Posture assessment in a secure execution environment

US 10,061,915 B1
Filed: 09/03/2014
Issued: 08/28/2018
Est. Priority Date: 09/03/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

for a computer system implemented using compute capacity of hardware of a service of a service provider, receiving, from a customer of the service provider, a request to monitor the computer system of a customer of the service provider; and

using the compute capacity to launch a monitoring agent in an enclave on the hardware of the service provider, the enclave being a protected execution environment in memory address space of the computer system that provides confidentiality and integrity for applications and data in the memory address space, wherein the protected execution environment provides functionality for remote attestation as to a state of the protected execution environment, has a root of trust protected from being accessed outside the protected execution environment, and prevents unauthorized access to the monitoring agent, such that the monitoring agent is operable to;

generate an assessment of a state of the computer system, andprovide the assessment of the state of the computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for providing computer system monitoring as a service of a computing resource service provider, monitoring capacity computer system of a customer of the computing resource service provider, and based on the request, launching a monitoring agent in a protected execution environment in which the monitoring agent is configured to generate an assessment of the computer system and provide the assessment of the computer system.

115 Citations

26 Claims

1. A computer-implemented method, comprising:
- for a computer system implemented using compute capacity of hardware of a service of a service provider, receiving, from a customer of the service provider, a request to monitor the computer system of a customer of the service provider; and
  
  using the compute capacity to launch a monitoring agent in an enclave on the hardware of the service provider, the enclave being a protected execution environment in memory address space of the computer system that provides confidentiality and integrity for applications and data in the memory address space, wherein the protected execution environment provides functionality for remote attestation as to a state of the protected execution environment, has a root of trust protected from being accessed outside the protected execution environment, and prevents unauthorized access to the monitoring agent, such that the monitoring agent is operable to;
  
  generate an assessment of a state of the computer system, andprovide the assessment of the state of the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein the monitoring agent comprises executable instructions provided by the customer.
  - 3. The computer-implemented method of claim 1, wherein the monitoring agent comprises executable instructions provided by the service provider.
  - 4. The computer-implemented method of claim 1, further comprising determining, based at least in part on the assessment, whether to perform one or more operations, wherein the one or more operations comprise at least one of stopping the computer system, deprovisioning the computer system, denying or modifying network traffic sent to or from the computer system, modifying an allocation of resources of the computer system, and allowing or denying access to one or more devices.
  - 5. The computer-implemented method of claim 1, wherein the computer system is a physical machine that supports enclave functionality.
  - 6. The computer-implemented method of claim 1, further comprising updating an accounting system in accordance with the state of the monitored computer system.
  - 7. The computer-implemented method of claim 6, further comprising:
    - detecting, based at least in part on the assessment, an invalid state of compliance of the computer system; and
      
      updating the accounting system based at least in part on the invalid state.
  - 8. The computer-implemented method of claim 1, wherein the monitoring agent is a type of anti-virus software, anomaly detection software, software that verifies that other software has been authorized for installation on the computer system, or software that verifies that software installed on the computer system is up-to-date.

9. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, upon execution by one or more processors of a first computer system, cause the first computer system to at least:
- receive a request whose fulfillment involves monitoring a second computer system hosted by a computing resource service provider for a customer of the computing resource service provider;
  
  launch a monitoring agent in an enclave on the first computer system of the computing resource service provider, the enclave being a protected execution environment in memory address space of the computer system that provides confidentiality and integrity for applications and data in the memory address space, wherein the protected execution environment provides functionality for remote attestation as to a state of the protected execution environment, has a root of trust protected from the customer, and prevents unauthorized access to the monitoring agent, such that the monitoring agent is configured to monitor the second computer system to produce an assessment of the second computer system; and
  
  based at least in part on the assessment, cause the computing resource service provider to perform one or more corresponding operations in connection with management of the second computer system.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The one or more non-transitory computer-readable storage media of claim 9, wherein the monitoring agent is obtained from a marketplace of the computing resource service provider and monitoring rules for the monitoring agent are defined by a third-party different from the customer and from the computing resource service provider.
  - 11. The one or more non-transitory computer-readable storage media of claim 9, wherein:
    - the protected execution environment is an enclave; and
      
      the instructions further comprise instructions that, when executed by the one or more processors, cause the first computer system to instantiate the enclave.
  - 12. The one or more non-transitory computer-readable storage media of claim 9, wherein the monitoring agent is further configured to provide the assessment as a parameter of a hypercall to a hypervisor, wherein the assessment is digitally signed using a key stored within the protected execution environment.
  - 13. The one or more non-transitory computer-readable storage media of claim 9, wherein the one or more corresponding operations comprise at least one of updating an accounting system associated with the second computer system, stopping the second computer system, and denying the second computer system access to a network.
  - 14. The one or more non-transitory computer-readable storage media of claim 9, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the first computer system to provide the assessment to a third-party different from the customer and from the computing resource service provider.
  - 15. The one or more non-transitory computer-readable storage media of claim 9, wherein the monitoring agent is provided by a third-party different from the customer and from the computing resource service provider.
  - 16. The one or more non-transitory computer-readable storage media of claim 9, wherein the monitoring agent is further configured to transmit the assessment over a network to a computer system different than the second computer system.
  - 17. The one or more non-transitory computer-readable storage media of claim 9, wherein the request is a web services request for launching a monitoring agent and a parameter of the web services request indicates that the monitoring agent should produce an assessment of the second computer system.
  - 18. The one or more non-transitory computer-readable storage media of claim 9, wherein the assessment comprises a determination of compliance of the second computer system with one or more conditions set by the computing resource service provider.

19. A system, comprising, a set of computing devices that:
- provide compute capacity as a service using hardware of a computing resource service provider;
  
  execute instructions corresponding to a customer-specified software image;
  
  receive a request whose fulfillment involves monitoring a computer system having a corresponding allocation of the compute capacity provided by the computing resource service provider;
  
  use at least a portion of the compute capacity to instantiate an enclave on the hardware of the service provider, the enclave being a protected execution environment in memory address space of the computer system that provides confidentiality and integrity for applications and data in the memory address space; and
  
  launch a monitoring agent in the protected execution environment, wherein the protected execution environment provides functionality for remote attestation as to a state of the protected execution environment, has a root of trust protected from being accessed outside the protected execution environment, and prevents unauthorized access to the monitoring agent, such that the monitoring agent is operable to;
  
  generate an assessment of a state of the computer system, andprovide the assessment of the state of the computer system.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The system of claim 19, wherein the one or more services are further configured to:
    - determine, based at least in part on the assessment, whether to continue to allow the computer system to operate; and
      
      stop operation of application code executing for the computer system in response to a determination to disallow the computer system from operating.
  - 21. The system of claim 20, wherein the one or more services are further configured to determine, based at least in part on the assessment, whether to allow or deny access to one or more resources of the service provider based on a determination of whether the computer system is in a compliant state.
  - 22. The system of claim 19, wherein the one or more services are further configured to use additional compute capacity offered as a service of the service provider to instantiate a virtual machine instance under the control of a control plane.
  - 23. The system of claim 22, wherein the virtual machine instance is configured to:
    - request measurements from the monitoring agent; and
      
      determine, based at least in part on the measurements, whether to provide data to the computer system.
  - 24. The system of claim 19, wherein the one or more services are configured to allow or deny access to one or more resources of the computing resource service provider based on the assessment of the state of the computer system.
  - 25. The system of claim 24, wherein the one or more resources include a network and the assessment includes information sufficient to determine whether the computer system is in a compliant state, such that allowing or denying access to one or more resources conditions access to the network upon the computer system being in the compliant state.
  - 26. The system of claim 19, wherein the computer system is a virtual computer system to which a hypervisor allocates capacity of a hardware device and the monitoring agent utilizes the capacity of the hardware device allocated to the virtual computer system by the hypervisor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Dokey, Aaron Douglas, Brandwine, Eric Jason, Thomas, Nathan Bartholomew
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US14/476,593
Time in Patent Office

1,455 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

G06F 21/57   Certifying or maintaining t...

G06F 9/4401   Bootstrapping security arra...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/10   for controlling access to d...

H04L 63/12   Applying verification of th...

H04L 67/10   in which an application is ...

Posture assessment in a secure execution environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

115 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Posture assessment in a secure execution environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links