公开(公告)号：US10855725B2

公开(公告)日：2020-12-01

申请号：US15171917

申请日：2016-06-02

Applicant: Microsoft Technology Licensing, LLC

Inventor： Navin Narayan Pai ,  Charles G. Jeffries ,  Giridhar Viswanathan ,  Benjamin M. Schultz ,  Frederick J. Smith ,  Lars Reuther ,  Michael B. Ebersol ,  Gerardo Diaz Cuellar ,  Ivan Dimitrov Pashov ,  Poornananda R. Gaddehosur ,  Hari R. Pulapaka ,  Vikram Mangalore Rao

IPC: H04L29/06 ,  G06F21/53 ,  H04L12/46 ,  H04L29/08

Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.

公开(公告)号：US10666655B2

公开(公告)日：2020-05-26

申请号：US15818481

申请日：2017-11-20

Applicant: Microsoft Technology Licensing, LLC

Inventor： Gerardo Diaz Cuellar ,  Navin Narayan Pai ,  Ivan Dimitrov Pashov ,  Giridhar Viswanathan ,  Benjamin M. Schultz ,  Hari R. Pulapaka

IPC: H04L29/06 ,  G06F21/31

Abstract: Providing access control by a first operating system. A method includes receiving at the first operating system, from the second operating system, a request for a bounding reference to a set having at least one resource. A bounding reference for the set is obtained. The bounding reference comprises a reference created from a first operating system resolvable reference to the set. The method further includes providing the obtained bounding reference for the obtained provided bounding reference to the second operating system. A request, including the obtained bounding reference and an identifier identifying the second operating system for the set, is received from the second operating system. The obtained bounding reference and the identifier identifying the second operating system are evaluated. As a result of evaluating the obtained bounding reference and the identifier identifying the second operating system, a resource control action is performed.

公开(公告)号：US10438019B2

公开(公告)日：2019-10-08

申请号：US15640164

申请日：2017-06-30

Applicant: Microsoft Technology Licensing, LLC

Inventor： Giridhar Viswanathan ,  Gerardo Diaz Cuellar ,  Hari R. Pulapaka ,  Ivan Dimitrov Pashov ,  Navin Narayan Pai ,  Benjamin M. Schultz

IPC: G06F21/00 ,  G06F21/62 ,  G06F21/31 ,  G06F21/74 ,  G06F9/455 ,  G06F9/50

Abstract: A second operating system accessing resources from an external service. A method includes sending an anonymized request, for an anonymized user corresponding to an authorized user, for resources, through a broker. A request for proof indicating that the anonymized user is authorized to obtain the resources is received from the broker. As a result, a request is send to a first operating system for the proof that the anonymized user is authorized to obtain the resources. Proof is received from the first operating system, based on the anonymized user being associated with the authorized user, that the anonymized user is authorized to obtain the resources. The proof is provided to the broker. As a result, the resources are obtained by the second operating system from the service.

公开(公告)号：US20170353496A1

公开(公告)日：2017-12-07

申请号：US15171917

申请日：2016-06-02

Applicant: Microsoft Technology Licensing, LLC

Inventor： Navin Narayan Pai ,  Charles G. Jeffries ,  Giridhar Viswanathan ,  Benjamin M. Schultz ,  Frederick J. Smith ,  Lars Reuther ,  Michael B. Ebersol ,  Gerardo Diaz Cuellar ,  Ivan Dimitrov Pashov ,  Poornananda R. Gaddehosur ,  Hari R. Pulapaka ,  Vikram Mangalore Rao

IPC: H04L29/06 ,  H04L12/46 ,  H04L29/08

CPC classification number: H04L63/20 ,  G06F21/53 ,  H04L12/4641 ,  H04L63/08 ,  H04L63/10 ,  H04L63/1416 ,  H04L63/1433 ,  H04L63/1441 ,  H04L67/02

Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.