Security protocols for low latency execution of program code

US 9,471,775 B1
Filed: 02/04/2015
Issued: 10/18/2016
Est. Priority Date: 02/04/2015
Status: Active Grant

First Claim

Patent Images

1. A system for providing low-latency computational capacity from a virtual compute fleet, the system comprising:

an electronic data store configured to store at least a program code of a user; and

a virtual compute system comprising one or more hardware computing devices executing specific computer-executable instructions, said virtual compute system in communication with the electronic data store, and configured to at least;

maintain a plurality of virtual machine instances on one or more physical computing devices, wherein the plurality of virtual machine instances comprise a warming pool comprising virtual machine instances having one or more software components loaded thereon and waiting to be assigned to a user, and an active pool comprising virtual machine instances currently assigned to one or more users;

receive a request to execute a program code associated with a particular user on the virtual compute system, the request including information indicating the program code and the particular user associated with the program code;

determine, based on the received request, a user-specified security policy specifying one or more security parameters by which the program code is to be executed;

select from the warming pool or the active pool a virtual machine instance to be used to execute the program code;

determine that the virtual machine instance does not contain a configured container that has the program code loaded thereon and configured according to the user-specified security policy;

create a container in the selected virtual machine instance based on the user-specified security policy; and

cause the program code associated with the particular user to be loaded from the electronic data store onto the container and executed in the container according to the user-specified security policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for providing security mechanisms for secure execution of program code is described. The system may be configured to maintain a plurality of virtual machine instances. The system may be further configured to receive a request to execute a program code and allocate computing resources for executing the program code on one of the virtual machine instances. One mechanism involves executing program code according to a user-specified security policy. Another mechanism involves executing program code that may be configured to communicate or interface with an auxiliary service. Another mechanism involves splitting and executing program code in a plurality of portions, where some portions of the program code are executed in association with a first level of trust and some portions of the program code are executed with different levels of trust.

212 Citations

20 Claims

1. A system for providing low-latency computational capacity from a virtual compute fleet, the system comprising:
- an electronic data store configured to store at least a program code of a user; and
  
  a virtual compute system comprising one or more hardware computing devices executing specific computer-executable instructions, said virtual compute system in communication with the electronic data store, and configured to at least;
  
  maintain a plurality of virtual machine instances on one or more physical computing devices, wherein the plurality of virtual machine instances comprise a warming pool comprising virtual machine instances having one or more software components loaded thereon and waiting to be assigned to a user, and an active pool comprising virtual machine instances currently assigned to one or more users;
  
  receive a request to execute a program code associated with a particular user on the virtual compute system, the request including information indicating the program code and the particular user associated with the program code;
  
  determine, based on the received request, a user-specified security policy specifying one or more security parameters by which the program code is to be executed;
  
  select from the warming pool or the active pool a virtual machine instance to be used to execute the program code;
  
  determine that the virtual machine instance does not contain a configured container that has the program code loaded thereon and configured according to the user-specified security policy;
  
  create a container in the selected virtual machine instance based on the user-specified security policy; and
  
  cause the program code associated with the particular user to be loaded from the electronic data store onto the container and executed in the container according to the user-specified security policy.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, wherein the one or more security parameters include one or more of a processing duration limit, a memory limit, a parameter to enable a transmission control protocol (“
    - TCP”
      
      ) socket connection, a parameter to enable an inbound or outbound network connection to the container, a parameter to enable the container to communicate with a virtual private cloud, a parameter to enable the container to communicate with a second container contained on the selected virtual machine instance, a parameter to enable the container to communicate with a second container contained on a second virtual machine instance, and a list of access-restricted functions which the container is permitted to execute in association with the program code.
  - 3. The system of claim 1, wherein the user-specified security policy is based in part on a security policy associated with the particular user.

4. A system, comprising:
- a virtual compute system comprising one or more hardware computing devices executing specific computer-executable instructions and configured to at least;
  
  determine, based on a request to execute a program code on the virtual compute system, a user-specified security policy specifying one or more security parameters by which the program code is to be executed, said program code associated with a particular user;
  
  select, from a plurality of virtual machine instances maintained on one or more physical computing devices, a virtual machine instance to be used for executing the program code;
  
  determine that the selected virtual machine instance does not contain a configured container that has the program code loaded thereon and configured according to the one or more security parameters;
  
  create a container configured according to the one or more security parameters in the selected virtual machine instance and cause the program code associated with the particular user to be loaded from an electronic data store onto the container; and
  
  cause the program code associated with the particular user to be executed in the container based at least in part on the user-specified security policy.
- View Dependent Claims (5, 6, 7, 8, 9, 10)
- - 5. The system of claim 4, wherein the one or more security parameters include one or more of a processing duration limit, a memory limit, a parameter to enable a transmission control protocol (“
    - TCP”
      
      ) socket connection, a parameter to enable an inbound or an outbound network connection to the container, a parameter to enable the container to communicate with an auxiliary service, a parameter to enable the container to communicate with a second container contained on the selected virtual machine instance, a parameter to enable the container to communicate with a second container contained on a second virtual machine instance, and a list of access-restricted functions which the container is permitted to execute in association with the program code.
  - 6. The system of claim 4, wherein the security policy further specifies an amount of computing resources to be allocated for executing the program code on the virtual compute system, and wherein creating the container on the virtual machine instance at least comprises allocating the indicated amount of computing resources from computing resources available on the virtual machine instance.
  - 7. The system of claim 4, wherein the security policy further comprises configuration data indicating at least a first portion of the program code to be executed using a trusted credential and a second portion of the program code to be executed without using the trusted credential.
  - 8. The system of claim 4, wherein the user-specified security policy is based in part on a security policy associated with the particular user.
  - 9. The system of claim 4, wherein the virtual compute system is further configured to:
    - maintain an active pool of virtual machine instances currently assigned to one or more users, wherein each virtual machine instance in the active pool has one or more software components loaded thereon; and
      
      select the virtual machine instance from the active pool, wherein the virtual machine instance is configured according to the user-specified security policy.
  - 10. The system of claim 4, wherein the virtual compute system is further configured to:
    - in response to receiving a subsequent request to execute the program code on the virtual compute system, determine that the virtual machine instance contains the container that has the program code loaded thereon and configured according to the one or more security parameters; and
      
      select the container for use to execute the program code.

11. A computer-implemented method comprising:
- as implemented by one or more computing devices configured with specific executable instructions,determining, based on a request to execute a program code on the virtual compute system, a user-specified security policy specifying one or more security parameters by which the program code is to be executed, said program code associated with a particular user;
  
  selecting, from a plurality of virtual machine instances maintained on one or more physical computing devices, a virtual machine instance to be used for executing the program code;
  
  determining that the selected virtual machine instance does not contain a configured container that has the program code loaded thereon and configured according to the one or more security parameters;
  
  creating a container configured according to the one or more security parameters in the selected virtual machine instance causing the program code associated with the particular user to be loaded from an electronic data store onto the container; and
  
  causing the program code associated with the particular user to be executed in the container based at least in part on the user-specified security policy.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer-implemented method of claim 11, wherein the one or more security parameters include one or more of a processing duration limit, a memory limit, a parameter to enable a transmission control protocol (“
    - TCP”
      
      ) socket connection, a parameter to enable an inbound or an outbound network connection to the container, a parameter to enable the container to communicate with an auxiliary service, a parameter to enable the container to communicate with a second container contained on the selected virtual machine instance, a parameter to enable the container to communicate with a second container contained on a second virtual machine instance, and a list of access-restricted functions which the container is permitted to execute in association with the program code.
  - 13. The computer-implemented method of claim 11, wherein the security policy further specifies an amount of computing resources to be allocated for executing the program code on the virtual compute system, and wherein creating the container on the virtual machine instance at least comprises allocating the indicated amount of computing resources from computing resources available on the virtual machine instance.
  - 14. The computer-implemented method of claim 11, wherein the security policy further comprises configuration data indicating at least a first portion of the program code to be executed using a trusted credential and a second portion of the program code to be executed without using the trusted credential.
  - 15. The computer-implemented method of claim 11, further comprising:
    - in response to receiving a subsequent request to execute the program code on the virtual compute system, determining that the virtual machine instance contains the container that has the program code loaded thereon and configured according to the one or more security parameters; and
      
      selecting the container for use to execute the program code.

16. A computer-readable, non-transitory storage medium storing computer executable instructions that, when executed by one or more computing devices, configure the one or more computing devices to:
- determine, based on a request to execute a program code on the virtual compute system, a user-specified security policy specifying one or more security parameters by which the program code is to be executed, said program code associated with a particular user;
  
  select, from a plurality of virtual machine instances maintained on one or more physical computing devices, a virtual machine instance to be used for executing the program code;
  
  determine that the selected virtual machine instance does not contain a configured container that has the program code loaded thereon and configured according to the one or more security parameters;
  
  create a container configured according to the one or more security parameters in the selected virtual machine instance; and
  
  cause the program code associated with the particular user to be loaded from an electronic data store onto the container and executed in the container based at least in part on the user-specified security policy.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-readable, non-transitory storage medium of claim 16, wherein the one or more security parameters include one or more of a processing duration limit, a memory limit, a parameter to enable a transmission control protocol (“
    - TCP”
      
      ) socket connection, a parameter to enable an inbound or an outbound network connection to the container, a parameter to enable the container to communicate with an auxiliary service, a parameter to enable the container to communicate with a second container contained on the selected virtual machine instance, a parameter to enable the container to communicate with a second container contained on a second virtual machine instance, and a list of access-restricted functions which the container is permitted to execute in association with the program code.
  - 18. The computer-readable, non-transitory storage medium of claim 16, wherein the security policy further specifies an amount of computing resources to be allocated for executing the program code on the virtual compute system, and wherein creating the container on the virtual machine instance at least comprises allocating the indicated amount of computing resources from computing resources available on the virtual machine instance.
  - 19. The computer-readable, non-transitory storage medium of claim 16, wherein the security policy further comprises configuration data indicating at least a first portion of the program code to be executed using a trusted credential and a second portion of the program code to be executed without using the trusted credential.
  - 20. The computer-readable, non-transitory storage medium of claim 19, wherein the operations further comprise:
    - maintaining an active pool of virtual machine instances currently assigned to one or more users, wherein each virtual machine instance in the active pool has one or more software components loaded thereon; and
      
      selecting the virtual machine instance from the active pool, wherein the virtual machine instance is configured according to the user-specified security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Wagner, Timothy Allen, Thomas, Dylan Chandler, Nair, Ajay
Primary Examiner(s)
Song, Hosuk

Application Number

US14/613,688
Time in Patent Office

622 Days
Field of Search

726/1, 726/14, 726/15, 726/22, 726 27- 30, 713/193
US Class Current

1/1
CPC Class Codes

G06F 2009/4557   Distribution of virtual mac...

G06F 21/53   by executing in a restricte...

G06F 2221/033   Test or assess software

G06F 2221/2149   Restricted operating enviro...

G06F 9/445   Program loading or initiati...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Security protocols for low latency execution of program code

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

212 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Security protocols for low latency execution of program code

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

212 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links