Patents by Inventor Jonas Pfoh
Jonas Pfoh has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20260064606Abstract: Memory address boundaries of an isolated section of code and data is received from a guest in a virtualized system. One or more memory addresses that are legitimate entry points to the isolated section of code is received from the guest. One or more memory addresses that are each a return address of a call made from code in the isolated section into code that is not part of the isolated section is received from the guest. The host receives a second-level address translation (SLAT) violation during execution of a virtual central processing unit (vCPU) of the guest, where the first SLAT violation is associated with a memory address. The host determines that the first SLAT violation resulted from the vCPU attempting to access data in the isolated section of code and data and performs a remediation.Type: ApplicationFiled: September 2, 2025Publication date: March 5, 2026Inventors: Sergej Proskurin, Sebastian Wolfgang Vogl, Jonas Pfoh
-
Patent number: 12505050Abstract: Physical memory isolation in a virtualized system is described. A notification is received from a guest in the virtualized system that an address space isolation component has been created in the guest. At the host of the virtualized system, a memory isolation domain that is bound with the address space isolation component is created. The memory isolation domain includes a set of second level address translation tables dedicated for that memory isolation domain. Guest-physical address (GPA) range(s) are received from the guest that are mapped into memory of the guest, and memory access permissions for the GPA range(s) are received and are being mapped for a process into the created memory isolation domain. The host determines whether the mapping for the process into the created memory isolation domain is permitted. If not permitted, the mapping is blocked thereby preventing access. If permitted, the mapping is granted thereby allowing access.Type: GrantFiled: April 26, 2024Date of Patent: December 23, 2025Assignee: BLUEROCK SECURITY, INC.Inventors: Sergej Proskurin, Sebastian Wolfgang Vogl, Jonas Pfoh
-
Patent number: 12443694Abstract: Process credential protection in a virtualized system is described. In-guest process credentials of a guest operating system are registered including binding the process credentials with the following values: a guest address of a first structure that includes subjective credentials, a guest address of a second structure that includes a context in which the process credentials reside, and data fields of the first structure that are not subject to change. A first tag is created from at least the information bound with the process credentials and stored. An integrity verification check is performed at a verification point that is triggered by a function or system call being called by the guest operating system, and includes creating a second tag from at least the information bound with the process credentials and determining if the first tag and second tag match. If they do not match, then the integrity of the in-guest process credentials has been compromised and remedial action is taken.Type: GrantFiled: August 30, 2023Date of Patent: October 14, 2025Assignee: BLUEROCK SECURITY, INC.Inventors: Sergej Proskurin, Sebastian Wolfgang Vogl, Robert Gawlik, Jonas Pfoh
-
Publication number: 20250284520Abstract: A formally verified trusted computing base with active security and policy enforcement is described. The formally verified trusted computing base includes a formally verified microkernel and multiple formally verified hyper-processes including a virtual machine monitor (VMM), virtual machine introspection (VMI), policy enforcers including an active security policy enforcer (ASPE), and a virtual switch. The active security and policy enforcement continuously monitors for semantic behavior detection or policy violations and enforces the policies at the virtualization layer. Further, policies can be attached to the network layer to provide granular control of the communication of the computing device.Type: ApplicationFiled: September 24, 2024Publication date: September 11, 2025Inventors: Osman Abdoul Ismael, Ashar Aziz, Jonas Pfoh
-
Publication number: 20240362171Abstract: Physical memory isolation in a virtualized system is described. A notification is received from a guest in the virtualized system that an address space isolation component has been created in the guest. At the host of the virtualized system, a memory isolation domain that is bound with the address space isolation component is created. The memory isolation domain includes a set of second level address translation tables dedicated for that memory isolation domain. Guest-physical address (GPA) range(s) are received from the guest that are mapped into memory of the guest, and memory access permissions for the GPA range(s) are received and are being mapped for a process into the created memory isolation domain. The host determines whether the mapping for the process into the created memory isolation domain is permitted. If not permitted, the mapping is blocked thereby preventing access. If permitted, the mapping is granted thereby allowing access.Type: ApplicationFiled: April 26, 2024Publication date: October 31, 2024Inventors: Sergej Proskurin, Sebastian Wolfgang Vogl, Jonas Pfoh
-
Patent number: 12099864Abstract: A formally verified trusted computing base with active security and policy enforcement is described. The formally verified trusted computing base includes a formally verified microkernel and multiple formally verified hyper-processes including a virtual machine monitor (VMM), virtual machine introspection (VMI), policy enforcers including an active security policy enforcer (ASPE), and a virtual switch. The active security and policy enforcement continuously monitors for semantic behavior detection or policy violations and enforces the policies at the virtualization layer. Further, policies can be attached to the network layer to provide granular control of the communication of the computing device.Type: GrantFiled: September 12, 2022Date of Patent: September 24, 2024Assignee: BlueRock Security, Inc.Inventors: Osman Abdoul Ismael, Ashar Aziz, Jonas Pfoh
-
Publication number: 20240070260Abstract: Process credential protection in a virtualized system is described. In-guest process credentials of a guest operating system are registered including binding the process credentials with the following values: a guest address of a first structure that includes subjective credentials, a guest address of a second structure that includes a context in which the process credentials reside, and data fields of the first structure that are not subject to change. A first tag is created from at least the information bound with the process credentials and stored. An integrity verification check is performed at a verification point that is triggered by a function or system call being called by the guest operating system, and includes creating a second tag from at least the information bound with the process credentials and determining if the first tag and second tag match. If they do not match, then the integrity of the in-guest process credentials has been compromised and remedial action is taken.Type: ApplicationFiled: August 30, 2023Publication date: February 29, 2024Inventors: Sergej Proskurin, Sebastian Wolfgang Vogl, Robert Gawlik, Jonas Pfoh
-
Publication number: 20230004418Abstract: A formally verified trusted computing base with active security and policy enforcement is described. The formally verified trusted computing base includes a formally verified microkernel and multiple formally verified hyper-processes including a virtual machine monitor (VMM), virtual machine introspection (VMI), policy enforcers including an active security policy enforcer (ASPE), and a virtual switch. The active security and policy enforcement continuously monitors for semantic behavior detection or policy violations and enforces the policies at the virtualization layer. Further, policies can be attached to the network layer to provide granular control of the communication of the computing device.Type: ApplicationFiled: September 12, 2022Publication date: January 5, 2023Inventors: Osman Abdoul Ismael, Ashar Aziz, Jonas Pfoh
-
Patent number: 11442770Abstract: A formally verified trusted computing base with active security and policy enforcement is described. The formally verified trusted computing base includes a formally verified microkernel and multiple formally verified hyper-processes including a virtual machine monitor (VMM), virtual machine introspection (VMI), policy enforcers including an active security policy enforcer (ASPE), and a virtual switch. The active security and policy enforcement continuously monitors for semantic behavior detection or policy violations and enforces the policies at the virtualization layer. Further, policies can be attached to the network layer to provide granular control of the communication of the computing device.Type: GrantFiled: October 13, 2021Date of Patent: September 13, 2022Assignee: BedRock Systems, Inc.Inventors: Osman Abdoul Ismael, Ashar Aziz, Jonas Pfoh
-
Publication number: 20220114009Abstract: A formally verified trusted computing base with active security and policy enforcement is described. The formally verified trusted computing base includes a formally verified microkernel and multiple formally verified hyper-processes including a virtual machine monitor (VMM), virtual machine introspection (VMI), policy enforcers including an active security policy enforcer (ASPE), and a virtual switch. The active security and policy enforcement continuously monitors for semantic behavior detection or policy violations and enforces the policies at the virtualization layer. Further, policies can be attached to the network layer to provide granular control of the communication of the computing device.Type: ApplicationFiled: October 13, 2021Publication date: April 14, 2022Inventors: Osman Abdoul Ismael, Ashar Aziz, Jonas Pfoh
-
Patent number: 10621338Abstract: A method for detecting a ROP attack comprising processing of an object within a virtual machine managed by a virtual machine monitor (VMM), intercepting an attempted execution by the object of an instruction, the instruction stored on a page in memory that is accessed by the virtual machine, responsive to determining the page includes instructions corresponding to one of a predefined set of function calls, (i) inserting a first transition event into the memory at a starting address location of a function call, and (ii) setting a permission of the page to be execute only, and responsive to triggering the first transition event, halting, by the VMM, the processing of the object and analyzing, by logic within the VMM, content of last branch records associated with the virtual machine to determine whether the processing of the object displays characteristics of a ROP attack is shown.Type: GrantFiled: June 29, 2016Date of Patent: April 14, 2020Assignee: FireEye, Inc.Inventors: Jonas Pfoh, Phung-Te Ha
-
Patent number: 10565378Abstract: A non-transitory storage medium having stored thereon logic, the logic being executable by one or more processors to perform operations including comparing a current privilege of a first process with an initial privilege of the first process recorded in a privilege list, and responsive to determining a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold, determining the first process is operating with the current privilege due to an exploit of privilege attack is shown.Type: GrantFiled: June 29, 2016Date of Patent: February 18, 2020Assignee: FireEye, Inc.Inventors: Michael Vincent, Sai Omkar Vashist, Jonas Pfoh