Monitoring execution environments for approved configurations
Abstract
Functionality is disclosed herein for monitoring an execution environment to determine if the execution environment is in an approved configuration. Memory used by the execution environment may be scanned from outside of the execution environment to determine whether the execution environment is in an unapproved configuration. The scanning may include examining the memory for abnormalities or other irregular or unapproved data. When the execution environment is in the unapproved configuration, actions may be performed that change how the execution environment accesses resources or that perform other types of functionality.
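The flow the abstract describes, as an added sketch that is not code from the patent or its assignee: a monitor compares digests of memory regions read from outside the execution environment with an approved baseline, and the findings are mapped to the responses named in the claims. The region names, the sample bytes, the use of SHA-256 digests and the anomaly-to-response policy are all assumptions made for illustration.

```python
import hashlib
from enum import Enum


class Action(Enum):
    # The three responses listed in the claims.
    TERMINATE = "terminate instance"
    SANDBOX = "isolate instance in sandbox"
    FORENSICS = "place instance in forensics mode"


# Hypothetical policy (not from the patent): which response each anomaly triggers.
POLICY = {
    "modified": Action.FORENSICS,
    "unexpected": Action.SANDBOX,
    "missing": Action.TERMINATE,
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(snapshot: dict, approved: dict) -> list:
    """Compare a memory snapshot taken from outside the execution environment
    with approved digests. Only regions expected to stay constant at run time
    (for example loaded code) can be checked this way."""
    findings = []
    for region, expected in approved.items():
        if region not in snapshot:
            findings.append((region, "missing"))
        elif digest(snapshot[region]) != expected:
            findings.append((region, "modified"))
    for region in snapshot.keys() - approved.keys():
        findings.append((region, "unexpected"))
    return sorted(findings)


def respond(findings: list) -> set:
    """Configuration-environment side: map findings to access changes."""
    return {POLICY[kind] for _, kind in findings}


# Constructed sample data: the instructions the configuration environment stored.
LOADED = {"kernel_text": b"\x55\x48\x89\xe5" * 64, "app_text": b"\x90" * 128}
APPROVED = {name: digest(data) for name, data in LOADED.items()}

# Constructed snapshot: one region altered, one region nobody approved.
TAMPERED = dict(LOADED, app_text=b"\x90" * 127 + b"\xcc", injected=b"\x41" * 32)

if __name__ == "__main__":
    print(scan(LOADED, APPROVED), respond(scan(LOADED, APPROVED)))
    print(scan(TAMPERED, APPROVED), respond(scan(TAMPERED, APPROVED)))
```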
21 Claims
1. A system, comprising:
- one or more servers including one or more memories and one or more first processors configured to run an execution environment, wherein at least one of the first processors is configured to load and execute instructions from a first memory of the one or more memories;
- one or more second processors configured to run a monitoring environment within a second memory that is a different memory area from the first memory, wherein the monitoring environment is coupled to, but separate from, the execution environment, wherein at least one of the second processors is configured to perform a scan of at least a portion of the first memory associated with the one or more first processors configured to run the execution environment to detect that the execution environment is in an unapproved configuration, wherein the unapproved configuration indicates an anomaly of the execution environment; and
- one or more servers including one or more memories and one or more processors configured to run a configuration environment that is coupled to the execution environment and the monitoring environment, wherein at least one of the processors is configured to cause the instructions to be stored in the first memory for execution by the execution environment and wherein the configuration environment is configured to change an access to one or more resources by the execution environment based at least in part on a determination by the monitoring environment that the execution environment is in the unapproved configuration, wherein to change the access by the execution environment comprises one or more of terminating a virtual machine instance, isolating the virtual machine instance in a sandbox, or placing the virtual machine instance into a forensics mode of operation.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A computer-implemented method, comprising:
- running, on one or more servers including one or more memories and one or more first processors, an execution environment, wherein at least one of the first processors is configured to load and execute instructions from a first memory of the one or more memories;
- running, on one or more second processors, a monitoring environment within a second memory that is a different memory area from the first memory, wherein the monitoring environment is coupled to, but separate from, the execution environment, wherein at least one of the second processors is configured to perform a scan of at least a portion of the first memory associated with the one or more first processors configured to run the execution environment to detect that the execution environment is in an unapproved configuration, wherein the unapproved configuration indicates an anomaly of the execution environment; and
- running, on one or more servers including one or more memories and one or more processors, a configuration environment that is coupled to the execution environment and the monitoring environment, wherein at least one of the processors is configured to cause the instructions to be stored in the first memory for execution by the execution environment and wherein the configuration environment is configured to change an access to one or more resources by the execution environment based at least in part on a determination by the monitoring environment that the execution environment is in the unapproved configuration, wherein to change the access by the execution environment comprises one or more of terminating a virtual machine instance, isolating the virtual machine instance in a sandbox, or placing the virtual machine instance into a forensics mode of operation.
Dependent claims: 13, 14, 15, 16
17. A non-transitory computer-readable storage medium having computer-executable instructions stored thereupon which, when executed by a computer, cause the computer to:
- cause to run, using one or more memories and one or more first processors, an execution environment, wherein at least one of the first processors is configured to load and execute instructions from a first memory of the one or more memories;
- cause to run, on one or more second processors, a monitoring environment within a second memory that is a different memory area from the first memory, wherein the monitoring environment is coupled to, but separate from, the execution environment, wherein at least one of the second processors is configured to perform a scan of at least a portion of the first memory associated with the one or more first processors configured to run the execution environment to detect that the execution environment is in an unapproved configuration, wherein the unapproved configuration indicates an anomaly of the execution environment; and
- cause to run, on one or more memories and one or more processors, a configuration environment that is coupled to the execution environment and the monitoring environment, wherein at least one of the processors is configured to cause the instructions to be stored in the first memory for execution by the execution environment and wherein the configuration environment is configured to change an access to one or more resources by the execution environment based at least in part on a determination by the monitoring environment that the execution environment is in the unapproved configuration, wherein to change the access by the execution environment comprises one or more of terminating a virtual machine instance, isolating the virtual machine instance in a sandbox, or placing the virtual machine instance into a forensics mode of operation.
Dependent claims: 18, 19, 20, 21
Specification