Virtual machine monitor providing secure cryptographic operations

    公开(公告)号:US11537421B1

    公开(公告)日:2022-12-27

    申请号:US16435279

    申请日:2019-06-07

    Abstract: Computer systems and methods are disclosed to implement a virtual machine monitor (VMM) that stores cryptographic keys for guest virtual machines (VMs) and securely executes cryptographic operations on the VMs' behalf using the stored cryptographic keys. The cryptographic keys are maintained in a key store that is accessible to the VMM but not accessible to the guest VMs. The cryptographic operations are executed in a manner that does not reveal the cryptographic keys to the guest VMs. In embodiments, the guest VMs may invoke the cryptographic operations via a device driver, a memory access interface, or some other mechanism. Advantageously, the guest VMs cannot obtain the cryptographic keys in their own memory space, so that the keys cannot be exfiltrated from the guest VMs. Embodiments of the VMM may be used to implement cryptographic operations such as request signing and verification, data encryption and decryption, and others.

    Security protocols for low latency execution of program code

    公开(公告)号:US11461124B2

    公开(公告)日:2022-10-04

    申请号:US16778437

    申请日:2020-01-31

    Abstract: A system for providing security mechanisms for secure execution of program code is described. The system may be configured to maintain a plurality of virtual machine instances. The system may be further configured to receive a request to execute a program code and allocate computing resources for executing the program code on one of the virtual machine instances. One mechanism involves executing program code according to a user-specified security policy. Another mechanism involves executing program code that may be configured to communicate or interface with an auxiliary service. Another mechanism involves splitting and executing program code in a plurality of portions, where some portions of the program code are executed in association with a first level of trust and some portions of the program code are executed with different levels of trust.

    Processing pre-existing data sets at an on demand code execution environment

    公开(公告)号:US10891145B2

    公开(公告)日:2021-01-12

    申请号:US15085902

    申请日:2016-03-30

    Abstract: Systems and methods are described for transforming a data set within a data source into a series of task calls to an on-demand code execution environment or other distributed code execution environment. Such environments utilize pre-initialized virtual machine instances to enable execution of user-specified code in a rapid manner, without delays typically caused by initialization of the virtual machine instances, and are often used to process data in near-real time, as it is created. However, limitations in computing resources may inhibit a user from utilizing an on-demand code execution environment to simultaneously process a large, existing data set. The present application provides a task generation system that can iteratively retrieve data items from an existing data set and generate corresponding task calls to the on-demand computing environment, while ensuring that at least one task call for each data item within the existing data set is made.

    On-demand network code execution with cross-account aliases

    公开(公告)号:US10203990B2

    公开(公告)日:2019-02-12

    申请号:US15199613

    申请日:2016-06-30

    Abstract: Systems and methods are described for utilizing cross-account access to tasks on an on-demand code execution environment or other distributed code execution environment to implement an application programming interface (API) on a network-accessible service. An on-demand code execution environment can utilize pre-initialized virtual machine instances to enable execution of user-specified code in a rapid manner, without delays typically caused by initialization of the virtual machine instances. While users may generally execute their own code, the present application enables code of a first user to be executed by a second user, while maintaining the privacy and security of the code and associated accounts. Further, the present application enables a set of tasks to be grouped together as an API, enabling any user to create an API for a service, while the on-demand code execution environment manages execution of the tasks and allocation of underlying computing resources.

    ASYNCHRONOUS TASK MANAGEMENT IN AN ON-DEMAND NETWORK CODE EXECUTION ENVIRONMENT

    公开(公告)号:US20170371706A1

    公开(公告)日:2017-12-28

    申请号:US15195897

    申请日:2016-06-28

    CPC classification number: G06F9/52 G06F9/485

    Abstract: Systems and methods are described for managing asynchronous code executions in an on-demand code execution system or other distributed code execution environment, in which multiple execution environments, such as virtual machine instances, can be used to enable rapid execution of user-submitted code. When asynchronous executions occur, one execution may become blocked while waiting for completion of another execution. Because the on-demand code execution system contains multiple execution environments, the system can efficiently handle a blocked execution by saving a state of the execution, and removing it from its execution environment. When a blocking dependency operation completes, the system can resume the blocked execution using the state information, in the same or different execution environment.

    SECURITY PROTOCOLS FOR LOW LATENCY EXECUTION OF PROGRAM CODE

    公开(公告)号:US20160224360A1

    公开(公告)日:2016-08-04

    申请号:US14613735

    申请日:2015-02-04

    CPC classification number: G06F9/45558 G06F2009/4557

    Abstract: A system for providing security mechanisms for secure execution of program code is described. The system may be configured to maintain a plurality of virtual machine instances. The system may be further configured to receive a request to execute a program code and allocate computing resources for executing the program code on one of the virtual machine instances. One mechanism involves executing program code according to a user-specified security policy. Another mechanism involves executing program code that may be configured to communicate or interface with an auxiliary service. Another mechanism involves splitting and executing program code in a plurality of portions, where some portions of the program code are executed in association with a first level of trust and some portions of the program code are executed with different levels of trust.

    Security protocols for low latency execution of program code

    公开(公告)号:US10552193B2

    公开(公告)日:2020-02-04

    申请号:US15676777

    申请日:2017-08-14

    Abstract: A system for providing security mechanisms for secure execution of program code is described. The system may be configured to maintain a plurality of virtual machine instances. The system may be further configured to receive a request to execute a program code and allocate computing resources for executing the program code on one of the virtual machine instances. One mechanism involves executing program code according to a user-specified security policy. Another mechanism involves executing program code that may be configured to communicate or interface with an auxiliary service. Another mechanism involves splitting and executing program code in a plurality of portions, where some portions of the program code are executed in association with a first level of trust and some portions of the program code are executed with different levels of trust.

    Asynchronous task management in an on-demand network code execution environment

    公开(公告)号:US10282229B2

    公开(公告)日:2019-05-07

    申请号:US15195920

    申请日:2016-06-28

    Abstract: Systems and methods are described for managing asynchronous code executions in an on-demand code execution system or other distributed code execution environment, in which multiple execution environments, such as virtual machine instances, can be used to enable rapid execution of user-submitted code. When asynchronous executions occur, a first execution may call a second execution, but not immediately need the second execution to complete. To efficiently allocate computing resources, this disclosure enables the second execution to be scheduled accordingly to a state of the on-demand code execution system, while still ensuring the second execution completes prior to the time required by the first execution. Scheduling of executions can, for example, enable more efficient load balancing on the on-demand code execution system.

    On-demand network code execution with cross-account aliases

    公开(公告)号:US10277708B2

    公开(公告)日:2019-04-30

    申请号:US15199490

    申请日:2016-06-30

    Abstract: Systems and methods are described for managing cross-account access to tasks on an on-demand code execution environment or other distributed code execution environment. Such environments utilize pre-initialized virtual machine instances to enable execution of user-specified code in a rapid manner, without delays typically caused by initialization of the virtual machine instances. However, to ensure security, the code of different users is generally maintained separately, and executed on separate virtual machines. Embodiments described herein enable users of a first account to execute code of a second account, without gaining access to the code itself and while maintaining the privacy and security of each account. Specifically, aliases for a task of a first account can be created on a task of a second account, and used to invoke that task on behalf of the first account. Aliases may also allow users to customize how the task is executed.

Patent Agency Ranking