By Checking Subject Access Rights (epo) Patents (Class 711/E12.093)
  • Publication number: 20110082991
    Abstract: A method and system for performing a backup operation at a local-area network (LAN) including at least one LAN device and a LAN gateway (GW) includes adding backup data to a local backup archive coupled to the LAN. A request to send backup data may be sent to a data center accessible via a wide-area network (WAN). The data center may indicate authorization to send the backup data. The local backup archive may then be sent to the data center, which may generate a secure backup archive at one or more remote locations. The local backup archive may be sent at an advantageous time with respect to LAN/WAN network availability. After the secure backup archive has been successfully created, the GW may be notified and may then delete the local backup archive.
    Type: Application
    Filed: June 7, 2010
    Publication date: April 7, 2011
    Applicant: SOFTTHINKS SAS
    Inventors: Christian Leman, David Bouteruche, Grant Barry
  • Patent number: 7913049
    Abstract: The various embodiments of the invention relate generally to semiconductors and memory technology. More specifically, the various embodiments and examples of the invention relate to memory devices, systems, and methods that protect data stored in one or more memory devices from unauthorized access. The memory device may include third dimension memory that is positioned on top of a logic layer that includes active circuitry in communication with the third dimension memory. The third dimension memory may include multiple layers of memory that are vertically stacked upon each other. Each layer of memory may include a plurality of two-terminal memory elements and the two-terminal memory elements can be arranged in a two-terminal cross-point array configuration. At least a portion of one or more of the multiple layers of memory may include an obfuscation layer configured to conceal data stored in one or more of the multiple layers of memory.
    Type: Grant
    Filed: October 18, 2010
    Date of Patent: March 22, 2011
    Inventor: Robert Norman
  • Publication number: 20110066525
    Abstract: Data storage and access systems enable downloading and paying for data such as audio and video data, text, software, games and other types of data. A portable data carrier has an interface for sending and receiving data, data memory for storing received content data, and payment validation memory for providing payment validation data to an external device. The carrier may also store a record of access made to the stored content, and content use rules for controlling access to the stored content. Embodiments store further access control data and supplementary data such as hot links to web sites and/or advertising data. A complementary data access terminal, data supply computer system, and data access device are also described. The combination of payment data and stored content data and use rule data helps reduce the risk of unauthorized access to data such as compressed music and video data, especially over the Internet.
    Type: Application
    Filed: November 10, 2010
    Publication date: March 17, 2011
    Applicant: Smartflash Technologies Limited
    Inventors: Hermen-ard Hulst, Patrick Sandor RACZ
  • Patent number: 7904668
    Abstract: A lock-based software transactional memory (STM) implementation may determine whether a transaction's write-set is static (e.g., known in advance not to change). If so, and if the read-set is not static, the STM implementation may execute, or attempt to execute, the transaction as a semi-static transaction. A semi-static transaction may involve obtaining, possibly after incrementing, a reference version value against which to subsequently validate that memory locations, such as read-set locations, have not been modified concurrently with the semi-static transaction. The read-set locations may be validated while locks are held for the locations to be written (e.g., the write-set locations). After committing the modifications to the write-set locations and as part of releasing the locks, versioned write-locks associated with the write-set locations may be updated to reflect the previously obtained, or newly incremented, reference version value.
    Type: Grant
    Filed: December 31, 2007
    Date of Patent: March 8, 2011
    Assignee: Oracle America, Inc.
    Inventors: Nir N. Shavit, David Dice
  • Publication number: 20110055493
    Abstract: The apparatus and method described herein are for handling shared memory accesses between multiple processors utilizing lock-free synchronization through transactional execution. A transaction demarcated in software is speculatively executed. During execution, invalidating remote accesses/requests to addresses loaded from and to be written to shared memory are tracked by a transaction buffer. If an invalidating access is encountered, the transaction is re-executed. After a pre-determined number of times re-executing the transaction, the transaction may be re-executed non-speculatively with locks/semaphores.
    Type: Application
    Filed: November 10, 2010
    Publication date: March 3, 2011
    Inventors: Sailesh Kottapalli, John H. Crawford, Kushagra Vaid
  • Publication number: 20110040944
    Abstract: Information equipment having a memory area for which access restrictions are set is provided. The information equipment makes a determination, in response to an operation for turning a security mode into a security level enhanced mode, on data in the memory area, whether or not any one of the following conditions satisfies security requirements after the security level is enhanced: access restrictions set for the data itself; access restrictions set for the memory area; and authentication information for a user who has stored the data, and sends, to the user who has stored the corresponding data in the memory area or a user who has set the access restrictions for the memory area storing the corresponding data therein, a message to prompt one of the users to perform an operation for satisfying the security requirements.
    Type: Application
    Filed: August 17, 2010
    Publication date: February 17, 2011
    Applicant: KONICA MINOLTA BUSINESS TECHNOLOGIES, INC.
    Inventors: Kana YAMAUCHI, Toshihisa Motosugi, Jiro Goto, Shin Ohba
  • Publication number: 20110040945
    Abstract: The various embodiments of the invention relate generally to semiconductors and memory technology. More specifically, the various embodiments and examples of the invention relate to memory devices, systems, and methods that protect data stored in one or more memory devices from unauthorized access. The memory device may include third dimension memory that is positioned on top of a logic layer that includes active circuitry in communication with the third dimension memory. The third dimension memory may include multiple layers of memory that are vertically stacked upon each other. Each layer of memory may include a plurality of two-terminal memory elements and the two-terminal memory elements can be arranged in a two-terminal cross-point array configuration. At least a portion of one or more of the multiple layers of memory may include an obfuscation layer configured to conceal data stored in one or more of the multiple layers of memory.
    Type: Application
    Filed: October 18, 2010
    Publication date: February 17, 2011
    Applicant: UNITY SEMICONDUCTOR CORPORATION
    Inventor: Robert Norman
  • Publication number: 20110022812
    Abstract: Methods and systems for establishing a cloud bridge between two virtual storage resources and for transmitting data from one first virtual storage resource to the other virtual storage resource. The system can include a first virtual storage resource or cloud, and a storage delivery management service that executes on a computer and within the first virtual storage resource. The storage delivery management service can receive user credentials of a user that identify a storage adapter. Upon receiving the user credentials, the storage delivery management service can invoke the storage adapter which executes an interface that identifies a second virtual storage resource and includes an interface translation file.
    Type: Application
    Filed: May 3, 2010
    Publication date: January 27, 2011
    Inventors: Rob van der Linden, David Halls, Simon Waterhouse, Peter Benoit
  • Publication number: 20100332813
    Abstract: A method for accessing a protected area of a solid-state storage device via firmware control is described. During system initialization, firmware components are loaded and executed to initialize a computer system. These firmware components include a firmware driver for accessing solid-state storage devices connected to the computer system. The system firmware enables a protected area on a solid-state storage device's media to be accessed under firmware control. After firmware accesses, the protected area is closed from access by non-firmware entities by “hiding” the true size of the media such that those entities are unaware of this area of the media. Mechanisms are disclosed for providing firmware access to the protected area only during pre-boot, and for both pre-boot and run-time operations. The firmware-controlled media access scheme may be used to load firmware stored on solid-state media during pre-boot and to store system information in the protected area during pre-boot and/or run-time operations.
    Type: Application
    Filed: December 31, 2008
    Publication date: December 30, 2010
    Inventors: Michael A. Rothman, Vincent J. Zimmer
  • Publication number: 20100325354
    Abstract: A platform and method for secure handling of events in an isolated environment. A processor executing in isolated execution “IsoX” mode may leak data when an event occurs as a result of the event being handled in a traditional manner based on the exception vector. By defining a class of events to be handled in IsoX mode, and switching between a normal memory map and an IsoX memory map dynamically in response to receipt of an event of the class, data security may be maintained in the face of such events.
    Type: Application
    Filed: August 26, 2010
    Publication date: December 23, 2010
    Inventors: Francis X. McKeen, Lawrence O. Smith, Benjamin Crawford Chaffin, Michael P. Cornaby, Bryant Bigbee
  • Publication number: 20100312972
    Abstract: A method, an apparatus, and a system for enabling a processor to access shared data are provided to overcome low efficiency of a storage system. The method includes that the processor sends a storage block locking command to the storage system through a hardware thread, where the command instructs the storage system to lock a storage block; the processor judges whether a storage block locking completion message has been received from the storage system in a preset clock period; and schedules the hardware thread to access shared data in the storage block if the storage block locking completion message has been received from the storage system in the preset clock period, or schedules the hardware thread to keep waiting for the storage block locking completion message from the storage system if no storage block locking completion message has been received from the storage system in the preset clock period.
    Type: Application
    Filed: June 8, 2010
    Publication date: December 9, 2010
    Inventor: Qiuming Gao
  • Publication number: 20100312978
    Abstract: A computer system increases the confidentiality of a memory to be protected and prevents invalid access that is made, for example, by replacing the memory. The computer system includes a memory in which state information AA, which indicates whether or not information to be protected is stored in a predetermined memory area, and access permission information BB, which indicates whether or not access to the memory area is permitted, are stored; and an access control unit that rewrites the state information AA when information to be protected is written to, or deleted from, the memory area and at the same time, when the system is started, rewrites the access permission information BB to permit access to the memory area if information to be protected is not written in the memory area but, otherwise, rewrites the access permission information BB to the access inhibition state.
    Type: Application
    Filed: May 27, 2010
    Publication date: December 9, 2010
    Applicant: NEC ELECTRONICS CORPORATION
    Inventor: Tatsuya Ishizaki
  • Publication number: 20100306848
    Abstract: The present invention relates to the field of computer technology, and relates in particular to a method and system to prevent computer programs and data of any kind stored in a computer system from being manipulated and in particular for preventing hacker attacks and virus infection in computer systems, wherein said computer system comprises a storage means able to be read from and to be written to, and a means for switching said storage means into a write-protected mode.
    Type: Application
    Filed: March 4, 2008
    Publication date: December 2, 2010
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Wolfgang Gellerich
  • Patent number: 7836269
    Abstract: Systems and methods that facilitate processing data and securing data written to or read from memory. A processor can include a host memory interface that monitors all bus traffic between a host processor and memory. The host memory interface can analyze commands generated by the host processor and determine the validity of the commands. Valid commands can proceed for further analysis; invalid commands can be aborted, for example, with the host memory interface and memory each set to an idle state. The host memory interface can analyze authentication information obtained via an authentication component, and information regarding memory partition rights, to determine whether a command partition violation exists as to the command. If a violation exists, the host memory interface can prevent the improper command from executing in the memory, and can cause a different operation to occur thereby allowing the memory to be placed in a known state.
    Type: Grant
    Filed: December 29, 2006
    Date of Patent: November 16, 2010
    Assignee: Spansion LLC
    Inventors: Willy Obereiner, Venkat Natarajan, Jeremy Isaac Nathaniel Werner, Joe Yuen Tom, Hyun Soo Lee
  • Patent number: 7818523
    Abstract: The various embodiments of the invention relate generally to semiconductors and memory technology. More specifically, the various embodiments and examples of the invention relate to memory devices, systems, and methods that protect data stored in one or more memory devices from unauthorized access. The memory device may include third dimension memory that is positioned on top of a logic layer that includes active circuitry in communication with the third dimension memory. The third dimension memory may include multiple layers of memory that are vertically stacked upon each other. Each layer of memory may include a plurality of two-terminal memory elements and the two-terminal memory elements can be arranged in a two-terminal cross-point array configuration. At least a portion of one or more of the multiple layers of memory may include an obfuscation layer configured to conceal data stored in one or more of the multiple layers of memory.
    Type: Grant
    Filed: January 10, 2008
    Date of Patent: October 19, 2010
    Inventor: Robert Norman
  • Publication number: 20100257319
    Abstract: A cache system can change a cache capacity in a unit of a plurality of divided memory areas. Cache access to at least one memory area among the divided memory areas is restricted in the debug mode. Access history information concerning access in the debug mode is stored in the memory area to which the cache access is restricted.
    Type: Application
    Filed: March 5, 2010
    Publication date: October 7, 2010
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventor: Hiroyuki USUI
  • Publication number: 20100250602
    Abstract: A computer storage apparatus. In one embodiment, the apparatus includes: (1) primary file storage, (2) a controller coupled to said primary file storage and configured to provide an interface by which data is communicated therewith, (3) formula/offset file storage coupled to said controller and configured to store at least one formula/offset and (4) pointer file storage coupled to said controller and configured to store at least one pointer, said controller further configured to provide said interface based on interaction with said formula/offset file storage and said pointer file storage.
    Type: Application
    Filed: March 25, 2009
    Publication date: September 30, 2010
    Applicant: LSI Corporation
    Inventor: Lloyd W. Sadler
  • Publication number: 20100250867
    Abstract: Shared storage architectures and methods are provided. A particular shared storage architecture is a system including shared storage including data and file system metadata separated from the data. The file system metadata includes location data specifying storage location information related to the data. Services are provided from service providers to service consumers through the shared storage.
    Type: Application
    Filed: March 30, 2010
    Publication date: September 30, 2010
    Applicant: The Boeing Company
    Inventors: David D. Bettger, Dennis L. Kuehn, Kevin A. Stone, Marc A. Peters
  • Publication number: 20100235599
    Abstract: An access control device for controlling access from a host system to a plurality of storage areas in a storage system includes a memory for storing access management information for the plurality of storage areas, and a controller for managing and monitoring access performed by the host system, the controller monitoring frequency of access by the host system to each of the plurality of storage areas and storing information of the frequency of the access to each of the storage areas in the memory, detecting at least one of the storage areas in which the frequency of the access is less than a predetermined range, and restricting the host system from accessing the detected storage area.
    Type: Application
    Filed: March 9, 2010
    Publication date: September 16, 2010
    Applicant: Fujitsu Limited
    Inventors: Takamichi AKAGAWA, Akiko Jokura
  • Publication number: 20100235575
    Abstract: A storage device that stores data accessed by a host device via an interface includes a deactivation executing part performing a plurality of deactivating processes deactivating access to the data at different levels via the interface; a setting information storing part storing setting information which includes deactivation identifying information identifying the deactivating process and a condition under which the deactivating process is performed; a judging part referring to the setting information stored on the setting information storing part, comparing the condition represented by the setting information with an operation state of the storage device, and judging whether the condition represented by the setting information is satisfied or not; and a deactivation control part ordering the deactivation executing part to execute one of the plurality of deactivating processes identified with the deactivation identifying information represented by the setting information when the judging part has judged that
    Type: Application
    Filed: March 11, 2010
    Publication date: September 16, 2010
    Applicant: FUJITSU LIMITED
    Inventors: Kouichi Yasaki, Toshihiro Sonoda
  • Patent number: 7797504
    Abstract: A device for processing information and the working method of the same are provided. The device for processing information comprises: a memory in which logic for driving a firmware is stored; a connector for connecting the memory to an external device; and a control unit for providing an interface with a host, for communicating with the host through the connector, and for reading and recording data on the memory. The control unit comprises: a first storing device in which a routine for calling the firmware logic stored in the memory is stored; and a processor for executing the firmware logic, stored in the memory, using the routine stored in the first storing device.
    Type: Grant
    Filed: January 31, 2007
    Date of Patent: September 14, 2010
    Assignees: LG Electronics Inc., Iocell Corporation
    Inventor: Byung Suk Kang
  • Publication number: 20100217950
    Abstract: A computer system with a physical computer having a physical processor, physical memory, virtual computer and virtual computer controller is disclosed. The virtual computer has its own processor and memory, which are virtual components that are provided by logically dividing the physical processor and memory, respectively. The virtual computer also has a page table storing a physical/virtual memory address correspondence relationship, and a protection object table for address management of a protected address space in the virtual memory. The controller includes a protection exception processing unit, protection exception save region, virtual/physical memory address converter, and instruction analyzer. Upon execution of protection exception processing, the controller compares an instruction address at which the protection exception processing was generated to an instruction address of saved protection exception information.
    Type: Application
    Filed: November 23, 2009
    Publication date: August 26, 2010
    Applicant: HITACHI, LTD.
    Inventors: Youji TANAKA, Eiichiro OIWA, Naoya HATTORI
  • Publication number: 20100205460
    Abstract: Embodiments of a portable data storage device and a method of protecting data stored in the portable data storage device are provided. In one embodiment, the portable data storage device includes a device identification unique to the portable data storage device, a rights object containing information indicative of access rights and a verification identification, a memory to store the device identification and the verification identification, and controller logic. The memory is partitioned into a plurality of areas of memory, including: a first area as a protection area to store an instruction code, a second area as a partition table area to store a partition table, and a third area as a file area to store data files. In response to a request from a client external to the portable data storage device, the controller logic compares the verification identification with the device identification to allow the client to access the data files if the verification identification matches the device identification.
    Type: Application
    Filed: July 20, 2007
    Publication date: August 12, 2010
    Inventor: Hui Lin
  • Publication number: 20100174882
    Abstract: A method of protecting software for embedded applications against unauthorized access. Software to be protected is loaded into a protected memory area. Access to the protected memory area is controlled by sentinel logic circuitry. The sentinel logic circuitry allows access to the protected memory area from only either within the protected memory area or from outside of the protected memory area but through a dedicated memory location within the protected memory area. The dedicated memory location then points to protected address locations within the protected memory area.
    Type: Application
    Filed: September 21, 2009
    Publication date: July 8, 2010
    Applicant: Texas Instruments Incorporated
    Inventor: Johann Zipperer
  • Publication number: 20100169601
    Abstract: A system for protecting supervisor mode data from user code having a processor which implements a register window architecture supporting separate window stacks for supervisor and user modes with a transition window in one of the window stacks set with at least one invalid window bit in an invalid window mask of the architecture additional to an invalid window bit set for a reserved window of the invalid window mask for transitioning from the supervisor mode to the user mode, supervisor mode-only memory storing the supervisor mode window stack, and user mode accessible memory storing the supervisor and user mode window stacks.
    Type: Application
    Filed: March 8, 2010
    Publication date: July 1, 2010
    Inventors: David William Funk, Barry Gauke
  • Publication number: 20100161928
    Abstract: Enhanced configuration of security and access control for data in a storage device is disclosed. A request is received to access an addressable memory location in a storage media within the storage device. A set of addressable memory locations with contiguous addresses identified by an address range is associated with first and second characteristics. The first characteristic is applied if the addressable memory location is within the set of addressable memory locations, and an entity is currently authenticated to and authorized to access the set of addressable memory locations. The second characteristic is applied if the addressable memory location is within the set of addressable memory locations, and no entity is currently authenticated to and authorized to access the set of addressable memory locations. The set of addressable memory locations can also be a logical partition, where the first and second characteristics are stored in a logical partition table.
    Type: Application
    Filed: December 18, 2008
    Publication date: June 24, 2010
    Inventors: Rotem Sela, Michael Holtzman, Ron Barzilai, Donald Ray Bryant-Rich
  • Publication number: 20100153672
    Abstract: A method of controlling data access to non-volatile memory is disclosed. The method includes storing a data file in a non-volatile memory. The non-volatile memory includes a memory array including a plurality of address ranges, one or more of which correspond to a protected portion of the memory array and one or more of which correspond to an unprotected portion of the memory array. The method also includes communicating to a host device an indication that a memory request with respect to the protected portion of the memory array is denied. The indication is communicated for instructing the host device to avoid a timeout when the memory request is denied.
    Type: Application
    Filed: December 16, 2008
    Publication date: June 17, 2010
    Applicant: SANDISK CORPORATION
    Inventors: FABRICE JOGAND-COULOMB, ROBERT CHANG, PO YUAN, MEI YAN, XIAN JUN LIU
  • Publication number: 20100153671
    Abstract: A system and method for securing a computer system from software viruses and other malicious code by intercepting attempts by the malicious code to write data to a storage medium. The invention intercepts the write access requests made by programs and verifies that the program is authorized to write before letting the write proceed. Authorization is determined by using the identity of the program as a query element into a database where permission values are stored. Depending on the presence or value of the permission value, write access is permitted or denied. Permission values can be set by the user, downloaded from a central server, or loaded into the central server by a group of users in order to collectively determine a permission value. The interception code can operate in kernel mode.
    Type: Application
    Filed: December 23, 2009
    Publication date: June 17, 2010
    Applicant: DRIVE SENTRY INC.
    Inventor: John Safa
  • Publication number: 20100146233
    Abstract: A non-volatile memory may operate, not in a master/slave arrangement, but in a peer-to-peer arrangement. In some embodiments, the memory may initiate a transaction with a device outside the memory. Thus, the memory may proactively perform tasks conventionally performed by memory controllers and other external devices.
    Type: Application
    Filed: December 10, 2008
    Publication date: June 10, 2010
    Inventor: Nathan Chrisman
  • Publication number: 20100146234
    Abstract: An external bus interface method including: receiving, via an access control unit, an access request conveyed through an external bus, and judging, via an access judging unit connected to the access control unit, whether the access request is to be honored or rejected, wherein upon receiving the access request, the access control unit sends to the access judging unit an access judging check request signal asking whether the requested address falls within one of access-permitted areas registered in the access judging unit, the access judging unit checks whether the requested address falls within one of the access-permitted areas registered in it and returns to the access control unit, an access judging check result signal indicating whether the access request is to be honored or rejected, and if the access judging check result signal indicates that the access request is to be rejected, the access control unit nullifies the access request.
    Type: Application
    Filed: February 16, 2010
    Publication date: June 10, 2010
    Inventors: Masakazu EHAMA, Kazuhiko Tanaka, Koji Hosogi, Hiroaki Nakata
  • Publication number: 20100131729
    Abstract: A semiconductor device having circuitry comprising an embedded memory, an embedded processor for executing application codes, and a functional hardware element coupled with the embedded memory via a protected bus, and with the embedded processor via an unprotected bus, the hardware element being arranged to protect the protected bus, and including a locking means comprising at least one lock bit for globally locking at least part of the locking means before executing the application code.
    Type: Application
    Filed: December 19, 2005
    Publication date: May 27, 2010
    Applicant: KONINKLIJKE PHILIPS ELECTRONICS N.V.
    Inventors: Patrick Fulcheri, Harald Bauer, Jean-Philippe Perrin
  • Publication number: 20100115195
    Abstract: Methods, systems and computer program products to implement hardware memory locks are described herein. A system to implement hardware memory locks is provided. The system comprises an off-chip memory coupled to a SOC unit that includes a controller and an on-chip memory. Upon receiving a request from a requester to access a first memory location in the off-chip memory, the controller is enabled to grant access to modify the first memory location based on an entry stored in a second memory location of the on-chip memory. In an embodiment, the on-chip memory is Static Random Access Memory (SRAM) and the off-chip memory is Random Access Memory (RAM).
    Type: Application
    Filed: January 12, 2010
    Publication date: May 6, 2010
    Applicant: Broadcom Corporation
    Inventor: Fong PONG
  • Publication number: 20100106929
    Abstract: The method and accompanying apparatus provides secure register access. In one example, as part of a secure boot process, data is written into a managed secure register (MSR) register and access policy data is written into programmable MSR policy registers. During run-time, the MSR register securely stores data in compliance with the programmable register access policy data. Access policy is enforced during run-time based on the programmable register access policy data.
    Type: Application
    Filed: October 27, 2009
    Publication date: April 29, 2010
    Applicant: Advanced Micro Devices, Inc.
    Inventor: Scott A. Krig
  • Publication number: 20100106928
    Abstract: According to one embodiment, a storage device manages a user data area by dividing the area into a plurality of division data areas. The storage device includes a storage module, an access authority setting module, a lock processor, a command receiver, and an unlock processor. The storage module includes the division data areas. The access authority setting module sets access authority with respect to each division data area for each user. The lock processor disables access to the storage module from a host device that reads data from and writes data to the storage module. The command receiver receives from the host device an unlock command including a basic area storing basic unlock information and an expansion area storing additional unlock information. The unlock processor unlocks each division data area, to which access is restricted for each user, based on the basic unlock information and the additional unlock information.
    Type: Application
    Filed: September 8, 2009
    Publication date: April 29, 2010
    Applicant: FUJITSU LIMITED
    Inventors: Seiji Toda, Teruji Yamakawa
  • Publication number: 20100082927
    Abstract: A secure memory interface includes a reader block, a writer block, and a mode selector for detecting fault injection into a memory device when a secure mode is activated. The mode selector activates or deactivates the secure mode using memory access information from a data processing unit. Thus, the data processing unit flexibly specifies the amount and location of the secure data stored into the memory device.
    Type: Application
    Filed: January 12, 2009
    Publication date: April 1, 2010
    Inventor: Sebastien Riou
  • Publication number: 20100082929
    Abstract: A memory protection method for protecting a memory from an unauthorized access by a program, includes: executing area definition processing for dividing an undivided address space on the memory into a plurality of areas; executing combining processing for temporarily combining the divided areas before calling a procedure of the program across the divided areas; executing calling processing for calling the procedure after the areas are combined; and executing restoring processing for restoring the combined areas to a state before the combining processing after execution of the called procedure.
    Type: Application
    Filed: September 1, 2009
    Publication date: April 1, 2010
    Applicant: CANON KABUSHIKI KAISHA
    Inventor: Hidenori Kobayashi
  • Publication number: 20100082926
    Abstract: Embodiments of the present disclosure provide methods, systems, and articles for restricting access to memory of an application by a component of the application, for example, pluggable code modules. Other embodiments may also be described and claimed.
    Type: Application
    Filed: September 30, 2008
    Publication date: April 1, 2010
    Inventors: Ravi Sahita, Uday R. Savagaonkar, Divya Naidu Kolar Sunder
  • Publication number: 20100077138
    Abstract: In a write protection method for at least one random access memory device, the inherent problems of such memory devices with regard to data integrity and security with respect to hacker attacks, such that they can also be used for secure archiving in particular of a large volume of data, are avoided by virtue of the fact that commands directed to the at least one memory device are received by a write protection device connected upstream of the at least one memory device before said commands are forwarded to the at least one memory device, wherein commands received in the write protection device are compared with a positive list of permitted commands previously stored in the write protection device, wherein in one case, where the comparison determines that a permitted command is present, said command is forwarded to the at least one memory device, and in the other case, where the comparison determines that no permitted command is present, said command is not forwarded to the at least one memory device.
    Type: Application
    Filed: November 2, 2007
    Publication date: March 25, 2010
    Applicant: FAST LTA AG
    Inventor: Markus Bauernfeind
  • Publication number: 20100077396
    Abstract: Provided are a portable computing system that allows computing operations anywhere an operating system (OS)-installed host computer exists by using a portable storage device storing a virtual machine, an OS image, a portable software image, etc. and a portable computing based system using the portable computing system. The portable storage device for supporting a portable computing system includes: a portable computing system storage storing portable software for running and operating of a portable computing system, wherein a user may not directly access the portable software for deletion and modification; a portable software storage storing portable software images usable in the portable computing system, wherein a user may not directly access the portable software images for deletion and modification; and a portable data storage capable of adding, deleting, and modifying data.
    Type: Application
    Filed: November 26, 2007
    Publication date: March 25, 2010
    Inventors: Ji Hoon Choi, Ki-Hyuk Nam, Won-Young Kim, Wan Choi
  • Publication number: 20100070727
    Abstract: A transactional memory system is described for reporting memory access violations which occur when memory accesses made from instructions within a transaction conflict with memory accesses to the same memory location made from a non-transactional instruction. In an embodiment this is achieved by creating two mappings of a physical heap being used by a thread. The thread (which may be part of a multi-threaded process) comprises instructions for both transactional and non-transactional accesses to the physical heap which may execute concurrently as part of that thread. One of the mappings is used for non-transactional memory accesses to the physical heap. The other mapping is used for transactional memory accesses to the physical heap. Access permissions associated with the mappings are controlled to enable attempted memory access violations to be detected and reported.
    Type: Application
    Filed: September 17, 2008
    Publication date: March 18, 2010
    Applicant: Microsoft Corporation
    Inventors: Timothy Harris, Martin Abadi
  • Publication number: 20100070728
    Abstract: A disk apparatus is configured to be connected to a host device, and has a security program for preventing unauthorized user access to the disk apparatus. A disk medium stores a boot program for executing a boot process of the disk apparatus, and a security program storage device stores the security program. A processor is provided for retrieving the security program from the storage device and enabling the host device to execute the security program. The boot program is executed by the host device when the host device determines from executing the security system that the disk apparatus may be accessed by the user.
    Type: Application
    Filed: September 12, 2008
    Publication date: March 18, 2010
    Applicant: FUJITSU LIMITED
    Inventors: Michael James, Darren Lasko
  • Publication number: 20100060743
    Abstract: An image processing apparatus includes a storage unit for storing user information correlating user identification information and acknowledger information in advance; an image file acquiring unit for acquiring the image file; and a control unit for controlling a writing process in a detachable storage medium. The control unit includes a registration processing unit for correlating the user identification information and authentication information contained in an acknowledgement notice, and for registering the user identification information and the authentication information as acknowledgement information in the storage unit. The control unit further includes a determining unit for determining whether the user identification information and the authentication information received through an input unit are registered in the acknowledgement information, and for allowing the image file stored in the storage unit to be written in the detachable storage medium when the authentication notice is authenticated.
    Type: Application
    Filed: August 20, 2009
    Publication date: March 11, 2010
    Inventor: Hideki SATO
  • Publication number: 20100058016
    Abstract: A method, apparatus, and software product allow signalling toward a multi-channel memory subsystem within an application processing architecture, and routing of that signalling via a single sandbox which provides memory protection by controlling memory usage and blocking the signalling if it is unauthorized. The signalling via the sandbox leads to a plurality of different memory locations, and the sandbox is an intermediary for substantially all execution memory accesses to the multi-channel memory subsystem.
    Type: Application
    Filed: August 26, 2008
    Publication date: March 4, 2010
    Inventors: Jari Nikara, Kimmo Kuusilinna, Tapio Hill
  • Patent number: 7664924
    Abstract: A system and method for securing a computer system from software viruses and other malicious code by intercepting attempts by the malicious code to write data to a storage medium. The invention intercepts the write access requests made by programs and verifies that the program is authorized to write before letting the write proceed. Authorization is determined by using the identity of the program as a query element into a database where permission values are stored. Depending on the presence or value of the permission value, write access is permitted or denied. Permission values can be set by the user, downloaded from a central server, or loaded into the central server by a group of users in order to collectively determine a permission value. The interception code can operate in kernel mode.
    Type: Grant
    Filed: September 20, 2007
    Date of Patent: February 16, 2010
    Assignee: Drive Sentry, Inc.
    Inventor: John Safa
  • Publication number: 20100030991
    Abstract: This invention discloses a method for updating a basic input/output system (BIOS). The BIOS is stored in a memory of an electronic device. An embedded controller (EC) is electrically connected to the memory and a processor. The processor is electrically connected to the memory and executes the BIOS. The method for updating the BIOS includes the following steps. First, a write instruction is sent to the EC. Afterward, the EC receives the write instruction and sends a system management interrupt (SMI) to the processor. Then, the processor receives the SMI and sends an identification code to the EC. Then, the EC receives the identification code and determines whether the identification code matches a security code. If the identification code matches the security code, the EC allows the memory to be writable to update the BIOS.
    Type: Application
    Filed: July 29, 2009
    Publication date: February 4, 2010
    Applicant: Pegatron Corporation
    Inventors: Hsien Chung Liu, Wen Lin Huang
  • Publication number: 20100030990
    Abstract: An objective is to prevent a downloaded application from accessing data in an external memory unrelated to the application, and to achieve safer management of access to the external memory. An external memory function module 15 is a function module that controls access of an application downloaded in a cell phone 1, to an external memory 2. This external memory function module 15 has a bind ID acquirer 156 for acquiring a bind ID to specify the application downloaded, a discrimination ID acquirer 157 for acquiring a directory discrimination ID to specify an application permitted to access a directory, and an access controller 158 for checking the bind ID against the directory discrimination ID and for, when they coincide with each other, performing such control as to permit access of the application to the directory.
    Type: Application
    Filed: September 13, 2006
    Publication date: February 4, 2010
    Applicant: NTT DoCoMo, Inc.
    Inventors: Mao Asai, Makoto Hamatsu, Tomoyuki Tamachika, Hirohito Taniguchi
  • Publication number: 20100017575
    Abstract: A security system for an external data storage apparatus and a control method thereof, in which a data storage is driven by reading an identification (ID), which is input through a key input unit for the purpose of security of the external data storage apparatus, and then checking whether or not the read ID is equal to a previously registered ID, thereby preventing data from leaking out and being damaged in advance by another person, and safely protecting the data of a user.
    Type: Application
    Filed: October 2, 2007
    Publication date: January 21, 2010
    Inventor: Sanghoon Kim
  • Publication number: 20100005265
    Abstract: Method for isolating an object that has not been accessed for a certain period of time in a virtual memory space. When a garbage collection operates on a computer, the following steps are executed: detecting the object which has not been accessed for a certain period of time as a non-access object; moving the non-access object to a newly reserved virtual memory region when a certain time period elapses after detecting the non-access object; and setting the newly reserved virtual memory region to be an inaccessible region so that the garbage collection does not access the inaccessible region after a certain further time period elapses after moving the non-access object to the newly reserved virtual memory region.
    Type: Application
    Filed: June 30, 2009
    Publication date: January 7, 2010
    Applicant: International Business Machines Corporation
    Inventor: Rei Odaira
  • Publication number: 20090328218
    Abstract: A log output device and a program are provided, which append a signature to a log, prevent undetectable tampering (alteration, insertion, deletion, etc.), and are able to narrow down the tampered position if tampering has occurred. The log output device forms a log record including a data part and a hash part, and outputs it to a disk; the hash part is formed by combining a hash of the data part (data hash) and a hash of the hash part of the previous record (link hash); a signature is appended to only a part of the records of a hash chain; when outputting the record to the disk, a copy of the hash part of the record is maintained in process memory; when outputting the next record, the hash part of the latest record on the disk and the hash part maintained in process memory are compared; if they match, the record on the disk is determined as not having been tampered with, and if they do not match, the record is determined as tampered with.
    Type: Application
    Filed: August 28, 2006
    Publication date: December 31, 2009
    Applicant: MITSUBISHI ELECTRIC CORPORATION
    Inventor: Tatsuya Tsurukawa
  • Publication number: 20090327634
    Abstract: Extension fields in a provisioning certificate in the authentication silo of a transient storage device (TSD) are used to provide secure configuration options for TSDs while operating within the constraints of the current IEEE 1667 standard. Immutable values for configurable settings of the storage device are set in extension fields of a provisioning certificate. The provisioning certificate is then installed on the storage device. The method takes advantage of properties unique to the IEEE 1667 certificate silo specification and ITU-T X.509 certificate specification. The method is implemented while satisfying the security requirements for device configuration and taking advantage of the existing standards definitions as they are, without modification. The method allows particular features present in the device firmware to be enabled or disabled.
    Type: Application
    Filed: June 25, 2008
    Publication date: December 31, 2009
    Applicant: Microsoft Corporation
    Inventor: James Bovee