Application instances authenticated by secure measurements

US 10,044,695 B1
Filed: 09/02/2014
Issued: 08/07/2018
Est. Priority Date: 09/02/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, at an application programming interface of a computing resource service provider, a request from a customer of the computing resource service provider to associate a measurement of executable instructions of an application operating within an enclave with an application identity of the application, wherein the application identity specifies a version for the application;

registering the measurement in association with the application identity in a data store of a policy enforcement service;

receiving, at a service of the computing resource service provider, a request from a version of an installed application to access a resource in an environment of the computing resource service provider, the request specifying the application identity and a credential;

authenticating the version of the installed application by determining that the received application identity matches a registered application identity and verifying that the credential is a measurement of executable instructions of the installed application that matches the measurement of executable instructions of the application; and

allowing the version of the installed application to access the resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented system and method for receiving a request to associate one or more application instance definitions with an application identity of an application configured with a set of permissions to access computer resources in an environment of a computing resource service provider. The system and method cause a computer system to store the one or more application instance definitions in association with the application identity of the application. The system and method also cause the computer system to evaluate a request originating from an application corresponding to the application identity and the application instance definition to determine if fulfillment of the request complies with the permissions.

134 Citations

19 Claims

1. A computer-implemented method, comprising:
- receiving, at an application programming interface of a computing resource service provider, a request from a customer of the computing resource service provider to associate a measurement of executable instructions of an application operating within an enclave with an application identity of the application, wherein the application identity specifies a version for the application;
  
  registering the measurement in association with the application identity in a data store of a policy enforcement service;
  
  receiving, at a service of the computing resource service provider, a request from a version of an installed application to access a resource in an environment of the computing resource service provider, the request specifying the application identity and a credential;
  
  authenticating the version of the installed application by determining that the received application identity matches a registered application identity and verifying that the credential is a measurement of executable instructions of the installed application that matches the measurement of executable instructions of the application; and
  
  allowing the version of the installed application to access the resource.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, wherein the method further comprises:
    - receiving, at the application programming interface, application code for the application;
      
      executing the application code in an enclave of the computing resource service provider; and
      
      generating the measurement at least in part by measuring the application code in the enclave.
  - 3. The computer-implemented method of claim 1, wherein the method further includes registering a code corresponding to one or more instances of the installed application in association with the application identity.
  - 4. The computer-implemented method of claim 1, wherein:
    - the application identity is associated with one or more policies allowing the application to access one or more resources in the environment of the computing resource service provider; and
      
      the authenticating further includes confirming that the one or more policies allow the application to access the resource.
  - 5. The computer-implemented method of claim 1, wherein verifying that the credential is a measurement of executable instructions of the installed application that matches the measurement of executable instructions of the application includes verifying that an attestation associated with the measurement of executable instructions of the installed application corresponds to an accepted root of trust.

6. A system, comprising:
- memory to store instructions, if executed by one or more processors, cause the system to at least;
  
  receive a request to associate an application instance definition with an application identity specifying a version of an application, wherein the application instance definition is a measurement produced by measuring at least a portion of an instance of the application executing within an enclave;
  
  store the application instance definition in association with the application identity;
  
  receive a request from a version of an installed client application to access a resource, the request specifying the application identity and a credential;
  
  determine that the credential is another application instance definition that matches the application instance definition and that the received application identity matches the application identity associated with the application instance definition; and
  
  allow the version of the client application to access the resource.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The system of claim 6, wherein the system further comprises:
    - an application marketplace; and
      
      the request to associate an application instance definition with the application identity is received from the marketplace in response to a request to provide the application to an end user.
  - 8. The system of claim 6, wherein a bootloader causes the at least a portion of the instance of the application be launched into the enclave and causes the enclave to measure the at least a portion of the instance of the application.
  - 9. The system of claim 6, wherein the application identity is associated with a plurality of application instance definitions that correspond to different versions of the application.
  - 10. The system of claim 9, wherein the different versions of the application are manageable through an interface of a computing resource service provider.
  - 11. The system of claim 6, wherein the application identity is associated with a plurality of application instances of the application.
  - 12. The system of claim 11, wherein one or more cryptographic keys used by an individual application instance of the plurality of application instances are rotatable independently from cryptographic keys used by other application instances of the plurality of application instances.

13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to at least:
- receive a request from a version of an installed client application to access a resource of a provider, wherein the request includes a measurement of an application instance measured executing within an enclave;
  
  obtain, from a data store that associates measurements of application instances with application identities, an application identity and a credential for the version of the client application associated with the measurement;
  
  determine, based at least in part on the application identity and the credential, a respective set of permissions associated with the application identity;
  
  determine that the respective set of permissions are sufficient to allow the version of the application to access the resource; and
  
  fulfill the request by allowing the version of the client application to access the resource.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions further cause the computer system to deliver the application to an end user through an online marketplace that offers applications for delivery.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions further cause the computer system to:
    - generate code to be inserted into the application for delivery;
      
      cause the code to be inserted into the application for delivery; and
      
      cause at least a portion of the code to be registered with a computing resource service provider in association with the application for delivery.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein the code to be inserted into the application for delivery includes bootstrapping code that, when executed by the one or more processors, causes executable instructions of the application in memory to be measured before a first instruction of the executable instructions is executed.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the measurement is a constituent of a plurality of credentials stored in the data store, each of which is associated with at least one installation of the application.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the executable instructions that cause the computer system to at least receive the request from the client application cause the computer system to at least:
    - receive the measurement through a bootstrapping process of the at least one installation of the application, the measurement being a measurement of an execution state of the application; and
      
      associate the measurement with the at least one installation of the application.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the executable instructions that cause the computer system to receive the request from the client application include instructions that cause the computer system to at least:
    - request, from an end user, one or more install codes of the at least one installation of the application;
      
      receive the one or more install codes from the end user; and
      
      register the one or more install codes and the measurement as a credential in association with the at least one installation of the application dependent at least in part on successful verification of the provided one or more install codes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Cahill, Conor Patrick, Roth, Gregory Branchek
Primary Examiner(s)
Abedin, Shanto M

Application Number

US14/475,382
Time in Patent Office

1,435 Days
Field of Search

726 26, 726 27, 726 2- 7, 713168, 713175
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

Application instances authenticated by secure measurements

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

134 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Application instances authenticated by secure measurements

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

134 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links