公开(公告)号：US20170139462A1

公开(公告)日：2017-05-18

申请号：US15420008

申请日：2017-01-30

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  James R. Hamilton

IPC: G06F1/32 ,  G06F1/26 ,  G06F9/50 ,  G06F1/28

CPC classification number: G06F1/329 ,  G06F1/20 ,  G06F1/26 ,  G06F1/3206 ,  G06F9/5088 ,  G06F9/5094 ,  G06F11/3062 ,  H05K7/1492 ,  H05K7/1498 ,  Y02D10/24

Abstract: Methods and apparatus for datacenter power management optimization are disclosed. Metrics, including workload data, thermal measurements and the like are collected from numerous endpoints within a datacenter. System profiles of a plurality of servers, and application workload profiles for various workloads, are stored. Based on analysis of collected metrics, power optimization operations comprising either workload scheduling operations, power configuration change operations, or both, are initiated.

公开(公告)号：US20160092677A1

公开(公告)日：2016-03-31

申请号：US14502891

申请日：2014-09-30

Applicant: Amazon Technologies, Inc.

Inventor： Rahul Gautam Patel ,  Nachiketh Rao Potlapally ,  William John Earl ,  Matthew Shawn Wilson

IPC: G06F21/55 ,  G06F9/50 ,  G06F9/455

CPC classification number: G06F21/55 ,  G06F9/45533 ,  G06F9/468 ,  G06F9/5077 ,  G06F21/53

Abstract: Techniques are described for allocating resources to a task from a shared hardware structure. A plurality of tasks may execute on a processor, wherein the processor may include one or more processing cores and each task may include a plurality of computer executable instructions. In accordance with one technique for allocating resources to a task from a shared hardware structure amongst multiple tasks, aspects of the disclosure describe assigning a first identifier to a first task from the plurality of tasks, associating a portion of the shared hardware resource with the first identifier, and restricting access and/or observability for computer executable instructions executed from any other task than the first task to the portion of the hardware resource associated with the first identifier.

Abstract translation: 描述了用于从共享硬件结构向任务分配资源的技术。 多个任务可以在处理器上执行，其中处理器可以包括一个或多个处理核，并且每个任务可以包括多个计算机可执行指令。 根据用于从多个任务之间的共享硬件结构向任务分配资源的一种技术，本公开的方面描述了从多个任务向第一任务分配第一标识符，将共享硬件资源的一部分与第一 标识符，并且将与从第一任务到任何其他任务执行的计算机可执行指令的访问和/或可观察性限制到与第一标识符相关联的硬件资源的部分。

公开(公告)号：US09300625B1

公开(公告)日：2016-03-29

申请号：US13733019

申请日：2013-01-02

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  Eric Jason Brandwine ,  Patrick Brigham Cullen

IPC: H04L29/12 ,  H04L29/06

CPC classification number: H04L63/12 ,  G06Q10/00 ,  H04L61/20 ,  H04L63/04 ,  H04L63/0876 ,  H04L63/164

Abstract: Data payloads that may not be accessible to customer computing devices may be utilized to verify network address ownership. In some examples, a first payload may be provided to a computing device having an address. Additionally, a second payload may be received from the computing device. Based at least in part on a relationship between the first payload and the second payload, an action associated with the address may be performed.

Abstract translation: 客户计算设备可能无法访问的数据有效载荷可用于验证网络地址所有权。 在一些示例中，可以向具有地址的计算设备提供第一有效载荷。 另外，可以从计算设备接收第二有效载荷。 至少部分地基于第一有效载荷和第二有效载荷之间的关系，可以执行与地址相关联的动作。

公开(公告)号：US20160070929A1

公开(公告)日：2016-03-10

申请号：US14868006

申请日：2015-09-28

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  Michael David Marr ,  Eric Jason Brandwine ,  Donald Lee Bailey, JR.

IPC: G06F21/64

CPC classification number: G06F21/55 ,  G06F21/57 ,  G06F21/602 ,  G06F21/64 ,  H04L9/0861 ,  H04L9/30

Abstract: A trusted computing host is described that provides various security computations and other functions in a distributed multitenant and/or virtualized computing environment. The trusted host computing device can communicate with one or more host computing devices that host virtual machines to provide a number of security-related functions, including but not limited to boot firmware measurement, cryptographic key management, remote attestation, as well as security and forensics management. The trusted computing host maintains an isolated partition for each host computing device in the environment and communicates with peripheral cards on host computing devices in order to provide one or more security functions.

Abstract translation: 描述了在分布式多租户和/或虚拟化计算环境中提供各种安全计算和其他功能的可信计算主机。 可信主机计算设备可以与主机虚拟机的一个或多个主机计算设备进行通信，以提供许多与安全相关的功能，包括但不限于启动固件测量，密码密钥管理，远程验证以及安全和取证 管理。 可信计算主机为环境中的每个主机计算设备维护隔离的分区，并与主机计算设备上的外围卡进行通信，以便提供一个或多个安全功能。

公开(公告)号：US09251384B1

公开(公告)日：2016-02-02

申请号：US13788306

申请日：2013-03-07

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  Michael David Marr

IPC: H04L29/00 ,  G06F21/85

CPC classification number: H04L63/10 ,  G06F21/82 ,  G06F21/85 ,  H04L63/08

Abstract: A trusted peripheral device can be utilized with an electronic resource, such as a host machine, in order to enable the secured performance of security and remote management in the electronic environment, where various users might be provisioned on, or otherwise have access to, the electronic resource. The peripheral can have a secure channel for communicating with a centralized management system or service, whereby the management service can remotely connect to this trusted peripheral, using a secure and authenticated network connection, in order to run the above-described functionality on the host to which the peripheral is attached.

Abstract translation: 可信赖的外围设备可以与电子资源（例如主机）一起使用，以便能够在电子环境中实现安全性和远程管理的安全性能，其中各种用户可以在其中被设置或以其他方式访问 电子资源 外围设备可以具有用于与集中式管理系统或服务通信的安全信道，由此管理服务可以使用安全且经过认证的网络连接来远程连接到该信任的外围设备，以便在主机上运行上述功能 外围设备连接。

公开(公告)号：US09049232B2

公开(公告)日：2015-06-02

申请号：US13781298

申请日：2013-02-28

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  Donald Lee Bailey, Jr. ,  Andrew Paul Mikulski ,  Robert Eric Fitzgerald

IPC: G06F17/00 ,  H04L29/06 ,  H04L9/08

CPC classification number: H04L63/164 ,  H04L9/0869 ,  H04L63/04 ,  H04L63/16

Abstract: Methods and apparatus for a configurable-quality random data service are disclosed. A method includes implementing programmatic interfaces enabling a determination of respective characteristics of random data to be delivered to one or more clients of a random data service of a provider network. The method includes implementing security protocols for transmission of random data to the clients, including a protocol for transmission of random data to trusted clients at devices within the provider network. The method further includes obtaining, on behalf of a particular client and in accordance with the determined characteristics, random data from one or more servers of the provider network, and initiating a transmission of the random data directed to a destination associated with the particular client.

Abstract translation: 公开了可配置质量随机数据服务的方法和装置。 一种方法包括实现程序化接口，使得能够将随机数据的相应特性确定为递送给提供者网络的随机数据服务的一个或多个客户端。 该方法包括实现用于向客户端发送随机数据的安全协议，包括用于在提供商网络内的设备处将随机数据传输到可信客户端的协议。 该方法还包括代表特定客户端并根据确定的特征获得来自提供商网络的一个或多个服务器的随机数据，以及发起指向与特定客户端相关联的目的地的随机数据的传输。

公开(公告)号：US20140208123A1

公开(公告)日：2014-07-24

申请号：US13746924

申请日：2013-01-22

Applicant: Amazon Technologies, Inc.

Inventor： Gregory Branchek Roth ,  Nachiketh Rao Potlapally

IPC: G06F21/72

CPC classification number: G06F21/72 ,  G06F21/53 ,  G06F21/57 ,  G06F21/575 ,  G06F21/602 ,  G06F21/64

Abstract: A privileged cryptographic service is described, such as a service running in system management mode (SMM). The privileged service is operable to store and manage cryptographic keys and/or other security resources in a multitenant remote program execution environment. The privileged service can receive requests to use the cryptographic keys and issue responses to these requests. In addition, the privileged service can measure the hypervisor at runtime (e.g., either periodically or in response to the requests) in an attempt to detect evidence of tampering with the hypervisor. Because the privileged service is operating in system management mode that is more privileged than the hypervisor, the privileged service can be robust against virtual machine escape and other hypervisor attacks.

Abstract translation: 描述了一种特权加密服务，例如在系统管理模式（SMM）中运行的服务。 特权服务可操作以在多租户远程程序执行环境中存储和管理加密密钥和/或其他安全资源。 特权服务可以接收使用加密密钥的请求并发出对这些请求的响应。 此外，特权服务可以在运行时（例如，周期性地或响应于请求）来测量管理程序，以试图检测篡改管理程序的证据。 由于特权服务在比管理程序更具特权的系统管理模式下运行，因此特权服务可以针对虚拟机逃脱和其他管理程序攻击而强大。

公开(公告)号：US10579405B1

公开(公告)日：2020-03-03

申请号：US13799134

申请日：2013-03-13

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  Michael David Marr

IPC: G06F9/455 ,  G06F21/60

Abstract: A processor on a host machine can concurrently operate a standard virtual machine manager (VMM) and a security VMM (SVMM), where the SVMM has a higher privilege level and manages access to a hardware TPM or other trusted source on the host machine. Such a configuration prevents a compromised VMM from gaining access to secrets stored in the hardware TPM. The SVMM can create a virtual TPM (vTPM) for each guest VM, and can seal information in each vTPM to the hardware TPM. A guest VM or the standard VMM can access information in the corresponding vTPM only through the corresponding SVMM. Such an approach enables the host to securely implement critical security functionality that can be exposed to customers, and provides protection against leakage of customer secrets in case of a security compromise.

公开(公告)号：US20190312851A1

公开(公告)日：2019-10-10

申请号：US16450801

申请日：2019-06-24

Applicant: Amazon Technologies, Inc.

Inventor： Matthew John Campagna ,  Derek Del Miller ,  Nachiketh Rao Potlapally ,  Gregory Branchek Roth

IPC: H04L29/06 ,  H04L12/46

Abstract: A device is provisioned and authorized for use on a network. The device may generate a cryptographic key and provide a digital certificate the cryptographic key, a hardware identifier, and attribute information and provide such information to an authorization host as part of the provisioning process. The authorization host may use attribute information to determine whether to authorize the device for use on the network, and whether the generated cryptographic key should be trusted for use on the network.

公开(公告)号：US10348759B2

公开(公告)日：2019-07-09

申请号：US15874771

申请日：2018-01-18

Applicant: Amazon Technologies, Inc.

Inventor： Hassan Sultan ,  John Schweitzer ,  Donald Lee Bailey, Jr. ,  Gregory Branchek Roth ,  Nachiketh Rao Potlapally

IPC: G08B23/00 ,  H04L29/06 ,  G06F21/53 ,  G06F21/55

Abstract: A graph of a plurality of resources in a computing environment is generated, with the graph associating a first resource of the plurality with a second resource of the plurality. Based at least in part on measurements obtained at a point in a test computing environment that corresponds to a point in the computing environment, a graph representing the relationship between the first resource and the second resource is generated. A threat model identifying potential risks to the computing environment is created from the graph.