EP-4579561-B1 - SECURE WORKFLOWS THAT ENHANCE DATA SECURITY USING SANDBOXES HOSTED BY TRUSTED EXECUTION ENVIRONMENTS
Inventors
- RATH, Nikolaus
Dates
- Publication Date
- 20260513
- Application Date
- 20221230
Claims (15)
- A computer-implemented method comprising: receiving (320; 420), from a client device, a digital component request (125) comprising a set of data; in response to receiving the digital component request (125): identifying (325; 425) multi-stage workflows (240) associated with content platforms; executing (340; 445), by a trusted execution environment, TEE, (205) of a server, one or more stages of each multi-stage workflow in a separate sandbox environment, wherein each multi-stage workflow comprises one or more customizable stages and is configured to generate output data comprising selection parameters for candidate digital components based on at least a portion of the set of data, and wherein the sandbox environment prevents code of the multi-stage workflow from transmitting user data from the server; and receiving (450) the output data from the sandbox environment for each multi-stage workflow; selecting (355; 455), by the computer, a digital component based on at least a portion of the output data from each multi-stage workflow (240); and providing (360; 460), by the server, the selected digital component to the client device for presentation to a user of the client device.
- The computer-implemented method of claim 1, wherein the selection parameters generated by each multi-stage workflow for candidate digital components comprises, for each candidate digital component, a metric that reflects relevance of the candidate digital component to the digital component request.
- The computer-implemented method of claim 1 or 2, wherein the selection parameters generated by each multi-stage workflow for candidate digital components comprises, for each candidate digital component, an amount that will be provided to a publisher of a resource if the candidate digital component is displayed with the resource.
- The computer-implemented method of any preceding claim, wherein the sandbox environment comprises a virtual machine.
- The computer-implemented method of any preceding claim, wherein each stage of each multi-stage workflow is executed in a separate sandbox environment.
- The computer-implemented method of any one of claims 1 to 5, wherein all of the stages of a given multi-stage workflow of the multi-stage workflows are executed in a single sandbox environment.
- The computer-implemented method of any one of claims 1 to 5, wherein each stage of each multi-stage workflow that involves sensitive user data is executed in a sandbox environment.
- The computer-implemented method of any preceding claim, wherein the digital component request comprises contextual data and user data.
- The computer-implemented method of claim 8, comprising: sending, to a content platform, a context-based digital component request comprising the contextual data; and receiving, from the content platform, digital components selected based on the contextual data.
- The computer-implemented method of claim 9, wherein selecting, by the server, a digital component based on at least a portion of the output data from each multi-stage workflow (240) comprises selecting the digital component from a set of candidate digital components comprising (i) the digital components selected based on the contextual data and (ii) the digital components for which selection parameters were output by each multi-stage workflow.
- The computer-implemented method of any preceding claim, further comprising: providing, by the TEE (205), a signature of code for the TEE (205).
- The computer-implemented method of any preceding claim, wherein identifying the one or more multi-stage workflows comprises receiving a revised version of a default workflow from a particular content platform, the method further comprising: executing the revised version of the default workflow using an envelope that provides a limited set of communication Application Programming Interfaces, APIs, that limit the communications of the revised version of the default workflow with external components.
- A system (500) comprising: one or more processors (510); and one or more storage devices (530) storing instructions that, when executed by the one or more processors, cause the one or more processors to carry out the method of any preceding claim.
- A computer readable medium carrying instructions that, when executed by one or more processors (510), cause the one or more processors to carry out the method of any one of claims 1 to 13.
- A computer program product comprising instructions which, when executed by a computer (500), cause the computer to carry out the steps of the method of any of claims 1 to 13.
Description
TECHNICAL FIELD
This specification relates to secure processing using sandboxes and trusted execution environments.
BACKGROUND
Data security is vital for computing systems connected to public networks, such as the Internet. Computer systems are often protected from unauthorized access and data breaches using network security technologies, such as firewalls.
A virtual machine provides an emulated version of a computer system. A virtual machine can include emulated processing units (e.g., a central processing unit (CPU)), memory, network interfaces, and/or other computing components.
A trusted execution environment (TEE) provides a secure environment for computation and is sometimes implemented as a secure area of a main processor. A TEE guarantees that code and data loaded inside the TEE are protected with respect to integrity and confidentiality. Integrity indicates that unauthorized entities cannot alter data within the TEE, and confidentiality indicates that unauthorized entities cannot read data within the TEE.
US2020228880A1 describes, in accordance with the abstract, dynamically generating an advertisement in a video stream. Video stream content associated with a video stream for a user device is received. Video analytics data is obtained for the video stream content. An advertisement to be generated and inserted into the video stream content is then selected based on the scene recognized in the video stream content, and an advertisement template for generating the selected advertisement is obtained.
US2022172183A1 describes, in accordance with the abstract, methods and systems for providing a framework to integrate third-party logic into electronic transaction processing workflow.
US9596132B1 describes, in accordance with the abstract, a virtual sandbox environment to enable a publisher to publish rules for supplemental content, such as third party advertising displayed on a page or other grouping of content from the publisher.
EP 3736718 A1 discloses a system to prevent data of a client from leaking to untrusted parties in a multiparty computation environment. According to one embodiment, in response to a request received at a gateway (e.g., a non-bypassable gateway) of a server from a user device of a user over a network to process user data by an execution service, the system sanitizes the user data by scanning the user data for malicious code.
SUMMARY
This specification describes technologies related to securely performing workflows that enable non-disclosed and otherwise proprietary customization of the stages of the workflow in ways that prevent other parties from accessing the customization. A workflow is a set of executable stages through which a unit of work passes from initiation to completion. The technologies include performing workflows in isolated environments, e.g., in virtual machines, that provide secure sandboxes while still supporting full-function workflows. The techniques can further include constraints on inputs to and/or outputs from workflows or portions thereof to maintain user privacy, prevent access to confidential customizations, and enhance system integrity.
One aspect features receiving, from a client device, a digital component request that can include a set of data. In response to receiving the digital component request, one or more multi-stage workflows can be identified, each multi-stage workflow of the one or more multi-stage workflows (i) being configured to select digital components from candidate digital components of multiple content platforms and (ii) including one or more customizable stages. In addition, for each particular multi-stage workflow of the one or more multi-stage workflows, the following operations can be performed. A trusted execution environment of the server can initiate a sandbox environment for executing at least one or more stages of the particular multi-stage workflow.
The one or more stages of the particular multi-stage workflow can be executed within the sandbox environment, and the sandbox environment can prevent the code of the multi-stage workflow from transmitting user data from the server. The output data can be received from the particular multi-stage workflow by the server and from the trusted execution environment. A digital component can be selected by the server based on at least a portion of the output data from the particular multi-stage workflows. The digital component can be provided by the server to the client device for presentation to the user of the client device. One or more of the following features can be included. The sandbox can be a virtual machine and/or can include a virtual machine. Executing within the sandbox environment, the particular multi-stage workflow can include: (i) for each customizable stage of the particular multi-stage workflow, initiating, by the trusted execution environment, a corresponding sandbox environment in which code of the stage is executed to generate output data for use in one or more oth
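The data-flow constraints the summary and claims 2, 3, 10, 11 and 12 describe, modelled as an added Python example that is not part of the patent: a content platform's customizable stage runs behind an envelope that exposes a limited API, may read user data inside the sandbox, and may hand back only selection parameters (a relevance metric and an amount per candidate); the server then selects from the union of context-selected and workflow-scored candidates, and a code measurement is attested. The names (Envelope, SelectionParams, run_stage, select_component, attest_code), the sample request, candidates and key are constructed assumptions. The model enforces what crosses the output boundary; it does not implement the virtual-machine or TEE isolation itself.

```python
"""Added example (not from the patent): output-gated execution of a
platform-supplied workflow stage, with constructed sample data."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable

# Constructed sample request: contextual data may be shared with platforms
# (claim 9); user data must never leave the server.
REQUEST = {
    "contextual": {"page_topic": "cycling", "locale": "en-GB"},
    "user": {"user_id": "u-12345", "interests": ["touring", "bike-repair"]},
}
CANDIDATES = [
    {"id": "dc-1", "topics": ["cycling", "touring"]},
    {"id": "dc-2", "topics": ["cooking"]},
    {"id": "dc-3", "topics": ["bike-repair"]},
]


@dataclass(frozen=True)
class SelectionParams:
    candidate_id: str
    relevance: float  # claim 2: metric reflecting relevance to the request
    amount: float     # claim 3: amount provided to the publisher if displayed


class EgressViolation(Exception):
    """Raised when a stage tries to return anything but selection parameters."""


class Envelope:
    """Limited API a stage may call (claim 12): mediated reads, no network
    handle, no raw request object, and a schema-checked output gate."""

    def __init__(self, request: dict, candidates: list[dict]):
        self._request = request
        self._candidates = candidates

    def contextual(self) -> dict:
        return dict(self._request["contextual"])

    def user_interests(self) -> list[str]:
        # user data is readable inside the sandbox; it just cannot be exported
        return list(self._request["user"]["interests"])

    def candidates(self) -> list[dict]:
        return [dict(c) for c in self._candidates]

    def check_output(self, output: object) -> list[SelectionParams]:
        """Only a list of SelectionParams for known candidates, with
        non-negative numeric fields, is allowed out of the sandbox."""
        if not isinstance(output, list):
            raise EgressViolation("output must be a list of SelectionParams")
        known = {c["id"] for c in self._candidates}
        for item in output:
            if not isinstance(item, SelectionParams):
                raise EgressViolation(f"unexpected output item: {item!r}")
            if item.candidate_id not in known:
                raise EgressViolation(f"unknown candidate {item.candidate_id}")
            for value in (item.relevance, item.amount):
                if isinstance(value, bool) or not isinstance(value, (int, float)) or value < 0:
                    raise EgressViolation("selection parameters must be non-negative numbers")
        return output


def run_stage(stage: Callable[[Envelope], object],
              request: dict = REQUEST, candidates: list[dict] = CANDIDATES) -> list[SelectionParams]:
    """Execute one customizable stage behind the envelope and gate its output."""
    env = Envelope(request, candidates)
    return env.check_output(stage(env))


def stage_rejected(stage: Callable[[Envelope], object]) -> bool:
    try:
        run_stage(stage)
    except EgressViolation:
        return True
    return False


def platform_stage(env: Envelope) -> list[SelectionParams]:
    """Constructed stand-in for a platform's proprietary stage."""
    interests, topic, out = set(env.user_interests()), env.contextual()["page_topic"], []
    for c in env.candidates():
        score = 0.5 * (topic in c["topics"]) + 0.25 * len(interests & set(c["topics"]))
        if score > 0:
            out.append(SelectionParams(c["id"], score, round(0.2 * score, 3)))
    return out


def leaky_stage(env: Envelope) -> object:
    """Constructed misbehaving stage: tries to export user data verbatim."""
    return [{"interests": env.user_interests()}]


def select_component(scored: list[SelectionParams], context_selected: list[str]) -> str:
    """Claim 10: candidate pool = context-selected ids plus workflow-scored ids."""
    pool = {p.candidate_id: p.relevance for p in scored}
    for cid in context_selected:
        pool.setdefault(cid, 0.0)
    return max(pool, key=pool.__getitem__)


def attest_code(source: str, tee_key: bytes) -> dict:
    """Claim 11 stand-in: measure the stage code and tag the measurement.
    An HMAC replaces the TEE's real code signature for this offline example."""
    measurement = hashlib.sha256(source.encode()).hexdigest()
    return {"measurement": measurement,
            "tag": hmac.new(tee_key, measurement.encode(), "sha256").hexdigest()}


def verify_attestation(att: dict, tee_key: bytes) -> bool:
    expected = hmac.new(tee_key, att["measurement"].encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, att["tag"])
```

The output gate bounds the shape of what leaves, not its information content: a numeric relevance score can still carry a few bits, which is why the specification pairs the output constraint with a sandbox that blocks the stage from transmitting user data at all. The HMAC tag is only a placeholder for the signature a real TEE would provide over its code.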