Patents by Inventor Osman Surkatty

Osman Surkatty has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11604669
    Abstract: Systems and methods are provided for efficiently configuring an execution environment for an on-demand code execution system to handle a single request (or session) for a single user. Once the session or request is complete, the execution environment is reset, such as by having the hardware processor state, memory, and storage reset. In particular, prior to the execution of code, state of the execution environment of the host computing device is retrieved, such as hardware processor(s), memory, and/or storage state. Moreover, during execution of the code instructions, intermediate state can be gathered. Following the execution of the code, the execution environment is reset based on the saved state related to the hardware processor(s), memory, and/or storage. A subsequent code execution securely occurs in the execution environment and the execution environment is reset again, and so forth.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: March 14, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Marc Brooker, Mikhail Danilov, Osman Surkatty, Tao Chen
  • Patent number: 11582025
    Abstract: Systems and methods are described for providing secure storage of data sets while enabling efficient deduplication of data. Each data set can be divided into fixed-length blocks. The plaintext of each block can be convergently encrypted, such as by using a hash of the plaintext as an encryption key, to result in block-level ciphertext that can be stored. If two data sets share blocks, the resulting block-level ciphertext can be expected to overlap, and thus duplicative block-level ciphertexts need not be stored. A manifest can be created to facilitate re-creation of the data set, which manifest identifies the block-level ciphertexts of the data set and a key by which each block-level ciphertext was encrypted. By use of block-level encryption, nearly identical data sets can be largely deduplicated, even if they are not perfectly identical.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: February 14, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Marc Brooker, Derek Manwaring, Osman Surkatty, Mikhail Danilov, Peter Martin McDonnell, Stefan Schneider
  • Patent number: 11546324
    Abstract: Systems and methods are provided for scoped credentials within secure execution environments executing within virtual machine instances in an on-demand code execution system. In the on-demand code execution system, the execution environments are reset after every request or session. By resetting the single execution environment after each request or session, security issues are addressed, such as side-channel attacks and persistent malware. Additionally, the use of scoped credentials improves security by limiting the access rights for each code execution request or session to the smallest atomic level for the request or session. Following the request or session, the scoped credential is invalidated.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: January 3, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Marc Brooker, Osman Surkatty, Mikhail Danilov
  • Patent number: 11470048
    Abstract: Systems and methods are described for providing on-demand virtual private environments (VPEs) to serverless code executions. Each VPE can represent a logical isolated network environment. On receiving a request to execute code, an on-demand code execution system can generate a VPE for the code and provision the VPE with network endpoints and gateways that provide access to network services and locations that the code is permitted to access, which services and locations can be identified based on permissions for the code. The on-demand code execution system can then execute the code within an execution environment attached to the VPE, such that network transmissions caused by the code are subject to network-level enforcement of the permissions for the code.
    Type: Grant
    Filed: June 25, 2020
    Date of Patent: October 11, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Osman Surkatty, David Yanacek
  • Patent number: 11329803
    Abstract: Systems and methods are described for providing storage of encrypted data sets, deduplication of such data sets, and control of the redundancy of those data sets. A form of modified convergent encryption can be employed, whereby an encryption key for a data set is selected based on a combination of the plaintext of the data set and a salt value, with the salt value being selected from a number of permutations corresponding to a desired redundancy of the data set in a storage system. Accordingly, a given data set can result in a number of ciphertexts equal to the desired redundancy, and deduplication can occur by removing duplicative instances of individual ciphertexts. Salt values can be selected according to a variety of criteria, including user-based, time-based, and location-based criteria.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: May 10, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Marc Brooker, Osman Surkatty, Derek Manwaring, Mikhail Danilov, Peter Martin McDonnell, Stefan Schneider
  • Publication number: 20220103338
    Abstract: Systems and methods are described for providing secure storage of data sets while enabling efficient deduplication of data. Each data set can be divided into fixed-length blocks. The plaintext of each block can be convergently encrypted, such as by using a hash of the plaintext as an encryption key, to result in block-level ciphertext that can be stored. If two data sets share blocks, the resulting block-level ciphertext can be expected to overlap, and thus duplicative block-level ciphertexts need not be stored. A manifest can be created to facilitate re-creation of the data set, which manifest identifies the block-level ciphertexts of the data set and a key by which each block-level ciphertext was encrypted. By use of block-level encryption, nearly identical data sets can be largely deduplicated, even if they are not perfectly identical.
    Type: Application
    Filed: September 29, 2020
    Publication date: March 31, 2022
    Inventors: Marc Brooker, Derek Manwaring, Osman Surkatty, Mikhail Danilov, Peter Martin McDonnell, Stefan Schneider
  • Publication number: 20220103339
    Abstract: Systems and methods are described for providing storage of encrypted data sets, deduplication of such data sets, and control of the redundancy of those data sets. A form of modified convergent encryption can be employed, whereby an encryption key for a data set is selected based on a combination of the plaintext of the data set and a salt value, with the salt value being selected from a number of permutations corresponding to a desired redundancy of the data set in a storage system. Accordingly, a given data set can result in a number of ciphertexts equal to the desired redundancy, and deduplication can occur by removing duplicative instances of individual ciphertexts. Salt values can be selected according to a variety of criteria, including user-based, time-based, and location-based criteria.
    Type: Application
    Filed: September 29, 2020
    Publication date: March 31, 2022
    Inventors: Marc Brooker, Osman Surkatty, Derek Manwaring, Mikhail Danilov, Peter Martin McDonnell, Stefan Schneider
  • Publication number: 20210240509
    Abstract: Systems and methods are provided for efficiently configuring an execution environment for an on-demand code execution system to handle a single request (or session) for a single user. Once the session or request is complete, the execution environment is reset, such as by having the hardware processor state, memory, and storage reset. In particular, prior to the execution of code, state of the execution environment of the host computing device is retrieved, such as hardware processor(s), memory, and/or storage state. Moreover, during execution of the code instructions, intermediate state can be gathered. Following the execution of the code, the execution environment is reset based on the saved state related to the hardware processor(s), memory, and/or storage. A subsequent code execution securely occurs in the execution environment and the execution environment is reset again, and so forth.
    Type: Application
    Filed: February 5, 2020
    Publication date: August 5, 2021
    Inventors: Marc Brooker, Mikhail Danilov, Osman Surkatty, Tao Chen
  • Patent number: 10540270
    Abstract: Systems and methods are disclosed herein for performing automated testing of software. Information characterizing a set of application programming interface (API) calls is associated with the software. Dependencies between the API calls are determined using the information and a representation is generated using the dependencies. The dependencies of the representation are verified by providing API requests to the API calls. The verified representation is provided for automated testing of an API and the associated API calls.
    Type: Grant
    Filed: January 25, 2018
    Date of Patent: January 21, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Osman Surkatty, Josh Phelan Dukes, Khai Tran, Oleg Mitrofanov
  • Patent number: 10075459
    Abstract: A computing system that provides virtual computing services may generate and manage remote computing sessions between client computing devices and virtual desktop instances hosted on the service provider's network. Each virtual desktop instance may include a network interface for communication between the virtual desktop instance and client computing devices, and a second interface that connects the virtual desktop instance to entities on other networks (e.g., Internet destinations, or shared resources on an internal network).
    Type: Grant
    Filed: January 22, 2014
    Date of Patent: September 11, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Deepak Suryanarayanan, Colin Harrison Brace, Malcolm Russell Ah Kun, Osman Surkatty, Supreeth Koushik Sheshadri
  • Patent number: 9703974
    Abstract: A method and system are disclosed for coordinated file system security via rules. A file system condition rule can specify any of a wide variety of file system conditions related to security risks, such as sensitive information in impermissible locations, impermissible file permissions, stray files, and the like. The rules can be administered at a central location and distributed across machines. The machines can then execute the rules against their local file systems. The rules can further specify actions to be taken, including deleting files, sanitizing files, sending an alert, or the like. Violations can be tracked and analyzed to determine what is causing recurring scenarios. A web service can expose the technologies to cloud service consumers.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: July 11, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Osman Surkatty