Execution locations for request-driven code
Abstract
Systems and methods are described for determining a location in an on-demand code execution environment to execute user-specified code. Virtual machines can be utilized to isolate different executions of code from one another. However, virtual machines require additional computing resources to implement, and may slow code executions. This disclosure enables multiple items of code, potentially associated with different users, to be executed on a single virtual machine instance or other device. Specifically, the present disclosure enables the generation of a risk profile for an item of code, which can be used to determine the security or privacy risk that would occur by executing the code on a device. By comparing the risk profiles of a given item of code to other items of code executing on a device, the on-demand code execution environment can selectively group code executions, thus increasing the efficiency of the system while maintaining security and privacy.
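An added sketch of the placement decision the abstract describes, not code from the patent or its assignee. The weights, the permission and task names, and the rule for combining profiles (each score treated as an independent probability) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed weights: the page names the inputs (function calls, libraries,
# permissions) but no scoring scheme, so every number here is hypothetical.
RISKY_CALLS = {"os.system": 0.30, "ctypes.CDLL": 0.40, "socket.socket": 0.10}
RISKY_LIBS = {"ctypes": 0.40, "subprocess": 0.20}
RISKY_PERMS = {"raw_network": 0.30, "host_filesystem": 0.50}

@dataclass(frozen=True)
class Task:
    name: str
    calls: frozenset = frozenset()
    libs: frozenset = frozenset()
    perms: frozenset = frozenset()

@dataclass
class VM:
    vm_id: str
    tasks: list = field(default_factory=list)

def combined_risk(profiles):
    """Assumed rule: probability that at least one of the profiles misbehaves."""
    safe = 1.0
    for p in profiles:
        safe *= 1.0 - p
    return 1.0 - safe

def risk_profile(task):
    """Score in [0, 1] built from the task's calls, libraries and permissions."""
    hits = [RISKY_CALLS.get(c, 0.0) for c in task.calls]
    hits += [RISKY_LIBS.get(l, 0.0) for l in task.libs]
    hits += [RISKY_PERMS.get(p, 0.0) for p in task.perms]
    return combined_risk(hits)

def select_vm(task, vms, threshold):
    """Assign task to the first VM whose joint risk stays within threshold."""
    new = risk_profile(task)
    for vm in vms:
        joint = combined_risk([risk_profile(t) for t in vm.tasks] + [new])
        if joint <= threshold:
            vm.tasks.append(task)
            return vm
    return None  # no shared VM is acceptable: caller provisions a dedicated one

# Constructed sample tasks (not from the page).
RESIZE = Task("resize")
SCRAPE = Task("scrape", calls=frozenset({"socket.socket"}))
NATIVE = Task("native", calls=frozenset({"ctypes.CDLL"}), perms=frozenset({"host_filesystem"}))
```

A `None` result is the case where grouping is refused and the task keeps its own instance, which is the isolation cost the abstract is trying to pay only when the profiles require it.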
21 Claims
1. A computer-implemented method of selecting virtual machine instances on which to execute user-specified code within an on-demand code execution environment, the on-demand code execution environment comprising a plurality of virtual machine instances executing an initialized operating system and awaiting requests to execute user-specified code within that operating system, the method comprising:
- as implemented by one or more computing devices configured with specific computer-executable instructions, generating a first risk profile for a first task associated with the on-demand code execution environment, the first task corresponding to a first set of user-defined executable code, wherein the risk profile for the first task indicates a risk that execution of the first task on a virtual machine instance will compromise security of other tasks executing on the virtual machine instance, wherein the first risk profile for the first task is determined based at least in part on at least one of one or more function calls included within the first set of user-defined code, one or more libraries included within the first set of user-defined code, one or more computing resources expected to be utilized during execution of the first set of user-defined code, or one or more permissions requested for execution of the first set of user-defined code;
- obtaining a request to execute the first task on the on-demand code execution environment;
- selecting the virtual machine instance from the plurality of virtual machine instances on which to execute the first task at least partly by:
  - obtaining a second risk profile for a second task assigned to be executed on the virtual machine instance, the second task corresponding to a second set of user-defined executable code, wherein the risk profile for the second task indicates a risk that execution of the second task on the virtual machine instance will compromise security of other tasks executing on the virtual machine instance; and
  - determining, based at least in part on the first risk profile and the second risk profile, that a risk level associated with execution of both the first task and second task on the virtual machine instance does not exceed a threshold value; and
- assigning the virtual machine instance to execute the first task.
7. A system for selecting devices on which to execute user-specified code within an on-demand code execution environment, the system comprising:
- a non-transitory data store including a risk profile for a task associated with the on-demand code execution environment, the task corresponding to a first set of executable code that may be executed by a device of the on-demand code execution environment, wherein the risk profile for the task indicates a risk that execution of the task on the device will compromise security of other processes executing on the device, and wherein the risk profile for the task is determined based at least in part on at least one of one or more function calls included within the first set of executable code, one or more libraries included within the first set of executable code, one or more computing resources expected to be utilized during execution of the first set of executable code, or one or more permissions requested for execution of the first set of executable code; and
- a computing device comprising a processor in communication with the non-transitory data store and configured with specific computer-executable instructions to:
  - obtain a request to execute the task on the on-demand code execution environment;
  - obtain a second risk profile for a process assigned to be executed on the device, wherein the risk profile for the process indicates a risk that execution of the process on the device will compromise security of other processes executing on the device;
  - determine, based at least in part on the first risk profile and the second risk profile, that a risk level associated with execution of both the task and the process on the device does not exceed a threshold value; and
  - assign the device to execute the first task.
16. Non-transitory, computer-readable storage media comprising computer-executable instructions for selecting devices on which to execute user-specified code within an on-demand code execution environment, wherein the computer-executable instructions, when executed by a computer system, cause the computer system to:
- generate a risk profile for a process executing on a device of the on-demand code execution environment, wherein the risk profile for the process indicates a risk that execution of the process on the device will compromise security of other processes executing on the device, and wherein the risk profile for the device is determined based at least in part on at least one of one or more function calls included within code corresponding to the process, one or more libraries included within the code, one or more computing resources expected to be utilized during execution of the process, or one or more permissions requested for execution of the process;
- obtain a request to execute a task on the on-demand code execution environment;
- obtain a risk profile for the task, wherein the risk profile for the task indicates a risk that execution of the task on the device will compromise security of other processes executing on the device;
- determine, based at least in part on the risk profile for the process and the risk profile for the task, that a risk level associated with execution of both the task and the process on the device does not exceed a threshold value; and
- assign the device to execute the task.
Specification