Patents by Inventor Andrew John Thornton
Andrew John Thornton has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 8700816
Abstract: Various aspects are disclosed herein for bounding the behavior of a non-privileged virtual machine that interacts with a device by creating a description of the device which indicates to a privileged authority (1) which operations on the device may have system-wide effects and (2) which operations have effects local to the device. The privileged authority may then permit or deny these actions. The privileged authority may also translate these actions into other actions with benign consequences.
Type: Grant
Filed: February 8, 2012
Date of Patent: April 15, 2014
Assignee: Microsoft Corporation
Inventors: Jacob Oshins, Brandon Allsop, Andrew John Thornton
-
Patent number: 8635612
Abstract: Systems and methods are provided, whereby partitions may become enlightened and discover the presence of a hypervisor. Several techniques of hypervisor discovery are discussed, such as detecting the presence of virtual processor registers (e.g. model specific registers or special-purpose registers) or the presence of virtual hardware devices. Upon discovery, information (code and/or data) may be injected in a partition by the hypervisor, whereby such injection allows the partition to call the hypervisor. Moreover, the hypervisor may present a versioning mechanism that allows the partition to match up the version of the hypervisor to its virtual devices. Next, once code and/or data is injected, calling conventions are established that allow the partition and the hypervisor to communicate, so that the hypervisor may perform some operations on behalf of the partition.
Type: Grant
Filed: April 29, 2005
Date of Patent: January 21, 2014
Assignee: Microsoft Corporation
Inventors: Adrian J. Oney, Andrew John Thornton, Eric P. Traut, Nathan T. Lewis
-
Patent number: 8296775
Abstract: Various operations are disclosed for improving the operational efficiency of register handling in a virtualized environment. Some infrequently accessed software managed registers are managed lazily when switching contexts between virtual processors. The states of those registers are not saved on exit from a guest or restored on entry to the guest. Rather, guest accesses to those registers are intercepted. For some frequently accessed registers, register states are saved or restored only upon exit from a hypervisor to a different guest than that from which the hypervisor was entered. For enable-flag-gated registers, updates to a physical register value are not made unless the register is enabled. A shadow register cache may be used to speed accesses to some registers. When a shadowed register is modified, the new value is cached as a shadow copy in RAM and subsequent reads of the register are taken from the shadow copy.
Type: Grant
Filed: January 31, 2007
Date of Patent: October 23, 2012
Assignee: Microsoft Corporation
Inventors: Andrew John Thornton, Shuvabrata Ganguly
-
Publication number: 20120144071
Abstract: Various aspects are disclosed herein for bounding the behavior of a non-privileged virtual machine that interacts with a device by creating a description of the device which indicates to a privileged authority (1) which operations on the device may have system-wide effects and (2) which operations have effects local to the device. The privileged authority may then permit or deny these actions. The privileged authority may also translate these actions into other actions with benign consequences.
Type: Application
Filed: February 8, 2012
Publication date: June 7, 2012
Applicant: MICROSOFT CORPORATION
Inventors: Jacob Oshins, Brandon Allsop, Andrew John Thornton
-
Patent number: 8117346
Abstract: Various aspects are disclosed herein for bounding the behavior of a non-privileged virtual machine that interacts with a device by creating a description of the device which indicates to a privileged authority (1) which operations on the device may have system-wide effects and (2) which operations have effects local to the device. The privileged authority may then permit or deny these actions. The privileged authority may also translate these actions into other actions with benign consequences.
Type: Grant
Filed: October 3, 2008
Date of Patent: February 14, 2012
Assignee: Microsoft Corporation
Inventors: Jacob Oshins, Brandon Allsop, Andrew John Thornton
-
Patent number: 7975117
Abstract: Plural guest operating systems run on a computer, where a security kernel enforces a policy of isolation among the guest operating systems. An exclusion vector defines a set of pages that cannot be accessed by direct memory access (DMA) devices. The security kernel enforces an isolation policy by causing certain pages to be excluded from direct access. Thus, device drivers in guest operating systems are permitted to control DMA devices directly without virtualization of those devices, while each guest is prevented from using DMA devices to access pages that the guest is not permitted to access under the policy.
Type: Grant
Filed: December 19, 2003
Date of Patent: July 5, 2011
Assignee: Microsoft Corporation
Inventors: Marcus Peinado, Paul England, Bryan Mark Willman, Yuqun Chen, Andrew John Thornton
-
Patent number: 7877760
Abstract: Mechanisms are disclosed herein that manage operations in virtual machine environments. A first partition can have a proxy driver object corresponding to a driver object in a second partition. The driver object can control a physical device, but because of the proxy driver object, the first partition can retain some measure of control over the physical device. The driver object can be surrounded by a first filter object beneath it, and a second filter object above it. The first filter object can provide interfaces to the driver object so that the driver object can perform various bus-related functionalities; and, the second filter object can receive redirected instructions from the first partition and provide them to the driver object, and intercept any instructions originating from within the second partition, such that if these instructions are inconsistent with policies set in the first partition, they can be manipulated.
Type: Grant
Filed: September 29, 2006
Date of Patent: January 25, 2011
Assignee: Microsoft Corporation
Inventors: Adrian J. Oney, Andrew John Thornton, Jacob Oshins
-
Publication number: 20100088431
Abstract: Various aspects are disclosed herein for bounding the behavior of a non-privileged virtual machine that interacts with a device by creating a description of the device which indicates to a privileged authority (1) which operations on the device may have system-wide effects and (2) which operations have effects local to the device. The privileged authority may then permit or deny these actions. The privileged authority may also translate these actions into other actions with benign consequences.
Type: Application
Filed: October 3, 2008
Publication date: April 8, 2010
Applicant: MICROSOFT CORPORATION
Inventors: Jacob Oshins, Brandon Allsop, Andrew John Thornton
-
Patent number: 7493429
Abstract: The present invention provides for trusted side-band communications between components in a computer system, so that use of the system bus may be avoided. Two components may be connected by means other than a bus (e.g., an infrared port, a wire, an unused pin, etc.), whereby these components may communicate without the use of the system bus. The non-bus communication channel may be referred to as “side-band.” The side-band channel may be used to communicate information that might identify the user's hardware (e.g., a public key) or other information that the user may not want to be easily intercepted by the public at large. Communication over the side-band channel may also be used to verify that the participants in a communication are within a defined positional relationship to each other.
Type: Grant
Filed: January 16, 2004
Date of Patent: February 17, 2009
Assignee: Microsoft Corporation
Inventors: John E. Paff, Marcus Peinado, Thekkthalackal Varugis Kurien, Bryan Mark Willman, Paul England, Andrew John Thornton
-
Patent number: 7457964
Abstract: A method is provided for a processor of a computing device to obtain a trusted identification of a hardware peripheral of the computing device, for the computing device and the peripheral to derive a set of shared keys, and for the processor to send trusted data to the peripheral.
Type: Grant
Filed: February 4, 2004
Date of Patent: November 25, 2008
Assignee: Microsoft Corporation
Inventors: Andrew John Thornton, John E. Paff, Marcus Peinado, Thekkthalackal Varugis Kurien
-
Patent number: 7454530
Abstract: A system and method to facilitate communication between an associated bus, such as employs a standard bus protocol, and a connector to which a removable SFF device can be attached. A desired operating mode is selected based on the device attached at the connector, such as either to pass the protocol between the bus and device generally unchanged or to implement suitable protocol conversion for such communication. Thus, by configuring the SFF device to appear as a device currently supported by the bus, the SFF device can operate at the connector with native operating system support.
Type: Grant
Filed: August 16, 2004
Date of Patent: November 18, 2008
Assignee: Microsoft Corporation
Inventors: Jeremy Paul Cahill, Andrew John Thornton, Jonathan Vines Smith
-
Publication number: 20080183944
Abstract: Various operations are disclosed for improving the operational efficiency of register handling in a virtualized environment. Some infrequently accessed software managed registers are managed lazily when switching contexts between virtual processors. The states of those registers are not saved on exit from a guest or restored on entry to the guest. Rather, guest accesses to those registers are intercepted. For some frequently accessed registers, register states are saved or restored only upon exit from a hypervisor to a different guest than that from which the hypervisor was entered. For enable-flag-gated registers, updates to a physical register value are not made unless the register is enabled. A shadow register cache may be used to speed accesses to some registers. When a shadowed register is modified, the new value is cached as a shadow copy in RAM and subsequent reads of the register are taken from the shadow copy.
Type: Application
Filed: January 31, 2007
Publication date: July 31, 2008
Applicant: Microsoft Corporation
Inventors: Andrew John Thornton, Shuvabrata Ganguly
-
Publication number: 20080082975
Abstract: Mechanisms are disclosed herein that manage operations in virtual machine environments. A first partition can have a proxy driver object corresponding to a driver object in a second partition. The driver object can control a physical device, but because of the proxy driver object, the first partition can retain some measure of control over the physical device. The driver object can be surrounded by a first filter object beneath it, and a second filter object above it. The first filter object can provide interfaces to the driver object so that the driver object can perform various bus-related functionalities; and, the second filter object can receive redirected instructions from the first partition and provide them to the driver object, and intercept any instructions originating from within the second partition, such that if these instructions are inconsistent with policies set in the first partition, they can be manipulated.
Type: Application
Filed: September 29, 2006
Publication date: April 3, 2008
Applicant: Microsoft Corporation
Inventors: Adrian J. Oney, Andrew John Thornton, Jacob Oshins
-
Patent number: 6871244
Abstract: A system and method to facilitate communication between an associated bus, such as employs a standard bus protocol, and a connector to which a removable SFF device can be attached. A desired operating mode is selected based on the device attached at the connector, such as either to pass the protocol between the bus and device generally unchanged or to implement suitable protocol conversion for such communication. Thus, by configuring the SFF device to appear as a device currently supported by the bus, the SFF device can operate at the connector with native operating system support.
Type: Grant
Filed: February 28, 2002
Date of Patent: March 22, 2005
Assignee: Microsoft Corp.
Inventors: Jeremy Paul Cahill, Andrew John Thornton, Jonathan Vines Smith
-
Publication number: 20040205203
Abstract: Plural guest operating systems run on a computer, where a security kernel enforces a policy of isolation among the guest operating systems. An exclusion vector defines a set of pages that cannot be accessed by direct memory access (DMA) devices. The security kernel enforces an isolation policy by causing certain pages to be excluded from direct access. Thus, device drivers in guest operating systems are permitted to control DMA devices directly without virtualization of those devices, while each guest is prevented from using DMA devices to access pages that the guest is not permitted to access under the policy.
Type: Application
Filed: December 19, 2003
Publication date: October 14, 2004
Inventors: Marcus Peinado, Paul England, Bryan Mark Willman, Yuqun Chen, Andrew John Thornton
-
Patent number: D523306
Type: Grant
Filed: May 3, 2005
Date of Patent: June 20, 2006
Assignee: William Levene Limited
Inventor: Andrew John Thornton
-
Patent number: D530574
Type: Grant
Filed: June 10, 2005
Date of Patent: October 24, 2006
Assignee: William Levene Limited
Inventor: Andrew John Thornton
-
Patent number: D539079
Type: Grant
Filed: June 24, 2005
Date of Patent: March 27, 2007
Assignee: William Levene Limited
Inventor: Andrew John Thornton
-
Patent number: D498988
Type: Grant
Filed: July 16, 2003
Date of Patent: November 30, 2004
Assignee: William Levene Limited
Inventor: Andrew John Thornton