Automatic classification and parallel processing of untested code in a protected runtime environment

US 9,977,725 B2
Filed: 08/26/2016
Issued: 05/22/2018
Est. Priority Date: 08/26/2016
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

receiving at least one new code module that processes operational data of at least one computing device;

instantiating at least one duplicate engine to run the at least one new code module on the operational data, the at least one duplicate engine running the at least one new code module in parallel with a production engine running a plurality of verified code modules that process the operational data;

running the at least one new code module on the at least one duplicate engine with the operational data to produce new code module results;

running the plurality of verified code modules on the production engine with the operational data to produce verified code module results;

combining the new code module results with the verified code module results to produce combined results describing an operational status of the computing device;

measuring a performance of the new code module running on the duplicate engine;

determining whether the performance of the new code module meets a predetermined criterion; and

responsive to a determination that the performance of the new code module meets the predetermined criterion, adding the new code module to the plurality of verified code modules.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided to run new code modules safely in a duplicative, protected environment without affecting the code modules that are already trusted to be on the system. The system receives a new code module that validates operational data of a computing device, and instantiates a new, parallel execution engine to run the new code module on the operational data in parallel with another execution engine running the trusted/verified code modules that also validate the same operational data. The new engine runs the new code module with the operational data to produce new code module results. The production engine runs the trusted/verified code modules with the operational data to produce verified code module results. The new code module results are combined with the verified code module results to produce combined results describing the operational status of the computing device.

Citations

18 Claims

1. A computer implemented method comprising:
- receiving at least one new code module that processes operational data of at least one computing device;
  
  instantiating at least one duplicate engine to run the at least one new code module on the operational data, the at least one duplicate engine running the at least one new code module in parallel with a production engine running a plurality of verified code modules that process the operational data;
  
  running the at least one new code module on the at least one duplicate engine with the operational data to produce new code module results;
  
  running the plurality of verified code modules on the production engine with the operational data to produce verified code module results;
  
  combining the new code module results with the verified code module results to produce combined results describing an operational status of the computing device;
  
  measuring a performance of the new code module running on the duplicate engine;
  
  determining whether the performance of the new code module meets a predetermined criterion; and
  
  responsive to a determination that the performance of the new code module meets the predetermined criterion, adding the new code module to the plurality of verified code modules.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the performance of the new code module includes stability of the duplicate engine, stability of the new code module, execution time of the new code module, output of the duplicate engine, or unplanned effects of the new code module on the duplicate engine.
  - 3. The method of claim 1, further comprising notifying at least one author of the new code module of the performance of the new code module.
  - 4. The method of claim 3, wherein the predetermined criterion for adding the new code module to the plurality of verified code modules is based on characteristics of the at least one author of the new code module.
  - 5. The method of claim 1, wherein the predetermined criterion for adding the new code module to the plurality of verified code modules includes a predetermined number of executions of the new code module on the duplicate engine.
  - 6. The method of claim 1, wherein the at least one new code module includes a plurality of new code modules, and each new code module of the plurality of new code modules is run on a separately instantiated duplicate engine.

7. An apparatus comprising:
- a network interface unit configured to receive at least one new code module that processes operational data of at least one computing device;
  
  a memory; and
  
  a processor coupled to the network interface unit and memory, the processor configured to;
  
  instantiate at least one duplicate engine to run the at least one new code module on the operational data, the at least one duplicate engine running the at least one new code module in parallel with a production engine running a plurality of verified code modules that process the operational data;
  
  run the at least one new code module on the at least one duplicate engine with the operational data to produce new code module results;
  
  run the plurality of verified code modules on the production engine with the operational data to produce verified code module results;
  
  combine the new code module results with the verified code module results to produce combined results describing an operational status of the computing device;
  
  measure a performance of the new code module running on the duplicate engine;
  
  determine whether the performance of the new code module meets a predetermined criterion; and
  
  responsive to a determination that the performance of the new code module meets the predetermined criterion, adding the new code module to the plurality of verified code modules.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein the performance of the new code module includes stability of the duplicate engine, stability of the new code module, execution time of the new code module, output of the duplicate engine, or unplanned effects of the new code module on the duplicate engine.
  - 9. The apparatus of claim 7, wherein the processor is further configured to cause the network interface unit to notify at least one author of the new code module of the performance of the new code module.
  - 10. The apparatus of claim 9, wherein the predetermined criterion for adding the new code module to the plurality of verified code modules is based on characteristics of the at least one author of the new code module.
  - 11. The apparatus of claim 7, wherein the predetermined criterion for adding the new code module to the plurality of verified code modules includes a predetermined number of executions of the new code module on the duplicate engine.
  - 12. The apparatus of claim 7, wherein the at least one new code module includes a plurality of new code modules, and the processor is configured to instantiate a separate duplicate engine for each new code module of the plurality of new code modules.

13. One or more non-transitory computer readable storage media encoded with computer executable instructions operable to cause a processor to:
- receive at least one new code module that processes operational data of at least one computing device;
  
  instantiate at least one duplicate engine to run the at least one new code module on the operational data, the at least one duplicate engine running the at least one new code module in parallel with a production engine running a plurality of verified code modules that process the operational data;
  
  run the at least one new code module on the at least one duplicate engine with the operational data to produce new code module results;
  
  run the plurality of verified code modules on the production engine with the operational data to produce verified code module results;
  
  combine the new code module results with the verified code module results to produce combined results describing an operational status of the computing device;
  
  measure a performance of the new code module running on the duplicate engine;
  
  determine whether the performance of the new code module meets the predetermined criterion; and
  
  responsive to a determination that the performance of the new code module meets the predetermined criterion, add the new code module to the plurality of verified code modules.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer readable storage media of claim 13, wherein the performance of the new code module includes stability of the duplicate engine, stability of the new code module, execution time of the new code module, output of the duplicate engine, or unplanned effects of the new code module on the duplicate engine.
  - 15. The computer readable storage media of claim 13, further comprising instructions operable to cause the processor to notify at least one author of the new code module of the performance of the new code module.
  - 16. The computer readable storage media of claim 15, wherein the predetermined criterion for adding the new code module to the plurality of verified code modules is based on characteristics of the at least one author of the new code module.
  - 17. The computer readable storage media of claim 13, wherein the at least one new code module includes a plurality of new code modules, and further comprising instructions operable to cause the processor to instantiate a separate duplicate engine for each new code module of the plurality of new code modules.
  - 18. The computer readable storage media of claim 13, wherein the predetermined criterion for adding the new code module to the plurality of verified code modules includes a predetermined number of executions of the new code module on the duplicate engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
White, Jr., David C., Mortensen, Magnus, Johnston, Jay K.
Primary Examiner(s)
Khatri, Anil

Application Number

US15/248,077
Publication Number

US 20180060208A1
Time in Patent Office

634 Days
Field of Search

717120-129
US Class Current
CPC Class Codes

G06F 11/3604   Software analysis for verif...

G06F 11/3612   by runtime analysis perform...

G06F 21/53   by executing in a restricte...

G06F 21/57   Certifying or maintaining t...

G06F 2221/033   Test or assess software

G06F 8/71   Version control security ar...

Automatic classification and parallel processing of untested code in a protected runtime environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic classification and parallel processing of untested code in a protected runtime environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links