
REDIRECTIONS
Editor: Tim Menzies, North Carolina State University, [email protected]

One-Click Formal Methods

John Backes, Pauline Bolignano, Byron Cook, Andrew Gacek, Kasper Søe Luckow, Neha Rungta, Martin Schaef, Cole Schlesinger, Rima Tanash, Carsten Varming, and Michael Whalen

Digital Object Identifier 10.1109/MS.2019.2930609
Date of current version: 22 October 2019

FORMAL METHODS ARE mathematically based approaches for specifying, building, and reasoning about software. Despite 50 years of research and development, formal methods have had only limited impact in industry. While we have seen success in such domains as microprocessor design and aerospace (e.g., proofs of properties for helicopter control systems [1]), we have not seen wide adoption of formal methods for large and complex systems, such as web services, industrial automation, or enterprise support software.

One of the key difficulties when proving the security, safety, and robustness of these systems is the problem of finding system architecture models necessary for analysis. Proving the system at its lowest level of detail is intractable, and, thus, we must reason at higher levels of abstraction. If written by hand, these models are expensive to build and hard to keep up to date with implementations. Another problem is that the size of the potential user community and the business value have typically not justified the creation of scalable and easy-to-use tools for the analysis of those models.

With the cloud, much of this has changed. Descriptions of cloud services provide accurate models of the system. That is to say, the application program interfaces (APIs) of cloud services are computer-readable contracts that establish and govern how the system behaves. In many cases, these models are amenable to formal analysis at scale [2]. Most importantly, since those models are utilized by a large user community, it is now economically feasible to build the tools needed to verify them.

The larger cloud providers are rapidly developing and applying formal method tools. At Amazon Web Services (AWS), for example, we have used cloud models to construct large-scale automated reasoning tools that can prove whether or not access controls meet governance rules and whether networks are properly secured. These tools are used millions of times daily and help AWS customers manage the security of their accounts.

This is the beginning of an era in which security, compliance, availability, durability, and safety properties can be proven about large-scale architectures. In this short column, we discuss the trend of constructing practical and scalable cloud-based formal methods and how they can easily be used by customers—sometimes with a single operation for one-click formal methods.

The Classical Approach (Where Formal Verification Was Hard)

Figure 1 shows a simplified, three-tier web application for uploading pictures developed in a traditional (noncloud) environment. The web tier has two REST resources:

• the Login API for users to authenticate with the service
• the Upload API to upload new pictures to the website.

The app tier consists of four microservices that interact with each other through a standardized API. The Auth Service processes authorization requests; the Session Service tracks stateful data relevant to the user's current visit to the website; the Upload Service receives photos from the user and stores them for future retrieval; and the Thumbnail Service creates thumbnails for the photos in the data store. The data tier has three data stores: Auth DB for

0740-7459/19©2019IEEE NOVEMBER/DECEMBER 2019 | IEEE SOFTWARE

authorization credentials, User Session DB for user sessions, and Photo Store for user photos and thumbnails on the website.

[FIGURE 1. The architecture of a three-tier web application. Web Tier: Login API, Upload API. App Tier: Auth Service, Session Service, Upload Service, Thumbnail Service. Data Tier: Auth DB, User Session DB, Photo Store. Interactions shown: Check Credentials, Create Session, Verify Session, Retrieve Session, Post Photo, Save Photo, Trigger, Save Thumbnail.]

Imagine that we want to prove least-privilege access to resources for the system. Toward this goal, we would have to prove the following requirements:

1. Only the Auth Service shall access the Auth DB.
2. The Auth Service shall not write to Auth DB. (For simplicity, we assume that users are added to the authentication database using an external mechanism.)
3. Resources in the web tier shall not directly access databases in the data tier.
4. The Thumbnail Service shall access only the Photo Store (no other databases) and shall write only to the thumbnail portion of the Photo Store.

In a noncloud computing environment, the problem is that the diversity of technologies composing the system makes it challenging to verify these end-to-end requirements. At the very least, we have to consider the following:

• Network controls: These are used to guard the compute nodes in each tier. Typically, controls are enforced through the use of hardware or software firewalls, which block packets from restricted Internet Protocol (IP) addresses and/or port ranges.
• File system permissions: These are employed to control and delegate user access to local data.
• Database credentials: These are utilized to restrict access to a set of privileged users, e.g., developers.
• Cryptographic keys: These are used to protect user credentials in the databases.

We also must reason about combinations of these access control mechanisms. For example, requirement 4 involves reasoning about network reachability, access control, and, potentially, permissions, depending on how the Photo Store is implemented. We are reasoning simultaneously about both low-level implementation details and higher-level architectural design. To reason end to end, we must either build new mechanisms and tools over a combined semantic model or determine how to decompose properties such that results from existing tools can be soundly combined. Also, for any model we build, we must check that it matches the behavior of the deployed system. Finally, maintaining and scaling the model as components are added or changed is a daunting and often-neglected task.

A New Approach (in the Cloud, Where Formal Verification Works Well)

Now consider the example from Figure 1 in the cloud. Cloud providers, such as AWS, give customers a comprehensive set of system services and features that are easy to plug in to each other. We will keep the same services in the app tier and use the provided database and storage facilities from AWS for the data tier. As we did before, imagine we are aiming to prove least-privilege access to resources of the system. In the cloud context, the proof in this example boils down entirely to reasoning about policies. This is because AWS defines a policy language that allows customers to configure access control across all services and resources, including APIs, compute instances, databases, alarms, logs, and metrics. This policy language governs access to all of the components in Figure 1. A common language allows us to reason about all of the disparate components and soundly compose the results, with no additional effort.


{ "Constraints": { "Statement": [ "Actions": [ "s3:PutObject" ], … "NotResources": [ { "arn:aws:s3:::website-photo-store/thumbnails/*" "Effect": "Allow", ] "Action": "s3:GetObject", } "Resource": "arn:aws:s3:::website-photo-store/photos/*" }, "Constraints": { { "Actions": [ "s3:GetObject" ], "Effect": "Allow", "NotResources": [ "Action": "s3:PutObject", "arn:aws:s3:::website-photo-store/thumbnails/*" "Resource": "arn:aws:s3:::website-photo-store/thumbnails/*" "arn:aws:s3:::website-photo-store/photos/*" }, ] { } "Effect": "Allow", "Action": "lambda:InvokeFunction", "Constraints": { "Resource": "Actions": [ "dynamodb:*" ] "arn:aws:lambda:us-east-1:111122223333:function:CompressImage" } }, … (b) ] } { "Principal": "arn:aws:iam::123456789012:role/Thumbnail", (a) "Action": "s3:GetObject", "Resource": "arn:aws:s3:::website-photo-store/backups/" } (c)

FIGURE 2. The policies and constraints in Zelkova: (a) a small portion of the access control policy for the Thumbnail Service from Figure 1, (b) three constraints representing violations of requirement 4, and (c) a representative violation report.

Also, the cost of creating the analysis is amortized across all of the platform's users, so we can invest in scalable and accurate analyses.

Figure 2(a) shows a policy for the Thumbnail Service. In this example, we have implemented the Photo Store using Amazon Simple Storage Service (Amazon S3) and the Auth and User Sessions databases in Amazon DynamoDB. The access control policy in Figure 2(a) determines the access rights for the Thumbnail Service. The first statement allows the service to read files from the photo directory. The second and third statements allow the Thumbnail Service to write to the thumbnail directory and invoke an external function to compress images.

At AWS, we have developed the Zelkova tool [3] to prove properties across examples like that in Figure 1. Zelkova encodes access control policies and properties into satisfiability modulo theories (SMT). SMT is a language for checking propositional logic satisfiability extended with theories that allow reasoning about richer data, such as unbounded integers or real numbers. Zelkova uses the theories of strings, regular expressions, bit vectors, and integer comparisons. The SMT models generated by Zelkova can be analyzed by several efficient back-end tools.

Suppose we wish to verify requirement 4 of the policy in Figure 2(a). We write constraints representing violations of this requirement, as shown in Figure 2(b). Informally, the constraints state that any write request outside of the thumbnail directory of the Photo Store is a violation, as well as any read request outside of the thumbnail and photo directory or any access to a DynamoDB database (which contains the Auth and User Sessions databases). In the example involving Figure 2(a) and (b), if there were no further Allow statements on Amazon S3 resources, the tool would return valid; it is not possible for the thumbnail account to read files from other locations in Amazon S3. Suppose, however, that the policy had an additional statement that allowed reading from the website-photo-store/backups directory. In this case, the result


ABOUT THE AUTHORS

JOHN BACKES is a senior software development engineer with the Amazon Inspector service team at Amazon Web Services, where he is the lead developer for the Tiros service, which performs semantic analysis of networks. Contact him at [email protected].

PAULINE BOLIGNANO is a software engineer at Amazon Web Services. Her research focuses on providing quality assurance to customers through the verification of the various aspects of software and system development. Contact her at pln@amazon.

BYRON COOK is a professor of computer science at University College London and director of Automated Reasoning at Amazon. Contact him at [email protected].

ANDREW GACEK is an applied scientist with the Automated Reasoning Group at Amazon Web Services. His research interests include developing and applying paradigms, logic, and program analysis at scale. Contact him at [email protected].

KASPER SØE LUCKOW is a software development engineer with the Automated Reasoning Group at Amazon Web Services. His research interests include program analysis and automated verification at scale. Contact him at [email protected].

NEHA RUNGTA is a principal applied scientist and the leader of the Formal Services team at Amazon Web Services. Her research interests include improving the customer experience in the cloud through the use of formal verification. Contact her at [email protected].

MARTIN SCHAEF is with Amazon Security. His research focuses on large-scale program analysis infrastructure. Contact him at [email protected].

COLE SCHLESINGER is a senior applied scientist at Amazon Web Services. His research interests include programming languages and formal methods with a focus on building domain-specific models supporting automated verification. Contact him at [email protected].

RIMA TANASH is the lead security engineer with the Amazon Security Hub service team, where she applies automated reasoning technologies to audit various access configurations. Her research interests include data privacy. Contact her at [email protected].

CARSTEN VARMING is a senior software engineer with the Automated Reasoning Group at Amazon Web Services. His research interests include automated formal verification at scale. Contact him at [email protected].

MICHAEL WHALEN is a principal applied scientist and leader of the Proof Platforms team at Amazon Web Services. His research interests include scaling formal verification tools and their application to industrial problems. Contact him at [email protected].


would be invalid, and Zelkova would report a violation involving the constraint shown in Figure 2(c).

It is possible to customize Zelkova for a variety of workflows. First, one may use the tool as a preventative control. These controls serve as gatekeepers in an automated workflow, enforcing a set of checks that, if unsuccessful, halt the workflow. As part of the pipeline, Zelkova controls ensure that only compliant access control policies are created and attached to production resources. It is also possible to use Zelkova for detective (i.e., auditing) and responsive (i.e., monitoring and alarming) controls. Such controls dynamically monitor, analyze, and respond to events in the cloud, including configuration changes, and can be equipped with Zelkova checks to detect policy compliance violations. In the case of a violation, several options are available. A notification email can be generated and sent to the user, or the system can revert to a known good state.

In practice, Zelkova is used millions of times a day by both internal and external customers, supporting preventative, detective, and reactive controls, and 99% of all Zelkova proofs complete in 160 ms or lower. Zelkova is currently integrated within AWS services, including Amazon S3, AWS Config, AWS IoT Device Defender, Amazon Macie, AWS Trusted Advisor, and Amazon GuardDuty. External customers, ranging from the financial industry to compliance regulators, use Zelkova to ensure that their access control policies are compliant with corporate governance rules.

Opportunities for Formal Methods in a Cloud Environment

Formal methods in the cloud are used for more than just access control. Tiros [4], part of Amazon Inspector, uses the model provided by Amazon Elastic Compute Cloud (Amazon EC2) network configurations to perform proofs of network reachability without generating any network traffic. For example, a customer may check whether there exists any public IP address on the Internet that can access a local database server. Unlike packet-scanning approaches, Tiros will find any such access path and does not add load to the network. Other examples where we will investigate the common cloud model to perform proofs include the Internet of Things (IoT) (AWS IoT Core), build and deploy (AWS CodeStar), infrastructure as code (AWS CloudFormation), logging (AWS CloudTrail), monitoring (Amazon CloudWatch), and machine-learning frameworks (Amazon SageMaker).

One-Click Formal Methods—Try It Out!

We have constructed the Zelkova and Tiros tools so that this technology is available at the click of a button (or check of a checkbox).

• In Amazon S3 Block Public Access, when creating a storage bucket, the creation page includes a checkbox to deny public access to the bucket. If this option is selected, Zelkova will safeguard a policy, disallowing modifications that would allow public access.
• In Amazon Inspector, by enabling network reachability checks, Tiros will prove which servers are publicly accessible.
• In AWS Config, which assesses and audits resource configuration, enabling certain managed rules will use Zelkova to ensure that common corporate governance policies are followed.

More generally, we can now use automated reasoning to provide inexpensive and provable assurance to customers. We expect that this trend of building practical and scalable formal methods in the cloud will lead to environments where security, compliance, availability, durability, and safety properties can be proved about large-scale systems. For more information, check out our Amazon Provable Security webpage at https://aws.amazon.com/security/provable-security.

References

1. D. Cofer et al., “A formal approach to constructing secure air vehicle software,” Computer, vol. 51, no. 11, pp. 14–23, 2018.
2. B. Cook, “Formal reasoning about the security of Amazon Web Services,” in Proc. Federated Logic Conference (FLoC), 2018. doi: 10.1007/978-3-319-96145-3_3.
3. J. Backes et al., “Semantic-based Automated Reasoning for AWS Access Policies using SMT,” in Proc. Formal Methods in Computer-Aided Design (FMCAD), 2018. doi: 10.23919/FMCAD.2018.8602994.
4. J. Backes et al., “Reachability analysis for AWS networks,” in Proc. Computer Aided Verification, July 2019, pp. 231–241. doi: 10.1007/978-3-030-25543-5_14.
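As an added example (not code from the article, nor from Zelkova itself), the requirement-4 check of Figure 2 in miniature: it decides, for every possible request rather than by enumerating requests, whether anything the policy allows satisfies one of the violation constraints, reproducing the valid result for Figure 2(a) and the Figure 2(c) report once a read of the backups/ directory is added. Restricting patterns to exact strings or a trailing wildcard and leaving out Deny statements and conditions are this example's simplifications, not Zelkova's.

```python
# Added example, not code from the article or the Zelkova tool. Patterns are limited
# to exact strings or one trailing "*" (the only forms in Figure 2), so the check is
# decided over prefixes for every possible request; Deny and conditions are omitted.
def _wild(p):
    return p.endswith("*")

def overlap(p, q):
    """Can one concrete string match both patterns p and q?"""
    a, b = p.rstrip("*"), q.rstrip("*")
    if _wild(p) and _wild(q):
        return a.startswith(b) or b.startswith(a)
    if _wild(p):
        return b.startswith(a)
    if _wild(q):
        return a.startswith(b)
    return a == b

def uncovered_witness(pattern, excluded):
    """A concrete resource under `pattern` matched by none of `excluded`, else None.
    Candidates: the shortest string under `pattern`, then one-character extensions
    (wildcard only). An exclusion not covering all of `pattern` blocks at most one
    candidate, so len(excluded)+2 candidates always contain a free one if any exists."""
    base = pattern[:-1] if _wild(pattern) else pattern
    cands = [base] + ([base + chr(48 + i) for i in range(len(excluded) + 1)]
                      if _wild(pattern) else [])
    for cand in cands:                     # cand is exact, so overlap() is a match test
        if not any(overlap(n, cand) for n in excluded):
            return cand
    return None                            # every string under `pattern` is excluded

def check(policy, constraints, principal):
    """First violation report in the shape of Figure 2(c), or None if the policy is valid."""
    for s in policy["Statement"]:
        if s["Effect"] != "Allow":         # only Allow statements grant requests
            continue
        for c in constraints:
            if not any(overlap(s["Action"], a) for a in c["Actions"]):
                continue                   # this constraint concerns other actions
            res = uncovered_witness(s["Resource"], c.get("NotResources", []))
            if res is not None:
                return {"Principal": principal, "Action": s["Action"], "Resource": res}
    return None

# Figure 2(a), with the "…" statements omitted
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::website-photo-store/photos/*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::website-photo-store/thumbnails/*"},
    {"Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:CompressImage"}]}
# Figure 2(b): the classes of requests that would violate requirement 4
CONSTRAINTS = [
    {"Actions": ["s3:PutObject"], "NotResources": ["arn:aws:s3:::website-photo-store/thumbnails/*"]},
    {"Actions": ["s3:GetObject"], "NotResources": ["arn:aws:s3:::website-photo-store/thumbnails/*",
                                                   "arn:aws:s3:::website-photo-store/photos/*"]},
    {"Actions": ["dynamodb:*"]}]
PRINCIPAL = "arn:aws:iam::123456789012:role/Thumbnail"   # Figure 2(c)
```

Calling `check(POLICY, CONSTRAINTS, PRINCIPAL)` returns None (valid); appending an Allow for `s3:GetObject` on `arn:aws:s3:::website-photo-store/backups/*` makes it return the Figure 2(c) report with the `backups/` witness.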
