Title of invention: Securing results of privileged computing operations
Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to secure the results of privileged operations on systems such as the operating system (OS) kernel and/or the hypervisor. The interface allows a public key to be included into a request to perform a privileged operation on a hypervisor and/or kernel. The kernel and/or hypervisor use the key included in the request to encrypt the results of the privileged operation. In some embodiments, the request itself can also be encrypted, such that any intermediate parties are not able to read the parameters and other information of the request.
Publication number: US9503268(B2) Publication date: 2016.11.22
Application number: US201313746780 Filing date: 2013.01.22
Applicant: Amazon Technologies, Inc. Inventors: Brandwine Eric Jason; Wilson Matthew Shawn
Classification: G06F21/00; H04L9/32; G06F21/33; G06F21/44; G06F21/60; G06F21/62; G06F21/53; G06F9/455 Main classification: G06F21/00
Agency: Hogan Lovells US LLP Agent: Hogan Lovells US LLP
Main claim: 1. A computer implemented method for securing data in a virtualized computing environment, said method comprising: providing an interface to receive application programming interface (API) requests on a host computing device, the host computing device including at least one of: a hypervisor or a kernel; receiving, by the host computing device, a request to perform a privileged operation on the hypervisor or the kernel, the request being encrypted using a first key, the request including a second key as a parameter with the request, wherein the second key is used to at least encrypt information by the hypervisor or the kernel; wherein the hypervisor or the kernel is configured to decrypt the request and execute the privileged operation to produce a set of results on the host computing device, the set of results comprising hypervisor or kernel information including abnormal state information; encrypting, by the hypervisor or the kernel, the set of results by using the second key provided with the request, the set of results encrypted before the set of results are communicated out of the hypervisor or the kernel to an external location; and communicating the set of results encrypted with the second key to a location that is external with respect to the host computing device, wherein the set of results is decrypted using a private key.
Address: Reno NV US