With the enormous attack surface of cloud providers like AWS, Azure, and GCP, why aren't there moresecurity problems? Data breaches and cyber attacks occur daily . How do you explain the unreasonable effectiveness of cloud security?
Google has an ebook on their security approach; Microsoft has some web pages . Both are the equivalent of that person who is disgustingly healthy and you ask them how they do it and they say "I don't know. I just eat right, exercise, and get plenty of sleep." Not all that useful. Most of us want a hack, a trick to good health. Who wants to eat right?
I'm sure Amazon also eats right, exercises, and gets plenty of sleep (probably not the people who work there), but AWS also has a secret that when that disgustingly healthy person starts talking about at a party, you just can't help to lean in and listen.
What's the trick to 6-pack security? Proving systems correct . Does your datacenter do that? I didn't think so. AWS does.
Dr. Byron Cook gave an enthusiastic talk on Formal Reasoning about the Security of Amazon Web Service . He's clearly excited about finally applying his research in a real-world setting. This is the trojan horse the FloC (Federated Logic Conference) community has been waiting for. It's almost as if he's a FLoC guy working at AWS rather than an AWS guy giving a FLoC talk.
The main take-aways for me were:
AWS has made a big bet on Automated Reasoning to increase cloud security. Provable cloud security is an accelerator for AWS adoption. Customers want and like it. Testing more is meaningless―soundness is key. Soundness means they understand the semantics of a policy language and then use constraint solving, which is sound, to prove it. This is the future of security and most of us have no idea how to live in it. As good as all this work is, it's still a band-aid on a 20th century software production process. For us to achieve reliable security, human driven programming shouldnot be long for this brave new world.Here's a gloss of some of the main points of this enlightening talk:
Introduction Bio : Dr. Byron Cook is Director of Automated Reasoning at Amazon Web Services and Professor of Computer Science at University College London. Prior to joining Amazon, Byron was known for his contributions to the Terminator/T2 termination prover, BioModelAnalyzer, SLAM, and Microsoft’s Static Driver Verifier. Dr. Cook left academia and took a job at AWS with the idea of creating a formal methods revolution in cloud security. He wanted to create a major step change, to really change the game. Now it has been four years. **spoilers** He succeeded. Formal methods have arrived and are no longer irrelevant. AWS YoY revenue growth is ~45%. Planned Availability Zone growth is 55% YoY. Planned growth in geographic regions is 22% YoY. Services, features, developers, and customers are growing exponentially, so the cloud and security are interesting and important areas of research. The keys to the AWS success story are agility and security based on rapid feature development from customer feedback and data. To increase cloud security AWS has made a big bet on Automated Reasoning. There's a difference between security in the cloud and of the cloud . In the cloud customers need to securely setup identity configurations, access policies, virtual networks, code, etc. Of the cloud means making virtualization, encryption, protocols, hardware, compliance, etc. all secure. It's called a Shared Responsibiltity Model . Security Of the Cloud AWS using formal methods started quietly in 2014 with a pilot project. The game plan was: Find security problems where we can help. Apply new or existing tools. Collaborate share ideas, code, data with the community Deliver value to AWS and our customers when things go well Add problems to "research questions" bucket when they fail Repeat AWS is perfect place to merge theory with practice. Overly theoretical people don't know what to work on and overly practical people don't know what they are doing. Pre-launch protocol proof engagements are now growing exponentially. After initial developer skepticism, it's gaining acceptance internally. Quote from an influential AWS employee: "The world thought this formal verification stuff was snake oil and would never be practical, but you have proved them wrong."The AWS security team performs formal security reviews of all features/services, e.g. 1,430 services/features in 2017, a 41% year-over-year increase from 2016. Mitigations to security risks that are developed during these security reviews are documented as a part of the security review process. Another important activity within AWS is ensuring that the cloud infrastructure stays secure after launch, especially as the system is modified incrementally by developers.
In 2017 alone the security team used deductive theorem provers or model checking tools to reason about cryptographic protocols/systems, hypervisors, boot-loaders/BIOS/firmware, garbage collec- tors, and network designs. Overall, formal verification engagements within the AWS security team increased 76% year-over-year in 2017, and found 45% more pre-launch security findings year-over-year in 2017. Formal reasoning about the security of the cloud has two activities: secure design and secure operation. Secure design: AppSec (application security) review and compliance certification plan/automation. For an AppSec review you build a threat model, decide on mitigation strategies for threats, worry about compliance (ITAR, PCI, FIPs, FedRAMP, etc). Secure operation: you need to maintain security in the field while it's running. Things happen, for example, a researcher finds a problem in open source code that you're using, so you have to decide if this is a problem for you, ask if you've built enough mitigations. Every aspect of formal reasoning has a formal constraint solving component. Security protocols. In AWS large fleets of machines share secrets with each other and try to keep their state up to date using security protocols that are hard to get right. In AWS they try to prove those protocols correct via reduction of the protocol to proofs in VCC . Customers love that they are doing formal verification. Customers actually s