Posture assessment in a secure execution environment
First Claim
Patent Images
1. A computer-implemented method, comprising:
- for a computer system implemented using compute capacity of hardware of a service of a service provider, receiving, from a customer of the service provider, a request to monitor the computer system of a customer of the service provider; and
using the compute capacity to launch a monitoring agent in an enclave on the hardware of the service provider, the enclave being a protected execution environment in memory address space of the computer system that provides confidentiality and integrity for applications and data in the memory address space, wherein the protected execution environment provides functionality for remote attestation as to a state of the protected execution environment, has a root of trust protected from being accessed outside the protected execution environment, and prevents unauthorized access to the monitoring agent, such that the monitoring agent is operable to;
generate an assessment of a state of the computer system, andprovide the assessment of the state of the computer system.
1 Assignment
0 Petitions
Accused Products
Abstract
Systems and methods for providing computer system monitoring as a service of a computing resource service provider, monitoring capacity computer system of a customer of the computing resource service provider, and based on the request, launching a monitoring agent in a protected execution environment in which the monitoring agent is configured to generate an assessment of the computer system and provide the assessment of the computer system.
115 Citations
26 Claims
-
1. A computer-implemented method, comprising:
-
for a computer system implemented using compute capacity of hardware of a service of a service provider, receiving, from a customer of the service provider, a request to monitor the computer system of a customer of the service provider; and using the compute capacity to launch a monitoring agent in an enclave on the hardware of the service provider, the enclave being a protected execution environment in memory address space of the computer system that provides confidentiality and integrity for applications and data in the memory address space, wherein the protected execution environment provides functionality for remote attestation as to a state of the protected execution environment, has a root of trust protected from being accessed outside the protected execution environment, and prevents unauthorized access to the monitoring agent, such that the monitoring agent is operable to; generate an assessment of a state of the computer system, and provide the assessment of the state of the computer system. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, upon execution by one or more processors of a first computer system, cause the first computer system to at least:
-
receive a request whose fulfillment involves monitoring a second computer system hosted by a computing resource service provider for a customer of the computing resource service provider; launch a monitoring agent in an enclave on the first computer system of the computing resource service provider, the enclave being a protected execution environment in memory address space of the computer system that provides confidentiality and integrity for applications and data in the memory address space, wherein the protected execution environment provides functionality for remote attestation as to a state of the protected execution environment, has a root of trust protected from the customer, and prevents unauthorized access to the monitoring agent, such that the monitoring agent is configured to monitor the second computer system to produce an assessment of the second computer system; and based at least in part on the assessment, cause the computing resource service provider to perform one or more corresponding operations in connection with management of the second computer system. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. A system, comprising, a set of computing devices that:
-
provide compute capacity as a service using hardware of a computing resource service provider; execute instructions corresponding to a customer-specified software image; receive a request whose fulfillment involves monitoring a computer system having a corresponding allocation of the compute capacity provided by the computing resource service provider; use at least a portion of the compute capacity to instantiate an enclave on the hardware of the service provider, the enclave being a protected execution environment in memory address space of the computer system that provides confidentiality and integrity for applications and data in the memory address space; and launch a monitoring agent in the protected execution environment, wherein the protected execution environment provides functionality for remote attestation as to a state of the protected execution environment, has a root of trust protected from being accessed outside the protected execution environment, and prevents unauthorized access to the monitoring agent, such that the monitoring agent is operable to; generate an assessment of a state of the computer system, and provide the assessment of the state of the computer system. - View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
-
Specification