Patents by Inventor Pierre-Olivier J. Martel
Pierre-Olivier J. Martel has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11514157Abstract: Some embodiments provide a method for a device having multiple users. The method identifies a process installed on the device that requires an isolated storage in a file system of the device. For each of a set of the users of the electronic device, the method assigns at least one container for use by the process within a user-specific section of the file system. The containers assigned to the process in a section of the file system specific to a particular user are only accessible by the process when the particular user is logged into the device. The method assigns at least one container for use by the process within a non-user-specific section of the file system. The containers assigned to the process within the non-user-specific section of the file system are accessible by the process irrespective of which user is logged into the device.Type: GrantFiled: April 20, 2020Date of Patent: November 29, 2022Assignee: Apple Inc.Inventors: Andrew S. Terry, Kelly B. Yancey, Pierre-Olivier J. Martel, Richard L. Hagy, Timothy P. Hannon, Alastair K. Fettes
-
Patent number: 11385816Abstract: Representative embodiments set forth herein disclose techniques for implementing improved links between paths of one or more file systems. According to some embodiments, techniques are disclosed for establishing a system volume and a data volume within a container. According to other embodiments, techniques are disclosed for establishing a link from a source path of a system volume within a container to a target path of a data volume within the container. According to yet other embodiments, techniques are disclosed for determining whether to allow a file system operation on a data volume of a container based on at least determining whether a target path is associated with a reference to a source path.Type: GrantFiled: May 20, 2020Date of Patent: July 12, 2022Inventors: Vivek Verma, Damien P. Sorresso, Pavel Sokolov, Pierre-Olivier J. Martel, Eric B. Tamura, Yoni Baron
-
Patent number: 11228421Abstract: Secure secrets can be used, in one embodiment, to generate a master key. In one embodiment, a first secret value, generated and stored in a first secure element, can be used with a user's credential (e.g., a user's passcode) to generate, through a first key derivation function, a second secret value. A master key can then be generated through a second key derivation function based on the second secret value and a derived or stored secret such as a device's unique identifier.Type: GrantFiled: January 30, 2018Date of Patent: January 18, 2022Assignee: Apple Inc.Inventors: Arthur Mesh, Jerrold V. Hauck, Pierre-Olivier J. Martel, Wade Benson, Oren M. Elrad
-
Patent number: 11188477Abstract: In an embodiment, a computer system comprises a page protection layer. The page protection layer may be the component in the system which manages the page tables for virtual to physical page mappings. Transactions to the page protection layer are used to create/manage mappings created in the page tables. The page protection layer may enforce dynamic security policies in the system (i.e. security policies that may not be enforced using only a static hardware configuration). In an embodiment, the page protection layer may ensure that it is the only component which is able to modify the page tables. The page protection layer may ensure than no component in the system is able to modify a page that is marked executable in any process' address space. The page protection may ensure that any page that is marked executable has code with a verified code signature, in an embodiment.Type: GrantFiled: September 9, 2019Date of Patent: November 30, 2021Assignee: Apple Inc.Inventors: Julien Oster, Thomas G. Holland, Bernard J. Semeria, Jason A. Harmening, Pierre-Olivier J. Martel, Gregory D. Hughes, P. Love Hornquist Astrand, Jacques Fortier, Ryan P. Nielson, Simon P. Cooper
-
Patent number: 11176280Abstract: Techniques are disclosed in which a secure circuit controls a gating circuit to enable or disable other circuity of a device (e.g., one or more input sensors). For example, the gating circuit may be a power gating circuit and the secure circuit may be configured to disable power to an input sensor in certain situations. As another example, the gating circuit may be a clock gating circuit and the secure circuit may be configured to disable the clock to an input sensor. As yet another example, the gating circuit may be configured to gate a control bus and the secure circuit may be configured to disable control signals to an input sensor. In some embodiments, hardware resources included in or controlled by the secure circuit are not accessible by other elements of the device, other than by sending requests to a predetermined set of memory locations (e.g., a secure mailbox).Type: GrantFiled: September 29, 2017Date of Patent: November 16, 2021Assignee: Apple Inc.Inventors: Pierre-Olivier J. Martel, Jeffrey R. Wilcox, Ian P. Shaeffer, Andrew D. Myrick, Robert W. Hill, Tristan F. Schaap
-
Patent number: 11176021Abstract: Improved messaging applications are described that use a first set of software to test rendering of a message, and if the test is successful the message is allowed to be presented. In one embodiment, a first set of software can attempt to test the renderability of a message and if the test is successful, the message can be stored in a message database. In one embodiment, the first set of software operates in a separate sandbox from a sandbox for a messaging application which displays the message. The first set of software can operate in a first process which is different than a process in which the messaging application runs.Type: GrantFiled: May 29, 2019Date of Patent: November 16, 2021Assignee: APPLE INC.Inventors: Eugene Bistolas, Ryan Nielsen, Pierre J. De Filippis, David P. Remahl, Cristina Formaini, Pierre-Olivier J. Martel, Lilynaz Hashemi, Stephen Lottermoser
-
Patent number: 11100242Abstract: Techniques for access control of a data processing system are described. In one embodiment, in response to a request from an application for accessing a resource of a data processing system, it is determined a first class of resources the requested resource belongs. A second class of resources the application is entitled to access is determined based on a resource entitlement encoded within the application and authorized by a predetermined authority. The application is allowed to access the resource if the first class and the second class of resources are matched. The application is denied from accessing the resource if the first class and the second class are not matched, regardless an operating privilege level of the application.Type: GrantFiled: May 30, 2014Date of Patent: August 24, 2021Assignee: Apple Inc.Inventors: Ivan Krstic, Pierre-Olivier J. Martel, Austin G. Jennings
-
Patent number: 11023587Abstract: In an embodiment, a system supports an external trust cache. That is, the trust cache is separate from the kernel image on the non-volatile storage in the system. During boot, the boot code may read the trust cache from the storage and write it to the working memory of the system (e.g. the Random Access Memory (RAM) forming the memory system in the system). The boot code may also validate the kernel image and write it to the memory system. The boot code may program a region register in the processor to define a region in the working memory that encompasses the kernel image and the trust cache, to protect the region from modification/tampering.Type: GrantFiled: September 29, 2018Date of Patent: June 1, 2021Assignee: Apple Inc.Inventors: Julien Oster, Eric S. Harmon, Mitchell K. Allison, Pierre-Olivier J. Martel, Damien P. Sorresso, Dallas B. De Atley, Ryan P. Nielsen
-
Publication number: 20200379662Abstract: Representative embodiments set forth herein disclose techniques for implementing improved links between paths of one or more file systems. According to some embodiments, techniques are disclosed for establishing a system volume and a data volume within a container. According to other embodiments, techniques are disclosed for establishing a link from a source path of a system volume within a container to a target path of a data volume within the container. According to yet other embodiments, techniques are disclosed for determining whether to allow a file system operation on a data volume of a container based on at least determining whether a target path is associated with a reference to a source path.Type: ApplicationFiled: May 20, 2020Publication date: December 3, 2020Inventors: Vivek VERMA, Damien P. SORRESSO, Pavel SOKOLOV, Pierre-Olivier J. MARTEL, Eric B. TAMURA, Yoni BARON
-
Patent number: 10754931Abstract: According to one embodiment, a security manager of a first operating system executed by a processor of a data processing system receives a request received from an application to modify a security settings of the data processing system. In response to the request, the data processing system is restarted into a second operating system, where the second operating system includes functionalities that are fewer than the first operating system. The security settings of the data processing system is modified within the second operating system. After the security settings of the data processing system has been modified, the data processing is rebooted back to the first operating system. A security measure within the first operating system is enforced based on the modified security settings.Type: GrantFiled: January 19, 2016Date of Patent: August 25, 2020Assignee: Apple Inc.Inventors: Pierre-Olivier J. Martel, Austin G. Jennings
-
Publication number: 20200265157Abstract: Some embodiments provide a method for a device having multiple users. The method identifies a process installed on the device that requires an isolated storage in a file system of the device. For each of a set of the users of the electronic device, the method assigns at least one container for use by the process within a user-specific section of the file system. The containers assigned to the process in a section of the file system specific to a particular user are only accessible by the process when the particular user is logged into the device. The method assigns at least one container for use by the process within a non-user-specific section of the file system. The containers assigned to the process within the non-user-specific section of the file system are accessible by the process irrespective of which user is logged into the device.Type: ApplicationFiled: April 20, 2020Publication date: August 20, 2020Inventors: Andrew S. TERRY, Kelly B. YANCEY, Pierre-Olivier J. MARTEL, Richard L. HAGY, Timothy P. HANNON, Alastair K. FETTES
-
Patent number: 10747908Abstract: Techniques are disclosed in which a secure circuit controls a gating circuit to enable or disable other circuitry of a device (e.g., one or more input sensors). For example, the gating circuit may be a power gating circuit and the secure circuit may be configured to disable power to an input sensor in certain situations. As another example, the gating circuit may be a clock gating circuit and the secure circuit may be configured to disable the clock to an input sensor. As yet another example, the gating circuit may be configured to gate a control bus and the secure circuit may be configured to disable control signals to an input sensor. In some embodiments, hardware resources included in or controlled by the secure circuit are not accessible by other elements of the device, other than by sending requests to a predetermined set of memory locations (e.g., a secure mailbox).Type: GrantFiled: September 11, 2018Date of Patent: August 18, 2020Assignee: Apple Inc.Inventors: Pierre-Olivier J. Martel, Jeffrey R. Wilcox, Ian P. Shaeffer, Andrew D. Myrick, Robert W. Hill, Tristan F. Schaap
-
Patent number: 10628580Abstract: Some embodiments provide a method for a device having multiple users. The method identifies a process installed on the device that requires an isolated storage in a file system of the device. For each of a set of the users of the electronic device, the method assigns at least one container for use by the process within a user-specific section of the file system. The containers assigned to the process in a section of the file system specific to a particular user are only accessible by the process when the particular user is logged into the device. The method assigns at least one container for use by the process within a non-user-specific section of the file system. The containers assigned to the process within the non-user-specific section of the file system are accessible by the process irrespective of which user is logged into the device.Type: GrantFiled: September 22, 2016Date of Patent: April 21, 2020Assignee: APPLE INC.Inventors: Andrew S. Terry, Kelly B. Yancey, Pierre-Olivier J. Martel, Richard L. Hagy, Timothy P. Hannon, Alastair K. Fettes
-
Publication number: 20200081847Abstract: In an embodiment, a computer system comprises a page protection layer. The page protection layer may be the component in the system which manages the page tables for virtual to physical page mappings. Transactions to the page protection layer are used to create/manage mappings created in the page tables. The page protection layer may enforce dynamic security policies in the system (i.e. security policies that may not be enforced using only a static hardware configuration). In an embodiment, the page protection layer may ensure that it is the only component which is able to modify the page tables. The page protection layer may ensure than no component in the system is able to modify a page that is marked executable in any process' address space. The page protection may ensure that any page that is marked executable has code with a verified code signature, in an embodiment.Type: ApplicationFiled: September 9, 2019Publication date: March 12, 2020Inventors: Julien Oster, Thomas G. Holland, Bernard J. Semeria, Jason A. Harmening, Pierre-Olivier J. Martel, Gregory D. Hughes, P. Love Hornquist Astrand, Jacques Fortier, Ryan P. Nielson, Simon P. Cooper
-
Patent number: 10515209Abstract: A method and apparatus of a device for security management by sandboxing third-party components is described. The device can determine whether a third-party component supports network access. If the third-party component supports network access, the device can request a user input regarding whether to restrict the network access of the component. The device can receive a user input to restrict network access of the third-party component. Upon receiving the user input to restrict network access, the device can construct a sandbox for the third-party component to restrict network access of the component and prevent the component from performing data exfiltration. Other embodiments are also described and claimed.Type: GrantFiled: April 12, 2018Date of Patent: December 24, 2019Assignee: Apple Inc.Inventors: Kelly B. Yancey, Pierre-Olivier J. Martel
-
Publication number: 20190370154Abstract: Improved messaging applications are described that use a first set of software to test rendering of a message, and if the test is successful the message is allowed to be presented. In one embodiment, a first set of software can attempt to test the renderability of a message and if the test is successful, the message can be stored in a message database. In one embodiment, the first set of software operates in a separate sandbox from a sandbox for a messaging application which displays the message. The first set of software can operate in a first process which is different than a process in which the messaging application runs.Type: ApplicationFiled: May 29, 2019Publication date: December 5, 2019Inventors: Eugene Bistolas, Ryan Nielsen, Pierre J. De Filippis, David P. Remahl, Cristina Formaini, Pierre-Olivier J. Martel, Lilynaz Hashemi, Stephen Lottermoser
-
Publication number: 20190370469Abstract: In an embodiment, a system supports an external trust cache. That is, the trust cache is separate from the kernel image on the non-volatile storage in the system. During boot, the boot code may read the trust cache from the storage and write it to the working memory of the system (e.g. the Random Access Memory (RAM) forming the memory system in the system). The boot code may also validate the kernel image and write it to the memory system. The boot code may program a region register in the processor to define a region in the working memory that encompasses the kernel image and the trust cache, to protect the region from modification/tampering.Type: ApplicationFiled: September 29, 2018Publication date: December 5, 2019Inventors: Julien Oster, Eric S. Harmon, Mitchell K. Allison, Pierre-Olivier J. Martel, Damien P. Sorresso, Dallas B. De Atley, Ryan P. Nielsen
-
Patent number: 10216928Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.Type: GrantFiled: July 28, 2017Date of Patent: February 26, 2019Assignee: Apple Inc.Inventors: Pierre-Olivier J. Martel, Kelly B. Yancey, Richard L. Hagy
-
Publication number: 20190026501Abstract: Techniques are disclosed in which a secure circuit controls a gating circuit to enable or disable other circuitry of a device (e.g., one or more input sensors). For example, the gating circuit may be a power gating circuit and the secure circuit may be configured to disable power to an input sensor in certain situations. As another example, the gating circuit may be a clock gating circuit and the secure circuit may be configured to disable the clock to an input sensor. As yet another example, the gating circuit may be configured to gate a control bus and the secure circuit may be configured to disable control signals to an input sensor. In some embodiments, hardware resources included in or controlled by the secure circuit are not accessible by other elements of the device, other than by sending requests to a predetermined set of memory locations (e.g., a secure mailbox).Type: ApplicationFiled: September 11, 2018Publication date: January 24, 2019Inventors: Pierre-Olivier J. Martel, Jeffrey R. Wilcox, Ian P. Shaeffer, Andrew D. Myrick, Robert W. Hill, Tristan F. Schaap
-
Publication number: 20180349649Abstract: Techniques are disclosed in which a secure circuit controls a gating circuit to enable or disable other circuity of a device (e.g., one or more input sensors). For example, the gating circuit may be a power gating circuit and the secure circuit may be configured to disable power to an input sensor in certain situations. As another example, the gating circuit may be a clock gating circuit and the secure circuit may be configured to disable the clock to an input sensor. As yet another example, the gating circuit may be configured to gate a control bus and the secure circuit may be configured to disable control signals to an input sensor. In some embodiments, hardware resources included in or controlled by the secure circuit are not accessible by other elements of the device, other than by sending requests to a predetermined set of memory locations (e.g., a secure mailbox).Type: ApplicationFiled: September 29, 2017Publication date: December 6, 2018Inventors: Pierre-Olivier J. Martel, Jeffrey R. Wilcox, Ian P. Shaeffer, Andrew D. Myrick, Robert W. Hill, Tristan F. Schaap