-
Publication No.: US20180225661A1
Publication date: 2018-08-09
Application No.: US15638203
Filing date: 2017-06-29
Applicant: Microsoft Technology Licensing, LLC
Inventor: Mark RUSSINOVICH, Manuel COSTA, Matthew KERNER, Thomas MOSCIBRODA
Abstract: The disclosed technology is generally directed to blockchain and other authentication technology. In one example of the technology, a pre-determined type of blockchain or other authentication protocol code and a pre-determined type of consensus code are stored in a trusted execution environment (TEE) of a processor. In some examples, TEE attestation is used to verify that the blockchain or other authentication protocol code stored in the TEE is the pre-determined type of blockchain or other authentication protocol code, and to verify that the consensus code stored in the TEE is the pre-determined type of consensus code. A request to alter the pre-determined type of blockchain or other authentication protocol code may be received. A determination may be made as to whether to change the pre-determined type of blockchain or other authentication protocol code based on the pre-determined consensus code.
-
Publication No.: US20210342492A1
Publication date: 2021-11-04
Application No.: US17374942
Filing date: 2021-07-13
Applicant: Microsoft Technology Licensing, LLC
Inventor: Stavros VOLOS, David Thomas CHISNALL, Saurabh Mohan KULKARNI, Kapil VASWANI, Manuel COSTA, Samuel Alexander WEBSTER, Cédric Alain Marie FOURNET, Richard OSBORNE, Daniel John Pelham WILKINSON, Graham Bernard CUNNINGHAM
Abstract: A peripheral device, for use with a host, comprises one or more compute elements, a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.
-
Publication No.: US20210004469A1
Publication date: 2021-01-07
Application No.: US16503455
Filing date: 2019-07-03
Applicant: Microsoft Technology Licensing, LLC
Inventor: David Thomas CHISNALL, Cédric Alain Marie FOURNET, Manuel COSTA, Samuel Alexander WEBSTER, Sylvan CLEBSCH, Kapil VASWANI
Abstract: A computer system has a separation mechanism which enforces separation between at least two execution environments such that one execution environment is a gatekeeper which interposes on all communications of the other execution environment. The computer system has an attestation mechanism which enables the gatekeeper to attest to properties of the at least two execution environments. A first one of the execution environments runs application specific code which may contain security vulnerabilities. The gatekeeper is configured to enforce an input output policy on the first execution environment by interposing on all communication to and from the first execution environment by forwarding, modifying or dropping individual ones of the communications according to the policy. The gatekeeper provides evidence of attestation both for the application specific code and the policy.
-
Publication No.: US20220413883A1
Publication date: 2022-12-29
Application No.: US17357999
Filing date: 2021-06-25
Applicant: Microsoft Technology Licensing, LLC
Inventor: Sylvan CLEBSCH, Stavros VOLOS, Sean ALLEN, Antonio Nino DIAZ, John STARKS, Ken GORDON, Manuel COSTA
Abstract: A system comprising a hosting service configured to perform: providing, to a trusted entity on a central processing unit, a command for a launch of a virtual machine (VM); assigning, to the VM, at least a portion of memory for the guest operating system; submitting, to the trusted entity, a request to measure an address space of the VM to provide a measurement digest of the address space of the guest operating system; including, in a configuration object, a policy provided by the user for the service logic, wherein the policy defines one or more rules for the service logic, wherein the one or more rules include at least one rule for which containers may run in the guest operating system; hashing the policy to provide a hash digest of the policy; submitting, to the trusted entity, the hash digest of the policy; and completing the launch of the VM.
-
Publication No.: US20200084189A1
Publication date: 2020-03-12
Application No.: US16686172
Filing date: 2019-11-17
Applicant: Microsoft Technology Licensing, LLC
Inventor: Mark RUSSINOVICH, Manuel COSTA, Matthew KERNER, Thomas MOSCIBRODA
IPC: H04L29/06, G06Q20/02, G06F21/74, G06Q20/00, G06F21/57, H04L9/32, H04L9/06, G11B20/00, G06Q20/38, G06Q20/06, G06F21/53
Abstract: The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a first node is endorsed. During endorsement of a first node, a pre-determined type of blockchain or other security protocol code to be authorized and a pre-determined membership list are stored in a trusted execution environment (TEE) of the first node. A determination is made as to whether the membership lists and pre-determined blockchain or other security protocol code to be authorized from the proposed members match. If so, TEE attestation is used to verify that nodes associated with prospective members of the consortium store the pre-determined type of blockchain or other security protocol code to be authorized. Upon TEE attestation being successful, a consortium network is bootstrapped such that the prospective members become members of the consortium network.
-
Publication No.: US20180227275A1
Publication date: 2018-08-09
Application No.: US15638180
Filing date: 2017-06-29
Applicant: Microsoft Technology Licensing, LLC
Inventor: Mark RUSSINOVICH, Manuel COSTA, Matthew KERNER, Thomas MOSCIBRODA
IPC: H04L29/06
Abstract: The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a first node is endorsed. During endorsement of a first node, a pre-determined type of blockchain or other security protocol code to be authorized and a pre-determined membership list are stored in a trusted execution environment (TEE) of the first node. A determination is made as to whether the membership lists and pre-determined blockchain or other security protocol code to be authorized from the proposed members match. If so, TEE attestation is used to verify that nodes associated with prospective members of the consortium store the pre-determined type of blockchain or other security protocol code to be authorized. Upon TEE attestation being successful, a consortium network is bootstrapped such that the prospective members become members of the consortium network.
-
Publication No.: US20240394084A1
Publication date: 2024-11-28
Application No.: US18761303
Filing date: 2024-07-01
Applicant: Microsoft Technology Licensing, LLC
Inventor: Sylvan CLEBSCH, Stavros VOLOS, Sean ALLEN, Antonio NINO DIAZ, John STARKS, Kenneth GORDON, Manuel COSTA
Abstract: A system comprising a hosting service configured to perform: providing, to a trusted entity on a central processing unit, a command for a launch of a virtual machine (VM); assigning, to the VM, at least a portion of memory for the guest operating system; submitting, to the trusted entity, a request to measure an address space of the VM to provide a measurement digest of the address space of the guest operating system; including, in a configuration object, a policy provided by the user for the service logic, wherein the policy defines one or more rules for the service logic, wherein the one or more rules include at least one rule for which containers may run in the guest operating system; hashing the policy to provide a hash digest of the policy; submitting, to the trusted entity, the hash digest of the policy; and completing the launch of the VM.
-
Publication No.: US20240160795A1
Publication date: 2024-05-16
Application No.: US18419359
Filing date: 2024-01-22
Applicant: Microsoft Technology Licensing, LLC
Inventor: Stavros VOLOS, David Thomas CHISNALL, Saurabh Mohan KULKARNI, Kapil VASWANI, Manuel COSTA, Samuel Alexander WEBSTER, Cédric Alain Marie FOURNET, Richard OSBORNE, Daniel John Pelham WILKINSON, Graham Bernard CUNNINGHAM
CPC classification number: G06F21/85, G06F21/602, H04L9/30, H04L9/3265
Abstract: A peripheral device, for use with a host, comprises one or more compute elements, a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.
-
Publication No.: US20180225448A1
Publication date: 2018-08-09
Application No.: US15638213
Filing date: 2017-06-29
Applicant: Microsoft Technology Licensing, LLC
Inventor: Mark RUSSINOVICH, Manuel COSTA, Matthew KERNER, Thomas MOSCIBRODA
Abstract: The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a pre-determined type of blockchain or other security protocol code is stored in a trusted execution environment (TEE) of the processor. TEE attestation is used to verify that the blockchain or other security protocol code stored in the TEE is the pre-determined type of blockchain or other security protocol code. A blockchain or other transaction is received and processed. Based on the processing of the transaction, an official state of the transaction on a consortium network is directly updated for the network. The updated official state of the processed transaction is broadcasted to the consortium network.