Patents by Inventor Brandon S. Baker

Brandon S. Baker has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11930045
    Abstract: Methods, systems, and computer programs are presented for enabling any sandboxed user-defined function code to securely access the Internet via a cloud data platform. A remote procedure call is received by a cloud data platform from a user-defined function (UDF) executing within a sandbox process. The UDF includes code related to at least one operation to be performed. The cloud data platform provides an overlay network to establish a secure egress path for UDF external access. The cloud data platform enables the UDF executing in the sandbox process to initiate a network call.
    Type: Grant
    Filed: April 28, 2023
    Date of Patent: March 12, 2024
    Assignee: Snowflake Inc.
    Inventors: Brandon S. Baker, Derek Denny-Brown, Michael A. Halcrow, Sven Tenzing Choden Konigsmark, Niranjan Kumar Sharma, Nitya Kumar Sharma, Haowei Yu, Andong Zhan
  • Patent number: 11918331
    Abstract: A movement detection device includes a signal transmission device configured to transmit a radar signal transmission toward a target area and to receive reflected radar signals, and a signal analysis device configured to analyze the reflected radar signals to detect a movement in the target area that is indicative of micro-shivering. In response to detecting the micro-shivering, the movement detection device generates an alarm.
    Type: Grant
    Filed: November 24, 2020
    Date of Patent: March 5, 2024
    Assignee: Hill-Rom Services, Inc.
    Inventors: Steven D. Baker, Jennifer Bergstrom, Heinz-Hermann Dalbert, Brandon P. Fisk, Yongji Fu, Michael S. Hood, Charles A. Lachenbruch, John A. Lane, Kenzi L. Mudge, Matthew O'Neal, Frank E. Sauser, Douglas A. Seim, Gregory J. Shannon
  • Patent number: 11822645
    Abstract: A method for tracing function execution includes instantiating, by at least one hardware processor of a computing node, a user code runtime configured with access to an operating system (OS) kernel of the computing node. The user code runtime is configured with a first set of filtering policies associated with a first set of allowed system calls. The OS kernel is configured with a second set of filtering policies associated with a second set of allowed system calls. A system call initiated by the user code runtime is detected to violate one or both of the first set of allowed system calls and the second set of allowed system calls. A trace of the system call is initiated based on the detecting.
    Type: Grant
    Filed: January 30, 2023
    Date of Patent: November 21, 2023
    Assignee: Snowflake Inc.
    Inventors: Brandon S. Baker, Derek Denny-Brown, Mark M. Manning, Andong Zhan
  • Publication number: 20230359727
    Abstract: A method for tracing function execution includes instantiating, by at least one hardware processor of a computing node, a user-defined function (UDF) server associated with a plurality of configurations. A plurality of child processes of the UDF server are instantiated using the plurality of configurations. A filtering process is configured at an operating system (OS) kernel of the computing node using a child process of the plurality of child processes. The filtering process includes a set of system call categories and a corresponding set of filtering policies. A system call received at the OS kernel and associated with a system call category of the set of system call categories is detected to violate a corresponding filtering policy of the set of filtering policies. A tracing event of the system call is initiated based on the detecting.
    Type: Application
    Filed: July 20, 2023
    Publication date: November 9, 2023
    Inventors: Brandon S. Baker, Dereck Denny-Brown, Mark M. Manning, Andong Zhan
  • Patent number: 11741251
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for instantiating and managing systems that utilize hierarchal enclaves in a cloud environment.
    Type: Grant
    Filed: March 21, 2022
    Date of Patent: August 29, 2023
    Assignee: Google LLC
    Inventors: Nelly Porter, David Benson Cross, Uday Ramesh Savagaonkar, Brandon S. Baker, Sergey Simakov
  • Publication number: 20230177145
    Abstract: A method for tracing function execution includes instantiating, by at least one hardware processor of a computing node, a user code runtime configured with access to an operating system (OS) kernel of the computing node. The user code runtime is configured with a first set of filtering policies associated with a first set of allowed system calls. The OS kernel is configured with a second set of filtering policies associated with a second set of allowed system calls. A system call initiated by the user code runtime is detected to violate one or both of the first set of allowed system calls and the second set of allowed system calls. A trace of the system call is initiated based on the detecting.
    Type: Application
    Filed: January 30, 2023
    Publication date: June 8, 2023
    Inventors: Brandon S. Baker, Derek Denny-Brown, Mark M. Manning, Andong Zhan
  • Patent number: 11640458
    Abstract: A system includes at least one hardware processor of a computing node and at least one memory storing instructions that cause the at least one hardware processor to perform operations. The operations include instantiating a user code runtime to execute within a sandbox process. The sandbox process configures access by the user code runtime to an operating system (OS) kernel of the computing node. The OS kernel is configured with one or more filtering policies. A determination is performed of whether a system call received by the OS kernel violates the one or more filtering policies. The system call is triggered by at least one operation of the user code runtime. A tracing event is instantiated to trace execution of the system call based on the determination.
    Type: Grant
    Filed: June 29, 2022
    Date of Patent: May 2, 2023
    Assignee: Snowflake Inc.
    Inventors: Brandon S. Baker, Derek Denny-Brown, Mark M. Manning, Andong Zhan
  • Publication number: 20220391492
    Abstract: A system includes at least one hardware processor of a computing node and at least one memory storing instructions that cause the at least one hardware processor to perform operations. The operations include instantiating a user code runtime to execute within a sandbox process. The sandbox process configures access by the user code runtime to an operating system (OS) kernel of the computing node. The OS kernel is configured with one or more filtering policies. A determination is performed of whether a system call received by the OS kernel violates the one or more filtering policies. The system call is triggered by at least one operation of the user code runtime. A tracing event is instantiated to trace execution of the system call based on the determination.
    Type: Application
    Filed: June 29, 2022
    Publication date: December 8, 2022
    Inventors: Brandon S. Baker, Derek Denny-Brown, Mark M. Manning, Andong Zhan
  • Patent number: 11409864
    Abstract: Provided herein are systems and methods for tracing and tracing supervision of UDFs in a database system. For example, a method includes receiving a user-defined function (UDF), the UDF including code related to at least one operation to be performed. A user code runtime is instantiated to execute the code of the UDF as a child process. The user code runtime includes a filtering process configured with a plurality of filtering policies. A system call of the at least one operation is detected based on a notification from an operating system (OS) manager, the notification identifying the system call. A determination is made on whether performing the system call is permitted based on the plurality of filtering policies. A report is generated based on the determining.
    Type: Grant
    Filed: July 30, 2021
    Date of Patent: August 9, 2022
    Assignee: Snowflake Inc.
    Inventors: Brandon S. Baker, Derek Denny-Brown, Mark M. Manning, Andong Zhan
  • Publication number: 20220215112
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for instantiating and managing systems that utilize hierarchal enclaves in a cloud environment.
    Type: Application
    Filed: March 21, 2022
    Publication date: July 7, 2022
    Applicant: Google LLC
    Inventors: Nelly Porter, David Benson Cross, Uday Ramesh Savagaonkar, Brandon S. Baker, Sergey Simakov
  • Patent number: 11314882
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for instantiating and managing systems that utilize hierarchal enclaves in a cloud environment.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: April 26, 2022
    Assignee: Google LLC
    Inventors: Nelly Porter, David Benson Cross, Uday Ramesh Savagaonkar, Brandon S. Baker, Sergey Simakov
  • Publication number: 20200372166
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for instantiating and managing systems that utilize hierarchal enclaves in a cloud environment.
    Type: Application
    Filed: August 11, 2020
    Publication date: November 26, 2020
    Inventors: Nelly Porter, David Benson Cross, Uday Ramesh Savagaonkar, Brandon S. Baker, Sergey Simakov
  • Patent number: 10776503
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for instantiating and managing systems that utilize hierarchal enclaves in a cloud environment.
    Type: Grant
    Filed: November 14, 2017
    Date of Patent: September 15, 2020
    Assignee: Google LLC
    Inventors: Nelly Porter, David Benson Cross, Uday Ramesh Savagsonkar, Brandon S. Baker, Sergey Simakov
  • Patent number: 10521265
    Abstract: Techniques are disclosed for coalescing timer ticks generated by timers used to service guest operating systems executing in virtual machines. By coalescing timer ticks a logical processor can enter a low power mode thereby reducing power consumed by the system.
    Type: Grant
    Filed: September 19, 2008
    Date of Patent: December 31, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Haiyong Wang, Brandon S. Baker, Shuvabrata Ganguly, Thomas D. I. Fahrig
  • Patent number: 10509664
    Abstract: The present disclosure relates to a distributed disk image deployment during virtual machine instance creation, and to deploying virtual machine instances based on disk image locality. One example method includes receiving, at a first computing node, a request to create a virtual machine instance, the request identifying a disk image to be associated with the virtual machine instance; determining a set of computing nodes from which to transfer the disk image on a locality of the first computing node to each computing node in the set of computing nodes, generating a set of requests for a plurality of portions of the disk image, sending at least one request from the set of requests to each computing node in the set of computing nodes; and receiving, from at least one of the set of computing nodes, one or more portions of the disk image.
    Type: Grant
    Filed: December 8, 2016
    Date of Patent: December 17, 2019
    Assignee: Google LLC
    Inventors: Michael A. Halcrow, Brandon S. Baker, Nicholas V. Finco, Matthew Riley
  • Patent number: 10361868
    Abstract: A method includes receiving a break-glass ticket scope identifying one or more secure containers of a secure container system. The secure containers are instantiated in a non-debuggable state and execute corresponding secure execution environments for contents of the corresponding secure containers. The method also includes generating a pending break-glass ticket having the break-glass ticket scope and transmitting the pending break-glass ticket to a break-glass approver for approval. In response to receiving an approved break-glass ticket from the break-glass approver, the method includes altering an access setting of the one or more secure containers defined in the break-glass ticket scope. The altered access setting allows debugging of the respective contents of the one or more secure containers executing the corresponding secure execution environments.
    Type: Grant
    Filed: May 23, 2016
    Date of Patent: July 23, 2019
    Assignee: Google LLC
    Inventors: Brandon S. Baker, Uday Savagaonkar
  • Publication number: 20180137299
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for instantiating and managing systems that utilize hierarchal enclaves in a cloud environment.
    Type: Application
    Filed: November 14, 2017
    Publication date: May 17, 2018
    Inventors: Nelly Porter, David Benson Cross, Uday Ramesh Savagsonkar, Brandon S. Baker, Sergey Simakov
  • Patent number: 9864627
    Abstract: Principles for enabling power management techniques for virtual machines. In a virtual machine environment, a physical computer system may maintain management facilities to direct and control one or more virtual machines executing thereon. In some techniques described herein, the management facilities may be adapted to place a virtual processor in an idle state in response to commands from a guest operating system. One or more signaling mechanisms may be supported such that the guest operating system will command the management facilities to place virtual processors in the idle state.
    Type: Grant
    Filed: June 23, 2016
    Date of Patent: January 9, 2018
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Haiyong Wang, Brandon S. Baker, Shuvabrata Ganguly, Nicholas Stephen Judge
  • Patent number: 9537745
    Abstract: The present disclosure relates to a distributed disk image deployment during virtual machine instance creation, and to deploying virtual machine instances based on disk image locality. One example method includes receiving a request to create a virtual machine instance identifying a disk image; determining one or more storage devices storing the disk image; determining a distance measurement between each of a plurality of computing nodes and the one or more storage devices storing the disk image; selecting a computing node on which to create the virtual machine instance based on a locality of the computing node to a storage device from the one or more storage devices storing the disk image, the locality including the distance measurement between the computing node and the storage device; and creating the virtual machine instance on the computing node using the disk image from the storage device.
    Type: Grant
    Filed: March 7, 2014
    Date of Patent: January 3, 2017
    Assignee: Google Inc.
    Inventors: Michael A. Halcrow, Brandon S. Baker, Nicholas V. Finco, Matthew Riley
  • Patent number: 9495190
    Abstract: In the host operating system of a computing device, entropy data is collected based at least in part on each of one or more hardware components of the computing device. An entropy pool is updated based at least in part on the collected entropy data, and data from the entropy pool is provided to a guest operating system running as a virtual machine of the computing device. The guest operating system maintains a guest operating system entropy pool based on the data from the entropy pool provided by the host operating system. The guest operating system accesses the guest operating system entropy pool and uses the guest operating system entropy pool as a basis for generating values including random numbers.
    Type: Grant
    Filed: August 24, 2009
    Date of Patent: November 15, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Carl M. Ellison, Scott A. Field, Brandon S. Baker