Patents by Inventor Matthew Shawn Wilson
Matthew Shawn Wilson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 9712503
Abstract: Technology for migration of a computing instance is provided. In one example, a method may include receiving instructions to initiate migration of the computing instance from a first host to a second host. A first message for sending to the first host may be generated which includes instructions to send data representing the computing instance to the second host. The first message may further include encryption information for use in deriving at least one key for encrypting communications to the second host from the first host. A second message for sending to the second host may be generated which includes instructions to receive the data representing the computing instance from the first host. The second message may further include information for use in deriving at least one key for decrypting communications from the first host. The first and second messages may be sent to the respective first and second hosts.
Type: Grant
Filed: March 23, 2015
Date of Patent: July 18, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Khaja Ehteshamuddin Ahmed, Diwakar Gupta, Matthew Shawn Wilson
-
Patent number: 9703951
Abstract: Techniques are described for allocating resources to a task from a shared hardware structure. A plurality of tasks may execute on a processor, wherein the processor may include one or more processing cores and each task may include a plurality of computer executable instructions. In accordance with one technique for allocating resources to a task from a shared hardware structure amongst multiple tasks, aspects of the disclosure describe assigning a first identifier to a first task from the plurality of tasks, associating a portion of the shared hardware resource with the first identifier, and restricting access and/or observability for computer executable instructions executed from any other task than the first task to the portion of the hardware resource associated with the first identifier.
Type: Grant
Filed: September 30, 2014
Date of Patent: July 11, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Rahul Gautam Patel, Nachiketh Rao Potlapally, William John Earl, Matthew Shawn Wilson
-
Publication number: 20170161505
Abstract: A tiered credentialing approach provides assurance to customers having virtual machines running in a remote environment that the virtual images for these machines are in a pristine state and running in a trusted execution environment. The environment can be divided into multiple subsystems, each having its own cryptographic boundary, secure storage, and trusted computing capabilities. A trusted, limited subsystem can handle the administrative tasks for virtual machines running on the main system of a host computing device. The limited system can receive a certificate from a certificate authority, and can act as a certificate authority to provide credentials to the main system. Upon an attestation request, the subsystems can provide attestation information using the respective credentials as well as the certificate chain. An entity having the appropriate credentials can determine the state of the system from the response and verify the state is as expected.
Type: Application
Filed: December 7, 2015
Publication date: June 8, 2017
Inventors: Matthew John Campagna, Gregory Alan Rubin, Eric Jason Brandwine, Matthew Shawn Wilson, Cristian M. Ilac
-
Patent number: 9667414
Abstract: Generally described, physical computing devices in a virtual network can be configured to host a number of virtual machine instances. The physical computing devices can be operably coupled with offload devices. In accordance with an aspect of the present disclosure, a security component can be incorporated into an offload device. The security component can be a physical device including a microprocessor and storage. The security component can include a set of instructions configured to validate an operational configuration of the offload device or the physical computing device to establish that they are configured in accordance with a secure or trusted configuration. In one example, a first security component on the offload device can validate the operational computing environment on the offload device and a second security component on the physical computing device can validate the operational computing environment on the physical computing device.
Type: Grant
Filed: March 30, 2015
Date of Patent: May 30, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Eric Jason Brandwine, David R. Richardson, Matthew Shawn Wilson, Ian Paul Nowland, Anthony Nicholas Liguori, Brian William Barrett
-
Patent number: 9626512
Abstract: Generally described, physical computing devices in a virtual network can be configured to host a number of virtual machine instances. The physical computing devices can be operably coupled with offload devices. In accordance with an aspect of the present disclosure, a security component can be incorporated into an offload device. The security component can be a physical device including a microprocessor and storage. The security component can include a set of instructions configured to validate an operational configuration of the offload device or the physical computing device to establish that they are configured in accordance with a secure or trusted configuration. In one example, a first security component on the offload device can validate the operational computing environment on the offload device and a second security component on the physical computing device can validate the operational computing environment on the physical computing device.
Type: Grant
Filed: March 30, 2015
Date of Patent: April 18, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Eric Jason Brandwine, David R. Richardson, Matthew Shawn Wilson, Ian Paul Nowland, Anthony Nicholas Liguori, Brian William Barrett
-
Publication number: 20170090971
Abstract: Generally described, the present application relates to systems and methods for managing virtual machine instances using a physical computing device and an offload device. The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device. The offload device can be connected to the physical computing device via an interconnect interface. The interconnect interface can be a high speed, high throughput, low latency interface such as a Peripheral Component Interconnect Express (PCIe) interface. The offload device can be used to offload virtualization and processing of virtual components from the physical computing device, thereby increasing the computing resources available to the virtual machine instances.
Type: Application
Filed: August 19, 2016
Publication date: March 30, 2017
Inventors: Anthony Nicholas Liguori, Matthew Shawn Wilson, Ian Paul Nowland
-
Publication number: 20170078204
Abstract: Encapsulated packets may be generated for different packets transmitted between a source instance and destination instance in a computer system. The source instance and destination instance may be implemented by different physical hosts linked by multiple network paths. Congestion of the multiple network paths may be determined and path-balancing policies may be implemented in response to the determined congestion. Each encapsulation packet comprises contents of a corresponding packet, and one or more data values selected in accordance with a path-balancing policy. The data values added to one encapsulation packet may differ from those added to another. Different network paths to the destination may be selected for different encapsulation packets of a given transmission based at least in part on the added data values.
Type: Application
Filed: November 28, 2016
Publication date: March 16, 2017
Inventors: Alan Michael Judge, Matthew Shawn Wilson
-
Publication number: 20170078203
Abstract: Encapsulated packets may be generated for different packets transmitted between a source instance and destination instance in a computer system. The source instance and destination instance may be implemented by different physical hosts linked by multiple network paths. Congestion of the multiple network paths may be determined and path-balancing policies may be implemented in response to the determined congestion. Each encapsulation packet comprises contents of a corresponding packet, and one or more data values selected in accordance with a path-balancing policy. The data values added to one encapsulation packet may differ from those added to another. Different network paths to the destination may be selected for different encapsulation packets of a given transmission based at least in part on the added data values.
Type: Application
Filed: November 28, 2016
Publication date: March 16, 2017
Inventors: Alan Michael Judge, Matthew Shawn Wilson
-
Publication number: 20170052808
Abstract: Generally described, the present application relates to systems and methods for managing virtual machine instances using a physical computing device and an offload device. The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device. The offload device can be connected to the physical computing device via a bus interface. The bus interface can be a high speed, high throughput, low latency interface such as a Peripheral Component Interconnect Express (PCIe) interface. The offload device can be used to offload virtualization and processing of virtual components from the physical computing device, thereby increasing the computing resources available to the virtual machine instances.
Type: Application
Filed: July 22, 2016
Publication date: February 23, 2017
Inventors: Anthony Nicholas Liguori, Matthew Shawn Wilson, Ian Paul Nowland
-
Patent number: 9509616
Abstract: Encapsulated packets may be generated for different packets transmitted between a source instance and destination instance in a computer system. The source instance and destination instance may be implemented by different physical hosts linked by multiple network paths. Congestion of the multiple network paths may be determined and path-balancing policies may be implemented in response to the determined congestion. Each encapsulation packet comprises contents of a corresponding packet, and one or more data values selected in accordance with a path-balancing policy. The data values added to one encapsulation packet may differ from those added to another. Different network paths to the destination may be selected for different encapsulation packets of a given transmission based at least in part on the added data values.
Type: Grant
Filed: November 24, 2014
Date of Patent: November 29, 2016
Assignee: Amazon Technologies, Inc.
Inventors: Alan Michael Judge, Matthew Shawn Wilson
-
Patent number: 9503268
Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to secure the results of privileged operations on systems such as the operating system (OS) kernel and/or the hypervisor. The interface allows a public key to be included in a request to perform a privileged operation on a hypervisor and/or kernel. The kernel and/or hypervisor use the key included in the request to encrypt the results of the privileged operation. In some embodiments, the request itself can also be encrypted, such that any intermediate parties are not able to read the parameters and other information of the request.
Type: Grant
Filed: January 22, 2013
Date of Patent: November 22, 2016
Assignee: Amazon Technologies, Inc.
Inventors: Eric Jason Brandwine, Matthew Shawn Wilson
-
Patent number: 9491098
Abstract: Methods and apparatus for transparent multipath utilization through encapsulation are disclosed. Respective encapsulation packets are generated for at least two different baseline packets transmitted between a source and destination linked by multiple network paths. Each encapsulation packet comprises contents of a corresponding baseline packet, and one or more data values selected in accordance with a path balancing policy. The data values added to one encapsulation packet may differ from those added to another. Different network paths to the destination may be selected for different encapsulation packets of a given transmission based at least in part on the added data values.
Type: Grant
Filed: November 18, 2013
Date of Patent: November 8, 2016
Assignee: Amazon Technologies, Inc.
Inventors: Matthew Shawn Wilson, Andrew Bruce Dickinson, Justin Oliver Pietsch, Aaron C. Thompson, Frederick David Sinn, Alan Michael Judge, Jagwinder Singh Brar
-
Publication number: 20160313986
Abstract: Generally described, aspects of the present disclosure relate to a live update process of the virtual machine monitor during the operation of the virtual machine instances. An update to a virtual machine monitor can be a difficult process to execute because of the operation of the virtual machine instances. Generally, in order to update the virtual machine monitor, the physical computing device needs to be rebooted, which interrupts operation of the virtual machine instances. The live update process provides for a method of updating the virtual machine monitor without rebooting the physical computing device.
Type: Application
Filed: March 21, 2016
Publication date: October 27, 2016
Inventors: Anthony Nicholas Liguori, Matthew Shawn Wilson, Ian Paul Nowland
-
Publication number: 20160291992
Abstract: Approaches are described that enable the configuration of computing resources for executing virtual machines on behalf of users to be cryptographically attested to or verified. When a user requests a virtual machine to be provisioned, an operator of the virtualized computing environment can initiate a two-phase launch of the virtual machine. In the first phase, the operator provisions the virtual machine on a host computing device and obtains cryptographic measurements of the software and/or hardware resources on the host computing device. The operator may then provide those cryptographic measurements to the user that requested the virtual machine. If the user approves the cryptographic measurements, the operator may proceed with the second phase and actually launch the virtual machine on the host. In some cases, the operator may compare the cryptographic measurements to a list of approved measurements to determine whether the host computing device is acceptable for hosting the virtual machine.
Type: Application
Filed: June 9, 2016
Publication date: October 6, 2016
Inventors: Nachiketh Rao Potlapally, Eric Jason Brandwine, Matthew Shawn Wilson
-
Publication number: 20160283421
Abstract: A DMA-capable device of a virtualization host stores a DMA write record, indicating a portion of host memory that is targeted by a DMA write operation, in a write buffer accessible from a virtualization management component of the host. The virtualization management component uses the DMA write record to identify a portion of memory to be copied to a target location to save a representation of a state of a particular virtual machine instantiated at the host.
Type: Application
Filed: June 3, 2016
Publication date: September 29, 2016
Applicant: Amazon Technologies, Inc.
Inventors: Matthew Shawn Wilson, Anthony Nicholas Liguori, Shuvabrata Ganguly
-
Patent number: 9424067
Abstract: Generally described, the present application relates to systems and methods for managing virtual machine instances using a physical computing device and an offload device. The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device. The offload device can be connected to the physical computing device via an interconnect interface. The interconnect interface can be a high speed, high throughput, low latency interface such as a Peripheral Component Interconnect Express (PCIe) interface. The offload device can be used to offload virtualization and processing of virtual components from the physical computing device, thereby increasing the computing resources available to the virtual machine instances.
Type: Grant
Filed: December 11, 2014
Date of Patent: August 23, 2016
Assignee: Amazon Technologies, Inc.
Inventors: Anthony Nicholas Liguori, Matthew Shawn Wilson, Ian Paul Nowland
-
Patent number: 9400674
Abstract: Generally described, the present application relates to systems and methods for managing virtual machine instances using a physical computing device and an offload device. The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device. The offload device can be connected to the physical computing device via a bus interface. The bus interface can be a high speed, high throughput, low latency interface such as a Peripheral Component Interconnect Express (PCIe) interface. The offload device can be used to offload virtualization and processing of virtual components from the physical computing device, thereby increasing the computing resources available to the virtual machine instances.
Type: Grant
Filed: December 11, 2014
Date of Patent: July 26, 2016
Assignee: Amazon Technologies, Inc.
Inventors: Anthony Nicholas Liguori, Matthew Shawn Wilson, Ian Paul Nowland
-
Publication number: 20160170784
Abstract: Generally described, the present application relates to systems and methods for managing virtual machine instances using a physical computing device and an offload device. The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device. The offload device can be connected to the physical computing device via a bus interface. The bus interface can be a high speed, high throughput, low latency interface such as a Peripheral Component Interconnect Express (PCIe) interface. The offload device can be used to offload virtualization and processing of virtual components from the physical computing device, thereby increasing the computing resources available to the virtual machine instances.
Type: Application
Filed: December 11, 2014
Publication date: June 16, 2016
Inventors: Anthony Nicholas Liguori, Matthew Shawn Wilson, Ian Paul Nowland
-
Publication number: 20160170781
Abstract: Generally described, aspects of the present disclosure relate to loading an updated virtual machine monitor on the physical computing device during a boot process. The updated virtual machine monitor may be loaded from an update manager external to the virtual machine monitor, such as the offload device or a server connected with the physical computing device over a network. In certain embodiments, the updated virtual machine monitor may be loaded in a tiered process by first loading a startup virtual machine monitor, which automatically updates by loading the updated virtual machine monitor. The startup virtual machine monitor may be a virtual machine monitor with less functionality than the updated virtual machine monitor, such as where the startup virtual machine monitor may be a "lite" or simple virtual machine monitor while the updated virtual machine monitor may be a fully functional virtual machine monitor of the most recent update or version.
Type: Application
Filed: December 11, 2014
Publication date: June 16, 2016
Inventors: Anthony Nicholas Liguori, Matthew Shawn Wilson, Ian Paul Nowland
-
Publication number: 20160170785
Abstract: Generally described, the present application relates to systems and methods for managing virtual machine instances using a physical computing device and an offload device. The offload device can be a separate computing device that includes computing resources (e.g., processor and memory) separate from the computing resources of the physical computing device. The offload device can be connected to the physical computing device via an interconnect interface. The interconnect interface can be a high speed, high throughput, low latency interface such as a Peripheral Component Interconnect Express (PCIe) interface. The offload device can be used to offload virtualization and processing of virtual components from the physical computing device, thereby increasing the computing resources available to the virtual machine instances.
Type: Application
Filed: December 11, 2014
Publication date: June 16, 2016
Inventors: Anthony Nicholas Liguori, Matthew Shawn Wilson, Ian Paul Nowland