Abstract: A method for executing safety-relevant and non-safety-relevant software components on a hardware platform comprising a computer, memory and a monitoring component that operates independently of the computer. The safety-relevant software component erects a memory protection against access of a non-safety-relevant function to at least one area of the memory of the safety-relevant function before execution of the non-safety-relevant software component, so that the non-safety-relevant software component does not have access to the areas of the memory being used for safety-relevant components. After the return from the non-safety-relevant component, the memory protection is deactivated and the monitoring function monitors the safety-relevant function for its proper operation.

Abstract: A memory management and protection system that manages memory access requests from a number of requestors. Memory accesses are allowed or disallowed based on the privilege level of the requestor, based on a Privilege Identifier that accompanies each memory access request. An extended memory controller selects the appropriate set of segment registers based on the Privilege Identifier to insure that the request is compared to and translated by the segment register associated with the master originating the request. A set of mapping registers allow flexible mapping of each Privilege Identifier to the appropriate access permission.

Abstract: A memory management and protection system that incorporates device security features that support a distributed, shared memory system. The concept of secure regions of memory and secure code execution is supported, and a mechanism is provided to extend a chain of trust from a known, fixed secure boot ROM to the actual secure code execution. Furthermore, the system keeps a secure address threshold that is only programmable by a secure supervisor, and will only allow secure access requests that are above this threshold.

Abstract: A memory management and protection system that manages memory access requests from a number of requestors. Memory accesses are allowed or disallowed based on the privilege level of the requestor, based on a Privilege Identifier that accompanies each memory access request. An extended memory controller selects the appropriate set of segment registers based on the Privilege Identifier to insure that the request is compared to and translated by the segment register associated with the requestor originating the request. A set of mapping registers allow flexible mapping of each Privilege Identifier to the appropriate access permission. The segment registers translate the logical address from the requestor to a physical address within a larger address space.

Abstract: A method of protecting software for embedded applications against unauthorized access. Software to be protected is loaded into a protected memory area. Access to the protected memory area is controlled by sentinel logic circuitry. The sentinel logic circuitry allows access to the protected memory area from only either within the protected memory area or from outside of the protected memory area but through a dedicated memory location within the protected memory area. The dedicated memory location then points to protected address locations within the protected memory area.

Abstract: A method providing a persistent common view of data, services, and infrastructure functions accessible via a plurality of shared storage systems of a virtual shared storage system. The method includes applying different governance policies at two or more shared storage systems of the virtual shared storage system. The method includes transferring content from a particular shared storage system to a requesting device without using at least one of a server session, an application-to-server session, and an application session. The content corresponds to at least one of data, a service, and an infrastructure function provided via the particular shared storage system.

Abstract: A secure memory access system and method for providing secure access to Hyper Management Mode memory ranges is presented.

Abstract: An anti-malware approach uses a storage drive with the capability to lock selected memory areas. Platform assets such as OS objects are stored in the locked areas and thus, unauthorized changes to them may not be made by an anti-malware entity.

Abstract: Embodiments are provided for protecting boot block space in a NAND memory device connected to a host device via an SPI interface. One such method includes programming a boot block password into the NAND memory device such that the host device is required to provide the boot block password in order to access the boot block space. A counter may be provided to track the number of times the host device provides an incorrect password, permanently locking the boot block space if the counter reaches a predetermined value. A further method includes associating each of various areas of the boot block space with at least one write lock bit, setting the write lock bit to a lock enable or lock disable value, and locking or unlocking an area of the boot block space depending on the value of its associated write lock bit.

Abstract: Systems, methods, and computer storage mediums for managing read-only memory are provided. A system includes a memory device including a real memory and a tracking mechanism configured to track relationships between multiple virtual memory addresses and real memory. The system further includes a processor configured to perform the below method and/or execute the below computer program product. One method includes mapping a first virtual memory address to a real memory in a memory device and mapping a second virtual memory address to the real memory. Here, the first virtual memory address is authorized to modify data in the real memory and the second virtual memory address is not authorized to modify the data in the real memory. One computer storage medium includes a computer program product for performing the above method.

Abstract: A storage device and method for storage device state recovery are provided. In one embodiment, a storage device commences an authentication process to authenticate a host device. The authentication process comprises a plurality of phases, and the storage device stores the state of the authentication process, wherein the state indicates the phase(s) of the authentication process that have been successfully completed. After a power loss, the storage device retrieves the state of the authentication process and resumes an operation with the host device without re-performing the phase(s) of the authentication process that have been completed.

Abstract: Methods, apparatuses, and computer program products are provided for locking access to data storage shared by a plurality of compute nodes. Embodiments include maintaining, by a compute node, a queue of requests from requesting compute nodes of the plurality of compute nodes for access to the data storage, wherein possession of the queue represents possession of a mutual-exclusion lock on the data storage, the mutual-exclusion lock indicating exclusive permission for access to the data storage; and conveying, based on the order of requests in the queue, possession of the queue from the compute node to a next requesting compute node when the compute node no longer requires exclusive access to the data storage.

Abstract: Embodiments of the invention relate generally to incremental computing. Specifically, embodiments of the invention include systems and methods that provide for the concurrent processing of multiple, incremental changes to a data value while at the same time monitoring and/or enforcing threshold values for that data value. For example, a method is provided that implements domain quotas within a data storage system.

Abstract: Techniques for a data storage device to locally implement security management functionality. In an embodiment, a security management process of the data storage device is to determine whether an access to non-volatile media of the data storage device is authorized. In certain embodiments, the data storage device is to restrict access to a secure region of the non-volatile storage media, the secure region to store information used and/or generated by a security management process of the data storage device.

Abstract: The invention describes a method for accessing a portable storage data carrier (10) having a controller (12) for managing a standardized storage element (14) and having an additional module (16), wherein a data block is transferred to the storage data carrier (10) in a first transmission protocol. The data block comprises routing information and application data, whereby the routing information contains an identifier which can be detected by the controller (12). Furthermore, it is determined whether a data block received on the storage data carrier (10) contains routing information. The data block is relayed to a storage area (18) of the storage element (14), said storage area being hidden to a terminal (50), when the data block comprises routing information and the routing information comprises, besides the identifier contained therein, at least one further, predetermined parameter indicating the access to the hidden storage area (18).

Abstract: The various embodiments of the invention relate generally to semiconductors and memory technology. More specifically, the various embodiment and examples of the invention relate to memory devices, systems, and methods that protect data stored in one or more memory devices from unauthorized access. The memory device may include third dimension memory that is positioned on top of a logic layer that includes active circuitry in communication with the third dimension memory. The third dimension memory may include multiple layers of memory that are vertically stacked upon each other. Each layer of memory may include a plurality of two-terminal memory elements and the two-terminal memory elements can be arranged in a two-terminal cross-point array configuration. At least a portion of one or more of the multiple layers of memory may include an obfuscation layer configured to conceal data stored in one or more of the multiple layers of memory.

Abstract: A system and method for offset protection data in a RAID array. A computer system comprises client computers and data storage arrays coupled to one another via a network. A data storage array utilizes solid-state drives and Flash memory cells for data storage. A storage controller within a data storage array is configured to store user data in a first page of a first storage device of the plurality of storage devices; generate intra-device protection data corresponding to the user data, and store the intra-device protection data at a first offset within the first page. The controller is further configured to generate inter-device protection data corresponding to the first page, and store the inter-device protection data at a second offset within a second page in a second storage device of the plurality of storage devices, wherein the first offset is different from the second offset.

Abstract: Apparatus, systems, and methods may operate to assert a first semi-exclusive write lock with respect to a storage medium area by storing lock information when assertion of another semi-exclusive write lock with respect to the area is not detected. Additional activities may include writing data to the area by a writing entity that has asserted the first semi-exclusive write lock after determining the lock information has not changed, while substantially simultaneously de-asserting the first semi-exclusive write lock. Reading from the area may be determined as successful by determining that the semi-exclusive write lock was not asserted prior to or during the reading by checking the status of the lock information. Additional apparatus, systems, and methods are disclosed.

Abstract: A method, apparatus, and system in which an integrated circuit comprises an initiator Intellectual Property (IP) core, a target IP core, an interconnect, and a tag and thread logic. The target IP core may include a memory coupled to the initiator IP core. Additionally, the interconnect can allow the integrated circuit to communicate transactions between one or more initiator Intellectual Property (IP) cores and one or more target IP cores coupled to the interconnect. A tag and thread logic can be configured to concurrently perform per-thread and per-tag memory access scheduling within a thread and across multiple threads such that the tag and thread logic manages tags and threads to allow for per-tag and per-thread scheduling of memory accesses requests from the initiator IP core out of order from an initial issue order of the memory accesses requests from the initiator IP core.

Abstract: A file to be read or written is designated and accessed from an access device side to a nonvolatile memory device. In an initialization after start-up of the power source, an empty capacity detector detects empty capacity parameters of a nonvolatile memory with dividing the memory into a plurality of regions. An empty capacity parameter notification part notifies the access device of the empty capacity parameters in a stepwise fashion whenever the empty capacity detector detects an empty capacity. With this, at the time when the empty capacity becomes not less than a capacity required to write file data, the data can be written to the nonvolatile memory without waiting for completion of the initialization, resulting in improvement of a response in the recording.

Abstract: The presently disclosed subject relates at least to a method and system for controlling access to a logical unit (LU) in a logical storage space, available to a given initiator, representing a corresponding physical storage space, said logical storage space being accessible via a storage control layer, said storage control layer being associated with a security manager. A first value is generated by the security manager, based on a secret key, and transmitted to host requesting permission to access the logical storage space, while the secret key is made available to a target associated with the logical storage space. The host sends to the control device an access related request, the request comprising a second value which was generated based on the first value. Responsive to the command the target calculates the first value, based on the secret key and the second value based on the first value.

Abstract: A management system, coupled to a computer system including one or more types of storage apparatus, stores management information. The management information includes: (a) information containing, for each request by an administrator, information indicating a storage function (a function of a storage apparatus) required in order to achieve a function satisfying the administrator request; and (b) information containing, for each storage apparatus, information indicating storage functions. The management system: (A) receives a request of an administrator; (B) identifies an implementation pattern including a storage apparatus having a storage function required to achieve a function satisfying the received administrator request, on the basis of the information (a) and (b), and (C) performs setup in order to achieve a function satisfying the received administrator request, in respect of any of the identified one or more implementation patterns.

Abstract: In a method for managing a memory segment through use of a memory virtual appliance, data is encapsulated with the memory virtual appliance, in which the memory virtual appliance comprises a virtual machine configured to manage a memory segment in a physical memory. In addition, the memory virtual appliance is implemented using a virtualization wrapper comprising computer readable code enabling the encapsulated data to be shared among a plurality of clients. Moreover, the encapsulated data is stored in the memory segment controlled by the memory virtual appliance.

Abstract: A data processing system has a processor and a memory coupled to the processor and an asynchronous memory mover coupled to the processor. The asynchronous memory mover has registers for receiving a set of parameters from the processor, which parameters are associated with an asynchronous memory move (AMM) operation initiated by the processor in virtual address space, utilizing a source effective address and a destination effective address. The asynchronous memory mover performs the AMM operation to move the data from a first physical memory location having a source real address corresponding to the source effective address to a second physical memory location having a destination real address corresponding to the destination effective address. The asynchronous memory mover has an associated off-chip translation mechanism. The AMM operation thus occurs independent of the processor, and the processor continues processing other operations independent of the AMM operation.

Abstract: An apparatus, system, and method are disclosed for coordinating storage requests in a multi-processor/multi-thread environment. An append/invalidate module generates a first append data storage command from a first storage request and a second append data storage command from a second storage request. The storage requests overwrite existing data with first and second data including where the first and second data have at least a portion of overlapping data. The second storage request is received after the first storage request. The append/invalidate module updates an index by marking data being overwritten as invalid. A restructure module updates the index based on the first data and updates the index based on the second data. The updated index is organized to indicate that the second data is more current than the first data regardless of processing order. The modules prevent access to the index until the modules have completed updating the index.

Abstract: In a device for managing data buffers in a memory space distributed over a plurality of memory elements, the memory space is allocatable by memory pages, each buffer including one or more memory pages. The buffers are usable by at least one processing unit for the execution of an application, the application being executed by a plurality of processing units executing tasks in parallel. The memory elements are accessible in parallel by the processing units. The device includes means for allocating buffers to the tasks during the execution of the application and means for managing access rights to the buffers. The means for managing the access rights to the buffers include means for managing access rights to the pages in a given buffer, to verify that writing to a given page does not modify data currently being read from the page or that reading from a given page does not access data currently being written to the page, in such a way as to share the buffer between unsynchronized tasks.

Abstract: An information processing apparatus includes: a CPU (1201) that has, as an operating mode, a privileged mode and an unprivileged mode; a trusted memory (1270) that stores protected data, the protected data being accessed when the CPU (1201) is in the unprivileged mode; and a trusted memory control unit (1203) that controls access to the trusted memory (1270). When the CPU (1201) accesses the trusted memory (1270), the trusted memory control unit (1203) determines the operating mode of the CPU (1201) and, in the case where the operating mode of the CPU (1201) is the unprivileged mode, denies the access to the trusted memory (1270) by the CPU (1201).

Abstract: There is provided a semiconductor device which is simple in configuration and resistant to tampering. A user input unit receives an authentication code input by a user. A CPU determines whether a user's access is legal based on the input authentication code and activates an enable signal if the user's access is legal. A normal row decoder decodes the row address specified by the CPU and selects a normal memory cell of any row based on the result of decode. A redundancy row decoder prohibits the selection by the normal row decoder when the specified row address agrees with the row address of a predetermined normal memory cell only if the enable signal is activated and selects a redundant memory cell of any row.

Abstract: The various embodiments of the invention relate generally to semiconductors and memory technology. More specifically, the various embodiment and examples of the invention relate to memory devices, systems, and methods that protect data stored in one or more memory devices from unauthorized access. The memory device may include third dimension memory that is positioned on top of a logic layer that includes active circuitry in communication with the third dimension memory. The third dimension memory may include multiple layers of memory that are vertically stacked upon each other. Each layer of memory may include a plurality of two-terminal memory elements and the two-terminal memory elements can be arranged in a two-terminal cross-point array configuration. At least a portion of one or more of the multiple layers of memory may include an obfuscation layer configured to conceal data stored in one or more of the multiple layers of memory.

Abstract: A memory card compatible token includes one or more secure elements accessed using secure element commands hidden in a memory card access command. A mobile computing device such as a mobile phone accesses the non-memory components by including a hidden command value as part of the memory card access command. Any set or subset of all possible secure element commands may be routed to one or more secure elements based on the hidden command value.

Abstract: The present invention concerns a device and a method at the device for selecting and configuring a default storage section. The device comprises connecting means for connecting at least one storage device comprising storing means to the device, characterized in that it comprises a selector for selecting a storage device, the selected storage device becoming the default storage section, configuring means for, on selection of a default storage section, partitioning the storing means of the default storage section into more than one directory, and securing means for defining access rights to the more than one directory.

Abstract: Versatility of a memory card is improved by providing a memory card where data protection mode and normal mode can be selected at discretion. A portable auxiliary storage device includes a mode setting section, a mode detecting section and a memory access control section. The mode setting section allows a user to set a normal mode permitting reading data stored in a memory section or writing the data to the memory section without restriction and a data protection mode for restricting the reading or writing. The mode detecting section detects a mode set in the mode setting section. The memory access control section controls the read or write according to a state of the mode setting section detected by the mode detecting section.

Abstract: A storage device includes a switching unit which switches an access destination in a storage area between a first storage area and a second storage area in response to an access request from a host device; and a nonvolatile storage medium which stores a first host device information used to identify the host device in the second storage area, and a software module executed by a CPU provided in the host device, the software module comprising causing the an authority grant unit which transmits a control signal for switching the access destination to the first storage area to the switching unit of the storage device, when the acquired first and second host device information are compared to find that the first and second host device information match with each other.

Abstract: A method to qualify access to a block storage device via augmentation of the device's controller and firmware flow. The method employs one or more block exclusion vectors (BEVs) that include attributes specifying allowed access operations for corresponding block address ranges. Logic in accordance with the BEVs is programmed into the controller for the block storage device, such as a disk drive controller for a disk drive. In response to an access request, a block address range corresponding to the storage block(s) requested to be accessed is determined. Based on the BEV entries, a determination is made to whether the determined logical block address range is covered by a corresponding BEV entry. If so, the attributes of the BEV are used to determine whether the access operation is allowed. The method may be used to secure access to firmware stored on a disk drive, thus enabling a system configuration that does not require a conventional firmware storage device.

Abstract: One embodiment includes a personal computer device comprising at least one machine configured to execute a primary user operating system and at least one appliance operating system independent from the primary user operating system. The personal computer device also including a system memory including a first portion of the system memory configured to be used by the primary user operating system; and a second portion of the system memory configured to be sequestered from the primary user operating system.

Abstract: A system, method, and computer program product for handling shared cache lines to allow forward progress among processors in a multi-processor environment is provided. A counter and a threshold are provided a processor of the multi-processor environment, such that the counter is incremented for every exclusive cross interrogate (XI) reject that is followed by an instruction completion, and reset on an exclusive XI acknowledgement. If the XI reject counter reaches a preset threshold value, the processor's pipeline is drained by blocking instruction issue and prefetching attempts, creating a window for an exclusive XI from another processor to be honored, after which normal instruction processing is resumed. Configuring the preset threshold value as a programmable value allows for fine-tuning of system performance.

Abstract: A system and method for providing policy-based data management and control on a NAS device deployed on a network and having event enabling framework software. When a user makes a request to store, read, or manipulate data on the NAS device, the NAS device provides an indication of this request to a management tool running on a remote system through the event enabling framework software. The management tool reviews the request in light of its previously established policy-based data storage management configuration and subsequently informs the NAS device, via the event enabling framework software, to either accept or not accept the user's request to store, read or modify data on the NAS device.

Abstract: An apparatus for processing data 2 includes a processor 8, a memory 6 and memory control circuitry 12. The processor 8 operates in a plurality of hardware modes including a privileged mode and a user mode. When operating in the privileged mode, the processor 8 is blocked by the memory control circuitry 12 from fetching instructions from memory address regions 34, 38, 42 within the memory 6 which are writeable within the user mode if a security flag within register 46 is set to indicate that this blocking mechanism is active.

Abstract: In the computer system including at least one host computer, and at least one storage system, the storage system includes a physical disk and a disk controller, and provides the host computer with a storage area of the physical disk as at least one logical unit, and the host computer includes at least one application program accessing the logical unit, and a storage area access control unit for, before the application program makes access to the logical unit, transmitting authentication information guaranteeing the application program as a source of the access to the storage system.

Abstract: A method, system, and computer program product for staged user identifier deletion are provided. The method includes checking a status of a user identifier in response to a triggering event. In response to determining that the status of the user identifier indicates a marked for deletion status, a notification action is performed. The method also includes monitoring a time value to determine whether a time for deletion associated with the user identifier with the marked for deletion status has been reached, and automatically deleting the user identifier with the marked for deletion status in response to determining that the time for deletion has been reached.

Abstract: A system and method for controlling access to a shared storage device in a computing cluster having at least two nodes configured as cluster members provide fencing and quorum features without using the device controller hardware/firmware so fencing can be provided with storage devices that do not support disk reservation operations, such as with non-SCSI compliant disks. A polling thread on each node periodically reads a designated storage space on the shared storage device at a polling interval to determine if its corresponding node registration key is present, and halts the node if the key has been removed. A cluster membership agent removes a corresponding node registration key from the designated storage space of the shared storage device and publishes new membership information indicating that the corresponding node has departed the cluster only after delaying for a time period greater than the polling interval.

Abstract: A system for protecting supervisor mode data from user code having a processor which implements a register window architecture supporting as separate window stacks for supervisor and user modes with a transition window in one of the window stacks set with at least one invalid window bit in an invalid window mask of the architecture additional to an invalid window bit set for a reserved window of the invalid window mask for transitioning from the supervisor mode to the user mode, supervisor mode-only memory storing the supervisor mode window stack, and user mode accessible memory storing the supervisor and user mode window stacks.

Abstract: A data storage system comprising a server computer and a data storage medium. The server computer includes an interface, such as an iSCSI interface, for communicating with a host computer. In response to receiving data from the host computer, the server computer determines whether or not the host computer has access to a virtual data storage device. If the host computer does not have access to a virtual data storage device, the server computer provides a virtual data storage device for access by the host computer, the virtual data storage device employing at least a portion of the data storage medium such that data stored to the virtual data storage device are stored to the portion of the data storage medium.

Abstract: The various embodiments of the invention relate generally to semiconductors and memory technology. More specifically, the various embodiment and examples of the invention relate to memory devices, systems, and methods that protect data stored in one or more memory devices from unauthorized access. The memory device may include third dimension memory that is positioned on top of a logic layer that includes active circuitry in communication with the third dimension memory. The third dimension memory may include multiple layers of memory that are vertically stacked upon each other. Each layer of memory may include a plurality of two-terminal memory elements and the two-terminal memory elements can be arranged in a two-terminal cross-point array configuration. At least a portion of one or more of the multiple layers of memory may include an obfuscation layer configured to conceal data stored in one or more of the multiple layers of memory.

Abstract: A method for storing data includes providing a memory package including an integrated circuit containing a non-volatile memory and counter circuitry. The data is written to the non-volatile memory. The counter circuitry is operated to maintain a count of write operations performed on the non-volatile memory. The data and the count from the memory package are received at a controller, separate from the memory package, and the data is authenticated in response to the count.

Abstract: In one embodiment, a cache memory includes entries each to store a ring level identifier, which may indicate a privilege level of information stored in the entry. This identifier may be used in performing read accesses to the cache memory. As an example, a logic coupled to the cache memory may filter an access to one or more ways of a selected set of the cache memory based at least in part on a current privilege level of a processor and the ring level identifier of the one or more ways. Other embodiments are described and claimed.

Abstract: A memory protection method of dividing the address space of a memory into two or more protection regions, and protecting the memory from an unauthorized access to a protection region by a program includes a definition step of defining the relation between protection regions, a determination step of, when the relation between the protection regions is an inclusion relation, determining that an included protection region cannot directly access an including protection region and the including protection region can directly access the included protection region, and a step of, when an access to the protection region determined to be able to be directly accessed is requested, permitting a direct access to the protection region determined to be able to be directly accessed, and prohibiting a direct access to the protection region determined to be unable to be directly accessed.

Abstract: An unmount state storing unit configured to store a state of unmount processing to end access processing to a memory card attached to a device from a host computer is provided. During a period from immediately after a host computer executes the unmount processing until detaching of the memory card is detected, a value of the host computer unmount state storing unit is stored as “true”. During the period in which this value is “true”, a host computer mount request from another host computer is denied. Consequently, after the access processing to the memory card attached to a device by the host computer has ended, contents of the memory card cannot be read from the other host computer while the memory card is still attached.

Abstract: Embodiments of the invention relate generally to incremental computing. Specifically, embodiments of the invention include systems and methods that provide for the concurrent processing of multiple, incremental changes to a data value while at the same time monitoring and/or enforcing threshold values for that data value. For example, a method is provided that implements domain quotas within a data storage system.

Abstract: A file attribute, which is called herein “enforcement bit”, is used for each file that is stored in a storage device. If the protection particulars associated with a stored file are allowed to be changed, the enforcement bit is set to a first value, and if the protection particulars or properties are not to be changed, the enforcement bit is set to a second value. When the storage device is connected to a host device, the storage device provides to the host device protection particulars and an enforcement bit, which collectively form a “file protection policy”, for each stored file in response to a file system read command that the host device issues, in order to notify the host device of files in the storage device whose protection particulars are allowed to be changed freely, and of files whose protection particulars are not allowed to be changed by unauthorized users or devices.