Patents by Inventor Jonas Pfoh

Jonas Pfoh has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20260064606
    Abstract: Memory address boundaries of an isolated section of code and data is received from a guest in a virtualized system. One or more memory addresses that are legitimate entry points to the isolated section of code is received from the guest. One or more memory addresses that are each a return address of a call made from code in the isolated section into code that is not part of the isolated section is received from the guest. The host receives a second-level address translation (SLAT) violation during execution of a virtual central processing unit (vCPU) of the guest, where the first SLAT violation is associated with a memory address. The host determines that the first SLAT violation resulted from the vCPU attempting to access data in the isolated section of code and data and performs a remediation.
    Type: Application
    Filed: September 2, 2025
    Publication date: March 5, 2026
    Inventors: Sergej Proskurin, Sebastian Wolfgang Vogl, Jonas Pfoh
  • Patent number: 12505050
    Abstract: Physical memory isolation in a virtualized system is described. A notification is received from a guest in the virtualized system that an address space isolation component has been created in the guest. At the host of the virtualized system, a memory isolation domain that is bound with the address space isolation component is created. The memory isolation domain includes a set of second level address translation tables dedicated for that memory isolation domain. Guest-physical address (GPA) range(s) are received from the guest that are mapped into memory of the guest, and memory access permissions for the GPA range(s) are received and are being mapped for a process into the created memory isolation domain. The host determines whether the mapping for the process into the created memory isolation domain is permitted. If not permitted, the mapping is blocked thereby preventing access. If permitted, the mapping is granted thereby allowing access.
    Type: Grant
    Filed: April 26, 2024
    Date of Patent: December 23, 2025
    Assignee: BLUEROCK SECURITY, INC.
    Inventors: Sergej Proskurin, Sebastian Wolfgang Vogl, Jonas Pfoh
  • Patent number: 12443694
    Abstract: Process credential protection in a virtualized system is described. In-guest process credentials of a guest operating system are registered including binding the process credentials with the following values: a guest address of a first structure that includes subjective credentials, a guest address of a second structure that includes a context in which the process credentials reside, and data fields of the first structure that are not subject to change. A first tag is created from at least the information bound with the process credentials and stored. An integrity verification check is performed at a verification point that is triggered by a function or system call being called by the guest operating system, and includes creating a second tag from at least the information bound with the process credentials and determining if the first tag and second tag match. If they do not match, then the integrity of the in-guest process credentials has been compromised and remedial action is taken.
    Type: Grant
    Filed: August 30, 2023
    Date of Patent: October 14, 2025
    Assignee: BLUEROCK SECURITY, INC.
    Inventors: Sergej Proskurin, Sebastian Wolfgang Vogl, Robert Gawlik, Jonas Pfoh
  • Publication number: 20250284520
    Abstract: A formally verified trusted computing base with active security and policy enforcement is described. The formally verified trusted computing base includes a formally verified microkernel and multiple formally verified hyper-processes including a virtual machine monitor (VMM), virtual machine introspection (VMI), policy enforcers including an active security policy enforcer (ASPE), and a virtual switch. The active security and policy enforcement continuously monitors for semantic behavior detection or policy violations and enforces the policies at the virtualization layer. Further, policies can be attached to the network layer to provide granular control of the communication of the computing device.
    Type: Application
    Filed: September 24, 2024
    Publication date: September 11, 2025
    Inventors: Osman Abdoul Ismael, Ashar Aziz, Jonas Pfoh
  • Publication number: 20240362171
    Abstract: Physical memory isolation in a virtualized system is described. A notification is received from a guest in the virtualized system that an address space isolation component has been created in the guest. At the host of the virtualized system, a memory isolation domain that is bound with the address space isolation component is created. The memory isolation domain includes a set of second level address translation tables dedicated for that memory isolation domain. Guest-physical address (GPA) range(s) are received from the guest that are mapped into memory of the guest, and memory access permissions for the GPA range(s) are received and are being mapped for a process into the created memory isolation domain. The host determines whether the mapping for the process into the created memory isolation domain is permitted. If not permitted, the mapping is blocked thereby preventing access. If permitted, the mapping is granted thereby allowing access.
    Type: Application
    Filed: April 26, 2024
    Publication date: October 31, 2024
    Inventors: Sergej Proskurin, Sebastian Wolfgang Vogl, Jonas Pfoh
  • Patent number: 12099864
    Abstract: A formally verified trusted computing base with active security and policy enforcement is described. The formally verified trusted computing base includes a formally verified microkernel and multiple formally verified hyper-processes including a virtual machine monitor (VMM), virtual machine introspection (VMI), policy enforcers including an active security policy enforcer (ASPE), and a virtual switch. The active security and policy enforcement continuously monitors for semantic behavior detection or policy violations and enforces the policies at the virtualization layer. Further, policies can be attached to the network layer to provide granular control of the communication of the computing device.
    Type: Grant
    Filed: September 12, 2022
    Date of Patent: September 24, 2024
    Assignee: BlueRock Security, Inc.
    Inventors: Osman Abdoul Ismael, Ashar Aziz, Jonas Pfoh
  • Publication number: 20240070260
    Abstract: Process credential protection in a virtualized system is described. In-guest process credentials of a guest operating system are registered including binding the process credentials with the following values: a guest address of a first structure that includes subjective credentials, a guest address of a second structure that includes a context in which the process credentials reside, and data fields of the first structure that are not subject to change. A first tag is created from at least the information bound with the process credentials and stored. An integrity verification check is performed at a verification point that is triggered by a function or system call being called by the guest operating system, and includes creating a second tag from at least the information bound with the process credentials and determining if the first tag and second tag match. If they do not match, then the integrity of the in-guest process credentials has been compromised and remedial action is taken.
    Type: Application
    Filed: August 30, 2023
    Publication date: February 29, 2024
    Inventors: Sergej Proskurin, Sebastian Wolfgang Vogl, Robert Gawlik, Jonas Pfoh
  • Publication number: 20230004418
    Abstract: A formally verified trusted computing base with active security and policy enforcement is described. The formally verified trusted computing base includes a formally verified microkernel and multiple formally verified hyper-processes including a virtual machine monitor (VMM), virtual machine introspection (VMI), policy enforcers including an active security policy enforcer (ASPE), and a virtual switch. The active security and policy enforcement continuously monitors for semantic behavior detection or policy violations and enforces the policies at the virtualization layer. Further, policies can be attached to the network layer to provide granular control of the communication of the computing device.
    Type: Application
    Filed: September 12, 2022
    Publication date: January 5, 2023
    Inventors: Osman Abdoul Ismael, Ashar Aziz, Jonas Pfoh
  • Patent number: 11442770
    Abstract: A formally verified trusted computing base with active security and policy enforcement is described. The formally verified trusted computing base includes a formally verified microkernel and multiple formally verified hyper-processes including a virtual machine monitor (VMM), virtual machine introspection (VMI), policy enforcers including an active security policy enforcer (ASPE), and a virtual switch. The active security and policy enforcement continuously monitors for semantic behavior detection or policy violations and enforces the policies at the virtualization layer. Further, policies can be attached to the network layer to provide granular control of the communication of the computing device.
    Type: Grant
    Filed: October 13, 2021
    Date of Patent: September 13, 2022
    Assignee: BedRock Systems, Inc.
    Inventors: Osman Abdoul Ismael, Ashar Aziz, Jonas Pfoh
  • Publication number: 20220114009
    Abstract: A formally verified trusted computing base with active security and policy enforcement is described. The formally verified trusted computing base includes a formally verified microkernel and multiple formally verified hyper-processes including a virtual machine monitor (VMM), virtual machine introspection (VMI), policy enforcers including an active security policy enforcer (ASPE), and a virtual switch. The active security and policy enforcement continuously monitors for semantic behavior detection or policy violations and enforces the policies at the virtualization layer. Further, policies can be attached to the network layer to provide granular control of the communication of the computing device.
    Type: Application
    Filed: October 13, 2021
    Publication date: April 14, 2022
    Inventors: Osman Abdoul Ismael, Ashar Aziz, Jonas Pfoh
  • Patent number: 10621338
    Abstract: A method for detecting a ROP attack comprising processing of an object within a virtual machine managed by a virtual machine monitor (VMM), intercepting an attempted execution by the object of an instruction, the instruction stored on a page in memory that is accessed by the virtual machine, responsive to determining the page includes instructions corresponding to one of a predefined set of function calls, (i) inserting a first transition event into the memory at a starting address location of a function call, and (ii) setting a permission of the page to be execute only, and responsive to triggering the first transition event, halting, by the VMM, the processing of the object and analyzing, by logic within the VMM, content of last branch records associated with the virtual machine to determine whether the processing of the object displays characteristics of a ROP attack is shown.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: April 14, 2020
    Assignee: FireEye, Inc.
    Inventors: Jonas Pfoh, Phung-Te Ha
  • Patent number: 10565378
    Abstract: A non-transitory storage medium having stored thereon logic, the logic being executable by one or more processors to perform operations including comparing a current privilege of a first process with an initial privilege of the first process recorded in a privilege list, and responsive to determining a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold, determining the first process is operating with the current privilege due to an exploit of privilege attack is shown.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: February 18, 2020
    Assignee: FireEye, Inc.
    Inventors: Michael Vincent, Sai Omkar Vashist, Jonas Pfoh