WO2017131684A1 - Content recovery of protected data from non-volatile memory - Google Patents


Info

Publication number
WO2017131684A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
data recovery
policy
trajectory
request
Application number
PCT/US2016/015266
Other languages
French (fr)
Inventor
Dirk Kuhlmann
Philipp Reinecke
Original Assignee
Hewlett Packard Enterprise Development Lp
Application filed by Hewlett Packard Enterprise Development Lp
Priority to PCT/US2016/015266
Publication of WO2017131684A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113 Multi-level security, e.g. mandatory access control

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

Examples relate to content recovery of protected data from non-volatile memory. One example includes a system with a non-volatile memory. Responsive to receiving a request to recover data stored at a non-volatile memory communicably coupled to the system, the example system determines a data recovery policy associated with the requested data, determines a data recovery trajectory associated with the determined data recovery policy, and recovers the data from the memory based on that data recovery trajectory.

Description

BACKGROUND
[001] Large amounts of data may be stored in non-volatile memory. If this data is protected by cryptographic mechanisms, its reliable recovery becomes an issue.
BRIEF DESCRIPTION OF THE DRAWINGS
[002] The following detailed description references the drawings, wherein:
[003] FIG. 1 is a block diagram of an example system for content recovery of protected data from non-volatile memory;
[004] FIG. 2 is a block diagram of an example system for content recovery of protected data from non-volatile memory;
[005] FIG. 3 is a block diagram of an example system for content recovery of protected data from non-volatile memory; and
[006] FIG. 4 is a flowchart of an example method for content recovery of protected data from non-volatile memory.
DETAILED DESCRIPTION
[007] The following detailed description refers to the accompanying drawings. Wherever possible, the same reference numbers are used in the drawings and the following description to refer to the same or similar parts. While several examples are described in this document, modifications, adaptations, and other implementations are possible. Accordingly, the following detailed description does not limit the disclosed examples. Instead, the proper scope of the disclosed examples may be defined by the appended claims.
[008] Large amounts of data may be stored in a non-volatile memory under cryptographic protection. Facilitating recovery of that data in a reliable and secure manner (preventing or thwarting unauthorized access while safeguarding the ultimate recoverability of content in exceptional cases) may be difficult.
[009] Regardless of this complexity, business continuity and/or legal and regulatory requirements often demand that stored data be recoverable in an unencrypted format under special conditions. Content may be represented in storage objects and meta-information whose data may spread across vast memory regions and different systems in a distributed non-volatile memory architecture, where each memory region may have its own access conditions and protection mechanisms. Problems of reliable content recovery become particularly pronounced if data is stored in non-volatile memory in encrypted form: if the cryptographic key used to encrypt the data becomes unavailable, recovery of the original content may become impossible.
[0010] A new technical solution to this challenge distinguishes (a) normal operations, where data is protected by traditional cryptographic operations, from (b) exceptional operations, where data can be recovered under user- and system-definable constraints on data accessibility. This distinction allows several ways to address reliable data recovery. The system may make access to recoverable content inefficient enough to discourage unauthorized attempts to recover the corresponding data. As the value of information is often predicated on immediate and fast access, a system that deliberately degrades access to data in a controlled manner may be useful wherever the value of the corresponding information decreases over time. Conversely, an authorized party in possession of authorization tokens has normal or even optimized access when recovering data, whereas a party that has to recover data without such tokens is typically under less stringent time constraints and can tolerate the slower path. Further, a system that enforces efficiency constraints on data recovery may also detect risks of unauthorized access to data stored in non-volatile memory based on the access patterns of that data.
[0011] As such, a computer system implementing content recovery of non-volatile memory may, responsive to receiving a request to recover data stored at a non-volatile memory communicably coupled to the system, determine a data recovery policy associated with the requested data. The system may also determine a data recovery trajectory associated with the determined data recovery policy, and may recover the data from the memory based on the data recovery trajectory.
[0012] Referring now to the drawings, FIG. 1 is a block diagram of an example system 100 for content recovery of protected data from non-volatile memory. System 100 may comprise a cloud server, a mainframe, a data center, a notebook, a desktop, a tablet, a workstation, a mobile device, and/or any other device suitable for executing the functionality described below. In the embodiment of FIG. 1, system 100 includes a non-transitory machine-readable storage medium 120 and a processor 110.
[0013] Processor 110 may be one or more central processing units (CPUs), microprocessors, and/or other hardware devices suitable for retrieval and execution of instructions stored in machine-readable storage medium 120. Processor 110 may fetch, decode, and execute program instructions 121, 122, 123, and/or other instructions to enable content recovery of protected data from non-volatile memory, as described below. As an alternative or in addition to retrieving and executing instructions, processor 110 may include one or more electronic circuits comprising a number of electronic components for performing the functionality of one or more of instructions 121, 122, 123, and/or other instructions.
[0014] In one example, the program instructions 121, 122, 123, and/or other instructions can be part of an installation package that can be executed by processor 110 to implement the functionality described herein. In this case, memory 120 may be a portable medium such as a CD, DVD, or flash drive, or a memory maintained by a computing device from which the installation package can be downloaded and installed. In another example, the program instructions may be part of an application or applications already installed on system 100.
[0015] Non-transitory machine-readable storage medium 120 may be any hardware storage device for maintaining data accessible to system 100. For example, machine-readable storage medium 120 may include one or more hard disk drives, solid state drives, tape drives, memristors, and/or any other storage devices. The storage devices may be located in system 100 and/or in another device in communication with system 100. For example, machine-readable storage medium 120 may be any electronic, magnetic, optical, or other physical storage device that stores executable instructions. Thus, machine-readable storage medium 120 may be, for example, Random Access Memory (RAM), an Electrically-Erasable Programmable Read-Only Memory (EEPROM), a storage drive, an optical disc, and the like. As described in detail below, machine-readable storage medium 120 may be encoded with executable instructions for content recovery of protected data from non-volatile memory. As detailed below, storage medium 120 may maintain and/or store the data and information described herein.
[0016] System 100 may be communicably coupled to a non-volatile memory that stores data accessible to one or more client computing devices. The non-volatile memory may comprise a single non-volatile memory device, multiple non-volatile memory devices, a distributed set of non-volatile memory devices that share a universal name space, and/or another configuration of non-volatile memory. The non-volatile memory may comprise, for example, a memory controller and memory cells that reside in a single, inseparable physical unit. In some examples, the controller may comprise a cryptographic component that can encode and decode incoming and outgoing data. The cryptographic component may be able to encode and decode the data with minimal latency and at bus transfer speed. In some examples, the controller may also comprise an authorization component that prevents unauthorized modification of cryptographic keys and operational parameters. In some examples, the authorization component of the controller is a trusted platform module.
[0017] In some examples, the non-volatile memory may serve to store backup data of the one or more computing devices. In some examples, some or all of the stored data in the non-volatile memory may be stored in an unencrypted form. In some examples where some data is stored in an encrypted format, access to the data in clear text may still be possible.
[0018] In some examples, system 100 may receive a request for data stored at the non-volatile memory. The request may comprise information related to the data to be recovered. For example, the information may comprise a location of the data stored at the non-volatile memory, an amount of data to be recovered, and/or other information related to recovering the data.
[0019] In some examples, the request for recovery of data may be triggered by a physical mechanism. For example, the request may be triggered by a dedicated electrical signal delivered over an I/O interface to the non-volatile memory. Because the physical processor may reside in a rate control component (discussed further with FIG. 2) that is in the read path of the non-volatile memory, the rate control component may receive the request. In some instances, the electrical signal may be delivered directly to the rate control component. In other examples, the request for recovery of data may be triggered by a recovery service invocation with a dedicated access token. In these examples, recovery may be complemented by, or performed concurrently with, a key exchange protocol that safeguards confidentiality and/or freshness in order to protect the access token. In yet other examples, the request for recovery may be triggered by a recovery service invocation without an authorization token. In other examples, the request for recovery may be received by a client (e.g., a client computing device) storing data in the non-volatile memory.
[0020] Data recovery policy instructions 121, when executed by processor 110, may determine a data recovery policy associated with requested data responsive to the system 100 receiving a request to recover data stored at the non-volatile memory. The data recovery policy instructions 121, when executed by processor 110, may determine the data recovery policy based on information associated with the request, based on access characteristics, and/or based on other information.
[0021] A set of available data recovery policies may be stored in the non-transitory machine-readable storage medium 120 and/or other storage communicably coupled to the system 100. Each policy may comprise a policy identifier, a set of characteristics associated with the policy, and a set of data recovery trajectories associated with the policy. The set of characteristics may comprise, for example, one or more of: information related to users to whom the policy applies, a set of memory regions to which the policy applies, access characteristics of a user that would trigger the policy, presence of an access token, presence of authorization credentials, information related to whether the requested data is encrypted, an amount of time the data has been stored, and/or other characteristics.
[0022] The data recovery policy instructions 121, when executed by processor 110, may determine the data recovery policy based on a best match between the set of characteristics associated with each policy and the information associated with the request.
[0023] For example, the data recovery policy instructions 121, when executed by processor 110, may determine, based on information associated with the request, a data recovery policy based on whether the request is authorized. The data recovery policy instructions 121, when executed by processor 110, may determine that an access token is included with the request, that encryption keys are included with the request, that an authorization secret is included with the request, and/or that other authorization information is associated with the request that would indicate potential authorization. Responsive to determining that authorization information is present with the request, the data recovery policy instructions 121, when executed by processor 110, may determine whether the access token, encryption keys, authorization secret, and/or other authorization information is valid by attempting to authenticate the user with the non-volatile memory using that authorization information.
[0024] Responsive to the authentication being validated, the data recovery policy instructions 121, when executed by processor 110, may determine the data recovery policy with a set of characteristics that includes the authorization information validated by the authentication. In some examples, the set of characteristics may include merely that the request is authorized, and the data recovery policy instructions 121, when executed by processor 110, may determine the data recovery policy based on the request being authorized and based on other characteristics in the set of characteristics of the data recovery policy. In some examples, the set of characteristics may include the specific authorization information that was validated, and the data recovery policy instructions 121, when executed by processor 110, may determine the data recovery policy based on that authorization information and/or other characteristics associated with the data recovery policy.
[0025] Responsive to the authentication not being validated, the data recovery policy instructions 121, when executed by processor 110, may determine a data recovery policy with a set of characteristics that includes the authorization information not being validated. In some examples, the set of characteristics may include that the request is not authorized, and in other examples, the set of characteristics may include the specific authorization information that was not validated.
[0026] Responsive to no authorization information being present, the data recovery policy instructions 121, when executed by processor 110, may determine a data recovery policy with a set of characteristics that does not include authorization information.
[0027] In another example, the data recovery policy instructions 121, when executed by processor 110, may determine a data recovery policy based on access characteristics. For example, the data recovery policy instructions 121, when executed by processor 110, may determine a data recovery policy based on access patterns of data in the non-volatile memory. The data recovery policy instructions 121, when executed by processor 110, may consider historical access frequencies of data, the importance of the data being accessed, and/or other information related to data access over a predetermined time period. The data recovery policy instructions 121, when executed by processor 110, may compare the access characteristics and/or a determined access pattern of data with the sets of characteristics of the respective data recovery policies to determine the best matching data recovery policy.
[0028] In some examples, the data recovery policy instructions 121, when executed by processor 110, may determine that a new access pattern for a set of data stored in the non-volatile memory has occurred based on analysis of historical accesses to the set of data. For example, the system 100 may use machine learning to determine that the new access pattern is occurring. In some of these examples, the data recovery policy instructions 121, when executed by processor 110, may request an administrator of the system to create a custom data recovery policy with a set of characteristics that includes the new access pattern. In some of these examples, the data recovery policy instructions 121, when executed by processor 110, may create a new data recovery policy based on the new access pattern and an importance of the data in the set of data being accessed.
[0029] In some examples, the data recovery policy instructions 121, when executed by processor 110, may allow a user to revise a policy, add a custom policy, remove a policy from the set of available data recovery policies, and/or otherwise change the policies available for data recovery. In these examples, each policy in the set of available data recovery policies may also comprise an indication of whether the policy is a custom policy, a user that provided the policy, a set of users that may revise the policy, a date and time of last revision, and/or other information related to customizing the policy.
[0030] In some examples, the set of data recovery policies may also comprise priority information. The set of data recovery policies may be stored in a hierarchical manner based on the priority information, such that a first set of policies with a first priority is considered first by the data recovery policy instructions 121, when executed by processor 110. Responsive to a policy of the first priority having a set of characteristics that is met by the information associated with the request, the data recovery policy instructions 121, when executed by processor 110, may select that data recovery policy as the determined data recovery policy. Responsive to no policy of the first priority having a set of characteristics that is met by the information associated with the request, the data recovery policy instructions 121, when executed by processor 110, may continue to compare policies in each subsequent priority tier until a match is found.
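As an added illustration of paragraphs [0020] to [0030] (example code written for this page, not code from the patent or from Hewlett Packard Enterprise), the following Python models a policy set matched in priority tiers. The request is reduced to the match keys the patent names (authorization status, memory region, whether the data is encrypted); "authenticating the user with the non-volatile memory" is stood in for by an HMAC check against a constructed token store, and "best match" inside a tier is read as the policy whose stated characteristics all hold and which states the most of them. The token format, the `authorized`/`region`/`encrypted` keys, and the policy names are assumptions, not identifiers from the patent.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the authorization component of the memory controller:
# one HMAC key per issued token id. Hypothetical data, not from the patent.
_TOKEN_KEYS = {"tok-recovery-ops": b"constructed-secret-key"}


def issue_token(token_id: str) -> str:
    """Provisioning side: build a token of the form '<id>:<hex mac>' for a known id."""
    mac = hmac.new(_TOKEN_KEYS[token_id], token_id.encode(), hashlib.sha256).hexdigest()
    return f"{token_id}:{mac}"


def validate_token(token: Optional[str]) -> Optional[bool]:
    """None -> no authorization information present ([0026]);
    True / False -> authorization information validated or not ([0024] / [0025])."""
    if token is None:
        return None
    token_id, sep, mac_hex = token.partition(":")
    key = _TOKEN_KEYS.get(token_id)
    if not sep or key is None:
        return False
    expected = hmac.new(key, token_id.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac_hex)   # constant-time comparison


@dataclass
class RecoveryPolicy:
    policy_id: str
    priority: int                 # tier; lower values are consulted first ([0030])
    characteristics: dict         # every entry must hold for the request
    trajectories: list = field(default_factory=list)   # trajectory names, resolved separately


def request_characteristics(request: dict) -> dict:
    """Reduce a recovery request to the keys policies are matched on."""
    return {
        "authorized": validate_token(request.get("access_token")),   # None / True / False
        "region": request.get("region"),
        "encrypted": bool(request.get("encrypted", False)),
    }


def select_policy(policies, request) -> Optional[RecoveryPolicy]:
    """Walk the priority tiers; within a tier the policy whose characteristics all
    hold and which states the most of them wins (one reading of 'best match')."""
    chars = request_characteristics(request)
    for prio in sorted({p.priority for p in policies}):
        best, best_n = None, -1
        for p in (q for q in policies if q.priority == prio):
            if all(k in chars and chars[k] == v for k, v in p.characteristics.items()):
                if len(p.characteristics) > best_n:
                    best, best_n = p, len(p.characteristics)
        if best is not None:
            return best
    return None


# Constructed policy set, tiered as described in [0030]; names are assumptions.
POLICIES = [
    RecoveryPolicy("authorized-normal", 0, {"authorized": True}, ["constant-normal"]),
    RecoveryPolicy("failed-auth-throttled", 1, {"authorized": False}, ["constant-delayed"]),
    RecoveryPolicy("unauth-encrypted-backup", 1,
                   {"authorized": None, "region": "backup", "encrypted": True},
                   ["decelerating"]),
    RecoveryPolicy("fallback", 2, {}, ["content-dependent"]),
]

if __name__ == "__main__":
    for req in [
        {"access_token": issue_token("tok-recovery-ops"), "region": "backup", "encrypted": True},
        {"access_token": "tok-recovery-ops:deadbeef", "region": "backup"},
        {"region": "backup", "encrypted": True},
        {"region": "scratch"},
    ]:
        print(req.get("region"), "->", select_policy(POLICIES, req).policy_id)
```

A forged or stale token lands in the "not validated" tier rather than the "no authorization information" tier, which matches the distinction the patent draws between [0025] and [0026]; a deployment would replace the static HMAC check with whatever the memory's authorization component (for example a TPM) actually verifies.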
[0031] The data recovery trajectory instructions 122, when executed by processor 110, may determine a data recovery trajectory associated with the determined data recovery policy, wherein the data recovery trajectory comprises rate control information. As mentioned above, each data recovery policy may comprise information related to a set of data recovery trajectories. In some examples, the set of data recovery trajectories may comprise a single data recovery trajectory associated with the data recovery policy. In some examples, the set of data recovery trajectories may comprise multiple data recovery trajectories. In some of these examples, the data recovery trajectory instructions 122, when executed by processor 110, may select the data recovery trajectory from the set based on which trajectory was most recently associated with the data recovery policy, based on a random determination, based on a round-robin selection, and/or in another manner. In some of these examples, each data recovery trajectory in the set may be associated with a subset of the set of characteristics, a set of access characteristics, a priority indicator, and/or other information. The data recovery trajectory instructions 122, when executed by processor 110, may determine the data recovery trajectory based on which subset of the set of characteristics was best matched by information from the request, based on which set of access characteristics was best matched, based on the priority indicator, and/or based on other information associated with the data recovery trajectories.
[0032] In some examples, the data recovery trajectory may be one of a set of types of data recovery trajectories. The types may comprise a constant trajectory, a decelerating trajectory, a content-dependent trajectory, and/or another trajectory.
[0033] A data recovery trajectory of the constant type facilitates data recovery where every access to the non-volatile memory made to recover the requested data is normal, is at a constant high-speed rate, is delayed by a constant time interval or by a random time interval with a constant mean, and/or is otherwise affected in a constant manner. The rate control information for the constant trajectory type may indicate whether the read rate is normal, increased, or delayed, and may include a constant that indicates either the fixed time interval or the mean time interval by which the rate is changed.
[0034] A data recovery trajectory of the decelerating type facilitates data recovery where access to the non-volatile memory is increasingly affected based on the amount of data already accessed. For example, as more data is recovered for a request, the rate at which further data is accessed may slow. The rate control information for the decelerating trajectory type may indicate whether the read rate is normal, increased, or delayed, and may include a number or function that indicates how much the rate changes as recovery proceeds.
[0035] A data recovery trajectory of the content-dependent type facilitates data recovery where access to the non-volatile memory is affected based on characteristics of the data being accessed. The access pattern for a content-dependent trajectory may be customized to those characteristics. For example, data with high entropy may be accessed quickly, since high entropy may indicate that the data has been stored in encrypted form, is being encrypted, or is otherwise obfuscated, whereas low-entropy (likely plaintext) regions may be read more slowly. The rate control information for the content-dependent trajectory type may indicate whether the read rate is normal, increased, or delayed, and may include information that indicates what the rate should be and whether the rate changes over the course of recovering the data.
[0036] The data recovery instructions 123, when executed by processor 110, may recover the data from the memory based on the rate control information of the determined data recovery trajectory. For example, the data recovery instructions 123, when executed by processor 110, may recover the data using a read rate derived from the rate control information of the determined data recovery trajectory. The data recovery instructions 123, when executed by processor 110, may also store the recovered data in another non-volatile memory, return it to the requesting client, and/or otherwise make the recovered data available.
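The three trajectory types of [0032] to [0035] and the rate-controlled read of [0036], as an added Python example (written for this page; not code from the patent or from Hewlett Packard Enterprise). The read granularity, the specific delay formulas (a fixed or exponentially distributed pause for the constant type, a pause that grows linearly with the bytes already recovered for the decelerating type, a Shannon-entropy threshold for the content-dependent type) and the sample memory contents are assumptions chosen to make the behaviour concrete; the patent leaves them open. The `recover` function returns the per-chunk delays it applied so the rate actually enforced can be audited, and accepts an injectable `sleep` so the schedule can be computed without waiting.

```python
import math
import random
import time
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Tuple

CHUNK = 256  # bytes returned per access; constructed granularity, not from the patent


@dataclass
class Trajectory:
    """Rate control information for one of the trajectory types in [0032]-[0035]."""
    kind: str                  # "constant" | "decelerating" | "content_dependent"
    base_delay: float = 0.0    # constant: fixed pause per chunk; decelerating: pause at start
    jitter_mean: float = 0.0   # constant: if > 0, random pause with this mean instead of base_delay
    growth: float = 0.0        # decelerating: extra seconds per KiB already recovered
    fast_entropy: float = 7.0  # content-dependent: chunks at/above this (bits/byte) are not delayed
    slow_delay: float = 0.0    # content-dependent: pause for lower-entropy (likely plaintext) chunks


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte; 8.0 when all 256 byte values occur equally often."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def chunk_delay(t: Trajectory, chunk: bytes, recovered: int, rng: random.Random) -> float:
    """Seconds to pause before releasing this chunk, given bytes recovered so far."""
    if t.kind == "constant":
        # either a fixed interval or a random interval with a constant mean ([0033])
        return rng.expovariate(1.0 / t.jitter_mean) if t.jitter_mean > 0 else t.base_delay
    if t.kind == "decelerating":
        return t.base_delay + t.growth * (recovered / 1024)          # slows as more is read ([0034])
    if t.kind == "content_dependent":
        return 0.0 if shannon_entropy(chunk) >= t.fast_entropy else t.slow_delay   # ([0035])
    raise ValueError(f"unknown trajectory type {t.kind!r}")


def recover(memory: bytes, offset: int, length: int, t: Trajectory,
            sleep: Callable[[float], None] = time.sleep, seed: int = 0) -> Tuple[bytes, List[float]]:
    """Read [offset, offset + length) chunk by chunk, pausing as the trajectory dictates.
    Returns the data and the per-chunk delays applied, so the enforced rate can be logged."""
    rng = random.Random(seed)
    out, delays, recovered = bytearray(), [], 0
    end = min(offset + length, len(memory))
    for pos in range(offset, end, CHUNK):
        chunk = memory[pos:min(pos + CHUNK, end)]
        d = chunk_delay(t, chunk, recovered, rng)
        if d > 0:
            sleep(d)
        delays.append(d)
        out += chunk
        recovered += len(chunk)
    return bytes(out), delays


def constructed_memory(seed: int = 1) -> bytes:
    """1 KiB of constructed content: two plaintext chunks, then two high-entropy chunks.
    A shuffled permutation of all 256 byte values stands in for ciphertext so the
    entropy (exactly 8.0 bits/byte) is deterministic; no real encryption is involved."""
    rng = random.Random(seed)
    plain = (b"ACCOUNT 0001 BALANCE 1000.00\n" * 10)[:CHUNK] * 2
    cipher = bytearray()
    for _ in range(2):
        values = list(range(256))
        rng.shuffle(values)
        cipher += bytes(values)
    return plain + bytes(cipher)


if __name__ == "__main__":
    mem = constructed_memory()
    for name, traj in [
        ("constant, normal rate", Trajectory("constant")),
        ("decelerating", Trajectory("decelerating", base_delay=0.1, growth=0.2)),
        ("content-dependent", Trajectory("content_dependent", slow_delay=0.5)),
    ]:
        data, delays = recover(mem, 0, len(mem), traj, sleep=lambda s: None)
        print(f"{name}: {len(data)} bytes, delays {[round(d, 3) for d in delays]}")
```

With the content-dependent trajectory the two plaintext chunks are each held back by the slow delay while the two high-entropy chunks pass at full speed, which is the "encrypted data may be accessed quickly" behaviour of [0035]; with the decelerating trajectory the pause grows with every chunk already returned. A production rate controller sitting in the read path would apply the same per-chunk decision to the memory controller's bus transfers rather than to an in-memory buffer.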
[0037] FIG. 2 is a block diagram of an example system 200 for content recovery of protected data from non-volatile memory. As with system 100, system 200 may comprise a cloud server, a mainframe, a data center, a notebook, a desktop, a tablet, a workstation, a mobile device, and/or any other device suitable for executing the functionality described below. System 200 may comprise a rate control component 210. Rate control component 210 may comprise a processor. The processor of the rate control component may be the same as or similar to the processor 110 of FIG. 1. As such, the rate control component 210 may facilitate the functionality described above with respect to FIG. 1. For example, rate control component 210 may determine a data recovery policy associated with the requested data responsive to receiving a request to recover data stored at a non-volatile memory communicably coupled to the system, determine a data recovery trajectory associated with the determined data recovery policy, recover the data from the memory based on the data recovery trajectory, and/or otherwise perform functionality similar to that described in conjunction with FIG. 1.
[0038] System 200 may also comprise an authentication component 220. The authentication component 220 may facilitate authentication and/or validate authorization of a request to recover data (as described in further detail with respect to FIG. 1). In some examples, authentication component 220 may also store and manage cryptographic keys for non-volatile memory 230 and encode and decode incoming and outgoing data for non-volatile memory 230.
[0039] System 200 may also comprise non-volatile memory 230. Non-volatile memory 230 may be the same as or similar to the non-volatile memory of FIG. 1. In some examples, non-volatile memory 230 may be communicably coupled to rate control component 210 but may be physically separate from rate control component 210. Rate control component 210 may reside in a read path of the non-volatile memory 230. In some examples, non-volatile memory 230 may be communicably coupled to authentication component 220. In some examples, authentication component 220 may be physically inseparable from non-volatile memory 230.
[0040] FIG. 3 is a block diagram of an example system 300 for content recovery of protected data from non-volatile memory. As with system 100, system 300 may comprise a cloud server, a mainframe, a notebook, a desktop, a tablet, a workstation, a mobile device, and/or any other device suitable for executing the functionality described below. As with processor 110 of FIG. 1, processor 310 may be one or more CPUs, microprocessors, and/or other hardware devices suitable for retrieval and execution of instructions. The non-transitory storage medium of FIG. 3 may be the same as or similar to the non-transitory storage medium 120 of FIG. 1.
[0041 ] As detailed below, system 300 may include a series of engines 320-340 for content recovery of protected data from non-volatile memory. Each of the engines may generally represent any combination of hardware and programming. For example, the programming for the engines may be processor executable instructions stored on a non- transitory machine-readable storage medium and the hardware for the engines may include at least one processor of the system 300 to execute those instructions. In addition or as an alternative, each engine may include one or more hardware devices including electronic circuitry for implementing the functionality described below.
[0042] System 300 may receive and process requests in a manner the same as or similar to system 100.
[0043] Data recovery policy engine 320 may determine a data recovery policy associated with the requested data. The data recovery policy engine 320 may determine the data recovery policy associated with the requested data responsive to receiving a request to recover data stored at a non-volatile memory communicably coupled to the system 300. In some examples, the data recovery policy engine 320 may determine the data recovery policy in a manner the same as or similar to that of the data recovery policy instructions 121 of system 100. Further details regarding an example implementation of data recovery policy engine 320 are provided above in connection with data recovery policy instructions 121 of FIG. 1.
[0044] Data recovery trajectory engine 330 may determine a data recovery trajectory associated with the determined data recovery policy. In some examples, the data recovery trajectory engine 330 may determine the data recovery trajectory in a manner the same as or similar to that of the data recovery trajectory instructions 122 of system 100. Further details regarding an example implementation of data recovery trajectory engine 330 are provided above in connection with data recovery trajectory instructions 122 of FIG. 1.
[0045] Data recovery engine 340 may recover the data from the memory based on the data recovery trajectory. In some examples, the data recovery engine 340 may recover the data in a manner the same as or similar to that of the data recovery instructions 123 of FIG. 1. Further details regarding an example implementation of data recovery engine 340 are provided above in connection with data recovery instructions 123 of FIG. 1.
[0046] FIG. 4 is a flowchart of an example method for execution by a computing device for content recovery of protected data from non-volatile memory.
[0047] Although execution of the methods described below are with reference to system 100 of FIG. 1 , and/or system 300 of FIG. 3, other suitable devices (e.g., system 200 of FIG. 2 and/or other devices) for execution of this method will be apparent to those of skill in the art. The method described in FIG, 4 and other figures may be implemented in the form of executable instructions stored on a machine-readable storage medium, such as storage medium 120, by one or more engines described herein, and/or in the form of electronic circuitry.
[0048] In an operation 400, responsive to receiving to data stored at a non-volatile memory, the method determines a data recovery policy associated with the requested data. For example, the system 100 (and/or the data recovery policy instructions 121 , the data recovery policy engine 320, or other resource of the system 100) may determine a data recovery policy. The system 100 may determine a data recovery policy in a manner similar or the same as that described above in relation to the execution of the data recovery policy instructions 121 , the data recovery policy engine 320, and/or other resource of the system 100.
[0049] In an operation 410, the method may determine a data recovery trajectory associated with the determined data recovery policy. In some examples, the data recovery trajectory may comprise rate control information. For example, the system 100 (and/or the data recovery trajectory instructions 121 , the data recovery trajectory engine 330, or other resource of the system 100) may determine a data recovery trajectory. The system 100 may determine a data recovery trajectory in a manner similar or the same as that described above in relation to the execution of the data recovery trajectory instructions 121 , the data recovery trajectory engine 330, and/or other resource of the system 100.
[0050] In an operation 420, the data may be recovered from the memory based on the data recovery trajectory. For example, the system 100 (and/or the data recovery instructions 122, the data recovery engine 340, or other resource of the system 100) may recover the data. The system 100 may recover the data in a manner similar to or the same as that described above in relation to the execution of the data recovery instructions 122, the data recovery engine 340, and/or other resource of the system 100.
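The three operations of FIG. 4 (and the corresponding claims: authorization-dependent policy selection, a memory-region characteristic, a custom policy added to the policy set, and a rate-controlled read) can be modelled end to end. The following is an added example, not code from the patent or from Hewlett Packard Enterprise; the policy names, the choice to model the "first policy" for unauthorized requests as a heavily throttled trajectory, and the sample memory image are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Trajectory:
    # Rate control information: bytes per read and seconds between reads (assumed fields).
    chunk_size: int
    interval_s: float

@dataclass(frozen=True)
class Policy:
    name: str
    region: Optional[range]   # memory-region characteristic; None matches any region
    trajectory: Trajectory

@dataclass(frozen=True)
class Request:
    offset: int
    length: int
    authorized: bool          # result of the authorization component (assumed to be computed elsewhere)

# Constructed sample of a 512-byte protected non-volatile memory image.
MEMORY = bytes(range(256)) * 2

# "First policy" applied to unauthorized requests: a slow, throttled read (modelling assumption).
UNAUTHORIZED_POLICY = Policy("throttled", None, Trajectory(chunk_size=16, interval_s=5.0))
# Policies for authorized requests, most specific first; region ranges are constructed.
POLICIES: List[Policy] = [
    Policy("key-material", range(0x000, 0x100), Trajectory(chunk_size=32, interval_s=1.0)),
    Policy("general", None, Trajectory(chunk_size=256, interval_s=0.0)),
]

def add_custom_policy(policies: List[Policy], policy: Policy) -> None:
    """Claim 9: add a custom policy (characteristics + trajectory) to the policy set."""
    policies.insert(0, policy)  # a custom, more specific policy takes precedence

def determine_policy(req: Request, policies: List[Policy]) -> Policy:
    """Operation 400: unauthorized -> first policy; else first policy whose region matches."""
    if not req.authorized:
        return UNAUTHORIZED_POLICY
    last = req.offset + req.length - 1
    for p in policies:
        if p.region is None or (req.offset in p.region and last in p.region):
            return p
    return UNAUTHORIZED_POLICY  # no matching characteristics: fall back to the restrictive policy

def recover(memory: bytes, req: Request, policies: List[Policy]):
    """Operations 410-420: derive the trajectory and read in rate-controlled chunks.
    Returns the recovered bytes and the scheduled start time of each read (instead of sleeping)."""
    traj = determine_policy(req, policies).trajectory
    end, out, schedule = req.offset + req.length, bytearray(), []
    for i, pos in enumerate(range(req.offset, end, traj.chunk_size)):
        schedule.append(i * traj.interval_s)
        out += memory[pos:min(pos + traj.chunk_size, end)]
    return bytes(out), schedule
```

The returned schedule makes the effect of the rate control information visible: the same 64-byte request completes in two reads under the key-material policy but in four five-second steps when unauthorized.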
[0051] The foregoing disclosure describes a number of example embodiments for content recovery of protected data from non-volatile memory. The disclosed examples may include systems, devices, computer-readable storage media, and methods for content recovery of protected data from non-volatile memory. For purposes of explanation, certain examples are described with reference to the components illustrated in FIGS. 1-4. The functionality of the illustrated components may overlap, however, and may be present in a fewer or greater number of elements and components. Further, all or part of the functionality of illustrated elements may co-exist or be distributed among several geographically dispersed locations. Moreover, the disclosed examples may be implemented in various environments and are not limited to the illustrated examples.
[0052] Further, the sequence of operations described in connection with FIGS. 1-4 is an example and is not intended to be limiting. Additional or fewer operations or combinations of operations may be used or may vary without departing from the scope of the disclosed examples. Furthermore, implementations consistent with the disclosed examples need not perform the sequence of operations in any particular order. Thus, the present disclosure merely sets forth possible examples of implementations, and many variations and modifications may be made to the described examples. All such modifications and variations are intended to be included within the scope of this disclosure and protected by the following claims.

Claims

We claim:
1. A system for content recovery of protected data from non-volatile memory, the system comprising:
a physical processor implementing machine readable instructions stored on a non-transitory machine-readable storage medium that cause the system to:
responsive to receiving a request to recover data stored at a non-volatile memory communicably coupled to the system, determine, from a set of data recovery policies, a data recovery policy associated with the requested data; determine a data recovery trajectory associated with the determined data recovery policy; and
recover the data from the memory based on the data recovery trajectory.
2. The system of claim 1, wherein the data recovery trajectory comprises rate control information,
wherein the system further comprises:
a rate control component, the rate control component comprising the physical processor, and
wherein the physical processor implements machine readable instructions that cause the system to recover the data based on the data recovery trajectory by:
recovering the data using a read rate based on the rate control information.
3. The system of claim 1, further comprising:
an authorization component, wherein the authorization component implements machine readable instructions that cause the system to:
determine whether the request is authorized, and
wherein the physical processor implements machine readable instructions that cause the system to:
determine the data recovery policy based on whether the request is authorized.
4. The system of claim 3, wherein the physical processor implements machine readable instructions that cause the system to:
responsive to determining that the request is not authorized, determine the data recovery policy as a first policy and determine the data recovery trajectory as a first trajectory.
5. The system of claim 3, wherein the physical processor implements machine readable instructions that cause the system to:
responsive to determining that the request is authorized, determine the data recovery policy as a second policy based on the request being authorized and information associated with the request matching a set of characteristics of the data recovery policy.
6. The system of claim 3, wherein the physical processor implements machine readable instructions that cause the system to:
responsive to determining that the request is authorized, determine the data recovery policy as a second policy based on authorization information associated with the request.
7. The system of claim 1, wherein the physical processor implements machine readable instructions that cause the system to:
determine the data recovery policy based on information associated with the request matching a set of characteristics of the data recovery policy, wherein the set of characteristics comprises a memory region comprising the data to be recovered.
8. The system of claim 1, wherein the physical processor implements machine readable instructions that cause the system to:
determine the data recovery policy based on a set of access characteristics.
9. The system of claim 1, wherein the physical processor implements machine readable instructions that cause the system to:
receive information for a custom data recovery policy to be used by the system, the information comprising a set of characteristics of data and an associated data recovery trajectory associated with the custom data recovery policy; and
add the custom data recovery policy to the set of data recovery policies.
10. A method for content recovery of protected data from non-volatile memory, the method being implemented by a physical processor implementing computer readable instructions, the method comprising:
responsive to receiving a request to recover data stored at a non-volatile memory communicably coupled to the processor, determining, from a set of data recovery policies, a data recovery policy associated with the requested data;
determining a data recovery trajectory associated with the determined data recovery policy, wherein the data recovery trajectory comprises rate control information; and
recovering the data from the memory based on the data recovery trajectory.
11. The method of claim 10, wherein recovering the data comprises:
recovering the data using a read rate based on the rate control information of the data recovery trajectory.
12. The method of claim 10, wherein determining the data recovery policy comprises:
determining whether the request is authorized.
13. The method of claim 10, further comprising:
determining the data recovery policy based on information associated with the request matching a set of characteristics of the data recovery policy, wherein the set of characteristics comprises a memory region of data to be read.
14. The method of claim 13, further comprising:
determining the data recovery policy based on a set of access characteristics.
15. A non-transitory machine-readable storage medium comprising instructions for content recovery of protected data from non-volatile memory, the instructions executable by a physical processor of a system to:
responsive to receiving a request to recover data stored at a non-volatile memory communicably coupled to the system, determine, from a set of data recovery policies, a data recovery policy associated with the requested data;
determine a data recovery trajectory associated with the determined data recovery policy, wherein the data recovery trajectory comprises rate control information; and
recover the data from the memory based on the rate control information of the determined data recovery trajectory.
Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2016/015266 WO2017131684A1 (en) 2016-01-28 2016-01-28 Content recovery of protected data from non-volatile memory

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2016/015266 WO2017131684A1 (en) 2016-01-28 2016-01-28 Content recovery of protected data from non-volatile memory

Publications (1)

Publication Number Publication Date
WO2017131684A1 true WO2017131684A1 (en) 2017-08-03

Family

ID=59398655

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2016/015266 WO2017131684A1 (en) 2016-01-28 2016-01-28 Content recovery of protected data from non-volatile memory

Country Status (1)

Country Link
WO (1) WO2017131684A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117056128A (en) * 2023-08-30 2023-11-14 上海合芯数字科技有限公司 Data recovery method, data recovery system, storage medium and electronic device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040215997A1 (en) * 2003-04-24 2004-10-28 International Business Machines Corporation Apparatus and method for process recovery in an embedded processor system
US20090276623A1 (en) * 2005-07-14 2009-11-05 David Jevans Enterprise Device Recovery
US20090313626A1 (en) * 2008-06-17 2009-12-17 International Business Machines Corporation Estimating Recovery Times for Data Assets
WO2013033272A1 (en) * 2011-09-02 2013-03-07 Microsoft Corporation Efficient application-aware disaster recovery
US20140215265A1 (en) * 2013-01-29 2014-07-31 Hewlett-Packard Development Company, L.P. Data backup and recovery

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16888415; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16888415; Country of ref document: EP; Kind code of ref document: A1)