Remote attestation of host devices

    Publication number: US10810015B2

    Publication date: 2020-10-20

    Application number: US16289384

    Filing date: 2019-02-28

    Abstract: Approaches are described for enabling a host computing device to store credentials and other security information useful for recovering the state of the host computing device in a secure store, such as a trusted platform module (TPM) on the host computing device. When recovering the host computing device in the event of a failure (e.g., power outage, network failure, etc.), the host computing device can obtain the necessary credentials from the secure store and use those credentials to boot various services, restore the state of the host and perform various other functions. In addition, the secure store (e.g., TPM) may provide boot firmware measurement and remote attestation of the host computing device to other devices on a network, such as when the recovering host needs to communicate with the other devices on the network.

    Updating encrypted cryptographic key

    Publication number: US10154013B1

    Publication date: 2018-12-11

    Application number: US15610509

    Filing date: 2017-05-31

    IPC classification: G06F21/00 H04L29/06 G06F12/14

    Abstract: A computing device has a processor and a first memory, e.g., a fuse-based memory, storing a first cryptographic key. The processor is configured to receive information related to a second cryptographic key from a cryptographic key provisioning system. The processor derives the second cryptographic key from the information related to the second cryptographic key. The first cryptographic key has fewer bits than the second cryptographic key. The processor is also configured to encrypt the second cryptographic key using the first cryptographic key, and to store the encrypted second cryptographic key in a second memory, e.g., a flash memory.

    Approaches for restricting access to data
    7. Granted patent (in force)

    Publication number: US09514324B1

    Publication date: 2016-12-06

    Application number: US14311027

    Filing date: 2014-06-20

    IPC classification: G06F21/62 H04L29/06

    Abstract: A computer-implemented method includes restricting access to customer data to certain geographic regions authorized by the customer. The restriction can be managed by associating policy information with the customer data that identifies the geographic regions authorized by the customer. Resources attempting to access the customer data can evaluate the policy information associated with the customer data with respect to the geographic location in which the resource is located to determine whether the resource is permitted to access the customer data. The restriction can also be managed by encrypting the customer data with a cryptographic key that corresponds to the customer and/or the authorized geographic regions.

    Threat detection and mitigation through run-time introspection and instrumentation
    8. Granted patent (in force)

    Publication number: US09438618B1

    Publication date: 2016-09-06

    Application number: US14673642

    Filing date: 2015-03-30

    IPC classification: G06F7/04 H04L29/06

    Abstract: A system and method for threat detection and mitigation through run-time introspection. The system and method comprise receiving a request to monitor a computing environment; based on the received request, determining a set of introspection points for monitoring the computing environment; measuring at individual introspection points of the set of introspection points to obtain a set of measurements; generating a graph of a set of resources in the computing environment, wherein the graph correlates individual resources in the set of resources to other resources based at least in part on the set of measurements; and determining whether to perform a security action based at least in part on whether an evaluation of the graph indicates a threat to the computing environment.

    Privileged cryptographic services in a virtualized environment
    9. Granted patent (in force)

    Publication number: US09037854B2

    Publication date: 2015-05-19

    Application number: US13746924

    Filing date: 2013-01-22

    IPC classification: G06F21/00 G06F21/72

    Abstract: A privileged cryptographic service is described, such as a service running in system management mode (SMM). The privileged service is operable to store and manage cryptographic keys and/or other security resources in a multitenant remote program execution environment. The privileged service can receive requests to use the cryptographic keys and issue responses to these requests. In addition, the privileged service can measure the hypervisor at runtime (e.g., either periodically or in response to the requests) in an attempt to detect evidence of tampering with the hypervisor. Because the privileged service operates in system management mode, which is more privileged than the hypervisor, the privileged service can be robust against virtual machine escape and other hypervisor attacks.

    CRYPTOGRAPHICALLY ATTESTED RESOURCES FOR HOSTING VIRTUAL MACHINES
    10. Published patent application (in force)

    Publication number: US20150007175A1

    Publication date: 2015-01-01

    Application number: US13932828

    Filing date: 2013-07-01

    IPC classification: G06F9/455

    Abstract: Approaches to enable the configuration of computing resources for executing virtual machines on behalf of users to be cryptographically attested to or verified. When a user requests a virtual machine to be provisioned, an operator of the virtualized computing environment can initiate a two-phase launch of the virtual machine. In the first phase, the operator provisions the virtual machine on a host computing device and obtains cryptographic measurements of the software and/or hardware resources on the host computing device. The operator may then provide those cryptographic measurements to the user that requested the virtual machine. If the user approves the cryptographic measurements, the operator may proceed with the second phase and actually launch the virtual machine on the host. In some cases, the operator may compare the cryptographic measurements to a list of approved measurements to determine whether the host computing device is acceptable for hosting the virtual machine.