Patents by Inventor Gerardo Diaz-Cuellar
Gerardo Diaz-Cuellar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11962694Abstract: A computing device, such as a personal computing device (e.g., laptop, smartphone, etc.) or server, is configured to utilize environmental factors in generating public/private key pairs to access restricted data or operations. The environmental factors can include location, time, barometric pressure, acceleration, temperature, humidity, and the like. An initial key pair may be used to encrypt data and enable other conventional security features. A key pair can be subsequently generated based on the same environmental factors as with the initial key pair generation and used to access the data or operations which have been restricted using the initial key pair.Type: GrantFiled: November 29, 2021Date of Patent: April 16, 2024Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: David Garfield Thaler, III, Joerg-Thomas Pfenning, Gerardo Diaz-Cuellar
-
Patent number: 11861414Abstract: Techniques are disclosed for implementing system calls in a virtualized computing environment. An interface is configured to abstract partitions in the virtualized computing environment. A system call is received that is to be executed across a system boundary in a localized computing environment. Based on a declarative policy, one or more of a device type, device path, or process identity associated with the system call is determined. The system call is executed in the virtualized computing environment.Type: GrantFiled: January 28, 2022Date of Patent: January 2, 2024Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: Gerardo Diaz-Cuellar, Poornananda R. Gaddehosur, Vance P. O'Neill
-
Patent number: 11809611Abstract: The present disclosure relates to devices and methods for protecting data from physical attacks. The devices and methods may establish an encryption protocol to encrypt data transmitted over a bus to one or more removable devices in communication with a computer device. The devices and methods may use the encryption protocol to communicate with the removal devices and perform storage requests at the removal devices. The devices and methods may also perform another layer of encryption on the data stored at the removal devices using a data at rest key stored on the removal devices.Type: GrantFiled: February 24, 2020Date of Patent: November 7, 2023Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: Gerardo Diaz-Cuellar, Venkata Subrahmanyam Raman
-
Publication number: 20230336530Abstract: Examples of the present disclosure describe systems and methods for configuring and executing per-service TLS settings in a forward proxy. In examples, a proxy device receives a connection request from a client device to access a service. The proxy device identifies service connection information included in the connection request and selects a connection scheme for connecting to the service. The service connection information is compared to a static mapping of connection data in the connection scheme. If the service connection information matches the static mapping of connection data, a TLS type is determined for the connection request. If the service connection information does not match the static mapping of connection information, the service connection information is compared to a dynamic mapping of session information. Based on the comparison of the service connection information to the dynamic mapping of session information, a TLS type is determined for the connection request.Type: ApplicationFiled: April 19, 2022Publication date: October 19, 2023Inventors: Arupendra N. Roy, Arun Yadav, Chin Pong Kwong, Gerardo Diaz Cuellar, Alexandru Naparu, Jing Li
-
Patent number: 11729187Abstract: Devices and methods for protecting server devices from physical attacks use an encrypted overlay network to securely communicate between a trusted network and one or more host computer devices in communication with the trusted network. The devices and methods may generate VPN tunnels to communicate directly with individual host computer devices. The devices and methods may securely transmit data packets between the trusted network and the host computer devices using the VPN tunnels.Type: GrantFiled: February 24, 2020Date of Patent: August 15, 2023Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: Gerardo Diaz-Cuellar, Venkata Subrahmanyam Raman
-
Patent number: 11695650Abstract: Inducements are provided to customers to regularly connect back to a service provider and report usage that is expressed using a count of requests from a local computing device for cloud-based operations such as packet routing, container instantiation, virtual machine (VM) utilization, calls to a service or application, and the like. The count information is reported within a secure context, such as a trusted execution environment (TEE), using public-private key pair cryptography by which key derivation is dependent on some form of counting. For example, a customer computing device that is subject to a usage license encrypts an operation count and reports it to the service provider.Type: GrantFiled: February 21, 2021Date of Patent: July 4, 2023Assignee: Microsoft Technology Licensing, LLCInventors: Gerardo Diaz-Cuellar, Stefan Thom, Joerg-Thomas Pfenning
-
Patent number: 11558189Abstract: The disclosure herein describes securing access to a service resource within a security boundary. A security gateway instance receives a request from an edge deployment outside the security boundary. The request includes identity data identifying the edge deployment. The identity data is validated based on allowed identity data of the security gateway instance and based on a validation handler associated with the service resource. Based on validating the identity data and validating the request, the identity data is transformed using security data specific to the security gateway instance. The transformed identity data indicates the request has been validated by the security gateway instance. Based on transforming the identity data of the request, the transformed identity data and the request are forwarded to the service resource via a network link within the security boundary, wherein the service resource is configured to process the request based on identifying the transformed identity data.Type: GrantFiled: November 30, 2020Date of Patent: January 17, 2023Assignee: Microsoft Technology Licensing, LLCInventors: Fernando Garcia Valenzuela, Venkatasubrahmanyam Raman, Gerardo Diaz Cuellar, Arupendra Narayan Roy, Bisconde Ramon Aquino, Alexandru Naparu
-
Publication number: 20220291875Abstract: Examples described herein generally relate to hosting virtual memory backed kernel isolated containers. A server includes at least one physical processor and at least one physical computer memory addressable via physical memory addresses. The at least one physical computer memory stores executable code configured to provide at least one host including a kernel and at least one kernel isolated container within the at least one host. The host allocates virtual memory having virtual memory addresses to a respective container of the at least one kernel isolated container. The host pins a subset of the virtual memory addresses to a subset of the physical memory addresses. The host performs a direct memory access operation or device memory-mapped input-output operation of the respective container on the subset of the physical memory addresses. At least part of the physical computer memory that is not pinned is oversubscribed.Type: ApplicationFiled: August 25, 2020Publication date: September 15, 2022Inventors: Gerardo DIAZ-CUELLAR, Omar CARDONA, Jacob Kappeler OSHINS, John STARKS, Craig Daniel WILHITE
-
Publication number: 20220276886Abstract: Examples described herein generally relate to a server for hosting process isolated containers within a virtual machine. The server includes at least one physical processor; at least one physical computer memory storing executable code for execution by the at least one physical processor, and a physical network interface controller, NIC. The executable code may be configured to provide a host virtual machine and at least one process isolated container within the host virtual machine. The physical NIC includes a physical NIC switch configured to distribute incoming data packets to a plurality of functions including a physical function and virtual functions. At least one of the virtual functions is assigned to an individual process isolated container within the virtual machine. The virtual function assigned to the individual process isolated container allows the physical NIC switch to distribute incoming data packets for the individual process isolated container at a hardware level.Type: ApplicationFiled: August 25, 2020Publication date: September 1, 2022Inventors: Gerardo DIAZ-CUELLAR, Omar CARDONA, Dinesh Kumar GOVINDASAMY, Jason MESSER
-
Publication number: 20220173901Abstract: The disclosure herein describes securing access to a service resource within a security boundary. A security gateway instance receives a request from an edge deployment outside the security boundary. The request includes identity data identifying the edge deployment. The identity data is validated based on allowed identity data of the security gateway instance and based on a validation handler associated with the service resource. Based on validating the identity data and validating the request, the identity data is transformed using security data specific to the security gateway instance. The transformed identity data indicates the request has been validated by the security gateway instance. Based on transforming the identity data of the request, the transformed identity data and the request are forwarded to the service resource via a network link within the security boundary, wherein the service resource is configured to process the request based on identifying the transformed identity data.Type: ApplicationFiled: November 30, 2020Publication date: June 2, 2022Inventors: Fernando GARCIA VALENZUELA, Venkata Subrahmanyam RAMAN, Gerardo DIAZ CUELLAR, Arupendra Narayan ROY, Bisconde Ramon AQUINO, Alexandru NAPARU
-
Publication number: 20220156126Abstract: Techniques are disclosed for implementing system calls in a virtualized computing environment. An interface is configured to abstract partitions in the virtualized computing environment. A system call is received that is to be executed across a system boundary in a localized computing environment. Based on a declarative policy, one or more of a device type, device path, or process identity associated with the system call is determined. The system call is executed in the virtualized computing environment.Type: ApplicationFiled: January 28, 2022Publication date: May 19, 2022Inventors: Gerardo DIAZ-CUELLAR, Poornananda R. GADDEHOSUR, Vance P. O'NEILL
-
Publication number: 20220085995Abstract: A computing device, such as a personal computing device (e.g., laptop, smartphone, etc.) or server, is configured to utilize environmental factors in generating public/private key pairs to access restricted data or operations. The environmental factors can include location, time, barometric pressure, acceleration, temperature, humidity, and the like. An initial key pair may be used to encrypt data and enable other conventional security features. A key pair can be subsequently generated based on the same environmental factors as with the initial key pair generation and used to access the data or operations which have been restricted using the initial key pair.Type: ApplicationFiled: November 29, 2021Publication date: March 17, 2022Inventors: David Garfield THALER, III, Joerg-Thomas PFENNING, Gerardo DIAZ-CUELLAR
-
Patent number: 11237878Abstract: Techniques are disclosed for implementing system calls in a virtualized computing environment. An interface is configured to abstract partitions in the virtualized computing environment. A system call is received that is to be executed across a system boundary in a localized computing environment. Based on a declarative policy, one or more of a device type, device path, or process identity associated with the system call is determined. The system call is executed in the virtualized computing environment.Type: GrantFiled: September 9, 2019Date of Patent: February 1, 2022Assignee: Microsoft Technology Licensing, LLCInventors: Gerardo Diaz-Cuellar, Poornananda R. Gaddehosur, Vance P. O'Neill
-
Patent number: 11190352Abstract: A computing device, such as a personal computing device (e.g., laptop, smartphone, etc.) or server, is configured to utilize environmental factors in generating public/private key pairs to access restricted data or operations. The environmental factors can include location, time, barometric pressure, acceleration, temperature, humidity, and the like. An initial key pair may be used to encrypt data and enable other conventional security features. A key pair can be subsequently generated based on the same environmental factors as with the initial key pair generation and used to access the data or operations which have been restricted using the initial key pair.Type: GrantFiled: November 27, 2018Date of Patent: November 30, 2021Assignee: Microsoft Technology Licensing, LLCInventors: David Garfield Thaler, III, Joerg-Thomas Pfenning, Gerardo Diaz-Cuellar
-
Publication number: 20210266336Abstract: The present disclosure relates to devices and methods for protecting server devices from physical attacks. The devices and methods may use an encrypted overlay network to securely communicate between a trusted network and one or more host computer devices on network racks in communication with the trusted network. The devices and methods may generate VPN tunnels to communicate directly with individual host computer devices on the network racks. The devices and methods may securely transmit data packets between the trusted network and the host computer devices using the VPN tunnels.Type: ApplicationFiled: February 24, 2020Publication date: August 26, 2021Inventors: Gerardo DIAZ-CUELLAR, Venkata Subrahmanyam RAMAN
-
Publication number: 20210264064Abstract: The present disclosure relates to devices and methods for protecting data from physical attacks. The devices and methods may establish an encryption protocol to encrypt data transmitted over a bus to one or more removable devices in communication with a computer device. The devices and methods may use the encryption protocol to communicate with the removal devices and perform storage requests at the removal devices. The devices and methods may also perform another layer of encryption on the data stored at the removal devices using a data at rest key stored on the removal devices.Type: ApplicationFiled: February 24, 2020Publication date: August 26, 2021Inventors: Gerardo DIAZ-CUELLAR, Venkata Subrahmanyam RAMAN
-
Publication number: 20210176141Abstract: Inducements are provided to customers to regularly connect back to a service provider and report usage that is expressed using a count of requests from a local computing device for cloud-based operations such as packet routing, container instantiation, virtual machine (VM) utilization, calls to a service or application, and the like. The count information is reported within a secure context, such as a trusted execution environment (TEE), using public-private key pair cryptography by which key derivation is dependent on some form of counting. For example, a customer computing device that is subject to a usage license encrypts an operation count and reports it to the service provider.Type: ApplicationFiled: February 21, 2021Publication date: June 10, 2021Inventors: Gerardo DIAZ-CUELLAR, Stefan THOM, Joerg-Thomas PFENNING
-
Patent number: 10965551Abstract: Inducements are provided to customers to regularly connect back to a service provider and report usage that is expressed using a count of requests from a local computing device for cloud-based operations such as packet routing, container instantiation, virtual machine (VM) utilization, calls to a service or application, and the like. The count information is reported within a secure context, such as a trusted execution environment (TEE), using public-private key pair cryptography by which key derivation is dependent on some form of counting. For example, a customer computing device that is subject to a usage license encrypts an operation count and reports it to the service provider.Type: GrantFiled: November 21, 2018Date of Patent: March 30, 2021Assignee: Microsoft Technology Licensing, LLCInventors: Gerardo Diaz-Cuellar, Stefan Thom, Joerg-Thomas Pfenning
-
Publication number: 20210073045Abstract: Techniques are disclosed for implementing system calls in a virtualized computing environment. An interface is configured to abstract partitions in the virtualized computing environment. A system call is received that is to be executed across a system boundary in a localized computing environment. Based on a declarative policy, one or more of a device type, device path, or process identity associated with the system call is determined. The system call is executed in the virtualized computing environment.Type: ApplicationFiled: September 9, 2019Publication date: March 11, 2021Inventors: Gerardo Diaz-Cuellar, Poornananda R. Gaddehosur, Vance P. O'Neill
-
Patent number: 10855725Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.Type: GrantFiled: June 2, 2016Date of Patent: December 1, 2020Assignee: Microsoft Technology Licensing, LLCInventors: Navin Narayan Pai, Charles G. Jeffries, Giridhar Viswanathan, Benjamin M. Schultz, Frederick J. Smith, Lars Reuther, Michael B. Ebersol, Gerardo Diaz Cuellar, Ivan Dimitrov Pashov, Poornananda R. Gaddehosur, Hari R. Pulapaka, Vikram Mangalore Rao