Patents by Inventor Michael Bursell

Michael Bursell has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11886899
    Abstract: A system includes a memory, a processor in communication with the memory, a hypervisor, and a trusted execution environment (TEE). The TEE is provisioned with a workload and includes an introspection module. The introspection module is configured to execute an introspection command according to an introspection policy. The introspection command is configured to validate at least one memory access associated with the workload. The introspection module is also configured to determine a status of a result of the introspection commands, wherein the status is one of a failure status and a success status.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: January 30, 2024
    Assignee: RED HAT, INC.
    Inventors: Michael Bursell, Michael Tsirkin
  • Patent number: 11789763
    Abstract: Methods and systems for storing and injecting bytecode are provided. In one embodiment, a method is provided that includes receiving, at a first time, a first function for execution within a serverless computing environment; generating, by an interpreter, a first bytecode based on the first function; storing the first bytecode in association with an identifier of the first function; receiving, at a second time after the first time, a second function for execution within the serverless computing environment; identifying the second function as corresponding to the first function; injecting the first bytecode into a container for execution of the second function; receiving performance metrics regarding execution of the second function; and determining, based on the performance metrics, whether to allow or prevent future injection of the first bytecode.
    Type: Grant
    Filed: July 29, 2022
    Date of Patent: October 17, 2023
    Assignee: Red Hat, Inc.
    Inventors: Huamin Chen, Michael Bursell
  • Patent number: 11792070
    Abstract: Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.
    Type: Grant
    Filed: September 7, 2021
    Date of Patent: October 17, 2023
    Inventor: Michael Bursell
  • Patent number: 11783070
    Abstract: Sensitive information can be managed using a trusted platform module. For example, a system can encrypt target information using a cryptographic key to generate encrypted data. The system can also receive an encrypted key from a trusted platform module, where the encrypted key is a version of the cryptographic key that is encrypted using a public key stored in the trusted platform module. The system can then transmit the encrypted data and the encrypted key to a remote computing system, for example to store the encrypted data and the encrypted key on the remote computing system. Using these techniques, the target information may be secured and stored in remote locations.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: October 10, 2023
    Assignee: Red Hat, Inc.
    Inventors: Ricardo Noriega De Soto, Michael Bursell, Huamin Chen
  • Publication number: 20220365800
    Abstract: Methods and systems for storing and injecting bytecode are provided. In one embodiment, a method is provided that includes receiving, at a first time, a first function for execution within a serverless computing environment; generating, by an interpreter, a first bytecode based on the first function; storing the first bytecode in association with an identifier of the first function; receiving, at a second time after the first time, a second function for execution within the serverless computing environment; identifying the second function as corresponding to the first function; injecting the first bytecode into a container for execution of the second function; receiving performance metrics regarding execution of the second function; and determining, based on the performance metrics, whether to allow or prevent future injection of the first bytecode.
    Type: Application
    Filed: July 29, 2022
    Publication date: November 17, 2022
    Inventors: Huamin Chen, Michael Bursell
  • Publication number: 20220335142
    Abstract: Sensitive information can be managed using a trusted platform module. For example, a system can encrypt target information using a cryptographic key to generate encrypted data. The system can also receive an encrypted key from a trusted platform module, where the encrypted key is a version of the cryptographic key that is encrypted using a public key stored in the trusted platform module. The system can then transmit the encrypted data and the encrypted key to a remote computing system, for example to store the encrypted data and the encrypted key on the remote computing system. Using these techniques, the target information may be secured and stored in remote locations.
    Type: Application
    Filed: April 19, 2021
    Publication date: October 20, 2022
    Inventors: Ricardo Noriega De Soto, Michael Bursell, Huamin Chen
  • Patent number: 11455404
    Abstract: Aspects and features of the present disclosure can provide a trusted, privacy-preserved deduplication process by executing deduplication functions in a trusted execution environment (TEE). In some examples, encrypted, incoming user data blocks are decrypted in the TEE to produce unencrypted user data blocks. An incoming digital fingerprint for each unencrypted user data block is produced. A processing device can compare the incoming digital fingerprint to existing digital fingerprints stored in the TEE to determine a presence of the incoming digital fingerprint and hence the presence of a copy of the data block in the storage platform, and writes the encrypted. Incoming data blocks are written to storage only when necessary. The technique allows public mass storage systems to meet cybersecurity objectives while achieving the storage space efficiency that deduplication provides.
    Type: Grant
    Filed: May 28, 2020
    Date of Patent: September 27, 2022
    Assignee: RED HAT, INC.
    Inventors: Huamin Chen, Michael Bursell
  • Patent number: 11416273
    Abstract: Methods and systems for storing and injecting bytecode are provided. In one embodiment, a method is provided that includes receiving a first function for execution at a first time and generating a first bytecode based on the first function for use in executing the first function. The first bytecode may then be stored with an identifier of the first function. At a second time after the first time, a second function may be received for execution. The second function may be identified as corresponding to the first function and the first bytecode may be received. The first bytecode may then be injected into a container for execution of the second function.
    Type: Grant
    Filed: January 16, 2020
    Date of Patent: August 16, 2022
    Assignee: RED HAT, INC.
    Inventors: Huamin Chen, Michael Bursell
  • Patent number: 11356367
    Abstract: According to one example, a method includes, with a serverless function infrastructure, associating a routing secret with a function sequence. The method further includes, with a sequence controller of the serverless function infrastructure, appending the routing secret to a header of a request to invoke a first function of the function sequence. The method further includes, with the serverless function infrastructure invoking the first function of the function sequence, in response to authenticating the routing secret in the header of the request. The method further includes, after the first function has been invoked and before the first function completes execution, with a serving controller of the serverless function infrastructure, preloading subsequent functions of the function sequence.
    Type: Grant
    Filed: November 22, 2019
    Date of Patent: June 7, 2022
    Assignee: RED HAT, INC.
    Inventors: Huamin Chen, Michael Bursell
  • Publication number: 20220129593
    Abstract: A system includes a memory, a processor in communication with the memory, a supervisor, and a trusted execution environment (“TEE”). The TEE includes an introspection module and is configured to execute the introspection module on a workload according to an introspection security policy. Additionally, the TEE is configured to generate an introspection result for the workload. The introspection security policy specifies at least one of (i) a portion of the TEE that is exposed to the introspection module and (ii) at least one of an accelerator and a device the introspection module has access to. Additionally, the introspection module is configured to validate the workload. The introspection result is one of a passing result and a failing result.
    Type: Application
    Filed: October 28, 2020
    Publication date: April 28, 2022
    Inventors: Michael Tsirkin, Michael Bursell
  • Publication number: 20210409270
    Abstract: Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.
    Type: Application
    Filed: September 7, 2021
    Publication date: December 30, 2021
    Inventor: Michael Bursell
  • Publication number: 20210374253
    Abstract: Aspects and features of the present disclosure can provide a trusted, privacy-preserved deduplication process by executing deduplication functions in a trusted execution environment (TEE). In some examples, encrypted, incoming user data blocks are decrypted in the TEE to produce unencrypted user data blocks. An incoming digital fingerprint for each unencrypted user data block is produced. A processing device can compare the incoming digital fingerprint to existing digital fingerprints stored in the TEE to determine a presence of the incoming digital fingerprint and hence the presence of a copy of the data block in the storage platform, and writes the encrypted. Incoming data blocks are written to storage only when necessary. The technique allows public mass storage systems to meet cybersecurity objectives while achieving the storage space efficiency that deduplication provides.
    Type: Application
    Filed: May 28, 2020
    Publication date: December 2, 2021
    Inventors: Huamin Chen, Michael Bursell
  • Publication number: 20210342174
    Abstract: A system includes a memory, a processor in communication with the memory, a hypervisor, and a trusted execution environment (TEE). The TEE is provisioned with a workload and includes an introspection module. The introspection module is configured to execute an introspection command according to an introspection policy. The introspection command is configured to validate at least one memory access associated with the workload. The introspection module is also configured to determine a status of a result of the introspection commands, wherein the status is one of a failure status and a success status.
    Type: Application
    Filed: April 30, 2020
    Publication date: November 4, 2021
    Inventors: Michael Bursell, Michael Tsirkin
  • Patent number: 11140030
    Abstract: Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: October 5, 2021
    Assignee: Citrix Systems, Inc.
    Inventor: Michael Bursell
  • Publication number: 20210224087
    Abstract: Methods and systems for storing and injecting bytecode are provided. In one embodiment, a method is provided that includes receiving a first function for execution at a first time and generating a first bytecode based on the first function for use in executing the first function. The first bytecode may then be stored with an identifier of the first function. At a second time after the first time, a second function may be received for execution. The second function may be identified as corresponding to the first function and the first bytecode may be received. The first bytecode may then be injected into a container for execution of the second function.
    Type: Application
    Filed: January 16, 2020
    Publication date: July 22, 2021
    Inventors: Huamin Chen, Michael Bursell
  • Publication number: 20210160180
    Abstract: According to one example, a method includes, with a serverless function infrastructure, associating a routing secret with a function sequence. The method further includes, with a sequence controller of the serverless function infrastructure, appending the routing secret to a header of a request to invoke a first function of the function sequence. The method further includes, with the serverless function infrastructure invoking the first function of the function sequence, in response to authenticating the routing secret in the header of the request. The method further includes, after the first function has been invoked and before the first function completes execution, with a serving controller of the serverless function infrastructure, preloading subsequent functions of the function sequence.
    Type: Application
    Filed: November 22, 2019
    Publication date: May 27, 2021
    Inventors: Huamin Chen, Michael Bursell
  • Publication number: 20190199590
    Abstract: Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.
    Type: Application
    Filed: February 27, 2019
    Publication date: June 27, 2019
    Inventor: Michael Bursell
  • Patent number: 10263842
    Abstract: Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.
    Type: Grant
    Filed: January 12, 2016
    Date of Patent: April 16, 2019
    Assignee: Citrix Systems, Inc.
    Inventor: Michael Bursell
  • Patent number: 9509501
    Abstract: Storage associated with a virtual machine or other type of device may be migrated between locations (e.g., physical devices, network locations, etc.). To maintain the security of the storage, a system may manage the encryption of the storage area such that a storage area is encrypted with a first encryption key that may be maintained through the migration. A header of the storage area, on the other hand, may be encrypted using a second encryption key and the first encryption key may be stored therein. Upon transfer, the header may be re-encrypted to effect the transfer of security.
    Type: Grant
    Filed: April 6, 2015
    Date of Patent: November 29, 2016
    Assignee: Citrix Systems, Inc.
    Inventor: Michael Bursell
  • Publication number: 20160127184
    Abstract: Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.
    Type: Application
    Filed: January 12, 2016
    Publication date: May 5, 2016
    Inventor: Michael Bursell