the key and an encryption function to produce data.

Abstract: Various embodiments of the present invention provide systems and methods for selecting data encoding. As an example, some embodiments of the present invention provide methods that include receiving a data set to be written to a plurality of multi-bit memory cells that are each operable to hold at least two bits. In addition, the methods include determining a characteristic of the data set, and encoding the data set. The level of encoding is selected based at least in part on the characteristic of the data set. In some instances of the aforementioned embodiments, the characteristic of the data set indicates an expected frequency of access of the data set from the plurality of multi-bit memory cells.

Abstract: A communication equipment, method and storage device cooperate to assist in connecting a storage device between different devices. The equipment includes an interface configured to be electrically connected to information terminal equipment. It also includes a communication mechanism that performs communication with storage equipment that has a region assigned to the communication equipment. It further includes a controller that transmits device class information indicating that the communication equipment is of a mass storage class to information terminal equipment in response to the communication equipment being connected to the information terminal equipment via the interface.

Abstract: A storage system in which a storage control apparatus writes data in each of divided areas defined by division of one or more storage areas in one or more storage devices, after encryption of the data with an encryption key unique to each divided area. When the storage control apparatus receives, from a management apparatus, designation of one or more of the divided areas allocated as one or more physical storage areas for a virtual storage area to be invalidated and an instruction to invalidate data stored in the one or more of the divided areas, the storage control apparatus invalidates one or more encryption keys associated with the designated one or more of the divided areas. In addition, the storage control apparatus may further overwrite at least part of the designated one or more of the divided areas with initialization data for data erasion.

Abstract: To comply with a policy for a computing device indicating that data written by the computing device to the storage volume after activation of the policy be encrypted, a sector map is accessed. The sector map identifies one or more sectors of a storage volume and also identifies, for each of the one or more sectors of the storage volume, a signature of the content of the sector. In response to a request to read the content of a sector, the content of the sector is returned without decrypting the content if the sector is one of the one or more sectors and the signature of the content of the sector matches the signature of the sector identified in the sector map. Otherwise, the content of the sector is decrypted and the decrypted content is returned.