(12) United States Patent
Veselov et al.

(10) Patent No.: US 11,216,563 B1
(45) Date of Patent: Jan. 4, 2022

(54) SECURITY ASSESSMENT OF VIRTUAL COMPUTING ENVIRONMENT USING LOGICAL VOLUME IMAGE

(71) Applicant: Amazon Technologies, Inc., Seattle, WA (US)

(72) Inventors: Vladimir Veselov, Ashburn, VA (US); Aparna Nagargadde, Herndon, VA (US); Adrian-Radu Grajdeanu, Great Falls, VA (US)

(73) Assignee: Amazon Technologies, Inc., Seattle, WA (US)

( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 141 days.

Appl. No.: 15/600,554

Filed: May 19, 2017

Int. Cl.
G06F 21/00 (2013.01)
G06F 21/57 (2013.01)
H04L 29/06 (2006.01)
G06F 9/455 (2018.01)

(52) U.S. Cl.
CPC: G06F 21/577 (2013.01); G06F 9/45558 (2013.01); H04L 63/1433 (2013.01); G06F 2009/45587 (2013.01); G06F 2221/034 (2013.01)

(58) Field of Classification Search
CPC: G06F 21/577; G06F 9/45558; G06F 2009/45587; G06F 2221/034; H04L 63/1433
See application file for complete search history.

Primary Examiner — Trong H Nguyen
Assistant Examiner — Michael M Lee
(74) Attorney, Agent, or Firm — Nicholson De Vos Webster & Elliott LLP

(57) ABSTRACT

Systems for performing a security assessment of a target computing resource, such as a virtual machine or an instance of a virtual machine, include a scanning service that facilitates duplication of all or a portion of the target computing resource, and then performs the security assessment on the duplicate computing resource to avoid consuming processing time, processing power, and storage space of the target computing resource. A snapshot of the target computing resource, containing the data necessary to reproduce the portion to be assessed, is captured and used to implement the duplicate computing resource in newly allocated resources. The snapshot can be an image of a logical volume implementing the target computing resource. To reproduce a target virtual machine, the snapshot may include a configuration used to instantiate the target virtual machine; the scanning service may implement a duplicate virtual machine that is instantiated with the same configuration.

19 Claims, 9 Drawing Sheets

[Front-page drawing: flow diagram 400, the method for assessing a virtual machine from a logical volume image snapshot; the same flow diagram appears on Sheet 5 of 9.]

WIZ, Inc. EXHIBIT - 1007
WIZ, Inc. v. Orca Security LTD.

[FIG. 1: diagram of computing environment 100. Labelled elements: user device 102; Computing Resource Service Provider 104; Snapshot Storage 108; Scanning Service 110; virtual machines 112; Environment API 120; Scan Configs 130; Assessment Results 132; Server Computers 142; Virtualization Layer 144; Snapshot Data 146.]

[FIG. 2, Sheet 2 of 9: flow diagram 200, reference numerals 202 to 212. Steps in order: RECEIVE COMMAND TO EXECUTE ASSESSMENT OF TARGET RESOURCE; OBTAIN ASSESSMENT PARAMETERS; OBTAIN SNAPSHOT DATA REPRESENTING STATE OF TARGET RESOURCE; GENERATE SCANNABLE VOLUME; PERFORM ASSESSMENT ON SCANNABLE VOLUME; PROVIDE/STORE ASSESSMENT RESULTS. Also labelled: Scan Configs 130, Assessment Results 132, and reference numeral 146.]

[FIG. 3A, Sheet 3 of 9: system diagram. Labels on the sheet: Computing Resource Service Provider 300; Virtual Computing Environment 304A; Virtual Machine; Volume Image; API; Scanning Service; Scan Configs; Test Environment 305; Hypervisor; Assessment VM; OS 360, RUNTIME 362, APPLICATIONS 364, FILES 366; OS 360A, RUNTIME 362A, APPLICATIONS 364A, FILES 366A. Other reference numerals shown include 302, 306, 308, 310, 312, 312A, 316, 317, 330, 338, 340.]

[FIG. 3B, Sheet 4 of 9: system diagram. Labels on the sheet: Computing Resource Service Provider 350; Virtual Machine; Hypervisor; Assessment VM; SECURITY AGENT 330; Scanning Service; API; Scan Configs; User Resources; OS 360, APPLICATIONS 364, FILES 366; OS 360A, APPLICATIONS 364A, FILES 366A. Other reference numerals shown include 302, 306, 308, 310, 312, 316, 318, 338, 340, 342.]

[FIG. 4, Sheet 5 of 9: flow diagram 400, reference numerals 402 to 416. Steps in order: RECEIVE COMMAND TO EXECUTE ASSESSMENT OF VIRTUAL MACHINE; OBTAIN LOGICAL VOLUME IMAGE SNAPSHOT OF TARGET VM; REQUEST PROVISION, BASED ON SNAPSHOT, OF NEW VM FOR ASSESSMENT (side box: VM MANAGER GENERATES ASSESSMENT VM WITH IDENTICAL STATE TO TARGET VM AT TIME OF SNAPSHOT); RECEIVE ASSESSMENT VM IDENTIFIER; ASSOCIATE ASSESSMENT VM WITH TARGET VM; INSTALL ASSESSMENT AGENT IN ASSESSMENT VM; PERFORM ASSESSMENT ON ASSESSMENT VM; PROVIDE/STORE ASSESSMENT RESULTS.]

[FIG. 5A, Sheet 6 of 9: system diagram. Labels on the sheet: Virtual Computing Environment 504A; Virtual Machine; Volume Image; Scanning Service; Provisioning Svc; Block Device; Test Environment 505; OS 560, RUNTIME 562, APPLICATIONS 564, FILES 566; OS 560A, RUNTIME 562A, APPLICATIONS 564A, FILES 566A. Other reference numerals shown include 502, 506, 508, 510, 512, 516, 517.]

[FIG. 5B, Sheet 7 of 9: system diagram. Labels on the sheet: Virtual Computing Environment 504B; Virtual Machine; Hypervisor; Scanning Service; Block-Level Snapshot; OS 560, RUNTIME 562, APPLICATIONS 564, FILES 566; OS 560A, RUNTIME 562A, APPLICATIONS 564A, FILES 566A. Other reference numerals shown include 502, 506, 508, 510, 512A, 516, 518, 550.]

[FIG. 6, Sheet 8 of 9: flow diagram 600, reference numerals 602 to 616. Steps in order: RECEIVE SIGNAL TO EXECUTE ASSESSMENT OF VIRTUAL MACHINE; OBTAIN SNAPSHOT OF BLOCK-LEVEL STORAGE DEVICE IN TARGET VM; REQUEST PROVISION, BASED ON SNAPSHOT, OF NEW BLOCK-LEVEL STORAGE DEVICE (side box: PROVISIONING SERVICE GENERATES NEW STORAGE VOLUME); IDENTIFY FILE SYSTEM OF SNAPSHOT; MOUNT SNAPSHOT TO NEW STORAGE VOLUME AS READ-ONLY FILE SYSTEM; ATTACH NEW STORAGE VOLUME TO INSTANCE; PERFORM ASSESSMENT ON NEW STORAGE VOLUME; PROVIDE/STORE ASSESSMENT RESULTS.]

[FIG. 7, Sheet 9 of 9: diagram of environment 700. Labels on the sheet: Network; Web Server; Application Server; Production; Log; User information. Reference numerals shown: 702, 704, 706, 708, 710, 712, 714, 716.]

SECURITY ASSESSMENT OF VIRTUAL COMPUTING ENVIRONMENT USING LOGICAL VOLUME IMAGE

BACKGROUND

Generally described, computing devices utilize a communication network, or a series of communication networks, to exchange data. Companies and organizations operate computer networks that interconnect a number of computing devices to support operations or provide services to third parties. The computing systems may be located in a single geographic location or located in multiple, distinct geographic locations (e.g., interconnected via private or public communication networks). Specifically, data centers or data processing centers, herein generally referred to as a "data center," may include a number of interconnected computing systems to provide computing resources to users of the data center. The data centers may be private data centers operated on behalf of an organization or public data centers operated on behalf, or for the benefit of, the general public.

To facilitate increased utilization of data center resources, virtualization technologies may allow a single physical computing device to host one or more instances of virtual machines that appear and operate as independent computing devices to users of a data center. The single physical computing device may create, maintain, delete, or otherwise manage virtual machines in a dynamic manner. In some scenarios, various computing devices may be associated with different combinations of operating systems or operating system configurations, virtualized hardware resources, and software applications to enable a computing device to provide different desired functionalities, or to provide similar functionalities more efficiently. Virtual machines may themselves be partitioned into multiple isolated virtual systems, called "containers." The virtual machine controls allocation of resources such as processing power and memory, and each container has its own process and network space in which the container may, for example, execute software programs.

In such a system, a service provider may operate networks of systems to provide access to software using varying numbers of virtual machine resources. The large numbers of customers, end users, virtual machine configurations, software packages, and hardware computing devices invite security issues to arise. The service provider may thus provide or enable security assessment services that analyze the behavior of computing resources to identify vulnerabilities, bad configurations, and the like.

BRIEF DESCRIPTION OF THE DRAWINGS

The detailed description is set forth with reference to the accompanying figures. The use of the same reference numbers in different figures indicates similar or identical items or features.

FIG. 1 is a diagram illustrating an example system for executing an example security assessment of a virtual computing environment, in accordance with the present disclosure;

FIG. 2 is a flow diagram of an example method for executing the security assessment of one or more virtual machines in the virtual computing environment;

FIG. 3A is a diagram illustrating an example system for executing a security assessment of a virtual machine using a test environment, in accordance with the present disclosure;

FIG. 3B is a diagram illustrating another example system for executing an example security assessment of a virtual machine, in accordance with the present disclosure;

FIG. 4 is a flow diagram of another example method for executing the security assessment of one or more virtual machines in the virtual computing environment;

FIG. 5A is a diagram illustrating another example system for executing a security assessment of a virtual machine using a test environment, in accordance with the present disclosure;

FIG. 5B is a diagram illustrating another example system for executing an example security assessment of a virtual machine, in accordance with the present disclosure;

FIG. 6 is a flow diagram of another example method for executing the security assessment of one or more virtual machines in the virtual computing environment; and

FIG. 7 is a diagram of an environment in which various embodiments of the present disclosure can be implemented.

DETAILED DESCRIPTION

In various embodiments, including without limitation the example embodiments illustrated and described herein, the present disclosure provides systems and methods for performing security assessments of virtualized compute resources and the hardware computing devices that implement them. The presently described systems and methods are particularly suited for security assessments performed in a data center at any level of abstraction, non-limiting examples including: block-level storage devices, memory, hard disk drives, and other physical volumes; file systems; logical volumes and partitions; operating systems and virtual file systems; application-specific frameworks; and virtual machines and virtual environments implementing virtual machines. The present disclosure contemplates implementation of any suitable security assessment, including security assessments that are defined by rules packages, such as Common Vulnerabilities and Exposures (CVEs), Center for Internet Security (CIS) benchmarks, "best practices" packages, static or runtime behavior analysis, host configuration assessments, and the like.

The present systems and methods overcome drawbacks of existing security assessment systems, such as allocation and overuse of processing power, unavailability of resources services that are part of the assessment, and complexity of installation and monitoring of the assessment system. A security assessment may involve sending requests and/or other information to one or more targets, such as a virtual machine, a group of interconnected virtual machines, a container of a virtual machine, a software application, a service, a server, a hard disk drive or logical volume, etc., recording how the one or more targets respond, and comparing the response data to security rules to determine whether the target is vulnerable. The security of the target can be evaluated based on how the target(s) respond during the assessment. Performing a robust security assessment on a target computing device, such as a server, may reduce the target computing device's capabilities. For example, a server that is the target of a security assessment may not be capable of responding to a client as quickly as normal, or may not be capable of providing content as quickly as possible because processor time and memory of the target is used to perform the assessment instead of running its normal workload.

This problem may become more acute when the target of the security assessment is a service or distributed application being provided using a distributed computing environment (e.g., a "cloud" computing environment). In such a computing environment, the physical computing device that provides the service or distributed application may change over time (including, e.g., the servers hosting the target, network address(es) associated with the physical computing devices hosting the target, etc.). Additionally, in some cases, the service provider (i.e., the entity operating the infrastructure used to run the service or distributed application) may monitor the use of computing resources; a security assessment executed using the computing resources may be costly monetarily, as well as requiring an extended period of downtime. Further exacerbating these problems, some security assessments may evaluate targets or connections that exist only within a virtual computing environment (i.e., a virtual network effectuated by the service provider), and may not be accessible from outside of the virtual computing environment. In such cases, the security assessment must be performed inside the environment, which may require the installation of secure software modules in the target resources.

The present disclosure describes a scanning system and associated methods for performing security assessments on virtualized reproductions of the computing resource(s) that is/are the target of the security assessment. In various embodiments, the scanning system obtains, or obtains access to, a state of the resource at a point in time (e.g., a "snapshot") prior to, or in conjunction with, initiating the security assessment. The snapshot may include all of the data needed to recreate the state of the computing resource within a duplicate, virtual computing resource. For example, the target computing resource may be an instance of a virtual machine implemented within block-level storage device resources allocated to a logical volume. The snapshot may be a copy of the state of memory, the state of any devices (virtual or physical) allocated to the resource, block-level image of the entire logical volume; or, the snapshot may be an image of only a portion of the logical volume containing the data required to embody an exact copy of the virtual machine instance; or the snapshot may simply be a copy of certain files of the target computing resource, such as a database of software packages installed in a virtual machine.

The scanning system may then obtain the computing resources needed to implement a copy of the virtual machine instance, such as by allocating another logical volume from available data storage resources. In some embodiments, the resources for the duplicate virtual machine instance may be within a virtual computing environment of the original virtual machine instance, while in certain embodiments the duplicate virtual machine instance may be implemented outside of the original virtual computing environment, such as within an account of the service provider used to perform analysis on resources. The scanning system may implement the duplicate virtual machine instance in any manner that allows the scanning system to perform the desired security assessment on the duplicate instance. In one embodiment, the scanning system may set up and launch an active virtual machine instance in the allocated computing resources, the active virtual machine instance having the same configuration as the original virtual machine instance had at the time the snapshot was captured; the system may then perform the security assessment on the active virtual machine instance in a static or runtime environment. In another embodiment, the scanning system may mount the logical volume (or transform the snapshot into a data file by identifying the file system of the original logical volume and then mount the snapshot in the duplicate logical volume) as a hard drive with data stored thereon; the system may then perform the security assessment on the data at the file system level.

In any case, the snapshot is prepared so that the security assessment produces the results that the scanning system otherwise would have obtained if the security assessment were performed on the original virtual machine instance. The scanning system may store the assessment results, or provide them to an owner or administrator of the virtual machine in order to evaluate the vulnerabilities of the target resources. The scanning system may then delete the snapshot or alternatively store the snapshot in the account of the user so that the user can perform additional analysis on the snapshot. In some embodiments, the scanning system may enable the owner to authorize periodic assessments of the target resources via a user interface, and then may obtain and analyze snapshots on a scheduled basis. The scanning system may perform historical analysis of multiple sequential snapshots stored in a database, to identify changes in the virtual computing environment that may have caused or resolved certain vulnerabilities.

Referring to FIG. 1, embodiments of the present disclosure may operate within or upon a computing environment 100 in which users, e.g., developers, customers, administrators, and other "users" that may hold a "user account" with a computing resource service provider 104, may use user devices 102 to request and manage allocation of physical resources of computing devices (e.g., server computers 142) as virtual computing resources provided by a network-accessible services system 110 allocated within a virtual computing environment implemented by the computing resource service provider 104. In some embodiments, the computing resource service provider 104 may provide, or otherwise be compatible with, an environment application programming interface (API) 120 through which a user device 102 can connect to one or more virtual computing environments of the computing resource service provider 104. For example, the API 120 may be a web-based interface implemented on a web server of the computing resource service provider 104 as described further below; one or more user interfaces may be transmitted to the user device 102 and displayed thereon, enabling the user of the user device 102 to provide settings, commands, software packages, and other user input, to the computing resource service provider 104. Such user input may be used to configure virtual computing environments of the computing resource service provider 104 that are associated with the user, such as via a user account; the user may be required to provide credentials and be authenticated and authorized to modify its virtual computing environments and virtual resource allocations via the API 120.

Within the computing environment 100, a scanning service 110 in accordance with the present disclosure may perform security assessments of one or more physical and/or virtual computing resources of the computing resource service provider 104. In some embodiments, the scanning service 110 may obtain and analyze snapshot data 146. The scanning service 110, which may be implemented by physical hardware, may be used by the computing resource service provider 104 to provide security risk information to customers and/or other services of the computing resource service provider 104. The scanning service 110 may include or be implemented on one or more computing devices. In some embodiments (e.g., as illustrated in FIG. 3B and described below), the scanning service 110 may be a component of the computing resource service provider 104, and may be implemented on the server computers 142 described in detail below. In other embodiments including the example of FIG. 1, the scanning service 110 may be implemented on one or more computing devices (not shown) outside of the computing resource service provider 104. The scanning service 110 may access the computing resource service provider 104, or any associated virtual computing environments and/or computing resources, via the API 120 or another API. In some embodiments, the scanning service 110 may use the API 120 to provide user interfaces to the user device 102, enabling the user to configure settings of the scanning service 110 as described further below.

The scanning service 110 may be configured to perform security assessments and produce assessment results based at least in part on snapshot data 146 obtained from customers or from services of the computing resource service provider 104. That is, in some embodiments a user may provide some or all of the snapshot data 146 to the scanning service 110, such as by uploading (e.g., via the API 120) the snapshot data 146 to a data store or data storage service (e.g., snapshot storage service 108) accessible by the scanning service 110. In other embodiments, a service of the computing resource service provider 104 may provide the snapshot data 146 to the scanning service 110, or may store the snapshot data 146 or otherwise make the snapshot data 146 accessible by the scanning service 110.

The physical hardware implementing any of the physical, logical, and/or virtual computing resources, the computing resource service provider 104, and/or the scanning service 110, may include one or more server computers. A server computer (e.g., server computers 142 implementing the virtual machine instances 112) may be any device or equipment configured to execute instructions for performing data computation, manipulation, or storage tasks, such as a computer or a server. A server computer may be equipped with any needed processing capability including one or more processors, such as a central processing unit (CPU), a graphics processing unit (GPU) or a digital signal processor (DSP), memory, including static and dynamic memory, and buses and input and output ports that are compliant with any handshaking, communications, or data transfer protocol. The physical hardware may also include storage devices, such as block-level storage devices, storage disks and tapes, networking equipment, and the like.

A virtualization layer 144 executing on a server computer 142 may include a bare metal hypervisor or a hosted hypervisor. The virtualization layer 144 enables the physical hardware to be used to provide computing resources upon which one or more virtual machines 112 or other computing resources may operate. For example, the virtualization layer 144 enables a particular virtual machine 312 to access physical hardware on the server computer 142 through virtual device drivers or other executable code on the virtual machine 112. The virtualization layer 144 may include a hypervisor or virtualization software and/or hardware. The virtualization layer 144 may also include an instance of an operating system dedicated to administering the virtual machine 112 or other computing resource executing on the server computer 142. The virtualization layer 144 may be any device, software, or firmware used for providing a virtual computing platform and/or virtualized computing resources for the virtual machine 112 and/or component thereof. The virtualization layer 144 may also receive and process API calls from external devices or services. There may be multiple virtualization layers 144 of the same or different types implemented on a server computer 142, such as a dedicated layer 144 for each different type virtual machine 112, or for each different virtual computing environment implementing multiple instances of the same or different virtual machines. Each virtualization layer 144 may include its own networking software stack, responsible for communication with other virtualization layers 144 and, at least in some embodiments, also responsible for implementing network connectivity between the virtual machine 112 or other computing resources executing on one server computer 142 and other computing resources present or executing on other server computers.

The virtual computing environments enabled by the virtualization layer(s) 144 may include various virtual computer components, such as one or more virtual CPUs, virtual memory, virtual disk storage, and the like. These virtual computer components, and other physical and virtual resources, may be discretized into instances of one or more virtual machines 112. The virtual machine 112 or components thereof may be provided to the customers, end users, and/or other services inside or outside of the service provider 104. For example, a server computer 142 may host a first virtual machine 112 instantiated from a first volume image and operated by a first customer and may host a second virtual machine 112 instantiated from a second volume image that is operated by a second customer. Further, the computing resource service provider 104 may use one or more of its own virtual machines 112 for supporting execution of its applications and providing computing resources for such applications.

The scanning service 110 enables the customers and other services of the computing resource service provider 104 to manage and operate analysis of various snapshot data 146 generated based at least in part on computing resources of the computing resource service provider 104, such as one or more virtual machines 112. In some embodiments, a desired security assessment may be initiated by receipt of a request. For example, a user device 102 may transmit a request to the scanning service 110 for a particular security assessment of one or more instances of a virtual machine 112. The request may be an API call including information corresponding to the requestor, the user associated with the virtual machine 112, the on-demand storage service 108, and/or the particular virtual machine 112. The scanning service 110 may determine the corresponding virtualization layer 144 for the virtual machine 112 identified by the request and transmit a command to the virtualization layer 144 to provide snapshot data 146 (or to provide access to snapshot data 146) corresponding to the virtual machine 112. The virtualization layer 144 may be configured to obtain the snapshot data 146 and send it to the scanning service 110 or store the snapshot data 146 via a snapshot storage service 108. Alternatively, the virtualization layer 144 may be configured to, at the expiration of an interval of time, obtain and store snapshot data 146 of the virtual machine 112.

The snapshot data 146 may be point-in-time consistent. This may require that all writes to the disk are queued until a complete copy of the virtual machine 112 may be generated. Queuing the writes may cause the writes to disk to be deferred or otherwise stalled until generation of the snapshot is completed. In some embodiments, the snapshot data 146 may include only modifications to the logical volume and/or virtual machine. For example, a customer, since the last volume image was generated, may have modified only a portion of the logical volume (e.g., 4 blocks of the logical volume); virtualization layer 144 or another component of the computing resource service provider 104 may determine the portion of the logical volume and generate snapshot data 146 based at least in part on the portion of the logical volume that has been modified. This may reduce an amount of data that must be obtained to generate the snapshot data 146 and may enable the scanning service 110 to determine a timeline or history of modifications to the logical volume and/or virtual machine 112. For example, the scanning service 110 may use the timeline information to determine in which version of a logical volume (e.g., boot volume) a particular setting was modified that exposed or repaired a security vulnerability.
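
The timeline analysis described above, worked through as an added example (not code from the patent): incremental snapshots carry only the modified blocks, the scanner replays them over the base image, and a rule is re-evaluated at each version to find where a finding was exposed or repaired. The 32-byte blocks, the sshd-style PermitRootLogin rule and all function names are assumptions made for illustration.

```python
"""Added example: replay incremental block snapshots and find where a finding flips."""
from typing import Callable, Dict, List, Tuple

BLOCK = 32         # constructed block size; real volumes use far larger blocks
VOLUME_BLOCKS = 4  # constructed volume size

Blocks = List[bytes]
Delta = Dict[int, bytes]  # block index -> new contents (modified blocks only)


def image(text: str) -> Blocks:
    """Lay text out on a zero-filled toy volume and split it into blocks."""
    raw = text.encode().ljust(BLOCK * VOLUME_BLOCKS, b"\0")
    return [raw[i:i + BLOCK] for i in range(0, len(raw), BLOCK)]


def diff(old: Blocks, new: Blocks) -> Delta:
    """Build an incremental snapshot: keep only the blocks that changed."""
    return {i: b for i, (a, b) in enumerate(zip(old, new)) if a != b}


def apply_delta(state: Blocks, delta: Delta) -> Blocks:
    """Reconstruct the next volume version from the previous one plus a delta."""
    out = list(state)
    for index, data in delta.items():
        out[index] = data
    return out


def root_login_enabled(state: Blocks) -> bool:
    """Rule under test (assumed): the config on the volume permits root login."""
    text = b"".join(state).rstrip(b"\0").decode(errors="replace")
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) == 2 and words[0].lower() == "permitrootlogin":
            return words[1].lower() == "yes"  # first occurrence wins
    return False


def timeline(base: Blocks, deltas: List[Delta],
             rule: Callable[[Blocks], bool]) -> List[Tuple[int, str, List[int]]]:
    """Return (version, 'exposed' or 'repaired', modified block indexes) per flip."""
    events = []
    state, vulnerable = list(base), rule(base)
    for version, delta in enumerate(deltas, start=1):
        state = apply_delta(state, delta)
        now = rule(state)
        if now != vulnerable:
            events.append((version, "exposed" if now else "repaired", sorted(delta)))
        vulnerable = now
    return events


# Constructed sample: four versions of a volume that holds one config file.
V0 = image("Port 22\nPermitRootLogin no\nPasswordAuthentication no\n")
V1 = image("Port 22\nPermitRootLogin no\nPasswordAuthentication yes\n")
V2 = image("Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n")
V3 = V1
DELTAS = [diff(V0, V1), diff(V1, V2), diff(V2, V3)]

if __name__ == "__main__":
    for version, event, blocks in timeline(V0, DELTAS, root_login_enabled):
        print(f"version {version}: finding {event}; modified blocks {blocks}")
```

Only the base image is stored in full; each later version costs the scanner just the changed blocks, and the event list names the version to inspect.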

In other embodiments, the snapshot data 146 may not comprise copies or images of the block-level storage device, but instead may contain copies of essential files of the target computing resource, the files being required to create a reproduction of the target computing resource in the state the resource was in at the time the snapshot was created. The identification of such files may depend on a type of the target computing resource, a type of the security assessment, and various properties of the computing resource service provider 104. The amount and size of such files may be relatively minimal. In one example of reproducing a virtual machine for a software application-level CVEs assessment, the snapshot may only need to contain a template, such as a virtual machine image, from which the virtual machine is instantiated, and a copy of the virtual machine package manager database, which lists all software packages installed on the virtual machine and their configurations.
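
An added example (not code from the patent) of the minimal-snapshot case above: the scanner receives only a copy of the package manager database and matches installed versions against advisories, without booting anything. It assumes the Debian dpkg status file format and dpkg version ordering; the patent names no package manager, and the package names, versions and advisory identifiers are constructed placeholders.

```python
"""Added example: assess a copied package database offline (dpkg format assumed)."""
import re

DIGITS = set("0123456789")

def parse_status(text):
    """Return {package: version} for fully installed packages only."""
    installed = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t"):  # continuation of a multi-line field
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields.get("Status") == "install ok installed" and "Package" in fields:
            installed[fields["Package"]] = fields.get("Version", "")
    return installed

def _order(c):
    """Weight of a non-digit character: '~' < end or digit < letters < the rest."""
    if c == "~":
        return -1
    if c == "" or c in DIGITS:
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings in dpkg order."""
    while a or b:
        # Non-digit prefix: compare character by character.
        while (a and a[0] not in DIGITS) or (b and b[0] not in DIGITS):
            delta = _order(a[:1]) - _order(b[:1])
            if delta:
                return delta
            a, b = a[1:], b[1:]
        # Digit run: compare numerically; a missing run counts as 0.
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, colon, rest = version.partition(":")
    if not colon:
        epoch, rest = "0", version
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(x, y):
    """Negative if x is older than y, zero if equal, positive if newer."""
    (ex, ux, rx), (ey, uy, ry) = _split(x), _split(y)
    return (ex - ey) or _cmp_part(ux, uy) or _cmp_part(rx, ry)

def assess(status_text, advisories):
    """List advisories whose first fixed version is newer than the installed one."""
    installed = parse_status(status_text)
    return [(adv, pkg, installed[pkg], fixed) for adv, pkg, fixed in advisories
            if pkg in installed and compare_versions(installed[pkg], fixed) < 0]

# Constructed sample: package database copied out of a snapshot.
STATUS_DB = """\
Package: libalpha
Status: install ok installed
Version: 1.1.1k-1
Description: constructed sample package
 with a continuation line

Package: toolbeta
Status: install ok installed
Version: 5.1-2

Package: oldlib
Status: deinstall ok config-files
Version: 0.9-1

Package: libfoo
Status: install ok installed
Version: 2.0~rc1-1
"""

# Constructed advisories, placeholder ids: (id, package, first fixed version).
ADVISORIES = [
    ("EXAMPLE-0001", "libalpha", "1.1.1n-1"),
    ("EXAMPLE-0002", "toolbeta", "5.1-2"),
    ("EXAMPLE-0003", "oldlib", "1.0-1"),
    ("EXAMPLE-0004", "libfoo", "2.0-1"),
]

if __name__ == "__main__":
    for finding in assess(STATUS_DB, ADVISORIES):
        print(finding)
```

The removed package (config files only) and the package already at the fixed version are not reported, and the pre-release 2.0~rc1 sorts before 2.0, which a plain string comparison would get wrong.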

In some embodiments the virtualization layer 144 may be configured to itself generate the snapshot data 146. In other embodiments, a separate process or service of the computing resource service provider 104 is used to generate the snapshot data 146. In these embodiments, the "snapshot service" generates the snapshot data 146 using computing resources of the server computer 142 or a component thereof, and may store the snapshot data 146 in one or more storage devices of the snapshot storage service 308. The snapshot service may be a process or other executable code supported by the virtualization layer 144.

The snapshot storage service 108 may be a group of computer sy