Patents by Inventor Kristjan E. Hatlelid
Kristjan E. Hatlelid has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 10511631Abstract: Providing safe access of a data item accessed through one of a plurality of access channels while concurrently providing a policy check of the data item. An indication associated with accessing a data item through one access channel of a plurality of access channels may be received. In response to receiving the indication associated with accessing the data item, the data item may be automatically analyzed to determine whether the data item satisfies a policy. Also in response to receiving the indication associated with accessing the data item and while determining whether the data item satisfies the policy, safe access of the data item may be provided. Regardless of the access channel through which the data item was accessed, any of the policy check, the safe access, and the analysis of the data item may be the same.Type: GrantFiled: January 25, 2017Date of Patent: December 17, 2019Assignee: Microsoft Technology Licensing, LLCInventors: Amar D. Patel, Mario D. Goertzel, Kristjan E. Hatlelid
-
Publication number: 20180213000Abstract: Providing safe access of a data item accessed through one of a plurality of access channels while concurrently providing a policy check of the data item. An indication associated with accessing a data item through one access channel of a plurality of access channels may be received. In response to receiving the indication associated with accessing the data item, the data item may be automatically analyzed to determine whether the data item satisfies a policy. Also in response to receiving the indication associated with accessing the data item and while determining whether the data item satisfies the policy, safe access of the data item may be provided. Regardless of the access channel through which the data item was accessed, any of the policy check, the safe access, and the analysis of the data item may be the same.Type: ApplicationFiled: January 25, 2017Publication date: July 26, 2018Inventors: Amar D. Patel, Mario D. Goertzel, Kristjan E. Hatlelid
-
Patent number: 8984597Abstract: An access component sends an access request to an intermediary component, the access request being a request to access a service or resource without credentials of a current user of the intermediary component being revealed to the access component. The intermediary component obtains user credentials, for the current user, that are associated with the service or resource. The access request and the user credentials are sent to the service or resource, and in response session state information is received from the service or resource. The session state information is returned to the access component, which allows the access component and the service or resource to communicate with one another based on the session state information and independently of the first component.Type: GrantFiled: May 27, 2010Date of Patent: March 17, 2015Assignee: Microsoft Technology Licensing, LLCInventors: Kristjan E. Hatlelid, Marc R. Barbour, Magnus Bo Gustaf Nyström
-
Patent number: 8924714Abstract: Techniques and systems for authentication with an untrusted root between a client and a server are disclosed. In some aspects, a client may connect to a server. The server and client may initiate a secure connection by exchanging certificates. The server may accept a client certificate having an untrusted root that does not chain up to a root certificate verifiable to the server certificate authority. In further aspects, the server may enable the client to associate an untrusted certificate with an existing account associated with the server. The client certificate may be hardware based or generated in software, and may be issued to the client independent of interactions with the server.Type: GrantFiled: June 27, 2008Date of Patent: December 30, 2014Assignee: Microsoft CorporationInventors: Kristjan E. Hatlelid, Kelvin S. Yiu
-
Patent number: 8904509Abstract: A collection of multiple user credentials each associated with one of multiple different users is obtained at a device, and one or more of the multiple user credentials are verified. A determination is made as to whether access to a resource is permitted, by at least comparing the collection of multiple user credentials to a threshold combination of user credentials to be satisfied to access the resource. An indication of whether access to the resource by a requesting user is permitted is returned or provided to another device.Type: GrantFiled: March 15, 2013Date of Patent: December 2, 2014Assignee: Microsoft CorporationInventors: Marc R. Barbour, Carl M. Ellison, Kristjan E. Hatlelid, Janet L. Schneider, Pieter R. Kasselman
-
Patent number: 8418237Abstract: A collection of multiple user credentials each associated with one of multiple different users is obtained at a device, and one or more of the multiple user credentials are verified. The collection of multiple user credentials is also compared to a threshold combination of user credentials to be satisfied to access the resource, and a determination is made, based on the comparing and the verifying, as to whether access to the resource is permitted. An indication of whether access to the resource by a requesting user is permitted is returned or provided to another device.Type: GrantFiled: October 20, 2009Date of Patent: April 9, 2013Assignee: Microsoft CorporationInventors: Marc R. Barbour, Carl M. Ellison, Kristjan E. Hatlelid, Janet L. Schneider, Pieter R. Kasselman
-
Patent number: 8380634Abstract: Upon a first process encountering a triggering device, a second process chooses whether to proxy-execute code corresponding to the triggering device of the first process on behalf of such first process based at least in part on whether a license evaluator of the second process has determined that the first process is to be operated in accordance with the terms and conditions of a corresponding digital license. The license evaluator at least in part performs such determination by running a script corresponding to the triggering device in the code of the first process. Thus, the first process is dependent upon the second process and the license for operation thereof.Type: GrantFiled: December 21, 2011Date of Patent: February 19, 2013Assignee: Microsoft CorporationInventors: Andrey Lilikov, Donald H. Rule, Kristjan E. Hatlelid, Nir Ben Zvi
-
Publication number: 20120096566Abstract: Upon a first process encountering a triggering device, a second process chooses whether to proxy-execute code corresponding to the triggering device of the first process on behalf of such first process based at least in part on whether a license evaluator of the second process has determined that the first process is to be operated in accordance with the terms and conditions of a corresponding digital license. The license evaluator at least in part performs such determination by running a script corresponding to the triggering device in the code of the first process. Thus, the first process is dependent upon the second process and the license for operation thereof.Type: ApplicationFiled: December 21, 2011Publication date: April 19, 2012Applicant: MICROSOFT CORPORATIONInventors: Andrey Lilikov, Donald H. Rule, Kristjan E. Hatlelid, Nir Ben Zvi
-
Patent number: 8103592Abstract: Upon a first process encountering a triggering device, a second process chooses whether to proxy-execute code corresponding to the triggering device of the first process on behalf of such first process based at least in part on whether a license evaluator of the second process has determined that the first process is to be operated in accordance with the terms and conditions of a corresponding digital license. The license evaluator at least in part performs such determination by running a script corresponding to the triggering device in the code of the first process. Thus, the first process is dependent upon the second process and the license for operation thereof.Type: GrantFiled: November 14, 2005Date of Patent: January 24, 2012Assignee: Microsoft CorporationInventors: Andrey Lilikov, Donald H. Rule, Kristjan E. Hatlelid, Nir Ben Zvi
-
Publication number: 20110296510Abstract: An access component sends an access request to an intermediary component, the access request being a request to access a service or resource without credentials of a current user of the intermediary component being revealed to the access component. The intermediary component obtains user credentials, for the current user, that are associated with the service or resource. The access request and the user credentials are sent to the service or resource, and in response session state information is received from the service or resource. The session state information is returned to the access component, which allows the access component and the service or resource to communicate with one another based on the session state information and independently of the first component.Type: ApplicationFiled: May 27, 2010Publication date: December 1, 2011Applicant: Microsoft CorporationInventors: Kristjan E. Hatlelid, Marc R. Barbour, Bo Gustaf Magnus Nyström
-
Patent number: 7979911Abstract: A first computer process has code including at least one triggering device, and a digital license corresponding to the first process sets forth terms and conditions for operating same. A second computer process proxy-executes code corresponding to each triggering device of the first process on behalf of same. The second process includes a license evaluator for evaluating the license to determining that the first process is to be operated in accordance with the terms and conditions set forth in such license. A third computer process includes the code corresponding to each triggering device of the first process and an address of the triggering device in the first process. Thus, the first process is dependent on and cannot be operated without the second process and the third process.Type: GrantFiled: May 27, 2005Date of Patent: July 12, 2011Assignee: Microsoft CorporationInventor: Kristjan E. Hatlelid
-
Publication number: 20110093939Abstract: A collection of multiple user credentials each associated with one of multiple different users is obtained at a device, and one or more of the multiple user credentials are verified. The collection of multiple user credentials is also compared to a threshold combination of user credentials to be satisfied to access the resource, and a determination is made, based on the comparing and the verifying, as to whether access to the resource is permitted. An indication of whether access to the resource by a requesting user is permitted is returned or provided to another device.Type: ApplicationFiled: October 20, 2009Publication date: April 21, 2011Applicant: Microsoft CorporationInventors: Marc R. Barbour, Carl M. Ellison, Kristjan E. Hatlelid, Janet L. Schneider, Pieter R. Kasselman
-
Patent number: 7788496Abstract: A first process operating on a computer comprises code to be executed in connection therewith, where the code includes at least one triggering device. A digital license corresponds to the first process and sets forth terms and conditions for operating the first process. A second process operating on the computer proxy-executes code corresponding to each triggering device of the first process on behalf of such first process. The second process includes a license evaluator for evaluating the license to determine whether the first process is to be operated in accordance with the terms and conditions set forth in such license, and the second process chooses whether to in fact proxy-execute based at least in part on determination of the license evaluator. Thus, the first process is dependent upon the second process for operation thereof.Type: GrantFiled: October 8, 2003Date of Patent: August 31, 2010Assignee: Microsoft CorporationInventors: Andrey Lelikov, Caglar Gunyakti, Kristjan E. Hatlelid
-
Patent number: 7779478Abstract: Distributed module authentication allows security checks to be initiated by multiple software modules. Module authentication processes can be inserted into two or more modules in an operating system and/or various other applications. These module authentication processes can verify the integrity of binaries associated with one or more modules in computer memory. Security checks can be performed on modules stored on disk, in active system memory, or in any other location. Various security checks can be coordinated with each other to ensure variety and frequency of module authentication, as well as to randomize the module authentication process that performs a particular security check. In addition, security processor code can be interleaved within normal application code, so the security code is difficult for attackers to remove or disable without damaging the useful functionality of an application.Type: GrantFiled: January 28, 2008Date of Patent: August 17, 2010Assignee: Microsoft CorporationInventors: Lazar Ivanov Ivanov, Caglar Gunyakti, Kristjan E. Hatlelid
-
Publication number: 20090327696Abstract: Techniques and systems for authentication with an untrusted root between a client and a server are disclosed. In some aspects, a client may connect to a server. The server and client may initiate a secure connection by exchanging certificates. The server may accept a client certificate having an untrusted root that does not chain up to a root certificate verifiable to the server certificate authority. In further aspects, the server may enable the client to associate an untrusted certificate with an existing account associated with the server. The client certificate may be hardware based or generated in software, and may be issued to the client independent of interactions with the server.Type: ApplicationFiled: June 27, 2008Publication date: December 31, 2009Applicant: MICROSOFT CORPORATIONInventors: Kristjan E. Hatlelid, Kelvin S. Yiu
-
Publication number: 20090327704Abstract: Embodiments for providing strong authentication to a network from a networked device are disclosed. In accordance with one embodiment, a method for authentication to a server includes sharing a session key between the networked device and the server. The method further includes sending an encrypted secret key that is encoded based on the session key to a memory of the networked device. The also method includes sending original data to the networked device for encryption into encrypted data using the secret key. The method additionally includes decrypting the encrypted data received from the networked device using the secret key to obtain decrypted data for comparison with the original data for determining access to networked resources.Type: ApplicationFiled: June 27, 2008Publication date: December 31, 2009Applicant: MICROSOFT CORPORATIONInventor: Kristjan E. Hatlelid
-
Patent number: 7607122Abstract: A mechanism is provided, where a post-build utility is used to store stack and call tree information within a section of an executable program or separate file. The stack information aids an authentication module during the execution of the program in walking up a stack in order to obtain return addresses on the stack. In one aspect of the invention, by comparing the return address sequence to the call tree sequence, which specifies the allowed function call sequence of the program, a determination can be made whether the program is executing (as evidenced by the stack) the way it should be executing (as required by the call tree). If the call tree sequence differs from the return address sequence, a suspicion is raised that a hacker is attempting to jump from foreign code into sensitive code of the program by changing the function calling sequence.Type: GrantFiled: June 17, 2005Date of Patent: October 20, 2009Assignee: Microsoft CorporationInventors: Kristjan E. Hatlelid, Uri London, Vladimir A. Shubin
-
Publication number: 20080235791Abstract: Distributed module authentication allows security checks to be initiated by multiple software modules. Module authentication processes can be inserted into two or more modules in an operating system and/or various other applications. These module authentication processes can verify the integrity of binaries associated with one or more modules in computer memory. Security checks can be performed on modules stored on disk, in active system memory, or in any other location. Various security checks can be coordinated with each other to ensure variety and frequency of module authentication, as well as to randomize the module authentication process that performs a particular security check. In addition, security processor code can be interleaved within normal application code, so the security code is difficult for attackers to remove or disable without damaging the useful functionality of an application.Type: ApplicationFiled: January 28, 2008Publication date: September 25, 2008Applicant: Microsoft CorporationInventors: Lazar Ivanov Ivanov, Caglar Gunyakti, Kristjan E. Hatlelid
-
Patent number: 7426718Abstract: A method and system are provided that override constructors such that the constructors not only initialize objects but also provide notification about virtual pointers of the objects. This notification is provided to a list that stores which virtual pointers are created and where they are supposed to be pointing. By knowing the address of the virtual tables that the virtual pointers are supposed to be pointing to, a determination can be made whether the virtual tables are the correct virtual tables or whether they may be different virtual tables that have been substituted in by a hacker and that contain pointers to foreign code.Type: GrantFiled: March 21, 2005Date of Patent: September 16, 2008Assignee: Microsoft CorporationInventors: Kristjan E. Hatlelid, Uri London, Vladimir A. Shubin
-
Patent number: 7380269Abstract: A mechanism for redirecting a code execution path in a running process. A one-byte interrupt instruction (e.g., INT 3) is inserted into the code path. The interrupt instruction passes control to a kernel handler, which after executing a replacement function, returns to continue executing the process. The replacement function resides in a memory space that is accessible to the kernel handler. The redirection mechanism may be applied without requiring a reboot of the computing device on which the running process is executing. In addition, the redirection mechanism may be applied without overwriting more than one byte in the original code.Type: GrantFiled: April 14, 2006Date of Patent: May 27, 2008Assignee: Microsoft CorporationInventors: Nir Ben Zvi, Kristjan E. Hatlelid, Andrey V. Lelikov