Virtual secure execution environments
    201.
    Granted invention patent
    Virtual secure execution environments (status: in force)

    Publication number: US09442752B1

    Publication date: 2016-09-13

    Application number: US14476520

    Application date: 2014-09-03

    CPC classification number: G06F9/45558 G06F21/53 G06F2009/45587

    Abstract: A method and system for running an additional execution environment associated with a primary execution environment, receiving a request from the primary execution environment to create the additional execution environment, and, in response to the request, creating the additional execution environment such that entities other than the primary execution environment have insufficient privileges to access the additional execution environment.

    Threat detection and mitigation through run-time introspection and instrumentation
    202.
    Granted invention patent
    Threat detection and mitigation through run-time introspection and instrumentation (status: in force)

    Publication number: US09438618B1

    Publication date: 2016-09-06

    Application number: US14673642

    Application date: 2015-03-30

    Abstract: A system and method for threat detection and mitigation through run-time introspection. The system and method comprise receiving a request to monitor a computing environment. Based on the received request, the system and method further include determining a set of introspection points for monitoring the computing environment, measuring at individual introspection points of the set of introspection points to obtain a set of measurements, generating a graph of a set of resources in the computing environment, wherein the graph correlates individual resources in the set of resources to other resources based at least in part on the set of measurements, and determining whether to perform a security action based at least in part on whether an evaluation of the graph indicates a threat to the computing environment.

    Lock that mechanically detects tampering
    204.
    Granted invention patent
    Lock that mechanically detects tampering (status: in force)

    Publication number: US09394723B1

    Publication date: 2016-07-19

    Application number: US13747278

    Application date: 2013-01-22

    Abstract: Pin tumbler locks are provided that include features for detecting tampering. Tampering may be detected in a number of different ways. As an example, abnormal movement of one or more of the driver pins in a pin tumbler lock can be an indication of tampering. In addition, one or more sensors can be included at the end of a keyway that detect picking or bumping beyond the length of normal key insertion. A mechanical actuator can be used for detection.

    PROBABILISTIC KEY ROTATION
    205.
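    Invention patent application
    PROBABILISTIC KEY ROTATION (status: under examination, published)

    Publication number: US20160191237A1

    Publication date: 2016-06-30

    Application number: US15060487

    Application date: 2016-03-03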

    CPC classification number: H04L9/0891

    Abstract: Information, such as a cryptographic key, is used repeatedly in the performance of operations, such as certain cryptographic operations. To prevent repeated use of the information from enabling security breaches, the information is rotated (replaced with other information). To avoid the resource costs of maintaining a counter on the number of operations performed, decisions of when to rotate the information are performed based at least in part on the output of stochastic processes.

    Data security with a security module
    206.
    Granted invention patent
    Data security with a security module (status: in force)

    Publication number: US09367697B1

    Publication date: 2016-06-14

    Application number: US13765020

    Application date: 2013-02-12

    CPC classification number: G06F21/602 H04L9/0897 H04L63/1416 H04L2209/76

    Abstract: A security module securely manages keys. The security module is usable to implement a cryptography service that includes a request processing component. The request processing component responds to requests by causing the security module to perform cryptographic operations that the request processing component cannot perform due to a lack of access to appropriate keys. The security module may be a member of a group of security modules that securely manage keys. Techniques for passing secret information from one security module to the other prevent unauthorized access to secret information.

    REDUNDANT KEY MANAGEMENT
    207.
    Invention patent application
    REDUNDANT KEY MANAGEMENT (status: in force)

    Publication number: US20160154963A1

    Publication date: 2016-06-02

    Application number: US15004592

    Application date: 2016-01-22

    Abstract: A data storage service redundantly stores data and keys used to encrypt the data. Data objects are encrypted with first cryptographic keys. The first cryptographic keys are encrypted by second cryptographic keys. The first cryptographic keys and second cryptographic keys are redundantly stored in a data storage system to enable access of the data objects, such as to respond to requests to retrieve the data objects. The second cryptographic keys may be encrypted by third keys and redundantly stored in the event access to a second cryptographic key is lost.

    Virtual requests
    208.
    Granted invention patent
    Virtual requests (status: in force)

    Publication number: US09313191B1

    Publication date: 2016-04-12

    Application number: US14181078

    Application date: 2014-02-14

    CPC classification number: H04L63/08 H04L67/2823

    Abstract: A first request from a client using a first protocol is translated into one or more second requests by a servicer using a second protocol through a virtual request using the first protocol. A client may use parameters of the first protocol to pass virtual request components to the servicer. A format agreement between the client, servicer and/or authentication service may allow the servicer and/or authentication service to translate the virtual request components over the first protocol to one or more second requests using the second protocol. Virtual request components may also prove the authenticity of the virtual request received by the servicer to an authentication service. If the virtual request is valid, the authentication service may issue a credential to the servicer to send the one or more second requests to an independent service. Virtual requests may be included in various protocols, including credential-based protocols and certificate exchange-based protocols.

    Data security using request-supplied keys
    209.
    Granted invention patent
    Data security using request-supplied keys (status: in force)

    Publication number: US09311500B2

    Publication date: 2016-04-12

    Application number: US14037292

    Application date: 2013-09-25

    Abstract: Requests are submitted to a request processing entity where the requests include a cryptographic key to be used in fulfilling the request. The request processing entity, upon receipt of the request, extracts the key from the request and uses the key to perform one or more cryptographic operations to fulfill the request. The one or more cryptographic operations may include encryption/decryption of data that is to be/is stored, in encrypted form, by a subsystem of the request processing entity. Upon fulfillment of the request, the request processing entity may perform one or more operations to lose access to the key in the request, thereby losing the ability to use the key.

    Providing instance availability information
    210.
    Granted invention patent
    Providing instance availability information (status: in force)

    Publication number: US09306814B1

    Publication date: 2016-04-05

    Application number: US13732993

    Application date: 2013-01-02

    CPC classification number: H04L47/76 H04L41/085 H04L41/22 H04L43/0805

    Abstract: A distributed execution environment provides instances of computing resources for customer use, such as instances of data processing resources, data storage resources, database resources, and networking resources. Data is collected from systems internal to and external to the distributed execution environment. Some or all of the data is utilized to compute instance availability information for instances of computing resources provided by the distributed execution environment. The instance availability information might then be provided to customers and other users of the distributed execution environment. Various types of actions might be taken in a manual or automated way based upon the computed instance availability information.
