公开(公告)号：US10241804B2

公开(公告)日：2019-03-26

申请号：US15483227

申请日：2017-04-10

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  Rachit Chawla ,  Jeremy Ryan Volkman ,  Michael David Marr

IPC: G06F11/14 ,  G06F9/4401 ,  G06F21/57

Abstract: Approaches are described for enabling a host computing device to store credentials and other security information useful for recovering the state of the host computing device in a secure store, such as a trusted platform module (TPM) on the host computing device. When recovering the host computing device in the event of a failure (e.g., power outage, network failure, etc.), the host computing device can obtain the necessary credentials from the secure store and use those credentials to boot various services, restore the state of the host and perform various other functions. In addition, the secure store (e.g., TPM) may provide boot firmware measurement and remote attestation of the host computing devices to other devices on a network, such as when the recovering host needs to communicate with the other devices on the network.

公开(公告)号：US10003467B1

公开(公告)日：2018-06-19

申请号：US14673570

申请日：2015-03-30

Applicant: Amazon Technologies, Inc.

Inventor： Derek Del Miller ,  Nachiketh Rao Potlapally ,  Rahul Gautam Patel

IPC: H04L29/06 ,  H04L9/32 ,  G06F21/57 ,  H04L9/30

CPC classification number: H04L9/3268 ,  G06F21/57 ,  G06F21/575 ,  H04L9/0877 ,  H04L9/0891

Abstract: A computing device includes a processor and a persistent memory for storing information about a first public key associated with a first asymmetric key pair for authenticating the source of a digital certificate. The computing device also includes a second memory for storing one or more current certificate version indicators, each associated with a corresponding digital certificate, and the version indicator is used by the processor to determine the trust of the corresponding digital certificate.

公开(公告)号：US20180159891A1

公开(公告)日：2018-06-07

申请号：US15874771

申请日：2018-01-18

Applicant: Amazon Technologies, Inc.

Inventor： Hassan Sultan ,  John Schweitzer ,  Donald Lee Bailey, JR. ,  Gregory Branchek Roth ,  Nachiketh Rao Potlapally

IPC: H04L29/06 ,  G06F21/53 ,  G06F21/55

CPC classification number: H04L63/1433 ,  G06F21/53 ,  G06F21/554 ,  H04L63/1441 ,  H04L63/20

Abstract: A graph of a plurality of resources in a computing environment is generated, with the graph associating a first resource of the plurality with a second resource of the plurality. Based at least in part on measurements obtained at a point in a test computing environment that corresponds to a point in the computing environment, a graph representing the relationship between the first resource and the second resource is generated. A threat model identifying potential risks to the computing environment is created from the graph.

公开(公告)号：US09904587B1

公开(公告)日：2018-02-27

申请号：US14975295

申请日：2015-12-18

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  Donald Lee Bailey, Jr. ,  Richard Weatherly

IPC: G06F11/00 ,  G06F11/07 ,  G06F11/30 ,  G06F11/34

CPC classification number: G06F11/079 ,  G06F11/0709 ,  G06F11/0751 ,  G06F11/0757 ,  G06F11/0772 ,  G06F11/0793 ,  G06F11/3006 ,  G06F11/3419

Abstract: Anomalous behavior in a multi-tenant computing environment may be identified by analyzing hardware sensor value data associated with hardware events on a host machine. A privileged virtual machine instance executing on a host machine acquires hardware sensor values and causes the values to be compared to other hardware sensor value data that may be indicative of anomalous behavior; for example, various threshold values, patterns, and/or signatures of hardware counter values generated by analyzing and correlating hardware event counter data. In this manner, potential anomalous behavior on an instance may be determined without having to access customer data or workloads associated with the instance.

公开(公告)号：US09880866B2

公开(公告)日：2018-01-30

申请号：US15178016

申请日：2016-06-09

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  Eric Jason Brandwine ,  Matthew Shawn Wilson

IPC: G06F9/455 ,  G06F9/50 ,  G06F12/14 ,  H04L9/08 ,  H04L9/32 ,  H04L29/06 ,  G06F21/57 ,  H04L9/06

CPC classification number: G06F9/455 ,  G06F9/45558 ,  G06F9/5077 ,  G06F12/14 ,  G06F12/145 ,  G06F21/53 ,  G06F21/57 ,  G06F2009/45562 ,  G06F2009/45587 ,  G06F2212/1052 ,  H04L9/0643 ,  H04L9/08 ,  H04L9/32 ,  H04L9/321 ,  H04L63/04

Abstract: Approaches to enable the configuration of computing resources for executing virtual machines on behalf of users to be cryptographically attested to or verified. When a user requests a virtual machine to be provisioned, an operator of the virtualized computing environment can initiate a two phase launch of the virtual machine. In the first phase, the operator provisions the virtual machine on a host computing device and obtains cryptographic measurements of the software and/or hardware resources on the host computing device. The operator may then provide those cryptographic measurements to the user that requested the virtual machine. If the user approves the cryptographic measurements, the operator may proceed with the second phase and actually launch the virtual machine on the host. In some cases, operator may compare the cryptographic measurements to a list of approved measurements to determine whether the host computing device is acceptable for hosting the virtual machine.

公开(公告)号：US09836354B1

公开(公告)日：2017-12-05

申请号：US14263701

申请日：2014-04-28

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  John Merrill Phillips ,  Nicholas Patrick Wilt ,  Deepak Singh ,  Scott Michael Le Grand

IPC: G06F11/00 ,  G06F11/14

CPC classification number: G06F11/1438

Abstract: A service provider system may implement ECC-like features when executing computations on GPUs that do not include sufficient error detection and recovery for computations that are sensitive to bit errors. During execution of critical computations on behalf of customers, the system may automatically instrument program instructions received from the customers to cause each computation to be executed using multiple sets of hardware resources (e.g., different host machines, processor cores, or internal hardware resources). The service may provide APIs with which customers may instrument their code for execution using redundant resource instances, or specify parameters for applying the ECC-like features. The service or customer may instrument code to perform (or cause the system to perform) checkpointing operations at particular points in the code, and to compare intermediate results produced by different hardware resources. If the intermediate results do not match, the computation may be restarted from a checkpointed state.

公开(公告)号：US09819727B2

公开(公告)日：2017-11-14

申请号：US13781289

申请日：2013-02-28

Applicant: Amazon Technologies, Inc.

Inventor： Nachiketh Rao Potlapally ,  Andrew Paul Mikulski ,  Donald Lee Bailey, Jr. ,  Robert Eric Fitzgerald

IPC: G06F15/16 ,  H04L29/08 ,  H04L9/08 ,  H04L29/06 ,  H04L9/06

CPC classification number: H04L67/10 ,  H04L9/0662 ,  H04L9/0869 ,  H04L63/20 ,  H04L67/1023

Abstract: Methods and apparatus for a computing infrastructure for configurable-quality random data are disclosed. A storage medium stores program instructions that when executed on a processor designate some servers of a provider network as members of a pool of producers of random data usable by random data consumers. The instructions, when executed, determine a subset of the pool to be used to supply a collection of random data intended for a random data consumer, and one or more sources of random phenomena to be used to generate the collection of random data. The instructions, when executed, initiate a transmission of the collection of random data directed to the random data consumer.

公开(公告)号：US09703951B2

公开(公告)日：2017-07-11

申请号：US14502891

申请日：2014-09-30

Applicant: Amazon Technologies, Inc.

Inventor： Rahul Gautam Patel ,  Nachiketh Rao Potlapally ,  William John Earl ,  Matthew Shawn Wilson

IPC: G06F21/44 ,  G06F21/55 ,  G06F9/455 ,  G06F9/50 ,  G06F9/46 ,  G06F21/53

CPC classification number: G06F21/55 ,  G06F9/45533 ,  G06F9/468 ,  G06F9/5077 ,  G06F21/53

Abstract: Techniques are described for allocating resources to a task from a shared hardware structure. A plurality of tasks may execute on a processor, wherein the processor may include one or more processing cores and each task may include a plurality of computer executable instructions. In accordance with one technique for allocating resources to a task from a shared hardware structure amongst multiple tasks, aspects of the disclosure describe assigning a first identifier to a first task from the plurality of tasks, associating a portion of the shared hardware resource with the first identifier, and restricting access and/or observability for computer executable instructions executed from any other task than the first task to the portion of the hardware resource associated with the first identifier.

公开(公告)号：US09684630B1

公开(公告)日：2017-06-20

申请号：US13706024

申请日：2012-12-05

Applicant: Amazon Technologies, Inc.

Inventor： Michael David Marr ,  Nachiketh Rao Potlapally ,  Matthew David Klein

IPC: G06F13/00 ,  G06F15/177 ,  G06F9/455 ,  H04L29/06

CPC classification number: G06F15/177 ,  G06F9/45533 ,  G06F21/57 ,  G06F21/572 ,  H04L63/08

Abstract: Disclosed are various embodiments of a first computing device for obtaining an authentication credential for a cryptographic module of a second computing device. The authentication credential is obtained via a communication session with a module interface of the second computing device. Configuration data is determined for the cryptographic module based at least in part upon the authentication credential. The configuration data is transmitted to the second computing device via the communication session.

公开(公告)号：US09674162B1

公开(公告)日：2017-06-06

申请号：US14658137

申请日：2015-03-13

Applicant: Amazon Technologies, Inc.

Inventor： Derek Del Miller ,  Nachiketh Rao Potlapally

IPC: H04L29/00 ,  H04L29/06 ,  G06F12/14

CPC classification number: H04L63/0435 ,  G06F12/1408 ,  G06F2212/1052 ,  H04L63/0442 ,  H04L63/06 ,  H04L2463/061 ,  H04L2463/062

Abstract: A computing device has a processor and a first memory, e.g., a fuse-based memory, storing a first cryptographic key. The processor is configured to receive information related to a second cryptographic key from a cryptographic key provisioning system. The processor derives the second cryptographic key from the information related to a second cryptographic key. The first cryptographic key has fewer bits than the second cryptographic key. The processor is also configured to encrypt the second cryptographic key using the first cryptographic key, and store the encrypted second cryptographic key in a second memory, e.g., a flash memory.