-
Publication number: WO2017100083A1
Publication date: 2017-06-15
Application number: PCT/US2016/064509
Filing date: 2016-12-02
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: SCHULTZ, Benjamin M. , ARNEJA, Aman
CPC classification number: H04L63/0272 , H04L9/3215 , H04L63/029 , H04L63/04 , H04L63/0414 , H04L63/0428 , H04L63/0435 , H04L63/0442 , H04L63/0478 , H04L63/06 , H04L63/08 , H04W12/04
Abstract: Aggregating traffic over multiple VPN connections is described. A first Virtual Private Network (VPN) connection is established between a client device and a first VPN server via a first access network of the client device. A second Virtual Private Network (VPN) connection is established between the client device and a second VPN server via a second access network of the client device. Application traffic associated with a connection between an application server and a client application that corresponds to the client device is received. The application traffic associated with the connection between the application server and the client application is distributed between at least the first VPN connection and the second VPN connection.
-
Publication number: WO2022010562A1
Publication date: 2022-01-13
Application number: PCT/US2021/029034
Filing date: 2021-04-26
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: RENKE, Maxwell Christopher , SCHULTZ, Benjamin M. , BAK, Yevgeniy , SHARMA, Vijaykumar , THANKY, Apurva Ashvinkumar , PULAPAKA, Hari R.
Abstract: Enacting a compliance action using an assessment that considers a mix of coldpatches and hotpatches includes identifying a policy defining the compliance condition based on patching status of a software component. A patching state of the software component is determined, including identifying evidence of coldpatched binary file(s) and hotpatch binary file(s) applicable to the software component, and using the evidence to determine whether or not the hotpatch binary file(s) have been applied to a memory image into which an instance of the software component is loaded. Based on the policy and on the patching state of the software component, a compliance action is enacted for the compliance condition. The compliance action includes generating a health report or a health attestation, initiating a patching action, initiating an execution control action, and the like.
-
Publication number: WO2021247138A1
Publication date: 2021-12-09
Application number: PCT/US2021/025841
Filing date: 2021-04-06
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: GUO, Amber Tianqi , SMITH, Frederick J., IV , STARKS, John , REUTHER, Lars , THOMAS, Deepu , PULAPAKA, Hari R. , SCHULTZ, Benjamin M. , LIU, Judy J.
IPC: G06F9/455 , G06F21/53 , G06F2009/45562 , G06F2009/45587 , G06F9/45558 , G06F9/545
Abstract: A fine-grain selectable partially privileged container virtual computing environment provides a vehicle by which processes that are directed to modifying specific aspects of a host computing environment can be delivered to, and executed upon, the host computing environment while simultaneously maintaining the advantageous and desirable protections and isolations between the remaining aspects of the host computing environment and the partially privileged container computing environment. Such partial privilege is provided based upon directly or indirectly delineated actions that are allowed to be undertaken on the host computing environment by processes executing within the partially privileged container virtual computing environment and actions which are not allowed. Aspects of the host computing environment operating system, such as the kernel, are extended to interface with container-centric mechanisms to receive information upon which actions can be allowed or denied by the kernel even if the process attempting such actions would otherwise have sufficient privilege.
-
Publication number: WO2019231685A1
Publication date: 2019-12-05
Application number: PCT/US2019/032543
Filing date: 2019-05-16
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: KARADEMIR, Ahmed Saruhan , GHOSH, Sudeep Kumar , SRIVASTAVA, Ankit , PASHNIAK, Michael Trevor , SCHULTZ, Benjamin M. , BALASUBRAMANYAN, Balaji , PULAPAKA, Hari R. , SUGANDHI, Tushar Suresh , KURJANOWICZ, Matthew David , VISWANATHAN, Giridhar
IPC: G06F21/12
Abstract: Techniques for memory assignment for guest operating systems are disclosed herein. In one embodiment, a method includes generating a license blob containing data representing a product key copied from a record of license information in the host storage upon receiving a user request to launch an application in the guest operating system. The method also includes storing the generated license blob in a random memory location accessible by the guest operating system. The guest operating system can then query the license blob for permission to launch the application and launch the application in the guest operating system without having a separate product key for the guest operating system.
-
Publication number: WO2019112819A1
Publication date: 2019-06-13
Application number: PCT/US2018/062379
Filing date: 2018-11-23
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: SCHULTZ, Benjamin M. , BALASUBRAMANYAN, Balaji , VISWANATHAN, Giridhar , SRIVASTAVA, Ankit , CHENCHEV, Margarit Simeonov , PULAPAKA, Hari R. , SIVADAS, Nived Kalappuraikal , GIANOTTI SERRANO DOS SANTO, Raphael , RAMASUBRAMANIAN, Narasimhan , SMITH, Frederick Justus , KURJANOWICZ, Matthew David , SRIVASTAVA, Prakhar , SCHWARTZ, Jonathan
IPC: G06F21/53
Abstract: Securely performing file operations. A method includes determining a licensing characteristic assigned to a file. When the licensing characteristic assigned to the file meets or exceeds a predetermined licensing condition, then the method includes performing a file operation on the file in a host operating system while preventing the file operation from being performed in the guest operating system. When the licensing characteristic assigned to the file does not meet or exceed the predetermined licensing condition, then the method includes performing the file operation on the file in the guest operating system while preventing the file operation from being performed directly in the host operating system.
-
Publication number: WO2018217368A1
Publication date: 2018-11-29
Application number: PCT/US2018/028979
Filing date: 2018-04-24
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: JEFFRIES, Charles G. , SCHULTZ, Benjamin M. , VISWANATHAN, Giridhar , SMITH, Frederick Justus , WESTON, David Guy , SRIVASTAVA, Ankit , CHEN, Ling Tony , PULAPAKA, Hari R.
CPC classification number: G06F21/566 , G06F21/53 , G06F21/577 , G06F2221/033 , G06F2221/034 , G06F2221/2101 , H04L63/0281 , H04L63/101
Abstract: A host operating system running on a computing device monitors resource access by an application running in a container that is isolated from the host operating system. In response to detecting resource access by the application, a security event is generated describing malicious activity that occurs from accessing the resource. This security event is analyzed to determine a threat level of the malicious activity. If the threat level does not satisfy a threat level threshold, the host operating system allows the application to continue accessing resources and continues to monitor resource access. When the threat level satisfies the threat level threshold, the operating system takes corrective action to prevent the malicious activity from spreading beyond the isolated container. Through the use of security events, the host operating system is protected from even kernel-level attacks without using the resources required to run anti-virus software in the isolated container.
-
Publication number: WO2017210065A1
Publication date: 2017-12-07
Application number: PCT/US2017/034354
Filing date: 2017-05-25
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: PAI, Navin Narayan , JEFFRIES, Charles G. , VISWANATHAN, Giridhar , SCHULTZ, Benjamin M. , SMITH, Frederick J. , REUTHER, Lars , EBERSOL, Michael B. , DIAZ CUELLAR, Gerardo , PASHOV, Ivan Dimitrov , GADDEHOSUR, Poornananda R. , PULAPAKA, Hari R. , RAO, Vikram Mangalore
IPC: G06F21/53
Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.
-
Publication number: WO2017172455A1
Publication date: 2017-10-05
Application number: PCT/US2017/023689
Filing date: 2017-03-23
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: KLEYNHANS, Christopher Peter , WOHLLAIB, Eric Wesley , BOZZAY, Paul McAlpin , OLUGBADE, Morakinyo Korede , SMITH, Frederick J. , SCHULTZ, Benjamin M. , COLOMBO, Gregory John , PULAPAKA, Hari R. , IYIGUN, Mehmet
CPC classification number: H04L41/0816 , G06F9/44505 , G06F9/45558 , G06F2009/45587
Abstract: Configuring a node using a method for modifying configuration settings at a first configuration layer. The method further propagates the modified configuration settings to one or more other configuration layers implemented at the first configuration layer to configure a node.
-
Publication number: WO2017105969A1
Publication date: 2017-06-22
Application number: PCT/US2016/065471
Filing date: 2016-12-08
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: GADDEHOSUR, Poornananda R. , SCHULTZ, Benjamin M.
IPC: G06F9/455
CPC classification number: H04L12/4675 , G06F9/45537 , H04L41/0893 , H04L41/12 , H04L67/1031
Abstract: Template-driven locally calculated policy updates for virtualized machines in a datacenter environment are described. A central control and monitoring node calculates and pushes down policy templates to local control and monitoring nodes. The templates provide boundaries and/or a pool of networking resources, from which the local control and monitoring node is enabled to calculate policy updates for locally instantiated virtual machines and containers.
-
Publication number: WO2023288202A1
Publication date: 2023-01-19
Application number: PCT/US2022/073608
Filing date: 2022-07-11
Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventor: RENKE, Maxwell Christopher , ALLIEVI, Andrea , VISWANATHAN, Giridhar , SCHULTZ, Benjamin M. , PULAPAKA, Hari R. , WESTON, David Guy
Abstract: Attesting to read-only protected memory. Based on a communications request, a client computer system receives a nonce from a relying party computer system. The client computer system generates attestation evidence comprising one or more read-only memory protection (ROMP) attested properties for read-only protected memory allocated to a software component loaded at the computer system, the nonce, and a system security claim. The client computer system sends the attestation evidence toward an attestation service computer system. Based on sending the attestation evidence, the client computer system participates in a relying communication with the relying party computer system.