Security protocols for low latency execution of program code

Description

BACKGROUND

Generally described, computing devices utilize a communication network, or a series of communication networks, to exchange data. Companies and organizations operate computer networks that interconnect a number of computing devices to support operations or provide services to third parties. The computing systems can be located in a single geographic location or located in multiple, distinct geographic locations (e.g., interconnected via private or public communication networks). Specifically, data centers or data processing centers, herein generally referred to as a “data center,” may include a number of interconnected computing systems to provide computing resources to users of the data center. The data centers may be private data centers operated on behalf of an organization or public data centers operated on behalf, or for the benefit of, the general public.

To facilitate increased utilization of data center resources, virtualization technologies may allow a single physical computing device to host one or more instances of virtual machines that appear and operate as independent computing devices to users of a data center. With virtualization, the single physical computing device can create, maintain, delete, or otherwise manage virtual machines in a dynamic manner. In turn, users can request computer resources from a data center, including single computing devices or a configuration of networked computing devices, and be provided with varying numbers of virtual machine resources.

In some scenarios, virtual machine instances may be configured according to a number of virtual machine instance types to provide specific functionality. For example, various computing devices may be associated with different combinations of operating systems or operating system configurations, virtualized hardware resources and software applications to enable a computing device to provide different desired functionalities, or to provide similar functionalities more efficiently. These virtual machine instance type configurations are often contained within a device image, which includes static data containing the software (e.g., the OS and applications together with their configuration and data files, etc.) that the virtual machine will run once started. The device image is typically stored on the disk used to create or initialize the instance. Thus, a computing device may process the device image in order to implement the desired software configuration.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing aspects and many of the attendant advantages of this disclosure will become more readily appreciated as the same become better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:

FIG. 1 is a block diagram depicting an illustrative environment for providing low latency compute capacity, according to an example aspect.

FIG. 2 depicts a general architecture of a computing device providing a security manager for managing security in an environment for providing low latency compute capacity, as implemented by a virtual compute system, such as the virtual compute system of FIG. 1.

FIG. 3 is a flow diagram illustrating a security routine which involves a user-specified security policy, as implemented by a virtual compute system, such as the virtual compute system of FIG. 1.

FIG. 4 is a flow diagram illustrating a security routine which involves interfacing with an auxiliary service, as implemented by a virtual compute system, such as the virtual compute system of FIG. 1.

FIG. 5 is a flow diagram illustrating a security routine which involves executing program code in portions associated with different levels of trust, as implemented by a virtual compute system, such as the virtual compute system of FIG. 1.

FIG. 6 is a block diagram depicting an illustrative environment for a security routine which involves interfacing with an auxiliary service, as implemented by a virtual compute system, such as the virtual compute system of FIG. 1.

FIG. 7 is a block diagram depicting an illustrative environment for a security routine which involves executing program code in portions associated with different levels of trust, as implemented by a virtual compute system, such as the virtual compute system of FIG. 1.

DETAILED DESCRIPTION

Companies and organizations no longer need to acquire and manage their own data centers in order to perform computing operations (e.g., execute code, including threads, programs, functions, software, routines, subroutines, processes, etc.). With the advent of cloud computing, storage space and compute power traditionally provided by hardware computing devices can now be obtained and configured in minutes over the Internet. Thus, developers can quickly purchase a desired amount of computing resources without having to worry about acquiring physical machines. Such computing resources are typically purchased in the form of virtual computing resources, or virtual machine instances. These instances of virtual machines are software implementations of physical machines (e.g., computers), which are hosted on physical computing devices and may contain their own operating systems and other applications that are traditionally provided on physical machines. These virtual machine instances are configured with a set of computing resources (e.g., memory, CPU, disk, network, etc.) that applications running on the virtual machine instances may request and can be utilized in the same manner as physical computers.

However, even when virtual computing resources are purchased (e.g., in the form of virtual machine instances), developers still have to decide how many and what type of virtual machine instances to purchase, and how long to keep them. For example, the costs of using the virtual machine instances may vary depending on the type and the number of hours they are rented. In addition, the minimum time a virtual machine may be rented is typically on the order of hours. Further, developers have to specify the hardware and software resources (e.g., type of operating systems and language runtimes, etc.) to install on the virtual machines. Other concerns that they might have include over-utilization (e.g., acquiring too little computing resources and suffering performance issues), under-utilization (e.g., acquiring more computing resources than necessary to run the codes, and thus overpaying), prediction of change in traffic (e.g., so that they know when to scale up or down), and instance and language runtime startup delay, which can take 3-10 minutes, or longer, even though users may desire computing capacity on the order of seconds or even milliseconds. Thus, an improved method of allowing users to take advantage of the virtual machine instances provided by service providers is desired.

According to aspects of the present disclosure, by maintaining a pool of pre-initialized virtual machine instances that are ready for use as soon as a user request is received, delay (sometimes referred to as latency) associated with executing the user code (e.g., instance and language runtime startup time) can be significantly reduced.

Generally described, aspects of the present disclosure relate to the management of virtual machine instances and containers created therein. Specifically, systems and methods are disclosed which facilitate management of virtual machine instances in a virtual compute system. The virtual compute system maintains a pool of virtual machine instances that have one or more software components (e.g., operating systems, language runtimes, libraries, etc.) loaded thereon. Maintaining the pool of virtual machine instances may involve creating a new instance, acquiring a new instance from an external instance provisioning service, destroying an instance, assigning/reassigning an instance to a user, modifying an instance (e.g., containers or resources therein), etc. The virtual machine instances in the pool can be designated to service user requests to execute program codes. In the present disclosure, the phrases “program code,” “user code,” and “cloud function” may sometimes be interchangeably used. The program codes can be executed in isolated containers that are created on the virtual machine instances. Since the virtual machine instances in the pool have already been booted and loaded with particular operating systems and language runtimes by the time the requests are received, the delay associated with finding compute capacity that can handle the requests (e.g., by executing the user code in one or more containers created on the virtual machine instances) is significantly reduced.

In another aspect, a virtual compute system may monitor and log information related to the amount of resources allocated for executing user code. By doing so, the virtual compute system may be able to identify opportunities for improving the performance of the user code execution by adjusting the amount of allocated resources. Error rates may be reduced by increasing the amount of allocated resources in the event of over-utilization, and costs associated with executing the user code may be reduced by decreasing the amount of allocated resources in the event of under-utilization.

Specific embodiments and example applications of the present disclosure will now be described with reference to the drawings. These embodiments and example applications are intended to illustrate, and not limit, the present disclosure.

With reference to FIG. 1, a block diagram illustrating an embodiment of a virtual environment 100 will be described. The example shown in FIG. 1 includes a virtual environment 100 in which users (e.g., developers, etc.) of user computing devices 102 may run various program codes using the virtual computing resources provided by a virtual compute system 110.

By way of illustration, various example user computing devices 102 are shown in communication with the virtual compute system 110, including a desktop computer, laptop, and a mobile phone. In general, the user computing devices 102 can be any computing device such as a desktop, laptop, mobile phone (or smartphone), tablet, kiosk, wireless device, and other electronic devices. In addition, the user computing devices 102 may include web services running on the same or different data centers, where, for example, different web services may programmatically communicate with each other to perform one or more techniques described herein. Further, the user computing devices 102 may include Internet of Things (IoT) devices such as Internet appliances and connected devices. The virtual compute system 110 may provide the user computing devices 102 with one or more user interfaces, command-line interfaces (CLI), application programing interfaces (API), and/or other programmatic interfaces for generating and uploading user codes, invoking the user codes (e.g., submitting a request to execute the user codes on the virtual compute system 110), scheduling event-based jobs or timed jobs, tracking the user codes, and/or viewing other logging or monitoring information related to their requests and/or user codes. Although one or more embodiments may be described herein as using a user interface, it should be appreciated that such embodiments may, additionally or alternatively, use any CLIs, APIs, or other programmatic interfaces.

The user computing devices 102 access the virtual compute system 110 over a network 104. The network 104 may be any wired network, wireless network, or combination thereof. In addition, the network 104 may be a personal area network, local area network, wide area network, over-the-air broadcast network (e.g., for radio or television), cable network, satellite network, cellular telephone network, or combination thereof. For example, the network 104 may be a publicly accessible network of linked networks, possibly operated by various distinct parties, such as the Internet. In some embodiments, the network 104 may be a private or semi-private network, such as a corporate or university intranet. The network 104 may include one or more wireless networks, such as a Global System for Mobile Communications (GSM) network, a Code Division Multiple Access (CDMA) network, a Long Term Evolution (LTE) network, or any other type of wireless network. The network 104 can use protocols and components for communicating via the Internet or any of the other aforementioned types of networks. For example, the protocols used by the network 104 may include Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), Message Queue Telemetry Transport (MQTT), Constrained Application Protocol (CoAP), and the like. Protocols and components for communicating via the Internet or any of the other aforementioned types of communication networks are well known to those skilled in the art and, thus, are not described in more detail herein.

The virtual compute system 110 is depicted in FIG. 1 as operating in a distributed computing environment including several computer systems that are interconnected using one or more computer networks. The virtual compute system 110 could also operate within a computing environment having a fewer or greater number of devices than are illustrated in FIG. 1. Thus, the depiction of the virtual compute system 110 in FIG. 1 should be taken as illustrative and not limiting to the present disclosure. For example, the virtual compute system 110 or various constituents thereof could implement various Web services components, hosted or “cloud” computing environments, and/or peer-to-peer network configurations to implement at least a portion of the processes described herein.

Further, the virtual compute system 110 may be implemented in hardware and/or software and may, for instance, include one or more physical or virtual servers implemented on physical computer hardware configured to execute computer executable instructions for performing various features that will be described herein. The one or more servers may be geographically dispersed or geographically co-located, for instance, in one or more data centers.

In the environment illustrated FIG. 1, the virtual environment 100 includes a virtual compute system 110, which includes a frontend 120, a warming pool manager 130, a worker manager 140, and a security manager 150. In the depicted example, virtual machine instances (“instances”) 152, 154 are shown in a warming pool 130A managed by the warming pool manager 130, and instances 156, 157, 158, 159 are shown in an active pool 140A managed by the worker manager 140. The illustration of the various components within the virtual compute system 110 is logical in nature and one or more of the components can be implemented by a single computing device or multiple computing devices. For example, the instances 152, 154, 156, 157, 158, 159 can be implemented on one or more physical computing devices in different various geographic regions. Similarly, each of the frontend 120, the warming pool manager 130, the worker manager 140, and the security manager 150 can be implemented across multiple physical computing devices. Alternatively, one or more of the frontend 120, the warming pool manager 130, the worker manager 140, and the security manager 150 can be implemented on a single physical computing device. In some embodiments, the virtual compute system 110 may comprise multiple frontends, multiple warming pool managers, multiple worker managers, and/or multiple capacity managers. Although six virtual machine instances are shown in the example of FIG. 1, the embodiments described herein are not limited as such, and one skilled in the art will appreciate that the virtual compute system 110 may comprise any number of virtual machine instances implemented using any number of physical computing devices. Similarly, although a single warming pool and a single active pool are shown in the example of FIG. 1, the embodiments described herein are not limited as such, and one skilled in the art will appreciate that the virtual compute system 110 may comprise any number of warming pools and active pools.

In the example of FIG. 1, the virtual compute system 110 is illustrated as being connected to the network 104. In some embodiments, any of the components within the virtual compute system 110 can communicate with other components (e.g., the user computing devices 102 and auxiliary services 106, which may include monitoring/logging/billing services 107, storage service 108, an instance provisioning service 109, and/or other services that may communicate with the virtual compute system 110) of the virtual environment 100 via the network 104. In other embodiments, not all components of the virtual compute system 110 are capable of communicating with other components of the virtual environment 100. In one example, only the frontend 120 may be connected to the network 104, and other components of the virtual compute system 110 may communicate with other components of the virtual environment 100 via the frontend 120.

Users may use the virtual compute system 110 to execute user code thereon. For example, a user may wish to run a piece of code in connection with a web or mobile application that the user has developed. One way of running the code would be to acquire virtual machine instances from service providers who provide infrastructure as a service, configure the virtual machine instances to suit the user's needs, and use the configured virtual machine instances to run the code. Alternatively, the user may send a code execution request to the virtual compute system 110. The virtual compute system 110 can handle the acquisition and configuration of compute capacity (e.g., containers, instances, etc., which are described in greater detail below) based on the code execution request, and execute the code using the compute capacity. The virtual compute system 110 may automatically scale up and down based on the volume, thereby relieving the user from the burden of having to worry about over-utilization (e.g., acquiring too little computing resources and suffering performance issues) or under-utilization (e.g., acquiring more computing resources than necessary to run the codes, and thus overpaying).

The frontend 120 processes all the requests to execute user code on the virtual compute system 110. In one embodiment, the frontend 120 serves as a front door to all the other services provided by the virtual compute system 110. The frontend 120 processes the requests and makes sure that the requests are properly authorized. For example, the frontend 120 may determine whether the user associated with the request is authorized to access the user code specified in the request.

The user code as used herein may refer to any program code (e.g., a program, routine, subroutine, thread, etc.) written in a specific program language. In the present disclosure, the terms “code,” “user code,” and “program code,” may be used interchangeably. Such user code may be executed to achieve a specific task, for example, in connection with a particular web application or mobile application developed by the user. For example, the user codes may be written in JavaScript (node.js), Java, Python, and/or Ruby. The request may include the user code (or the location thereof) and one or more arguments to be used for executing the user code. For example, the user may provide the user code along with the request to execute the user code. In another example, the request may identify a previously uploaded program code (e.g., using the API for uploading the code) by its name or its unique ID. In yet another example, the code may be included in the request as well as uploaded in a separate location (e.g., the storage service 108 or a storage system internal to the virtual compute system 110) prior to the request is received by the virtual compute system 110. The virtual compute system 110 may vary its code execution strategy based on where the code is available at the time the request is processed.

The frontend 120 may receive the request to execute such user codes in response to Hypertext Transfer Protocol Secure (HTTPS) requests from a user. Also, any information (e.g., headers and parameters) included in the HTTPS request may also be processed and utilized when executing the user code. As discussed above, any other protocols, including, for example, HTTP, MQTT, and CoAP, may be used to transfer the message containing the code execution request to the frontend 120. The frontend 120 may also receive the request to execute such user codes when an event is detected, such as an event that the user has registered to trigger automatic request generation. For example, the user may have registered the user code with an auxiliary service 106 and specified that whenever a particular event occurs (e.g., a new file is uploaded), the request to execute the user code is sent to the frontend 120. Alternatively, the user may have registered a timed job (e.g., execute the user code every 24 hours). In such an example, when the scheduled time arrives for the timed job, the request to execute the user code may be sent to the frontend 120. In yet another example, the frontend 120 may have a queue of incoming code execution requests, and when the user's batch job is removed from the virtual compute system's work queue, the frontend 120 may process the user request. In yet another example, the request may originate from another component within the virtual compute system 110 or other servers or services not illustrated in FIG. 1.

A user request may specify one or more third-party libraries (including native libraries) to be used along with the user code. In one embodiment, the user request is a ZIP file containing the user code and any libraries (and/or identifications of storage locations thereof). In some embodiments, the user request includes metadata that indicates the program code to be executed, the language in which the program code is written, the user associated with the request, and/or the computing resources (e.g., memory, CPU, storage, network packets, etc.) to be reserved for executing the program code. For example, the program code may be provided with the request, previously uploaded by the user, provided by the virtual compute system 110 (e.g., standard routines), and/or provided by third parties. In some embodiments, resource-level constraints (e.g., how much memory is to be allocated for executing a particular user code) are specified for the particular user code, and may not vary over each execution of the user code. In such cases, the virtual compute system 110 may have access to such resource-level constraints before each individual request is received, and the individual requests may not specify such resource-level constraints. In some embodiments, the resource-level constraints are adjusted over time and may vary across different executions of a single program code. For example, the same program code may be used to process two different sets of data, where one set of data requires more resources than the other. In such a case, the user may specify different resource constraints for the two different executions or the virtual compute system 110 may automatically adjust the amount of resources allocated to each execution of the program code based on spatial (e.g., in other parts of the virtual compute system 110) or historical (e.g., over time) trends for the user and/or program code. In some embodiments, the user request may specify other constraints such as permission data that indicates what kind of permissions that the request has to execute the user code. Such permission data may be used by the virtual compute system 110 to access private resources (e.g., on a private network).

In some embodiments, the user request may specify the behavior that should be adopted for handling the user request. In such embodiments, the user request may include an indicator for enabling one or more execution modes in which the user code associated with the user request is to be executed. For example, the request may include a flag or a header for indicating whether the user code should be executed in a debug mode in which the debugging and/or logging output that may be generated in connection with the execution of the user code is provided back to the user (e.g., via a console user interface). In such an example, the virtual compute system 110 may inspect the request and look for the flag or the header, and if it is present, the virtual compute system 110 may modify the behavior (e.g., logging facilities) of the container in which the user code is executed, and cause the output data to be provided back to the user. In some embodiments, the behavior/mode indicators are added to the request by the user interface provided to the user by the virtual compute system 110. Other features such as source code profiling, remote debugging, etc. may also be enabled or disabled based on the indication provided in the request.

In some embodiments, the virtual compute system 110 may include multiple frontends 120. In such embodiments, a load balancer may be provided to distribute the incoming requests to the multiple frontends 120, for example, in a round-robin fashion. In some embodiments, the manner in which the load balancer distributes incoming requests to the multiple frontends 120 may be based on the state of the warming pool 130A and/or the active pool 140A. For example, if the capacity in the warming pool 130A is deemed to be sufficient, the requests may be distributed to the multiple frontends 120 based on the individual capacities of the frontends 120 (e.g., based on one or more load balancing restrictions). On the other hand, if the capacity in the warming pool 130A is less than a threshold amount, one or more of such load balancing restrictions may be removed such that the requests may be distributed to the multiple frontends 120 in a manner that reduces or minimizes the number of virtual machine instances taken from the warming pool 130A. For example, even if, according to a load balancing restriction, a request is to be routed to Frontend A, if Frontend A needs to take an instance out of the warming pool 130A to service the request but Frontend B can use one of the instances in its active pool to service the same request, the request may be routed to Frontend B.

The warming pool manager 130 ensures that virtual machine instances are ready to be used by the worker manager 140 when the virtual compute system 110 receives a request to execute user code on the virtual compute system 110. In the example illustrated in FIG. 1, the warming pool manager 130 manages the warming pool 130A, which is a group (sometimes referred to as a pool) of pre-initialized and pre-configured virtual machine instances that may be used to service incoming user code execution requests. In some embodiments, the warming pool manager 130 causes virtual machine instances to be booted up on one or more physical computing machines within the virtual compute system 110 and added to the warming pool 130A. In other embodiments, the warming pool manager 130 communicates with an auxiliary virtual machine instance service (e.g., the instance provisioning service 109 of FIG. 1) to create and add new instances to the warming pool 130A. In some embodiments, the warming pool manager 130 may utilize both physical computing devices within the virtual compute system 110 and one or more virtual machine instance services to acquire and maintain compute capacity that can be used to service code execution requests received by the frontend 120. In some embodiments, the virtual compute system 110 may comprise one or more logical knobs or switches for controlling (e.g., increasing or decreasing) the available capacity in the warming pool 130A. For example, a system administrator may use such a knob or switch to increase the capacity available (e.g., the number of pre-booted instances) in the warming pool 130A during peak hours. In some embodiments, virtual machine instances in the warming pool 130A can be configured based on a predetermined set of configurations independent from a specific user request to execute a user's code. The predetermined set of configurations can correspond to various types of virtual machine instances to execute user codes. The warming pool manager 130 can optimize types and numbers of virtual machine instances in the warming pool 130A based on one or more metrics related to current or previous user code executions.

As shown in FIG. 1, instances may have operating systems (OS) and/or language runtimes loaded thereon. For example, the warming pool 130A managed by the warming pool manager 130 comprises instances 152, 154. The instance 152 includes an OS 152A and a runtime 152B. The instance 154 includes an OS 152A. In some embodiments, the instances in the warming pool 130A may also include containers (which may further contain copies of operating systems, runtimes, user codes, etc.), which are described in greater detail below. Although the instance 152 is shown in FIG. 1 to include a single runtime, in other embodiments, the instances depicted in FIG. 1 may include two or more runtimes, each of which may be used for running a different user code. In some embodiments, the warming pool manager 130 may maintain a list of instances in the warming pool 130A. The list of instances may further specify the configuration (e.g., OS, runtime, container, etc.) of the instances.

In some embodiments, the virtual machine instances in the warming pool 130A may be used to serve any user's request. In one embodiment, all the virtual machine instances in the warming pool 130A are configured in the same or substantially similar manner. In another embodiment, the virtual machine instances in the warming pool 130A may be configured differently to suit the needs of different users. For example, the virtual machine instances may have different operating systems, different language runtimes, and/or different libraries loaded thereon. In yet another embodiment, the virtual machine instances in the warming pool 130A may be configured in the same or substantially similar manner (e.g., with the same OS, language runtimes, and/or libraries), but some of those instances may have different container configurations. For example, two instances may have runtimes for both Python and Ruby, but one instance may have a container configured to run Python code, and the other instance may have a container configured to run Ruby code. In some embodiments, multiple warming pools 130A, each having identically-configured virtual machine instances, are provided.

The warming pool manager 130 may pre-configure the virtual machine instances in the warming pool 130A, such that each virtual machine instance is configured to satisfy at least one of the operating conditions that may be requested or specified by the user request to execute program code on the virtual compute system 110. In one embodiment, the operating conditions may include program languages in which the potential user codes may be written. For example, such languages may include Java, JavaScript, Python, Ruby, and the like. In some embodiments, the set of languages that the user codes may be written in may be limited to a predetermined set (e.g., set of 4 languages, although in some embodiments sets of more or less than four languages are provided) in order to facilitate pre-initialization of the virtual machine instances that can satisfy requests to execute user codes. For example, when the user is configuring a request via a user interface provided by the virtual compute system 110, the user interface may prompt the user to specify one of the predetermined operating conditions for executing the user code. In another example, the service-level agreement (SLA) for utilizing the services provided by the virtual compute system 110 may specify a set of conditions (e.g., programming languages, computing resources, etc.) that user requests should satisfy, and the virtual compute system 110 may assume that the requests satisfy the set of conditions in handling the requests. In another example, operating conditions specified in the request may include: the amount of compute power to be used for processing the request; the type of the request (e.g., HTTP vs. a triggered event); the timeout for the request (e.g., threshold time after which the request may be terminated); security policies (e.g., may control which instances in the warming pool 130A are usable by which user); and etc.

The worker manager 140 manages the instances used for servicing incoming code execution requests. In the example illustrated in FIG. 1, the worker manager 140 manages the active pool 140A, which is a group (sometimes referred to as a pool) of virtual machine instances that are currently assigned to one or more users. Although the virtual machine instances are described here as being assigned to a particular user, in some embodiments, the instances may be assigned to a group of users, such that the instance is tied to the group of users and any member of the group can utilize resources on the instance. For example, the users in the same group may belong to the same security group (e.g., based on their security credentials) such that executing one member's code in a container on a particular instance after another member's code has been executed in another container on the same instance does not pose security risks. Similarly, the worker manager 140 may assign the instances and the containers according to one or more policies that dictate which requests can be executed in which containers and which instances can be assigned to which users. An example policy may specify that instances are assigned to collections of users who share the same account (e.g., account for accessing the services provided by the virtual compute system 110). In some embodiments, the requests associated with the same user group may share the same containers (e.g., if the user codes associated therewith are identical). In some embodiments, a request does not differentiate between the different users of the group and simply indicates the group to which the users associated with the requests belong.

In the example illustrated in FIG. 1, user codes are executed in isolated compute systems referred to as containers. Containers are logical units created within a virtual machine instance using the resources available on that instance. For example, the worker manager 140 may, based on information specified in the request to execute user code, create a new container or locate an existing container in one of the instances in the active pool 140A and assign the container to the request to handle the execution of the user code associated with the request. In one embodiment, such containers are implemented as Linux containers. The virtual machine instances in the active pool 140A may have one or more containers created thereon and have one or more program codes associated with the user loaded thereon (e.g., either in one of the containers or in a local cache of the instance).

As shown in FIG. 1, instances may have operating systems (OS), language runtimes, and containers. The containers may have individual copies of the OS and the language runtimes and user codes loaded thereon. In the example of FIG. 1, the active pool 140A managed by the worker manager 140 includes the instances 156, 157, 158, 159. The instance 156 has containers 156A, 156B. The container 156A has OS 156A-1, runtime 156A-2, and code 156A-3 loaded therein. In the depicted example, the container 156A has its own OS, runtime, and code loaded therein. In one embodiment, the OS 156A-1 (e.g., the kernel thereof), runtime 156A-2, and/or code 156A-3 are shared among the containers 156A, 156B (and any other containers not illustrated in FIG. 1). In another embodiment, the OS 156A-1 (e.g., any code running outside the kernel), runtime 156A-2, and/or code 156A-3 are independent copies that are created for the container 156A and are not shared with other containers on the instance 156. In yet another embodiment, some portions of the OS 156A-1, runtime 156A-2, and/or code 156A-3 are shared among the containers on the instance 156, and other portions thereof are independent copies that are specific to the container 156A. The instance 157 includes containers 157A, 157B, 157C, the instance 158 includes a container 158A, and the instance 159 includes a container 159A.

In the example of FIG. 1, the sizes of the containers depicted in FIG. 1 may be proportional to the actual size of the containers. For example, the container 156A occupies more space than the container 156B on the instance 156. Similarly, the containers 157A, 157B, 157C, 157A may be equally sized, and the container 158A may be larger (e.g., have more computing resources allocated thereto) than the containers 157A, 157B, 157C, 157A. The dotted boxes labeled “C” shown in the instance 159 indicate the space remaining on the instances that may be used to create new instances. In some embodiments, the sizes of the containers may be 64 MB or any multiples thereof. In other embodiments, the sizes of the containers may be any arbitrary size smaller than or equal to the size of the instances in which the containers are created. In some embodiments, the sizes of the containers may be any arbitrary size smaller than, equal to, or larger than the size of the instances in which the containers are created. By how much the sizes of the containers can exceed the size of the instance may be determined based on how likely that those containers might be utilized beyond the capacity provided by the instance. For example, five containers having a memory size of 1 GB (5 GB in total) may be created in an instance having a memory size of 4 GB. If each of the containers does not reach the full capacity of 1 GB, the containers may function properly despite the over-subscription.

Although the components inside the containers 156B, 157A, 157B, 157C, 158A, 157A are not illustrated in the example of FIG. 1, each of these containers may have various operating systems, language runtimes, libraries, and/or user code. In some embodiments, instances may have user codes loaded thereon (e.g., in an instance-level cache), and containers within those instances may also have user codes loaded therein. In some embodiments, the worker manager 140 may maintain a list of instances in the active pool 140A. The list of instances may further specify the configuration (e.g., OS, runtime, container, etc.) of the instances. In some embodiments, the worker manager 140 may have access to a list of instances in the warming pool 130A (e.g., including the number and type of instances). In other embodiments, the worker manager 140 requests compute capacity from the warming pool manager 130 without having knowledge of the virtual machine instances in the warming pool 130A.

After a request has been successfully processed by the frontend 120, the worker manager 140 finds capacity to service the request to execute user code on the virtual compute system 110. For example, if there exists a particular virtual machine instance in the active pool 140A that has a container with the same user code loaded therein (e.g., code 156A-3 shown in the container 156A), the worker manager 140 may assign the container to the request and cause the user code to be executed in the container. Alternatively, if the user code is available in the local cache of one of the virtual machine instances (e.g., stored on the instance 158 but do not belong to any individual containers), the worker manager 140 may create a new container on such an instance, assign the container to the request, and cause the user code to be loaded and executed in the container.

If the worker manager 140 determines that the user code associated with the request is not found on any of the instances (e.g., either in a container or the local cache of an instance) in the active pool 140A, the worker manager 140 may determine whether any of the instances in the active pool 140A is currently assigned to the user associated with the request and has compute capacity to handle the current request. If there is such an instance, the worker manager 140 may create a new container on the instance and assign the container to the request. Alternatively, the worker manager 140 may further configure an existing container on the instance assigned to the user, and assign the container to the request. For example, the worker manager 140 may determine that the existing container may be used to execute the user code if a particular library demanded by the current user request is loaded thereon. In such a case, the worker manager 140 may load the particular library and the user code onto the container and use the container to execute the user code.

If the active pool 140A does not contain any instances currently assigned to the user, the worker manager 140 pulls a new virtual machine instance from the warming pool 130A, assigns the instance to the user associated with the request, creates a new container on the instance, assigns the container to the request, and causes the user code to be downloaded and executed on the container.

In some embodiments, the virtual compute system 110 is adapted to begin execution of the user code shortly after it is received (e.g., by the frontend 120). A time period can be determined as the difference in time between initiating execution of the user code (e.g., in a container on a virtual machine instance associated with the user) and receiving a request to execute the user code (e.g., received by a frontend). The virtual compute system 110 is adapted to begin execution of the user code within a time period that is less than a predetermined duration. In one embodiment, the predetermined duration is 500 ms. In another embodiment, the predetermined duration is 300 ms. In another embodiment, the predetermined duration is 100 ms. In another embodiment, the predetermined duration is 50 ms. In another embodiment, the predetermined duration is 10 ms. In another embodiment, the predetermined duration may be any value chosen from the range of 10 ms to 500 ms. In some embodiments, the virtual compute system 110 is adapted to begin execution of the user code within a time period that is less than a predetermined duration if one or more conditions are satisfied. For example, the one or more conditions may include any one of: (1) the user code is loaded on a container in the active pool 140A at the time the request is received; (2) the user code is stored in the code cache of an instance in the active pool 140A at the time the request is received; (3) the active pool 140A contains an instance assigned to the user associated with the request at the time the request is received; or (4) the warming pool 130A has capacity to handle the request at the time the request is received.

The user code may be downloaded from an auxiliary service 106 such as the storage service 108 of FIG. 1. Data 108A illustrated in FIG. 1 may comprise user codes uploaded by one or more users, metadata associated with such user codes, or any other data utilized by the virtual compute system 110 to perform one or more techniques described herein. Although only the storage service 108 is illustrated in the example of FIG. 1, the virtual environment 100 may include other levels of storage systems from which the user code may be downloaded. For example, each instance may have one or more storage systems either physically (e.g., a local storage resident on the physical computing system on which the instance is running) or logically (e.g., a network-attached storage system in network communication with the instance and provided within or outside of the virtual compute system 110) associated with the instance on which the container is created. Alternatively, the code may be downloaded from a web-based data store provided by the storage service 108.

Once the worker manager 140 locates one of the virtual machine instances in the warming pool 130A that can be used to serve the user code execution request, the warming pool manager 130 or the worker manager 140 takes the instance out of the warming pool 130A and assigns it to the user associated with the request. The assigned virtual machine instance is taken out of the warming pool 130A and placed in the active pool 140A. In some embodiments, once the virtual machine instance has been assigned to a particular user, the same virtual machine instance cannot be used to service requests of any other user. This provides security benefits to users by preventing possible co-mingling of user resources. Alternatively, in some embodiments, multiple containers belonging to different users (or assigned to requests associated with different users) may co-exist on a single virtual machine instance. Such an approach may improve utilization of the available compute capacity. In some embodiments, the virtual compute system 110 may maintain a separate cache in which user codes are stored to serve as an intermediate level of caching system between the local cache of the virtual machine instances and a web-based network storage (e.g., accessible via the network 104).

After the user code has been executed, the worker manager 140 may tear down the container used to execute the user code to free up the resources it occupied to be used for other containers in the instance. Alternatively, the worker manager 140 may keep the container running to use it to service additional requests from the same user. For example, if another request associated with the same user code that has already been loaded in the container, the request can be assigned to the same container, thereby eliminating the delay associated with creating a new container and loading the user code in the container. In some embodiments, the worker manager 140 may tear down the instance in which the container used to execute the user code was created. Alternatively, the worker manager 140 may keep the instance running to use it to service additional requests from the same user. The determination of whether to keep the container and/or the instance running after the user code is done executing may be based on a threshold time, the type of the user, average request volume of the user, and/or other operating conditions. For example, after a threshold time has passed (e.g., 5 minutes, 30 minutes, 1 hour, 24 hours, 30 days, etc.) without any activity (e.g., running of the code), the container and/or the virtual machine instance is shutdown (e.g., deleted, terminated, etc.), and resources allocated thereto are released. In some embodiments, the threshold time passed before a container is torn down is shorter than the threshold time passed before an instance is torn down.

In some embodiments, the virtual compute system 110 may provide data to one or more of the auxiliary services 106 as it services incoming code execution requests. For example, the virtual compute system 110 may communicate with the monitoring/logging/billing services 107. The monitoring/logging/billing services 107 may include: a monitoring service for managing monitoring information received from the virtual compute system 110, such as statuses of containers and instances on the virtual compute system 110; a logging service for managing logging information received from the virtual compute system 110, such as activities performed by containers and instances on the virtual compute system 110; and a billing service for generating billing information associated with executing user code on the virtual compute system 110 (e.g., based on the monitoring information and/or the logging information managed by the monitoring service and the logging service). In addition to the system-level activities that may be performed by the monitoring/logging/billing services 107 (e.g., on behalf of the virtual compute system 110) as described above, the monitoring/logging/billing services 107 may provide application-level services on behalf of the user code executed on the virtual compute system 110. For example, the monitoring/logging/billing services 107 may monitor and/or log various inputs, outputs, or other data and parameters on behalf of the user code being executed on the virtual compute system 110. Although shown as a single block, the monitoring, logging, and billing services 107 may be provided as separate services. The monitoring/logging/billing services 107 may communicate with the security manager 150 to allow the security manager 150 to determine the appropriate security mechanisms and policies to be used for executing the various program codes on the virtual compute system 110.

In some embodiments, the worker manager 140 may perform health checks on the instances and containers managed by the worker manager 140 (e.g., those in the active pool 140A). For example, the health checks performed by the worker manager 140 may include determining whether the instances and the containers managed by the worker manager 140 have any issues of (1) misconfigured networking and/or startup configuration, (2) exhausted memory, (3) corrupted file system, (4) incompatible kernel, and/or any other problems that may impair the performance of the instances and the containers. In one embodiment, the worker manager 140 performs the health checks periodically (e.g., every 5 minutes, every 30 minutes, every hour, every 24 hours, etc.). In some embodiments, the frequency of the health checks may be adjusted automatically based on the result of the health checks. In other embodiments, the frequency of the health checks may be adjusted based on user requests. In some embodiments, the worker manager 140 may perform similar health checks on the instances and/or containers in the warming pool 130A. The instances and/or the containers in the warming pool 130A may be managed either together with those instances and containers in the active pool 140A or separately. In some embodiments, in the case where the health of the instances and/or the containers in the warming pool 130A is managed separately from the active pool 140A, the warming pool manager 130, instead of the worker manager 140, may perform the health checks described above on the instances and/or the containers in the warming pool 130A.

The security manager 150 manages the security of program code executed for incoming requests to execute user code on the virtual compute system 110. For example, the security manager 150 may communicate with the frontend 120, the warming pool manager 130, the worker manager 140, and/or the auxiliary services 106 to configure, monitor, and manage the security settings used for various program codes executed on the virtual compute system 110. Although the security manager 150 is illustrated as a distinct component within the virtual compute system 110, part or all of the functionalities of the security manager 150 may be performed by the frontend 120, the warming pool manager 130, the worker manager 140, and/or the auxiliary services 106. For example, the security manager 150 may be implemented entirely within one of the other components of the virtual compute system 110 or in a distributed manner across the other components of the virtual compute system 110. In the example of FIG. 1, the security manager 150 includes security management data 150A. The security management data 150A may include data including any security policies specified by the users or determined by the security manager 150 for managing the security of program code on the virtual compute system 110, which are described below in greater detail.

As discussed above, the request itself may specify the security policy, including security settings and parameters to be used for executing the program code associated with the request. For example, certain users of the virtual compute system 110 may be trusted and thus the virtual compute system 110 may provide the capability for such users to customize security settings associated with functions in their program code to enable the flexibility offered by executing the program code under less strict security requirements. The request may also specify configuration data usable to enable the program code to communicate with an auxiliary service during execution by the virtual compute system 110. For example, certain users of the virtual compute system 110 may wish to execute certain program code on the virtual compute system 110 that still has the ability to communicate with the user's virtual private cloud or other network-based service in a secured manner. The request may also specify one or more trusted credentials to be used in association with the program code or a portion thereof. For example, certain program code may include “trusted” portions which require the use of a trusted credential (e.g., a secured login associated with the user) during execution, which may present a possible increased security risk if such trusted portions were to be compromised. Program code may also include other portions involving a different level of trust which may not require the use of a trusted credential (e.g., the code may involve a standard file conversion process which may not require any particular credential to be invoked). Thus, it may be possible to split program code into a first portion having a first level of trust and a second portion having a second level of trust using multiple containers with varying levels of security associated with each. After such a request has been processed and a virtual machine instance has been assigned to the user associated with the request, the security manager 150 may configure the virtual machine instance according to the security policy, configuration data, and/or trusted credential information to enable the program code to be executed on the virtual machine instance in a secure or trusted manner. In some embodiments the trusted credential may be managed and/or maintained by the virtual compute system 110 or one of its subsystems, while in other embodiments the trusted credential may be managed and/or maintained by a first or third party credential management system and provided to the virtual compute system 110 on a case by case basis.

In some embodiments, the security manager 150 may, instead of creating a new container and allocating the specified amount of resources to the container, locate an existing container having the specified security settings and cause the program code to be executed in the existing container.

After a container has been created or located, the program code associated with the request is executed in the container. The amount of resources allocated to the container (e.g., requested by the user) and/or the amount of resources actually utilized by the program code may be logged (e.g., by the monitoring/logging/billing services 107 and/or the security manager 150) for further analysis. For example, the logged information may include the amount of memory, the amount of CPU cycles, the amount of network packets, and the amount of storage actually used by the program during one or more executions of the program code in the container. Additionally, the logged information may include any security-related activity performed during execution of the program code (e.g., inbound or outbound network connections made, auxiliary services contacted, trusted credentials which were utilized, etc.), resource utilization, error rates, latency, and any errors or exceptions encountered during the execution of the program code. In some embodiments, any security data which appears suspect (e.g., unauthorized network connections made, unauthorized interaction with an auxiliary service, potential compromise of a trusted credential, and the like) are tagged with a special marking and further analyzed by the security manager 150.

In some embodiments, the security manager 150 may create, or have access to, multiple classes of users, and apply different rules for different classes of users. For example, for more sophisticated users, more control may be given (e.g., control over individual security parameters), whereas for other users, they may be allowed to control only a single representative parameter, and other parameters may be adjusted based on the representative parameter.

In some embodiments, the security manager 150 may, based on the information logged by the monitoring/logging/billing services 107 and/or the security manager 150, provide some guidance to the user as to what the user may do to improve the security of the program code or to reduce risks associated with executing the program code on the virtual compute system 110. For example, the security manager 150 may provide to the user, after seeing repeated occurrences of potential or apparent security breaches, an indication that the user appears to be consistently setting a security parameter too high for running a particular user code. For example, the security parameter may contribute to a higher security risk based on a number of factors. In general, the indication may suggest different settings, configurations, or categorizations for various security parameters. In some embodiments, such an indication is provided to the user after a threshold number of security issues, errors, exceptions, or other telling conditions (e.g., increased latency, unauthorized accesses, etc.) have been processed by the security manager 150. The security manager 150 may provide the indication via any notification mechanism including email, Simple Notification Service (“SNS”), Short Message Service (“SMS”), etc.

In some embodiments, the security manager 150 may utilize code-specific characteristics to improve the security parameters for executing individual program codes. For example, program codes handling image processing might not require a trusted credential, whereas program codes handling databases might require a trusted credential in order to grant permission to access or update the databases. Such code-specific characteristics may be maintained by the security manager 150 and the security policies of individual program codes may be adjusted accordingly.

The security mechanisms described herein may be used in any combination. For example, in one embodiment, a user may specify configuration data for a program code to communicate with an auxiliary service. Such communication may involve the use of a trusted credential (e.g., to login to an account at the auxiliary service associated with the user). Thus, the user may further wish to have the program code executed by two or more containers (e.g., at least one container with a first level of trust, which executes any program code involving communication with the auxiliary service using the trusted credential and another container with a second level of trust which executes other program code without involving communication with the auxiliary service). In another embodiment, the user may provide a security policy in association with program code which also involves communication with an auxiliary service. The user may wish to specify security parameters associated with how the program code executes and interacts with the auxiliary service. In another embodiment, the user may provide a security policy in association with program code which also involves execution of the program code using a multiplicity of containers (e.g., containers having different levels of trust). Thus, the user may want to enable multiple containers to communicate with each other during execution and specify how via the security policy and parameters.

FIG. 2 depicts a general architecture of a computing system (referenced as security manager 150) that manages the virtual machine instances in the virtual compute system 110. The general architecture of the security manager 150 depicted in FIG. 2 includes an arrangement of computer hardware and software modules that may be used to implement aspects of the present disclosure. The security manager 150 may include many more (or fewer) elements than those shown in FIG. 2. It is not necessary, however, that all of these generally conventional elements be shown in order to provide an enabling disclosure. As illustrated, the security manager 150 includes a processing unit 190, a network interface 192, a computer readable medium drive 194, an input/output device interface 196, all of which may communicate with one another by way of a communication bus. The network interface 192 may provide connectivity to one or more networks or computing systems. The processing unit 190 may thus receive information and instructions from other computing systems or services via the network 104. The processing unit 190 may also communicate to and from memory 180 and further provide output information for an optional display (not shown) via the input/output device interface 196. The input/output device interface 196 may also accept input from an optional input device (not shown).

The memory 180 may contain computer program instructions (grouped as modules in some embodiments) that the processing unit 190 executes in order to implement one or more aspects of the present disclosure. The memory 180 generally includes RAM, ROM and/or other persistent, auxiliary or non-transitory computer-readable media. The memory 180 may store an operating system 184 that provides computer program instructions for use by the processing unit 190 in the general administration and operation of the security manager 150. The memory 180 may further include computer program instructions and other information for implementing aspects of the present disclosure. For example, in one embodiment, the memory 180 includes a user interface unit 182 that generates user interfaces (and/or instructions therefor) for display upon a computing device, e.g., via a navigation and/or browsing interface such as a browser or application installed on the computing device. In addition, the memory 180 may include and/or communicate with one or more data repositories (not shown), for example, to access user program codes and/or libraries.

In addition to and/or in combination with the user interface unit 182, the memory 180 may include a program code security policy unit 186 and an auxiliary service and inter-instance interface unit 188 that may be executed by the processing unit 190. In one embodiment, the user interface unit 182, program code security policy unit 186, and auxiliary service and inter-instance interface unit 188 individually or collectively implement various aspects of the present disclosure, e.g., monitoring and logging the execution of program codes on the virtual compute system 110, determining the need for adjusting the security settings for particular instances, containers, and/or requests, etc. as described further below.

The program code security policy unit 186 monitors execution of user code on the virtual compute system 110 and provides containers according to security policies and security mechanisms for executing the user code. As described herein, security policies may be user-specified and provided at the time a request is received by the virtual compute system 110, or at a time prior to execution of the program code such as when the user registers the program code for execution by the virtual compute system 110. Security policy information may be stored at the security management data 150A, for example to facilitate faster access and processing of requests which require a particular security policy to be applied. The security policy information may also be stored with the program code, such as the storage service 108, and accessed at the time the program code is accessed to be loaded onto a container.

The auxiliary service and inter-instance interface unit 188 provide and manage capabilities related to securely allowing containers to interact with one or more auxiliary services (e.g., via virtual private cloud (“VPC:”) tunneling or similar network communication) or with each other (e.g., via inter-process communication (“IPC”) tunneling or similar network communication). Such communications may need to be closely monitored and activity logged in order to identify suspicious network activity that may indicate a security breach. If suspicious activity for a container is identified the auxiliary service and inter-instance interface unit 188 may send a message to the worker manager 140 to shut the container down to minimize any further security breach activity. The auxiliary service and inter-instance interface unit 188 may also send a notification to the user that a particular program code may have been involved in suspicious activity and suggest that the user may need to change the security policy, configuration data, and/or trusted credentials associated with the program code to avoid further security breaches. In some instances the auxiliary service and inter-instance interface unit 188 may, after repeated security breaches (actual or suspected), prevent the program code from being loaded and executed on a container until the user has addressed the issue.

While the program code security policy unit 186 and the auxiliary service and inter-instance interface unit 188 are shown in FIG. 2 as part of the security manager 150, in other embodiments, all or a portion of the program code security policy unit 186 and the auxiliary service and inter-instance interface unit 188 may be implemented by other components of the virtual compute system 110 and/or another computing device. For example, in certain embodiments of the present disclosure, another computing device in communication with the virtual compute system 110 may include several modules or components that operate similarly to the modules and components illustrated as part of the security manager 150.

Turning now to FIG. 3, a routine 300 implemented by one or more components of the virtual compute system 110 (e.g., the security manager 150) will be described. Although routine 300 is described with regard to implementation by the security manager 150, one skilled in the relevant art will appreciate that alternative components may implement routine 300 or that one or more of the blocks may be implemented by a different component or in a distributed manner.

At block 302 of the illustrative routine 300, the security manager 150 receives a request to execute program code. Alternatively, the security manager 150 receives a request from the worker manager 140 of FIG. 1 to determine appropriate security settings for executing the program code associated with an incoming request received and processed by the frontend 120. For example, the frontend 120 may process the request received from the user computing devices 102 or the auxiliary services 106, and forward the request to the worker manager 140 after authenticating the user and determining that the user is authorized to access the specified user code. The worker manager 140 may then forward the request to the security manager 150. As discussed above, the request may include data or metadata that indicates the program code to be executed, the language in which the program code is written, the user associated with the request, and/or the computing resources (e.g., memory, etc.) to be reserved for executing the program code. The request may also include data or metadata that indicates a user-specified security policy. The user-specified security policy may indicate one or more security parameters by which the program code is to be executed. For example, the security parameters may include one or more of: a processing duration limit, a CPU utilization limit, a disk space or other memory limit, a parameter to enable a transmission control protocol (“TCP”) socket connection, a parameter to enable an inbound or an outbound network connection to the container, a parameter to enable the container to communicate with an auxiliary service (such as a virtual private cloud), a parameter to enable the container to communicate with a second container contained on the selected virtual machine instance, a parameter to enable the container to communicate with a second container contained on a second virtual machine instance, and a list of access-restricted functions which the container is permitted to execute in association with the program code.

Next, at block 304, the security manager 150 determines a user-specified security policy based on the request to execute program code. For example, the security manager 150 may receive the security policy with the request as described above. In another scenario, the security manager 150 may access the security policy, for example from the security management data 150A or loaded from the storage service 108. The security policy may relax or modify one or more restraints imposed by the security manager 150 in conjunction with execution of the program code. For example, the security policy may specify that program code loaded on and executed by a container may be allowed to establish inbound or outbound network connections in order to facilitate execution of other program code, such as program code on another container on the virtual machine instance containing the container, program code on another container on a different virtual machine instance, or program code on an auxiliary service. The security policy may further specify whether use of a native code library and other code is allowed in conjunction with execution of the program code.

At block 306, the worker manager 140 acquires compute capacity based on the information indicated in the request, based at least in part on the user-specified security policy. For example, the security policy may specify a user-preferred duration for execution of the program code, and the compute capacity may be acquired for the duration. In another example, the security policy may specify that the program code is permitted to make outbound TCP socket connections, and the compute capacity may be acquired in order to allow outbound TCP socket connections. In some embodiments, the compute capacity comprises a container that is configured to service the code execution request. As discussed herein, the container may be acquired from the active pool 140A or the warming pool 130A. One way in which the compute capacity may be acquired is described in greater detail with respect to FIG. 4 of U.S. application Ser. No. 14/502,810, titled “LOW LATENCY COMPUTATIONAL CAPACITY PROVISIONING,” filed on Sep. 30, 2014, which was previously incorporated by reference in its entirety above. The container may be acquired based on the security policy such that the worker manager 140 can determine whether a container in the active pool 140A or the warming pool 130A is available and configured with the same security policy associated with the program code to be executed for the request. If a similarly-configured container is available, or at least one which is configured in a way that agrees with the security policy, that container may be acquired to service the request.

At block 308, the security manager 150 or the worker manager 140 causes the user code to be executed using the compute capacity and according to the user-specified security policy. For example, the worker manager 140 may send the address of the container assigned to the request to the frontend 120 so that the frontend 120 can proxy the code execution request to the address. In some embodiments, the address may be temporarily reserved by the worker manager 140 and the address and/or the container may automatically be released after a specified time period elapses. In some embodiments, the address and/or the container may automatically be released after the user code has finished executing in the container.

While the routine 300 of FIG. 3 has been described above with reference to blocks 302-308, the embodiments described herein are not limited as such, and one or more blocks may be omitted, modified, or switched without departing from the spirit of the present disclosure.

Turning now to FIG. 4, a routine 400 implemented by one or more components of the virtual compute system 110 (e.g., the security manager 150) will be described. Although routine 400 is described with regard to implementation by the security manager 150, one skilled in the relevant art will appreciate that alternative components may implement routine 400 or that one or more of the blocks may be implemented by a different component or in a distributed manner.

At block 402 of the illustrative routine 400, the virtual compute system 110 receives program code and configuration data for interfacing with an auxiliary service. For example, the user, such as the developer of the program code, may provide associated configuration data that specifies how the program code may initiate a connection or otherwise communicate with the auxiliary service during execution of the program code. The configuration data may include, for example, a network address and a login credential associated with an account on the auxiliary service, wherein the account is associated with the user registering the program code with the virtual compute system. Thus, when the program code is executed by the virtual compute system the network address and login credential may be used to connect or “tunnel” to the auxiliary service. As an example, the user may wish to configure program code to tunnel to an auxiliary service, such as a virtual private cloud, to provide data such as a notification, log data, a status report, and so on. In another embodiment, the configuration data may include a credential and a file system mount point. The file system mount point may, for example, indicate or specify how to access a file system which stores a plurality of program codes accessed by the virtual compute system 110.

Next, at block 404, the worker manager 140 receives a request to execute program code, such as the program code previously received by the virtual compute system 110 as described at block 402. For example, the block 404 may be similar to the block 302 of FIG. 3. The request may include or specify configuration data to enable the program code to interface with the auxiliary service, or the worker manager 140 and/or the security manager 150 may determine that the program code is associated with configuration data (for example, by accessing the security management data 150A or data 108A to determine if there is any configuration data associated with the program code).

At block 406, the worker manager 150 determines whether there exists an instance in the active pool 130A that is currently assigned to the user associated with the request and has been configured to enable, support, or allow interfacing with the auxiliary service. For example, one of the instances may have previously executed the program code in a container created thereon, and the container may since have been terminated, but the program code may still remain on the instance (e.g., in an instance code cache). If the worker manager 140 determines that there is such an instance, the routine 400 proceeds to block 412, described below. On the other hand, if the worker manager 140 determines that there is no such instance, the routine 400 proceeds to block 408.

At block 408 the worker manager 140 obtains a new instance from the warming pool 130A or from the warming pool manager 130. At block 410, the worker manager 140 configures the obtained instance to interface with the auxiliary service.

Once the obtained instance has been configured at block 410 or acquired from the active pool 140A at block 406, the routine 400 proceeds to block 412 where the worker manager 140 causes the request to be processed using either a new or a preconfigured container. Before a new container is created, the worker manager 140 may determine whether the instance has resources sufficient to handle the request.

While the routine 400 of FIG. 4 has been described above with reference to blocks 402-412, the embodiments described herein are not limited as such, and one or more blocks may be omitted, modified, or switched without departing from the spirit of the present disclosure.

Turning now to FIG. 5, a routine 500 implemented by one or more components of the virtual compute system 110 (e.g., the security manager 150) will be described. Although routine 500 is described with regard to implementation by the security manager 150, one skilled in the relevant art will appreciate that alternative components may implement routine 500 or that one or more of the blocks may be implemented by a different component or in a distributed manner.

At block 502 of the illustrative routine 500, the worker manager 140 receives a request to execute program code. For example, the block 502 may be similar to the block 302 of FIG. 3. The request may include or indicate a trusted credential to be used by at least some of the program code during execution. In one embodiment, the trusted credential may be previously registered by the user with the program code and accessed, for example from the security management data 150A or data 108, to determine whether the request to execute program code involves use of a trusted credential. Configuration data associated with the program code may also be accessed and used by the security manager 150 to determine whether and which portions of the program code are to be executed using the trusted credential.

At block 504, determines whether there exists an instance in the active pool 130A that is currently assigned to the user associated with the request and has been loaded with the program code. For example, one of the instances may have previously executed the program code in a container created thereon, and the container may since have been terminated, but the program code may still remain on the instance (e.g., in an instance code cache). If the worker manager 140 determines that there is such an instance, the routine 500 proceeds to block 508, described below. On the other hand, if the worker manager 140 determines that there is no such instance, the routine 500 proceeds to block 506.

At block 506, the worker manager 140 obtains a new instance from the warming pool 130A or from the warming pool manager 130.

At block 508, the worker manager 140 or the security manager 150 creates a first container on the obtained instance. The first container may be created and configured to execute a first portion of the program code using the trusted credentials associated with the request to execute the program code.

At block 510, the worker manager 140 or the security manager 150 creates a second container on the obtained instance. The second container may be created and configured to execute a second portion of the program code without using or involving the trusted credentials associated with the request to execute the program code. The second container may be configured to communication with the first container, for example via an inter-process communication (“IPC”) protocol. The IPC protocol may include, for example, one of a socket pair, a pipe, a named pipe, a shared memory on the virtual machine instance, or a message queue. For example, the first container may be configured to send inter-process communications to the second container to request processing of the second portion of the program code on-demand. Although the example described with reference to the routine 500 involves two portions of the program code, any number of portions may be determined and a corresponding number of respective containers may be created to execute respective portions using respective credentials having different levels of trust. In some cases the first and the second containers may be configured in a master-slave relationship, such that the second container containing the second portion of less trusted program code may only be executed responsive to requests received from the first container. In some cases the first and second containers may be configured in a sibling relationship, each executing its respective program code independently of the other but so as to separate processes involving trusted credentials from processes involving less trusted code.

At block 512, the worker manager 140 causes the request to be processed using the first and second containers. In some cases, the first and second portions of the program code may be executed simultaneously and in parallel. In some cases, the second portion of the program code may only be executed in response to requests received by the second container from the first container.

While the routine 500 of FIG. 5 has been described above with reference to blocks 502-512, the embodiments described herein are not limited as such, and one or more blocks may be omitted, modified, or switched without departing from the spirit of the present disclosure.

With reference to FIG. 6, a security mechanism which involves a virtual machine instance interfacing with an auxiliary service according to an example embodiment, such as the embodiment of FIG. 1, is illustrated. In the example of FIG. 6, the instance 157 is configured to process incoming code execution requests associated with a particular program code. The instance 157 is shown communicating with one or more auxiliary services 106 and the instance provisioning service 109 over the network 104. For example, the instance 157 may initially communicate with the instance provisioning service 109 during the provisioning and configuration state, and subsequently communicate directly with an auxiliary service 106. The security manager 150 may be configured to manage and secure this connection to prevent interference from nefarious third parties.

With reference to FIG. 7, a security mechanism which involves executing program code in portions associated with different levels of trust according to an example embodiment, such as the embodiment of FIG. 1, is illustrated. In FIG. 7, instance 156 is configured to process incoming code execution requests associated with a particular program code. Instance 156 includes a container 156A, which has been loaded with a first portion of the program code having a first trust level; and a container 156B which has been loaded with a second portion of the program code having a second trust level. Container 156A is shown as being in direct communication with container 156B. For example, container 156A may send a request to container 156B to execute the second portion of the code without the need to pass any trusted or secure credential information to container 156B. Container 156B may process the request received from container 156A and optionally provide a response upon its completion.

It will be appreciated by those skilled in the art and others that all of the functions described in this disclosure may be embodied in software executed by one or more physical processors of the disclosed components and mobile communication devices. The software may be persistently stored in any type of non-volatile storage.

Conditional language, such as, among others, “can,” “could,” “might,” or “may,” unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or steps. Thus, such conditional language is not generally intended to imply that features, elements and/or steps are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without user input or prompting, whether these features, elements and/or steps are included or are to be performed in any particular embodiment.

Any process descriptions, elements, or blocks in the flow diagrams described herein and/or depicted in the attached figures should be understood as potentially representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process. Alternate implementations are included within the scope of the embodiments described herein in which elements or functions may be deleted, executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those skilled in the art. It will further be appreciated that the data and/or components described above may be stored on a computer-readable medium and loaded into memory of the computing device using a drive mechanism associated with a computer readable storage medium storing the computer executable components such as a CD-ROM, DVD-ROM, or network interface. Further, the component and/or data can be included in a single device or distributed in any manner. Accordingly, general purpose computing devices may be configured to implement the processes, algorithms, and methodology of the present disclosure with the processing and/or execution of the various data and/or components described above.

It should be emphasized that many variations and modifications may be made to the above-described embodiments, the elements of which are to be understood as being among other acceptable examples. All such modifications and variations are intended to be included herein within the scope of this disclosure and protected by the following claims.

Claims

1. A system, comprising: one or more processors; andone or more memories, the one or more memories having stored thereon instructions, which, when executed by the one or more processors, configure the one or more processors to at least: receive a first request to register a program code associated with an identifier for execution in response to a subsequent user code execution request identifying the program code using the identifier, wherein the execution occurs on a virtual machine instance identified in response to the user code execution request;receive a second request to execute the program code previously registered in response to the first request, the second request including the identifier associated with the program code to be executed in response to the second request and information to be used to execute the program code;subsequent to receiving the second request to execute the program code, identify a first virtual machine instance that satisfies a condition for executing the program code;subsequent to receiving the first request to register the program code and receiving the second request to execute the program code, cause the program code associated with the identifier to be loaded from a storage system associated with the program code onto a container associated with the first virtual machine instance that satisfies the condition for executing the program code; andcause, using the information included in the second request, the program code to be executed in the container associated with the first virtual machine instance.
2. The system of claim 1, wherein the information included in the second request specifies a credential usable to execute the program code, wherein the instructions, when executed by the one or more processors, further configure the one or more processors to cause the program code to be executed based at least in part on the credential included in the second request.
3. The system of claim 1, wherein the information included in the second request specifies one or more arguments to the program code, wherein the instructions, when executed by the one or more processors, further configure the one or more processors to cause the program code to be executed based at least in part on the one or more arguments to the program code.
4. The system of claim 1, wherein the second request is a Hypertext Transfer Protocol (HTTP) request that includes the identifier associated with the program code and the information to be used to execute the program code.
5. The system of claim 1, wherein the second request to execute the program code is associated with a timeout period after which the second request is to be terminated.
6. The system of claim 1, wherein the first virtual machine instance is configured with a language runtime associated with a programming language associated with the program code prior to the receipt of the second request, and the information included in the second request comprises an indication of the programming language, wherein the instructions, when executed by the one or more processors, further configure the one or more processors to identify the first virtual machine instance based at least in part on the indication of the programming language included in the second request.
7. The system of claim 1, wherein the first virtual machine instance is configured with an operating system compatible with the program code prior to the receipt of the second request, and the information included in the second request comprises an indication of the operating system, wherein the instructions, when executed by the one or more processors, further configure the one or more processors to identify the first virtual machine instance based at least in part on the indication of the operating system included in the second request.
8. The system of claim 1, wherein the instructions, when executed by the one or more processors, further configure the one or more processors to: determine that the program code has finished executing according to the information included in the second request; andupon determining that the program code has finished executing, release a set of computing resources allocated to the container.
9. A computer-implemented method comprising: receiving a first request to register a program code associated with an identifier for execution in response to a subsequent user code execution request identifying the program code using the identifier, wherein the execution occurs on a virtual machine instance identified in response to the user code execution request;receiving a second request to execute the program code previously registered in response to the first request, the second request including the identifier associated with the program code to be executed in response to the second request and information to be used to execute the program code;subsequent to receiving the second request to execute the program code, identifying a first virtual machine instance that satisfies a condition for executing the program code;subsequent to receiving the first request to register the program code and receiving the request to execute the program code, loading the program code associated with the identifier from a storage system associated with the program code onto a container associated with the first virtual machine instance that satisfies the condition for executing the program code; andexecuting, using the information included in the second request, the program code in the container associated with the first virtual machine instance.
10. The computer-implemented method of claim 9, wherein the information included in the second request specifies a credential usable to execute the program code, the method further comprising executing the program code based at least in part on the credential included in the second request.
11. The computer-implemented method of claim 9, wherein the container is created on the virtual machine instance in response to receiving the second request.
12. The computer-implemented method of claim 9, wherein the information included in the second request specifies one or more arguments to the program code, the method further comprising executing the program code based at least in part on the one or more arguments to the program code.
13. The computer-implemented method of claim 9, wherein the second request is a Hypertext Transfer Protocol (HTTP) request that includes the identifier associated with the program code and the information to be used to execute the program code.
14. The computer-implemented method of claim 9, wherein the second request to execute the program code is associated with a timeout period after which the second request is to be terminated, the method further comprising terminating the second request based at least in part on expiration of the timeout period.
15. The computer-implemented method of claim 9, wherein satisfying the condition for execution the program code comprises having a language runtime or an operating system associated with the program code loaded on the first virtual machine instance.
16. The computer-implemented method of claim 9, further comprising identifying the first virtual machine instance from a pool of available virtual machine instances, wherein only a subset, and not all, of the available virtual machine instances in the pool satisfies the condition for executing the program code.
17. Non-transitory physical computer storage storing instructions that, when executed by one or more computing devices, configure the one or more computing devices to at least: receive a first request to register a program code associated with an identifier for execution in response to a subsequent user code execution request identifying the program code using the identifier, wherein the execution occurs on a virtual machine instance identified in response to the user code execution request;receive a second request to execute the program code previously registered in response to the first request, the second request including the identifier associated with the program code to be executed in response to the second request and information to be used to execute the program code;subsequent to receiving the second request to execute the program code, identify a first virtual machine instance that satisfies a condition for executing the program code;subsequent to receiving the first request to register the program code and receiving the second request to execute the program code, cause the program code associated with the identifier to be loaded from a storage system associated with the program code onto a container associated with the first virtual machine instance; andcause, using the information included in the second request, the program code to be executed in the container associated with the first virtual machine instance.
18. The non-transitory physical computer storage of claim 17, wherein the information included in the second request specifies a credential usable to execute the program code, the instructions, when executed by the one or more computing devices, further configuring the one or more computing devices to cause the program code to be executed based at least in part on the credential included in the second request.
19. The non-transitory physical computer storage of claim 17, wherein the information included in the second request specifies one or more arguments to the program code, the instructions, when executed by the one or more computing devices, further configuring the one or more computing devices to cause the program code to be executed based at least in part on the one or more arguments to the program code.
20. The non-transitory physical computer storage of claim 17, wherein the second request is a Hypertext Transfer Protocol (HTTP) request that includes the identifier associated with the program code and the information to be used to execute the program code.

CROSS-REFERENCE TO OTHER APPLICATIONS

This application is a continuation of U.S. application Ser. No. 15/676,777, filed Aug. 14, 2017 and titled “SECURITY PROTOCOLS FOR LOW LATENCY EXECUTION OF PROGRAM CODE,” which is a continuation of U.S. application Ser. No. 14/613,735, filed Feb. 4, 2015 and titled “SECURITY PROTOCOLS FOR LOW LATENCY EXECUTION OF PROGRAM CODE,” the disclosures of which are hereby incorporated by reference in their entirety. The present application's Applicant previously filed the following U.S. patent applications: Application No.Title14/502,589MESSAGE-BASED COMPUTATION REQUESTSCHEDULING14/502,810LOW LATENCY COMPUTATIONAL CAPACITYPROVISIONING14/502,714AUTOMATIC MANAGEMENT OF LOWLATENCY COMPUTATIONAL CAPACITY14/502,992THREADING AS A SERVICE14/502,648PROGRAMMATIC EVENT DETECTION ANDMESSAGE GENERATION FOR REQUESTSTO EXECUTE PROGRAM CODE14/502,741PROCESSING EVENT MESSAGES FOR USERREQUESTS TO EXECUTE PROGRAM CODE14/502,620DYNAMIC CODE DEPLOYMENT ANDVERSIONING14/613,688SECURITY PROTOCOLS FOR LOW LATENCYEXECUTION OF PROGRAM CODE14/613,723SECURITY PROTOCOLS FOR LOW LATENCYEXECUTION OF PROGRAM CODE The disclosures of the above-referenced applications are hereby incorporated by reference in their entirety.

US Referenced Citations (866)

Number	Name	Date	Kind
4949254	Shorter	Aug 1990	A
5283888	Dao et al.	Feb 1994	A
5835764	Platt et al.	Nov 1998	A
5970488	Crowe et al.	Oct 1999	A
5983197	Enta	Nov 1999	A
6237005	Griffin	May 2001	B1
6260058	Hoenninger et al.	Jul 2001	B1
6385636	Suzuki	May 2002	B1
6463509	Teoman et al.	Oct 2002	B1
6501736	Smolik et al.	Dec 2002	B1
6523035	Fleming et al.	Feb 2003	B1
6549936	Hirabayashi	Apr 2003	B1
6708276	Yarsa et al.	Mar 2004	B1
7036121	Casabona et al.	Apr 2006	B1
7308463	Taulbee et al.	Dec 2007	B2
7340522	Basu et al.	Mar 2008	B1
7360215	Kraiss et al.	Apr 2008	B2
7558719	Donlin	Jul 2009	B1
7577722	Khandekar et al.	Aug 2009	B1
7590806	Harris et al.	Sep 2009	B2
7665090	Tormasov et al.	Feb 2010	B1
7707579	Rodriguez	Apr 2010	B2
7730464	Trowbridge	Jun 2010	B2
7774191	Berkowitz et al.	Aug 2010	B2
7823186	Pouliot	Oct 2010	B2
7831464	Nichols et al.	Nov 2010	B1
7870153	Croft et al.	Jan 2011	B2
7886021	Scheifler et al.	Feb 2011	B2
7949677	Croft et al.	May 2011	B2
7954150	Croft et al.	May 2011	B2
8010679	Low et al.	Aug 2011	B2
8010990	Ferguson et al.	Aug 2011	B2
8024564	Bassani et al.	Sep 2011	B2
8046765	Cherkasova et al.	Oct 2011	B2
8051180	Mazzaferri et al.	Nov 2011	B2
8051266	DeVal et al.	Nov 2011	B2
8065676	Sahai et al.	Nov 2011	B1
8065682	Baryshnikov et al.	Nov 2011	B2
8095931	Chen et al.	Jan 2012	B1
8127284	Meijer et al.	Feb 2012	B2
8146073	Sinha	Mar 2012	B2
8166304	Murase et al.	Apr 2012	B2
8171473	Lavin	May 2012	B2
8201026	Bornstein et al.	Jun 2012	B1
8209695	Pruyne et al.	Jun 2012	B1
8219987	Vlaovic et al.	Jul 2012	B1
8296267	Cahill et al.	Oct 2012	B2
8321554	Dickinson	Nov 2012	B2
8321558	Sirota et al.	Nov 2012	B1
8336079	Budko et al.	Dec 2012	B2
8352608	Keagy et al.	Jan 2013	B1
8387075	McCann et al.	Feb 2013	B1
8392558	Ahuja et al.	Mar 2013	B1
8402514	Thompson et al.	Mar 2013	B1
8417723	Lissack et al.	Apr 2013	B1
8429282	Ahuja	Apr 2013	B1
8448165	Conover	May 2013	B1
8479195	Adams et al.	Jul 2013	B2
8490088	Tang	Jul 2013	B2
8555281	Van Dijk et al.	Oct 2013	B1
8560699	Theimer et al.	Oct 2013	B1
8566835	Wang et al.	Oct 2013	B2
8601323	Tsantilis	Dec 2013	B2
8613070	Borzycki et al.	Dec 2013	B1
8615589	Adogla et al.	Dec 2013	B1
8631130	Jackson	Jan 2014	B2
8667471	Wintergerst et al.	Mar 2014	B2
8677359	Gavage et al.	Mar 2014	B1
8694996	Cawlfield et al.	Apr 2014	B2
8700768	Benari	Apr 2014	B2
8719415	Sirota et al.	May 2014	B1
8725702	Raman et al.	May 2014	B1
8756322	Lynch	Jun 2014	B1
8756696	Miller	Jun 2014	B1
8763091	Singh et al.	Jun 2014	B1
8769519	Leitman et al.	Jul 2014	B2
8793676	Quinn et al.	Jul 2014	B2
8799236	Azari et al.	Aug 2014	B1
8799879	Wright et al.	Aug 2014	B2
8806468	Meijer et al.	Aug 2014	B2
8806644	McCorkendale et al.	Aug 2014	B1
8819679	Agarwal et al.	Aug 2014	B2
8825863	Hansson et al.	Sep 2014	B2
8825964	Sopka et al.	Sep 2014	B1
8839035	Dimitrovich et al.	Sep 2014	B1
8850432	Mcgrath et al.	Sep 2014	B2
8869300	Singh et al.	Oct 2014	B2
8874952	Tameshige et al.	Oct 2014	B2
8904008	Calder et al.	Dec 2014	B2
8966495	Kulkarni	Feb 2015	B2
8972980	Banga et al.	Mar 2015	B2
8990807	Wu et al.	Mar 2015	B2
8997093	Dimitrov	Mar 2015	B2
9002871	Bulkowski et al.	Apr 2015	B2
9021501	Li et al.	Apr 2015	B2
9027087	Ishaya et al.	May 2015	B2
9038068	Engle et al.	May 2015	B2
9052935	Rajaa	Jun 2015	B1
9086897	Oh et al.	Jul 2015	B2
9086924	Barsness et al.	Jul 2015	B2
9092837	Bala et al.	Jul 2015	B2
9098528	Wang	Aug 2015	B2
9104477	Kodialam et al.	Aug 2015	B2
9110732	Forschmiedt et al.	Aug 2015	B1
9110770	Raju et al.	Aug 2015	B1
9111037	Nalis et al.	Aug 2015	B1
9112813	Jackson	Aug 2015	B2
9116733	Banga et al.	Aug 2015	B2
9141410	Leafe et al.	Sep 2015	B2
9146764	Wagner	Sep 2015	B1
9152406	De et al.	Oct 2015	B2
9164754	Pohlack	Oct 2015	B1
9183019	Kruglick	Nov 2015	B2
9195520	Turk	Nov 2015	B2
9208007	Harper et al.	Dec 2015	B2
9218190	Anand et al.	Dec 2015	B2
9223561	Orveillon et al.	Dec 2015	B2
9223966	Satish et al.	Dec 2015	B1
9250893	Blahaerath et al.	Feb 2016	B2
9268586	Voccio et al.	Feb 2016	B2
9298633	Zhao et al.	Mar 2016	B1
9317689	Aissi	Apr 2016	B2
9323556	Wagner	Apr 2016	B2
9361145	Wilson et al.	Jun 2016	B1
9405582	Fuller et al.	Aug 2016	B2
9411645	Duan et al.	Aug 2016	B1
9413626	Reque et al.	Aug 2016	B2
9417918	Chin et al.	Aug 2016	B2
9430290	Gupta et al.	Aug 2016	B1
9436555	Dornemann et al.	Sep 2016	B2
9461996	Hayton et al.	Oct 2016	B2
9471775	Wagner et al.	Oct 2016	B1
9471776	Gu et al.	Oct 2016	B2
9483335	Wagner et al.	Nov 2016	B1
9489227	Oh et al.	Nov 2016	B2
9497136	Ramarao et al.	Nov 2016	B1
9501345	Lietz et al.	Nov 2016	B1
9514037	Dow et al.	Dec 2016	B1
9537788	Reque et al.	Jan 2017	B2
9563613	Dinkel et al.	Feb 2017	B1
9575798	Terayama et al.	Feb 2017	B2
9588790	Wagner et al.	Mar 2017	B1
9594590	Hsu	Mar 2017	B2
9596350	Dymshyts et al.	Mar 2017	B1
9600312	Wagner et al.	Mar 2017	B2
9613127	Rus et al.	Apr 2017	B1
9626204	Banga et al.	Apr 2017	B1
9628332	Bruno, Jr. et al.	Apr 2017	B2
9635132	Lin et al.	Apr 2017	B1
9652306	Wagner et al.	May 2017	B1
9652617	Evans et al.	May 2017	B1
9654508	Barton et al.	May 2017	B2
9661011	Van Horenbeeck et al.	May 2017	B1
9678773	Wagner et al.	Jun 2017	B1
9678778	Youseff	Jun 2017	B1
9703681	Taylor et al.	Jul 2017	B2
9715402	Wagner et al.	Jul 2017	B2
9720661	Gschwind et al.	Aug 2017	B2
9720662	Gschwind et al.	Aug 2017	B2
9727725	Wagner et al.	Aug 2017	B2
9733967	Wagner et al.	Aug 2017	B2
9760387	Wagner et al.	Sep 2017	B2
9760443	Tarasuk-Levin et al.	Sep 2017	B2
9767271	Ghose	Sep 2017	B2
9785476	Wagner et al.	Oct 2017	B2
9787779	Frank et al.	Oct 2017	B2
9798831	Chattopadhyay et al.	Oct 2017	B2
9811363	Wagner	Nov 2017	B1
9811434	Wagner	Nov 2017	B1
9817695	Clark	Nov 2017	B2
9830175	Wagner	Nov 2017	B1
9830193	Wagner et al.	Nov 2017	B1
9830449	Wagner	Nov 2017	B1
9864636	Patel et al.	Jan 2018	B1
9898393	Moorthi et al.	Feb 2018	B2
9910713	Wisniewski et al.	Mar 2018	B2
9921864	Singaravelu et al.	Mar 2018	B2
9928108	Wagner et al.	Mar 2018	B1
9929916	Subramanian et al.	Mar 2018	B1
9930103	Thompson	Mar 2018	B2
9930133	Susarla et al.	Mar 2018	B2
9952896	Wagner et al.	Apr 2018	B2
9977691	Marriner et al.	May 2018	B2
9979817	Huang et al.	May 2018	B2
9983982	Kumar et al.	May 2018	B1
10002026	Wagner	Jun 2018	B1
10013267	Wagner et al.	Jul 2018	B1
10042660	Wagner et al.	Aug 2018	B2
10048974	Wagner et al.	Aug 2018	B1
10061613	Brooker et al.	Aug 2018	B1
10067801	Wagner	Sep 2018	B1
10102040	Marriner et al.	Oct 2018	B2
10108443	Wagner et al.	Oct 2018	B2
10139876	Lu et al.	Nov 2018	B2
10140137	Wagner	Nov 2018	B2
10146635	Chai et al.	Dec 2018	B1
10162655	Tuch et al.	Dec 2018	B2
10162672	Wagner et al.	Dec 2018	B2
10162688	Wagner	Dec 2018	B2
10191861	Steinberg	Jan 2019	B1
10193839	Tandon et al.	Jan 2019	B2
10198298	Bishop et al.	Feb 2019	B2
10203990	Wagner et al.	Feb 2019	B2
10248467	Wisniewski et al.	Apr 2019	B2
10255090	Tuch et al.	Apr 2019	B2
10277708	Wagner et al.	Apr 2019	B2
10303492	Wagner et al.	May 2019	B1
10331462	Varda et al.	Jun 2019	B1
10346625	Anderson et al.	Jul 2019	B2
10353678	Wagner	Jul 2019	B1
10353746	Reque et al.	Jul 2019	B2
10360025	Foskett et al.	Jul 2019	B2
10360067	Wagner	Jul 2019	B1
10365985	Wagner	Jul 2019	B2
10387177	Wagner et al.	Aug 2019	B2
10402231	Marriner et al.	Sep 2019	B2
10423158	Hadlich	Sep 2019	B1
10437629	Wagner et al.	Oct 2019	B2
10445140	Sagar et al.	Oct 2019	B1
10459822	Gondi	Oct 2019	B1
10503626	Idicula et al.	Dec 2019	B2
10528390	Brooker et al.	Jan 2020	B2
10531226	Wang et al.	Jan 2020	B1
10552193	Wagner et al.	Feb 2020	B2
10552442	Lusk et al.	Feb 2020	B1
10564946	Wagner et al.	Feb 2020	B1
10572375	Wagner	Feb 2020	B1
10592269	Wagner et al.	Mar 2020	B2
10608973	Kuo et al.	Mar 2020	B2
10615984	Wang	Apr 2020	B1
10623476	Thompson	Apr 2020	B2
10637817	Kuo et al.	Apr 2020	B2
10649749	Brooker et al.	May 2020	B1
10649792	Kulchytskyy et al.	May 2020	B1
10650156	Anderson et al.	May 2020	B2
10686605	Chhabra et al.	Jun 2020	B2
10691498	Wagner	Jun 2020	B2
10713080	Brooker et al.	Jul 2020	B1
10719367	Kim et al.	Jul 2020	B1
10725752	Wagner et al.	Jul 2020	B1
10725826	Sagar et al.	Jul 2020	B1
10733085	Wagner	Aug 2020	B1
10754701	Wagner	Aug 2020	B1
10776091	Wagner et al.	Sep 2020	B1
10776171	Wagner et al.	Sep 2020	B2
10817331	Mullen et al.	Oct 2020	B2
10824484	Wagner et al.	Nov 2020	B2
10831898	Wagner	Nov 2020	B1
10846117	Steinberg	Nov 2020	B1
10853112	Wagner et al.	Dec 2020	B2
10853115	Mullen et al.	Dec 2020	B2
10884722	Brooker et al.	Jan 2021	B2
10884787	Wagner et al.	Jan 2021	B1
10884802	Wagner et al.	Jan 2021	B2
10884812	Brooker et al.	Jan 2021	B2
10891145	Wagner et al.	Jan 2021	B2
10915371	Wagner et al.	Feb 2021	B2
10942795	Yanacek et al.	Mar 2021	B1
10949237	Piwonka et al.	Mar 2021	B2
10956185	Wagner	Mar 2021	B2
11010188	Brooker et al.	May 2021	B1
11016815	Wisniewski et al.	May 2021	B2
11099870	Brooker et al.	Aug 2021	B1
11099917	Hussels et al.	Aug 2021	B2
11115404	Siefker et al.	Sep 2021	B2
11119809	Brooker et al.	Sep 2021	B1
11119813	Kasaragod	Sep 2021	B1
11119826	Yanacek et al.	Sep 2021	B2
11126469	Reque et al.	Sep 2021	B2
11132213	Wagner et al.	Sep 2021	B1
11146569	Brooker et al.	Oct 2021	B1
11159528	Siefker et al.	Oct 2021	B2
11188391	Sule	Nov 2021	B1
11190609	Siefker et al.	Nov 2021	B2
11243819	Wagner	Feb 2022	B1
11243953	Wagner et al.	Feb 2022	B2
11263034	Wagner et al.	Mar 2022	B2
20010044817	Asano et al.	Nov 2001	A1
20020120685	Srivastava et al.	Aug 2002	A1
20020172273	Baker et al.	Nov 2002	A1
20030071842	King et al.	Apr 2003	A1
20030084434	Ren	May 2003	A1
20030149801	Kushnirskiy	Aug 2003	A1
20030191795	Bernardin et al.	Oct 2003	A1
20030208569	O'Brien et al.	Nov 2003	A1
20030229794	James, II et al.	Dec 2003	A1
20040003087	Chambliss et al.	Jan 2004	A1
20040019886	Berent et al.	Jan 2004	A1
20040044721	Song et al.	Mar 2004	A1
20040049768	Matsuyama et al.	Mar 2004	A1
20040098154	McCarthy	May 2004	A1
20040158551	Santosuosso	Aug 2004	A1
20040205493	Simpson et al.	Oct 2004	A1
20040249947	Novaes et al.	Dec 2004	A1
20040268358	Darling et al.	Dec 2004	A1
20050027611	Wharton	Feb 2005	A1
20050044301	Vasilevsky et al.	Feb 2005	A1
20050120160	Plouffe et al.	Jun 2005	A1
20050132167	Longobardi	Jun 2005	A1
20050132368	Sexton et al.	Jun 2005	A1
20050149535	Frey et al.	Jul 2005	A1
20050193113	Kokusho et al.	Sep 2005	A1
20050193283	Reinhardt et al.	Sep 2005	A1
20050237948	Wan et al.	Oct 2005	A1
20050257051	Richard	Nov 2005	A1
20050262183	Colrain et al.	Nov 2005	A1
20050262512	Schmidt et al.	Nov 2005	A1
20060010440	Anderson et al.	Jan 2006	A1
20060015740	Kramer	Jan 2006	A1
20060031448	Chu et al.	Feb 2006	A1
20060036941	Neil	Feb 2006	A1
20060080678	Bailey et al.	Apr 2006	A1
20060123066	Jacobs et al.	Jun 2006	A1
20060129684	Datta	Jun 2006	A1
20060155800	Matsumoto	Jul 2006	A1
20060168174	Gebhart et al.	Jul 2006	A1
20060184669	Vaidyanathan et al.	Aug 2006	A1
20060200668	Hybre et al.	Sep 2006	A1
20060212332	Jackson	Sep 2006	A1
20060218601	Michel	Sep 2006	A1
20060242647	Kimbrel et al.	Oct 2006	A1
20060242709	Seinfeld et al.	Oct 2006	A1
20060248195	Toumura et al.	Nov 2006	A1
20060259763	Cooperstein et al.	Nov 2006	A1
20060288120	Hoshino et al.	Dec 2006	A1
20070033085	Johnson	Feb 2007	A1
20070050779	Hayashi	Mar 2007	A1
20070094396	Takano et al.	Apr 2007	A1
20070101325	Bystricky et al.	May 2007	A1
20070112864	Ben-Natan	May 2007	A1
20070130341	Ma	Jun 2007	A1
20070174419	O'Connell et al.	Jul 2007	A1
20070180449	Croft et al.	Aug 2007	A1
20070180450	Croft et al.	Aug 2007	A1
20070180493	Croft et al.	Aug 2007	A1
20070186212	Mazzaferri et al.	Aug 2007	A1
20070192082	Gaos et al.	Aug 2007	A1
20070192329	Croft et al.	Aug 2007	A1
20070198656	Mazzaferri et al.	Aug 2007	A1
20070199000	Shekhel et al.	Aug 2007	A1
20070220009	Morris et al.	Sep 2007	A1
20070226700	Gal et al.	Sep 2007	A1
20070240160	Paterson-Jones	Oct 2007	A1
20070255604	Seelig	Nov 2007	A1
20080028409	Cherkasova et al.	Jan 2008	A1
20080052401	Bugenhagen et al.	Feb 2008	A1
20080052725	Stoodley et al.	Feb 2008	A1
20080082977	Araujo et al.	Apr 2008	A1
20080104247	Venkatakrishnan et al.	May 2008	A1
20080104608	Hyser et al.	May 2008	A1
20080115143	Shimizu et al.	May 2008	A1
20080126110	Haeberle et al.	May 2008	A1
20080126486	Heist	May 2008	A1
20080127125	Anckaert et al.	May 2008	A1
20080147893	Marripudi et al.	Jun 2008	A1
20080189468	Schmidt et al.	Aug 2008	A1
20080195369	Duyanovich et al.	Aug 2008	A1
20080201568	Quinn et al.	Aug 2008	A1
20080201711	Amir Husain	Aug 2008	A1
20080209423	Hirai	Aug 2008	A1
20080244547	Wintergerst et al.	Oct 2008	A1
20080288940	Adams et al.	Nov 2008	A1
20080307098	Kelly	Dec 2008	A1
20090006897	Sarsfield	Jan 2009	A1
20090013153	Hilton	Jan 2009	A1
20090018892	Grey et al.	Jan 2009	A1
20090025009	Brunswig et al.	Jan 2009	A1
20090034537	Colrain et al.	Feb 2009	A1
20090055810	Kondur	Feb 2009	A1
20090055829	Gibson	Feb 2009	A1
20090070355	Cadarette et al.	Mar 2009	A1
20090077569	Appleton et al.	Mar 2009	A1
20090125902	Ghosh et al.	May 2009	A1
20090158275	Wang et al.	Jun 2009	A1
20090158407	Nicodemus et al.	Jun 2009	A1
20090177860	Zhu et al.	Jul 2009	A1
20090183162	Kindel et al.	Jul 2009	A1
20090193410	Arthursson et al.	Jul 2009	A1
20090198769	Keller et al.	Aug 2009	A1
20090204960	Ben-yehuda et al.	Aug 2009	A1
20090204964	Foley et al.	Aug 2009	A1
20090222922	Sidiroglou et al.	Sep 2009	A1
20090271472	Scheifler et al.	Oct 2009	A1
20090288084	Astete et al.	Nov 2009	A1
20090300151	Friedman et al.	Dec 2009	A1
20090300599	Piotrowski	Dec 2009	A1
20090307430	Bruening et al.	Dec 2009	A1
20100023940	Iwamatsu et al.	Jan 2010	A1
20100031274	Sim-Tang	Feb 2010	A1
20100031325	Maigne et al.	Feb 2010	A1
20100036925	Haffner	Feb 2010	A1
20100037031	DeSantis et al.	Feb 2010	A1
20100058342	Machida	Mar 2010	A1
20100058351	Yahagi	Mar 2010	A1
20100064299	Kacin et al.	Mar 2010	A1
20100070678	Zhang et al.	Mar 2010	A1
20100070725	Prahlad et al.	Mar 2010	A1
20100083048	Calinoiu et al.	Apr 2010	A1
20100083248	Wood et al.	Apr 2010	A1
20100094816	Groves, Jr. et al.	Apr 2010	A1
20100106926	Kandasamy et al.	Apr 2010	A1
20100114825	Siddegowda	May 2010	A1
20100115098	De Baer et al.	May 2010	A1
20100122343	Ghosh	May 2010	A1
20100131936	Cheriton	May 2010	A1
20100131959	Spiers et al.	May 2010	A1
20100186011	Magenheimer	Jul 2010	A1
20100198972	Umbehocker	Aug 2010	A1
20100199285	Medovich	Aug 2010	A1
20100257116	Mehta et al.	Oct 2010	A1
20100257269	Clark	Oct 2010	A1
20100269109	Cartales	Oct 2010	A1
20100299541	Ishikawa et al.	Nov 2010	A1
20100312871	Desantis et al.	Dec 2010	A1
20100325727	Neystadt et al.	Dec 2010	A1
20100329149	Singh et al.	Dec 2010	A1
20100329643	Kuang	Dec 2010	A1
20110004687	Takemura	Jan 2011	A1
20110010690	Howard et al.	Jan 2011	A1
20110010722	Matsuyama	Jan 2011	A1
20110023026	Oza	Jan 2011	A1
20110029970	Arasaratnam	Feb 2011	A1
20110029984	Norman et al.	Feb 2011	A1
20110040812	Phillips	Feb 2011	A1
20110055378	Ferris et al.	Mar 2011	A1
20110055396	DeHaan	Mar 2011	A1
20110055683	Jiang	Mar 2011	A1
20110078679	Bozek et al.	Mar 2011	A1
20110099204	Thaler	Apr 2011	A1
20110099551	Fahrig et al.	Apr 2011	A1
20110131572	Elyashev et al.	Jun 2011	A1
20110134761	Smith	Jun 2011	A1
20110141124	Halls et al.	Jun 2011	A1
20110153541	Koch et al.	Jun 2011	A1
20110153727	Li	Jun 2011	A1
20110153838	Belkine et al.	Jun 2011	A1
20110154353	Theroux et al.	Jun 2011	A1
20110173637	Brandwine et al.	Jul 2011	A1
20110179162	Mayo et al.	Jul 2011	A1
20110184993	Chawla et al.	Jul 2011	A1
20110225277	Freimuth et al.	Sep 2011	A1
20110231680	Padmanabhan et al.	Sep 2011	A1
20110247005	Benedetti et al.	Oct 2011	A1
20110258603	Wisnovsky et al.	Oct 2011	A1
20110265067	Schulte et al.	Oct 2011	A1
20110265069	Fee et al.	Oct 2011	A1
20110265164	Lucovsky	Oct 2011	A1
20110271276	Ashok et al.	Nov 2011	A1
20110276945	Chasman et al.	Nov 2011	A1
20110276963	Wu et al.	Nov 2011	A1
20110296412	Banga et al.	Dec 2011	A1
20110314465	Smith et al.	Dec 2011	A1
20110321033	Kelkar et al.	Dec 2011	A1
20110321051	Rastogi	Dec 2011	A1
20120011496	Shimamura	Jan 2012	A1
20120011511	Horvitz et al.	Jan 2012	A1
20120016721	Weinman	Jan 2012	A1
20120041970	Ghosh et al.	Feb 2012	A1
20120054744	Singh et al.	Mar 2012	A1
20120060207	Mardikar et al.	Mar 2012	A1
20120072762	Atchison et al.	Mar 2012	A1
20120072914	Ota	Mar 2012	A1
20120072920	Kawamura	Mar 2012	A1
20120079004	Herman	Mar 2012	A1
20120096271	Ramarathinam et al.	Apr 2012	A1
20120096468	Chakravorty et al.	Apr 2012	A1
20120102307	Wong	Apr 2012	A1
20120102333	Wong	Apr 2012	A1
20120102481	Mani et al.	Apr 2012	A1
20120102493	Allen et al.	Apr 2012	A1
20120110155	Adlung et al.	May 2012	A1
20120110164	Frey et al.	May 2012	A1
20120110570	Jacobson et al.	May 2012	A1
20120110588	Bieswanger et al.	May 2012	A1
20120131379	Tameshige et al.	May 2012	A1
20120144290	Goldman et al.	Jun 2012	A1
20120166624	Suit et al.	Jun 2012	A1
20120173709	Li et al.	Jul 2012	A1
20120192184	Burckart et al.	Jul 2012	A1
20120197795	Campbell et al.	Aug 2012	A1
20120197958	Nightingale et al.	Aug 2012	A1
20120198442	Kashyap et al.	Aug 2012	A1
20120198514	McCune et al.	Aug 2012	A1
20120204164	Castanos et al.	Aug 2012	A1
20120209947	Glaser et al.	Aug 2012	A1
20120222038	Katragadda et al.	Aug 2012	A1
20120233464	Miller et al.	Sep 2012	A1
20120254193	Chattopadhyay et al.	Oct 2012	A1
20120324236	Srivastava et al.	Dec 2012	A1
20120331113	Jain et al.	Dec 2012	A1
20130014101	Ballani et al.	Jan 2013	A1
20130042234	DeLuca et al.	Feb 2013	A1
20130054804	Jana et al.	Feb 2013	A1
20130054927	Raj et al.	Feb 2013	A1
20130055262	Lubsey et al.	Feb 2013	A1
20130061208	Tsao et al.	Mar 2013	A1
20130061212	Krause et al.	Mar 2013	A1
20130061220	Gnanasambandam et al.	Mar 2013	A1
20130067484	Sonoda et al.	Mar 2013	A1
20130067494	Srour et al.	Mar 2013	A1
20130080641	Lui et al.	Mar 2013	A1
20130091387	Bohnet et al.	Apr 2013	A1
20130097601	Podvratnik et al.	Apr 2013	A1
20130111032	Alapati et al.	May 2013	A1
20130111469	B et al.	May 2013	A1
20130124807	Nielsen	May 2013	A1
20130132942	Wang	May 2013	A1
20130132953	Chuang et al.	May 2013	A1
20130139152	Chang et al.	May 2013	A1
20130139166	Zhang et al.	May 2013	A1
20130145354	Bruening et al.	Jun 2013	A1
20130151587	Takeshima et al.	Jun 2013	A1
20130151648	Luna	Jun 2013	A1
20130151684	Forsman et al.	Jun 2013	A1
20130152047	Moorthi et al.	Jun 2013	A1
20130167147	Corrie et al.	Jun 2013	A1
20130179574	Calder et al.	Jul 2013	A1
20130179881	Calder et al.	Jul 2013	A1
20130179894	Calder et al.	Jul 2013	A1
20130179895	Calder et al.	Jul 2013	A1
20130185719	Kar et al.	Jul 2013	A1
20130185729	Vasic et al.	Jul 2013	A1
20130191924	Tedesco	Jul 2013	A1
20130198319	Shen	Aug 2013	A1
20130198743	Kruglick	Aug 2013	A1
20130198748	Sharp et al.	Aug 2013	A1
20130198763	Kunze et al.	Aug 2013	A1
20130205092	Roy et al.	Aug 2013	A1
20130219390	Lee et al.	Aug 2013	A1
20130227097	Yasuda et al.	Aug 2013	A1
20130227534	Ike et al.	Aug 2013	A1
20130227563	McGrath	Aug 2013	A1
20130227641	White et al.	Aug 2013	A1
20130227710	Barak et al.	Aug 2013	A1
20130232190	Miller et al.	Sep 2013	A1
20130232480	Winterfeldt et al.	Sep 2013	A1
20130239125	Iorio	Sep 2013	A1
20130246944	Pandiyan et al.	Sep 2013	A1
20130262556	Xu et al.	Oct 2013	A1
20130263117	Konik et al.	Oct 2013	A1
20130274006	Hudlow et al.	Oct 2013	A1
20130275376	Hudlow et al.	Oct 2013	A1
20130275958	Ivanov et al.	Oct 2013	A1
20130275969	Dimitrov	Oct 2013	A1
20130275975	Masuda et al.	Oct 2013	A1
20130283141	Stevenson et al.	Oct 2013	A1
20130283176	Hoole et al.	Oct 2013	A1
20130290538	Gmach et al.	Oct 2013	A1
20130291087	Kailash et al.	Oct 2013	A1
20130297964	Hegdal et al.	Nov 2013	A1
20130298183	McGrath et al.	Nov 2013	A1
20130311650	Brandwine et al.	Nov 2013	A1
20130326506	McGrath et al.	Dec 2013	A1
20130326507	McGrath et al.	Dec 2013	A1
20130339950	Ramarathinam et al.	Dec 2013	A1
20130346470	Obstfeld et al.	Dec 2013	A1
20130346946	Pinnix	Dec 2013	A1
20130346952	Huang et al.	Dec 2013	A1
20130346964	Nobuoka et al.	Dec 2013	A1
20130346987	Raney et al.	Dec 2013	A1
20130346994	Chen et al.	Dec 2013	A1
20130347095	Barjatiya et al.	Dec 2013	A1
20140007097	Chin et al.	Jan 2014	A1
20140019523	Heymann et al.	Jan 2014	A1
20140019735	Menon et al.	Jan 2014	A1
20140019965	Neuse et al.	Jan 2014	A1
20140019966	Neuse et al.	Jan 2014	A1
20140040343	Nickolov et al.	Feb 2014	A1
20140040857	Trinchini et al.	Feb 2014	A1
20140040880	Brownlow et al.	Feb 2014	A1
20140047437	Wu et al.	Feb 2014	A1
20140058871	Marr et al.	Feb 2014	A1
20140059209	Alnoor	Feb 2014	A1
20140059226	Messerli et al.	Feb 2014	A1
20140059552	Cunningham et al.	Feb 2014	A1
20140068568	Wisnovsky	Mar 2014	A1
20140068608	Kulkarni	Mar 2014	A1
20140068611	McGrath et al.	Mar 2014	A1
20140073300	Leeder et al.	Mar 2014	A1
20140081984	Sitsky et al.	Mar 2014	A1
20140082165	Marr et al.	Mar 2014	A1
20140082201	Shankari et al.	Mar 2014	A1
20140101643	Inoue	Apr 2014	A1
20140101649	Kamble et al.	Apr 2014	A1
20140108722	Lipchuk et al.	Apr 2014	A1
20140109087	Jujare et al.	Apr 2014	A1
20140109088	Dournov et al.	Apr 2014	A1
20140129667	Ozawa	May 2014	A1
20140130040	Lemanski	May 2014	A1
20140137110	Engle et al.	May 2014	A1
20140173614	Konik et al.	Jun 2014	A1
20140173616	Bird et al.	Jun 2014	A1
20140180862	Certain et al.	Jun 2014	A1
20140189677	Curzi et al.	Jul 2014	A1
20140189704	Narvaez et al.	Jul 2014	A1
20140201735	Kannan et al.	Jul 2014	A1
20140207912	Thibeault	Jul 2014	A1
20140214752	Rash et al.	Jul 2014	A1
20140215073	Dow et al.	Jul 2014	A1
20140229221	Shih et al.	Aug 2014	A1
20140229942	Wiseman et al.	Aug 2014	A1
20140245297	Hackett	Aug 2014	A1
20140279581	Devereaux	Sep 2014	A1
20140280325	Krishnamurthy et al.	Sep 2014	A1
20140282418	Wood et al.	Sep 2014	A1
20140282559	Verduzco et al.	Sep 2014	A1
20140282615	Gavage et al.	Sep 2014	A1
20140282629	Gupta et al.	Sep 2014	A1
20140283045	Brandwine et al.	Sep 2014	A1
20140289286	Gusak	Sep 2014	A1
20140298295	Overbeck	Oct 2014	A1
20140304246	Helmich et al.	Oct 2014	A1
20140304698	Chigurapati et al.	Oct 2014	A1
20140304815	Maeda	Oct 2014	A1
20140317617	O'Donnell	Oct 2014	A1
20140337953	Banatwala et al.	Nov 2014	A1
20140344457	Bruno, Jr. et al.	Nov 2014	A1
20140344736	Ryman et al.	Nov 2014	A1
20140359093	Raju et al.	Dec 2014	A1
20140365781	Dmitrienko et al.	Dec 2014	A1
20140372489	Jaiswal et al.	Dec 2014	A1
20140372533	Fu et al.	Dec 2014	A1
20140380085	Rash et al.	Dec 2014	A1
20150033241	Jackson et al.	Jan 2015	A1
20150039891	Ignatchenko et al.	Feb 2015	A1
20150040229	Chan et al.	Feb 2015	A1
20150046926	Kenchammana-Hosekote et al.	Feb 2015	A1
20150046971	Huh et al.	Feb 2015	A1
20150052258	Johnson et al.	Feb 2015	A1
20150058914	Yadav	Feb 2015	A1
20150067019	Balko	Mar 2015	A1
20150067830	Johansson et al.	Mar 2015	A1
20150074659	Madsen et al.	Mar 2015	A1
20150074661	Kothari et al.	Mar 2015	A1
20150074662	Saladi et al.	Mar 2015	A1
20150081885	Thomas et al.	Mar 2015	A1
20150095822	Feis et al.	Apr 2015	A1
20150106805	Melander	Apr 2015	A1
20150120928	Gummaraju et al.	Apr 2015	A1
20150121391	Wang	Apr 2015	A1
20150134626	Theimer et al.	May 2015	A1
20150135287	Medeiros et al.	May 2015	A1
20150142747	Zou	May 2015	A1
20150142952	Bragstad et al.	May 2015	A1
20150143374	Banga et al.	May 2015	A1
20150143381	Chin et al.	May 2015	A1
20150146716	Olivier et al.	May 2015	A1
20150154046	Farkas et al.	Jun 2015	A1
20150161384	Gu et al.	Jun 2015	A1
20150163231	Sobko et al.	Jun 2015	A1
20150178019	Hegdal et al.	Jun 2015	A1
20150178110	Li et al.	Jun 2015	A1
20150186129	Apte et al.	Jul 2015	A1
20150188775	Van Der Walt et al.	Jul 2015	A1
20150199218	Wilson et al.	Jul 2015	A1
20150205596	Hiltegen et al.	Jul 2015	A1
20150227598	Hahn et al.	Aug 2015	A1
20150229645	Keith et al.	Aug 2015	A1
20150235144	Gusev et al.	Aug 2015	A1
20150242225	Muller et al.	Aug 2015	A1
20150254248	Burns et al.	Sep 2015	A1
20150256621	Noda et al.	Sep 2015	A1
20150261578	Greden et al.	Sep 2015	A1
20150264014	Budhani et al.	Sep 2015	A1
20150269494	Kardes et al.	Sep 2015	A1
20150271280	Zhang et al.	Sep 2015	A1
20150289220	Kim et al.	Oct 2015	A1
20150309923	Iwata et al.	Oct 2015	A1
20150319160	Ferguson et al.	Nov 2015	A1
20150324174	Bromley et al.	Nov 2015	A1
20150324182	Barros et al.	Nov 2015	A1
20150324229	Valine	Nov 2015	A1
20150332048	Mooring et al.	Nov 2015	A1
20150332195	Jue	Nov 2015	A1
20150334173	Coulmeau et al.	Nov 2015	A1
20150350701	Lemus et al.	Dec 2015	A1
20150356294	Tan et al.	Dec 2015	A1
20150363181	Alberti et al.	Dec 2015	A1
20150363304	Nagamalla et al.	Dec 2015	A1
20150370560	Tan et al.	Dec 2015	A1
20150370591	Tuch et al.	Dec 2015	A1
20150370592	Tuch et al.	Dec 2015	A1
20150371244	Neuse et al.	Dec 2015	A1
20150378762	Saladi et al.	Dec 2015	A1
20150378764	Sivasubramanian et al.	Dec 2015	A1
20150378765	Singh et al.	Dec 2015	A1
20150379167	Griffith et al.	Dec 2015	A1
20160011901	Hurwitz et al.	Jan 2016	A1
20160012099	Tuatini et al.	Jan 2016	A1
20160019081	Chandrasekaran et al.	Jan 2016	A1
20160019082	Chandrasekaran et al.	Jan 2016	A1
20160019536	Ortiz et al.	Jan 2016	A1
20160021112	Katieb	Jan 2016	A1
20160026486	Abdallah	Jan 2016	A1
20160048606	Rubinstein et al.	Feb 2016	A1
20160070714	D'Sa et al.	Mar 2016	A1
20160072727	Leafe et al.	Mar 2016	A1
20160077901	Roth et al.	Mar 2016	A1
20160092320	Baca	Mar 2016	A1
20160092493	Ko et al.	Mar 2016	A1
20160098285	Davis et al.	Apr 2016	A1
20160100036	Lo et al.	Apr 2016	A1
20160103739	Huang et al.	Apr 2016	A1
20160110188	Verde et al.	Apr 2016	A1
20160117163	Fukui et al.	Apr 2016	A1
20160117254	Susarla et al.	Apr 2016	A1
20160119289	Jain et al.	Apr 2016	A1
20160124665	Jain et al.	May 2016	A1
20160124978	Nithrakashyap et al.	May 2016	A1
20160140180	Park et al.	May 2016	A1
20160150053	Janczuk et al.	May 2016	A1
20160188367	Zeng	Jun 2016	A1
20160191420	Nagarajan et al.	Jun 2016	A1
20160203219	Hoch et al.	Jul 2016	A1
20160212007	Alatorre et al.	Jul 2016	A1
20160226955	Moorthi et al.	Aug 2016	A1
20160282930	Ramachandran et al.	Sep 2016	A1
20160285906	Fine et al.	Sep 2016	A1
20160292016	Bussard et al.	Oct 2016	A1
20160294614	Searle et al.	Oct 2016	A1
20160306613	Busi et al.	Oct 2016	A1
20160315910	Kaufman	Oct 2016	A1
20160350099	Suparna et al.	Dec 2016	A1
20160357536	Firlik et al.	Dec 2016	A1
20160364265	Cao et al.	Dec 2016	A1
20160364316	Bhat et al.	Dec 2016	A1
20160371127	Antony et al.	Dec 2016	A1
20160371156	Merriman	Dec 2016	A1
20160378449	Khazanchi et al.	Dec 2016	A1
20160378547	Brouwer et al.	Dec 2016	A1
20160378554	Gummaraju et al.	Dec 2016	A1
20170004169	Merrill et al.	Jan 2017	A1
20170041144	Krapf et al.	Feb 2017	A1
20170041309	Ekambaram et al.	Feb 2017	A1
20170060615	Thakkar et al.	Mar 2017	A1
20170060621	Whipple et al.	Mar 2017	A1
20170068574	Cherkasova et al.	Mar 2017	A1
20170075749	Ambichl et al.	Mar 2017	A1
20170083381	Cong et al.	Mar 2017	A1
20170085447	Chen et al.	Mar 2017	A1
20170085502	Biruduraju	Mar 2017	A1
20170085591	Ganda et al.	Mar 2017	A1
20170093684	Jayaraman et al.	Mar 2017	A1
20170093920	Ducatel et al.	Mar 2017	A1
20170134519	Chen et al.	May 2017	A1
20170147656	Choudhary et al.	May 2017	A1
20170149740	Mansour et al.	May 2017	A1
20170161059	Wood et al.	Jun 2017	A1
20170177854	Gligor et al.	Jun 2017	A1
20170188213	Nirantar et al.	Jun 2017	A1
20170221000	Anand	Aug 2017	A1
20170230262	Sreeramoju et al.	Aug 2017	A1
20170230499	Mumick et al.	Aug 2017	A1
20170249130	Smiljamic et al.	Aug 2017	A1
20170264681	Apte et al.	Sep 2017	A1
20170272462	Kraemer et al.	Sep 2017	A1
20170286143	Wagner et al.	Oct 2017	A1
20170286187	Chen et al.	Oct 2017	A1
20170308520	Beahan, Jr. et al.	Oct 2017	A1
20170315163	Wang et al.	Nov 2017	A1
20170329578	Iscen	Nov 2017	A1
20170346808	Anzai et al.	Nov 2017	A1
20170353851	Gonzalez et al.	Dec 2017	A1
20170364345	Fontoura et al.	Dec 2017	A1
20170371720	Basu et al.	Dec 2017	A1
20170371724	Wagner et al.	Dec 2017	A1
20170372142	Bilobrov	Dec 2017	A1
20180004555	Ramanathan et al.	Jan 2018	A1
20180004556	Marriner et al.	Jan 2018	A1
20180004575	Marriner et al.	Jan 2018	A1
20180046453	Nair et al.	Feb 2018	A1
20180046482	Karve et al.	Feb 2018	A1
20180060132	Maru et al.	Mar 2018	A1
20180060221	Yim et al.	Mar 2018	A1
20180060318	Yang et al.	Mar 2018	A1
20180067841	Mahimkar	Mar 2018	A1
20180067873	Pikhur et al.	Mar 2018	A1
20180069702	Ayyadevara et al.	Mar 2018	A1
20180081717	Li	Mar 2018	A1
20180089232	Spektor et al.	Mar 2018	A1
20180095738	Dürkop et al.	Apr 2018	A1
20180121245	Wagner et al.	May 2018	A1
20180121665	Anderson et al.	May 2018	A1
20180129684	Wilson et al.	May 2018	A1
20180143865	Wagner et al.	May 2018	A1
20180150339	Pan et al.	May 2018	A1
20180152401	Tandon et al.	May 2018	A1
20180152405	Kuo et al.	May 2018	A1
20180152406	Kuo et al.	May 2018	A1
20180192101	Bilobrov	Jul 2018	A1
20180225096	Mishra et al.	Aug 2018	A1
20180239636	Arora et al.	Aug 2018	A1
20180253333	Gupta	Sep 2018	A1
20180268130	Ghosh et al.	Sep 2018	A1
20180275987	Vandeputte	Sep 2018	A1
20180285101	Yahav et al.	Oct 2018	A1
20180300111	Bhat et al.	Oct 2018	A1
20180314845	Anderson et al.	Nov 2018	A1
20180316552	Subramani Nadar et al.	Nov 2018	A1
20180341504	Kissell	Nov 2018	A1
20180365422	Callaghan et al.	Dec 2018	A1
20180375781	Chen et al.	Dec 2018	A1
20190004866	Du et al.	Jan 2019	A1
20190028552	Johnson, II et al.	Jan 2019	A1
20190043231	Uzgin et al.	Feb 2019	A1
20190072529	Andrawes et al.	Mar 2019	A1
20190073430	Webster	Mar 2019	A1
20190079751	Foskett et al.	Mar 2019	A1
20190108058	Wagner et al.	Apr 2019	A1
20190140831	De Lima Junior et al.	May 2019	A1
20190141015	Nellen	May 2019	A1
20190147085	Pal et al.	May 2019	A1
20190155629	Wagner et al.	May 2019	A1
20190171423	Mishra et al.	Jun 2019	A1
20190171470	Wagner	Jun 2019	A1
20190179678	Banerjee et al.	Jun 2019	A1
20190179725	Mital et al.	Jun 2019	A1
20190180036	Shukla	Jun 2019	A1
20190188288	Holm et al.	Jun 2019	A1
20190196884	Wagner	Jun 2019	A1
20190227849	Wisniewski et al.	Jul 2019	A1
20190235848	Swiecki et al.	Aug 2019	A1
20190238590	Talukdar et al.	Aug 2019	A1
20190250937	Thomas et al.	Aug 2019	A1
20190268152	Sandoval et al.	Aug 2019	A1
20190286475	Mani	Sep 2019	A1
20190286492	Gulsvig Wood et al.	Sep 2019	A1
20190303117	Kocberber et al.	Oct 2019	A1
20190311115	Lavi et al.	Oct 2019	A1
20190318312	Foskett et al.	Oct 2019	A1
20190324813	Bogineni et al.	Oct 2019	A1
20190361802	Li et al.	Nov 2019	A1
20190363885	Schiavoni et al.	Nov 2019	A1
20190384647	Reque et al.	Dec 2019	A1
20190391834	Mullen et al.	Dec 2019	A1
20190391841	Mullen et al.	Dec 2019	A1
20200007456	Greenstein et al.	Jan 2020	A1
20200026527	Xu et al.	Jan 2020	A1
20200028936	Gupta et al.	Jan 2020	A1
20200057680	Marriner et al.	Feb 2020	A1
20200065079	Kocberber et al.	Feb 2020	A1
20200073770	Mortimore, Jr. et al.	Mar 2020	A1
20200073987	Perumala et al.	Mar 2020	A1
20200081745	Cybulski et al.	Mar 2020	A1
20200104198	Hussels et al.	Apr 2020	A1
20200104378	Wagner et al.	Apr 2020	A1
20200110691	Bryant et al.	Apr 2020	A1
20200120120	Cybulski	Apr 2020	A1
20200136933	Raskar	Apr 2020	A1
20200153897	Mestery et al.	May 2020	A1
20200167208	Floes et al.	May 2020	A1
20200192646	Yerramreddy et al.	Jun 2020	A1
20200192707	Brooker et al.	Jun 2020	A1
20200213151	Srivatsan et al.	Jul 2020	A1
20200327236	Pratt et al.	Oct 2020	A1
20200366587	White et al.	Nov 2020	A1
20200412707	Siefker et al.	Dec 2020	A1
20200412720	Siefker et al.	Dec 2020	A1
20200412825	Siefker et al.	Dec 2020	A1
20210081233	Mullen et al.	Mar 2021	A1
20210117534	Maximov et al.	Apr 2021	A1
20210157645	Yanacek et al.	May 2021	A1
20210232415	Wagner et al.	Jul 2021	A1
20210389963	Wagner	Dec 2021	A1
20220004423	Brooker et al.	Jan 2022	A1
20220012083	Brooker et al.	Jan 2022	A1

Foreign Referenced Citations (66)

Number	Date	Country
2975522	Aug 2016	CA
1341238	Mar 2002	CN
101002170	Jul 2007	CN
101267334	Sep 2008	CN
101345757	Jan 2009	CN
101496005	Jul 2009	CN
101627388	Jan 2010	CN
101640700	Feb 2010	CN
102420846	Apr 2012	CN
103098027	May 2013	CN
103384237	Nov 2013	CN
103731427	Apr 2014	CN
104243479	Dec 2014	CN
105122243	Dec 2015	CN
112513813	Mar 2021	CN
2663052	Nov 2013	EP
3201762	Aug 2017	EP
3254434	Dec 2017	EP
3356938	Aug 2018	EP
3201768	Dec 2019	EP
3811209	Apr 2021	EP
3814895	May 2021	EP
3857375	Aug 2021	EP
2002287974	Oct 2002	JP
2006-107599	Apr 2006	JP
2007-080161	Mar 2007	JP
2007-538323	Dec 2007	JP
2010-026562	Feb 2010	JP
2011-065243	Mar 2011	JP
2011-233146	Nov 2011	JP
2011257847	Dec 2011	JP
2013-156996	Aug 2013	JP
2014-525624	Sep 2014	JP
2017-534107	Nov 2017	JP
2017-534967	Nov 2017	JP
2018-503896	Feb 2018	JP
2018-512087	May 2018	JP
2018-536213	Dec 2018	JP
10-357850	Oct 2002	KR
WO 2008114454	Sep 2008	WO
WO 2009137567	Nov 2009	WO
WO 2012039834	Mar 2012	WO
WO 2012050772	Apr 2012	WO
WO 2013106257	Jul 2013	WO
WO 2015078394	Jun 2015	WO
WO 2015108539	Jul 2015	WO
WO 2015149017	Oct 2015	WO
WO 2016053950	Apr 2016	WO
WO 2016053968	Apr 2016	WO
WO 2016053973	Apr 2016	WO
WO 2016090292	Jun 2016	WO
WO 2016126731	Aug 2016	WO
WO 2016164633	Oct 2016	WO
WO 2016164638	Oct 2016	WO
WO 2017059248	Apr 2017	WO
WO 2017112526	Jun 2017	WO
WO 2017172440	Oct 2017	WO
WO 2018005829	Jan 2018	WO
WO 2018098443	May 2018	WO
WO 2018098445	May 2018	WO
WO 2020005764	Jan 2020	WO
WO 2020006081	Jan 2020	WO
WO 2020069104	Apr 2020	WO
WO 2020123439	Jun 2020	WO
WO 2020264431	Dec 2020	WO
WO 2021108435	Jun 2021	WO

Non-Patent Literature Citations (139)

Entry
Tim Dornemann; On-Demand Resource Provisioning for BPEL Workflows Using Amazon's Elastic Compute Cloud; 2009; (Year: 2009).
Anonymous: “Docker run reference”, Dec. 7, 2015, XP055350246, Retrieved from the Internet: URL:https://web.archive.org/web/20151207111702/https:/docs.docker.com/engine/reference/run/[retrieved on Feb. 28, 2017].
Adapter Pattern, Wikipedia, https://en.wikipedia.org/w/index.php?title=Adapter_pattern&oldid=654971255, [retrieved May 26, 2016], 6 pages.
Amazon, “AWS Lambda: Developer Guide”, Retrieved from the Internet, Jun. 26, 2016, URL : http://docs.aws.amazon.com/lambda/ latest/dg/lambda-dg.pdf, 346 pages.
Amazon, “AWS Lambda: Developer Guide”, Retrieved from the Internet, 2019, URL : http://docs.aws.amazon.com/lambda/ latest/dg/lambda-dg.pdf, 521 pages.
Balazinska et al., Moirae: History-Enhanced Monitoring, Published: 2007, 12 pages.
Ben-Yehuda et al., “Deconstructing Amazon EC2 Spot Instance Pricing”, ACM Transactions on Economics and Computation 1.3, 2013, 15 pages.
Bhadani et al., Performance evaluation of web servers using central load balancing policy over virtual machines on cloud, Jan. 2010, 4 pages.
CodeChef Admin discussion web page, retrieved from https://discuss.codechef.com/t/what-are-the-memory-limit-and-stack-size-on-codechef/14159, 2019.
CodeChef IDE web page, Code, Compile & Run, retrieved from https://www.codechef.com/ide, 2019.
Czajkowski, G., and L. Daynes, Multitasking Without Compromise: A Virtual Machine Evolution 47(4a):60-73, ACM SIGPLAN Notices—Supplemental Issue, Apr. 2012.
Das et al., Adaptive Stream Processing using Dynamic Batch Sizing, 2014, 13 pages.
Deis, Container, 2014, 1 page.
Dombrowski, M., et al., Dynamic Monitor Allocation in the Java Virtual Machine, JTRES '13, Oct. 9-11, 2013, pp. 30-37.
Dynamic HTML, Wikipedia page from date Mar. 27, 2015, retrieved using the WayBackMachine, from https://web.archive.org/web/20150327215418/https://en.wikipedia.org/wiki/Dynamic_HTML, 2015, 6 pages.
Espadas, J., et al., A Tenant-Based Resource Allocation Model for Scaling Software-as-a-Service Applications Over Cloud Computing Infrastructures, Future Generation Computer Systems, vol. 29, pp. 273-286, 2013.
Han et al., Lightweight Resource Scaling for Cloud Applications, 2012, 8 pages.
Hoffman, Auto scaling your website with Amazon Web Services (AWS)—Part 2, Cardinalpath, Sep. 2015, 15 pages.
http://discuss.codechef.com discussion web page from date Nov. 11, 2012, retrieved using the WayBackMachine, from https://web.archive.org/web/20121111040051/http://discuss.codechef.com/questions/2881 /why-are-simple-java-programs-using-up-so-much-space, 2012.
https://www.codechef.com code error help page from Jan. 2014, retrieved from https://www.codechef.com/JAN14/status/ERROR,va123, 2014.
http://www.codechef.com/ide web page from date Apr. 5, 2015, retrieved using the WayBackMachine, from https://web.archive.org/web/20150405045518/http://www.codechef.com/ide, 2015.
Kamga et al., Extended scheduler for efficient frequency scaling in virtualized systems, Jul. 2012, 8 pages.
Kato, et al. “Web Service Conversion Architecture of the Web Application and Evaluation”; Research Report from Information Processing Society, Apr. 3, 2006 with Machine Translation.
Kazempour et al., AASH: an asymmetry-aware scheduler for hypervisors, Jul. 2010, 12 pages.
Kraft et al., 10 performance prediction in consolidated virtualized environments, Mar. 2011, 12 pages.
Krsul et al., “VMPlants: Providing and Managing Virtual Machine Execution Environments for Grid Computing”, Supercomputing, 2004. Proceedings of the ACM/IEEESC 2004 Conference Pittsburgh, PA, XP010780332, Nov. 6-12, 2004, 12 pages.
Meng et al., Efficient resource provisioning in compute clouds via VM multiplexing, Jun. 2010, 10 pages.
Merkel, “Docker: Lightweight Linux Containers for Consistent Development and Deployment”, Linux Journal, vol. 2014 Issue 239, Mar. 2014, XP055171140, 16 pages.
Monteil, Coupling profile and historical methods to predict execution time of parallel applications. Parallel and Cloud Computing, 2013, <hal-01228236, pp. 81-89.
Nakajima, J., et al., Optimizing Virtual Machines Using Hybrid Virtualization, SAC '11, Mar. 21-25, 2011, TaiChung, Taiwan, pp. 573-578.
Qian, H., and D. Medhi, et al., Estimating Optimal Cost of Allocating Virtualized Resources With Dynamic Demand, ITC 2011, Sep. 2011, pp. 320-321.
Sakamoto, et al. “Platform for Web Services using Proxy Server”; Research Report from Information Processing Society, Mar. 22, 2002, vol. 2002, No. 31.
Shim (computing), Wikipedia, https://en.wikipedia.org/w/index.php?title+Shim_(computing)&oldid+654971528, [retrieved on May 26, 2016], 2 pages.
Stack Overflow, Creating a database connection pool, 2009, 4 pages.
Tan et al., Provisioning for large scale cloud computing services, Jun. 2012, 2 pages.
Tange, “GNU Parallel: The Command-Line Power Tool”, vol. 36, No. 1, Jan. 1, 1942, pp. 42-47.
Vaghani, S.B., Virtual Machine File System, ACM SIGOPS Operating Systems Review 44(4):57-70, Dec. 2010.
Vaquero, L., et al., Dynamically Scaling Applications in the cloud, ACM SIGCOMM Computer Communication Review 41 (1):45-52, Jan. 2011.
Wang et al., “Improving utilization through dynamic VM resource allocation in hybrid cloud environment”, Parallel and Distributed V Systems (ICPADS), IEEE, 2014. Retrieved on Feb. 14, 2019, Retrieved from the internet: URL<https://ieeexplore.ieee.org/stamp/stamp.jsp?tp-&arnumber±7097814, 8 pages.
Wikipedia “API” pages from date Apr. 7, 2015, retrieved using the WayBackMachine from https://web.archive.org/web/20150407191158/https://en.wikipedia.org/wiki/Application_programming_interface.
Wikipedia List_of_HTTP status_codes web page, retrieved from https://en.wikipedia.org/wiki/List_of_HTTP status_codes, 2019.
Wikipedia Recursion web page from date Mar. 26, 2015, retrieved using the WayBackMachine, from https://web.archive.org/web/20150326230100/https://en .wikipedia.org/wiki/Recursion_(computer_science), 2015.
Wikipedia subroutine web page, retrieved from https://en.wikipedia.org/wiki/Subroutine, 2019.
Wu et al., HC-Midware: A Middleware to Enable High Performance Communication System Simulation in Heterogeneous Cloud, Association for Computing Machinery, Oct. 20-22, 2017, 10 pages.
Yamasaki et al. “Model-based resource selection for efficient virtual cluster deployment”, Virtualization Technology in Distributed Computing, ACM, Nov. 2007, pp. 1-7.
Yue et al., AC 2012-4107: Using Amazon EC2 in Computer and Network Security Lab Exercises: Design, Results, and Analysis, 2012, American Society for Engineering Education 2012.
Zheng, C., and D. Thain, Integrating Containers into Workflows: A Case Study Using Makeflow, Work Queue, and Docker, VTDC '15, Jun. 15, 2015, Portland, Oregon, pp. 31-38.
International Search Report and Written Opinion in PCT/US2015/052810 dated Dec. 17, 2015.
International Preliminary Report on Patentability in PCT/US2015/052810 dated Apr. 4, 2017.
Extended Search Report in European Application No. 15846932.0 dated May 3, 2018.
International Search Report and Written Opinion in PCT/US2015/052838 dated Dec. 18, 2015.
International Preliminary Report on Patentability in PCT/US2015/052838 dated Apr. 4, 2017.
Extended Search Report in European Application No. 15847202.7 dated Sep. 9, 2018.
Extended Search Report in European Application No. 19199402.9 dated Mar. 6, 2020.
International Search Report and Written Opinion in PCT/US2015/052833 dated Jan. 13, 2016.
International Preliminary Report on Patentability in PCT/US2015/052833 dated Apr. 4, 2017.
Extended Search Report in European Application No. 15846542.7 dated Aug. 27, 2018.
International Search Report and Written Opinion in PCT/US2015/064071 dated Mar. 16, 2016.
International Preliminary Reporton Patentability in PCT/US2015/064071 dated Jun. 6, 2017.
International Search Report and Written Opinion in PCT/US2016/016211 dated Apr. 13, 2016.
International Preliminary Reporton Patentability in PCT/US2016/016211 dated Aug. 17, 2017.
International Search Report and Written Opinion in PCT/US2016/026514 dated Jun. 8, 2016.
International Preliminary Reporton Patentability in PCT/US2016/026514 dated Oct. 10, 2017.
International Search Report and Written Opinion in PCT/US2016/026520 dated Jul. 5, 2016.
International Preliminary Report on Patentability in PCT/US2016/026520 dated Oct. 10, 2017.
International Search Report and Written Opinion in PCT/US2016/054774 dated Dec. 16, 2016.
International Preliminary Report on Patentability in PCT/US2016/054774 dated Apr. 3, 2018.
International Search Report and Written Opinion in PCT/US2016/066997 dated Mar. 20, 2017.
International Preliminary Report on Patentability in PCT/US2016/066997 dated Jun. 26, 2018.
International Search Report and Written Opinion in PCT/US/2017/023564 dated Jun. 6, 2017.
International Preliminary Report on Patentability in PCT/US/2017/023564 dated Oct. 2, 2018.
International Search Report and Written Opinion in PCT/US2017/040054 dated Sep. 21, 2017.
International Preliminary Report on Patentability in PCT/US2017/040054 dated Jan. 1, 2019.
International Search Report and Written Opinion in PCT/US2017/039514 dated Oct. 10, 2017.
International Preliminary Reporton Patentability in PCT/US2017/039514 dated Jan. 1, 2019.
Extended European Search Report in application No. 17776325.7 dated Oct. 23, 2019.
Office Action in European Application No. 17743108.7 dated Jan. 14, 2020.
Bebenita et al., “Trace-Based Compilation in Execution Environments without Interpreters,” ACM, Copyright 2010, 10 pages.
Bryan Liston, “Ad Hoc Big Data Processing Made Simple with Serverless Map Reduce”, Nov. 4, 2016, Amazon Web Services <https :/laws. amazon .com/bl ogs/compute/ad-hoc-big-data-processi ng-made-si mple-with-serverless-mapred uce >.
Dean et al., “MapReduce: Simplified Data Processing on Large Clusters”, ACM, 2008, pp. 107-113.
Ekanayake et al., “Twister: A Runtime for Iterative MapReduce”, ACM, 2010, pp. 810-818.
Fan et al., Online Optimization of VM Deployment in IaaS Cloud, 2012, 6 pages.
Ha et al., A Concurrent Trace-based Just-In-Time Compiler for Single-threaded JavaScript, utexas.edu (Year: 2009).
Hammoud et al., “Locality-Aware Reduce Task Scheduling for MapReduce”, IEEE, 2011, pp. 570-576.
Huang, Zhe, Danny HK Tsang, and James She. “A virtual machine consolidation framework for mapreduce enabled computing clouds.” 2012 24th International Teletraffic Congress (ITC 24). IEEE, 2012. (Year: 2012).
Kim et al., “MRBench: A Benchmark for Map-Reduce Framework”, IEEE, 2008, pp. 11-18.
Lagar-Cavilla, H. Andres, et al. “Snowflock: Virtual machine cloning as a first-class cloud primitive.” ACM Transactions on Computer Systems (TOCS) 29.1 (2011): 1-45. (Year: 2011).
Lin, “MR-Apriori: Association Rules Algorithm Based on MapReduce”, IEEE, 2014, pp. 141-144.
Search Query Report from IP.com, performed Dec. 2, 2020.
Wood, Timothy, et al. “Cloud Net: dynamic pooling of cloud resources by live WAN migration of virtual machines.” ACM Sigplan Notices 46.7 (2011): 121-132. (Year: 2011).
Yang, The Application of MapReduce in the Cloud Computing:, IEEE, 2011, pp. 154-156.
Zhang et al., VMThunder: Fast Provisioning of Large-Scale Virtual Machine Clusters, IEEE Transactions on Parallel and Distributed Systems, vol. 25, No. 12, Dec. 2014, pp. 3328-3338.
Office Action in Chinese Application No. 201580053106.0, dated Jul. 1, 2020, (English Translation Not Yet Received).
Office Action in Canadian Application No. 2,962,633 dated May 21, 2020.
Office Action in European Application No. 19199402.9 dated Mar. 23, 2021.
Office Action in Japanese Application No. 2017-516160 dated Jan. 15, 2018.
Notice of Allowance in Japanese Application No. 2017-516160 dated May 8, 2018.
Office Action in Canadian Application No. 2,962,631 dated May 19, 2020.
Office Action in Indian Application No. 201717013356 dated Jan. 22, 2021.
Office Action in Japanese Application No. 2017-516168 dated Mar. 26, 2018.
Office Action in Indian Application No. 201717019903 dated May 18, 2020.
Office Action in Australian Application No. 2016215438 dated Feb. 26, 2018.
Notice of Allowance in Australian Application No. 2016215438 dated Nov. 19, 2018.
Office Action in Canadian Application No. 2,975,522 dated Jun. 5, 2018.
Notice of Allowance in Canadian Application No. 2,975,522 dated Mar. 13, 2020.
Office Action in Indian Application No. 201717027369 dated May 21, 2020.
First Examination Report for Indian Application No. 201717034806 dated Jun. 25, 2020.
Office Action in European Application No. 16781265.0 dated Jul. 13, 2020.
Office Action in European Application No. 201817013748 dated Nov. 20, 2020.
Office Action in European Application No. 16823419.3 dated Mar. 12, 2021.
Office Action in European Application No. 17776325.7 dated Apr. 12, 2021.
Office Action in European Application No. 17740533.9 dated May 4, 2021.
Office Action in European Application No. 17743108.7 dated Dec. 22, 2020.
International Search Report and Written Opinion dated Oct. 15, 2019 for International Application No. PCT/US2019/039246 in 16 pages.
International Preliminary Report on Patentability dated Dec. 29, 2020 for International Application No. PCT/US2019/039246 in 8 pages.
International Search Report for Application No. PCT/US2019/038520 dated Aug. 14, 2019.
International Preliminary Report on Patentability for Application No. PCT/US2019/038520 dated Dec. 29, 2020.
International Preliminary Report on Patentability and Written Opinion in PCT/US2019/053123 dated Mar. 23, 2021.
International Search Report and Written Opinion in PCT/US2019/053123 dated Jan. 7, 2020.
International Search Report for Application No. PCT/US2019/065365 dated Mar. 19, 2020.
International Search Report for Application No. PCT/US2020/039996 dated Oct. 8, 2020.
International Search Report for Application No. PCT/US2020/062060 dated Mar. 5, 2021.
Amazon, “AWS Lambda: Developer Guide”, Jun. 26, 2016 Retrieved from the Internet, URL:http://docs.aws.amazon.com/lambda/latest/dg/lambda-dg.pdf, [retrieved on Aug. 30, 2017], 314 pages.
Ryden et al., “Nebula: Distributed Edge Cloud for Data-Intensive Computing”, IEEE, 2014, pp. 491-492.
Search Query Report from IP.com, performed May 27, 2021.
Office Action in Chinese Application No. 202110268031.5, dated Sep. 3, 2021.
Office Action in Canadian Application No. 2,962,633 dated Jun. 18, 2021.
Office Action in European Application No. 19199402.9 dated Dec. 3, 2021 in 4 pages.
Office Action in Canadian Application No. 2,962,631 dated May 31, 2021.
Office Action in Chinese Application No. 201680020768.2 dated May 14, 2021 in 23 pages.
Office Action in Chinese Application No. 201680020768.2 dated Sep. 24, 2021 in 20 pages.
Office Action in Chinese Application No. 2016800562398 dated Jun. 18, 2021.
Office Action in Chinese Application No. 201680072794X dated Jun. 22, 2021.
Office Action in Chinese Application No. 201780022789.2 dated Apr. 28, 2021.
Office Action in Chinese Application No. 2017800451968 dated May 26, 2021.
Office Action in Chinese Application No. 2017800451968 dated Dec. 3, 2021 in 20 pages.
Office Action in Japanese Application No. 2020-572441 dated Dec. 22, 2021 in 8 pages.
International Preliminary Report on Patentability for Application No. PCT/US2019/065365 dated Jun. 8, 2021.
International Preliminary Report on Patentability for Application No. PCT/US2020/039996 dated Jan. 6, 2022.

Related Publications (1)

	Number	Date	Country
	20200341799 A1	Oct 2020	US

Continuations (2)

	Number	Date	Country
Parent	15676777	Aug 2017	US
Child	16778437		US
Parent	14613735	Feb 2015	US
Child	15676777		US

Security protocols for low latency execution of program code

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

Field of Search

CPC

International Classifications

Disclaimer

Abstract