Patents by Inventor Nir Ben-Zvi
Nir Ben-Zvi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11770450Abstract: Methods, systems, and apparatuses are described for dynamic management of file system objects (e.g., a file or a directory). Such management includes syncing, routing, and storing capabilities. A file system object may be tagged with one or more tags based on at least one of file system object content or file system object location. Dynamic rules that control routing of file system objects to one or more locations based on the one or more tags are accessed and searched for an applicable rule. The file system object may be routed and/or stored based on the applicable rule. The rules may specify allowable locations as well as locations that are not allowed for a given file system object. The location may be a cloud-based location, a location that is on the premises of the enterprise, a location provided by and/or serviced by a competing entity, etc.Type: GrantFiled: May 23, 2022Date of Patent: September 26, 2023Assignee: Microsoft Technology Licensing, LLCInventors: Tanu Mutreja, Nir Ben-Zvi
-
Publication number: 20220286509Abstract: Methods, systems, and apparatuses are described for dynamic management of file system objects (e.g., a file or a directory). Such management includes syncing, routing, and storing capabilities. A file system object may be tagged with one or more tags based on at least one of file system object content or file system object location. Dynamic rules that control routing of file system objects to one or more locations based on the one or more tags are accessed and searched for an applicable rule. The file system object may be routed and/or stored based on the applicable rule. The rules may specify allowable locations as well as locations that are not allowed for a given file system object. The location may be a cloud-based location, a location that is on the premises of the enterprise, a location provided by and/or serviced by a competing entity, etc.Type: ApplicationFiled: May 23, 2022Publication date: September 8, 2022Inventors: Tanu Mutreja, Nir Ben-Zvi
-
Patent number: 11375015Abstract: Methods, systems, and apparatuses are described for dynamic management of file system objects (e.g., a file or a directory). Such management includes syncing, routing, and storing capabilities. A file system object may be tagged with one or more tags based on at least one of file system object content or file system object location. Dynamic rules that control routing of file system objects to one or more locations based on the one or more tags are accessed and searched for an applicable rule. The file system object may be routed and/or stored based on the applicable rule. The rules may specify allowable locations as well as locations that are not allowed for a given file system object. The location may be a cloud-based location, a location that is on the premises of the enterprise, a location provided by and/or serviced by a competing entity, etc.Type: GrantFiled: January 27, 2021Date of Patent: June 28, 2022Assignee: Microsoft Technology Licensing, LLCInventors: Tanu Mutreja, Nir Ben-Zvi
-
Publication number: 20210218809Abstract: Methods, systems, and apparatuses are described for dynamic management of file system objects (e.g., a file or a directory). Such management includes syncing, routing, and storing capabilities. A file system object may be tagged with one or more tags based on at least one of file system object content or file system object location. Dynamic rules that control routing of file system objects to one or more locations based on the one or more tags are accessed and searched for an applicable rule. The file system object may be routed and/or stored based on the applicable rule. The rules may specify allowable locations as well as locations that are not allowed for a given file system object. The location may be a cloud-based location, a location that is on the premises of the enterprise, a location provided by and/or serviced by a competing entity, etc.Type: ApplicationFiled: January 27, 2021Publication date: July 15, 2021Inventors: Tanu Mutreja, Nir Ben-Zvi
-
Patent number: 10956321Abstract: A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.Type: GrantFiled: January 6, 2019Date of Patent: March 23, 2021Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: Niels T. Ferguson, Yevgeniy Anatolievich Samsonov, Kinshumann, Samartha Chandrashekar, John Anthony Messec, Mark Fishel Novak, Christopher McCarron, Amitabh Prakash Tamhane, Qiang Wang, David Matthew Kruse, Nir Ben-Zvi, Anders Bertil Vinberg
-
Patent number: 10938902Abstract: Methods, systems, and apparatuses are described for dynamic management of file system objects (e.g., a file or a directory). Such management includes syncing, routing, and storing capabilities. A file system object may be tagged with one or more tags based on at least one of file system object content or file system object location. Dynamic rules that control routing of file system objects to one or more locations based on the one or more tags are accessed and searched for an applicable rule. The file system object may be routed and/or stored based on the applicable rule. The rules may specify allowable locations as well as locations that are not allowed for a given file system object. The location may be a cloud-based location, a location that is on the premises of the enterprise, a location provided by and/or serviced by a competing entity, etc.Type: GrantFiled: May 31, 2017Date of Patent: March 2, 2021Assignee: Microsoft Technology Licensing, LLCInventors: Tanu Mutreja, Nir Ben-Zvi
-
Patent number: 10771439Abstract: Embodiments relate to a host encrypting network communications of virtual machines (VMs) in ways that minimize exposure of the network communications in cleartext form. The host captures and registers a measure of a secure state of the host. The measure is registered with a guardian service communicable via a network. The guardian service also securely stores keys of the VMs. Each VM's key is associated with authorization information indicating which machines are authorized to obtain the corresponding VM's key. The host obtains access to a VM's key based on a confirmation that its state matches the registered measured state and based on the authorization information of the VM indicating that the host is authorized to access the key. The VM's key is then used to transparently encrypt/decrypt network communications of the VM as they pass through a virtualization layer on the host that executes the VMs.Type: GrantFiled: June 28, 2017Date of Patent: September 8, 2020Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: Alan Thomas Gavin Jowett, Ravi T. Rao, Gregory M. Cusanza, Nir Ben-Zvi, Dean A. Wells
-
Patent number: 10423791Abstract: A device runs a hypervisor and a virtual machine. The virtual machine includes a virtual security module, which can be a virtual trusted platform module (TPM). The virtual security module for the virtual machine is encrypted, and in order for the hypervisor to run the virtual machine the virtual security module is decrypted using a security module key. If a host guardian service is accessible, then the hypervisor obtains the key to decrypt the virtual security module from the host guardian service. However, if the host guardian service is inaccessible, then the hypervisor uses a key securely stored in a key cache of the device to decrypt the virtual security module. In one or more embodiments, the hypervisor can obtain the key from the key cache only if a health certificate indicating that the host guardian service trusts the device has been previously obtained from the host guardian service.Type: GrantFiled: April 27, 2017Date of Patent: September 24, 2019Assignee: Microsoft Technology Licensing, LLCInventors: Dean Anthony Wells, Nir Ben-Zvi, Ryan P. Puffer
-
Publication number: 20190155728Abstract: A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.Type: ApplicationFiled: January 6, 2019Publication date: May 23, 2019Inventors: Niels T. Ferguson, Yevgeniy Anatolievich Samsonov, Kinshumann, Samartha Chandrashekar, John Anthony Messec, Mark Fishel Novak, Christopher McCarron, Amitabh Prakash Tamhane, Qiang Wang, David Matthew Kruse, Nir Ben-Zvi, Anders Bertil Vinberg
-
Patent number: 10181037Abstract: Booting a machine in a secure fashion in a potentially unsecure environment. The method includes a target machine beginning a boot process. The method further includes the target machine determining that it needs provisioning data to continue booting. The target machine contacts a secure infrastructure to obtain the provisioning data. The target machine provides an identity claim that can be verified by the secure infrastructure. As a result of the secure infrastructure verifying the identity claim, the target machine receives a request from the secure infrastructure to establish a key sealed to the target machine. The target machine provides the established key to the secure infrastructure. The target machine receives the provisioning data from the secure infrastructure. The provisioning data is encrypted to the established key. The target machine decrypts the encrypted provisioning data, and uses the provisioning data to finish booting.Type: GrantFiled: November 9, 2016Date of Patent: January 15, 2019Assignee: Microsoft Technology Licensing, LLCInventors: Mark Fishel Novak, Nir Ben-Zvi, John Anthony Messec, Kinshumann, Christopher McCarron
-
Patent number: 10176095Abstract: A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.Type: GrantFiled: August 22, 2016Date of Patent: January 8, 2019Assignee: Microsoft Technology Licensing, LLCInventors: Niels T. Ferguson, Yevgeniy Anatolievich Samsonov, Kinshumann, Samartha Chandrashekar, John Anthony Messec, Mark Fishel Novak, Christopher McCarron, Amitabh Prakash Tamhane, Qiang Wang, David Matthew Kruse, Nir Ben-Zvi, Anders Bertil Vinberg
-
Publication number: 20190007378Abstract: Embodiments relate to a host encrypting network communications of virtual machines (VMs) in ways that minimize exposure of the network communications in cleartext form. The host captures and registers a measure of a secure state of the host. The measure is registered with a guardian service communicable via a network. The guardian service also securely stores keys of the VMs. Each VM's key is associated with authorization information indicating which machines are authorized to obtain the corresponding VM's key. The host obtains access to a VM's key based on a confirmation that its state matches the registered measured state and based on the authorization information of the VM indicating that the host is authorized to access the key. The VM's key is then used to transparently encrypt/decrypt network communications of the VM as they pass through a virtualization layer on the host that executes the VMs.Type: ApplicationFiled: June 28, 2017Publication date: January 3, 2019Inventors: Alan Thomas Gavin JOWETT, Ravi T. RAO, Gregory M. CUSANZA, Nir BEN-ZVI, Dean A. WELLS
-
Publication number: 20180352034Abstract: Methods, systems, and apparatuses are described for dynamic management of file system objects (e.g., a file or a directory). Such management includes syncing, routing, and storing capabilities. A file system object may be tagged with one or more tags based on at least one of file system object content or file system object location. Dynamic rules that control routing of file system objects to one or more locations based on the one or more tags are accessed and searched for an applicable rule. The file system object may be routed and/or stored based on the applicable rule. The rules may specify allowable locations as well as locations that are not allowed for a given file system object. The location may be a cloud-based location, a location that is on the premises of the enterprise, a location provided by and/or serviced by a competing entity, etc.Type: ApplicationFiled: May 31, 2017Publication date: December 6, 2018Inventors: Tanu Mutreja, Nir Ben-Zvi
-
Publication number: 20180314827Abstract: A device runs a hypervisor and a virtual machine. The virtual machine includes a virtual security module, which can be a virtual trusted platform module (TPM). The virtual security module for the virtual machine is encrypted, and in order for the hypervisor to run the virtual machine the virtual security module is decrypted using a security module key. If a host guardian service is accessible, then the hypervisor obtains the key to decrypt the virtual security module from the host guardian service. However, if the host guardian service is inaccessible, then the hypervisor uses a key securely stored in a key cache of the device to decrypt the virtual security module. In one or more embodiments, the hypervisor can obtain the key from the key cache only if a health certificate indicating that the host guardian service trusts the device has been previously obtained from the host guardian service.Type: ApplicationFiled: April 27, 2017Publication date: November 1, 2018Applicant: Microsoft Technology Licensing, LLCInventors: Dean Anthony Wells, Nir Ben-Zvi, Ryan P. Puffer
-
Patent number: 9652631Abstract: Managing encrypted datasets is illustrated. A method includes obtaining a first decryption key. The first decryption key is configured to be used to decrypt an encrypted dataset that has been encrypted using a first encryption mechanism. The first encryption mechanism is associated with the first decryption key that can be used to decrypt the dataset. The method further includes encrypting the first decryption key with a second encryption mechanism. The method further includes encrypting the first decryption key with a third encryption mechanism. The method further includes creating a package including at least the first decryption key encrypted with the second encryption method and the first decryption key encrypted with the third encryption method. The method further includes signing the package with a guardian signature and signing the package with a signature created from the first decryption key.Type: GrantFiled: September 9, 2014Date of Patent: May 16, 2017Assignee: Microsoft Technology Licensing, LLCInventors: Mark Fishel Novak, Nir Ben-Zvi, Niels T. Ferguson
-
Patent number: 9652466Abstract: Described is caching classification-related metadata for a file in an alternate data stream of that file. When a file is classified (e.g., for data management), the classification properties are cached in association with the file, along with classification-related metadata that indicates the state of the file at the time of caching. The classification-related metadata in the alternate data stream is then useable in determining whether the classification properties are valid and up-to-date when next accessed, or whether the file needs to be reclassified. If the properties are valid and up-to-date, they may be used without requiring the computationally costly steps of reclassification. Also described is using more than one alternate data stream for the cache, and extending the classification-related metadata through a defined extension mechanism.Type: GrantFiled: August 11, 2014Date of Patent: May 16, 2017Assignee: MICROSOFT TECHNOLOGY LICENSING, LLCInventors: Clyde Law, Paul Adrian Oltean, Ran Kalach, Nir Ben-Zvi, Matthias H. Wollnik
-
Publication number: 20170061128Abstract: Booting a machine in a secure fashion in a potentially unsecure environment. The method includes a target machine beginning a boot process. The method further includes the target machine determining that it needs provisioning data to continue booting. The target machine contacts a secure infrastructure to obtain the provisioning data. The target machine provides an identity claim that can be verified by the secure infrastructure. As a result of the secure infrastructure verifying the identity claim, the target machine receives a request from the secure infrastructure to establish a key sealed to the target machine. The target machine provides the established key to the secure infrastructure. The target machine receives the provisioning data from the secure infrastructure. The provisioning data is encrypted to the established key. The target machine decrypts the encrypted provisioning data, and uses the provisioning data to finish booting.Type: ApplicationFiled: November 9, 2016Publication date: March 2, 2017Inventors: Mark Fishel Novak, Nir Ben-Zvi, John Anthony Messec, Kinshuman Kinshumann, Christopher McCarron
-
Patent number: 9578017Abstract: Deploying an encrypted entity on a trusted entity is illustrated herein. A method includes, at a trusted entity, wherein the trusted entity is trusted by an authority as a result of providing a verifiable indication of certain characteristics of the trusted entity meeting certain requirements, receiving an encrypted entity from an untrusted entity. The untrusted entity is not trusted by the authority. At the trusted entity, a trust credential from the authority is used to obtain a key from a key distribution service. The key distribution service is trusted by the authority. The key is used to decrypt the encrypted entity to allow the encrypted entity to be deployed at the trusted entity.Type: GrantFiled: October 1, 2014Date of Patent: February 21, 2017Assignee: Microsoft Technology Licensing, LLCInventors: Niels T. Ferguson, Yevgeniy Anatolievich Samsonov, Kinshuman Kinshumann, Samartha Chandrashekar, John Anthony Messec, Mark Fishel Novak, Christopher McCarron, Amitabh Prakash Tamhane, Qiang Wang, David Matthew Kruse, Nir Ben-Zvi, Anders Bertil Vinberg
-
Patent number: 9519787Abstract: Booting a machine in a secure fashion in a potentially unsecure environment. The method includes a target machine beginning a boot process. The method further includes the target machine determining that it needs provisioning data to continue booting. The target machine contacts a secure infrastructure to obtain the provisioning data. The target machine provides an identity claim that can be verified by the secure infrastructure. As a result of the secure infrastructure verifying the identity claim, the target machine receives a request from the secure infrastructure to establish a key sealed to the target machine. The target machine provides the established key to the secure infrastructure. The target machine receives the provisioning data from the secure infrastructure. The provisioning data is encrypted to the established key. The target machine decrypts the encrypted provisioning data, and uses the provisioning data to finish booting.Type: GrantFiled: November 14, 2014Date of Patent: December 13, 2016Assignee: Microsoft Technology Licensing, LLCInventors: Mark Fishel Novak, Nir Ben-Zvi, John Anthony Messec, Kinshuman Kinshumann, Christopher McCarron
-
Publication number: 20160357988Abstract: A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.Type: ApplicationFiled: August 22, 2016Publication date: December 8, 2016Inventors: Niels T. Ferguson, Yevgeniy Anatolievich Samsonov, Kinshuman Kinshumann, Samartha Chandrashekar, John Anthony Messec, Mark Fishel Novak, Christopher McCarron, Amitabh Prakash Tamhane, Qiang Wang, David Matthew Kruse, Nir Ben-Zvi, Anders Bertil Vinberg