Securing service layer on third party hardware

US 10,079,681 B1
Filed: 09/03/2014
Issued: 09/18/2018
Est. Priority Date: 09/03/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

adding one or more computer systems to a set of computer systems, the one or more computer systems controlled by one or more third parties to a computing resource service provider;

receiving a first application programming interface request from a customer of the computing resource service provider; and

fulfilling the first application programming interface request by at least;

selecting a target computer system from the set of computer systems, the target computer system selected based at least in part on the target computer system being operable to instantiate a secure execution environment, the target computer system selected from the one or more computer systems controlled by a third party of the one or more third parties;

sending a provisioning request to the target computer system, the provisioning request causing the target computer system to instantiate the secure execution environment on the target computer system by at least;

causing the target computer system to increase an available computer resource capacity based at least in part on the available computer resource capacity;

increasing the available computer resource capacity of the target computer system; and

causing the target computer system to instantiate an agent within the secure execution environment using a secure execution environment key; and

upon validating the secure execution environment using one or more first cryptographic measurements calculated by a processor of the target computer system, instantiating the application within the secure execution environment, the application providing one or more computer system resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for securely instantiating applications associated with computing resource service provider services on hardware that is controlled by third parties and/or customers of the computing resource service provider are described herein. A request to instantiate an application is received and fulfilled by selecting a computer system from computer systems that are controlled by a third party and/or a customer of the computing resource service provider. The computer system is selected based at least in part on the hardware capabilities of the computer system associated with instantiating a secure execution environment. The application is then instantiated within a secure execution environment operating on the computer system.

114 Citations

20 Claims

1. A computer-implemented method, comprising:
- adding one or more computer systems to a set of computer systems, the one or more computer systems controlled by one or more third parties to a computing resource service provider;
  
  receiving a first application programming interface request from a customer of the computing resource service provider; and
  
  fulfilling the first application programming interface request by at least;
  
  selecting a target computer system from the set of computer systems, the target computer system selected based at least in part on the target computer system being operable to instantiate a secure execution environment, the target computer system selected from the one or more computer systems controlled by a third party of the one or more third parties;
  
  sending a provisioning request to the target computer system, the provisioning request causing the target computer system to instantiate the secure execution environment on the target computer system by at least;
  
  causing the target computer system to increase an available computer resource capacity based at least in part on the available computer resource capacity;
  
  increasing the available computer resource capacity of the target computer system; and
  
  causing the target computer system to instantiate an agent within the secure execution environment using a secure execution environment key; and
  
  upon validating the secure execution environment using one or more first cryptographic measurements calculated by a processor of the target computer system, instantiating the application within the secure execution environment, the application providing one or more computer system resources.
- View Dependent Claims (2, 3, 20)
- - 2. The computer-implemented method of claim 1, wherein the application further comprises:
    - receiving a second application programming interface request from a client application, the second application programming interface request at least specifying access to the one or more computer system resources;
      
      forwarding the second application programming interface request to the computing resource service provider;
      
      receiving a first response from the computing resource service provider, the first response based at least in part on the second application programming interface request; and
      
      providing a second response to the client application, the second response based at least in part on the first response.
  - 3. The computer-implemented method of claim 1, wherein the application comprises a set of one or more executable instructions provided by the computing resource service provider to perform one or more operations associated with the one or more computer system resources.
  - 20. The computer-implemented method of claim 1, wherein increasing the available computer resource capacity further comprises:
    - adding one or more additional computer systems to the set of computer systems, the one or more additional computer systems controlled by the third party of the one or more third parties to the computing resource service provider, the one or more additional computer systems including resources to increase the available computer resource capacity; and
      
      providing, to the application within the secure execution environment, access to the one or more additional computer systems.

4. A system, comprising:
- at least one computing device including a hardware processor and instructions stored in memory that, as a result of being executed by the hardware processor, implements one or more services, wherein the one or more services;
  
  select a target computer system from a set of one or more computer systems operated by an entity distinct from a service provider, the target computer system selected based at least in part on the target computer system being operable to instantiate a secure execution environment;
  
  instantiate, within the secure execution environment, executable code associated with a computer system service, the computer system service provided by the service provider, the executable code, as a result of being executed, causes fulfillment of one or more service application programming interface requests associated with the computer system service;
  
  cause the target computer system to increase an amount of available computing resources accessible to the computer system service based at least in part on a set of available computing resources;
  
  increase the amount of available computing resources of the target computer system; and
  
  cause the target computer system to instantiate an agent within the secure execution environment using a secure execution environment key.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 19)
- - 5. The system of claim 4, wherein the executable code associated with the computer system service, when executed, causes fulfillment of one or more application programming interface requests, the one or more application programming interface requests received from a customer of the service provider.
  - 6. The system of claim 5, wherein the executable code associated with the computer system service, when executed, causes the one or more application programming interface requests received from the customer of the service provider to be sent to the service provider over a secure network connection, the secure network connection established by the service provider.
  - 7. The system of claim 4, wherein the secure execution environment is secured by executing one or more security operations on a processor of the target computer system, the processor including one or more hardware capabilities that provide the secure execution environment.
  - 8. The system of claim 4, wherein the executable code associated with the computer system service, when executed, causes fulfillment of one or more client application programming interface requests for utilizing the computer system service, the one or more client application programming interface requests received from one or more client applications.
  - 9. The system of claim 4, wherein the executable code associated with the computer system service comprises a virtual machine instance.
  - 10. The system of claim 4, wherein the executable code associated with the computer system service, when executed, causes storage of one or more data items received from the computer system service, using a data storage service operating within the secure execution environment.
  - 11. The system of claim 4, wherein the target computer system is further selected based at least in part on a proximity measurement between the target computer system and the computer system service.
  - 12. The system of claim 11, wherein the proximity measurement includes at least one of:
    - a network latency measurement, a network bandwidth measurement, or a physical distance measurement.
  - 19. The system of claim 4, wherein increasing the amount of available computing resources further comprises:
    - assigning one or more additional computer systems to the set of computer systems; and
      
      providing the secure execution environment with access to the one or more additional computer systems.

13. A non-transitory computer-readable storage medium having stored thereon a set of executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
- select a target computer system based at least in part on the target computer system being operable to instantiate a secure execution environment;
  
  instantiate, within the secure execution environment, a subset of the set of executable instructions, the subset of the set of executable instructions associated with a service of the computer system, the service provided by a computing resource service provider;
  
  increase an amount of computing resources accessible to the service of the target computer system based at least in part after causing the target computer system to increase the amount of computing resources based at least in part on an available computer resource capacity;
  
  cause the target computer system to instantiate an agent within the secure execution environment using a secure execution environment key; and
  
  execute one or more instructions of the subset of the set of executable instructions that, as a result of being executed within the secure execution environment, cause the target computer system to perform a set of operations that include at least a partial fulfillment of an application programming interface request associated with the service, the target computer system operated by a third party distinct from the computing resource service provider.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the set of executable instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to instantiate, within the secure execution environment, a set of encrypted data usable for the partial fulfillment of the application programming interface request, the set of encrypted data encrypted based at least in part on a key protected by the secure execution environment.
  - 15. The non-transitory computer-readable storage medium of claim 14, wherein the subset of the set of executable instructions further comprise instructions that, when executed within the secure execution environment, cause the target computer system to decrypt at least a subset of the set of encrypted data in response to the application programming interface request.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein the subset of the set of executable instructions further comprise instructions that, when executed within the secure execution environment, comprise a virtual machine instance.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein the one or more instructions of the subset of the set of executable instructions further include instructions that, as a result of executing within the secure execution environment, cause the target computer system to store one or more data items within the secure execution environment.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the one or more data items are encrypted based at least in part on a key protected by the secure execution environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Dokey, Aaron Douglas, Brandwine, Eric Jason, Thomas, Nathan Bartholomew
Primary Examiner(s)
Tran, Jimmy H

Application Number

US14/476,533
Time in Patent Office

1,476 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/629   to features or functions of...

H04L 47/70   Admission control; Resource...

H04L 63/061   for key exchange, e.g. in p...

H04L 67/10   in which an application is ...

H04L 9/32   including means for verifyi...

H04L 9/3263   involving certificates, e.g...

Securing service layer on third party hardware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

114 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Securing service layer on third party hardware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links