EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in a telephone interview with Mr. Michael Saizan, Reg. # 65,013, on 06/16/2022.

This listing of claims will replace all prior versions of claims:
1.	(Currently amended)  A system, comprising:
one or more computing devices of a virtualized computing service;
wherein the one or more computing devices include instructions that upon execution on or across one or more processors cause the one or more computing devices to:
launch a compute instance at a virtualization host, wherein a portion of memory of the virtualization host is allocated to the compute instance;
segregate a first subset of the portion of memory for a first child isolated run-time environment of the compute instance, wherein direct network communications with any other endpoints outside the virtualization host are prohibited from the first child isolated run-time environment, and wherein the first subset of the portion of memory is inaccessible from programs running outside the first child isolated run-time environment;
establish a communication intermediary process within the compute instance for interactions with the first child isolated run-time environment; 
cause an attestation of a configuration of the first child isolated run-time environment to be initiated by a security manager established at a virtualization management component of the virtualization host that is external to the compute instance;
provide via the communication intermediary process, to one or more destinations, (a) a result of the attestation and (b) an indication of an identity of the security manager; 
determine that the result of the attestation has been accepted;
obtain, at the first child isolated run-time environment of the compute instance, an encrypted security artifact transferred from an established encrypted channel via [[a]]the communication intermediary process
perform, at the first child isolated run-time environment, one or more computations using the security artifact and the first subset of the portion of memory.

2.	(Original) The system as recited in claim 1, wherein the one or more computing devices include further instructions that upon execution on or across one or more processors further cause the one or more computing devices to:
determine, based at least in part on a parameter of a launch request for the compute instance, that the first child isolated run-time environment is to be established within the compute instance.

3.	(Original) The system as recited in claim 1, wherein the one or more computing devices include further instructions that upon execution on or across one or more processors further cause the one or more computing devices to:
determine, based at least in part on a programmatic request received after the compute instance is launched, that the first child isolated run-time environment is to be established within the compute instance.

4.	(Original) The system as recited in claim 1, wherein configuration settings of the first child isolated run-time environment do not permit input/output (I/O) operations to or from persistent storage.

5.	(Original) The system as recited in claim 1, wherein the one or more computing devices include further instructions that upon execution on or across one or more processors further cause the one or more computing devices to:
instantiate a second child isolated run-time environment of the compute instance at the virtualization host, wherein a second subset of the portion of memory is segregated for exclusive use from the second child isolated run-time environment.

6.	(Currently amended)  A method, comprising:
performing, at one or more computing devices:
assigning, by a hypervisor of a virtualization host, for exclusive use by an isolated run-time environment set up at the virtualization host, a subset of a portion of resources of the virtualization host allocated to a parent compute instance of the isolated run-time environment, wherein direct network communications with any other endpoints outside the virtualization host are prohibited from the isolated run-time environment, and wherein the subset of the portion of resources is inaccessible from programs running outside the isolated run-time environment;
establishing a communication intermediary process within the parent compute instance for interactions with the isolated run-time environment;
providing via the communication intermediary process, to one or more endpoints, (a) a result of a configuration analysis of the isolated run-time environment and (b) an indication of an identity of a security manager, wherein the configuration analysis of the isolated run-time environment of the parent compute instance is performed by [[a]]the security manager of the hypervisor that is external to the parent compute instance or another component that is external to the parent compute instance; 
obtaining, at the isolated run-time environment of the parent compute instance, subsequent to an acceptance of the result of the configuration analysis, an encrypted application security artifact transferred from an established encrypted channel via [[a]]the communication intermediary process(a) the communication intermediary process and (b) other programs running at the parent compute instance; and
performing, at the isolated run-time environment, one or more computations using the application security artifact and the subset of the portion of resources.

7.	(Original) The method as recited in claim 6, further comprising performing, at the one or more computing devices:
determining, based at least in part on a parameter of a launch request for the parent compute instance, that the isolated run-time environment is to be established within the parent compute instance.

8.	(Original) The method as recited in claim 6, further comprising performing, at the one or more computing devices:
determining, based at least in part on a programmatic request received after the parent compute instance is launched, that the isolated run-time environment is to be established within the parent compute instance.

9.	(Previously presented) The method as recited in claim 6, wherein configuration settings of the isolated run-time environment do not permit network communications between the isolated run-time environment and any other endpoints external to the isolated run-time environment.

10.	(Original) The method as recited in claim 6, wherein configuration settings of the isolated run-time environment do not permit input/output (I/O) operations to or from persistent storage.

11.	(Previously presented) The method as recited in claim 6, further comprising performing, at the one or more computing devices:
instantiating, at the parent compute instance, the communication intermediary process configured to utilize a local communication channel to communicate with the isolated run-time environment.

12.	(Original) The method as recited in claim 11, wherein utilizing the local communication channel comprises writing to one or more buffers of shared memory.

13.	(Original) The method as recited in claim 6, further comprising performing, at the one or more computing devices:
obtaining, via a programmatic interface, an indication of a program to be run in the isolated run-time environment to perform the one or more computations; and
causing an executable version of the program to be launched within the isolated run-time environment.

14.	(Original) The method as recited in claim 6, further comprising performing, at the one or more computing devices:
causing, based at least in part on a lifetime parameter setting, one or more programs of the isolated run-time environment to be terminated.

15.	(Original) The method as recited in claim 6, further comprising performing, at the one or more computing devices:
collecting one or more metrics of the isolated run-time environment;
in response to detecting that the one or more metrics meet a migration criterion, 
causing the parent compute instance to be migrated to another virtualization host; and
assigning, for exclusive use from the isolated run-time environment after the migration of the parent compute instance, another subset of resources allocated to the migrated parent compute instance at the other virtualization host, wherein the other subset of resources includes a different amount of memory than was assigned to the isolated run-time environment prior to the migration.

16.	(Currently amended) A virtualization host of a network-accessible computing service, comprising:
one or more processors; and
a memory; 
wherein the memory comprises instructions that when executed on or across the one or more processors:
segregate, for an isolated run-time environment of a compute instance of the virtualization host, a subset of a portion of resources of the virtualization host allocated to the compute instance, wherein direct network communications with any other endpoints outside the virtualization host are prohibited from the isolated run-time environment, and wherein the subset of the portion of resources is inaccessible from programs running outside the isolated run-time environment; 
instantiate, within the compute instance launched by a hypervisor of the virtualization host, [[an]]the isolated run-time environment;[[,]]
establish a communication intermediary process within the compute instance for interactions with the isolated run-time environment;
provide, via the communication intermediary process, (a) a result of a configuration analysis of the isolated run-time environment and (b) an indication of an identity of a security manager, wherein the configuration analysis of the isolated run-time environment of the compute instance is performed by the security manager of the hypervisor that is external to the compute instance;
obtain, at the isolated run-time environment of the compute instance, subsequent to an acceptance of the result of the configuration analysis, an encrypted application security artifact transferred from an established encrypted channel via [[a]]the communication intermediary process(a) the communication intermediary process and (b) other programs running at the parent compute instance; and
perform, at the isolated run-time environment, one or more computations using the application security artifact and the subset of the portion of resources.

17.	(Original) The virtualization host as recited in claim 16, wherein the memory comprises further instructions that when executed on or across the one or more processors:
store configuration settings of the isolated run-time environment, wherein the configuration settings do not permit network communications between the isolated run-time environment and endpoints external to the isolated run-time environment.

18.	(Original) The virtualization host as recited in claim 16, wherein the memory comprises further instructions that when executed on or across the one or more processors:
store configuration settings of the isolated run-time environment, wherein the configuration settings do not permit access to persistent storage from the isolated run-time environment.

19.	(Previously presented) The virtualization host as recited in claim 16, wherein the memory comprises further instructions that when executed on or across the one or more processors:
instantiate, at the compute instance, the communication intermediary configured to utilize a local communication channel to communicate with the isolated run-time environment.

20.	(Original) The virtualization host as recited in claim 16, wherein the memory comprises further instructions that when executed on or across the one or more processors:
de-configure, based at least in part on a lifetime parameter, the isolated run-time environment.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZUJIA XU whose telephone number is (571)272-0954. The examiner can normally be reached M-F 9:00-5:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai An can be reached on (571) 272-3756. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MENG AI T AN/Supervisory Patent Examiner, Art Unit 2195

/Z.X./Examiner, Art Unit 2195