Security protocols for low latency execution of program code
First Claim
1. A system for providing low-latency computational capacity from a virtual compute fleet, the system comprising:
    an electronic data store configured to store at least a program code of a user; and
    a virtual compute system comprising one or more hardware computing devices configured to execute specific computer-executable instructions, the virtual compute system in communication with the electronic data store and configured to at least:
        maintain a plurality of virtual machine instances on one or more physical computing devices, wherein the plurality of virtual machine instances comprises a warming pool comprising virtual machine instances to be assigned to a user and having one or more software components loaded thereon and an active pool comprising virtual machine instances currently assigned to one or more users;
        receive a request to execute a program code associated with a first user on the virtual compute system, the request indicating the program code associated with the first user, one or more trusted credentials usable to interface with a logging service associated with the first user, and a network address associated with the logging service;
        determine whether the active pool contains a preconfigured virtual machine instance that is assigned to the first user and configured to interface with the logging service;
        in response to determining that the active pool contains a preconfigured virtual machine instance that is assigned to the first user and configured to interface with the logging service, select the preconfigured virtual machine instance to be used to execute the program code;
        in response to determining that the active pool does not contain a preconfigured virtual machine instance that is assigned to the first user and configured to interface with the logging service:
            select an available virtual machine instance from the warming pool to be used for executing the program code; and
            configure the available virtual machine instance to enable the program code to interface with the logging service during execution of the program code;
        acquire a container in the selected virtual machine instance and assign the container to process the request to execute the program code on the virtual compute system; and
        cause the program code associated with the first user to be loaded from the electronic data store onto the container and executed in the container, wherein the virtual compute system is configured to cause, during the execution of the program code in the container, the program code to establish a network connection to the logging service associated with the first user using the one or more trusted credentials and the network address indicated by the request and provide data relating to the execution of the program code on the selected virtual machine instance to the logging service over the network connection.
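The selection procedure recited in claim 1, written out as an added Python model for this page (it is illustration, not code from the patent or its assignee): an active-pool lookup keyed on both the requesting user and the logging service named in the request, a fall-back to the warming pool with configuration of the instance, container acquisition, and the execution-time connection to the logging service using the credentials and address carried in the request. The class and field names (VirtualComputeSystem, warming_pool, active_pool, LoggingService, ExecutionRequest) and the two-user scenario are this example's own assumptions. The point worth seeing in code is that the reuse check includes the user identity, so one user's code is never placed on an instance that holds another user's logging credentials, and the (stubbed) logging service rejects a connection made with the wrong credentials.

```python
"""Model of the claim-1 selection procedure (added illustration, not patent code).
Names such as VirtualComputeSystem, warming_pool, active_pool and LoggingService
are this example's own choices; the scenario in demo() is constructed."""
from dataclasses import dataclass, field
from itertools import count
from typing import Callable, Dict, List, Optional


@dataclass
class ExecutionRequest:
    """What the request in claim 1 carries."""
    user_id: str
    program_code: str          # key of the code object in the data store
    logging_credentials: str   # trusted credentials for the user's logging service
    logging_address: str       # network address of that logging service


class LoggingService:
    """Stand-in for the user's logging service; admits only its own credentials."""

    def __init__(self, address: str, expected_credentials: str):
        self.address = address
        self._expected = expected_credentials
        self.records: List[dict] = []

    def connect(self, credentials: str) -> "LoggingService":
        if credentials != self._expected:
            raise PermissionError(f"{self.address}: credentials rejected")
        return self

    def put(self, record: dict) -> None:
        self.records.append(record)


@dataclass
class Container:
    container_id: str
    program_code: str


@dataclass
class VMInstance:
    """Warming-pool instances carry no user or logging configuration; moving to
    the active pool binds both."""
    instance_id: str
    assigned_user: Optional[str] = None
    logging_address: Optional[str] = None
    logging_credentials: Optional[str] = None
    containers: List[Container] = field(default_factory=list)


@dataclass
class ExecutionResult:
    instance_id: str
    container_id: str
    reused_instance: bool   # True when a preconfigured active-pool instance was chosen
    output: str


class VirtualComputeSystem:
    def __init__(self, warm_instances: List[VMInstance],
                 data_store: Dict[str, Callable[[], str]],
                 network: Dict[str, LoggingService]):
        self.warming_pool = list(warm_instances)
        self.active_pool: List[VMInstance] = []
        self.data_store = data_store   # the electronic data store of claim 1
        self.network = network         # address -> reachable logging service
        self._ids = count(1)

    def _find_preconfigured(self, req: ExecutionRequest) -> Optional[VMInstance]:
        # Match on the user AND the logging service, as the claim requires.
        for inst in self.active_pool:
            if inst.assigned_user == req.user_id and inst.logging_address == req.logging_address:
                return inst
        return None

    def _configure_from_warming_pool(self, req: ExecutionRequest) -> VMInstance:
        if not self.warming_pool:
            raise RuntimeError("warming pool exhausted")
        inst = self.warming_pool.pop(0)
        inst.assigned_user = req.user_id
        inst.logging_address = req.logging_address
        inst.logging_credentials = req.logging_credentials
        self.active_pool.append(inst)
        return inst

    def handle_request(self, req: ExecutionRequest) -> ExecutionResult:
        inst = self._find_preconfigured(req)
        reused = inst is not None
        if inst is None:
            inst = self._configure_from_warming_pool(req)
        # Invariant any implementation should hold: code never lands on an
        # instance bound to another user's credentials.
        assert inst.assigned_user == req.user_id
        container = Container(f"c{next(self._ids)}", req.program_code)
        inst.containers.append(container)
        # Load and run the code, then report to the logging service over a
        # connection opened with the credentials and address from the request.
        output = self.data_store[req.program_code]()
        conn = self.network[inst.logging_address].connect(inst.logging_credentials)
        conn.put({"user": req.user_id, "instance": inst.instance_id,
                  "container": container.container_id, "output": output})
        return ExecutionResult(inst.instance_id, container.container_id, reused, output)


def demo():
    """Constructed scenario: two users, two logging services, three warm instances."""
    svc_a = LoggingService("logs.alice.example:443", "token-alice")
    svc_b = LoggingService("logs.bob.example:443", "token-bob")
    network = {s.address: s for s in (svc_a, svc_b)}
    store = {"hello": lambda: "hello", "sum": lambda: str(sum(range(5)))}
    vcs = VirtualComputeSystem([VMInstance(f"vm{i}") for i in range(3)], store, network)
    results = [
        vcs.handle_request(ExecutionRequest("alice", "hello", "token-alice", svc_a.address)),
        vcs.handle_request(ExecutionRequest("alice", "sum", "token-alice", svc_a.address)),
        vcs.handle_request(ExecutionRequest("bob", "sum", "token-bob", svc_b.address)),
    ]
    return vcs, results, svc_a, svc_b


if __name__ == "__main__":
    vcs, results, svc_a, svc_b = demo()
    for r in results:
        print(r)
    print("warm instances left:", len(vcs.warming_pool))
```

Running the scenario, the second request from the same user reuses the instance configured by the first (the low-latency path), while the other user's request draws a fresh instance from the warming pool; the records arriving at each logging service belong only to that service's user.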
1 Assignment
0 Petitions
Abstract
A system for providing security mechanisms for secure execution of program code is described. The system may be configured to maintain a plurality of virtual machine instances. The system may be further configured to receive a request to execute a program code and allocate computing resources for executing the program code on one of the virtual machine instances. One mechanism involves executing program code according to a user-specified security policy. Another mechanism involves executing program code that may be configured to communicate or interface with an auxiliary service. Another mechanism involves splitting and executing program code in a plurality of portions, where some portions of the program code are executed in association with a first level of trust and some portions of the program code are executed with different levels of trust.
26 Claims
1. (Independent claim; text given in full under First Claim above.) Dependent claims: 2, 3.
4. A system, comprising:
    a virtual compute system comprising one or more hardware computing devices configured to execute specific computer-executable instructions and configured to at least:
        maintain a plurality of virtual machine instances, wherein the plurality of virtual machine instances comprises a warming pool comprising virtual machine instances to be assigned to a user and an active pool comprising virtual machine instances assigned to one or more respective users and configured to interface with one or more respective auxiliary services;
        receive a request to execute a program code associated with a first user on the virtual compute system, the request indicating the program code associated with the first user, one or more trusted credentials associated with the first user usable to interface with a logging service associated with the first user, and a network address associated with the logging service;
        select, from the plurality of virtual machine instances, a virtual machine instance to be used to execute the program code, wherein the virtual machine instance is configured to enable the program code to interface with the logging service during execution of the program code using the one or more trusted credentials indicated in the request; and
        cause the program code to be executed on the selected virtual machine instance, wherein the virtual compute system is configured to cause, during the execution of the program code on the selected virtual machine instance, the program code to establish a network connection to the logging service associated with the first user using the one or more trusted credentials and the network address indicated by the request and provide data relating to the execution of the program code on the selected virtual machine instance to the logging service over the network connection.
    Dependent claims: 5, 6, 7, 8, 9, 10, 11, 12.

13. A computer-implemented method comprising:
    as implemented by one or more computing devices configured with specific executable instructions,
        maintaining a plurality of virtual machine instances, wherein the plurality of virtual machine instances comprises a warming pool comprising virtual machine instances to be assigned to a user and an active pool comprising virtual machine instances assigned to one or more users and configured to interface with one or more respective auxiliary services;
        receiving a request to execute a program code associated with a first user on a virtual compute system, the request indicating the program code associated with the first user, one or more trusted credentials associated with the first user usable to interface with a logging service associated with the first user, and a network address associated with the logging service;
        selecting, from the plurality of virtual machine instances, a virtual machine instance to be used to execute the program code, wherein the virtual machine instance is configured to enable the program code to interface with the auxiliary logging service during execution of the program code using the one or more trusted credentials indicated in the request; and
        executing the program code on the selected virtual machine instance, wherein during the execution of the program code on the selected virtual machine instance, the program code establishes a network connection to the logging service associated with the first user using the one or more trusted credentials and the network address indicated by the request and provides data relating to the execution of the program code on the selected virtual machine instance to the logging service over the network connection.
    Dependent claims: 14, 15, 16, 17, 18, 19.

20. Non-transitory physical computer storage storing instructions that, when executed by one or more computing devices, configure the one or more computing devices to:
    maintain a plurality of virtual machine instances, wherein the plurality of virtual machine instances comprises a warming pool comprising virtual machine instances to be assigned to a user and an active pool comprising virtual machine instances assigned to one or more users and configured to interface with one or more respective auxiliary services;
    receive a request to execute a program code associated with a first user on a virtual compute system, the request indicating the program code associated with the first user, one or more trusted credentials associated with the first user usable to interface with a logging service associated with the first user, and a network address associated with the logging service;
    select, from the plurality of virtual machine instances, a virtual machine instance to be used to execute the program code, wherein the virtual machine instance is configured to enable the program code to interface with the auxiliary logging service during execution of the program code using the one or more trusted credentials associated with the first user; and
    cause the program code to be executed on the selected virtual machine instance, wherein the instructions configure the one or more computing devices to cause, during the execution of the program code on the selected virtual machine instance, the program code to establish a network connection to the logging service associated with the first user using the one or more trusted credentials and the network address indicated by the request and provide data relating to the execution of the program code on the selected virtual machine instance to the logging service over the network connection.
    Dependent claims: 21, 22, 23, 24, 25, 26.