Patents by Inventor Ling Tony Chen
Ling Tony Chen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20170337380
  Abstract: A device-local key derivation scheme generates, during a first boot session for an electronic device, a sealing key that is derived at least in part from a device-generated random seed and an internal secret that is unique to the electronic device. After generating the sealing key, access to the internal secret is disabled for the remainder of the first boot session and until a second boot session is initiated. At runtime, the sealing key is used to sign a module manifest that describes the software that is authorized to access the sealing key, and the module manifest containing the sealing key is persisted in non-volatile memory of the electronic device. The module manifest can be used to validate software during a subsequent boot session and to authorize software updates on the electronic device without relying on an external entity or external information to protect on-device secrets.
  Type: Application
  Filed: May 18, 2016
  Publication date: November 23, 2017
  Inventors: Felix Domke, Ling Tony Chen
- Patent number: 9762396
  Abstract: When theft protection of a computing device is initiated, credentials of the user are provided to one or more services that verify the credentials and generate a recovery key. A data value is generated based on the recovery key and an identifier of the computing device (e.g., by applying a cryptographic hash function to the recovery key and the computing device identifier), and the data value is provided to the computing device, which stores the data value at the computing device. When a user is prompted to prove his or her ownership of the device, the owner can prove his or her ownership of the device in different manners by accessing the one or more services via a network (e.g., the Internet), or by providing the recovery key (e.g., obtained using another computing device) to the computing device.
  Type: Grant
  Filed: December 2, 2016
  Date of Patent: September 12, 2017
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Mihai Irinel Susan, Bogdan Andreiu, Scott R. Shell, Scott Michael Bragg, Ling Tony Chen
- Patent number: 9716708
  Abstract: A system-on-chip (SoC) includes multiple hardware modules that are implemented on a substrate. The hardware modules include a plurality of hardware and software security features, and the SoC provides one or more external interfaces for accessing the security features. A validation module, implemented in the boot code of the SoC for example, manages security certificates to control access to the plurality of security features. Each security certificate includes one or more unique identifiers corresponding to one or more hardware modules in the SoC and access control settings for one or more security features of the one or more hardware modules. The security certificate additionally includes a certificate signature signed by a secure key.
  Type: Grant
  Filed: September 13, 2013
  Date of Patent: July 25, 2017
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Michael Love, Ling Tony Chen, Felix Domke, Kenneth Ray
- Publication number: 20170193226
  Abstract: The subject disclosure is directed towards using one or more of hardware, a hypervisor, and privileged mode code to prevent system mode code from accessing user mode data and/or running user mode code at the system privilege level, or vice versa. Also described is (in systems with a hypervisor) preventing non-hypervisor code from running in hypervisor mode or accessing hypervisor-only data, or vice versa. A register maintained by hardware, hypervisor, or system mode code contains data access and execution policies for different chunks of addressable space with respect to which requesting entities (hypervisor mode code, system mode code, user mode code) have access to or can execute code in a given chunk. When a request to execute code or access data with respect to an address is received, the request is processed to determine to which chunk the address corresponds. The policy for that chunk is evaluated to determine whether to allow or deny the request.
  Type: Application
  Filed: December 5, 2016
  Publication date: July 6, 2017
  Inventors: Jonathan E. Lange, John V. Sell, Ling Tony Chen, Eric O. Mejdrich
- Patent number: 9646154
  Abstract: Return oriented programming (ROP) attack prevention techniques are described. In one or more examples, a method is described of protecting against return oriented programming attacks. The method includes initiating a compute signature hardware instruction of a computing device to compute a signature for a return address and the associated location on the stack where the return address is stored, and causing storage of the computed signature along with the return address in the stack. The method also includes enforcing that, before executing the return instruction using the return address on the stack, a verify signature hardware instruction of the computing device is initiated to verify that the signature matches the target return address on the stack, and responding to successful verification of the signature through execution of the verify signature hardware instruction by the computing device by executing the return instruction to the return address.
  Type: Grant
  Filed: January 20, 2015
  Date of Patent: May 9, 2017
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Ling Tony Chen, Jonathan E. Lange, Greg M. Zaverucha
- Publication number: 20170113145
  Abstract: Systems and methods for providing a single sign-in on a gaming console that associates online activity that is out-of-game/cross-game, and/or online activity that is in-game, and/or activity that is offline and in-game with that account. While online, a service tracks activity of gamers and provides usage statistics in a profile. While offline, the game console tracks the player's activity via a mechanism to collect detailed information about a specific player's in-game statistics and accomplishments. The offline activity is cached and uploaded when the console connects to the online service. Players can accumulate achievements offline that are credited towards online activities.
  Type: Application
  Filed: January 4, 2017
  Publication date: April 27, 2017
  Applicant: Microsoft Technology Licensing, LLC
  Inventors: Michal Bortnik, Erik John Arthur, James David Macauley, Ling Tony Chen, Yasser B. Asmi, Steven D. Lamb, James N. Helm
- Publication number: 20170085386
  Abstract: When theft protection of a computing device is initiated, credentials of the user are provided to one or more services that verify the credentials and generate a recovery key. A data value is generated based on the recovery key and an identifier of the computing device (e.g., by applying a cryptographic hash function to the recovery key and the computing device identifier), and the data value is provided to the computing device, which stores the data value at the computing device. When a user is prompted to prove his or her ownership of the device, the owner can prove his or her ownership of the device in different manners by accessing the one or more services via a network (e.g., the Internet), or by providing the recovery key (e.g., obtained using another computing device) to the computing device.
  Type: Application
  Filed: December 2, 2016
  Publication date: March 23, 2017
  Applicant: Microsoft Technology Licensing, LLC
  Inventors: Mihai Irinel Susan, Bogdan Andreiu, Scott R. Shell, Scott Michael Bragg, Ling Tony Chen
- Patent number: 9565169
  Abstract: When theft protection of a computing device is initiated, credentials of the user are provided to one or more services that verify the credentials and generate a recovery key. A data value is generated based on the recovery key and an identifier of the computing device (e.g., by applying a cryptographic hash function to the recovery key and the computing device identifier), and the data value is provided to the computing device, which stores the data value at the computing device. When a user is prompted to prove his or her ownership of the device, the owner can prove his or her ownership of the device in different manners by accessing the one or more services via a network (e.g., the Internet), or by providing the recovery key (e.g., obtained using another computing device) to the computing device.
  Type: Grant
  Filed: June 8, 2015
  Date of Patent: February 7, 2017
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Mihai Irinel Susan, Bogdan Andreiu, Scott R. Shell, Scott Michael Bragg, Ling Tony Chen
- Patent number: 9530000
  Abstract: The subject disclosure is directed towards using one or more of hardware, a hypervisor, and privileged mode code to prevent system mode code from accessing user mode data and/or running user mode code at the system privilege level, or vice versa. Also described is (in systems with a hypervisor) preventing non-hypervisor code from running in hypervisor mode or accessing hypervisor-only data, or vice versa. A register maintained by hardware, hypervisor, or system mode code contains data access and execution policies for different chunks of addressable space with respect to which requesting entities (hypervisor mode code, system mode code, user mode code) have access to or can execute code in a given chunk. When a request to execute code or access data with respect to an address is received, the request is processed to determine to which chunk the address corresponds. The policy for that chunk is evaluated to determine whether to allow or deny the request.
  Type: Grant
  Filed: June 14, 2013
  Date of Patent: December 27, 2016
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Jonathan E. Lange, John V. Sell, Ling Tony Chen, Eric O. Mejdrich
- Publication number: 20160294790
  Abstract: When theft protection of a computing device is initiated, credentials of the user are provided to one or more services that verify the credentials and generate a recovery key. A data value is generated based on the recovery key and an identifier of the computing device (e.g., by applying a cryptographic hash function to the recovery key and the computing device identifier), and the data value is provided to the computing device, which stores the data value at the computing device. When a user is prompted to prove his or her ownership of the device, the owner can prove his or her ownership of the device in different manners by accessing the one or more services via a network (e.g., the Internet), or by providing the recovery key (e.g., obtained using another computing device) to the computing device.
  Type: Application
  Filed: June 8, 2015
  Publication date: October 6, 2016
  Inventors: Mihai Irinel Susan, Bogdan Andreiu, Scott R. Shell, Scott Michael Bragg, Ling Tony Chen
- Patent number: 9454661
  Abstract: The subject disclosure is directed towards providing a computing device with access to a key that depends on the current software version, e.g., the software version of a security processor. If the software is compromised, another key becomes available with the release of each new (non-compromised) software version. Keys for future versions cannot be derived, while keys for earlier versions can be derived from the current key. A secure boot process uses a secret to generate a first key, after which access to the secret is turned off. The first key is used with key blob data to compute a second key used for data decryption (and encryption) as needed. The key blob data may be global for all devices, and/or device specific; a hash stick comprising a set of derivable keys may be used at manufacturing time to generate the device-specific key blob data.
  Type: Grant
  Filed: June 30, 2014
  Date of Patent: September 27, 2016
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Ling Tony Chen, Felix Stefan Domke, Kenneth D. Ray
- Publication number: 20160171211
  Abstract: Return oriented programming (ROP) attack prevention techniques are described. In one or more examples, a method is described of protecting against return oriented programming attacks. The method includes initiating a compute signature hardware instruction of a computing device to compute a signature for a return address and the associated location on the stack where the return address is stored, and causing storage of the computed signature along with the return address in the stack. The method also includes enforcing that, before executing the return instruction using the return address on the stack, a verify signature hardware instruction of the computing device is initiated to verify that the signature matches the target return address on the stack, and responding to successful verification of the signature through execution of the verify signature hardware instruction by the computing device by executing the return instruction to the return address.
  Type: Application
  Filed: January 20, 2015
  Publication date: June 16, 2016
  Inventors: Ling Tony Chen, Jonathan E. Lange, Greg M. Zaverucha
- Patent number: 9367543
  Abstract: Systems and methods for providing a game achievements system where players are rewarded with game achievements based on mastering certain in-game facets of the games they play. Each game achievement may be conveyed in a profile as a badge or trophy, title, description, date, etc. Players may also accumulate points based on game achievements. A display interface may be made available such that a player may see his achievements and total points, as well as those of others.
  Type: Grant
  Filed: May 1, 2013
  Date of Patent: June 14, 2016
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Michal Bortnik, Vincent H. Curley, James Hsi-kai Jen, James David Macauley, Ling Tony Chen, Steven D. Lamb
- Patent number: 9355097
  Abstract: Systems and methods for providing a game achievements system where players are rewarded with game achievements based on mastering certain in-game facets of the games they play. Each game achievement may be conveyed in a profile as a badge or trophy, title, description, date, etc. Players may also accumulate points based on game achievements. A display interface may be made available such that a player may see his achievements and total points, as well as those of others.
  Type: Grant
  Filed: May 1, 2013
  Date of Patent: May 31, 2016
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Michal Bortnik, Vincent H. Curley, James Hsi-Kai Jen, James David Macauley, Ling Tony Chen, Steven D. Lamb
- Publication number: 20150379270
  Abstract: The subject disclosure is directed towards providing a computing device with access to a key that depends on the current software version, e.g., the software version of a security processor. If the software is compromised, another key becomes available with the release of each new (non-compromised) software version. Keys for future versions cannot be derived, while keys for earlier versions can be derived from the current key. A secure boot process uses a secret to generate a first key, after which access to the secret is turned off. The first key is used with key blob data to compute a second key used for data decryption (and encryption) as needed. The key blob data may be global for all devices, and/or device specific; a hash stick comprising a set of derivable keys may be used at manufacturing time to generate the device-specific key blob data.
  Type: Application
  Filed: June 30, 2014
  Publication date: December 31, 2015
  Inventors: Ling Tony Chen, Felix Stefan Domke, Kenneth D. Ray
- Publication number: 20150371046
  Abstract: The subject disclosure is directed towards protecting code in memory from being modified after boot, such as code used in a dedicated microprocessor or microcontroller. Hardware, such as in logic or in a memory protection unit, allows a range of memory to be made non-writeable after being loaded, e.g., via a secure boot load operation. Further, startup code that is used to configure the hardware/memory may be made non-executable after having run once, so that no further execution may occur in that space, e.g., as a result of an attack. A function in the runtime code may allow for a limited, attack-protected reconfiguration of sub-regions of memory regions during the runtime execution.
  Type: Application
  Filed: June 20, 2014
  Publication date: December 24, 2015
  Inventors: Ling Tony Chen, Felix Stefan Domke
- Patent number: 9144741
  Abstract: Systems and methods for providing a single sign-in on a gaming console that associates online activity that is out-of-game/cross-game, and/or online activity that is in-game, and/or activity that is offline and in-game with that account. While online, a service tracks activity of gamers and provides usage statistics in a profile. While offline, the game console tracks the player's activity via a mechanism to collect detailed information about a specific player's in-game statistics and accomplishments. The offline activity is cached and uploaded when the console connects to the online service. Players can accumulate achievements offline that are credited towards online activities.
  Type: Grant
  Filed: July 31, 2013
  Date of Patent: September 29, 2015
  Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
  Inventors: Michal Bortnik, Erik John Arthur, James David Macauley, Ling Tony Chen, Yasser B. Asmi, Steven D. Lamb, James N. Helm
- Publication number: 20150238870
  Abstract: Systems and methods for providing a single sign-in on a gaming console that associates online activity that is out-of-game/cross-game, and/or online activity that is in-game, and/or activity that is offline and in-game with that account. While online, a service tracks activity of gamers and provides usage statistics in a profile. While offline, the game console tracks the player's activity via a mechanism to collect detailed information about a specific player's in-game statistics and accomplishments. The offline activity is cached and uploaded when the console connects to the online service. Players can accumulate achievements offline that are credited towards online activities.
  Type: Application
  Filed: May 12, 2015
  Publication date: August 27, 2015
  Inventors: Michal Bortnik, Erik John Arthur, James David Macauley, Ling Tony Chen, Yasser B. Asmi, Steven D. Lamb, James N. Helm
- Publication number: 20150095661
  Abstract: Regions of system memory in a computer system are managed to maintain privacy and integrity of data. A system address space for memory is divided into a plurality of aliased address spaces. Each of the aliased address spaces is associated with its own unique encryption key. The system address space is managed using the aliased address spaces to provide data isolation and privacy for different system processes. One or more aliased address spaces can be provided with additional data integrity capabilities. Data associated with an integrity-checked aliased address space is subjected to data integrity checking, using authentication-based techniques such as hashing, for example. Additionally, a set of contiguous addresses in the aliased address space is defined, while being mapped to a set of non-contiguous addresses in the corresponding physical address space for additional data security.
  Type: Application
  Filed: September 30, 2013
  Publication date: April 2, 2015
  Applicant: Microsoft Corporation
  Inventors: John V. Sell, Ling Tony Chen, Paul Paternoster
- Publication number: 20150082420
  Abstract: A system-on-chip (SoC) includes multiple hardware modules that are implemented on a substrate. The hardware modules include a plurality of hardware and software security features, and the SoC provides one or more external interfaces for accessing the security features. A validation module, implemented in the boot code of the SoC for example, manages security certificates to control access to the plurality of security features. Each security certificate includes one or more unique identifiers corresponding to one or more hardware modules in the SoC and access control settings for one or more security features of the one or more hardware modules. The security certificate additionally includes a certificate signature signed by a secure key.
  Type: Application
  Filed: September 13, 2013
  Publication date: March 19, 2015
  Applicant: Microsoft Corporation
  Inventors: Michael Love, Ling Tony Chen, Felix Domke, Kenneth Ray