公开(公告)号：US20220413883A1

公开(公告)日：2022-12-29

申请号：US17357999

申请日：2021-06-25

Applicant: Microsoft Technology Licensing, LLC

Inventor： Sylvan CLEBSCH ,  Stavros VOLOS ,  Sean ALLEN ,  Antonio Nino DIAZ ,  John STARKS ,  Ken GORDON ,  Manuel COSTA

IPC: G06F9/455 ,  G06F9/445 ,  H04L9/08 ,  H04L9/32

Abstract: A system comprising a hosting service configured to perform: providing, to a trusted entity on a central processing unit, a command for a launch of a virtual machine (VM); assigning, to the VM, at least a portion of memory for the guest operating system; submitting, to the trusted entity, a request to measure an address space of the VM to provide a measurement digest of the address space of the guest operating system; including, in a configuration object, a policy provided by the user for the service logic, wherein the policy defines one or more rules for the service logic, wherein the one or more rules include at least one rule for which containers may run in the guest operating system; hashing the policy to provide a hash digest of the policy; submitting, to the trusted entity, the hash digest of the policy; and completing the launch of the VM.

公开(公告)号：US20240394084A1

公开(公告)日：2024-11-28

申请号：US18761303

申请日：2024-07-01

Applicant: Microsoft Technology Licensing, LLC

Inventor： Sylvan CLEBSCH ,  Stavros VOLOS ,  Sean ALLEN ,  Antonio NINO DIAZ ,  John STARKS ,  Kenneth GORDON ,  Manuel COSTA

IPC: G06F9/455 ,  G06F9/445 ,  H04L9/08 ,  H04L9/32

Abstract: A system comprising a hosting service configured to perform: providing, to a trusted entity on a central processing unit, a command for a launch of a virtual machine (VM); assigning, to the VM, at least a portion of memory for the guest operating system; submitting, to the trusted entity, a request to measure an address space of the VM to provide a measurement digest of the address space of the guest operating system; including, in a configuration object, a policy provided by the user for the service logic, wherein the policy defines one or more rules for the service logic, wherein the one or more rules include at least one rule for which containers may run in the guest operating system; hashing the policy to provide a hash digest of the policy; submitting, to the trusted entity, the hash digest of the policy; and completing the launch of the VM.

公开(公告)号：US20240064033A1

公开(公告)日：2024-02-22

申请号：US18260763

申请日：2022-01-25

Applicant: Microsoft Technology Licensing, LLC

Inventor： Alexander SHAMIS ,  Amaury Pierre Paul CHAMAYOU ,  Edward ASHTON ,  Julien MAFFRE ,  Sylvan CLEBSCH ,  Cedric Alain Marie Christophe FOURNET ,  Miguel Oom Temudo de CASTRO ,  Antoine Jean DELIGNAT-LAVAUD ,  Peter Robert PIETZUCH

IPC: H04L9/00 ,  H04L9/32

CPC classification number: H04L9/50 ,  H04L9/3247

Abstract: Systems and methods are provided for generating a combined receipt in a distributed ledger system implemented by replicas of a network. The replicas maintain a distributed ledger comprising a plurality of executed transactions authenticated using a hash tree having a hash root. Some or all of the replicas cryptographically sign the hash root. A combined receipt for a first transaction and second transaction of a plurality of executed transactions is generated by determining path information comprising a minimum set of values required to generate the hash root from either the first transaction or the second transaction given the first transaction and the second transaction. The combined receipt for the first and second transactions comprises: i) the determined path information; and ii) signatures of one or more of the replicas which signed the hash root.

公开(公告)号：US20210004469A1

公开(公告)日：2021-01-07

申请号：US16503455

申请日：2019-07-03

Applicant: Microsoft Technology Licensing, LLC

Inventor： David Thomas CHISNALL ,  Cédric Alain Marie FOURNET ,  Manuel COSTA ,  Samuel Alexander WEBSTER ,  Sylvan CLEBSCH ,  Kapil VASWANI

IPC: G06F21/57 ,  H04L29/06 ,  G06F9/455

Abstract: A computer system has a separation mechanism which enforces separation between at least two execution environments such that one execution environment is a gatekeeper which interposes on all communications of the other execution environment. The computer system has an attestation mechanism which enables the gatekeeper to attest to properties of the at least two execution environments. A first one of the execution environments runs application specific code which may contain security vulnerabilities. The gatekeeper is configured to enforce an input output policy on the first execution environment by interposing on all communication to and from the first execution environment by forwarding, modifying or dropping individual ones of the communications according to the policy. The gatekeeper provides evidence of attestation both for the application specific code and the policy.