Hypervisor enforcement of cryptographic policy

US 9,892,254 B2
Filed: 09/11/2015
Issued: 02/13/2018
Est. Priority Date: 03/24/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

collecting a plurality of execution traces, each execution trace comprising one or more items of information corresponding to execution of a computer executable instruction executed on a virtual machine;

grouping one or more of the plurality of execution traces into a set of groups of execution traces based at least in part on identifying a set of instructions that is executed in a consistent pattern;

selecting a subset of the set of groups of execution traces based at least in part on one or more data elements shared in common between one or more members of the subset of the set of groups;

computing one or more scores based at least in part on comparing a first set of execution traces comprising the execution traces contained in one or more of the groups of execution traces in the subset of the set of groups against a second set of execution traces comprised of one or more execution traces in a reference algorithm, the one or more scores based at least in part on one or more similarity measurements between the first set of execution traces and the second set of execution traces, the one or more scores indicating whether the first set of execution traces includes at least a portion of an implementation of an algorithm;

making a determination whether the first set of execution traces matches the algorithm based at least in part on the one or more scores; and

causing the virtual machine to perform one or more actions based at least in part on the determination.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for restricting the execution of algorithms contained in applications executing on virtual machines executing within a computer system are described herein. A first sampled set of computer executable instructions is gathered from a virtual machine by a controlling domain and compared against a reference set of computer executable instructions. If the first set is similar to the reference set, and if the execution of the algorithm corresponding to the reference set is restricted by one or more computer system polices, one or more operations limiting the execution of the restricted algorithm are performed, thus ensuring conformance with the computer system policies.

Citations

20 Claims

1. A computer-implemented method, comprising:
- collecting a plurality of execution traces, each execution trace comprising one or more items of information corresponding to execution of a computer executable instruction executed on a virtual machine;
  
  grouping one or more of the plurality of execution traces into a set of groups of execution traces based at least in part on identifying a set of instructions that is executed in a consistent pattern;
  
  selecting a subset of the set of groups of execution traces based at least in part on one or more data elements shared in common between one or more members of the subset of the set of groups;
  
  computing one or more scores based at least in part on comparing a first set of execution traces comprising the execution traces contained in one or more of the groups of execution traces in the subset of the set of groups against a second set of execution traces comprised of one or more execution traces in a reference algorithm, the one or more scores based at least in part on one or more similarity measurements between the first set of execution traces and the second set of execution traces, the one or more scores indicating whether the first set of execution traces includes at least a portion of an implementation of an algorithm;
  
  making a determination whether the first set of execution traces matches the algorithm based at least in part on the one or more scores; and
  
  causing the virtual machine to perform one or more actions based at least in part on the determination.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, further comprising constructing a representation of one or more of the plurality of execution traces that is usable to reconstruct a sequential order of execution of the one or more of the plurality of execution traces, and wherein grouping one or more of the plurality of execution traces into a set of groups of execution traces includes grouping one or more of the plurality of execution traces into a set of groups of execution traces based at least in part on the representation.
  - 3. The computer-implemented method of claim 2, wherein the representation of one or more of the plurality of execution traces is a graph comprising a plurality of vertices and a plurality of edges wherein each vertex corresponds to an executable instruction and each edge of at least a subset of the plurality of edges between pairs of vertices represents a temporal ordering between pairs of vertices.
  - 4. The computer-implemented method of claim 1, wherein grouping one or more of the plurality of execution traces into a set of groups of execution traces based at least in part on identifying a set of instructions that is executed in a consistent pattern includes identifying a loop structure in the plurality of execution traces based upon locating a structure in the plurality of execution traces that is executed multiple times with consistent entry and exit points.
  - 5. The computer-implemented method of claim 1, wherein the one or more scores are based at least in part on an edit distance between the first set of execution traces and the second set of execution traces.
  - 6. The computer-implemented method of claim 1, further comprising altering a sampling frequency for collecting of the plurality of execution traces as a result of one or more events occurring in one or more of the one or more computer systems.

7. A system, comprising:
- at least one computing device configured to implement one or more services, the one or more services configured to;
  
  obtain a first representation of a first subset of execution traces, the first subset of execution traces comprising execution traces selected, based at least in part on one or more common data elements shared between execution traces, from a set of execution traces comprising samples of execution of a computer executable instruction executed on a virtual machine, the set of execution traces grouped together based at least in part on identifying a set of instructions that are executed in a consistent pattern;
  
  make a determination, based at least in part on comparing the first representation to a second representation of a second subset of execution traces, the second subset of execution traces comprising execution traces selected from a set of execution traces comprising traces of execution of a reference algorithm implementation, whether one or more of the first subset of execution traces includes at least a portion of an implementation of an algorithm; and
  
  cause the virtual machine to perform one or more actions based at least in part on the determination.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system of claim 7, wherein the first representation is a graph comprising a plurality of vertices and a plurality of edges wherein each vertex of the plurality of vertices corresponds to an executable instruction and each edge of the plurality of edges connects a pair of vertices, of the plurality of vertices, and represents a temporal ordering between the pair of vertices.
  - 9. The system of claim 8, wherein the service configured to compare the first representation to the second representation is further configured to identify a loop structure in the first representation by locating a structure in the first representation that is executed multiple times with consistent entry and exit points and to compare the loop structure in the first representation to one or more structures in the second representation.
  - 10. The system of claim 8, wherein the service configured to compare the first representation to the second representation is further configured to identify a loop structure in the first representation by locating a back edge which points to a first vertex in the plurality of vertices that has already been traversed and to compare the loop structure in the first representation to one or more structures in the second representation.
  - 11. The system of claim 7, wherein the service configured to determine whether one or more of the first subset of execution traces includes at least a portion of an implementation of a algorithm is further configured to determine whether the one or more of the first subset of execution traces includes at least a portion of an implementation of a algorithm based at least in part on a likelihood score, the likelihood score based at least in part on a distance metric between the first representation and the second representation.
  - 12. The system of claim 7, wherein the algorithm includes a cryptographic algorithm.
  - 13. The system of claim 7, wherein as a result of one or more events occurring within one or more of the one or more services, a sampling frequency at which the one or more services collects the execution traces is altered.

14. A non-transitory computer-readable storage medium having collectively stored thereon executable instructions that, if executed by one or more processors of a computer system, cause the computer system to at least:
- obtain a first subset of execution traces from an application, the first subset of execution traces comprising execution traces selected from a set of execution traces comprising samples of execution of a computer executable instruction from the application executed on a machine, the set of execution traces grouped together based at least in part on identifying a set of instructions that are executed in a consistent pattern;
  
  compare the first subset of execution traces to a second subset of execution traces comprising execution traces selected from a set of execution traces comprising samples of execution of an implementation of an algorithm to make a determination whether the first subset of execution traces includes at least a portion of the implementation of the algorithm; and
  
  cause the machine to perform one or more actions based at least in part on the determination.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the instructions that cause the computer system to compare the first subset of execution traces to a second subset of execution traces further calculate a similarity measurement based at least in part on a distance metric between the first subset of execution traces and the second subset of execution traces and determine whether the first subset of execution traces includes at least a portion of the implementation of the algorithm based on the similarity measurement.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein the instructions that cause the computer system to obtain the first subset of execution traces from the application include instructions that cause the computer system to select the first subset of execution traces based on an identification of a loop structure in the set of execution traces.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the machine is a virtual machine.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein the algorithm includes a cryptographic algorithm.
  - 19. The non-transitory computer-readable storage medium of claim 14, wherein the instructions that cause the computer system to compare the first subset of execution traces to the second subset of execution traces further include instructions that cause the computer system to compare a first loop of execution traces in the first subset of execution traces to a second loop of execution traces in the second subset of execution traces.
  - 20. The non-transitory computer-readable storage medium of claim 14, wherein the instructions that cause the computer system to alter a sampling frequency at which samples of execution traces are collected as a result of one or more events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Allen, Nicholas Alexander
Primary Examiner(s)
NGUYEN, THU HA T

Application Number

US14/852,361
Publication Number

US 20160004860A1
Time in Patent Office

886 Days
Field of Search

726 3, 726 6, 726 7, 726 15, 726 22
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 2221/034   Test or assess a computer o...

G06F 9/45558   Hypervisor-specific managem...

Hypervisor enforcement of cryptographic policy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hypervisor enforcement of cryptographic policy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links