Abstract:
A code patching component may insert a binary patch into a native-code representation of a program during execution. Prior to inserting the binary patch, a patch code analysis tool may receive a source code patch for the program, and determine that applying the source code patch would change the binary for the program outside of the patched area (e.g., due to changes in the number of lines, changes in the file names or path information for source code files from which the program is built, or line directives that embed line numbers or file names in the binary for the patched program). The tool may modify the source code patch to limit its effects to the patch area by adding empty lines, merging lines of code, or forcing a line number change. The tool may filter line directives to match previously embedded file name information.
Abstract:
A computer system and associated methods are disclosed for mitigating side-channel attacks using a shared cache. The computer system includes a host having a main memory and a shared cache. The host executes a virtual machine manager (VMM) that supports a plurality of co-located virtual machines (VMs), which can initiate side-channel attacks using the shared cache. The VMM is configured to maintain respective memory maps for the VMs. The VMM is further configured to determine a subset of current host memory pages for a selected VM that can be used in a side-channel attack, relocate the contents of the current host memory pages to replacement host memory pages in the main memory, and modify the subset of entries to change current host memory pages to the respective replacement host memory pages.
Abstract:
In a virtualization environment, a guest process may protect itself from potential timing side-channel attacks by other guest processes on the same host machine by taking steps to avoid same-page merging for memory pages that it accesses. Pages that include critical code (e.g., cryptographic functions) or sensitive data (e.g., cryptography keys) may be designated as important pages to protect from such attacks. A placeholder location of a specified size for storing a non-deterministic value (e.g., a random or pseudorandom number) may be inserted into these pages when instantiated, making them unlikely to match pages accessed by other guests. Therefore, the host machine may be unlikely to identify them as pages for which there is a same-page merging opportunity. The values in the placeholder locations may be updated periodically or in response to certain events (e.g., context switches between guests or the detection of same-page merging).
Abstract:
A particular portion of a program which can be read from on-disk representations of the program as well as from memory images of the program is identified for use as a version discriminator. A first representation of the portion may be obtained from a first memory image of the program, corresponding to a first running instance of the program. The first representation may be compared to a second representation obtained at a development environment. Based on the results of the comparison, a particular version of the program corresponding to the first running instance may be identified. An indication of the particular version may be stored.
Abstract:
Systems and methods are described for managing computing resources by a provider network. A selection of a pricing plan for use of a computing resource is received. The pricing plan can include a premium for continued use of the computing resource during a maintenance window, or a cost benefit for interrupting use of the computing resource during the maintenance window. Maintenance is performed on the computing device in accordance with the maintenance window and based on the selected pricing plan.
Abstract:
Computer systems and associated methods are disclosed for performing custom code transformations using a compiler that does not support the custom transformations. In embodiments, a wrapper program intercepts a command to the compiler. The wrapper program generates intermediate code using the compiler in accordance with the command. The wrapper program then performs the code transformations on the intermediate code using a code transformer, for example, by performing a search and replace operation to replace particular code sequences in the intermediate code. The wrapper program then generates the binary code from the transformed intermediate code in accordance with the command. In this manner, software may be compiled with the custom code transformations without extensive changes to the source code or the compiler. In one application, the technique may be used to build a hot patch that applies a security update to software using the software's original compiler.
Abstract:
Systems and processes for managing memory compression security to mitigate security risks related to compressed memory page access are disclosed herein. A system for managing memory compression security includes a system memory and a memory manager. The system memory includes an uncompressed region configured to store a plurality of uncompressed memory pages and a compressed region configured to store a plurality of compressed memory pages. The memory manager identifies a memory page in the uncompressed region of the system memory as a candidate for compression and estimates a decompression time for a compressed version of the identified memory page. The memory manager determines whether the estimated decompression time is less than a constant decompression time. The memory manager, based on a determination that the estimated decompression time is less than the constant decompression time, compresses the memory page and writes the compressed memory page in the compressed region.
Abstract:
Methods and apparatus for checksumming network packets encapsulated according to an encapsulation protocol are described in which a single checksum is performed at the encapsulation layer, with checksum generation performed at the source encapsulation layer and checksum validation performed at the destination encapsulation layer. The packet source and packet destination may be informed by the encapsulation layer that a checksum operation is not necessary for the network packets. By performing checksumming at the encapsulation layer, the method may reduce overhead as checksum computation is initiated once rather than twice as in conventional encapsulation techniques. In addition, checksum algorithms may be used that provide stronger error detection or correction than is provided by standard network protocol checksumming, different checksum algorithms may be selected for different paths according to one or more criteria, and checksum operations may be offloaded to hardware.