公开(公告)号：WO2021025769A1

公开(公告)日：2021-02-11

申请号：PCT/US2020/036877

申请日：2020-06-10

Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC

Inventor： DE MARCO, Jonathan ,  SCHULTZ, Benjamin M. ,  SMITH, Frederick Justus, IV ,  PULAPAKA, Hari R. ,  IYIGUN, Mehmet ,  GUO, Amber Tianqi

IPC: G06F9/455 ,  G06F8/656 ,  G06F16/188 ,  G06F8/71 ,  G06F8/61 ,  G06F9/445

Abstract: Computing systems, devices, and methods of dynamic image composition for container deployment are disclosed herein. One example technique includes receiving a request for accessing a file from a container process. In response to receiving the request, the technique includes querying a mapping table corresponding to the container process to locate an entry corresponding to a file identifier of the requested file. The entry also includes data identifying a file location on the storage device from which the requested file is accessible. The technique further includes retrieving a copy of the requested file according to the file location identified by the data in the located entry in the mapping table and providing the retrieved copy of the requested file to the container process, thereby allowing the container process to access the requested file.

公开(公告)号：WO2021086737A1

公开(公告)日：2021-05-06

申请号：PCT/US2020/056955

申请日：2020-10-23

Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC

Inventor： SUGANDHI, Tushar Suresh ,  GUO, Amber Tianqi ,  BALASUBRAMANYAN, Balaji ,  SINGH, Abhijat ,  KARADEMIR, Ahmed Saruhan ,  SCHULTZ, Benjamin M. ,  PULAPAKA, Hari R. ,  SHUBHAM, Gupta ,  THOMAS, Chase ,  RAMIREZ, Carlos Ernesto Peza

IPC: G06F21/53 ,  G06F21/57 ,  G06F21/10

Abstract: Environment type validation can provide a tamper-resistant validation of the computing environment within which the environment type validation is being performed. Such information can then be utilized to perform policy management, which can include omitting verifications in order to facilitate the sharing of policy, such as application licenses, from a host computing environment into a container virtual computing environment. The environment type validation can perform multiple checks, including verification of the encryption infrastructure of the computing environment, verification of code integrity mechanisms of that computing environment, checks for the presence of functionality evidencing a hypervisor, checks for the presence or absence of predetermined system drivers, or other like operating system components or functionality, checks for the activation or deactivation of resource management stacks, and checks for the presence or absence of predetermined values in firmware.

公开(公告)号：WO2021247138A1

公开(公告)日：2021-12-09

申请号：PCT/US2021/025841

申请日：2021-04-06

Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC

Inventor： GUO, Amber Tianqi ,  SMITH, Frederick J., IV ,  STARKS, John ,  REUTHER, Lars ,  THOMAS, Deepu ,  PULAPAKA, Hari R. ,  SCHULTZ, Benjamin M. ,  LIU, Judy J.

IPC: G06F9/455 ,  G06F21/53 ,  G06F2009/45562 ,  G06F2009/45587 ,  G06F9/45558 ,  G06F9/545

Abstract: A fine-grain selectable partially privileged container virtual computing environment provides a vehicle by which processes that are directed to modifying specific aspects of a host computing environment can be delivered to, and executed upon, the host computing environment while simultaneously maintaining the advantageous and desirable protections and isolations between the remaining aspects of the host computing environment and the partially privileged container computing environment. Such partial privilege is provided based upon directly or indirectly delineated actions that are allowed to be undertaken on the host computing environment by processes executing within the partially privileged container virtual computing environment and actions which are not allowed. Aspects of the host computing environment operating system, such as the kernel, are extended to interface with container-centric mechanisms to receive information upon which actions can be allowed or denied by the kernel even if the process attempting such actions would otherwise have sufficient privilege.

公开(公告)号：WO2021154410A1

公开(公告)日：2021-08-05

申请号：PCT/US2020/064982

申请日：2020-12-15

Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC

Inventor： BINGER, Julia Margaret ,  BARBER, Timothy Daniel ,  MAEDA, Masato ,  WILSON, Matthew James ,  AERON, Rayman Faruk ,  GUO, Amber Tianqi ,  SATHEESH, Shanmugha Priya ,  SCHULTZ, Benjamin M. ,  TRIPATHI, Jyotirmaya ,  LEE, Jong Gyu

IPC: G06F16/958 ,  G06F9/445 ,  G06F9/451

Abstract: To provide a hierarchical visual paradigm while maintaining the communication advantages of sibling extensions, a visual hierarchy simulation extension generates and maintains placeholders in a visually hierarchical manner, with the visual positioning of such placeholders informing the visual positioning of overlays of frames hosting the visual output of sibling extensions. Such a visual hierarchy simulation extension is utilized to layout and establish a desired visual hierarchy. One or more modules of computer-executable instructions are invoked to provide the relevant functionality, including the obtaining of the visual positioning of placeholders, the relevant visual translation between the visual positioning of placeholders and the visual overlaying of corresponding frames, the generation and movement of the corresponding frames, and the instantiation of extension content within the corresponding frames. The visual hierarchy simulation extension is hosted independently from the one or more modules.

公开(公告)号：WO2021006973A1

公开(公告)日：2021-01-14

申请号：PCT/US2020/036575

申请日：2020-06-08

Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC

Inventor： RENKE, Maxwell Christopher ,  STARK, Taylor James ,  SCHULTZ, Benjamin M. ,  VISWANATHAN, Giridhar ,  SMITH, Frederick Justus ,  THOMAS, Deepu Chandy ,  PULAPAKA, Hari R. ,  GUO, Amber Tianqi

IPC: G06F21/53 ,  G06F21/55 ,  G06F21/57

Abstract: Memory is partitioned and isolated in container-based memory enclaves. The container-based memory enclaves have attestable security guarantees. During provisioning of the container-based memory enclaves from a container image, a purported link in the container to a memory address of the enclave is modified to verifiably link to an actual memory address of the host, such as partitioned memory enclave. In some instances, enclave attestation reports can be validated without transmitting corresponding attestation requests to remote attestation services, based on previous attestation of one or more previous container attestation reports from a similar container and without requiring end-to-end attestation between the container and remote attestation service for each new attestation request.

公开(公告)号：WO2020180546A1

公开(公告)日：2020-09-10

申请号：PCT/US2020/019776

申请日：2020-02-26

Applicant: MICROSOFT TECHNOLOGY LICENSING, LLC

Inventor： GUO, Amber Tianqi ,  SCHULTZ, Benjamin M. ,  SMITH, Frederick Justus, IV ,  RIETSCHIN, Axel ,  PULAPAKA, Hari R. ,  IYIGUN, Mehmet ,  DE MARCO, Jonathan

IPC: G06F9/455

Abstract: Techniques of deferred container deployment are disclosed herein. In one embodiment, a method includes receiving, at a computing device, a container image corresponding to the container. The container image includes a first set of files identified by symbolic links individually directed to a file in the host filesystem on the computing device and a second set of files identified by hard links. The method also includes in response to receiving the container image, at the computing device, storing the received container image in a folder of the host filesystem on the computing device without resolving the symbolic links of the first set of the files until runtime of the requested container.