Security protocols for low latency execution of program code

US 9,733,967 B2
Filed: 02/04/2015
Issued: 08/15/2017
Est. Priority Date: 02/04/2015
Status: Active Grant

First Claim

Patent Images

1. A system for providing low-latency computational capacity from a virtual compute fleet, the system comprising:

an electronic data store configured to store at least a program code of a user; and

a virtual compute system comprising one or more hardware computing devices configured to execute specific computer-executable instructions, the virtual compute system in communication with the electronic data store and configured to at least;

maintain a plurality of virtual machine instances on one or more physical computing devices, wherein the plurality of virtual machine instances comprises a warming pool comprising virtual machine instances to be assigned to a user and having one or more software components loaded thereon and an active pool comprising virtual machine instances currently assigned to one or more users;

receive a request to execute a program code associated with a first user on the virtual compute system, the request indicating the program code associated with the first user, one or more trusted credentials usable to interface with a logging service associated with the first user, and a network address associated with the logging service;

determine whether the active pool contains a preconfigured virtual machine instance that is assigned to the first user and configured to interface with the logging service;

in response to determining that the active pool contains a preconfigured virtual machine instance that is assigned to the first user and configured to interface with the logging service, select the preconfigured virtual machine instance to be used to execute the program code;

in response to determining that the active pool does not contain a preconfigured virtual machine instance that is assigned to the first user and configured to interface with the logging service;

select an available virtual machine instance from the warming pool to be used for executing the program code; and

configure the available virtual machine instance to enable the program code to interface with the logging service during execution of the program code;

acquire a container in the selected virtual machine instance and assign the container to process the request to execute the program code on the virtual compute system; and

cause the program code associated with the first user to be loaded from the electronic data store onto the container and executed in the container, wherein the virtual compute system is configured to cause, during the execution of the program code in the container, the program code to establish a network connection to the logging service associated with the first user using the one or more trusted credentials and the network address indicated by the request and provide data relating to the execution of the program code on the selected virtual machine instance to the logging service over the network connection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for providing security mechanisms for secure execution of program code is described. The system may be configured to maintain a plurality of virtual machine instances. The system may be further configured to receive a request to execute a program code and allocate computing resources for executing the program code on one of the virtual machine instances. One mechanism involves executing program code according to a user-specified security policy. Another mechanism involves executing program code that may be configured to communicate or interface with an auxiliary service. Another mechanism involves splitting and executing program code in a plurality of portions, where some portions of the program code are executed in association with a first level of trust and some portions of the program code are executed with different levels of trust.

Citations

26 Claims

1. A system for providing low-latency computational capacity from a virtual compute fleet, the system comprising:
- an electronic data store configured to store at least a program code of a user; and
  
  a virtual compute system comprising one or more hardware computing devices configured to execute specific computer-executable instructions, the virtual compute system in communication with the electronic data store and configured to at least;
  
  maintain a plurality of virtual machine instances on one or more physical computing devices, wherein the plurality of virtual machine instances comprises a warming pool comprising virtual machine instances to be assigned to a user and having one or more software components loaded thereon and an active pool comprising virtual machine instances currently assigned to one or more users;
  
  receive a request to execute a program code associated with a first user on the virtual compute system, the request indicating the program code associated with the first user, one or more trusted credentials usable to interface with a logging service associated with the first user, and a network address associated with the logging service;
  
  determine whether the active pool contains a preconfigured virtual machine instance that is assigned to the first user and configured to interface with the logging service;
  
  in response to determining that the active pool contains a preconfigured virtual machine instance that is assigned to the first user and configured to interface with the logging service, select the preconfigured virtual machine instance to be used to execute the program code;
  
  in response to determining that the active pool does not contain a preconfigured virtual machine instance that is assigned to the first user and configured to interface with the logging service;
  
  select an available virtual machine instance from the warming pool to be used for executing the program code; and
  
  configure the available virtual machine instance to enable the program code to interface with the logging service during execution of the program code;
  
  acquire a container in the selected virtual machine instance and assign the container to process the request to execute the program code on the virtual compute system; and
  
  cause the program code associated with the first user to be loaded from the electronic data store onto the container and executed in the container, wherein the virtual compute system is configured to cause, during the execution of the program code in the container, the program code to establish a network connection to the logging service associated with the first user using the one or more trusted credentials and the network address indicated by the request and provide data relating to the execution of the program code on the selected virtual machine instance to the logging service over the network connection.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, wherein the one or more trusted credentials comprise a login credential associated with the first user.
  - 3. The system of claim 1, wherein the logging service associated with the first user is located in a geographic location different from a geographic location of the virtual compute system.

4. A system, comprising:
- a virtual compute system comprising one or more hardware computing devices configured to execute specific computer-executable instructions and configured to at least;
  
  maintain a plurality of virtual machine instances, wherein the plurality of virtual machine instances comprises a warming pool comprising virtual machine instances to be assigned to a user and an active pool comprising virtual machine instances assigned to one or more respective users and configured to interface with one or more respective auxiliary services;
  
  receive a request to execute a program code associated with a first user on the virtual compute system, the request indicating the program code associated with the first user, one or more trusted credentials associated with the first user usable to interface with a logging service associated with the first user, and a network address associated with the logging service;
  
  select, from the plurality of virtual machine instances, a virtual machine instance to be used to execute the program code, wherein the virtual machine instance is configured to enable the program code to interface with the logging service during execution of the program code using the one or more trusted credentials indicated in the request; and
  
  cause the program code to be executed on the selected virtual machine instance, wherein the virtual compute system is configured to cause, during the execution of the program code on the selected virtual machine instance, the program code to establish a network connection to the logging service associated with the first user using the one or more trusted credentials and the network address indicated by the request and provide data relating to the execution of the program code on the selected virtual machine instance to the logging service over the network connection.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12)
- - 5. The system of claim 4, wherein the one or more trusted credentials comprise a login credential associated with the first user.
  - 6. The system of claim 4, wherein the logging service is configured to loci one or more inputs, outputs, or other parameters of the program code executed on the selected virtual machine instance.
  - 7. The system of claim 4, wherein the logging service is provided by a third party computing system different from the virtual compute system.
  - 8. The system of claim 4, wherein the plurality of virtual machine instances are maintained on one or more physical computing devices.
  - 9. The system of claim 4, wherein the one or more trusted credentials specify a credential and a file system mount point.
  - 10. The system of claim 9, wherein the file system mount point identifies a shared repository accessible by the plurality of virtual machine instances.
  - 11. The system of claim 4, wherein the virtual compute system is further configured to:
    - acquire a container in the selected virtual machine instance and assign the container to handle the request to execute the program code on the virtual compute system; and
      
      cause the program code associated with the first user to be loaded from an electronic data store onto the container and executed in the container.
  - 12. The system of claim 4, wherein the virtual compute system is further configured to:
    - determine whether the active pool contains a preconfigured virtual machine instance that is assigned to the first user and configured to interface with the logging service;
      
      in response to determining that the active pool contains a preconfigured virtual machine instance that is assigned to the first user and configured to interface with the logging service, assign the preconfigured virtual machine instance to serve as a configured virtual machine instance; and
      
      in response to determining that the active pool does not contain a preconfigured virtual machine instance that is assigned to the first user and configured to interface with the logging service;
      
      select an available virtual machine instance from the warming pool to serve as the configured virtual machine instance; and
      
      configure the available virtual machine instance to enable the program code to interface with the logging service during execution of the program code.

13. A computer-implemented method comprising:
- as implemented by one or more computing devices configured with specific executable instructions,maintaining a plurality of virtual machine instances, wherein the plurality of virtual machine instances comprises a warming pool comprising virtual machine instances to be assigned to a user and an active pool comprising virtual machine instances assigned to one or more users and configured to interface with one or more respective auxiliary services;
  
  receiving a request to execute a program code associated with a first user on a virtual compute system, the request indicating the program code associated with the first user, one or more trusted credentials associated with the first user usable to interface with a logging service associated with the first user, and a network address associated with the logging service;
  
  selecting, from the plurality of virtual machine instances, a virtual machine instance to be used to execute the program code, wherein the virtual machine instance is configured to enable the program code to interface with the auxiliary logging service during execution of the program code using the one or more trusted credentials indicated in the request; and
  
  executing the program code on the selected virtual machine instance, wherein during the execution of the program code on the selected virtual machine instance, the program code establishes a network connection to the logging service associated with the first user using the one or more trusted credentials and the network address indicated by the request and provides data relating to the execution of the program code on the selected virtual machine instance to the logging service over the network connection.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The computer-implemented method of claim 13, wherein the one or more trusted credentials comprise a login credential associated with the first user.
  - 15. The computer-implemented method of claim 13, wherein the logging service is configured to loci one or more inputs, outputs, or other parameters of the program code executed on the selected virtual machine instance.
  - 16. The computer-implemented method of claim 13, wherein the logging service is provided by a third party computing system different from the virtual compute system.
  - 17. The computer-implemented method of claim 16, further comprising:
    - acquiring a container in the selected virtual machine instance and assigning the container to handle the request to execute the program code on the virtual compute system; and
      
      causing the program code associated with the first user to be loaded from an electronic data store onto the container and executed in the container.
  - 18. The computer-implemented method of claim 13, wherein the one or more trusted credentials specify a credential and a file system mount point.
  - 19. The computer-implemented method of claim 18, wherein the file system mount point identifies a shared repository accessible by the plurality of virtual machine instances.

20. Non-transitory physical computer storage storing instructions that, when executed by one or more computing devices, configure the one or more computing devices to:
- maintain a plurality of virtual machine instances, wherein the plurality of virtual machine instances comprises a warming pool comprising virtual machine instances to be assigned to a user and an active pool comprising virtual machine instances assigned to one or more users and configured to interface with one or more respective auxiliary services;
  
  receive a request to execute a program code associated with a first user on a virtual compute system, the request indicating the program code associated with the first user, one or more trusted credentials associated with the first user usable to interface with a logging service associated with the first user, and a network address associated with the logging service;
  
  select, from the plurality of virtual machine instances, a virtual machine instance to be used to execute the program code, wherein the virtual machine instance is configured to enable the program code to interface with the auxiliary logging service during execution of the program code using the one or more trusted credentials associated with the first user; and
  
  cause the program code to be executed on the selected virtual machine instance, wherein the instructions configure the one or more computing devices to cause, during the execution of the program code on the selected virtual machine instance, the program code to establish a network connection to the logging service associated with the first user using the one or more trusted credentials and the network address indicated by the request and provide data relating to the execution of the program code on the selected virtual machine instance to the logging service over the network connection.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The non-transitory physical computer storage of claim 20, wherein the one or more trusted credentials comprise a login credential associated with the first user.
  - 22. The non-transitory physical computer storage of claim 20, wherein the logging service is configured to loci one or more inputs, outputs, or other parameters of the program code executed on the selected virtual machine instance.
  - 23. The non-transitory physical computer storage of claim 20, wherein the logging service is provided by a third party computing system different from the virtual compute system.
  - 24. The non-transitory physical computer storage of claim 20, wherein the instructions further configure the one or more computing devices to:
    - acquire a container in the selected virtual machine instance and assign the container to handle the request to execute the program code on the virtual compute system; and
      
      cause the program code associated with the first user to be loaded from an electronic data store onto the container and executed in the container.
  - 25. The non-transitory physical computer storage of claim 20, wherein the one or more trusted credentials specify a credential and a file system mount point.
  - 26. The non-transitory physical computer storage of claim 25, wherein the file system mount point identifies a shared repository accessible by the plurality of virtual machine instances.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Nair, Ajay, Wagner, Timothy Allen, Thomas, Dylan Chandler
Primary Examiner(s)
KIM, DONG U

Application Number

US14/613,735
Publication Number

US 20160224360A1
Time in Patent Office

923 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/4557 Distribution of virtual mac...

G06F 9/45558 Hypervisor-specific managem...

Security protocols for low latency execution of program code

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Security protocols for low latency execution of program code

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links