Formal Reasoning About the Security of Amazon Web Services

  • B. Cook
  • Published in
    International Conference on Computer Aided Verification
    14 July 2018
  • Computer Science
We report on the development and use of formal verification tools within Amazon Web Services (AWS) to increase the security assurance of its cloud infrastructure and to help customers secure themselves. We also discuss some remaining challenges that could inspire future research in the community. 

Pre-Deployment Security Assessment for Cloud Services through Semantic Reasoning (Extended Abstract)

This case study shows that Description Logic modeling and inference capabilities can be used to improve the safety of cloud configurations and develops a tool to encode template files into logic in Amazon Web Services' proprietary declarative language.

An OWASP Top Ten Driven Survey on Web Application Protection Methods

This survey covers the most critical web vulnerabilities according to the OWASP Top Ten, their corresponding attacks, and their countermeasures; the application of these countermeasures will guarantee the protection of web applications (WAs) against the most severe attacks and prevent several unknown exploits.

Code‐level model checking in the software development workflow at Amazon Web Services

A style of applying symbolic model checking developed over the course of four years at Amazon Web Services is described, finding that it can prove the correctness of industrial low-level C-based systems with reasonable effort and predictability.

Code-Level Model Checking in the Software Development Workflow

  • Nathan Chong, B. Cook, M. Tuttle
  • Computer Science
    2020 IEEE/ACM 42nd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)
  • 2020
This experience report describes a style of applying symbolic model checking developed over the course of four years at Amazon Web Services that can prove the correctness of industrial low-level C-based systems with reasonable effort and predictability.

Analyzing Infrastructure as Code to Prevent Intra-update Sniping Vulnerabilities

This work identifies a security vulnerability that occurs during an upgrade even when the initial and final states of the infrastructure are secure, and shows that such vulnerabilities are possible in Amazon's AWS and Google Cloud.

Actions over Core-closed Knowledge Bases

An action language to model mutating actions, that is, actions that change the structural configuration of a given deployment by adding, modifying, or deleting resources, is introduced.

Better Counterexamples for Dafny

An open-source tool is introduced that transforms counterexamples generated by the SMT solver into a more user-friendly format that maps to the Dafny syntax and is suitable for further processing.

A Survey of Practical Formal Methods for Security

The article provides a comprehensive overview of formal methods (FM) and techniques available to system designers of security-critical systems, simplifying the process of choosing the right tool for the task.

CoVeriTeam: On-Demand Composition of Cooperative Verification Systems

CoVeriTeam is a language and tool for on-demand composition of cooperative approaches that provides a systematic and modular way to combine existing tools in order to leverage their full potential.

Scaling static analyses at Facebook

Key lessons for designing static analyses tools deployed to find bugs in hundreds of millions of lines of code.

Continuous Formal Verification of Amazon s2n

This work describes formal verification of s2n, the open source TLS implementation used in numerous Amazon services, and describes the proof itself and the technical decisions that enabled integration into development.

How Amazon web services uses formal methods

Engineers use TLA+ to prevent serious but subtle bugs from reaching production and find ways to reduce the number of bugs in the final product.

Design and validation of a trust-based opportunity-enabled risk management system

This paper presents a methodology called opportunity-enabled risk management (OPPRIM), which supports the decision-making process in access control to remote corporate assets, which relies on a logic-based risk policy model combining estimations of trust, threats and opportunities.

Nagini: A Static Verifier for Python

Nagini is an automated, modular verifier for statically-typed, concurrent Python 3 programs, built on the Viper verification infrastructure, that can verify memory safety, functional properties, termination, deadlock freedom, and input/output behavior.

Continuous Reasoning: Scaling the impact of formal methods

The rationale for continuous reasoning is described, some success cases from within industry are outlined, and directions for work by the scientific community are proposed.

Software Verification and System Assurance

  • J. Rushby
  • Computer Science
    2009 Seventh IEEE International Conference on Software Engineering and Formal Methods
  • 2009
The idea that software may be possibly perfect, so that one can contemplate its probability of (im)perfection, is reviewed, and it is shown how this provides a bridge between correctness, which is the goal of software verification (and especially formal verification), and the probabilistic properties such as reliability that are the targets of system-level assurance.

JaVerT: JavaScript verification toolchain

This work introduces JaVerT, a semi-automatic JavaScript Verification Toolchain, based on separation logic and aimed at the specialist developer wanting rich, mechanically verified specifications of critical JavaScript code.

Reasoning about Probabilistic Defense Mechanisms against Remote Attacks

This paper argues that by representing security notions in this setting as events in probabilistic games, as is done with cryptographic security definitions, concrete and asymptotic guarantees can be obtained against realistic attackers.

Model checking boot code from AWS data centers

CBMC is now the first source-level static analysis tool to extract the memory layout described in a linker script for use in its analysis, and it is proved that the initial boot code running in data centers at Amazon Web Services is memory safe.

The Meaning of Attack-Resistant Programs

This paper introduces a formal notion of partial compliance of a computer program w.r.t. a non-exploitability specification and discusses informally why an enhancement to PointGuard complies with the attack-resistance definition.