Security protocols for low latency execution of program code
First Claim
1. A system for providing low-latency computational capacity from a virtual compute fleet, the system comprising:
- an electronic data store configured to store at least a program code of a user; and
a virtual compute system comprising a plurality of virtual machine instances usable to execute one or more program codes thereon on a per-request basis, the virtual compute system comprising one or more hardware computing devices configured to execute specific computer-executable instructions, the virtual compute system in communication with the electronic data store and configured to at least;
maintain a first subset of the plurality of virtual machine instances in a warming pool comprising virtual machine instances to be assigned to a user and having one or more software components loaded thereon and a second subset of the plurality of virtual machine instances in an active pool comprising virtual machine instances assigned to one or more users;
receive a request to execute a program code associated with a user on the virtual compute system, the request including information usable to identify the program code and the user associated with the program code, wherein the program code is associated with configuration data indicating at least a first portion of the program code to be executed with a trusted credential and a second portion of the program code to be executed without the trusted credential;
select from the warming pool or the active pool a virtual machine instance to be used to execute the program code;
create a first container in the selected virtual machine instance to execute the first portion of the program code with the trusted credential;
create a second container in the selected virtual machine instance to execute the second portion of the program code without the trusted credential such that both of the first container and the second container are created in the selected virtual machine instance, wherein the second container is configured to communicate with the first container;
cause the first portion of the program code associated with the user to be loaded from the electronic data store onto the first container in the selected virtual machine instance and executed in the first container with the trusted credential; and
cause the second portion of the program code associated with the user to be loaded from the electronic data store onto the second container in the selected virtual machine instance and executed in the second container without the trusted credential.
1 Assignment
0 Petitions
Accused Products
Abstract
A system for providing security mechanisms for secure execution of program code is described. The system may be configured to maintain a plurality of virtual machine instances. The system may be further configured to receive a request to execute a program code and allocate computing resources for executing the program code on one of the virtual machine instances. One mechanism involves executing program code according to a user-specified security policy. Another mechanism involves executing program code that may be configured to communicate or interface with an auxiliary service. Another mechanism involves splitting and executing program code in a plurality of portions, where some portions of the program code are executed in association with a first level of trust and some portions of the program code are executed with different levels of trust.
-
Citations
23 Claims
-
1. A system for providing low-latency computational capacity from a virtual compute fleet, the system comprising:
-
an electronic data store configured to store at least a program code of a user; and a virtual compute system comprising a plurality of virtual machine instances usable to execute one or more program codes thereon on a per-request basis, the virtual compute system comprising one or more hardware computing devices configured to execute specific computer-executable instructions, the virtual compute system in communication with the electronic data store and configured to at least; maintain a first subset of the plurality of virtual machine instances in a warming pool comprising virtual machine instances to be assigned to a user and having one or more software components loaded thereon and a second subset of the plurality of virtual machine instances in an active pool comprising virtual machine instances assigned to one or more users; receive a request to execute a program code associated with a user on the virtual compute system, the request including information usable to identify the program code and the user associated with the program code, wherein the program code is associated with configuration data indicating at least a first portion of the program code to be executed with a trusted credential and a second portion of the program code to be executed without the trusted credential; select from the warming pool or the active pool a virtual machine instance to be used to execute the program code; create a first container in the selected virtual machine instance to execute the first portion of the program code with the trusted credential; create a second container in the selected virtual machine instance to execute the second portion of the program code without the trusted credential such that both of the first container and the second container are created in the selected virtual machine instance, wherein the second container is configured to communicate with the first container; cause the first portion of the program code associated with the user to be loaded from the electronic data store onto the first container in the selected virtual machine instance and executed in the first container with the trusted credential; and cause the second portion of the program code associated with the user to be loaded from the electronic data store onto the second container in the selected virtual machine instance and executed in the second container without the trusted credential. - View Dependent Claims (2, 3)
-
-
4. A computer-implemented method comprising:
as implemented by one or more computing devices configured with specific executable instructions, receiving a request to execute a program code on a virtual compute system configured to execute program codes on a per-request basis, the request including information usable to identify the program code, wherein the virtual compute system comprising a plurality of virtual machine instances usable to execute one or more program codes thereon; determining, based on the received request, a first portion of the program code to be executed at a first level of trust and a second portion of the program code to be executed at a second level of trust different from the first level of trust; selecting, from the plurality of virtual machine instances maintained on the virtual compute system, a virtual machine instance to be used to execute the program code; creating a first container in the selected virtual machine instance to execute the first portion of the program code at the first level of trust; creating a second container in the selected virtual machine instance to execute the second portion of the program code in response to a request from the first container at the second level of trust such that both of the first container and the second container are created in the selected virtual machine instance; configuring the first container to communicate with the second container to execute the second portion of the program code at the second level of trust; causing the first portion of the program code to be loaded and executed in the first container in the selected virtual machine instance at the first level of trust; and causing the second portion of the program code to be loaded and executed in the second container in the selected virtual machine instance in response to the request from the first container at the second level of trust. - View Dependent Claims (5, 6, 7, 8)
-
9. Non-transitory physical computer storage storing computer executable instructions that, when executed by one or more computing devices, configure the one or more computing devices to:
-
receive a request to execute a program code on a virtual compute system configured to execute program codes on a per-request basis, the request including information usable to identify the program code, wherein the virtual compute system comprising a plurality of virtual machine instances usable to execute one or more program codes thereon; determine, based on the received request, a first portion of the program code to be executed with a trusted credential, wherein the first portion of the program code is configured to invoke a second portion of the program code to be executed without the trusted credential; select, from the plurality of virtual machine instances maintained on the virtual compute system, a virtual machine instance to be used to execute the program code; create a first container in the selected virtual machine instance to execute the first portion of the program code with the trusted credential; create a second container in the selected virtual machine instance to execute the second portion of the program code in response to a request from the first container without the trusted credential such that both of the first container and the second container are created in the selected virtual machine instance; configure the first container to communicate with the second container to execute the second portion of the program code without the trusted credential; cause the first portion of the program code to be loaded and executed in the first container in the selected virtual machine instance with the trusted credential; and cause the second portion of the program code to be loaded and executed in the second container in the selected virtual machine instance in response to the request from the first container without the trusted credential. - View Dependent Claims (10, 11, 12, 13)
-
-
14. A system, comprising:
a virtual compute system comprising a plurality of virtual machine instances usable to execute one or more program codes thereon on a per-request basis, the virtual compute system comprising one or more hardware computing devices configured to execute specific computer-executable instructions and configured to at least; receive a request to execute a program code on the virtual compute system, the request including information usable to identify the program code; determine, based on the received request, a first portion of the program code to be executed at a first level of trust and a second portion of the program code to be executed at a second level of trust different from the first level of trust; select, from the plurality of virtual machine instances maintained on the virtual compute system, a virtual machine instance to be used to execute the program code; create a first container in the selected virtual machine instance to execute the first portion of the program code at the first level of trust; create a second container in the selected virtual machine instance to execute the second portion of the program code in response to a request from the first container at the second level of trust such that both of the first container and the second container are created in the selected virtual machine instance; configure the first container to communicate with the second container to execute the second portion of the program code at the second level of trust; cause the first portion of the program code to be loaded and executed in the first container in the selected virtual machine instance at the first level of trust; and cause the second portion of the program code to be loaded and executed in the second container in the selected virtual machine instance in response to the request from the first container at the second level of trust. - View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
Specification