Monitoring execution environments for approved configurations

US 9,600,664 B1
Filed: 09/03/2014
Issued: 03/21/2017
Est. Priority Date: 09/03/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more servers including one or more memories and one or more first processors configured to run an execution environment, wherein at least one of the first processors is configured to load and execute instructions from a first memory of the one or more memories;

one or more second processors configured to run a monitoring environment within a second memory that is a different memory area from the first memory, wherein the monitoring environment is coupled to, but separate from, the execution environment, wherein at least one of the second processors is configured to perform a scan of at least a portion of the first memory associated with the one or more first processors configured to run the execution environment to detect that the execution environment is in an unapproved configuration, wherein the unapproved configuration indicates an anomaly of the execution environment; and

one or more servers including one or more memories and one or more processors configured to run a configuration environment that is coupled to the execution environment and the monitoring environment, wherein at least one of the processors is configured to cause the instructions to be stored in the first memory for execution by the execution environment and wherein the configuration environment is configured to change an access to one or more resources by the execution environment based at least in part on a determination by the monitoring environment that the execution environment is in the unapproved configuration,wherein to change the access by the execution environment comprises one or more of terminating a virtual machine instance, isolating the virtual machine instance in a sandbox, or placing the virtual machine instance into a forensics mode of operation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Functionality is disclosed herein for monitoring an execution environment to determine if the execution environment is in an approved configuration. Memory used by the execution environment may be scanned from outside of the execution environment to determine whether the execution environment is in an unapproved configuration. The scanning may include examining the memory for abnormalities or other irregular or unapproved data. When the execution environment is in the unapproved configuration, actions may be performed that change how the execution environment accesses resources or performing other types of functionality.

17 Citations

View as Search Results

21 Claims

1. A system, comprising:
- one or more servers including one or more memories and one or more first processors configured to run an execution environment, wherein at least one of the first processors is configured to load and execute instructions from a first memory of the one or more memories;
  
  one or more second processors configured to run a monitoring environment within a second memory that is a different memory area from the first memory, wherein the monitoring environment is coupled to, but separate from, the execution environment, wherein at least one of the second processors is configured to perform a scan of at least a portion of the first memory associated with the one or more first processors configured to run the execution environment to detect that the execution environment is in an unapproved configuration, wherein the unapproved configuration indicates an anomaly of the execution environment; and
  
  one or more servers including one or more memories and one or more processors configured to run a configuration environment that is coupled to the execution environment and the monitoring environment, wherein at least one of the processors is configured to cause the instructions to be stored in the first memory for execution by the execution environment and wherein the configuration environment is configured to change an access to one or more resources by the execution environment based at least in part on a determination by the monitoring environment that the execution environment is in the unapproved configuration,wherein to change the access by the execution environment comprises one or more of terminating a virtual machine instance, isolating the virtual machine instance in a sandbox, or placing the virtual machine instance into a forensics mode of operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the execution environment is a first virtual machine instance and wherein the instructions comprise an operating system.
  - 3. The system of claim 1, wherein the execution environment is a first virtual machine and wherein the monitoring environment is a second virtual machine instance configured to read the first memory.
  - 4. The system of claim 1, wherein the scan comprises identifying a portion of the first memory for inspection and determining that the instructions contained in the portion are approved.
  - 5. The system of claim 1, wherein the monitoring environment is configured to intercept from the execution environment a read to an address in the first memory not previously scanned and scan the first memory not previously scanned before it is read by the execution environment.
  - 6. The system of claim 1, wherein the configuration environment is further configured to receive a request from a customer of a service provider network indicating software to run in the execution environment and wherein causing the instructions to be stored in first memory comprises instantiating a virtual machine instance to provide the execution environment.
  - 7. The system of claim 1, wherein the configuration environment is further configured to receive a request from a customer of a service provider network that indicates a configuration associated with the one or more resources.
  - 8. The system of claim 1, wherein changing the access to the one or more resources comprises changing an access to a virtual network and allowing access to the configuration environment.
  - 9. The system of claim 1, wherein the configuration environment is further configured to examine an access policy to determine an approved configuration to access at least one of the one or more resources.
  - 10. The system of claim 1, wherein at least one of the one or more computing devices of the execution environment are further operative to buffer a portion of past network traffic flowing to the execution environment and storing at least a portion of the past network traffic in response to determining that the execution environment is in the unapproved configuration.
  - 11. The system of claim 1, wherein the scanning is performed by at least one of a hypervisor or a second virtual machine instance.

12. A computer-implemented method, comprising:
- running, on one or more servers including one or more memories and one or more first processors, an execution environment, wherein at least one of the first processors is configured to load and execute instructions from a first memory of the one or more memories;
  
  running, on one or more second processors, a monitoring environment within a second memory that is a different memory area from the first memory, wherein the monitoring environment is coupled to, but separate from, the execution environment, wherein at least one of the second processors is configured to perform a scan of at least a portion of the first memory associated with the one or more first processors configured to run the execution environment to detect that the execution environment is in an unapproved configuration, wherein the unapproved configuration indicates an anomaly of the execution environment; and
  
  running, on one or more servers including one or more memories and one or more processors, a configuration environment that is coupled to the execution environment and the monitoring environment, wherein at least one of the processors is configured to cause the instructions to be stored in the first memory for execution by the execution environment and wherein the configuration environment is configured to change an access to one or more resources by the execution environment based at least in part on a determination by the monitoring environment that the execution environment is in the unapproved configuration, wherein to change the access by the execution environment comprises one or more of terminating a virtual machine instance, isolating the virtual machine instance in a sandbox, or placing the virtual machine instance into a forensics mode of operation.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, wherein the execution environment is a first virtual machine instance and wherein the instructions comprise an operating system.
  - 14. The method of claim 12, wherein the execution environment is a first virtual machine and wherein the monitoring environment is a second virtual machine instance configured to read the first memory.
  - 15. The method of claim 12, wherein the scan comprises identifying a portion of the first memory for inspection and determining that the instructions contained in the portion are approved.
  - 16. The method of claim 12, wherein the monitoring environment is configured to intercept from the execution environment a read to an address in the first memory not previously scanned and scan the first memory not previously scanned before it is read by the execution environment.

17. A non-transitory computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by a computer, cause the computer to:
- cause to run, using one or more memories and one or more first processors, an execution environment, wherein at least one of the first processors is configured to load and execute instructions from a first memory of the one or more memories;
  
  cause to run, on one or more second processors, a monitoring environment within a second memory that is a different memory area from the first memory, wherein the monitoring environment is coupled to, but separate from, the execution environment, wherein at least one of the second processors is configured to perform a scan of at least a portion of the first memory associated with the one or more first processors configured to run the execution environment to detect that the execution environment is in an unapproved configuration, wherein the unapproved configuration indicates an anomaly of the execution environment; and
  
  cause to run, on one or more memories and one or more processors, a configuration environment that is coupled to the execution environment and the monitoring environment, wherein at least one of the processors is configured to cause the instructions to be stored in the first memory for execution by the execution environment and wherein the configuration environment is configured to change an access to one or more resources by the execution environment based at least in part on a determination by the monitoring environment that the execution environment is in the unapproved configuration, wherein to change the access by the execution environment comprises one or more of terminating a virtual machine instance, isolating the virtual machine instance in a sandbox, or placing the virtual machine instance into a forensics mode of operation.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The non-transitory computer-readable storage medium of claim 17, wherein the execution environment is a first virtual machine instance and wherein the instructions comprise an operating system.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the execution environment is a first virtual machine and wherein the monitoring environment is a second virtual machine instance configured to read the first memory.
  - 20. The non-transitory computer-readable storage medium of claim 17, wherein the scan comprises identifying a portion of the first memory for inspection and determining that the instructions contained in the portion are approved.
  - 21. The non-transitory computer-readable storage medium of claim 17, wherein the monitoring environment is configured to intercept from the execution environment a read to an address in the first memory not previously scanned and scan the first memory not previously scanned before it is read by the execution environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Bowen, Peter Zachary
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US14/475,940
Time in Patent Office

930 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 2009/45575   Starting, stopping, suspend...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/604   Tools and structures for ma...

G06F 2221/034   Test or assess a computer o...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

Monitoring execution environments for approved configurations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring execution environments for approved configurations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links