Patents by Inventor Matthew Shawn Wilson
Matthew Shawn Wilson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 10198377Abstract: A DMA-capable device of a virtualization host stores a DMA write record, indicating a portion of host memory that is targeted by a DMA write operation, in a write buffer accessible from a virtualization management component of the host. The virtualization management component uses the DMA write record to identify a portion of memory to be copied to a target location to save a representation of a state of a particular virtual machine instantiated at the host.Type: GrantFiled: June 3, 2016Date of Patent: February 5, 2019Assignee: Amazon Technologies, Inc.Inventors: Matthew Shawn Wilson, Anthony Nicholas Liguori, Shuvabrata Ganguly
-
Patent number: 10169591Abstract: A tiered credentialing approach provides assurance to customers having virtual machines running in a remote environment that the virtual images for these machines are in a pristine state and running in a trusted execution environment. The environment can be divided into multiple subsystems, each having its own cryptographic boundary, secure storage, and trusted computing capabilities. A trusted, limited subsystem can handle the administrative tasks for virtual machines running on the main system of a host computing device. The limited system can receive a certificate from a certificate authority, and can act as a certificate authority to provide credentials to the main system. Upon an attestation request, the subsystems can provide attestation information using the respective credentials as well as the certificate chain. An entity having the appropriate credentials can determine the state of the system from the response and verify the state is as expected.Type: GrantFiled: December 7, 2015Date of Patent: January 1, 2019Assignee: Amazon Technologies, Inc.Inventors: Matthew John Campagna, Gregory Alan Rubin, Eric Jason Brandwine, Matthew Shawn Wilson, Cristian M. Ilac
-
Publication number: 20180300166Abstract: Generally described, aspects of the present disclosure relate to loading an updated virtual machine monitor on the physical computing device during a boot process. The updated virtual machine monitor may be loaded from an update manager external to the virtual machine monitor, such as the offload device or a server connected with the physical computing device over a network. In certain embodiments, the updated virtual machine monitor may be loaded in a tiered process by first loading a startup virtual machine monitor, which automatically updates by loading the updated virtual machine monitor. The startup virtual machine monitor may be a virtual machine monitor with less functionality than the updated machine manager, such as where the startup virtual machine monitor may be a “lite” or simple virtual machine monitor while the updated virtual machine monitor may be a fully functional virtual machine monitor of the most recent update or version.Type: ApplicationFiled: January 25, 2018Publication date: October 18, 2018Inventors: Anthony Nicholas Liguori, Matthew Shawn Wilson, Ian Paul Nowland
-
Patent number: 10084784Abstract: Functionality is disclosed herein for providing a resource monitoring environment that restricts access to computing resource data in a service provider network. The resource monitoring environment processes requests to access computing resource data, and denies requests not signed or authorized by a customer of a service provider network or other entity. Access to the computing resource data includes access to non-obfuscated data and/or access to encrypted computing resource data encrypted by way of a public encryption key held by a customer of the service provider network or other entity instead of a requestor of the computing resource data.Type: GrantFiled: December 2, 2014Date of Patent: September 25, 2018Assignee: Amazon Technologies, Inc.Inventors: Eric J. Brandwine, Matthew Shawn Wilson
-
Patent number: 10063380Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order authorize and authenticate requests sent to a virtualization later. The interfaces can be invoked to perform security monitoring, forensic capture, and/or patch software systems at runtime. In addition to the foregoing, other aspects are described in the claims, detailed description, and figures.Type: GrantFiled: January 22, 2013Date of Patent: August 28, 2018Assignee: Amazon Technologies, Inc.Inventors: Eric Jason Brandwine, Matthew Shawn Wilson
-
Publication number: 20180165455Abstract: Disclosed herein are techniques for maintaining a secure execution environment on a server. In one embodiment, the server includes a non-volatile memory storing firmware, a programmable security logic coupled to the non-volatile memory, an adapter device coupled to the programmable security logic, and a processor communicatively coupled to the non-volatile memory via the programmable security logic. The adapter device and/or the programmable security logic can verify the firmware in the non-volatile memory while holding the processor and/or a baseboard management controller (BMC) in power reset, release the processor and the BMC from reset to boot the processor and the BMC after the firmware is verified, and then disable communications between the processor and the BMC and deny at least some requests to write to the non-volatile memory by the processor or the BMC.Type: ApplicationFiled: December 13, 2016Publication date: June 14, 2018Inventors: Anthony Nicholas Liguori, Jason Alexander Harland, Matthew Shawn Wilson, Nafea Bshara, Ziv Harel, Darin Lee Frink
-
Publication number: 20180139110Abstract: Methods and apparatus are disclosed for programming reconfigurable logic devices such as FPGAs in a networked server environment. In one example, a system hosting a network service providing field programmable gate array (FPGA) services includes a network service provider configured to receive a request to implement application logic in a plurality of FPGAs, allocate a computing instance comprising the FPGAs in responses to receiving the request, produce configuration information for programming the FPGAs, and send the configuration information to an allocated computing instance. The system further includes a computing host that is allocated by the network service provider as a computing instance which includes memory, processors configured to execute computer-executable instructions stored in the memory, and the programmed FPGAs.Type: ApplicationFiled: November 17, 2016Publication date: May 17, 2018Applicant: Amazon Technologies, Inc.Inventors: Robert Michael Johnson, Nafea Bshara, Matthew Shawn Wilson
-
Publication number: 20180136961Abstract: Generally described, aspects of the present disclosure relate to a live update process of the virtual machine monitor during the operation of the virtual machine instances. An update to a virtual machine monitor can be a difficult process to execute because of the operation of the virtual machine instances. Generally, in order to update the virtual machine monitor, the physical computing device needs to be rebooted, which interrupts operation of the virtual machine instances. The live update process provides for a method of updating the virtual machine monitor without rebooting the physical computing device.Type: ApplicationFiled: September 8, 2017Publication date: May 17, 2018Inventors: Anthony Nicholas Liguori, Matthew Shawn Wilson, Ian Paul Nowland
-
Patent number: 9940123Abstract: Techniques for updating code of a device may be described. In an example, bus may connect the device to a management entity. The device may run a first version of the code. A second version of the code may be available from memory. The device may access the second version from the memory, stop running the first version of the code, and start running the second version of the code without restarting the management entity or the device.Type: GrantFiled: December 29, 2015Date of Patent: April 10, 2018Assignee: Amazon Technologies, Inc.Inventors: Hani Ayoub, Nafea Bshara, Matthew Shawn Wilson, Clint Joseph Sbisa, Barak Wasserstrom, Brian William Barrett, Ronen Shitrit, Anthony Nicholas Liguori
-
Publication number: 20180088804Abstract: A peripheral device may implement storage virtualization for non-volatile storage devices connected to the peripheral device. A host system connected to the peripheral device may host one or multiple virtual machines. The peripheral device may implement different virtual interfaces for the virtual machines or the host system that present a storage partition at a non-volatile storage device to the virtual machine or host system for storage. Access requests from the virtual machines or host system are directed to the respective virtual interface at the peripheral device. The peripheral device may perform data encryption or decryption, or may perform throttling of access requests. The peripheral device may generate and send physical access requests to perform the access requests received via the virtual interfaces to the non-volatile storage devices. Completion of the access requests may be indicated to the virtual machines via the virtual interfaces.Type: ApplicationFiled: September 28, 2016Publication date: March 29, 2018Applicant: Amazon Technologies, Inc.Inventors: Raviprasad Venkatesha Murthy Mummidi, MATTHEW SHAWN WILSON, ANTHONY NICHOLAS LIGUORI, NAFEA BSHARA, Saar Gross, Jaspal Kohli
-
Patent number: 9928207Abstract: Provided are systems and methods for generating transactions with a configurable port. In some implementations, a peripheral device is provided. The peripheral device comprises a configurable port. In some implementations, the configurable port may be configured to receive a first transaction. In these implementations, the first transactions may include an address. The address may include a transaction attribute. In some implementations, the configurable port may extract the transaction attribute and a transaction address from the address. The configurable port may further generate a second transaction that includes the transaction attribute and the transaction address. The configurable port may also transmit the second transaction.Type: GrantFiled: September 29, 2015Date of Patent: March 27, 2018Assignee: Amazon Technologies, Inc.Inventors: Adi Habusha, Nafea Bshara, Itay Poleg, Erez Izenberg, Guy Nakibly, Matthew Shawn Wilson
-
Patent number: 9898601Abstract: Techniques are described for allocating resources to a task from a shared hardware structure. A plurality of tasks may execute on a processor, wherein the processor may include one or more processing cores and each task may include a plurality of computer executable instructions. In accordance with one technique for allocating resources to a task from a shared hardware structure amongst multiple tasks, aspects of the disclosure describe assigning a first identifier to a first task from the plurality of tasks, associating a portion of the shared hardware resource with the first identifier, and restricting access and/or observability for computer executable instructions executed from any other task than the first task to the portion of the hardware resource associated with the first identifier.Type: GrantFiled: July 6, 2017Date of Patent: February 20, 2018Assignee: Amazon Technologies, Inc.Inventors: Rahul Gautam Patel, Nachiketh Rao Potlapally, William John Earl, Matthew Shawn Wilson
-
Patent number: 9886297Abstract: Generally described, aspects of the present disclosure relate to loading an updated virtual machine monitor on the physical computing device during a boot process. The updated virtual machine monitor may be loaded from an update manager external to the virtual machine monitor, such as the offload device or a server connected with the physical computing device over a network. In certain embodiments, the updated virtual machine monitor may be loaded in a tiered process by first loading a startup virtual machine monitor, which automatically updates by loading the updated virtual machine monitor. The startup virtual machine monitor may be a virtual machine monitor with less functionality than the updated machine manager, such as where the startup virtual machine monitor may be a “lite” or simple virtual machine monitor while the updated virtual machine monitor may be a fully functional virtual machine monitor of the most recent update or version.Type: GrantFiled: December 11, 2014Date of Patent: February 6, 2018Assignee: AMAZON TECHNOLOGIES, INC.Inventors: Anthony Nicholas Liguori, Matthew Shawn Wilson, Ian Paul Nowland
-
Patent number: 9880866Abstract: Approaches to enable the configuration of computing resources for executing virtual machines on behalf of users to be cryptographically attested to or verified. When a user requests a virtual machine to be provisioned, an operator of the virtualized computing environment can initiate a two phase launch of the virtual machine. In the first phase, the operator provisions the virtual machine on a host computing device and obtains cryptographic measurements of the software and/or hardware resources on the host computing device. The operator may then provide those cryptographic measurements to the user that requested the virtual machine. If the user approves the cryptographic measurements, the operator may proceed with the second phase and actually launch the virtual machine on the host. In some cases, operator may compare the cryptographic measurements to a list of approved measurements to determine whether the host computing device is acceptable for hosting the virtual machine.Type: GrantFiled: June 9, 2016Date of Patent: January 30, 2018Assignee: AMAZON TECHNOLOGIES, INC.Inventors: Nachiketh Rao Potlapally, Eric Jason Brandwine, Matthew Shawn Wilson
-
Publication number: 20180013552Abstract: Generally described, physical computing devices in a virtual network can be configured to host a number of virtual machine instances. The physical computing devices can be operably coupled with offload devices. In accordance with an aspect of the present disclosure, a security component can be incorporated into an offload device. The security component can be a physical device including a microprocessor and storage. The security component can include a set of instructions configured to validate an operational configuration of the offload device or the physical computing device to establish that they are configured in accordance with a secure or trusted configuration. In one example, a first security component on the offload device can validate the operational computing environment on the offload device and a second security component on the physical computing device can validate the operational computing environment on the physical computing device.Type: ApplicationFiled: May 23, 2017Publication date: January 11, 2018Inventors: Eric Jason Brandwine, David R. Richardson, Matthew Shawn Wilson, Ian Paul Nowland, Anthony Nicholas Liguori, Brian William Barrett
-
Publication number: 20170308696Abstract: Techniques are described for allocating resources to a task from a shared hardware structure. A plurality of tasks may execute on a processor, wherein the processor may include one or more processing cores and each task may include a plurality of computer executable instructions. In accordance with one technique for allocating resources to a task from a shared hardware structure amongst multiple tasks, aspects of the disclosure describe assigning a first identifier to a first task from the plurality of tasks, associating a portion of the shared hardware resource with the first identifier, and restricting access and/or observability for computer executable instructions executed from any other task than the first task to the portion of the hardware resource associated with the first identifier.Type: ApplicationFiled: July 6, 2017Publication date: October 26, 2017Inventors: Rahul Gautam Patel, Nachiketh Rao Potlapally, William John Earl, Matthew Shawn Wilson
-
Patent number: 9794195Abstract: A communication device with receded ports includes one or more port connectors in a first position, one or more port connectors in a setback position that is receded back from the first position, and one or more port connectors in one or more additional setback positions. The communication device with receded ports includes, a circuit board, and one or more circuits mounted on the circuit board. Circuit traces electrically connect the port connectors in the first position, the setback position, and the one or more subsequent setback positions to a circuit mounted on a circuit board. The port connectors in the first position, setback position, and one or more subsequent setback positions may be situated in a triangular pattern, stair-stepped pattern, curved pattern, or some other pattern.Type: GrantFiled: June 26, 2015Date of Patent: October 17, 2017Assignee: Amazon Technologies, Inc.Inventors: Matthew Shawn Wilson, Nafea Bshara, Peter Nicholas Desantis
-
Patent number: 9792143Abstract: The performing of virtual machine (VM)-based secure operations is enabled using a trusted co-processor that is able to operate in a secure mode to perform operations in a multi-tenant environment that are protected from other VMs and DOM-0, among other domains and components. A customer VM can contact a VM manager (VMM) to perform an operation with respect to sensitive data. The VMM can trigger secure mode operation, whereby memory pages are marked and access blocked to entities outside a trusted enclave. The trusted co-processer can measure the VMM and compare the result against an earlier result to ensure that the VMM has not been compromised. Once the operations are performed, the trusted co-processor can return the results, and the VMM can exit the secure mode such that access to the marked pages and customer data is restored.Type: GrantFiled: October 23, 2015Date of Patent: October 17, 2017Assignee: AMAZON TECHNOLOGIES, INC.Inventors: Nachiketh Rao Potlapally, Derek Del Miller, Mark Bradley Davis, Matthew Shawn Wilson, Eric Jason Brandwine, Anthony Nicholas Liguori, Rahul Gautam Patel
-
Patent number: 9760394Abstract: Generally described, aspects of the present disclosure relate to a live update process of the virtual machine monitor during the operation of the virtual machine instances. An update to a virtual machine monitor can be a difficult process to execute because of the operation of the virtual machine instances. Generally, in order to update the virtual machine monitor, the physical computing device needs to be rebooted, which interrupts operation of the virtual machine instances. The live update process provides for a method of updating the virtual machine monitor without rebooting the physical computing device.Type: GrantFiled: March 21, 2016Date of Patent: September 12, 2017Assignee: AMAZON TECHNOLOGIES, INC.Inventors: Anthony Nicholas Liguori, Matthew Shawn Wilson, Ian Paul Nowland
-
Patent number: 9729517Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to enable secure migration of virtual machine instances between multiple host computing devices. The migration is performed by receiving a request to migrate a virtual machine where the request includes public keys for the source host computing and the destination host computing. The source and destination hosts use the public keys to establish an encrypted session and then use the encrypted session to migrate the virtual machine.Type: GrantFiled: January 22, 2013Date of Patent: August 8, 2017Assignee: Amazon Technologies, Inc.Inventors: Eric Jason Brandwine, Matthew Shawn Wilson