公开(公告)号：US11714682B1

公开(公告)日：2023-08-01

申请号：US16808235

申请日：2020-03-03

Applicant: Amazon Technologies, Inc.

Inventor： Vishal Shahane ,  Marc Brooker

IPC: G06F9/50 ,  G06F9/455

CPC classification number: G06F9/5016 ,  G06F9/45558 ,  G06F2009/45583

Abstract: Systems and methods are described for reclamation of computing resources in an on-demand code execution system. An on-demand code execution system may execute user-submitted code on virtual machine instances, which may be provisioned with quantities of various computing resources (memory, storage, processor time, etc.). These quantities of computing resources may be unused or underutilized depending on the resource requirements of the user-submitted code, or may become idle once the user-submitted code has completed execution. A resource reclamation system may thus reclaim these underutilized computing resources and reallocate them to other uses. The resource reclamation system may interact with a reclaimable resource identification process that executes within the virtual machine instance, which may identify unused or underused computing resources, claim them, and then allow the resource reclamation system to reallocate them. The resource reclamation system may thus enable reclaiming the computing resources without requiring the virtual machine instance to be reprovisioned.

公开(公告)号：US11604669B2

公开(公告)日：2023-03-14

申请号：US16782873

申请日：2020-02-05

Applicant: Amazon Technologies, Inc.

Inventor： Marc Brooker ,  Mikhail Danilov ,  Osman Surkatty ,  Tao Chen

IPC: G06F9/455 ,  G06F12/0882 ,  G06F12/0891

Abstract: Systems and methods are provided for efficiently configuring an execution environment for an on-demand code execution system to handle a single request (or session) for a single user. Once the session or request is complete, the execution environment is reset, such as by having the hardware processor state, memory, and storage reset. In particular, prior to the execution of code, state of the execution environment of the host computing device is retrieved, such as hardware processor(s), memory, and/or storage state. Moreover, during execution of the code instructions, intermediate state can be gathered. Following the execution of the code, the execution environment is reset based on the saved state related to the hardware processor(s), memory, and/or storage. A subsequent code execution securely occurs in the execution environment and the execution environment is reset again, and so forth.

公开(公告)号：US11593270B1

公开(公告)日：2023-02-28

申请号：US17105233

申请日：2020-11-25

Applicant: Amazon Technologies, Inc.

Inventor： Marc Brooker ,  Philip Daniel Piwonka ,  Nare Hayrapetyan

IPC: G06F11/00 ,  G06F12/0891 ,  G06F16/22 ,  G06F11/10

Abstract: Systems and methods are described for providing rapid access to data objects stored in a cache. Rather than storing data objects directly, each object can be broken into a number of parts via erasure coding, which enables the object to be generated from less than all parts. When servicing a request for the data object, a device can attempt to retrieve all parts, but begin to generate the data object as soon as a sufficient number of parts is retrieved, even if requests for other parts are outstanding. In this way, the data object can be retrieved without delay due to the slowest requests. For example, where one or more requests timeout, such as due to failure of cache devices, this timeout may have no effect on time required to retrieve the data object from the cache.

公开(公告)号：US11546324B1

公开(公告)日：2023-01-03

申请号：US16782774

申请日：2020-02-05

Applicant: Amazon Technologies, Inc.

Inventor： Marc Brooker ,  Osman Surkatty ,  Mikhail Danilov

IPC: H04L9/40 ,  G06F16/23 ,  G06F16/24

Abstract: Systems and methods are provided for scoped credentials within secure execution environments executing within virtual machines instances in an on-demand code execution system. In the on-demand code execution system, the execution environments are reset after every request or session. By resetting the single execution environment after each request or session, security issues are addressed, such as side-channel attacks and persistent malware. Additionally, the use of scoped credentials improves security by limiting the access rights for each code execution request or session to the smallest atomic level for the request or session. Following the request or session, the scoped credential is invalidated.

公开(公告)号：US20240330320A1

公开(公告)日：2024-10-03

申请号：US18193406

申请日：2023-03-30

Applicant: Amazon Technologies, Inc.

Inventor： Marc Brooker ,  Falesh Singh ,  Gourav Roy ,  Steven Michael Hershey ,  Marc Bowes

IPC: G06F16/27 ,  G06F16/23

CPC classification number: G06F16/275 ,  G06F16/2379

Abstract: Synchronous replication for a distributed database system may be performed using an erasure coding scheme. A request that causes a write to a database hosted in a distributed database system is received. A replication message for a synchronous replication technique is generated, then divided and encoded into a number of chunks according to an erasure encoding scheme that allows the replication message to be reassembled with less than the number of chunks. The chunks are sent to another instance of the database which receives and reassembles the replication message from the chunks and responds to acknowledge that the write is committed.

公开(公告)号：US11582025B2

公开(公告)日：2023-02-14

申请号：US17037369

申请日：2020-09-29

Applicant: Amazon Technologies, Inc.

Inventor： Marc Brooker ,  Derek Manwaring ,  Osman Surkatty ,  Mikhail Danilov ,  Peter Martin McDonnell ,  Stefan Schneider

IPC: G06F21/00 ,  H04L29/06 ,  H04L9/06 ,  H04L9/08

Abstract: Systems and methods are described for providing secure storage of data sets while enabling efficient deduplication of data. Each data set can be divided into fixed-length blocks. The plaintext of each block can be convergently encrypted, such as by using a hash of the plaintext as an encryption key, to result in block-level ciphertext that can be stored. If two data sets share blocks, the resulting block-level ciphertext can be expected to overlap, and thus duplicative block-level ciphertexts need not be stored. A manifest can be created to facilitate re-creation of the data set, which manifest identifies the block-level ciphertexts of the data set and a key by which each block-level ciphertext was encrypted. By use of block-level encryption, nearly identical data sets can be largely deduplicated, even if they are not perfectly identical.

公开(公告)号：US09910881B1

公开(公告)日：2018-03-06

申请号：US14105111

申请日：2013-12-12

Applicant: Amazon Technologies, Inc.

Inventor： Marc Brooker ,  Madhuvanesh Parthasarathy ,  Tao Chen ,  Marc Levy

IPC: G06F17/30

CPC classification number: G06F17/30356 ,  H04L41/0859

Abstract: A system may implement maintaining control plane data versions for a network-based service control plane. Various control plane actions may be performed which create new versions of control plane data that may be maintained for the control plane in a database. Some of these actions may be performed by multiple actors creating new versions of the same control plane data. For a particular control plane action, a new version number may be obtained to include in a new version of control plane data, and a conditional write request may be performed to insert the new version of control plane data at the database as part of an optimistic concurrency technique in order to maintain consistency for control plane data.

公开(公告)号：US20240220305A1

公开(公告)日：2024-07-04

申请号：US18412105

申请日：2024-01-12

Applicant: Amazon Technologies, Inc.

Inventor： Niall Mullen ,  Philip Piwonka ,  Timothy Allen Wagner ,  Marc Brooker

IPC: G06F9/455 ,  G06F9/48 ,  G06F9/50

CPC classification number: G06F9/45558 ,  G06F9/455 ,  G06F9/45533 ,  G06F9/48 ,  G06F9/4806 ,  G06F9/4881 ,  G06F9/50 ,  G06F9/5005 ,  G06F9/5027 ,  G06F9/5038 ,  G06F2009/45562 ,  G06F2009/4557 ,  G06F2009/45575 ,  G06F2009/45591 ,  G06F2009/45595

Abstract: Systems and methods are described for providing auxiliary functions in an on-demand code execution system in a manner that enables efficient execution of code. A user may generate a task on the system by submitting code. The system may determine the auxiliary functions that the submitted code may require when executed on the system, and may provide these auxiliary functions by provisioning or configuring sidecar virtualized execution environments that work in conjunction with the main virtualized execution environment executing the submitted code. Sidecar virtualized execution environments may be identified and obtained from a library of preconfigured sidecar virtualized execution environments, or a sidecar agent that provides the auxiliary function may be identified from a library, and then a virtualized execution environment may be provisioned with the agent and/or configured to work in conjunction with the main virtualized execution environment.

公开(公告)号：US11329803B2

公开(公告)日：2022-05-10

申请号：US17037427

申请日：2020-09-29

Applicant: Amazon Technologies, Inc.

Inventor： Marc Brooker ,  Osman Surkatty ,  Derek Manwaring ,  Mikhail Danilov ,  Peter Martin McDonnell ,  Stefan Schneider

IPC: H04L29/06 ,  H04L9/06 ,  H04L9/08

Abstract: Systems and methods are described for providing storage of encrypted data sets, deduplication of such data sets, and control of the redundancy of those data sets. A form of modified convergent encryption can be employed, whereby an encryption key for a data set is selected based on a combination of the plaintext of the data set and a salt value, with the salt value being selected from a number of permutations corresponding to a desired redundancy of the data set in a storage system. Accordingly, a given data set can result in a number of ciphertexts equal to the desired redundancy, and deduplication can occur by removing duplicative instances of individual ciphertexts. Salt values can be selected according to a variety of criteria, including user-based, time-based, and location-based criteria.

公开(公告)号：US20220103338A1

公开(公告)日：2022-03-31

申请号：US17037369

申请日：2020-09-29

Applicant: Amazon Technologies, Inc.

Inventor： Marc Brooker ,  Derek Manwaring ,  Osman Surkatty ,  Mikhail Danilov ,  Peter Martin McDonnell ,  Stefan Schneider

IPC: H04L9/06 ,  H04L9/08

Abstract: Systems and methods are described for providing secure storage of data sets while enabling efficient deduplication of data. Each data set can be divided into fixed-length blocks. The plaintext of each block can be convergently encrypted, such as by using a hash of the plaintext as an encryption key, to result in block-level ciphertext that can be stored. If two data sets share blocks, the resulting block-level ciphertext can be expected to overlap, and thus duplicative block-level ciphertexts need not be stored. A manifest can be created to facilitate re-creation of the data set, which manifest identifies the block-level ciphertexts of the data set and a key by which each block-level ciphertext was encrypted. By use of block-level encryption, nearly identical data sets can be largely deduplicated, even if they are not perfectly identical.