Who is the assignee on this patent?

Stickle Thomas C, Amazon Tech Inc

What technology area does this patent fall under?

Primary CPC classification G06F21/57. Mapped technology areas include Physics.

When was this patent published?

Publication date Tue Apr 14 2015 00:00:00 GMT+0000 (Coordinated Universal Time) (B1). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).

Validating machine images

US9009840B1 · US · B1

Patent metadata
Field	Value
Publication number	US-9009840-B1
Application number	US-201213356497-A
Country	US
Kind code	B1
Filing date	Jan 23, 2012
Priority date	Jan 23, 2012
Publication date	Apr 14, 2015
Grant date	Apr 14, 2015

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

In a resource-on-demand environment, virtual machine images are validated before use. A provider or source of a virtual machine image may generate a manifest, indicating executable components of the machine image. Before use, a created virtual machine may compare its executable components with those specified by the manifest. To ensure authenticity, the manifest may be associated with a signature, and the virtual machine may use the signature to verify the manifest and the source of the machine image.

First claim

Opening claim text (preview).

The invention claimed is: 1. A resource provider, comprising: a plurality of stored machine images; source manifests corresponding respectively to the stored machine images, wherein each source manifest indicates executable components of the corresponding stored machine image; verifiable signatures corresponding respectively to the source manifests; one or more processors configured to perform actions comprising: receiving, using a application programming interface, a plurality of machine images; storing the plurality of machine images as the plurality of stored machine images; using a specified one of the stored machine images, creating a virtual machine associated with the specified one of the stored machine images; installing an inventory module to execute on the virtual machine associated with the specified one of the stored machine images; executing the inventory module in conjunction with a startup or booting of the virtual machine associated with the specified one of the stored machine images; generating, by the inventory module, a source manifest corresponding to the specified one of the stored machine images; signing the source manifest corresponding to the specified one of the stored machine images to generate a verifiable signature; receiving a request to create a virtual machine based at least in part on the specified one of the stored machine images; inventorying, by the inventory module, the specified one of the stored machine images to identify executable components of the specified one of the stored machine images; and validating the specified one of the stored machine images by (a) verifying the signature of the source manifest corresponding to the specified one of the stored machine images and (b) comparing the identified executable components of the specified one of the stored machine images with the source manifest corresponding to the specified one of the stored machine images. 2. The resource provider of claim 1 , the actions further comprising creating the virtual machine based at least in part on the specified one of the stored machine images. 3. The resource provider of claim 1 , wherein the validating is performed upon initialization of the virtual machine. 4. The resource provider of claim 1 , wherein verifying the signature of the source manifest comprises cryptographically determining that the signature was generated on behalf of a trusted entity. 5. The resource provider of claim 1 , further comprising one or more certificates corresponding to trusted entities that have generated the verifiable signatures, wherein verifying the signature of the source manifest is based at least in part upon information specified by the one or more certificates. 6. The resource provider of claim 1 , the actions further comprising: receiving submitted machine images; storing the submitted machine images; creating the source manifests based at least in part on the submitted machine images; and creating the verifiable signatures based at least in part on the created source manifests. 7. A method performed by a virtual machine with respect to a first machine image, the method comprising: under control of one or more processors configured with executable instructions, receiving a plurality of machine images; storing the plurality of machine images; using a first machine image of the plurality of stored machine images, creating a first virtual machine associated with the first machine image; installing an inventory module to execute on the first virtual machine associated with the first machine image; executing the inventory module in conjunction with a startup or booting of the first virtual machine associated with the first machine image; generating, by the inventory module, a source manifest corresponding to the first machine image; signing the source manifest corresponding to the first machine image to generate a verifiable signature; receiving a request to generate a second virtual machine based at least in part on the first machine image; inventorying, by the inventory module, the first machine image to identify executable components of the first machine image; and validating the first machine image by (a) verifying the signature of the source manifest corresponding to the first machine image and (b) comparing the identified executable components of the first machine image with the source manifest corresponding to the first machine image. 8. The method of claim 7 , wherein the method further comprises validating the source manifest comprises by verifying the signature of the source manifest. 9. The method of claim 8 , wherein validating the source manifest comprises identifying a source of the first machine image based at least in part on the signature associated with the source manifest. 10. The method of claim 8 , wherein validating the source manifest comprises identifying a trusted source of the first machine image. 11. The method of claim 8 , wherein validating the source manifest is based at least in part on a public key infrastructure. 12. A method comprising: under control of one or more processors configured with executable instructions, receiving, using an application programming interface, a plurality of machine images; storing the plurality of machine images; using a first machine image of the plurality of stored machine images, creating a first virtual machine associated with the first machine image; installing an inventory module to execute on the first virtual machine; executing the inventory module in conjunction with a startup or booting of the first virtual machine; generating, by the inventory module, a source manifest corresponding to the first machine image; signing the source manifest corresponding to the first machine image to generate a verifiable signature; receiving a request to create a second virtual machine based at least in part on the first machine image; inventorying, by the inventory module, the first machine image to identify executable components of the first machine image; and validating the first machine image by (a) verifying the signature of the source manifest corresponding to the first machine image and (b) comparing the identified executable components of the first machine image with the source manifest corresponding to the first machine image. 13. The method of claim 12 , further comprising: validating the first virtual machine by verifying the signature associated with the source manifest of the specified one of the stored machine images. 14. The method of claim 12 , wherein the validating is performed by the first virtual machine during initialization of the first virtual machine. 15. The method of claim 12 , wherein the signatures are verifiable based at least on part on information specified by one or more cryptographic certificates. 16. The method of claim 12 , further comprising storing one or more certificates with the source manifest, wherein the signature is verifiable based at least on part on information specified by the one or more certificates. 17. The method of claim 12 , wherein the first machine image is inventoried to identify executable components of the first machine image in response to receiving the request to create the second virtual machine. 18. The method of claim 12 , further comprising: in response to (i) receiving the request to create the second virtual machine and (ii) validating the first machine image, creating the second virtual machine based at least in part on the first machine image. 19

Assignees

Inventors

Stickle Thomas C

Classifications

G06F21/57Primary
Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities · CPC title
G06F21/10
Protecting distributed programs or content, e.g. vending or licensing of copyrighted material (protection in video systems or pay television H04N7/16) {; Digital rights management [DRM]} · CPC title
G06F21/53
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
G06F21/12Primary
Protecting executable software · CPC title
G06F21/50
Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems · CPC title

Patent family

Related publications grouped by family.

View patent family 52782436

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9009840B1 cover?: In a resource-on-demand environment, virtual machine images are validated before use. A provider or source of a virtual machine image may generate a manifest, indicating executable components of the machine image. Before use, a created virtual machine may compare its executable components with those specified by the manifest. To ensure authenticity, the manifest may be associated with a signatu…
Who is the assignee on this patent?: Stickle Thomas C, Amazon Tech Inc
What technology area does this patent fall under?: Primary CPC classification G06F21/57. Mapped technology areas include Physics.
When was this patent published?: Publication date Tue Apr 14 2015 00:00:00 GMT+0000 (Coordinated Universal Time) (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).