Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

A device may load a process under test into virtual memory associated with the device. The virtual memory may include a plurality of memory pages. The device may insert a malware inspection element and a memory tracking element into the process under test and may provide a notification of an event associated with the process under test to a memory tracking element. The device may identify, using the memory tracking element, one or more memory pages of the plurality of memory pages. The one or more memory pages may be assigned to, and used by, the process under test. The device may generate, based on identifying the one or more memory pages, a memory map, associated with the process under test, that may include information identifying the one or more memory pages as being assigned to, and used by, the process under test.

When having detected that key data set to an accelerator by command information is not key data permitted to use, a monitor unit issues, to a storage control unit, a suspension request for suspending processing related to writing of data, a compute unit having received an instruction from an application program reads data from the storage device, encrypts read data using the accelerator, and issues, to the storage control unit, an instruction to write encrypted data to the storage device, and when having received the suspension request, the storage control unit suspends processing related to writing of data to the storage device.

Systems, apparatuses, and methods related to a computer system having a page table entry containing security settings for calls from predefined domains are described. The page table entry can be used to map a virtual memory address to a physical memory address. In response to a call to execute a routine identified using the virtual memory address, a security setting corresponding to the execution domain from which the call initiates can be extracted from the page table entry to determine whether a security measure is to be used. For example, a shadow stack structure can be used to protect the private stack content of the routine from being access by a caller and/or to protect the private stack content of the caller from being access by the callee.

According to one embodiment, a memory system includes a nonvolatile memory and a controller. In response to receiving from a host a write request designating a first address for identifying data to be written, the controller encrypts the data with the first address and a first encryption key, and writes the encrypted data to the nonvolatile memory together with the first address. In response to receiving from the host a read request designating a physical address indicative of a physical storage location of the nonvolatile memory, the controller reads both the encrypted data and the first address from the nonvolatile memory on the basis of the physical address, and decrypts the read encrypted data with the first encryption key and the read first address.

Various examples are directed to systems and methods for managing a memory system. The memory system may generate a first encrypted physical address using a first clear physical address. The memory system may generate a first encrypted logical-to-physical (L2P) pointer indicating the first logical address and a first encrypted physical address. The memory system may send the first encrypted L2P pointer to a host device for storage at a host memory.

Apparatus and methods for encrypting captured media. In one embodiment, the method includes capturing media data via use of a lens of an image capture apparatus; obtaining a number used only once (NONCE) value from the captured media data; obtaining an encryption key for use in encryption of the captured media data; using the obtained NONCE value and the obtained encryption key for encrypting the captured media data; and storing the encrypted media data. In some variants, the media is encrypted prior to storage, thereby obviating any instances in which the captured media data resides in a wholly unencrypted instance. Apparatus and methods for decrypting encrypted captured media are also disclosed.

An application-specific integrated circuit (ASIC) and method are provided for executing a memory-hard algorithm requiring reading generated data. A processor or state machine executes one or more steps of the memory-hard algorithm and requests the generated data. At least one specialized circuit is provided for generating the generated data on demand in response to a request for the generated data from the processor. Specific embodiments are applied to memory-hard cryptographic algorithms, including Ethash and Equihash.

Memory devices, systems including memory devices, and methods of operating memory devices are described, in which security measures may be implemented to control access to a fuse array (or other secure features) of the memory devices based on a secure access key. In some cases, a customer may define and store a user-defined access key in the fuse array. In other cases, a manufacturer of the memory device may define a manufacturer-defined access key (e.g., an access key based on fuse identification (FID), a secret access key), where a host device coupled with the memory device may obtain the manufacturer-defined access key according to certain protocols. The memory device may compare an access key included in a command directed to the memory device with either the user-defined access key or the manufacturer-defined access key to determine whether to permit or prohibit execution of the command based on the comparison.

A storage system has zones in solid-state storage memory, with power loss protection. The system identifies portions of data for processes that utilize power loss protection. The system determines to activate or deactivate power loss protection for the portions of data for the processes. The system tracks activation and deactivation of power loss protection in zones in the solid-state storage memory, in accordance with the portions of data having power loss protection activated or deactivated.