Patents by Inventor Manuel Costa
Manuel Costa has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11921911Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.Type: GrantFiled: July 13, 2021Date of Patent: March 5, 2024Assignee: Microsoft Technology Licensing, LLC.Inventors: Stavros Volos, David Thomas Chisnall, Saurabh Mohan Kulkarni, Kapil Vaswani, Manuel Costa, Samuel Alexander Webster, Cédric Alain Marie Fournet, Richard Osborne, Daniel John Pelham Wilkinson, Graham Bernard Cunningham
-
Patent number: 11756398Abstract: Aspects of the present disclosure include methods, systems, and non-transitory computer readable media for identifying a first sector proximal to a reader and a second sector proximal to the reader, receiving one or more parameters associated with at least one of a minimum sector count setting, an opposite sector threshold setting, or a suppression threshold setting, applying, to the reader, the one or more parameters associated with the at least one of the minimum sector count setting, the opposite sector threshold setting, or the suppression threshold setting, and detecting a tag based on the one or more parameters.Type: GrantFiled: March 18, 2021Date of Patent: September 12, 2023Assignee: Sensormatic Electronics, LLCInventors: Gregory Colaluca, Eric Reich, Luis Tiago Bola Lagarto, Hugo Manuel Costa Ribeiro, João Carlos Veríssimo Costa Teixeira De Sousa, Bruno Miguel Rodrigues Costa Moura, Wilson Fernandes Carvalho Pinto De Oliveira, Chad M. Gundlach, Yosbi Antonio Alves Saenz, Leandro André Azevedo Soares
-
Publication number: 20220413883Abstract: A system comprising a hosting service configured to perform: providing, to a trusted entity on a central processing unit, a command for a launch of a virtual machine (VM); assigning, to the VM, at least a portion of memory for the guest operating system; submitting, to the trusted entity, a request to measure an address space of the VM to provide a measurement digest of the address space of the guest operating system; including, in a configuration object, a policy provided by the user for the service logic, wherein the policy defines one or more rules for the service logic, wherein the one or more rules include at least one rule for which containers may run in the guest operating system; hashing the policy to provide a hash digest of the policy; submitting, to the trusted entity, the hash digest of the policy; and completing the launch of the VM.Type: ApplicationFiled: June 25, 2021Publication date: December 29, 2022Inventors: Sylvan CLEBSCH, Stavros VOLOS, Sean ALLEN, Antonio Nino DIAZ, John STARKS, Ken GORDON, Manuel COSTA
-
Patent number: 11526613Abstract: A computer system has a separation mechanism which enforces separation between at least two execution environments such that one execution environment is a gatekeeper which interposes on all communications of the other execution environment. The computer system has an attestation mechanism which enables the gatekeeper to attest to properties of the at least two execution environments. A first one of the execution environments runs application specific code which may contain security vulnerabilities. The gatekeeper is configured to enforce an input output policy on the first execution environment by interposing on all communication to and from the first execution environment by forwarding, modifying or dropping individual ones of the communications according to the policy. The gatekeeper provides evidence of attestation both for the application specific code and the policy.Type: GrantFiled: July 3, 2019Date of Patent: December 13, 2022Assignee: Microsoft Technology Licensing, LLCInventors: David Thomas Chisnall, Cédric Alain Marie Fournet, Manuel Costa, Samuel Alexander Webster, Sylvan Clebsch, Kapil Vaswani
-
Publication number: 20220301404Abstract: Aspects of the present disclosure include methods, systems, and non-transitory computer readable media for identifying a first sector proximal to a reader and a second sector proximal to the reader, receiving one or more parameters associated with at least one of a minimum sector count setting, an opposite sector threshold setting, or a suppression threshold setting, applying, to the reader, the one or more parameters associated with the at least one of the minimum sector count setting, the opposite sector threshold setting, or the suppression threshold setting, and detecting a tag based on the one or more parameters.Type: ApplicationFiled: March 18, 2021Publication date: September 22, 2022Inventors: Gregory COLALUCA, Eric REICH, Luis Tiago BOLA LAGARTO, Hugo Manuel COSTA RIBEIRO, João Carlos Veríssimo Costa TEIXEIRA DE SOUSA, Bruno Miguel Rodrigues Costa MOURA, Wilson Fernandes Carvalho PINTO DE OLIVEIRA, Chad M. GUNDLACH, Yosbi Antonio Alves SAENZ, Leandro André Azevedo SOARES
-
Patent number: 11443033Abstract: An abstract enclave identity is presented. An abstract identity may be a secure identity that may be the same for multiple related, but not identical, enclave instantiations. An enclave identity value may be determined from an abstract enclave identity type with respect to a instantiated enclave. Various enclave operations may be performed with an abstract identity, such as sealing data to an abstract identity, incrementing a monotonic counter, making trusted time measurement.Type: GrantFiled: January 24, 2017Date of Patent: September 13, 2022Assignee: Microsoft Technology Licensing, LLCInventor: Manuel Costa
-
Patent number: 11438155Abstract: Techniques for implementing a key vault as an enclave are presented. The techniques include securely storing, in a key vault enclave, a key for an encryption system according to a key use policy; sending an vault attestation report of a key vault enclave to a vault client; and performing an operation in the key vault enclave with the key. Some embodiments further include receiving, at the key vault enclave, a client attestation report of the vault client wherein the vault client and key vault enclave are hosted on different native enclave platforms.Type: GrantFiled: January 24, 2017Date of Patent: September 6, 2022Assignee: Microsoft Technology Licensing, LLCInventor: Manuel Costa
-
Patent number: 11405177Abstract: A nested enclave identity is presented. A nested identity is indicative of one or more possible enclave instantiations according to one or more identity types. Enclave identities may be nested such that a lower level identity type corresponds to a subset of the possible enclave instantiations that a higher level identity type corresponds to. Techniques disclosed include instantiating an enclave with a nested identity at a software interface to an enclave platform, and performing an operation related to the instantiated enclave using the nested identity.Type: GrantFiled: January 24, 2017Date of Patent: August 2, 2022Assignee: Microsoft Technology Licensing, LLCInventor: Manuel Costa
-
Patent number: 11403390Abstract: An abstract enclave identity is presented. An abstract identity may be a secure identity that may be the same for multiple related, but not identical, enclave instantiations. An enclave identity value may be determined from an abstract enclave identity type with respect to a instantiated enclave. Various enclave operations may be performed with an abstract identity, such as sealing data to an abstract identity, incrementing a monotonic counter, making trusted time measurement.Type: GrantFiled: January 24, 2017Date of Patent: August 2, 2022Assignee: Microsoft Technology Licensing, LLCInventor: Manuel Costa
-
Patent number: 11218457Abstract: The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a first node is endorsed. During endorsement of a first node, a pre-determined type of blockchain or other security protocol code to be authorized and a pre-determined membership list are stored in a trusted execution environment (TEE) of the first node. A determination is made as to whether the membership lists and pre-determined blockchain or other security protocol code to be authorized from the proposed members match. If so, TEE attestation is used to verify that nodes associated with prospective members of the consortium store the pre-determined type of blockchain or other security protocol code to be authorized. Upon TEE attestation being successful, a consortium network is bootstrapped such that the prospective members become members of the consortium network.Type: GrantFiled: November 17, 2019Date of Patent: January 4, 2022Assignee: Microsoft Technology Licensing, LLCInventors: Mark Russinovich, Manuel Costa, Matthew Kerner, Thomas Moscibroda
-
Publication number: 20210342492Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.Type: ApplicationFiled: July 13, 2021Publication date: November 4, 2021Inventors: Stavros VOLOS, David Thomas CHISNALL, Saurabh Mohan KULKARNI, Kapil VASWANI, Manuel COSTA, Samuel Alexander WEBSTER, Cédric Alain Marie FOURNET, Richard OSBORNE, Daniel John Pelham WILKINSON, Graham Bernard CUNNINGHAM
-
Patent number: 11126757Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.Type: GrantFiled: October 19, 2018Date of Patent: September 21, 2021Assignee: Microsoft Technology Licensing, LLCInventors: Stavros Volos, David Thomas Chisnall, Saurabh Mohan Kulkarni, Kapil Vaswani, Manuel Costa, Samuel Alexander Webster, Cédric Alain Marie Fournet
-
Patent number: 11036875Abstract: Techniques for instantiating an enclave from dependent enclave images are presented. The techniques include identifying a first set of dependent enclave indicators from a primary enclave image, identifying a first dependent enclave image corresponding to one of the first set of dependent enclave indicators, creating a secure enclave container, and copying at least a portion of the primary enclave image and at least a portion of the first dependent enclave image into the secure enclave container.Type: GrantFiled: January 24, 2017Date of Patent: June 15, 2021Assignee: Microsoft Technology Licensing, LLCInventor: Manuel Costa
-
Patent number: 11017113Abstract: A database transaction is executed in a computer of a system of networked computers having secure processing enclaves. Within the secure processing enclave, a database transaction log record for the executed database transaction is generated and cryptographically secured using a private key held in secure storage of the secure processing enclave. A state of the distributed database is recorded in a series of transaction log records which is replicated in distributed computer storage accessible to the networked computers. Consensus messages are transmitted and received via secure communication links between the secure processing enclaves of the networked computers, to incorporate the database transaction log record into the series of transaction log records in accordance with a distributed consensus protocol, which is implemented based on consensus protocol logic held within the secure processing enclave.Type: GrantFiled: November 26, 2018Date of Patent: May 25, 2021Assignee: Microsoft Technology Licensing, LLCInventors: Kapil Vaswani, Manuel Costa
-
Patent number: 10931652Abstract: Techniques for securely sealing and unsealing enclave data across platforms are presented. Enclave data from a source enclave hosted on a first computer may be securely sealed to a sealing enclave on a second computer, and may further be securely unsealed for a destination enclave on a third computer. Securely transferring an enclave workload from one computer to another is disclosed.Type: GrantFiled: January 24, 2017Date of Patent: February 23, 2021Assignee: Microsoft Technology Licensing, LLCInventor: Manuel Costa
-
Patent number: 10911451Abstract: Techniques for securely sealing and unsealing enclave data across platforms are presented. Enclave data from a source enclave hosted on a first computer may be securely sealed to a sealing enclave on a second computer, and may further be securely unsealed for a destination enclave on a third computer. Securely transferring an enclave workload from one computer to another is disclosed.Type: GrantFiled: January 24, 2017Date of Patent: February 2, 2021Assignee: Microsoft Technology Licensing, LLCInventor: Manuel Costa
-
Publication number: 20210004469Abstract: A computer system has a separation mechanism which enforces separation between at least two execution environments such that one execution environment is a gatekeeper which interposes on all communications of the other execution environment. The computer system has an attestation mechanism which enables the gatekeeper to attest to properties of the at least two execution environments. A first one of the execution environments runs application specific code which may contain security vulnerabilities. The gatekeeper is configured to enforce an input output policy on the first execution environment by interposing on all communication to and from the first execution environment by forwarding, modifying or dropping individual ones of the communications according to the policy. The gatekeeper provides evidence of attestation both for the application specific code and the policy.Type: ApplicationFiled: July 3, 2019Publication date: January 7, 2021Inventors: David Thomas CHISNALL, Cédric Alain Marie FOURNET, Manuel COSTA, Samuel Alexander WEBSTER, Sylvan CLEBSCH, Kapil VASWANI
-
Patent number: 10877785Abstract: Abstraction programming models of enclave security platforms are described, including receiving a request from an enclave according to an enclave abstraction protocol, converting the request into a native enclave protocol, and sending the converted request to a native platform. The request may be, for example: to create an attestation report, to seal data to the enclave, a request to call a function in a client of the enclave, read a monotonic counter, to take a trusted time measurement, or to allocate memory that is shared with both the enclave and the enclave client.Type: GrantFiled: January 24, 2017Date of Patent: December 29, 2020Assignee: Microsoft Technology Licensing, LLCInventor: Manuel Costa
-
Patent number: 10867029Abstract: Abstraction programming models of enclave security platforms are described, including receiving a request from an enclave client according to a client abstraction protocol, converting the request into a native enclave protocol, and sending the converted request to a native platform. The request may be, for example: a request to instantiate an enclave, verify an attestation report of an enclave, a request to call into an enclave, or a request to allocate memory that is shared with both the enclave and the enclave client.Type: GrantFiled: January 24, 2017Date of Patent: December 15, 2020Assignee: Microsoft Technology Licensing, LLCInventor: Manuel Costa
-
Patent number: 10859463Abstract: The present invention relates to a method for producing a bag in the interior space of a container and for testing said bag, and to a system for this purpose, to a computer program product for execution, and to the use of the system for the methods.Type: GrantFiled: September 22, 2017Date of Patent: December 8, 2020Assignee: BOEHRINGER INGELHEIM INTERNATIONAL GMBHInventors: Gerald Mathe, Carlos-Manuel Costa Pereira-Kirchwehm