Patents by Inventor Md. Nazmus Sakib
Md. Nazmus Sakib has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240048615Abstract: An application is installed on a computing device from an application package. An origin of the application (e.g., a managed installer for an enterprise, a reputation checking service) is propagated to files written to a storage device of the computing device as part of the installation, such as by writing origin information to the storage device as metadata associated with the file. The origin information for a file, in conjunction with a policy on the computing device specifying one or more trusted origins for applications on the computing device, is used to identify whether a particular action can be taken with and/or by the file. These actions can include, for example, execution of an application from an executable file. If the origin information for a file indicates an origin that is a trusted origin specified by the policy, then the action can be performed.Type: ApplicationFiled: July 5, 2023Publication date: February 8, 2024Applicant: Microsoft Technology Licensing, LLCInventors: Scott R. Shell, Kinshumann Kinshumann, Thomas W. Caldwell, Jeffrey A. Sutherland, Jeffrey R. McKune, Deskin M. Miller, Scott D. Anderson, Md. Nazmus Sakib
-
Patent number: 11893118Abstract: Embodiments described herein are directed to transferring the ownership of a computing device from one entity to another entity. For example, a security processor is utilized to boot the computing device. During a boot session, the security processor loads and executes boot code, which determines whether specialized firmware authorized by the current owner indicates whether a transfer of ownership is to occur. In response to determining that the specialized firmware indicates that a transfer of ownership is to occur, the secure processor loads and executes the specialized firmware. The specialized firmware, when executed, causes the security processor to program a set of fuses with the public key of the new owner. Execution of the specialized firmware also causes the security processor to invalidate the public key of the original owner, which is stored in another set of fuses.Type: GrantFiled: May 25, 2021Date of Patent: February 6, 2024Assignee: Microsoft Technology Licensing, LLCInventors: Md. Nazmus Sakib, Bryan David Kelly, Ling Tony Chen, Peter David Waxman
-
Patent number: 11853428Abstract: Embodiments described herein are directed to firmware policy enforcement of a computing device. For example, a security processor of the computing device is utilized to boot the computing device. During a boot session, the security processor loads and executes specialized firmware. The specialized firmware, when executed, causes the security processor to determine whether other types of firmware to be executed on the computing device is in compliance with a policy specified by the specialized firmware. Based at least on a determination that the other firmware is in compliance with the policy, the security processor executes the other firmware. Based at least on a determination that the other firmware is not in compliance with the policy, the security processor performs a mitigation with respect to the other firmware.Type: GrantFiled: June 2, 2021Date of Patent: December 26, 2023Assignee: Microsoft Technology Licensing, LLCInventors: Md. Nazmus Sakib, Bryan David Kelly, Ling Tony Chen, Peter David Waxman
-
Patent number: 11722566Abstract: An application is installed on a computing device from an application package. An origin of the application (e.g., a managed installer for an enterprise, a reputation checking service) is propagated to files written to a storage device of the computing device as part of the installation, such as by writing origin information to the storage device as metadata associated with the file. The origin information for a file, in conjunction with a policy on the computing device specifying one or more trusted origins for applications on the computing device, is used to identify whether a particular action can be taken with and/or by the file. These actions can include, for example, execution of an application from an executable file. If the origin information for a file indicates an origin that is a trusted origin specified by the policy, then the action can be performed.Type: GrantFiled: July 19, 2021Date of Patent: August 8, 2023Assignee: Microsoft Technology Licensing, LLCInventors: Scott R. Shell, Kinshumann Kinshumann, Thomas W. Caldwell, Jeffrey A. Sutherland, Jeffrey R. McKune, Deskin M. Miller, Scott D. Anderson, Md. Nazmus Sakib
-
Publication number: 20230051347Abstract: Methods, systems, apparatuses, and computer-readable storage mediums described herein enable executable code of a hardware security platform (HSP) circuit to communicate with a hypervisor in a separate processor. The hypervisor generates and manages virtual machines. The HSP code comprises trusted platform module (TPM) logic, that processes TPM commands received via the hypervisor, and in response to the processing, communicates security information (e.g., measurements, keys, authorization data) with the virtual machines via the hypervisor. The TPM logic receives security information related to a virtual machine from the hypervisor and stores the security information in non-volatile memory of the HSP circuit, where security information from a particular VM is distinguishable from security information from another VM in the HSP memory.Type: ApplicationFiled: August 12, 2021Publication date: February 16, 2023Inventors: Md. Nazmus SAKIB, Ronald AIGNER, Ling Tony CHEN, Peter David WAXMAN, David Guy WESTON, Bryan David KELLY
-
Publication number: 20220391510Abstract: Embodiments described herein are directed to firmware policy enforcement of a computing device. For example, a security processor of the computing device is utilized to boot the computing device. During a boot session, the security processor loads and executes specialized firmware. The specialized firmware, when executed, causes the security processor to determine whether other types of firmware to be executed on the computing device is in compliance with a policy specified by the specialized firmware. Based at least on a determination that the other firmware is in compliance with the policy, the security processor executes the other firmware. Based at least on a determination that the other firmware is not in compliance with the policy, the security processor performs a mitigation with respect to the other firmware.Type: ApplicationFiled: June 2, 2021Publication date: December 8, 2022Inventors: Md. Nazmus SAKIB, Bryan David KELLY, Ling Tony CHEN, Peter David WAXMAN
-
Publication number: 20220382872Abstract: Embodiments described herein are directed to transferring the ownership of a computing device from one entity to another entity. For example, a security processor is utilized to boot the computing device. During a boot session, the security processor loads and executes boot code, which determines whether specialized firmware authorized by the current owner indicates whether a transfer of ownership is to occur. In response to determining that the specialized firmware indicates that a transfer of ownership is to occur, the secure processor loads and executes the specialized firmware. The specialized firmware, when executed, causes the security processor to program a set of fuses with the public key of the new owner. Execution of the specialized firmware also causes the security processor to invalidate the public key of the original owner, which is stored in another set of fuses.Type: ApplicationFiled: May 25, 2021Publication date: December 1, 2022Inventors: Md. Nazmus SAKIB, Bryan David KELLY, Ling Tony CHEN, Peter David WAXMAN
-
Patent number: 11263309Abstract: Integrity verification of a containerized application using a block device signature is described. For example, a container deployed to a host system is signed with a single block device signature. The operating system of the host system implements an integrity policy to verify the integrity of the container when the container is loaded into memory and when its program code executes. During such events, the operating system verifies whether the block device signature is valid. If the block device signature is determined to be valid, the operating system enables the program code to successfully execute. Otherwise, the program code is prevented from being executed. By doing so, certain program code or processes that are not properly signed are prevented from executing, thereby protecting the host system from such processes. Moreover, by using a single block device signature for a container, the enforcement of the integrity policy is greatly simplified.Type: GrantFiled: October 31, 2019Date of Patent: March 1, 2022Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: Md Nazmus Sakib, Jeffrey A. Sutherland, Deven Robert Desai, Jaskaran Singh Khurana, Scott Randall Shell, Jessica M. Krynitsky
-
Publication number: 20220014587Abstract: An application is installed on a computing device from an application package. An origin of the application (e.g., a managed installer for an enterprise, a reputation checking service) is propagated to files written to a storage device of the computing device as part of the installation, such as by writing origin information to the storage device as metadata associated with the file. The origin information for a file, in conjunction with a policy on the computing device specifying one or more trusted origins for applications on the computing device, is used to identify whether a particular action can be taken with and/or by the file. These actions can include, for example, execution of an application from an executable file. If the origin information for a file indicates an origin that is a trusted origin specified by the policy, then the action can be performed.Type: ApplicationFiled: July 19, 2021Publication date: January 13, 2022Inventors: Scott R. Shell, Kinshumann Kinshumann, Thomas W. Caldwell, Jeffrey A. Sutherland, Jeffrey R. McKune, Deskin M. Miller, Scott D. Anderson, Md. Nazmus Sakib
-
Patent number: 11086985Abstract: Examples described herein generally relate to a computer device including a memory, and at least one processor configured to determine whether to allow execution of an application file on the computer device. The processor receives a command to execute a file. The processor determines whether the file is associated with a package reputation of an installation package. The processor determines a file reputation of the file. The processor determines whether to allow execution of the file based on a combination of the file reputation of the file and whether the file is associated with the good package reputation.Type: GrantFiled: December 4, 2017Date of Patent: August 10, 2021Assignee: Microsoft Technology Licensing, LLCInventors: Md. Nazmus Sakib, Thomas Walter Caldwell, III, Jeffrey Sutherland, Deskin Miller, Scott Anderson, Deepak Jagannathan Manohar, Adrian Marinescu
-
Patent number: 11082491Abstract: An application is installed on a computing device from an application package. An origin of the application (e.g., a managed installer for an enterprise, a reputation checking service) is propagated to files written to a storage device of the computing device as part of the installation, such as by writing origin information to the storage device as metadata associated with the file. The origin information for a file, in conjunction with a policy on the computing device specifying one or more trusted origins for applications on the computing device, is used to identify whether a particular action can be taken with and/or by the file. These actions can include, for example, execution of an application from an executable file. If the origin information for a file indicates an origin that is a trusted origin specified by the policy, then the action can be performed.Type: GrantFiled: October 7, 2016Date of Patent: August 3, 2021Assignee: Microsoft Technology Licensing, LLCInventors: Scott R. Shell, Kinshumann Kinshumann, Thomas W. Caldwell, Jeffrey A. Sutherland, Jeffrey R. McKune, Deskin M. Miller, Scott D. Anderson, Md. Nazmus Sakib
-
Publication number: 20210133313Abstract: Integrity verification of a containerized application using a block device signature is described. For example, a container deployed to a host system is signed with a single block device signature. The operating system of the host system implements an integrity policy to verify the integrity of the container when the container is loaded into memory and when its program code executes. During such events, the operating system verifies whether the block device signature is valid. If the block device signature is determined to be valid, the operating system enables the program code to successfully execute. Otherwise, the program code is prevented from being executed. By doing so, certain program code or processes that are not properly signed are prevented from executing, thereby protecting the host system from such processes. Moreover, by using a single block device signature for a container, the enforcement of the integrity policy is greatly simplified.Type: ApplicationFiled: October 31, 2019Publication date: May 6, 2021Inventors: Md Nazmus Sakib, Jeffrey A. Sutherland, Deven Robert Desai, Jaskaran Singh Khurana, Scott Randall Shell, Jessica M. Krynitsky
-
Patent number: 10956615Abstract: Embodiments are directed to managing software components loaded on a device by identifying a platform manifest having a valid certificate, confirming that the platform manifest is bound to the device, identifying components listed on the platform manifest, confirming that the listed components have a valid certificate, and loading listed components with valid certificates on the device. The components may be binaries and packages for an operating system. The components may be signed in an embedded manner or with detached signatures. The platform manifest may be bound to the device in a manner that allows for identification of unauthorized platform manifests.Type: GrantFiled: February 17, 2017Date of Patent: March 23, 2021Assignee: Microsoft Technology Licensing, LLCInventors: Scott R. Shell, Md. Nazmus Sakib, Kinshumann, Dale R. Rolf, Daryn E. Robbins, Ian McCarty, JianMing M. Zhou, David J. Linsley
-
Publication number: 20200274939Abstract: The present disclosure concerns systems and methods for generating application-control policies. A system may receive application-usage data for a set of devices. The application-usage data may identify binaries with which a user interacted. The system may determine one or more application-usage characteristics for one or more devices in the set of devices based at least in part on the application-usage data and may rely solely on data associated with the binaries with which the user interacted. The system may identify a set of candidate devices based on the one or more application-usage characteristics. The application-usage characteristics may include a measure of distinct applications used during a specified time period and a measure of variability of application usage across a set of specified time periods. The system may generate an application-control policy for the set of candidate devices based on application-usage data for the set of candidate devices.Type: ApplicationFiled: February 26, 2019Publication date: August 27, 2020Inventors: Md. Nazmus SAKIB, Isha Aniruddha OKE, Scott Randall SHELL, Jeffrey Alan SUTHERLAND, Jaskaran Singh KHURANA, Thomas Walter CALDWELL, III, Zhouheng SUN, Noah McGregor HARPER
-
Publication number: 20190171809Abstract: Examples described herein generally relate to a computer device including a memory, and at least one processor configured to determine whether to allow execution of an application file on the computer device. The processor receives a command to execute a file. The processor determines whether the file is associated with a package reputation of an installation package. The processor determines a file reputation of the file. The processor determines whether to allow execution of the file based on a combination of the file reputation of the file and whether the file is associated with the good package reputation.Type: ApplicationFiled: December 4, 2017Publication date: June 6, 2019Inventors: Md. Nazmus SAKIB, Thomas Walter CALDWELL, III, Jeffrey SUTHERLAND, Deskin MILLER, Scott ANDERSON, Deepak Jagannathan MANOHAR, Adrian MARINESCU
-
Patent number: 10268816Abstract: A system for changing policy information of a process is provided. When a process is to execute, the system stores policy information for the process in association with the process code. The system also creates a token for the process. The token provides evidence of the policy for the process and includes at least a reference to the stored policy information. The system provides the token to the process for use by the process as evidence of the policy for the process. When the process provides the token to a service provider, the service provider uses the reference to access the policy information for the process. While the process is executing, the system modifies the stored policy information. When the process subsequently provides the token to a service provider, the service provider uses the reference to access the modified policy information for the process.Type: GrantFiled: March 31, 2016Date of Patent: April 23, 2019Assignee: Microsoft Technology Licensing, LLCInventors: Md. Nazmus Sakib, Yogesh Mehta, Kinshumann Kinshumann, Vishal Agarwal, Giridharan Sridharan, Arnold Paul Pereira, Deskin Miller, Narendra Acharya
-
Publication number: 20180239929Abstract: Embodiments are directed to managing software components loaded on a device by identifying a platform manifest having a valid certificate, confirming that the platform manifest is bound to the device, identifying components listed on the platform manifest, confirming that the listed components have a valid certificate, and loading listed components with valid certificates on the device. The components may be binaries and packages for an operating system. The components may be signed in an embedded manner or with detached signatures. The platform manifest may be bound to the device in a manner that allows for identification of unauthorized platform manifests.Type: ApplicationFiled: February 17, 2017Publication date: August 23, 2018Inventors: Scott R. SHELL, Md. Nazmus SAKIB, KINSHUMANN, Dale R. ROLF, Daryn E. ROBBINS, Ian MCCARTY, JianMing M. ZHOU, David J. Linsley
-
Publication number: 20180103097Abstract: An application is installed on a computing device from an application package. An origin of the application (e.g., a managed installer for an enterprise, a reputation checking service) is propagated to files written to a storage device of the computing device as part of the installation, such as by writing origin information to the storage device as metadata associated with the file. The origin information for a file, in conjunction with a policy on the computing device specifying one or more trusted origins for applications on the computing device, is used to identify whether a particular action can be taken with and/or by the file. These actions can include, for example, execution of an application from an executable file. If the origin information for a file indicates an origin that is a trusted origin specified by the policy, then the action can be performed.Type: ApplicationFiled: October 7, 2016Publication date: April 12, 2018Applicant: Microsoft Technology Licensing, LLCInventors: Scott R. Shell, Kinshumann Kinshumann, Thomas W. Caldwell, Jeffrey A. Sutherland, Jeffrey R. McKune, Deskin M. Miller, Scott D. Anderson, Md. Nazmus Sakib