G06F21/805

SYSTEMS AND METHODS FOR SECURING OFFLINE DATA
20200358602 · 2020-11-12

Described embodiments provide systems and methods for securing offline data for shared accounts of a shared computing device. Cache files can be generated for a plurality of users of an application executable on the device to store user data corresponding to individual users of the application. An encryption key can be generated for one or more of the cache files and the encryption key can be associated with at least one user of the application. The encryption key can be associated with a user identifier so that the encryption key is not accessible by other users of the computing device. The user data can be encrypted in one of the cache files with the encryption key. The encrypted user data can be presented to a user via the shared computing device based on receipt of a user identifier that enables access to the encryption key.

DATA MANAGEMENT SYSTEM AND DATA MANAGEMENT METHOD
20200250333 · 2020-08-06

An object of the invention is to enable fine-grained access control at a unit finer than the access unit specified by application software such as a block-chain or a database. A data management system, in which data to be processed by an information processing device is accessed by a file system in which data is accessed in file units, stores fine grain access information related to a file to be accessed. The fine grain access information includes a position of the file, an access right to the file, and retention information, and access to the file from the information processing device is controlled based on the fine grain access information. The file includes a block-chain block, and the fine grain access information is stored as an extended attribute in the file including the block-chain block.

Data integrity verification in a non-volatile memory
10719607 · 2020-07-21

A method for performing a secure boot of a data processing system, and the data processing system are provided. The method includes: processing a command issued from a processor of the data processing system, the command directed to a memory; determining that the command is a command that causes the memory to be modified; performing cryptographic verification of the memory; and incrementing a first counter in response to the determining that the command is a command that causes the memory to be modified. The data processing system includes a processor, a memory, and a counter. The memory is coupled to the processor, and the memory stores data used by a bootloader during a secure boot. The counter is incremented by a memory controller in response to a command being a type of command that modifies the data stored by the memory.

Storage protection unit

Technology is disclosed that provides security for data stored in a non-volatile memory device. The non-volatile memory device may be embedded in a host system. The host system may further have a host controller that is configured to obtain a memory access message from an initiator to access the non-volatile memory. The host controller may be further configured to provide the memory access message to the memory controller. The memory access message may contain an identifier of the initiator, which may be verified by the host controller. The memory controller may be configured to access the identifier of the initiator from the memory access message, and grant or deny non-volatile memory access to the initiator based on whether the initiator has access rights to a region of the non-volatile memory to which the initiator seeks access.

LARGE NETWORK ATTACHED STORAGE ENCRYPTION
20200074103 · 2020-03-05

Techniques for storing encrypted data using a storage service system are described herein. A computer system of a computation layer of the storage service system receives an encrypted key manifest, which is then decrypted using a cryptoprocessor of the computer system of the computation layer to produce a partition key. The partition key is then provided to a file system abstraction layer so that, as data is provided to the computation layer for storage, the file system abstraction layer can use the partition key to encrypt data and store the encrypted data in the storage layer.

Secure initialisation

A data processing system for processing data using a memory having a plurality of memory regions, a given memory region within said plurality of memory regions having an associated owning process having exclusive rights to control access to said given memory region, said system comprising: a security controller to: receive a request to initialise a guest execution environment; claim one or more regions of memory to be owned by said security controller; store executable program code of said guest execution environment within said one or more regions of memory; and transfer ownership of said one or more regions to said guest execution environment.

COMPUTER AND CONTROL METHOD
20200026442 · 2020-01-23

A computer comprises a controller and a storage apparatus which is configured to provide a storage area for storing data. The controller and the storage apparatus have a function of achieving encryption and decryption of data through use of an encryption key. The computer is configured to: execute encryption key setting processing for setting the encryption key in the controller and the storage apparatus so that the controller holds the same encryption key as the encryption key of the storage apparatus; and determine whether to enable the function of any one of the controller and the storage apparatus, based on load states of the controller and the storage apparatus when an I/O request is received.

PERIPHERAL DEVICE WITH RESOURCE ISOLATION
20200004993 · 2020-01-02

A peripheral device package for use in a host computing device has a plurality of compute elements and a plurality of resources shared by the plurality of compute elements. A data structure is stored in a hidden memory of the peripheral device package. The data structure holds metadata about ownership of resources of the peripheral device package by a plurality of user runtime processes of the host computing device which use the compute elements. At least one of the user runtime processes is a secure user runtime process. The peripheral device package has a command processor configured to use the data structure to enforce isolation of the resources used by the secure user runtime process.

KEY CAPABILITY STORAGE

Key capability storage circuitry 90 is provided to store a key capability specifying key bounds indicating information indicative of permissible bounds for information specified by any one or more of: a non-capability operand, a capability, or the key capability itself. For a given software compartment executed by the processing circuitry, which lacks a key capability operating privilege associated with at least a portion of the key capability storage circuitry, the processing circuitry is configured to prohibit certain manipulations of the key capability, including a transfer between key capability storage and a memory location selected by the given software compartment. This can help to support temporal safety.

PERIPHERAL DEVICE WITH RESOURCE ISOLATION
20240045997 · 2024-02-08

A peripheral device package for use in a host computing device has a plurality of compute elements and a plurality of resources shared by the plurality of compute elements. A data structure is stored in a hidden memory of the peripheral device package. The data structure holds metadata about ownership of resources of the peripheral device package by a plurality of user runtime processes of the host computing device which use the compute elements. At least one of the user runtime processes is a secure user runtime process. The peripheral device package has a command processor configured to use the data structure to enforce isolation of the resources used by the secure user runtime process.