Patents by Inventor Kapil Vaswani

Kapil Vaswani has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220019700
    Abstract: A system and method for encrypting and decrypting data exchanged between a multi-tile processing unit and a storage, where a plurality of keys are used for the encryption. Each of the plurality of keys is associated with a different one or more sets of the processors. Encryption hardware is configured to select a key to use for encryption/decryption operations in dependence upon the set of tiles associated with the data being exchanged. Each write request from a tile contains identifier bits associated with that tile's set of tiles, enabling the encryption hardware to select the key to use for encrypting the data in the write request. Each read completion for a tile contains identifier bits associated with that tile's set of tiles, enabling the encryption hardware to select the key to use for decrypting the data in the read completion.
    Type: Application
    Filed: July 13, 2021
    Publication date: January 20, 2022
    Inventors: Daniel John Pelham WILKINSON, Graham Bernard CUNNINGHAM, Stavros VOLOS, Kapil VASWANI, Cedric Alain Marie FOURNET, Balaji VEMBU
  • Publication number: 20210382876
    Abstract: In various examples, there is provided a computer-implemented method for writing transaction log entries to a transaction log for a database system. At least part of the database system is configured to be executed within a trusted execution environment. The transaction log is stored outside of the trusted execution environment. The method maintains a first secure count representing a number of transaction log entries which have been written to the transaction log for transactions which have been committed to the database and writes a transaction log entry to the transaction log. In other examples, there is also provided is a computer-implemented method for restoring a database system using transaction log entries received from the transaction log and a current value of the first secure count.
    Type: Application
    Filed: August 25, 2021
    Publication date: December 9, 2021
    Inventors: Christian PRIEBE, Kapil VASWANI, Manuel Silverio da Silva COSTA
  • Publication number: 20210342492
    Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.
    Type: Application
    Filed: July 13, 2021
    Publication date: November 4, 2021
    Inventors: Stavros VOLOS, David Thomas CHISNALL, Saurabh Mohan KULKARNI, Kapil VASWANI, Manuel COSTA, Samuel Alexander WEBSTER, Cédric Alain Marie FOURNET, Richard OSBORNE, Daniel John Pelham WILKINSON, Graham Bernard CUNNINGHAM
  • Patent number: 11126757
    Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.
    Type: Grant
    Filed: October 19, 2018
    Date of Patent: September 21, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stavros Volos, David Thomas Chisnall, Saurabh Mohan Kulkarni, Kapil Vaswani, Manuel Costa, Samuel Alexander Webster, Cédric Alain Marie Fournet
  • Patent number: 11120011
    Abstract: In various examples, there is provided a computer-implemented method for writing transaction log entries to a transaction log for a database system. At least part of the database system is configured to be executed within a trusted execution environment. The transaction log is stored outside of the trusted execution environment. The method maintains a first secure count representing a number of transaction log entries which have been written to the transaction log for transactions which have been committed to the database and writes a transaction log entry to the transaction log. In other examples, there is also provided is a computer-implemented method for restoring a database system using transaction log entries received from the transaction log and a current value of the first secure count.
    Type: Grant
    Filed: April 17, 2018
    Date of Patent: September 14, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Christian Priebe, Kapil Vaswani, Manuel Silverio da Silva Costa
  • Patent number: 11016949
    Abstract: In various examples, there is a database system which comprises an operating system, a query engine, a transaction manager and components implementing database administration functionality. The query engine and the transaction manager are configured to be executed within one or more memory enclaves of a host computer system separately from the operating system and the components implementing database administration functionality.
    Type: Grant
    Filed: April 17, 2018
    Date of Patent: May 25, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Kapil Vaswani, Manuel Silverio Da Silva Costa
  • Patent number: 11016883
    Abstract: A method of manual memory management is described which comprises enabling one or more threads to access an object created in a manual heap by storing a reference to the object in thread-local state and subsequently deleting the stored reference after accessing the object. In response to abandonment of the object, an identifier for the object and a current value of either a local counter of a thread or a global counter are stored in a delete queue and all threads are prevented from storing any further references to the object in thread-local state. Deallocation of the object only occurs when all references to the object stored in thread-local state for any threads have been deleted and a current value of the local counter for the thread or the global counter has incremented to a value that is at least a pre-defined amount more than the stored value, wherein the global counter is updated using one or more local counters.
    Type: Grant
    Filed: June 6, 2017
    Date of Patent: May 25, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Matthew John Parkinson, Manuel Silverio da Silva Costa, Dimitrios Vytiniotis, Kapil Vaswani
  • Patent number: 11017113
    Abstract: A database transaction is executed in a computer of a system of networked computers having secure processing enclaves. Within the secure processing enclave, a database transaction log record for the executed database transaction is generated and cryptographically secured using a private key held in secure storage of the secure processing enclave. A state of the distributed database is recorded in a series of transaction log records which is replicated in distributed computer storage accessible to the networked computers. Consensus messages are transmitted and received via secure communication links between the secure processing enclaves of the networked computers, to incorporate the database transaction log record into the series of transaction log records in accordance with a distributed consensus protocol, which is implemented based on consensus protocol logic held within the secure processing enclave.
    Type: Grant
    Filed: November 26, 2018
    Date of Patent: May 25, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Kapil Vaswani, Manuel Costa
  • Publication number: 20210004469
    Abstract: A computer system has a separation mechanism which enforces separation between at least two execution environments such that one execution environment is a gatekeeper which interposes on all communications of the other execution environment. The computer system has an attestation mechanism which enables the gatekeeper to attest to properties of the at least two execution environments. A first one of the execution environments runs application specific code which may contain security vulnerabilities. The gatekeeper is configured to enforce an input output policy on the first execution environment by interposing on all communication to and from the first execution environment by forwarding, modifying or dropping individual ones of the communications according to the policy. The gatekeeper provides evidence of attestation both for the application specific code and the policy.
    Type: Application
    Filed: July 3, 2019
    Publication date: January 7, 2021
    Inventors: David Thomas CHISNALL, Cédric Alain Marie FOURNET, Manuel COSTA, Samuel Alexander WEBSTER, Sylvan CLEBSCH, Kapil VASWANI
  • Patent number: 10719567
    Abstract: Methods, systems, apparatuses, and computer program products are provided for secure handling of queries by a data server and a database application. A parameterized query is received from a client. Table column metadata is loaded for one or more table columns referenced by the parameterized query. Datatypes of expressions in the parameterized query are derived with any parameters and variables of the parameterized query indicated as having unknown datatypes. Unsupported datatype conversions in the parameterized query are determined. An encryption scheme is inferred for any parameters and variables to generate an inferred encryption scheme set. The datatypes of expressions in the parameterized query are re-derived with any parameters and variables having their inferred encryption schemes. Encryption key metadata corresponding to the inferred encryption scheme set is loaded. An encryption configuration is transmitted to the client that includes the inferred encryption scheme for any parameters and variables.
    Type: Grant
    Filed: January 7, 2019
    Date of Patent: July 21, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Panagiotis Antonopoulos, Kapil Vaswani, Krishna Nibhanupudi, Neerumalla Bala Rama Koteswara Rao
  • Publication number: 20200125772
    Abstract: A peripheral device, for use with a host, comprises one or more compute elements a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.
    Type: Application
    Filed: October 19, 2018
    Publication date: April 23, 2020
    Inventors: Stavros VOLOS, David Thomas CHISNALL, Saurabh Mohan KULKARNI, Kapil VASWANI, Manuel COSTA, Samuel Alexander WEBSTER, Cédric Alain Marie FOURNET
  • Publication number: 20200117825
    Abstract: A database transaction is executed in a computer of a system of networked computers having secure processing enclaves. Within the secure processing enclave, a database transaction log record for the executed database transaction is generated and cryptographically secured using a private key held in secure storage of the secure processing enclave. A state of the distributed database is recorded in a series of transaction log records which is replicated in distributed computer storage accessible to the networked computers. Consensus messages are transmitted and received via secure communication links between the secure processing enclaves of the networked computers, to incorporate the database transaction log record into the series of transaction log records in accordance with a distributed consensus protocol, which is implemented based on consensus protocol logic held within the secure processing enclave.
    Type: Application
    Filed: November 26, 2018
    Publication date: April 16, 2020
    Inventors: Kapil VASWANI, Manuel COSTA
  • Publication number: 20200117730
    Abstract: A database management system (DBMS) comprises one or more transaction processing engines (such as SQL engines) configured to execute a series of database transactions, each being executed according to one or more commands received in at least one transaction execution message so as to cause a change of state of the database from a previous state to a new state. The DBMS is configured to generate a series of transaction log records and provide the series of transaction log records to a blockchain network for storing in a blockchain secured by the blockchain network. Each transaction log record corresponds to one of the database transactions and comprises (i) the one or more commands according to which it was executed and (ii) results of its execution. The series of transaction log records constitutes an immutable audit log from which database is fully recoverable for auditing purposes.
    Type: Application
    Filed: October 16, 2018
    Publication date: April 16, 2020
    Inventors: Kapil VASWANI, Manuel COSTA, Mark RUSSINOVICH
  • Patent number: 10601596
    Abstract: Techniques to secure computation data in a computing environment from untrusted code. These techniques involve an isolated environment within the computing environment and an application programming interface (API) component to execute a key exchange protocol that ensures data integrity and data confidentiality for data communicated out of the isolated environment. The isolated environment includes an isolated memory region to store a code package. The key exchange protocol further involves a verification process for the code package stored in the isolated environment to determine whether the one or more exchanged encryption keys have been compromised. If the signature successfully authenticates the one or more keys, a secure communication channel is established to the isolated environment and access to the code package's functionality is enabled. Other embodiments are described and claimed.
    Type: Grant
    Filed: February 12, 2019
    Date of Patent: March 24, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Manuel Costa, Orion Tamlin Hodson, Sriram Kottarakurichi Rajamani, Marcus Peinado, Mark Eugene Russinovich, Kapil Vaswani
  • Publication number: 20200004993
    Abstract: A peripheral device package for use in a host computing device has a plurality of compute elements and a plurality of resources shared by the plurality of compute elements. A datastructure is stored in a hidden memory of the peripheral device package. The data structure holds metadata about ownership of resources of the peripheral device package by a plurality of user runtime processes of the host computing device which use the compute elements. At least one of the user runtime processes is a secure user runtime process. The peripheral device package has a command processor configured to use the datastructure to enforce isolation of the resources used by the secure user runtime process.
    Type: Application
    Filed: June 29, 2018
    Publication date: January 2, 2020
    Inventors: Stavros Volos, Kapil Vaswani
  • Patent number: 10496534
    Abstract: A method of manual memory management is described. In response to detecting an access violation triggered by the use of an invalid reference to an object in a manual heap, a source of the access in a register or stack is identified. An updated reference for the object using stored mapping data is determined and used to replace the invalid reference in the source.
    Type: Grant
    Filed: June 15, 2017
    Date of Patent: December 3, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Dimitrios Vytiniotis, Manuel Silverio da Silva Costa, Kapil Vaswani, Matthew John Parkinson, Piyus Kumar Kedia
  • Patent number: 10482263
    Abstract: Methods, systems, apparatuses, and computer program products are provided for processing queries. A data server includes a query processor configured to receive a query from a database application, which was received by the database application from a requestor. The query is directed to data stored at the data server. The query processor includes a deferred evaluation determiner and deferred expression determiner. The deferred evaluation determiner is configured to analyze the query, and to designate the query for deferred evaluation by the database application if a predetermined factor is met, such as the query including an operation on encrypted data that is not supported at the data server. The deferred expression determiner is configured to determine expression evaluation information for evaluating at least a portion of the query at the database application. The query processor provides the encrypted data and the expression evaluation information to the database application for evaluation.
    Type: Grant
    Filed: April 1, 2015
    Date of Patent: November 19, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Panagiotis Antonopoulos, Ajay S. Manchepalli, Kapil Vaswani, Haohai Yu, Michael James Zwilling
  • Publication number: 20190236168
    Abstract: In various examples, there is a database system which comprises an operating system, a query engine, a transaction manager and components implementing database administration functionality. The query engine and the transaction manager are configured to be executed within one or more memory enclaves of a host computer system separately from the operating system and the components implementing database administration functionality.
    Type: Application
    Filed: April 17, 2018
    Publication date: August 1, 2019
    Inventors: Kapil VASWANI, Manuel Silverio da Silva COSTA
  • Publication number: 20190236179
    Abstract: In various examples, there is provided a computer-implemented method for writing transaction log entries to a transaction log for a database system. At least part of the database system is configured to be executed within a trusted execution environment. The transaction log is stored outside of the trusted execution environment. The method maintains a first secure count representing a number of transaction log entries which have been written to the transaction log for transactions which have been committed to the database and writes a transaction log entry to the transaction log. In other examples, there is also provided is a computer-implemented method for restoring a database system using transaction log entries received from the transaction log and a current value of the first secure count.
    Type: Application
    Filed: April 17, 2018
    Publication date: August 1, 2019
    Inventors: Christian PRIEBE, Kapil VASWANI, Manuel Silverio da Silva COSTA
  • Publication number: 20190182052
    Abstract: Techniques to secure computation data in a computing environment from untrusted code. These techniques involve an isolated environment within the computing environment and an application programming interface (API) component to execute a key exchange protocol that ensures data integrity and data confidentiality for data communicated out of the isolated environment. The isolated environment includes an isolated memory region to store a code package. The key exchange protocol further involves a verification process for the code package stored in the isolated environment to determine whether the one or more exchanged encryption keys have been compromised. If the signature successfully authenticates the one or more keys, a secure communication channel is established to the isolated environment and access to the code package's functionality is enabled. Other embodiments are described and claimed.
    Type: Application
    Filed: February 12, 2019
    Publication date: June 13, 2019
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Manuel Costa, Orion Tamlin Hodson, Sriram Kottarakurichi Rajamani, Marcus Peinado, Mark Eugene Russinovich, Kapil Vaswani