| 发明名称 | Hypervisor enforcement of cryptographic policy | ||
| 摘要 | Techniques for restricting the execution of algorithms contained in applications executing on virtual machines executing within a computer system are described herein. A first sampled set of computer executable instructions is gathered from a virtual machine by a controlling domain and compared against a reference set of computer executable instructions. If the first set is similar to the reference set, and if the execution of the algorithm corresponding to the reference set is restricted by one or more computer system polices, one or more operations limiting the execution of the restricted algorithm are performed, thus ensuring conformance with the computer system policies. | ||
| 申请公布号 | US9135437(B1) | 申请公布日期 | 2015.09.15 |
| 申请号 | US201414223868 | 申请日期 | 2014.03.24 |
| 申请人 | Amazon Technologies, Inc. | 发明人 | Allen Nicholas Alexander |
| 分类号 | G06F17/00;G06F21/53 | 主分类号 | G06F17/00 |
| 代理机构 | Davis Wright Tremaine LLP | 代理人 | Davis Wright Tremaine LLP |
| 主权项 | 1. A computer-implemented method for enforcing policy on a virtual machine, comprising: under the control of one or more computer systems configured with executable instructions, collecting a plurality of execution traces, each execution trace comprising one or more items of information corresponding to execution of a computer executable instruction executed on the virtual machine;constructing a representation of one or more of the plurality of execution traces that is usable to reconstruct a sequential order of execution of the one or more of the plurality of execution traces;grouping one or more of the plurality of execution traces into a set of groups of execution traces based at least in part on identifying one or more loop structures, based at least in part on the representation;selecting a subset of the set of groups of execution traces based at least in part on one or more data elements shared in common between one or more members of the subset of the set of groups;computing one or more likelihood scores based at least in part on comparing a first set of execution traces comprising the execution traces contained in one or more of the groups of execution traces in the subset of the set of groups against a second set of execution traces comprised of one or more execution traces in a reference algorithm, the one or more likelihood scores based at least in part on one or more similarity measurements between the first set of execution traces and the second set of execution traces;evaluating whether the execution of one or more of the plurality of execution traces is disallowed based at least in part on a subset of the one or more likelihood scores and based at least in part on one or more policies, and wherein the one or more policies are based at least in part on one or more likelihood score conditions; andas a result of determining that the execution of the one or more of the plurality of execution traces is disallowed, performing one or more actions to restrict the virtual machine. | ||
| 地址 | Seattle WA US | ||