公开(公告)号：US11537421B1

公开(公告)日：2022-12-27

申请号：US16435279

申请日：2019-06-07

Applicant: Amazon Technologies, Inc.

Inventor： Marc John Brooker ,  Ajay Nair

IPC: G06F9/455 ,  H04L9/08 ,  G06F21/60 ,  G06F13/42

Abstract: Computer systems and methods are disclosed to implement a virtual machine monitor (VMM) that stores cryptographic keys for guest virtual machines (VMs) and securely executes cryptographic operations on the VMs' behalf using the stored cryptographic keys. The cryptographic keys are maintained in a key store that is accessible to the VMM but not accessible to the guest VMs. The cryptographic operations are executed in a manner that does not reveal the cryptographic keys to the guest VMs. In embodiments, the guest VMs may invoke the cryptographic operations via a device driver, a memory access interface, or some other mechanism. Advantageously, the guest VMs cannot obtain the cryptographic keys in their own memory space, so that the keys cannot be exfiltrated from the guest VMs. Embodiments of the VMM may be used to implement cryptographic operations such as request signing and verification, data encryption and decryption, and others.

公开(公告)号：US11461124B2

公开(公告)日：2022-10-04

申请号：US16778437

申请日：2020-01-31

Applicant: Amazon Technologies, Inc.

Inventor： Timothy Allen Wagner ,  Dylan Chandler Thomas ,  Ajay Nair

IPC: G06F9/455

Abstract: A system for providing security mechanisms for secure execution of program code is described. The system may be configured to maintain a plurality of virtual machine instances. The system may be further configured to receive a request to execute a program code and allocate computing resources for executing the program code on one of the virtual machine instances. One mechanism involves executing program code according to a user-specified security policy. Another mechanism involves executing program code that may be configured to communicate or interface with an auxiliary service. Another mechanism involves splitting and executing program code in a plurality of portions, where some portions of the program code are executed in association with a first level of trust and some portions of the program code are executed with different levels of trust.

公开(公告)号：US10891145B2

公开(公告)日：2021-01-12

申请号：US15085902

申请日：2016-03-30

Applicant: Amazon Technologies, Inc.

Inventor： Timothy Allen Wagner ,  Marc John Brooker ,  Ajay Nair

IPC: G06F12/08 ,  G06F9/455 ,  G06F12/0875

Abstract: Systems and methods are described for transforming a data set within a data source into a series of task calls to an on-demand code execution environment or other distributed code execution environment. Such environments utilize pre-initialized virtual machine instances to enable execution of user-specified code in a rapid manner, without delays typically caused by initialization of the virtual machine instances, and are often used to process data in near-real time, as it is created. However, limitations in computing resources may inhibit a user from utilizing an on-demand code execution environment to simultaneously process a large, existing data set. The present application provides a task generation system that can iteratively retrieve data items from an existing data set and generate corresponding task calls to the on-demand computing environment, while ensuring that at least one task call for each data item within the existing data set is made.

公开(公告)号：US10203990B2

公开(公告)日：2019-02-12

申请号：US15199613

申请日：2016-06-30

Applicant: Amazon Technologies, Inc.

Inventor： Timothy Allen Wagner ,  Marc John Brooker ,  Ajay Nair ,  Derek Steven Manwaring

IPC: G06F9/50 ,  G06F9/48

Abstract: Systems and methods are described for utilizing cross-account access to tasks on an on-demand code execution environment or other distributed code execution environment to implement an application programming interface (API) on a network-accessible service. An on-demand code execution environment can utilize pre-initialized virtual machine instances to enable execution of user-specified code in a rapid manner, without delays typically caused by initialization of the virtual machine instances. While users may generally execute their own code, the present application enables code of a first user to be executed by a second user, while maintaining the privacy and security of the code and associated accounts. Further, the present application enables a set of tasks to be grouped together as an API, enabling any user to create an API for a service, while the on-demand code execution environment manages execution of the tasks and allocation of underlying computing resources.

公开(公告)号：US20170371706A1

公开(公告)日：2017-12-28

申请号：US15195897

申请日：2016-06-28

Applicant: Amazon Technologies, Inc.

Inventor： Timothy Allen Wagner ,  Marc John Brooker ,  Ajay Nair

IPC: G06F9/48

CPC classification number: G06F9/52 ,  G06F9/485

Abstract: Systems and methods are described for managing asynchronous code executions in an on-demand code execution system or other distributed code execution environment, in which multiple execution environments, such as virtual machine instances, can be used to enable rapid execution of user-submitted code. When asynchronous executions occur, one execution may become blocked while waiting for completion of another execution. Because the on-demand code execution system contains multiple execution environments, the system can efficiently handle a blocked execution by saving a state of the execution, and removing it from its execution environment. When a blocking dependency operation completes, the system can resume the blocked execution using the state information, in the same or different execution environment.

公开(公告)号：US20160224360A1

公开(公告)日：2016-08-04

申请号：US14613735

申请日：2015-02-04

Applicant: Amazon Technologies, Inc.

Inventor： Timothy Allen Wagner ,  Dylan Chandler Thomas ,  Ajay Nair

IPC: G06F9/455 ,  G06F9/445

CPC classification number: G06F9/45558 ,  G06F2009/4557

Abstract: A system for providing security mechanisms for secure execution of program code is described. The system may be configured to maintain a plurality of virtual machine instances. The system may be further configured to receive a request to execute a program code and allocate computing resources for executing the program code on one of the virtual machine instances. One mechanism involves executing program code according to a user-specified security policy. Another mechanism involves executing program code that may be configured to communicate or interface with an auxiliary service. Another mechanism involves splitting and executing program code in a plurality of portions, where some portions of the program code are executed in association with a first level of trust and some portions of the program code are executed with different levels of trust.

公开(公告)号：US11762703B2

公开(公告)日：2023-09-19

申请号：US17081756

申请日：2020-10-27

Applicant: Amazon Technologies, Inc.

Inventor： Manigandan Radhakrishnan ,  Marc John Brooker ,  Yilmaz Can Cecen ,  David Alexander Dunlap ,  Craig Wesley Howard ,  Shubham Katiyar ,  Ajay Nair ,  Venkatesh Vijayaraghavan ,  Vo Vuong ,  Meenakshi Vembusubramanian

IPC: G06F9/50

CPC classification number: G06F9/5044 ,  G06F2209/549

Abstract: An on-demand code execution environment present in points of presence (POPs) and in regions serviced by the POPs is provided herein. For example, a POP may receive a request to execute a task associated with user-defined code. If the POP determines that the computing resources necessary to execute a received task are not available or that the POP should not execute the received task for another reason (e.g., the task is not commonly received and the computing resources needed to execute the task are therefore best allocated for other requests), the POP can forward the task to a region that the POP services for execution by an on-demand code execution environment present in the region. The on-demand code execution environment present in the region can execute the task and forward the results of the execution to the POP for distribution back to a user device that requested the task execution.

公开(公告)号：US10552193B2

公开(公告)日：2020-02-04

申请号：US15676777

申请日：2017-08-14

Applicant: Amazon Technologies, Inc.

Inventor： Timothy Allen Wagner ,  Dylan Chandler Thomas ,  Ajay Nair

IPC: G06F9/455

Abstract: A system for providing security mechanisms for secure execution of program code is described. The system may be configured to maintain a plurality of virtual machine instances. The system may be further configured to receive a request to execute a program code and allocate computing resources for executing the program code on one of the virtual machine instances. One mechanism involves executing program code according to a user-specified security policy. Another mechanism involves executing program code that may be configured to communicate or interface with an auxiliary service. Another mechanism involves splitting and executing program code in a plurality of portions, where some portions of the program code are executed in association with a first level of trust and some portions of the program code are executed with different levels of trust.

公开(公告)号：US10282229B2

公开(公告)日：2019-05-07

申请号：US15195920

申请日：2016-06-28

Applicant: Amazon Technologies, Inc.

Inventor： Timothy Allen Wagner ,  Marc John Brooker ,  Ajay Nair

IPC: G06F9/46 ,  G06F9/48 ,  G06F9/50

Abstract: Systems and methods are described for managing asynchronous code executions in an on-demand code execution system or other distributed code execution environment, in which multiple execution environments, such as virtual machine instances, can be used to enable rapid execution of user-submitted code. When asynchronous executions occur, a first execution may call a second execution, but not immediately need the second execution to complete. To efficiently allocate computing resources, this disclosure enables the second execution to be scheduled accordingly to a state of the on-demand code execution system, while still ensuring the second execution completes prior to the time required by the first execution. Scheduling of executions can, for example, enable more efficient load balancing on the on-demand code execution system.

公开(公告)号：US10277708B2

公开(公告)日：2019-04-30

申请号：US15199490

申请日：2016-06-30

Applicant: Amazon Technologies, Inc.

Inventor： Timothy Allen Wagner ,  Marc John Brooker ,  Ajay Nair ,  Derek Steven Manwaring

IPC: G06F9/455 ,  H04L29/08 ,  G06F9/46

Abstract: Systems and methods are described for managing cross-account access to tasks on an on-demand code execution environment or other distributed code execution environment. Such environments utilize pre-initialized virtual machine instances to enable execution of user-specified code in a rapid manner, without delays typically caused by initialization of the virtual machine instances. However, to ensure security, the code of different users is generally maintained separately, and executed on separate virtual machines. Embodiments described herein enable users of a first account to execute code of a second account, without gaining access to the code itself and while maintaining the privacy and security of each account. Specifically, aliases for a task of a first account can be created on a task of a second account, and used to invoke that task on behalf of the first account. Aliases may also allow users to customize how the task is executed.