G06F12/145

Secure Storage of Datasets in a Thread Network Device

Some aspects of this disclosure relate to implementing a thread device that can associate with a thread network. The thread device includes a network processor, a first memory, and a host processor communicatively coupled to the network processor and the first memory. The first memory can be a nonvolatile memory with a first level security protection, and configured to store a first dataset including thread network parameters for the network processor to manage network functions for the thread device associated with the thread network. The host processor is configured to perform various operations associated with the first dataset stored in the first memory. The network processor can be communicatively coupled to a second memory to store a second dataset, where the second dataset has a same content as the first dataset. The network processor is configured to manage the network functions based on the second dataset. The second memory can be a volatile memory with a second level security protection that is less than the first level security protection.

PREVENTING UNAUTHORIZED TRANSLATED ACCESS USING ADDRESS SIGNING
20230070125 · 2023-03-09

A host may use address translation to convert virtual addresses to physical addresses for endpoints, which may then submit memory access requests for physical addresses. The host may incorporate the physical address and a signature of the physical address generated using a private key into a translated address field of a response to a translation request. An endpoint may treat the combination as a translated address by storing it in an entry of a translation cache, and accessing the entry for inclusion in a memory access request. The host may generate a signature of the translated address from the request using the private key, with the result being compared to the signature from the request. The memory access request may be verified when the compared values match, and the memory access may be performed using the translated address.

RELIABILITY OF COMPUTER MEMORY WITH DATA MOVEMENT AND ADDRESS RE-MAPPING

Aspects of the present disclosure relate to techniques for minimizing the effects of RowHammer and induced charge leakage. In examples, systems and methods for preventing access pattern attacks in random-access memory (RAM) are provided. In aspects, a data request associated with a page table may be determined to be a potential security risk and such potential security risk may be mitigated by randomly selecting a memory region from a subset of memory regions, copying data stored in a memory region associated with a page table entry in the page table to the second memory region, disassociating the second memory region from the subset of memory regions and associating the memory region associated with the page table to the second memory region, and updating the page table entry in the page table to refer to the second memory region.

STORAGE DEVICE AND OPERATION METHOD THEREOF

A storage device includes a memory device including a first memory region having a lowest bit density, a second memory region having a medium bit density, and a third memory region having a highest bit density, and a controller configured to control the memory device. The controller is configured to determine data from a host as being any one of hot data, warm data and cold data, is configured to store the hot data in the first memory region, is configured to store the warm data in the second memory region, is configured to store the cold data in the third memory region, is configured to select a source block of first memory blocks included in the first memory region, is configured to select destination blocks in each of the second and third memory regions, and is configured to migrate each piece of unit data stored in the source block to one of the destination blocks according to a degree of hotness of each piece of the unit data.

AUTHENTICATED READING OF MEMORY SYSTEM DATA
20230126605 · 2023-04-27

Methods, systems, and devices for authenticated reading of memory system data are described. In some examples, a host system and a memory system may exchange keys used to grant the host system access to one or more protected regions of the memory system. The keys may be symmetric or asymmetric. In some cases, the host system may transmit a read command to access data stored at a protected region of the memory system, along with a signature generated using the key associated with the protected region. The memory system may verify the signature to determine whether the host is authorized to access the protected region, and may transmit the requested data to the host system. In some examples, the memory system may sign the returned data, so that the host system may verify the source of the data.

Apparatuses, methods, and systems for verification of input-output memory management unit to device attachment

Systems, methods, and apparatuses relating to performing an attachment of an input-output memory management unit (IOMMU) to a device, and a verification of the attachment, are described. In one embodiment, a protocol and IOMMU extensions are used by a secure arbitration mode (SEAM) module and/or circuitry to determine if the IOMMU that is attached to the device requested to be mapped to a trusted domain.

RESOURCE ISOLATION IN COMPUTATIONAL STORAGE DEVICES
20230124665 · 2023-04-20

A method includes receiving, at a controller of a computational storage (CS) device, a request to allocate computational storage to an application of a host device. The request includes a resource set ID associated with the application. The method further includes identifying a memory range within a memory region of the CS device. The method further includes storing, in a data structure associated with the resource set ID, an association between a memory range identifier (ID) of the memory range, the memory region, and an offset within the memory region. The method further includes sending the memory range ID to the host device.

SYSTEMS AND METHODS FOR TRANSFORMING DATA IN-LINE WITH READS AND WRITES TO COHERENT HOST-MANAGED DEVICE MEMORY
20220327052 · 2022-10-13

The disclosed computer-implemented method may include (1) receiving, from an external host processor via a cache-coherent interconnect, a request to access a host address of a coherent memory space of the external host processor, (2) when the request is to write data to the host address, (a) performing an in-line transformation on the data to generate second data and (b) writing the second data to the physical address of the device-attached physical memory mapped to the host address, and (3) when the request is to read data from the host address, (a) reading the data from the physical address of the device-attached physical memory mapped to the host address, (b) performing a reversing in-line transformation on the data to generate second data, and (c) returning the second data to the external host processor via the cache-coherent interconnect. Various other methods, systems, and computer-readable media are also disclosed.

VIRTUAL MACHINE MEMORY SNAPSHOTS IN PERSISTENT MEMORY
20220326977 · 2022-10-13

Various embodiments set forth techniques for taking a snapshot of virtual memory of a virtual machine. One technique includes allocating, in a persistent memory, one or more blocks associated with a virtual memory, annotating a first portion of the virtual memory for copying in a first pass, copying the first portion into the one or more blocks in the persistent memory in the first pass, receiving a write request associated with the first portion, and in response to receiving the write request: applying the write request to the first portion and annotating the first portion for copying in a second pass subsequent to the first pass.

STORAGE SYSTEM AND METHOD FOR PERFORMING AND AUTHENTICATING WRITE-PROTECTION THEREOF

In one embodiment, the method includes receiving, at a storage device, a request. The request includes a request message authentication code and write protect information. The write protect information includes at least one of start address information and length information. The start address information indicates a logical block address at which a memory area in a non-volatile memory of the storage device starts, and the length information indicates a length of the memory area. The method also includes generating, at the storage device, a message authentication code based on (1) at least one of the start address information and the length information, and (2) a key stored at the storage device; authenticating, at the storage device, the request based on the generated message authentication code and the request message authentication code; and processing, at the storage device, the request based on a result of the authenticating.