Abstract: Embodiments of the present disclosure disclose an application program integrity verification method and a network device. The method includes: performing eigenvalue calculation on data of an application program when the application program starts, to obtain a first digest of the application program (101); decrypting a stored digital signature of the application program according to a public key in an embedded key pair to obtain a second digest of the application program, where the digital signature is obtained, according to a private key in the key pair, by signing data of the application program each time the application program is updated (102), and the key pair is a manufacturer key pair corresponding to the application program; and determining that integrity verification of the application program passes if the first digest and the second digest are the same, otherwise, determining that integrity verification of the application program does not pass (103).

Abstract: An apparatus is provided for protecting a basic input/output system (BIOS) in a computing system. The apparatus includes a BIOS read only memory (ROM), an event detector, and a tamper detector. The BIOS ROM has BIOS contents that are stored as plaintext, and an encrypted message digest, where the encrypted message digest comprises an encrypted version of a first message digest that corresponds to the BIOS contents, and where and the encrypted version is generated via a symmetric key algorithm and a key. The event detector is configured to generate a BIOS check interrupt that interrupts normal operation of the computing system upon the occurrence of an event, where the event includes one or more occurrences of a power glitch exceeding a specified threshold within a specified time period.

Abstract: An apparatus is provided for protecting a basic input/output system (BIOS) in a computing system. The apparatus includes a BIOS read only memory (ROM), an event detector, and a tamper detector. The BIOS ROM has BIOS contents that are stored as plaintext, and an encrypted message digest, where the encrypted message digest comprises an encrypted version of a first message digest that corresponds to the BIOS contents, and where and the encrypted version is generated via a symmetric key algorithm and a key. The event detector is configured to generate a BIOS check interrupt that interrupts normal operation of the computing system upon the occurrence of an event, where the event includes one or more occurrences of a fuse array access.

Abstract: A microelectronic memory may be password access protected. A controller may maintain a register with requirements for accessing particular memory locations to initiate a security protocol. A mapping may correlate which regions within a memory array are password protected. Thus, a controller can use a register and the mapping to determine whether a particular granularity of memory is password protected, what the protection is, and what protection should be implemented. As a result, in some embodiments, a programmable password protection scheme may be utilized to control a variety of different types of accesses to particular regions of a memory array.

Abstract: A computer system and an access restriction method may be used to enable security and improve reliability. The computer system includes a first storage apparatus and a second storage apparatus. The first storage apparatus provides a first logical volume from/to which a host apparatus reads and writes data, and the second storage apparatus provides a virtual second logical volume obtained by virtualizing the first logical volume of the first storage apparatus to the host apparatus. The first path information relates to a path from the host apparatus to the second logical volume registered in the first storage apparatus in association with the first logical volume of the first storage apparatus. Reservation of and access to the first logical volume is granted only for a reservation request and access request with matching path information from the host apparatus.

Abstract: A chip including a processor for performing a predetermined operation, a provider for providing a clock signal, with which the processor is clocked, a counter for decrementing or incrementing a count based on the clock signal, a monitor for signaling the predetermined operation to be prevented, depending on the count, and a non-volatile storage for non-volatily storing the count.

Abstract: In a method for allocating space on a logical disk, a computer receives an allocation request to allocate a number of requested logical disk extents. The computer selects one of a first group having an array of logical disk extents and a second group having an array of logical disk extents. The computer selects a group having a number of free logical disk extents that is greater than or equal to the number of requested logical disk extents. The logical disk extents in the array of the first group and in the array of the second group correspond to disk blocks on a logical disk. The logical disk spans one or more physical random access disks. The computer locks the selected group to prevent allocating a logical disk extent other than in response to the allocation request.

Abstract: Embodiments of the present invention provide methods of reading data from and writing data to a memory, computer program products for performing such methods, and apparatus for reading data from and writing data to, a memory, which apparatus may be implemented, for example, as a Field Programmable Gate Array (FPGA). A key associated with data to be read from or written to the memory is converted into two separate values, which values are themselves converted into first and second index values, each having an associated signature value. The index values are used as indices to a signature table containing a signature value for each data entry stored in the memory from which data is to be read or to which data is to be written. In a read operation, a signature of the signature table which matches one of the signature values derived from the key is identified and a read address is calculated based on the index value associated with the matching signature value derived from the key.

Abstract: In a shared memory process different threads may attempt to access a shared data variable in a shared memory. Locks are provided to synchronize access to shared data variables. Each lock is allocated to have a location in the shared memory relative to the instance of shared data that the lock protects. A lock may be allocated to be adjacent to the data that it protects. Lock resolution is facilitated because the memory location of a lock can be determined from an offset with respect to the data variable that is being protected by the lock.

Abstract: A method and system for secure access to data files copied onto a second storage device from a first storage device. A computer receives data from a first storage device that is in communication with the computer. A data file is stored to a second storage device. A passkey is generated and associated with the data file. A passkey image file corresponding to the passkey is generated. The passkey image file is transmitted to the first storage device for storage. Subsequent access to the data file on the second storage device requires entry of the passkey. The passkey is only accessible to a user that has access to read the passkey image file on the first storage device.

Abstract: Provided is an intrusion detection system configured to detect anomalies indicative of a zero-day attack by statistically analyzing substantially all traffic on a network in real-time. The intrusion detection system, in some aspects, includes a network interface; one or more processors communicatively coupled to the network interface; system memory communicatively coupled to the processors. The system memory, in some aspects, stores instructions that when executed by the processors cause the processors to perform steps including: buffering network data from the network interface in the system memory; retrieving the network data buffered in the system memory; applying each of a plurality of statistical or machine-learning intrusion-detection models to the retrieved network data; aggregating intrusion-likelihood scores from each of the intrusion-detection models in an aggregate score, and upon the aggregate score exceeding a threshold, outputting an alert.

Abstract: Methods and systems are disclosed for code protection in non-volatile memory (NVM) systems. Information stored within NVM memory sectors, such as boot code or other code blocks, is protected using lockout codes and lockout keys written in program-once memory areas within the NVM systems. Further, lockout codes can be combined into a merged lockout code that can be stored in a merged protection register. The merged protection register is used to control write access to protected memory sectors. Lockout code/key pairs are written to the program-once area when a memory sector is protected. The program-once area, which stores the lockout code/key pairs, is not readable by external users. Once protected, a memory sector can not be updated without the lockout code/key pair.

Abstract: An inter-machine locking mechanism coordinates the access of shared resources in a tightly-coupled cluster that includes a number of processing systems. When a requesting processing system acquires a lock to access a resource, a comparison is made between values of a global counter and a local counter. The global counter indicates the number of times the lock is acquired exclusively by any of the processing systems. Based on the comparison result, the requesting processing system determines whether the resource has been modified since the last time it held the lock.

Abstract: According to one embodiment, a storage system includes a host device, 2 storing medium. The secure storing medium includes: a memory provided with a protected first storing region which stores secret information sent from the host device, and a second storing region which stores encoded contents; and a controller which carries out authentication processing for accessing the first storing region. The host device and the secure storing medium produce a bus key which is shared only by the host device and the secure storing medium by authentication processing, and which is used for encoding processing when information of the first storing region is sent and received between the host device and the secure storing medium. The host device has the capability to request the secure storing medium to send a status.

Abstract: According to one embodiment, a storage system includes a host device, 2 storing medium. The secure storing medium includes: a memory provided with a protected first storing region which stores secret information sent from the host device, and a second storing region which stores encoded contents; and a controller which carries out authentication processing for accessing the first storing region. The host device and the secure storing medium produce a bus key which is shared only by the host device and the secure storing medium by authentication processing, and which is used for encoding processing when information of the first storing region is sent and received between the host device and the secure storing medium. The host device has the capability to request the secure storing medium to send a status.

Abstract: According to one embodiment, a storage system includes a host device, 2 storing medium. The secure storing medium includes: a memory provided with a protected first storing region which stores secret information sent from the host device, and a second storing region which stores encoded contents; and a controller which carries out authentication processing for accessing the first storing region. The host device and the secure storing medium produce a bus key which is shared only by the host device and the secure storing medium by authentication processing, and which is used for encoding processing when information of the first storing region is sent and received between the host device and the secure storing medium. The host device has the capability to request the secure storing medium to send a status.

Abstract: The subject disclosure is directed towards establishing more direct access to a storage device from unprivileged code. Using a storage infrastructure mechanism to discover and enumerate storage architecture component(s), a user mode application requests at least one portion of the storage device to store application-related data. The storage infrastructure mechanism determines whether the application is authorized to access the storage device and if satisfied, the storage infrastructure mechanism configures at least one path for performing block-level input/output between the storage device and an unprivileged storage architecture component.

Abstract: A system and method for handling requests by virtual machines (VMs) to lock portions of main memory are disclosed. In accordance with one embodiment, a host operating system (OS) of a computer system receives a request by the guest OS of a VM to lock a portion of main memory of the computer system. The host OS determines whether locking the portion of main memory violates any of a set of constraints pertaining to main memory. The host OS locks the portion of main memory when locking does not violate any of the set of constraints. The locking prevents any page of the portion of main memory from being swapped out to a storage device. The host OS can still swap out pages of main memory that are not allocated to this VM and are not locked by any other VM.

Abstract: A detachable storage device can comprise a memory, circuitry, and a user interface. The memory may comprise a storage partition. The circuitry may be configured to authorize access to the storage partition to a digital device when the detachable storage device is coupled to the digital device based, at least in part, on a user code. The user interface may be configured to receive the user code while the detachable storage device is within a detached state and provide the user code to the circuitry to allow access to the storage partition.

Abstract: A content addressable storage (CAS) system is provided in which each storage unit is assigned to one of a plurality of sibling groups. Each sibling group is assigned the entire hash space. Within each sibling group, the hash space is partitioned into hash segments which are assigned to the individual storage units that belong to the sibling group. Chunk retrieval requests are submitted to all sibling groups. Chunk storage requests are submitted to a single sibling group. The sibling group to which a storage request is submitted depends on whether any sibling group already stores the chunk, and which sibling groups are considered full.

Abstract: A storage system that enables the use of a plurality of keys respectively stored in a plurality of storage units of a storage device is provided. The storage system includes a storage device including a first storage unit and a second storage unit that are recognized as a single storage device, wherein the first storage unit is configured to store a first key, the second storage unit is configured to store a second key different from the first key, and a controller is configured to transmit to the storage device one of a first key-read control signal that includes information about the first storage unit and a second key-read control signal that includes information about the second storage unit and receive the first key and the second key as identification information of the storage device in response to the first key-read control signal and the second key-read control signal, respectively.

Abstract: In at least one embodiment, a method includes determining whether to elide a lock operation based on success of or failure of one or more previous transactional memory operations associated with one or more respective previous lock elisions. In at least one embodiment of the method, the lock operation is associated with a first access of a shared resource and the one or more previous lock elisions are associated with respective one or more previous accesses of the shared resource.

Abstract: A data management method for a data storage device includes receiving a write request; partitioning the file into first and second portions; encrypting the first portion, and storing the encrypted first portion in a first storage medium and the second portion in a second storage medium.

Abstract: A serial memory device having a non-volatile memory array including a plurality of memory blocks, one or more said plurality of blocks being capable of being placed in a locked or an unlocked state upon receiving designated lock or unlock signal sequences is provided. The unlock signal sequences comprises at least two sequential signal sequences: a first unlock sequence, which has 1 to 7 signal bits, is applied to one of address input pins or a logic low enabled write-protection input pin and a second unlock sequence follows the first unlock signal sequence and is applied to a serial data access pin. The memory device further comprising a control logic circuit block coupled to a write-protection circuit block to provide means to identify the designated lock and unlock signal sequences and to set a protection state in a security area.

Abstract: A lock-clustering compiler is configured to compile program code for a software transactional memory system. The compiler determines that a group of data structures are accessed together within one or more atomic memory transactions defined in the program code. In response to determining that the group is accessed together, the compiler creates an executable version of the program code that includes clustering code, which is executable to associate the data structures of the group with the same software transactional memory lock. The lock is usable by the software transactional memory system to coordinate concurrent transactional access to the group of data structures by multiple concurrent threads.

Abstract: A computer system includes: a first storage apparatus; a second storage apparatus; a first volume of the first storage apparatus; and a second volume of the second storage apparatus; wherein the first volume and the second volume have a copy pair relationship and a host system recognizes the second volume as the same volume as the first volume; and wherein the first storage apparatus sends reservation information of the first volume to the second storage apparatus; and the second storage apparatus controls access from the host system on the basis of the received reservation information.

Abstract: In a shared memory process different threads may attempt to access a shared data variable in a shared memory. Locks are provided to synchronize access to shared data variables. Each lock is allocated to have a location in the shared memory relative to the instance of shared data that the lock protects. A lock may be allocated to be adjacent to the data that it protects. Lock resolution is facilitated because the memory location of a lock can be determined from an offset with respect to the data variable that is being protected by the lock.

Abstract: A computer system comprises: a central processing unit (CPU); an input/output control hub (IOCH) connected to the CPU; a storage device; the input/output control hub (IOCH) comprising a direct data access control (DDAC) being connected to the storage device; the DDAC providing protected regions and unprotected regions on the storage device (HDD). The IOCH comprises in addition to the DDAC an interface for semantic control of data access (SCDA), the SCDA storing custom configuration data which can be loaded only by a dedicated service which controls protected code running on the CPU. Via the SCDA, files in protected regions can be accessed on a record or even field level, whereby each record or field can have different access rights.

Abstract: The method is for protecting the digital contents of a solid state memory including a microprocessor. A microprocessor inserts at least an interruption during a copy or a reading of the digital contents and proceeds with the copy or reading only subsequently to a verification of a PIN. In particular, the verification provides control that the PIN is inserted manually. Also, a solid state memory includes a microprocessor programmed for inserting at least an interruption in a copy or reading of digital contents of the memory, for verifying a PIN, and for proceeding with the copy or the reading, if the PIN is inserted correctly.

Abstract: Proposed are a computer system and an access restriction method which enable security and reliability to be improved. In a computer system that comprises a first storage apparatus which provides a first logical volume from/to which a host apparatus reads and writes data, and a second storage apparatus which provides a virtual second logical volume obtained by virtualizing the first logical volume of the first storage apparatus, to the host apparatus, first path information which relates to a path from the host apparatus to the second logical volume is registered in the first storage apparatus in association with the first logical volume of the first storage apparatus, and reservation of and access to the first logical volume is granted only for a reservation request and access request with matching path information from the host apparatus.

Abstract: Systems, methods and media for providing to a plurality of WPARs private access to physical storage connected to a server through a VIOS are disclosed. In one embodiment, a server is logically partitioned to form a working partition comprising a WPAR manager and individual WPARs. Each WPAR is assigned to a different virtual port. The virtual ports are created by using NPIV protocol between the WPAR and VIOS. Thereby, each WPAR has private access to the physical storage connected to the VIOS.

Abstract: An access control method for a computer system in which a plurality of clusters share a storage unit, includes predefining an access instruction with exclusive right in addition to an access instruction that is issued with respect to the storage unit from the plurality of clusters, and monitoring, in the storage unit, based on the access instruction with exclusive right transferred from an arbitrary cluster, an access state of an other cluster and executing access instructions with exclusion if a region accessed by an access instruction from the other cluster overlaps a region accessed by the access instruction with exclusive right.

Abstract: A detachable storage device can comprise a memory, circuitry, and a user interface. The memory may comprise a storage partition. The circuitry may be configured to authorize access to the storage partition to a digital device when the detachable storage device is coupled to the digital device based, at least in part, on a user code. The user interface may be configured to receive the user code while the detachable storage device is within a detached state and provide the user code to the circuitry to allow access to the storage partition.

Abstract: Managing access to a cache memory includes dividing said cache memory into multiple of cache areas, each cache area having multiple entries; and providing at least one separate lock attribute for each cache area such that only a processor thread having possession of the lock attribute corresponding to a particular cache area can update that cache area.

Abstract: Systems, methods, computer programs, and devices are disclosed herein for partitioning the namespace of a secure element in contactless smart card devices and for writing application data in the secure element using requests from a software application outside the secure element. The secure element is a component of a contactless smart card incorporated into a contactless smart card device. A control software application resident in the same or a different secure element provides access types and access bits, for each access memory block of the secure element namespace, thereby portioning the namespace into different access types. Further, a software application outside the secure element manages the control software application by passing commands using a secure channel to the secure element, thereby enabling an end-user of the contactless smart card device or a remote computer to control the partitioning and use of software applications within the secure element.

Abstract: Systems and methods for input/output command management. In embodiments of the invention an input/output command fully executes after a lock has been obtained for the command on all storage segments relating to the command, in a predetermined order. Some embodiments of the invention allow overlapping access to storage and/or to individual storage segments by a plurality of input/output commands. In some embodiments of the invention, prioritization of commands is facilitated through the usage of a sharing policy and/or wakeup policy.

Abstract: Various embodiments of the present invention provide a system for caching information in a multi-process environment. The system includes a processor. A shared memory is communicatively coupled to the processor. The shared memory includes a set of data. A writer process is communicatively coupled to the shared memory. The write process reads and updates the set of data. A plurality of reader processes is communicatively coupled to the shared memory. Each reader process reads at least part of the set of data directly from the shared memory and sends a set of update information to the writer process. The writer process then updates the set of data stored in the shared memory based on the set of update information.

Abstract: Various embodiments of the present invention manage concurrent accesses to a resource in a parallel computing environment. A plurality of locks is assigned to manage concurrent access to a plurality of parts of a resource. A usage of at least one of the plurality of parts of the resource is monitored. The assignment of the plurality of locks to the plurality of parts of the resource is modified based on the usage that has been monitored.

Abstract: A method, system, and computer usable program product for using a dual mode reader writer lock. A contention condition is detected in the use of a lock in a data processing system, the lock being used for managing read and write access to a resource in the data processing system. A determination of the data structure used for implementing the lock is made. If the data structure is a data structure of a reader writer lock (RWL), the data structure is transitioned to a second data structure suitable for implementing the DML. A determination is made whether the DML has been expanded. If the DML is not expanded, the DML is expanded such that the data structure includes an original lock and a set of expanded locks. The original lock and each expanded lock in the set of expanded locks forms an element of the DML.

Abstract: Management of storage used by pageable guests of a computing environment is facilitated. A query instruction is provided that details information regarding the storage location indicated in the query. It specifies whether the storage location, if protected, is protected by host-level protection or guest-level protection.

Abstract: Various embodiments for storage initialization and data destage in a computing storage environment are provided. At least a portion of data on a storage device is initialized using a background process, while one of simultaneously and subsequently destaging the at least the portion of the data to the storage device using a foreground process is performed. A persistent metadata bitmap, adapted to indicate whether the at least the portion of the data has been initialized, is staged to cache, the cache operable in the computing storage environment. The background process maintains a volatile bitmap indicating a status of the initialization of the at least the portion of the data in direct correspondence to the metadata bitmap. As the background process initializes the at least the portion of the data, an applicable bit on the persistent metadata bitmap is cleared and a corresponding bit is set on the volatile bitmap.

Abstract: A system and method for locking and unlocking access to a shared memory for atomic operations provides immediate feedback indicating whether or not the lock was successful. Read data is returned to the requestor with the lock status. The lock status may be changed concurrently when locking during a read or unlocking during a write. Therefore, it is not necessary to check the lock status as a separate transaction prior to or during a read-modify-write operation. Additionally, a lock or unlock may be explicitly specified for each atomic memory operation. Therefore, lock operations are not performed for operations that do not modify the contents of a memory location.

Abstract: Memory page management in a tiered memory system including a system that includes at least one page table for storing a plurality of entries, each entry associated with a page of memory and each entry including an address of the page and a memory tier of the page. The system also includes a control program configured for allocating pages associated with the entries to a software module, the allocated pages from at least two different memory tiers. The system further includes an agent of the control program capable of operating independently of the control program, the agent configured for receiving an authorization key to the allocated pages, and for migrating the allocated pages between the different memory tiers responsive to the authorization key.

Abstract: Main memory operation in a symmetric multiprocessing computer, the computer comprising one or more processors operatively coupled through a cache controller to at least one cache of main memory, the main memory shared among the processors, the computer further comprising input/output (‘I/O’) resources, including receiving, in the cache controller from an issuing resource, a memory instruction for a memory address, the memory instruction requiring writing data to main memory; locking by the cache controller the memory address against further memory operations for the memory address; advising the issuing resource of completion of the memory instruction before the memory instruction completes in main memory; issuing by the cache controller the memory instruction to main memory; and unlocking the memory address only after completion of the memory instruction in main memory.

Abstract: A system and computer implemented method for isolating errors in a computer system is provided. The method includes receiving a direct memory access (DMA) command to access a computer memory, a read response, or an interrupt; associating the DMA command to access the computer memory, the read response, or the interrupt with a stream identified by a stream identification (ID); detecting a memory error caused by the DMA command in the stream, the memory error resulting in stale data in the computer memory; and isolating the memory error in the stream associated with the stream ID from other streams associated with other stream IDs upon detecting the memory error.

Abstract: In one embodiment a network attached storage device comprises at least one storage media, a detection module to detect a connection of a media source to the network attached storage device, a network interface to receive, in the network attached storage device, an activation key associated with the media source, an activation module to determine whether the activation key is stored in a computer-readable memory coupled to the network attached storage device, and in response to a determination that the activation key is not stored in a computer-readable memory coupled to the network attached storage device, to associate the activation key with a device identifier for the network attached storage device and to store the activation key and the device identifier in the computer-readable memory coupled to the network attached storage device, an imaging module to create an image of at least a portion of the media content on the media source in a computer-readable memory coupled to the network attached storage devic

Abstract: A mechanism for automatic reallocation of shared external storage structures is provided. The shared external storage divides the dynamically allocable storage into fixed sized blocks referred to as allocation units. To create an object of a specific type, the shared external storage uses some number of allocation units. If the object will fit in one allocation unit, then it is placed in one allocation unit. If the object is larger than one allocation unit, then the appropriate number of allocation units is obtained and chained together to contain all of the information of the required object. When an object so allocated is no longer needed, the shared external storage breaks the object down to a set of one or more fixed sized allocation units. The shared external storage then returns the allocation units to the pool of available objects.

Abstract: In response to an instruction to dismount a storage volume, for example, an object in the storage volume is identified and a handle that references the object is closed. Once an exclusive lock on the storage volume is acquired, the storage volume can be dismounted. The storage volume can then remounted.

Abstract: An information handling system includes a host mapped general purpose input output (GPIO), a shared memory, a board management controller, and a cryptography engine. The host mapped GPIO includes a plurality of registers. The board management controller is in communication with the host mapped GPIO and with the shared memory, and is configured to control accessibility to the plurality of registers in the GPIO, and to control write accessibility of the shared memory based on a private key received from a basic input output system requesting accessibility to the plurality of registers and write accessibility of the shared memory. The cryptography engine is in communication with the board memory controller, and is configured to authenticate the private key received from the board management controller.

Abstract: A data protection method for an electronic device having a storage medium is provided, wherein the storage medium includes a plurality of partitions and a partition table. In the data protection method, a partition entry point and a partition data corresponding to the specific partition are captured and sent to an external storage device when the electronic device enters a shutdown process. Then, the partition entry point is deleted from the partition table and the partition data is removed from the storage medium. When the electronic device is turned on, a user has to provide the corresponding external storage device to restore the partition entry point and the partition data back to the storage medium. Thereby, personal data stored in the storage medium is protected and accordingly data security is ensured.