公开(公告)号：US09667414B1

公开(公告)日：2017-05-30

申请号：US14673729

申请日：2015-03-30

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  David R. Richardson ,  Matthew Shawn Wilson ,  Ian Paul Nowland ,  Anthony Nicholas Liguori ,  Brian William Barrett

IPC: H04L9/32 ,  H04L9/08

CPC classification number: H04L9/0819 ,  H04L9/0861 ,  H04L9/32 ,  H04L9/3247

Abstract: Generally described, physical computing devices in a virtual network can be configured to host a number of virtual machine instances. The physical computing devices can be operably coupled with offload devices. In accordance with an aspect of the present disclosure, a security component can be incorporated into an offload device. The security component can be a physical device including a microprocessor and storage. The security component can include a set of instructions configured to validate an operational configuration of the offload device or the physical computing device to establish that they are configured in accordance with a secure or trusted configuration. In one example, a first security component on the offload device can validate the operational computing environment on the offload device and a second security component on the physical computing device can validate the operational computing environment on the physical computing device.

公开(公告)号：US20160313986A1

公开(公告)日：2016-10-27

申请号：US15075508

申请日：2016-03-21

Applicant: Amazon Technologies, Inc.

Inventor： Anthony Nicholas Liguori ,  Matthew Shawn Wilson ,  Ian Paul Nowland

IPC: G06F9/445 ,  G06F9/455

CPC classification number: G06F9/45558 ,  G06F8/65 ,  G06F8/656 ,  G06F8/658 ,  G06F2009/4557 ,  G06F2009/45575 ,  G06F2009/45583

Abstract: Generally described, aspects of the present disclosure relate to a live update process of the virtual machine monitor during the operation of the virtual machine instances. An update to a virtual machine monitor can be a difficult process to execute because of the operation of the virtual machine instances. Generally, in order to update the virtual machine monitor, the physical computing device needs to be rebooted, which interrupts operation of the virtual machine instances. The live update process provides for a method of updating the virtual machine monitor without rebooting the physical computing device.

Abstract translation: 通常描述，本公开的方面涉及在虚拟机实例的操作期间虚拟机监视器的实时更新过程。 由于虚拟机实例的操作，对虚拟机监视器的更新可能是难以执行的过程。 通常，为了更新虚拟机监视器，需要重新启动物理计算设备，这会中断虚拟机实例的操作。 实时更新过程提供了一种在不重新启动物理计算设备的情况下更新虚拟机监视器的方法。

公开(公告)号：US20160291992A1

公开(公告)日：2016-10-06

申请号：US15178016

申请日：2016-06-09

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  Eric Jason Brandwine ,  Matthew Shawn Wilson

IPC: G06F9/455 ,  G06F21/57 ,  G06F12/14 ,  G06F9/50

CPC classification number: G06F9/455 ,  G06F9/45558 ,  G06F9/5077 ,  G06F12/14 ,  G06F12/145 ,  G06F21/53 ,  G06F21/57 ,  G06F2009/45562 ,  G06F2009/45587 ,  G06F2212/1052 ,  H04L9/0643 ,  H04L9/08 ,  H04L9/32 ,  H04L9/321 ,  H04L63/04

Abstract: Approaches to enable the configuration of computing resources for executing virtual machines on behalf of users to be cryptographically attested to or verified. When a user requests a virtual machine to be provisioned, an operator of the virtualized computing environment can initiate a two phase launch of the virtual machine. In the first phase, the operator provisions the virtual machine on a host computing device and obtains cryptographic measurements of the software and/or hardware resources on the host computing device. The operator may then provide those cryptographic measurements to the user that requested the virtual machine. If the user approves the cryptographic measurements, the operator may proceed with the second phase and actually launch the virtual machine on the host. In some cases, operator may compare the cryptographic measurements to a list of approved measurements to determine whether the host computing device is acceptable for hosting the virtual machine.

公开(公告)号：US20160170784A1

公开(公告)日：2016-06-16

申请号：US14567157

申请日：2014-12-11

Applicant: Amazon Technologies, Inc.

Inventor： Anthony Nicholas Liguori ,  Matthew Shawn Wilson ,  Ian Paul Nowland

IPC: G06F9/455 ,  G06F9/50

CPC classification number: G06F9/45558 ,  G06F9/5027 ,  G06F13/24 ,  G06F13/4282 ,  G06F2009/45579

Abstract: Generally described, the present application relates to systems and methods for the managing virtual machines instances using a physical computing device and an offload device. The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device. The offload device can be connected to the physical computing device via a bus interface. The bus interface can be a high speed, high throughput, low latency interface such as a Peripheral Component Interconnect Express (PCIe) interface. The offload device can be used to offload virtualization and processing of virtual components from the physical computing device, thereby increasing the computing resources available to the virtual machine instances.

Abstract translation: 通常描述，本申请涉及使用物理计算设备和卸载设备管理虚拟机实例的系统和方法。 卸载设备可以是单独的计算设备，其包括与物理计算设备的计算资源分离的计算资源（例如，处理器和存储器）。 卸载设备可以通过总线接口连接到物理计算设备。 总线接口可以是高速，高吞吐量，低延迟的接口，例如外围组件互连Express（PCIe）接口。 卸载设备可用于从物理计算设备卸载虚拟化和处理虚拟组件，从而增加虚拟机实例可用的计算资源。

公开(公告)号：US09185008B1

公开(公告)日：2015-11-10

申请号：US13829756

申请日：2013-03-14

Applicant: Amazon Technologies, Inc.

Inventor： Thomas Charles Stickle ,  Peter Klewinghaus ,  Matthew Shawn Wilson

IPC: H04L12/26 ,  H04L12/14 ,  H04L12/18 ,  G06Q30/00

CPC classification number: H04L43/0817 ,  G06F9/452 ,  G06F9/45558 ,  G06F11/30 ,  G06F11/3003 ,  G06F11/302 ,  G06F11/3082 ,  G06F11/3086 ,  G06F11/3093 ,  G06F11/3409 ,  G06F2009/45591 ,  G06F2201/815 ,  G06F2201/865 ,  G06Q10/06 ,  G06Q30/016 ,  H04L12/1471 ,  H04L12/18 ,  H04L12/1822 ,  H04L41/046 ,  H04L41/5096 ,  H04L43/04 ,  H04L43/06 ,  H04L43/065

Abstract: In a system that provides network-based computer infrastructure services, a monitoring agent is installed on a computer to gather and report operational metrics from various sources, which may include infrastructure support services as well as elements of the computer itself. Metrics to be gathered and reported by the monitoring agent, as well as the format in which metrics are to be reported, are specified declaratively so that they can be changed without altering the procedural aspects of the monitoring agent.

Abstract translation: 在提供基于网络的计算机基础设施服务的系统中，监视代理被安装在计算机上以收集和报告来自各种来源的操作指标，其可以包括基础架构支持服务以及计算机本身的元件。 由监视代理收集和报告的指标以及要报告度量的格式以声明方式进行指定，以便可以在不改变监视代理程序方面的情况下进行更改。

公开(公告)号：US20140208097A1

公开(公告)日：2014-07-24

申请号：US13746780

申请日：2013-01-22

Applicant: Amazon Technologies, Inc.

Inventor： Eric Jason Brandwine ,  Matthew Shawn Wilson

IPC: H04L9/08

CPC classification number: H04L9/3263 ,  G06F9/45558 ,  G06F21/33 ,  G06F21/44 ,  G06F21/53 ,  G06F21/606 ,  G06F21/629 ,  G06F2221/2107

Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to secure the results of privileged operations on systems such as the operating system (OS) kernel and/or the hypervisor. The interface allows a public key to be included into a request to perform a privileged operation on a hypervisor and/or kernel. The kernel and/or hypervisor use the key included in the request to encrypt the results of the privileged operation. In some embodiments, the request itself can also be encrypted, such that any intermediate parties are not able to read the parameters and other information of the request.

Abstract translation: 描述了一组形式化的接口（例如，应用程序编程接口（API）），其使用诸如不对称（或对称）密码学的安全方案，以便保护诸如操作系统的系统上的特权操作的结果 OS）内核和/或管理程序。 该接口允许将公钥包括在对管理程序和/或内核执行特权操作的请求中。 内核和/或管理程序使用请求中包含的密钥加密特权操作的结果。 在一些实施例中，请求本身也可被加密，使得任何中间方不能读取请求的参数和其他信息。