-
Publication number: US20180139238A1
Publication date: 2018-05-17
Application number: US15430301
Application date: 2017-02-10
Applicant: Microsoft Technology Licensing, LLC
Inventor: Benjamin M. Schultz, Frederick Justus Smith, Daniel Vasquez Lopez, Abhinav Mishra, Ian James McCarty, John A. Starks, Joshua David Ebersol, Ankit Srivastava, Hari R. Pulapaka, Mehmet Iyigun, Stephen E. Bensley, Giridhar Viswanathan
CPC classification number: H04L63/1491, G06F9/45558, G06F21/53, G06F21/6254, G06F2009/45587, H04L63/0272, H04L63/0421
Abstract: Anonymous containers are discussed herein. An operating system running on a computing device, also referred to herein as a host operating system running on a host device, prevents an application from accessing personal information (e.g., user information or corporate information) by activating an anonymous container that is isolated from the host operating system. In order to create and activate the anonymous container, a container manager anonymizes the configuration and settings data of the host operating system, and injects the anonymous configuration and settings data into the anonymous container. Such anonymous configuration and settings data may include, by way of example and not limitation, application data, machine configuration data, and user settings data. The host operating system then allows the application to run in the anonymous container.
-
Publication number: US12158980B2
Publication date: 2024-12-03
Application number: US17459445
Application date: 2021-08-27
Applicant: Microsoft Technology Licensing, LLC
Inventor: Ronald Aigner, Giridhar Viswanathan, Lars Reuther, Alvin Morales Caro, David Kimler Altobelli, Dan Ma
Abstract: Distributed security key management for protecting roaming data via a trusted platform module is performed by systems that include first and second processors, and first and second respective hardware security modules. The first security module encrypts a security key using a public key from the second security module, and the encrypted security key is provided to the second security module. A virtual machine (VM) executed by the first processor has a first virtual security module instance having state data that includes a storage key encrypting VM virtual disk data and that is encrypted with the security key. When a transfer condition is determined, the VM is transferred and executed by the second processor, using a second virtual security module instance, based on decrypting the security key by the second security module using a private key and decrypting the state data for the second virtual security module using the security key.
-
Publication number: US11074323B2
Publication date: 2021-07-27
Application number: US16015064
Application date: 2018-06-21
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Benjamin M. Schultz, Balaji Balasubramanyan, Giridhar Viswanathan, Ankit Srivastava, Margarit Simeonov Chenchev, Hari R. Pulapaka, Nived Kalappuraikal Sivadas, Raphael Gianotti Serrano dos Santo, Narasimhan Ramasubramanian, Frederick Justus Smith, Matthew David Kurjanowicz, Prakhar Srivastava, Jonathan Schwartz
Abstract: Securely performing file operations. A method includes determining a licensing characteristic assigned to a file. When the licensing characteristic assigned to the file meets or exceeds a predetermined licensing condition, then the method includes performing a file operation on the file in a host operating system while preventing the file operation from being performed in the guest operating system. When the licensing characteristic assigned to the file does not meet or exceed the predetermined licensing condition, then the method includes performing the file operation on the file in the guest operating system while preventing the file operation from being performed directly in the host operating system.
-
Publication number: US20210011984A1
Publication date: 2021-01-14
Application number: US16565271
Application date: 2019-09-09
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: Maxwell Christopher Renke, Taylor James Stark, Benjamin M. Schultz, Giridhar Viswanathan, Frederick Justus Smith, Deepu Chandy Thomas, Hari R. Pulapaka, Amber Tianqi Guo
Abstract: Memory is partitioned and isolated in container-based memory enclaves. The container-based memory enclaves have attestable security guarantees. During provisioning of the container-based memory enclaves from a container image, a purported link in the container to a memory address of the enclave is modified to verifiably link to an actual memory address of the host, such as partitioned memory enclave. In some instances, enclave attestation reports can be validated without transmitting corresponding attestation requests to remote attestation services, based on previous attestation of one or more previous container attestation reports from a similar container and without requiring end-to-end attestation between the container and remote attestation service for each new attestation request.
-
Publication number: US10795974B2
Publication date: 2020-10-06
Application number: US15994928
Application date: 2018-05-31
Applicant: Microsoft Technology Licensing, LLC
Inventor: Ahmed Saruhan Karademir, Sudeep Kumar Ghosh, Ankit Srivastava, Michael Trevor Pashniak, Benjamin M. Schultz, Balaji Balasubramanyan, Hari R. Pulapaka, Tushar Suresh Sugandhi, Matthew David Kurjanowicz, Giridhar Viswanathan
Abstract: Techniques for memory assignment for guest operating systems are disclosed herein. In one embodiment, a method includes generating a license blob containing data representing a product key copied from a record of license information in the host storage upon receiving a user request to launch an application in the guest operating system. The method also includes storing the generated license blob in a random memory location accessible by the guest operating system. The guest operating system can then query the license blob for permission to launch the application and launching the application in the guest operating system without having a separate product key for the guest operating system.
-
Publication number: US10650157B2
Publication date: 2020-05-12
Application number: US15582741
Application date: 2017-04-30
Applicant: Microsoft Technology Licensing, LLC
Inventor: Benjamin M. Schultz, Kinshumann, David John Linsley, Charles Glenn Jeffries, Giridhar Viswanathan, Scott Daniel Anderson, Frederick J. Smith, Hari R. Pulapaka, JianMing Zhou, Margarit Simeonov Chenchev, David B. Probert
Abstract: Facilities are provided to secure guest runtime environments (GREs). Security policy specifications may be associated with GREs. A GRE's security policy may be specific to the GRE and may also include security policy inherited from higher levels such as a host operating environment. The security policy of a GRE specifies restrictions and/or permissions for activities that may be performed within the scope of execution of the GRE. A GRE's security policy may limit what the GRE's guest software may do within the GRE. Restrictions/permissions may be applied to objects such as files, configuration data, and the like. Security specifications may be applied to execution initiated within a GRE. A GRE's security specification may restrict/permit executable objects from loading and executing within the GRE. The executability or accessibility of objects may be conditioned on factors such as the health/integrity of the GRE, the host system, requested files, and others.
-
Publication number: US20170353496A1
Publication date: 2017-12-07
Application number: US15171917
Application date: 2016-06-02
Applicant: Microsoft Technology Licensing, LLC
Inventor: Navin Narayan Pai, Charles G. Jeffries, Giridhar Viswanathan, Benjamin M. Schultz, Frederick J. Smith, Lars Reuther, Michael B. Ebersol, Gerardo Diaz Cuellar, Ivan Dimitrov Pashov, Poornananda R. Gaddehosur, Hari R. Pulapaka, Vikram Mangalore Rao
CPC classification number: H04L63/20, G06F21/53, H04L12/4641, H04L63/08, H04L63/10, H04L63/1416, H04L63/1433, H04L63/1441, H04L67/02
Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.