-
公开(公告)号:US10803175B2
公开(公告)日:2020-10-13
申请号:US14641184
申请日:2015-03-06
Applicant: Microsoft Technology Licensing, LLC
Inventor: Janani Vasudevan , Peter David Waxman , Kinshuman Kinshumann , Justin A. Hou , Peter J. Kaufman , Yuhang Zhu , Giridhar Viswanathan , Scott R. Shell
Abstract: A device boots in a secure manner that allows measurements reflecting which components are loaded during booting to be generated. Measurements of such components, as well as of a device management agent and the security state of the device, are also obtained. The device management agent accesses an attestation service for an enterprise, which is a collection of resources managed by a management service. The device management agent provides the obtained measurements to the attestation service, which evaluates the measurements and based on the evaluation determines whether the device is verified for use in the enterprise. The management service uses this verification to ensure that the device management agent is running in a secure manner, is accurately providing indications of the state of the device to the management service, and is implementing policy received from the management service.
-
公开(公告)号:US20190392117A1
公开(公告)日:2019-12-26
申请号:US16013816
申请日:2018-06-20
Applicant: Microsoft Technology Licensing, LLC
Inventor: Giridhar Viswanathan , Sudeep Kumar Ghosh , Ankit Srivastava , Michael Trevor Pashniak , Benjamin M. Schultz , Balaji Balasubramanyan , Hari R. Pulapaka , Tushar Suresh Sugandhi , Matthew David Kurjanowicz , Ahmed Saruhan Karademir
Abstract: Techniques for secure sharing of data in computing systems are disclosed herein. In one embodiment, a method includes when exchanging data between the host operating system and the guest operating system, encrypting, at a trusted platform module (TPM) of the host, data to be exchanged with a first key to generate encrypted data. The method also includes transmitting the encrypted data from the host operating system to the guest operating system and decrypting, at the guest operating system, the transmitted encrypted data using a second key previously exchanged between the TPM of the host and a virtual TPM of the guest operating system.
-
公开(公告)号:US20190280883A1
公开(公告)日:2019-09-12
申请号:US16351877
申请日:2019-03-13
Applicant: Microsoft Technology Licensing, LLC
Inventor: Christopher Edward Fenner , Peter David Waxman , Gabriel Fortunato Stocco , Kam Kouladjie , Cristian Stefan Salvan , Prabu Raju , Himanshu Soni , Giridhar Viswanathan
Abstract: The present invention provides for streamlined issuance of certificates and other tokens that are contingent on key attestation of keys from a trusted platform module within a computing platform. Various methods are described for wrapping the requested token in a secret, such as an AES key, that is encrypted to a TPM based key in a key challenge. If the requesting platform fails the key challenge, the encrypted certificate or token cannot be decrypted. If requesting platform passes the challenge, the encrypted certificate or token can be decrypted using the AES key recovered from the key challenge.
-
公开(公告)号:US20190180003A1
公开(公告)日:2019-06-13
申请号:US16015064
申请日:2018-06-21
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Benjamin M. Schultz , Balaji Balasubramanyan , Giridhar Viswanathan , Ankit Srivastava , Margarit Simeonov Chenchev , Hari R. Pulapaka , Nived Kalappuraikal Sivadas , Raphael Gianotti Serrano dos Santo , Narasimhan Ramasubramanian , Frederick Justus Smith , Matthew David Kurjanowicz , Prakhar Srivastava , Jonathan Schwartz
Abstract: Securely performing file operations. A method includes determining a licensing characteristic assigned to a file. When the licensing characteristic assigned to the file meets or exceeds a predetermined licensing condition, then the method includes performing a file operation on the file in a host operating system while preventing the file operation from being performed in the guest operating system. When the licensing characteristic assigned to the file does not meet or exceed the predetermined licensing condition, then the method includes performing the file operation on the file in the guest operating system while preventing the file operation from being performed directly in the host operating system.
-
公开(公告)号:US20160259941A1
公开(公告)日:2016-09-08
申请号:US14641184
申请日:2015-03-06
Applicant: Microsoft Technology Licensing, LLC
Inventor: Janani Vasudevan , Peter David Waxman , Kinshuman Kinshumann , Justin A. Hou , Peter J. Kaufman , Yuhang Zhu , Giridhar Viswanathan , Scott R. Shell
Abstract: A device boots in a secure manner that allows measurements reflecting which components are loaded during booting to be generated. Measurements of such components, as well as of a device management agent and the security state of the device, are also obtained. The device management agent accesses an attestation service for an enterprise, which is a collection of resources managed by a management service. The device management agent provides the obtained measurements to the attestation service, which evaluates the measurements and based on the evaluation determines whether the device is verified for use in the enterprise. The management service uses this verification to ensure that the device management agent is running in a secure manner, is accurately providing indications of the state of the device to the management service, and is implementing policy received from the management service.
Abstract translation: 设备以安全的方式引导,允许测量反映在引导期间加载哪些组件以生成。 还获得了这些组件以及设备管理代理的测量以及设备的安全状态。 设备管理代理访问企业的认证服务,企业是管理服务管理的资源集合。 设备管理代理将获得的测量结果提供给认证服务,其对评估进行评估,并且基于评估来确定设备是否被验证用于企业中。 管理服务使用该验证来确保设备管理代理以安全的方式运行,准确地向管理服务提供设备状态的指示,并且正在执行从管理服务接收到的策略。
-
Patent Agency Ranking
公开(公告)号:US11256785B2
公开(公告)日:2022-02-22
申请号:US16565271
申请日:2019-09-09
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Maxwell Christopher Renke , Taylor James Stark , Benjamin M. Schultz , Giridhar Viswanathan , Frederick Justus Smith , Deepu Chandy Thomas , Hari R. Pulapaka , Amber Tianqi Guo
Abstract: Memory is partitioned and isolated in container-based memory enclaves. The container-based memory enclaves have attestable security guarantees. During provisioning of the container-based memory enclaves from a container image, a purported link in the container to a memory address of the enclave is modified to verifiably link to an actual memory address of the host, such as partitioned memory enclave. In some instances, enclave attestation reports can be validated without transmitting corresponding attestation requests to remote attestation services, based on previous attestation of one or more previous container attestation reports from a similar container and without requiring end-to-end attestation between the container and remote attestation service for each new attestation request.
-
公开(公告)号:US11100243B2
公开(公告)日:2021-08-24
申请号:US15871635
申请日:2018-01-15
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Margarit Simeonov Chenchev , Benjamin M. Schultz , Giridhar Viswanathan , Balaji Balasubramanyan , Yanan Zhang , Frederick Justus Smith , Hari R. Pulapaka , David Weston
Abstract: Technologies are described for selective persistence of data utilized by software containers. A configuration policy is defined that includes data that specifies one or more data stores for which data is not to be persisted following accesses to a software container and one or more data stores for which data is to be persisted following accesses to the software container. When the software container is first accessed, the data stores identified in the configuration policy are attached to the software container. Upon a subsequent access to the container, such as at the conclusion of a user session or upon destruction of the container, the data in the attached data stores is persisted or deleted based upon the configuration policy. When the software container is once again accessed, the data store containing the persisted data can be re-attached to the software container.
-
公开(公告)号:US10438019B2
公开(公告)日:2019-10-08
申请号:US15640164
申请日:2017-06-30
Applicant: Microsoft Technology Licensing, LLC
Inventor: Giridhar Viswanathan , Gerardo Diaz Cuellar , Hari R. Pulapaka , Ivan Dimitrov Pashov , Navin Narayan Pai , Benjamin M. Schultz
Abstract: A second operating system accessing resources from an external service. A method includes sending an anonymized request, for an anonymized user corresponding to an authorized user, for resources, through a broker. A request for proof indicating that the anonymized user is authorized to obtain the resources is received from the broker. As a result, a request is send to a first operating system for the proof that the anonymized user is authorized to obtain the resources. Proof is received from the first operating system, based on the anonymized user being associated with the authorized user, that the anonymized user is authorized to obtain the resources. The proof is provided to the broker. As a result, the resources are obtained by the second operating system from the service.
-
公开(公告)号:US10375111B2
公开(公告)日:2019-08-06
申请号:US15430301
申请日:2017-02-10
Applicant: Microsoft Technology Licensing, LLC
Inventor: Benjamin M. Schultz , Frederick Justus Smith , Daniel Vasquez Lopez , Abhinav Mishra , Ian James McCarty , John A. Starks , Joshua David Ebersol , Ankit Srivastava , Hari R. Pulapaka , Mehmet Iyigun , Stephen E. Bensley , Giridhar Viswanathan
Abstract: Anonymous containers are discussed herein. An operating system running on a computing device, also referred to herein as a host operating system running on a host device, prevents an application from accessing personal information (e.g., user information or corporate information) by activating an anonymous container that is isolated from the host operating system. In order to create and activate the anonymous container, a container manager anonymizes the configuration and settings data of the host operating system, and injects the anonymous configuration and settings data into the anonymous container. Such anonymous configuration and settings data may include, by way of example and not limitation, application data, machine configuration data, and user settings data. The host operating system then allows the application to run in the anonymous container.
-
公开(公告)号:US20180314846A1
公开(公告)日:2018-11-01
申请号:US15582741
申请日:2017-04-30
Applicant: Microsoft Technology Licensing, LLC
Inventor: Benjamin M. Schultz , KINSHUMANN , David John Linsley , CHARLES GLENN JEFFRIES , Giridhar Viswanathan , Scott Daniel Anderson , Frederick J. Smith , Hari R. Pulapaka , JianMing Zhou , Margarit Simeonov Chenchev , David B. Probert
CPC classification number: G06F9/45558 , G06F9/44505 , G06F21/6218 , G06F2009/45587 , G06F2009/45591
Abstract: Facilities are provided to secure guest runtime environments (GREs). Security policy specifications may be associated with GREs. A GRE's security policy may be specific to the GRE and may also include security policy inherited from higher levels such as a host operating environment. The security policy of a GRE specifies restrictions and/or permissions for activities that may be performed within the scope of execution of the GRE. A GRE's security policy may limit what the GRE's guest software may do within the GRE. Restrictions/permissions may be applied to objects such as files, configuration data, and the like. Security specifications may be applied to execution initiated within a GRE. A GRE's security specification may restrict/permit executable objects from loading and executing within the GRE. The executability or accessibility of objects may be conditioned on factors such as the health/integrity of the GRE, the host system, requested files, and others.
-
-
-
-
-
-
-
-
-
Search Results
27
records
(took 0.019 seconds)
