Editor: Tim Menzies North Carolina State University REDIRECTIONS [email protected] One-Click Formal Methods John Backes, Pauline Bolignano, Byron Cook, Andrew Gacek, Kasper Søe Luckow, Neha Rungta, Martin Schaef, Cole Schlesinger, Rima Tanash, Carsten Varming, and Michael Whalen FORMAL METHODS ARE mathe- tools for the formal verification of we discuss the trend of constructing matically based approaches for speci- those models. practical and scalable cloud-based fying, building, and reasoning about With the cloud, much of this has formal methods and how they can software. Despite 50 years of research changed. Descriptions of cloud ser- easily be used by customers—some- and development, formal methods vices provide accurate models of the times with a single operation for one- have had only limited impact in in- system. That is to say, the appli- click formal methods. dustry. While we have seen success cation program interfaces (APIs) of in such domains as microprocessor cloud services are computer-readable The Classical Approach design and aerospace (e.g., proofs contracts that establish and govern (Where Formal Verification of security properties for helicopter how the system behaves. In many Was Hard) control systems1), we have not seen cases, these models are amenable to Figure 1 shows a simplified, three- wide adoption of formal methods for formal analysis at scale.2 Most im- tier web application for uploading large and complex systems, such as portantly, since those models are uti- pictures developed in a traditional web services, industrial automation, lized by a large user community, it is (noncloud) environment. The web tier or enterprise support software. now economically feasible to build has two REST resources: One of the key difficulties when the tools needed to verify them. proving the security, safety, and The larger cloud providers are • the Login API for users to au- robustness of these systems is the rapidly developing and applying for- thenticate with the service problem of finding system architec- mal method tools. At Amazon Web • the Upload API to upload new ture models necessary for analysis. Services (AWS), for example, we have pictures to the website. Proving the system at its lowest level used cloud models to construct large- of detail is intractable, and, thus, we scale automated reasoning tools The app tier consists of four mi- must reason at higher levels of ab- that can prove whether or not access croservices that interact with each straction. If written by hand, these controls meet governance rules and other through a standardized API. models are expensive to build and whether networks are properly The Auth Service processes authori- hard to keep up to date with imple- secured. These tools are used mil- zation requests; the Session Service mentations. Another problem is lions of times daily and help AWS tracks stateful data relevant to the that the size of the potential user customers manage the security of user’s current visit to the website; community and the business value their accounts. the Upload Service receives photos have typically not justified the cre- This is the beginning of an era in from the user and stores them for ation of scalable and easy-to-use which security, compliance, avail- future retrieval; and the Thumbnail ability, durability, and safety proper- Service creates thumbnails for the Digital Object Identifier 10.1109/MS.2019.2930609 ties can be proven about large-scale photos in the data store. The data Date of current version: 22 October 2019 architectures. In this short column, tier has three databases: Auth DB for 0740-7459/19©2019IEEE NOVEMBER/DECEMBER 2019 | IEEE SOFTWARE 61 REDIRECTIONS REDIRECTIONS involves reasoning about network Web Tier App Tier Data Tier reachability, database access control, Check and, potentially, file system permis- Post Credentials sions, depending on how the Photo Auth Service Login API Auth DB Store is implemented. We are rea- Create soning simultaneously about both Session low-level implementation details and Session Service higher-level architectural design. To reason end to end, we must ei- Verify Retrieve ther build new mechanisms and tools Session Session User Session DB Post over a combined semantic model Upload Service Upload API Save or determine how to decompose prop- Photo erties such that results from existing Trigger tools can be soundly combined. Also, Thumbnail Service for any model we build, we must check Photo Store Save that it matches the behavior of the de- Thumbnail ployed system. Finally, maintaining and scaling the model as components FIGURE 1. The architecture of a three-tier web application. are added or changed is a daunting and often-neglected task. authorization credentials, User Ses- diversity of technologies compos- A New Approach (in the Cloud, sion DB for user sessions, and Photo ing the system makes it challenging Where Formal Verification Store for user photos and thumbnails to verify these end-to-end require- Works Well) on the website. ments. At the very least, we have Now consider the example from Fig- Imagine that we want to prove to consider the following: ure 1 in the cloud. Cloud computing least-privilege access to resources providers, such as AWS, give custom- for the system. Toward this goal, we • Network controls: These are ers a comprehensive set of system would have to prove the following used to guard the compute nodes services and features that are easy to requirements: in each tier. Typically, controls plug in to each other. We will keep the are enforced through the use of same services in the app tier and use 1. Only the Auth Service shall ac- hardware or software firewalls, the provided database and storage fa- cess the Auth DB. which block packets from re- cilities from AWS for the data tier. As 2. The Auth Service shall not write stricted Internet Protocol (IP) we did before, imagine we are aim- to Auth DB. (For simplicity, we addresses and/or port ranges. ing to prove least-privilege access to assume that users are added to • File system permissions: These resources of the system. In the cloud the authentication database us- are employed to control and del- context, the proof in this example boils ing an external mechanism.) egate user access to local data. down entirely to reasoning about poli- 3. Resources in the web tier shall • Database credentials: These cies. This is because AWS defines a not directly access databases in are utilized to restrict access to policy language that allows customers the data tier. a set of privileged users, e.g., to configure access control across all 4. The Thumbnail Service shall developers. services and resources, including APIs, access only the Photo Store (no • Cryptographic keys: These are compute instances, databases, alarms, other databases) and shall write used to protect user credentials logs, and metrics. This policy language only to the thumbnail portion of in the databases. governs access to all of the components the Photo Store. in Figure 1. A common language allows We also must reason about combi- us to reason about all of the disparate In a noncloud computing envi- nations of these access control mech- components and soundly compose ronment, the problem is that the anisms. For example, requirement 4 the results, with no additional effort. 62 IEEE SOFTWARE | WWW.COMPUTER.ORG/SOFTWARE | @IEEESOFTWARE REDIRECTIONS { "Constraints": { "Statement": [ "Actions": [ "s3:PutObject" ], … "NotResources": [ { "arn:aws:s3:::website-photo-store/thumbnails/*" "Effect": "Allow", ] "Action": "s3:GetObject", } "Resource": "arn:aws:s3:::website-photo-store/photos/*" }, "Constraints": { { "Actions": [ "s3:GetObject" ], "Effect": "Allow", "NotResources": [ "Action": "s3:PutObject", "arn:aws:s3:::website-photo-store/thumbnails/*" "Resource": "arn:aws:s3:::website-photo-store/thumbnails/*" "arn:aws:s3:::website-photo-store/photos/*" }, ] { } "Effect": "Allow", "Action": "lambda:InvokeFunction", "Constraints": { "Resource": "Actions": [ "dynamodb:*" ] "arn:aws:lambda:us-east-1:111122223333:function:CompressImage" } }, … (b) ] } { "Principal": "arn:aws:iam::123456789012:role/Thumbnail", (a) "Action": "s3:GetObject", "Resource": "arn:aws:s3:::website-photo-store/backups/" } (c) FIGURE 2. The policies and constraints in Zelkova: (a) a small portion of the access control policy for the Thumbnail Service from Figure 1, (b) three constraints representing violations of requirement 4, and (c) a representative violation report. Also, the cost of creating the analysis is with theories that allow reasoning as well as any read request outside of amortized across all of the platform’s about richer data, such as unbounded the thumbnail and photo directory or users, so we can invest in scalable and integers or real numbers. Zelkova any access to a DynamoDB database accurate analyses. uses the theories of strings, regular (which contains the Auth and User Figure 2(a) shows a policy for the expressions, bit vectors, and integer Sessions databases). Thumbnail Service. In this example, comparisons. The SMT models gen- In the example involving Fig- we have implemented the Photo Store erated by Zelkova can be analyzed ure 2(a) and (b), if there were no further using Amazon Simple Storage Service by several efficient back-end tools. Allow statements on Amazon S3 (Amazon S3) and the Auth and User Sessions databases in Amazon Dy- namoDB. The access control policy in Figure 2(a) determines the access rights for the Thumbnail Service. The We can now use automated first statement allows the service to reasoning to provide inexpensive and read files from the photo directory. The second and third statements al- provable assurance to customers. low the Thumbnail Service to write to the thumbnail directory and invoke an external function to compress images. At AWS, we have developed the Suppose we wish to verify require- resources, the tool would return a Zelkova tool3 to prove properties ment 4 of the policy in Figure 2(a). valid; it is not possible for the thumb- across examples like that in Figure 1.