Title of invention: SECURITY PROTOCOLS FOR LOW LATENCY EXECUTION OF PROGRAM CODE
Abstract: A system for providing security mechanisms for secure execution of program code is described. The system may be configured to maintain a plurality of virtual machine instances. The system may be further configured to receive a request to execute a program code and allocate computing resources for executing the program code on one of the virtual machine instances. One mechanism involves executing program code according to a user-specified security policy. Another mechanism involves executing program code that may be configured to communicate or interface with an auxiliary service. Another mechanism involves splitting and executing program code in a plurality of portions, where some portions of the program code are executed in association with a first level of trust and some portions of the program code are executed with different levels of trust.
Publication number: US2016224785(A1) Publication date: 2016.08.04
Application number: US201514613723 Filing date: 2015.02.04
Applicant: Amazon Technologies, Inc. Inventors: Wagner Timothy Allen; Thomas Dylan Chandler; Nair Ajay
Classification: G06F21/53; G06F9/455 Main classification: G06F21/53
Agency: Agent:
Main claim: 1. A system for providing low-latency computational capacity from a virtual compute fleet, the system comprising: an electronic data store configured to store at least a program code of a user; and a virtual compute system comprising one or more hardware computing devices executing specific computer-executable instructions, said virtual compute system in communication with the electronic data store, and configured to at least: maintain a plurality of virtual machine instances on one or more physical computing devices, wherein the plurality of virtual machine instances comprise a warming pool comprising virtual machine instances having one or more software components loaded thereon and waiting to be assigned to a user, and an active pool comprising virtual machine instances currently assigned to one or more users; receive a request to execute a program code associated with a particular user on the virtual compute system, the request including information indicating the program code and the particular user associated with the program code, wherein the program code is associated with configuration data indicating at least a first portion of the program code to be executed using a trusted credential and a second portion of the program code to be executed without using the trusted credential; select from the warming pool or the active pool a virtual machine instance to be used to execute the program code; create a first container in the selected virtual machine instance, wherein the first container is configured to execute the first portion of the program code using the trusted credential; create a second container in the selected virtual machine instance, wherein the second container is configured to execute the second portion of the program code without using the trusted credential, and wherein the second container is configured to communicate with the first container; cause the first portion of the program code associated with the particular user to be loaded from the electronic data store onto the first container and executed in the first container; and cause the second portion of the program code associated with the particular user to be loaded from the electronic data store onto the second container.
Address: Seattle WA US