Patents by Inventor David Alan Hepkin
David Alan Hepkin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240126580Abstract: Transparently providing a virtualization feature to an unenlightened guest operating system (OS). A guest partition, corresponding to a virtual machine, is divided into a first guest privilege context and a second guest privilege context. A compatibility component executes within the first guest privilege context, while a guest OS executes within the second guest privilege context. The compatibility component is configured to intercept input/output (I/O) operations associated with the guest operating OS. Based on the compatibility component intercepting an I/O operation associated with the guest OS, the compatibility component processes the I/O operation using a virtualization feature that is unsupported by the guest OS. Examples of the virtualization feature include accelerated access to a hardware device and virtual machine guest confidentiality.Type: ApplicationFiled: December 22, 2022Publication date: April 18, 2024Inventors: Jin LIN, David Alan HEPKIN, Michael Bishop EBERSOL, Matthew David KURJANOWICZ, Aditya BHANDARI, Attilio MAINETTI, Amy Anthony PARISH
-
Publication number: 20240104193Abstract: Methods, systems, and computer program products for direct assignment of physical devices to confidential virtual machines (VMs). At a first guest privilege context of a guest partition, a direct assignment of a physical device associated with a host computer system to the guest partition is identified. The guest partition includes the first guest privilege context and a second guest privilege context, which is restricted from accessing memory associated with the first guest privilege context. The guest partition corresponds to a confidential VM, such that a memory region associated with the guest partition is inaccessible to a host operating system. It is determined, based on a policy, that the physical device is allowed to be directly assigned to the guest partition. Communication between the physical device and the second guest privilege context is permitted, such as by exposing the physical device on a virtual bus and/or forwarding an interrupt.Type: ApplicationFiled: September 26, 2022Publication date: March 28, 2024Inventors: Jin LIN, Jason Stewart WOHLGEMUTH, Michael Bishop EBERSOL, Aditya BHANDARI, Steven Adrian WEST, Emily Cara CLEMENS, Michael Halstead KELLEY, Dexuan CUI, Attilio MAINETTI, Sarah Elizabeth STEPHENSON, Carolina Cecilia PEREZ-VARGAS, Antoine Jean Denis DELIGNAT-LAVAUD, Kapil VASWANI, Alexander Daniel GREST, Steve Michel PRONOVOST, David Alan HEPKIN
-
Publication number: 20240069943Abstract: Data-at-rest protection for virtual machines includes operating a data protection component within a first privilege context of a guest partition, and operating a guest operating system (OS) within a second privilege context of the guest partition. The data protection component participates in data input/output operations of the guest OS. Based on a data output operation of the guest OS, the data protection component applies a first data protection operation to first data associated with the data output operation; and initiates storage of a first result of the first data protection operation to a data storage device. Based a data input operation of the guest OS, the data protection component applies a second data protection operation to second data associated with the data input operation; and, based on applying the second data protection operation to the second data, communicates an outcome of the data input operation to the guest OS.Type: ApplicationFiled: August 29, 2022Publication date: February 29, 2024Inventors: Jin LIN, David Alan HEPKIN, Michael Bishop EBERSOL, Matthew David KURJANOWICZ, Taylor Alan HOPE
-
Patent number: 11875145Abstract: A computing system running a host operating system and a virtual machine (VM). The computing system includes at least one device that is directly assigned to the VM. The computing system is configured to execute one or more first VM components and one or more second VM components. The one or more first VM components are configured to manage the one or more second VM components via one or more identification pointers. While the one or more second VM components remain loaded in a system memory, and the directly assigned device remains attached to the VM and remains configured to communicate with the one or more second VM component, the one or more first VM components are shut down and restored.Type: GrantFiled: December 13, 2022Date of Patent: January 16, 2024Assignee: Microsoft Technology Licensing, LLCInventors: Kevin Michael Broas, David Alan Hepkin, Wen Jia Liu, Hadden Mark Hoppert
-
Publication number: 20230401081Abstract: Isolating resources of a virtual machine (VM) guest from a host operating system. A computer system receives an acceptance request from a guest partition corresponding to an isolated VM. The acceptance request identifies a guest memory page that is mapped into a guest physical address space of the guest partition, and a memory page visibility class. The computer system determines whether a physical memory page that is mapped to the guest memory page meets the memory page visibility class. The computer system sets a page acceptance indication for the guest memory page from an unaccepted state to an accepted state based on the physical memory page meeting the memory page visibility class.Type: ApplicationFiled: June 10, 2022Publication date: December 14, 2023Inventors: Jin LIN, David Alan HEPKIN, Michael Bishop EBERSOL, Stephanie Sumyi LUCK, Jonathan Edward LANGE, Bruce J. SHERWIN, JR., Kevin Michael BROAS, Wen Jia LIU, Xin David ZHANG, Alexander Daniel GREST
-
Publication number: 20230244601Abstract: Techniques for computer memory management are disclosed herein. In one embodiment, a method includes in response to receiving a request for allocation of memory, determining whether the request is for allocation from a first memory region or a second memory region of the physical memory. The first memory region has first memory subregions of a first size and the second memory region having second memory subregions of a second size larger than the first size of the first memory region. The method further includes in response to determining that the request for allocation of memory is for allocation from the first or second memory region, allocating a portion of the first or second multiple memory subregions of the first or second memory region, respectively, in response to the request.Type: ApplicationFiled: February 13, 2023Publication date: August 3, 2023Applicant: Microsoft Technology Licensing, LLCInventors: Yevgeniy M. BAK, Kevin Michael BROAS, David Alan HEPKIN, Landy WANG, Mehmet IYIGUN, Brandon Alec ALLSOP, Arun U. KISHAN
-
Publication number: 20230116221Abstract: A computing system running a host operating system and a virtual machine (VM). The computing system includes at least one device that is directly assigned to the VM. The computing system is configured to execute one or more first VM components and one or more second VM components. The one or more first VM components are configured to manage the one or more second VM components via one or more identification pointers. While the one or more second VM components remain loaded in a system memory, and the directly assigned device remains attached to the VM and remains configured to communicate with the one or more second VM component, the one or more first VM components are shut down and restored.Type: ApplicationFiled: December 13, 2022Publication date: April 13, 2023Inventors: Kevin Michael BROAS, David Alan HEPKIN, Wen Jia LIU, Hadden Mark HOPPERT
-
Patent number: 11580019Abstract: Techniques for computer memory management are disclosed herein. In one embodiment, a method includes in response to receiving a request for allocation of memory, determining whether the request is for allocation from a first memory region or a second memory region of the physical memory. The first memory region has first memory subregions of a first size and the second memory region having second memory subregions of a second size larger than the first size of the first memory region. The method further includes in response to determining that the request for allocation of memory is for allocation from the first or second memory region, allocating a portion of the first or second multiple memory subregions of the first or second memory region, respectively, in response to the request.Type: GrantFiled: April 17, 2020Date of Patent: February 14, 2023Assignee: Microsoft Technology Licensing, LLCInventors: Yevgeniy M. Bak, Kevin Michael Broas, David Alan Hepkin, Landy Wang, Mehmet Iyigun, Brandon Alec Allsop, Arun U. Kishan
-
Patent number: 11531533Abstract: A computing system running a host operating system and a virtual machine (VM). The computing system includes at least one device that is directly assigned to the VM. The computing system is configured to execute one or more first VM components and one or more second VM components. The one or more first VM components are configured to manage the one or more second VM components via one or more identification pointers. While the one or more second VM components remain loaded in a system memory, and the directly assigned device remains attached to the VM and remains configured to communicate with the one or more second VM component, the one or more first VM components are shut down and restored.Type: GrantFiled: April 12, 2021Date of Patent: December 20, 2022Assignee: Microsoft Technology Licensing, LLCInventors: Kevin Michael Broas, David Alan Hepkin, Wen Jia Liu, Hadden Mark Hoppert
-
Publication number: 20210326253Abstract: Techniques for computer memory management are disclosed herein. In one embodiment, a method includes in response to receiving a request for allocation of memory, determining whether the request is for allocation from a first memory region or a second memory region of the physical memory. The first memory region has first memory subregions of a first size and the second memory region having second memory subregions of a second size larger than the first size of the first memory region. The method further includes in response to determining that the request for allocation of memory is for allocation from the first or second memory region, allocating a portion of the first or second multiple memory subregions of the first or second memory region, respectively, in response to the request.Type: ApplicationFiled: April 17, 2020Publication date: October 21, 2021Inventors: Yevgeniy M. Bak, Kevin Michael Broas, David Alan Hepkin, Landy Wang, Mehmet Iyigun, Brandon Alec Allsop, Arun U. Kishan
-
Publication number: 20210232383Abstract: A computing system running a host operating system and a virtual machine (VM). The computing system includes at least one device that is directly assigned to the VM. The computing system is configured to execute one or more first VM components and one or more second VM components. The one or more first VM components are configured to manage the one or more second VM components via one or more identification pointers. While the one or more second VM components remain loaded in a system memory, and the directly assigned device remains attached to the VM and remains configured to communicate with the one or more second VM component, the one or more first VM components are shut down and restored.Type: ApplicationFiled: April 12, 2021Publication date: July 29, 2021Inventors: Kevin Michael BROAS, David Alan HEPKIN, Wen Jia LIU, Hadden Mark HOPPERT
-
Patent number: 10990374Abstract: An operation of a VM running first and second VM components is suspended so that a servicing operation for the VM can be performed. The VM has devices directly attached to it. A state of the first VM components is saved. An identification pointer for the second VM components is saved in a portion of the computing system physical memory without removing any underlying data structures of second VM components from computing system physical hardware. The directly attached devices remain configured as attached to the VM and remain configured to communicate with the VM while the VM is suspended and while the servicing operation is performed. The first VM components are shut down and then restored at the completion of the servicing operation using the saved state. The restored first VM components are reconnected to the second VM components using the identification pointers. The operation of the VM is restored.Type: GrantFiled: September 14, 2018Date of Patent: April 27, 2021Assignee: MICROSOFTTECHNOLOGY LICENSING, LLCInventors: Kevin Michael Broas, David Alan Hepkin, Wen Jia Liu, Hadden Mark Hoppert
-
Patent number: 10649763Abstract: The disclosed technology is generally directed to the patching of executing binaries. In one example of the technology, at separate times, a plurality of hot patch requests is received. Each hot patch request of the plurality of hot patch requests includes a corresponding hot patch to hot patch the executing binary. A cardinality of the plurality of hot patch requested is greater than the fixed number of logical patch slots. with the executing binary continuing to execute, each time a request to apply a hot patch to the executing binary is received, the corresponding hot patch is assigned to an inactive logical patch slot of the fixed number of logical patch slots. The corresponding hot patch is executed from the assigned logical patch slot to hot patch the executing binary based on the corresponding hot patch.Type: GrantFiled: June 15, 2018Date of Patent: May 12, 2020Assignee: Microsoft Technology Licensing, LLCInventors: Sai Ganesh Ramachandran, Bruce J. Sherwin, Jr., David Alan Hepkin
-
Patent number: 10621342Abstract: Speculative side channels exist when memory is accessed by speculatively-executed processor instructions. Embodiments use uncacheable memory mappings to close speculative side channels that could allow an unprivileged execution context to access a privileged execution context's memory. Based on allocation of memory location(s) to the unprivileged execution context, embodiments map these memory location(s) as uncacheable within first page table(s) corresponding to the privileged execution context, but map those same memory locations as cacheable within second page table(s) corresponding to the unprivileged execution context. This prevents a processor from carrying out speculative execution of instruction(s) from the privileged execution context that access any of this memory allocated to the unprivileged execution context, due to the unprivileged execution context's memory being mapped as uncacheable for the privileged execution context.Type: GrantFiled: November 2, 2017Date of Patent: April 14, 2020Assignee: Microsoft Technology Licensing, LLCInventors: Kenneth D. Johnson, Sai Ganesh Ramachandran, Xin David Zhang, Arun Upadhyaya Kishan, David Alan Hepkin
-
Publication number: 20200089484Abstract: An operation of a VM running first and second VM components is suspended so that a servicing operation for the VM can be performed. The VM has devices directly attached to it. A state of the first VM components is saved. An identification pointer for the second VM components is saved in a portion of the computing system physical memory without removing any underlying data structures of second VM components from computing system physical hardware. The directly attached devices remain configured as attached to the VM and remain configured to communicate with the VM while the VM is suspended and while the servicing operation is performed. The first VM components are shut down and then restored at the completion of the servicing operation using the saved state. The restored first VM components are reconnected to the second VM components using the identification pointers. The operation of the VM is restored.Type: ApplicationFiled: September 14, 2018Publication date: March 19, 2020Inventors: Kevin Michael BROAS, David Alan HEPKIN, Wen Jia LIU, Hadden Mark HOPPERT
-
Patent number: 10540199Abstract: In a virtual computing environment, a system configured to switch between isolated virtual contexts. A system includes a physical processor. The physical processor includes an instruction set architecture. The instruction set architecture includes an instruction included in the instruction set architecture for the physical processor that when invoked indicates that a virtual processor implemented using the physical processor should switch directly from a first virtual machine context to a second virtual machine context. The first and second virtual machine contexts are isolated from each other.Type: GrantFiled: March 12, 2018Date of Patent: January 21, 2020Assignee: Microsoft Technology Licensing, LLCInventor: David Alan Hepkin
-
Publication number: 20190384591Abstract: The disclosed technology is generally directed to the patching of executing binaries. In one example of the technology, at separate times, a plurality of hot patch requests is received. Each hot patch request of the plurality of hot patch requests includes a corresponding hot patch to hot patch the executing binary. A cardinality of the plurality of hot patch requested is greater than the fixed number of logical patch slots. with the executing binary continuing to execute, each time a request to apply a hot patch to the executing binary is received, the corresponding hot patch is assigned to an inactive logical patch slot of the fixed number of logical patch slots. The corresponding hot patch is executed from the assigned logical patch slot to hot patch the executing binary based on the corresponding hot patch.Type: ApplicationFiled: June 15, 2018Publication date: December 19, 2019Inventors: Sai Ganesh RAMACHANDRAN, Bruce J. SHERWIN, JR., David Alan HEPKIN
-
Publication number: 20190130102Abstract: Speculative side channels exist when memory is accessed by speculatively-executed processor instructions. Embodiments use uncacheable memory mappings to close speculative side channels that could allow an unprivileged execution context to access a privileged execution context's memory. Based on allocation of memory location(s) to the unprivileged execution context, embodiments map these memory location(s) as uncacheable within first page table(s) corresponding to the privileged execution context, but map those same memory locations as cacheable within second page table(s) corresponding to the unprivileged execution context. This prevents a processor from carrying out speculative execution of instruction(s) from the privileged execution context that access any of this memory allocated to the unprivileged execution context, due to the unprivileged execution context's memory being mapped as uncacheable for the privileged execution context.Type: ApplicationFiled: November 2, 2017Publication date: May 2, 2019Inventors: Kenneth D. JOHNSON, Sai Ganesh RAMACHANDRAN, Xin David ZHANG, Arun Upadhyaya KISHAN, David Alan HEPKIN
-
Publication number: 20180196692Abstract: In a virtual computing environment, a system configured to switch between isolated virtual contexts. A system includes a physical processor. The physical processor includes an instruction set architecture. The instruction set architecture includes an instruction included in the instruction set architecture for the physical processor that when invoked indicates that a virtual processor implemented using the physical processor should switch directly from a first virtual machine context to a second virtual machine context. The first and second virtual machine contexts are isolated from each other.Type: ApplicationFiled: March 12, 2018Publication date: July 12, 2018Inventor: David Alan Hepkin
-
Patent number: 9928094Abstract: In a virtual computing environment, a system configured to switch between isolated virtual contexts. A system includes a physical processor. The physical processor includes an instruction set architecture. The instruction set architecture includes an instruction included in the instruction set architecture for the physical processor that when invoked indicates that a virtual processor implemented using the physical processor should switch directly from a first virtual machine context to a second virtual machine context. The first and second virtual machine contexts are isolated from each other.Type: GrantFiled: March 25, 2015Date of Patent: March 27, 2018Assignee: Microsoft Technology Licensing, LLCInventor: David Alan Hepkin