27 research outputs found

    Formal reasoning about the security of amazon web services

    We report on the development and use of formal verification tools within Amazon Web Services (AWS) to increase the security assurance of its cloud infrastructure and to help customers secure themselves. We also discuss some remaining challenges that could inspire future research in the community

    Thoughts about using Constraint Solvers in Action

    SMT solvers power many automated security analysis tools today. Nevertheless, a smooth integration of SMT solvers into programs is still a challenge that leads to different approaches for doing it the right way. In this paper, we review the state of the art for interacting with constraint solvers. Based on the different ideas found in the literature we deduce requirements for a constraint solving service simplifying the integration challenge. We identify that for some of those ideas, it is required to run large-scale experiments for evaluating some of the ideas behind the requirements empirically. We show that the platform is capable of running such an experiment for the case of measuring the impacts of seeds on the solver runtime.

    The development and deployment of formal methods in the UK

    UK researchers have made major contributions to the technical ideas underpinning formal approaches to the specification and development of computer systems. Perhaps as a consequence of this, some of the significant attempts to deploy theoretical ideas into practical environments have taken place in the UK. The authors of this paper have been involved in formal methods for many years and both have tracked a significant proportion of the whole story. This paper both lists key ideas and indicates where attempts were made to use the ideas in practice. Not all of these deployment stories have been a complete success and an attempt is made to tease out lessons that influence the probability of long-term impact.
    Comment: This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice, after which this version may no longer be accessible.

    Improving Cloud Governance by Increasing Observability

    The rise in popularity of Cloud computing has introduced new challenges for IT governance. The multitude of different services and possible configurations Cloud providers offer can make it hard to get a comprehensive overview of the environment. To successfully govern an organisation's Cloud environment it is important to be able to easily make accurate and reliable observations of the environment's state, security, and changes to the configurations. This thesis takes a look into the research literature to find out what kinds of risks have been identified in governing the Cloud environment and ways to mitigate them. One of the latest advancements in improving Cloud governance is the introduction of automated formal reasoning tools for configuration analysis. One customer case where multiple vendors are building services on multiple cloud accounts is used as an example. An architecture for application, security, and audit log collection, indexing, and monitoring is described. Special attention is given to the identity and access management requirements. The thesis concludes with an assessment of the selected approach and of the tools and services used to implement it. Some alternative solutions, possible improvements, and further development of the implementation are considered.

    Code-level model checking in the software development workflow at Amazon Web Services

    This article describes a style of applying symbolic model checking developed over the course of four years at Amazon Web Services (AWS). Lessons learned are drawn from proving properties of numerous C-based systems, for example, custom hypervisors, encryption code, boot loaders, and an IoT operating system. Using our methodology, we find that we can prove the correctness of industrial low-level C-based systems with reasonable effort and predictability. Furthermore, AWS developers are increasingly writing their own formal specifications. As part of this effort, we have developed a CI system that allows integration of the proofs into standard development workflows and extended the proof tools to provide better feedback to users. All proofs discussed in this article are publicly available on GitHub.

    Checking Trustworthiness of Probabilistic Computations in a Typed Natural Deduction System

    In this paper we present the probabilistic typed natural deduction calculus TPTND, designed to reason about and derive trustworthiness properties of probabilistic computational processes, like those underlying current AI applications. Derivability in TPTND is interpreted as the process of extracting n samples of possibly complex outputs with a certain frequency from a given categorical distribution. We formalize trust for such outputs as a form of hypothesis testing on the distance between such frequency and the intended probability. The main advantage of the calculus is to render such a notion of trustworthiness checkable. We present a computational semantics for the terms over which we reason and then the semantics of TPTND, where logical operators as well as a Trust operator are defined through introduction and elimination rules. We illustrate structural and metatheoretical properties, with particular focus on the ability to establish under which term evolutions and logical rule applications the notion of trustworthiness can be preserved.

    Parameter Synthesis for Markov Models

    Markov chain analysis is a key technique in reliability engineering. A practical obstacle is that all probabilities in Markov models need to be known. However, system quantities such as failure rates or packet loss ratios, etc. are often not---or only partially---known. This motivates considering parametric models with transitions labeled with functions over parameters. Whereas traditional Markov chain analysis evaluates a reliability metric for a single, fixed set of probabilities, analysing parametric Markov models focuses on synthesising parameter values that establish a given reliability or performance specification φ. Examples are: what component failure rates ensure the probability of a system breakdown to be below 0.00000001?, or which failure rates maximise reliability? This paper presents various analysis algorithms for parametric Markov chains and Markov decision processes. We focus on three problems: (a) do all parameter values within a given region satisfy φ?, (b) which regions satisfy φ and which ones do not?, and (c) an approximate version of (b) focusing on covering a large fraction of all possible parameter values. We give a detailed account of the various algorithms, present a software tool realising these techniques, and report on an extensive experimental evaluation on benchmarks that span a wide range of applications.
    Comment: 38 pages