Patents by Inventor Derek Denny-Brown
Derek Denny-Brown has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11930045Abstract: Methods, systems, and computer programs are presented for enabling any sandboxed user-defined function code to securely access the Internet via a cloud data platform. A remote procedure call is received by a cloud data platform from a user-defined function (UDF) executing within a sandbox process. The UDF includes code related to at least one operation to be performed. The cloud data platform provides an overlay network to establish a secure egress path for UDF external access. The cloud data platform enables the UDF executing in the sandbox process to initiate a network call.Type: GrantFiled: April 28, 2023Date of Patent: March 12, 2024Assignee: Snowflake Inc.Inventors: Brandon S. Baker, Derek Denny-Brown, Michael A. Halcrow, Sven Tenzing Choden Konigsmark, Niranjan Kumar Sharma, Nitya Kumar Sharma, Haowei Yu, Andong Zhan
-
Patent number: 11822645Abstract: A method for tracing function execution includes instantiating, by at least one hardware processor of a computing node, a user code runtime configured with access to an operating system (OS) kernel of the computing node. The user code runtime is configured with a first set of filtering policies associated with a first set of allowed system calls. The OS kernel is configured with a second set of filtering policies associated with a second set of allowed system calls. A system call initiated by the user code runtime is detected to violate one or both of the first set of allowed system calls and the second set of allowed system calls. A trace of the system call is initiated based on the detecting.Type: GrantFiled: January 30, 2023Date of Patent: November 21, 2023Assignee: Snowflake Inc.Inventors: Brandon S. Baker, Derek Denny-Brown, Mark M. Manning, Andong Zhan
-
Publication number: 20230353568Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.Type: ApplicationFiled: June 30, 2023Publication date: November 2, 2023Inventors: Derek Denny-Brown, Tyler Jones, Isaac Kunen
-
Patent number: 11736483Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.Type: GrantFiled: October 28, 2022Date of Patent: August 22, 2023Assignee: Snowflake Inc.Inventors: Derek Denny-Brown, Tyler Jones, Isaac Kunen
-
Publication number: 20230177145Abstract: A method for tracing function execution includes instantiating, by at least one hardware processor of a computing node, a user code runtime configured with access to an operating system (OS) kernel of the computing node. The user code runtime is configured with a first set of filtering policies associated with a first set of allowed system calls. The OS kernel is configured with a second set of filtering policies associated with a second set of allowed system calls. A system call initiated by the user code runtime is detected to violate one or both of the first set of allowed system calls and the second set of allowed system calls. A trace of the system call is initiated based on the detecting.Type: ApplicationFiled: January 30, 2023Publication date: June 8, 2023Inventors: Brandon S. Baker, Derek Denny-Brown, Mark M. Manning, Andong Zhan
-
Patent number: 11640458Abstract: A system includes at least one hardware processor of a computing node and at least one memory storing instructions that cause the at least one hardware processor to perform operations. The operations include instantiating a user code runtime to execute within a sandbox process. The sandbox process configures access by the user code runtime to an operating system (OS) kernel of the computing node. The OS kernel is configured with one or more filtering policies. A determination is performed of whether a system call received by the OS kernel violates the one or more filtering policies. The system call is triggered by at least one operation of the user code runtime. A tracing event is instantiated to trace execution of the system call based on the determination.Type: GrantFiled: June 29, 2022Date of Patent: May 2, 2023Assignee: Snowflake Inc.Inventors: Brandon S. Baker, Derek Denny-Brown, Mark M. Manning, Andong Zhan
-
Publication number: 20230076680Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.Type: ApplicationFiled: October 28, 2022Publication date: March 9, 2023Inventors: Derek Denny-Brown, Tyler Jones, Isaac Kunen
-
Publication number: 20220391492Abstract: A system includes at least one hardware processor of a computing node and at least one memory storing instructions that cause the at least one hardware processor to perform operations. The operations include instantiating a user code runtime to execute within a sandbox process. The sandbox process configures access by the user code runtime to an operating system (OS) kernel of the computing node. The OS kernel is configured with one or more filtering policies. A determination is performed of whether a system call received by the OS kernel violates the one or more filtering policies. The system call is triggered by at least one operation of the user code runtime. A tracing event is instantiated to trace execution of the system call based on the determination.Type: ApplicationFiled: June 29, 2022Publication date: December 8, 2022Inventors: Brandon S. Baker, Derek Denny-Brown, Mark M. Manning, Andong Zhan
-
Patent number: 11516216Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.Type: GrantFiled: April 27, 2021Date of Patent: November 29, 2022Assignee: Snowflake Inc.Inventors: Derek Denny-Brown, Tyler Jones, Isaac Kunen
-
Patent number: 11409864Abstract: Provided herein are systems and methods for tracing and tracing supervision of UDFs in a database system. For example, a method includes receiving a user-defined function (UDF), the UDF including code related to at least one operation to be performed. A user code runtime is instantiated to execute the code of the UDF as a child process. The user code runtime includes a filtering process configured with a plurality of filtering policies. A system call of the at least one operation is detected based on a notification from an operating system (OS) manager, the notification identifying the system call. A determination is made on whether performing the system call is permitted based on the plurality of filtering policies. A report is generated based on the determining.Type: GrantFiled: July 30, 2021Date of Patent: August 9, 2022Assignee: Snowflake Inc.Inventors: Brandon S. Baker, Derek Denny-Brown, Mark M. Manning, Andong Zhan
-
Patent number: 11347527Abstract: A system comprises at least one hardware processor and a memory storing instructions. When executed, the instructions cause the at least one hardware processor to perform operations comprising receiving, in a computing process, a Java user-defined table function (Java UDTF), the Java UDTF including code related to a process method to be performed that includes receiving one or more input tables and transforming the one or more input tables to an output table; determining, using at least a security policy, whether performing one or more portions of the process method are permitted; and performing portions of the process method determined to be permitted.Type: GrantFiled: July 30, 2021Date of Patent: May 31, 2022Assignee: Snowflake Inc.Inventors: Elliott Brossard, Istvan Cseri, Derek Denny-Brown, Filip Drozdowski, Isaac Kunen, Edward Ma
-
Patent number: 11347485Abstract: A system comprises at least one hardware processor and a memory storing instructions. When executed, the instructions cause the at least one hardware processor to perform operations comprising receiving, in a compiling process, a request to create a Java user-defined table function (Java UDTF), the Java UDTF including code related to receiving one or more input tables and transforming the one or more input tables to an output table; verifying a construct of the Java UDTF in the request is correct; and compiling to generate execution code that includes the Java UDTF when the construct of the Java UDTF is correct.Type: GrantFiled: July 30, 2021Date of Patent: May 31, 2022Assignee: Snowflake Inc.Inventors: Elliott Brossard, Istvan Cseri, Derek Denny-Brown, Filip Drozdowski, Isaac Kunen, Edward Ma
-
Patent number: 11295009Abstract: The subject technology receives, in a computing process, a user defined function, the user defined function including code related to at least one operation to be performed. The subject technology determines by a security manager whether performing the at least one operation is permitted, the security manager determines restrictions, based at least in part on a security policy. The subject technology performs the at least one operation. The subject technology sends a result of the at least one operation to the computing process, where sending the result of the at least one operation utilizes a data transport mechanism that supports a network transfer of columnar data.Type: GrantFiled: June 18, 2021Date of Patent: April 5, 2022Assignee: Snowflake Inc.Inventors: Elliott Brossard, Derek Denny-Brown, Isaac Kunen, Soumitr Rajiv Pandey, Jacob Salassi, Srinath Shankar, Haowei Yu, Andong Zhan
-
Publication number: 20210374235Abstract: The subject technology receives, in a computing process, a user defined function, the user defined function including code related to at least one operation to be performed. The subject technology determines by a security manager whether performing the at least one operation is permitted, the security manager determines restrictions, based at least in part on a security policy. The subject technology performs the at least one operation. The subject technology sends a result of the at least one operation to the computing process, where sending the result of the at least one operation utilizes a data transport mechanism that supports a network transfer of columnar data.Type: ApplicationFiled: June 18, 2021Publication date: December 2, 2021Inventors: Elliott Brossard, Derek Denny-Brown, Isaac Kunen, Soumitr Rajiv Pandey, Jacob Salassi, Srinath Shankar, Haowei Yu, Andong Zhan
-
Publication number: 20210344677Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.Type: ApplicationFiled: April 27, 2021Publication date: November 4, 2021Inventors: Derek Denny-Brown, Tyler Jones, Isaac Kunen
-
Patent number: 11113390Abstract: The subject technology receives, in a first computing process, a user defined function, the user defined function including code related to at least one operation to be performed. The subject technology sends a request based at least in part on the at least one operation to a second computing process to perform. The subject technology determines, by a security manager executing within the second computing process, whether performing the at least one operation is permitted, the security manager determines restrictions, based at least in part on a security policy, on operations executing within a sandbox environment provided by the second computing process. The subject technology performs, in the second computing process, the at least one operation, the security manager executing within the second computing process.Type: GrantFiled: April 21, 2021Date of Patent: September 7, 2021Assignee: Snowflake Inc.Inventors: Elliott Brossard, Derek Denny-Brown, Isaac Kunen, Soumitr Rajiv Pandey, Jacob Salassi, Srinath Shankar, Haowei Yu, Andong Zhan
-
Patent number: 11057381Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.Type: GrantFiled: April 29, 2020Date of Patent: July 6, 2021Assignee: Snowflake Inc.Inventors: Derek Denny-Brown, Tyler Jones, Isaac Kunen
-
Patent number: 10997286Abstract: The subject technology receives, in a first computing process, a user defined function, the user defined function including code related to at least one operation to be performed. The subject technology sends a request based on the at least one operation to a second computing process to perform, the second computing process being different than the first computing process and comprising a sandbox for executing the at least one operation. The subject technology receives, by the second computing process, the request. The subject technology determines, using at least a security policy, whether performing the at least one operation is permitted. The subject technology performs, in the second computing process, the least one operation. The subject technology sends, by the second computing process, a result of the at least one operation to the first computing process.Type: GrantFiled: July 31, 2020Date of Patent: May 4, 2021Assignee: Snowflake Inc.Inventors: Elliott Brossard, Derek Denny-Brown, Isaac Kunen, Soumitr Rajiv Pandey, Jacob Salassi, Srinath Shankar, Haowei Yu, Andong Zhan
-
Publication number: 20050289457Abstract: A method of binding elements of a structured document to an observer structure includes obtaining the logical structure of a document. Nodes representing information contained in the document are mapped to an observer structure which can include both a user interface or a programming object. The user interface may be a graphical user interface including a display form of a grid-like structure to contain the structured document information. The data binding which maps the structured document information to the observer form may be directionally controllable such that any change made to the information at the observer may be reflected in the source structured document.Type: ApplicationFiled: June 29, 2004Publication date: December 29, 2005Applicant: Microsoft CorporationInventors: Dare Obasanjo, Erik Meijer, Derek Denny-Brown, Mark Fussell, Srikanth Mandadi, Ilia Ioffe