Security protocols for low latency execution of program code
First Claim
1. A system for providing low-latency computational capacity from a virtual compute fleet, the system comprising:
- an electronic data store configured to store at least a program code of a user; and
- a virtual compute system comprising one or more hardware computing devices executing specific computer-executable instructions, said virtual compute system in communication with the electronic data store, and configured to at least:
  - maintain a plurality of virtual machine instances on one or more physical computing devices, wherein the plurality of virtual machine instances comprise a warming pool comprising virtual machine instances having one or more software components loaded thereon and waiting to be assigned to a user, and an active pool comprising virtual machine instances currently assigned to one or more users;
  - receive a request to execute a program code associated with a particular user on the virtual compute system, the request including information indicating the program code and the particular user associated with the program code;
  - determine, based on the received request, a user-specified security policy specifying one or more security parameters by which the program code is to be executed;
  - select from the warming pool or the active pool a virtual machine instance to be used to execute the program code;
  - determine that the virtual machine instance does not contain a configured container that has the program code loaded thereon and configured according to the user-specified security policy;
  - create a container in the selected virtual machine instance based on the user-specified security policy; and
  - cause the program code associated with the particular user to be loaded from the electronic data store onto the container and executed in the container according to the user-specified security policy.
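The claim above describes a request-handling procedure: pick an instance from the warming or active pool, look for a container that already holds this code and is configured under this exact policy, and otherwise create one before loading and executing the code. The following is an added example in Python, not code from the patent or its assignee, that models that flow in memory. The class names (`SecurityPolicy`, `VirtualMachineInstance`, `VirtualComputeSystem`), the policy fields, the owner check on the data store, the `_execute` stand-in and the sample data are all assumptions made for illustration. It goes slightly beyond the claim text by showing two defender-relevant consequences of the "configured according to the user-specified security policy" test: a container prepared under a different policy is never reused, and code whose resource needs exceed its policy is refused at execution time.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SecurityPolicy:
    """User-specified security parameters a container is configured with (assumed fields)."""
    network_egress: bool                    # may the code open outbound connections?
    max_memory_mb: int                      # memory cap applied to the container
    readable_stores: Tuple[str, ...] = ()   # data stores the code may read


@dataclass
class Container:
    code_id: str
    policy: SecurityPolicy
    loaded_code: Optional[dict] = None      # program code loaded from the data store


@dataclass
class VirtualMachineInstance:
    instance_id: str
    assigned_user: Optional[str] = None     # None while the instance sits in the warming pool
    containers: List[Container] = field(default_factory=list)

    def find_container(self, code_id: str, policy: SecurityPolicy) -> Optional[Container]:
        # Reuse requires the same code AND an identical policy; a container built under
        # a different (for example more permissive) policy is never handed to this request.
        for c in self.containers:
            if c.code_id == code_id and c.policy == policy:
                return c
        return None


class VirtualComputeSystem:
    def __init__(self, data_store: Dict[str, dict], warm_count: int):
        self.data_store = data_store        # code_id -> program code record (constructed)
        self.warming_pool = [VirtualMachineInstance(f"vm-{i}") for i in range(warm_count)]
        self.active_pool: List[VirtualMachineInstance] = []

    def _select_instance(self, user: str) -> VirtualMachineInstance:
        # Prefer an active-pool instance already assigned to this user; instances assigned
        # to other users are never shared. Otherwise take one from the warming pool.
        for vm in self.active_pool:
            if vm.assigned_user == user:
                return vm
        if not self.warming_pool:
            raise RuntimeError("no warm capacity available")
        vm = self.warming_pool.pop(0)
        vm.assigned_user = user
        self.active_pool.append(vm)
        return vm

    def handle_request(self, user: str, code_id: str, policy: SecurityPolicy) -> dict:
        code = self.data_store.get(code_id)
        if code is None or code["owner"] != user:
            # The request names both the code and the user; refuse unless they agree (assumed check).
            raise PermissionError(f"{user} may not execute {code_id}")
        vm = self._select_instance(user)
        container = vm.find_container(code_id, policy)
        created = container is None
        if created:
            container = Container(code_id, policy, loaded_code=code)
            vm.containers.append(container)
        return {
            "instance": vm.instance_id,
            "container_created": created,
            "containers_on_instance": len(vm.containers),
            "result": self._execute(container),
        }

    @staticmethod
    def _execute(container: Container) -> str:
        # Stand-in for running the code: the container's policy gates the resources it asks for.
        code = container.loaded_code
        if code["needs_network"] and not container.policy.network_egress:
            return "denied: network egress not permitted by policy"
        if code["reads_store"] not in container.policy.readable_stores:
            return f"denied: store {code['reads_store']} not readable under policy"
        return f"ok: ran {container.code_id} within {container.policy.max_memory_mb} MB"


# Constructed sample data store: code_id -> program code record with its owner and needs.
DATA_STORE = {
    "fn-report": {"owner": "alice", "needs_network": False, "reads_store": "s3://alice-data"},
    "fn-fetch": {"owner": "alice", "needs_network": True, "reads_store": "s3://alice-data"},
    "fn-nightly": {"owner": "bob", "needs_network": False, "reads_store": "s3://bob-data"},
}

STRICT = SecurityPolicy(network_egress=False, max_memory_mb=128, readable_stores=("s3://alice-data",))
OPEN = SecurityPolicy(network_egress=True, max_memory_mb=256, readable_stores=("s3://alice-data",))


def demo():
    system = VirtualComputeSystem(DATA_STORE, warm_count=2)
    first = system.handle_request("alice", "fn-report", STRICT)    # new container on a warm instance
    second = system.handle_request("alice", "fn-report", STRICT)   # same code, same policy: reused
    third = system.handle_request("alice", "fn-report", OPEN)      # same code, other policy: new container
    fourth = system.handle_request("alice", "fn-fetch", STRICT)    # loads, but network use is refused
    return first, second, third, fourth


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The policy comparison is deliberately an equality on the whole frozen dataclass rather than a check on individual fields: any difference in parameters, not only a stricter one, forces a fresh container, which is the simplest way to guarantee that a container's configuration always matches the policy of the request running in it.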
Abstract
A system for providing security mechanisms for secure execution of program code is described. The system may be configured to maintain a plurality of virtual machine instances. The system may be further configured to receive a request to execute a program code and allocate computing resources for executing the program code on one of the virtual machine instances. One mechanism involves executing program code according to a user-specified security policy. Another mechanism involves executing program code that may be configured to communicate or interface with an auxiliary service. Another mechanism involves splitting and executing program code in a plurality of portions, where some portions of the program code are executed in association with a first level of trust and some portions of the program code are executed with different levels of trust.
20 Claims
1. A system for providing low-latency computational capacity from a virtual compute fleet, the system comprising: (full text given above under First Claim). - View Dependent Claims (2, 3)
4. A system, comprising:
- a virtual compute system comprising one or more hardware computing devices executing specific computer-executable instructions and configured to at least:
  - determine, based on a request to execute a program code on the virtual compute system, a user-specified security policy specifying one or more security parameters by which the program code is to be executed, said program code associated with a particular user;
  - select, from a plurality of virtual machine instances maintained on one or more physical computing devices, a virtual machine instance to be used for executing the program code;
  - determine that the selected virtual machine instance does not contain a configured container that has the program code loaded thereon and configured according to the one or more security parameters;
  - create a container configured according to the one or more security parameters in the selected virtual machine instance and cause the program code associated with the particular user to be loaded from an electronic data store onto the container; and
  - cause the program code associated with the particular user to be executed in the container based at least in part on the user-specified security policy.
- View Dependent Claims (5, 6, 7, 8, 9, 10)
11. A computer-implemented method comprising:
- as implemented by one or more computing devices configured with specific executable instructions,
  - determining, based on a request to execute a program code on the virtual compute system, a user-specified security policy specifying one or more security parameters by which the program code is to be executed, said program code associated with a particular user;
  - selecting, from a plurality of virtual machine instances maintained on one or more physical computing devices, a virtual machine instance to be used for executing the program code;
  - determining that the selected virtual machine instance does not contain a configured container that has the program code loaded thereon and configured according to the one or more security parameters;
  - creating a container configured according to the one or more security parameters in the selected virtual machine instance and causing the program code associated with the particular user to be loaded from an electronic data store onto the container; and
  - causing the program code associated with the particular user to be executed in the container based at least in part on the user-specified security policy.
- View Dependent Claims (12, 13, 14, 15)
16. A computer-readable, non-transitory storage medium storing computer-executable instructions that, when executed by one or more computing devices, configure the one or more computing devices to:
- determine, based on a request to execute a program code on the virtual compute system, a user-specified security policy specifying one or more security parameters by which the program code is to be executed, said program code associated with a particular user;
- select, from a plurality of virtual machine instances maintained on one or more physical computing devices, a virtual machine instance to be used for executing the program code;
- determine that the selected virtual machine instance does not contain a configured container that has the program code loaded thereon and configured according to the one or more security parameters;
- create a container configured according to the one or more security parameters in the selected virtual machine instance; and
- cause the program code associated with the particular user to be loaded from an electronic data store onto the container and executed in the container based at least in part on the user-specified security policy.
- View Dependent Claims (17, 18, 19, 20)
Specification