Shared security model
Demo: tool for reasoning about VPCs using techniques for NP-complete reasoning
Reasoning about networks
• Web service and CLI available in private beta
• Automatically answers queries about customer EC...
Reasoning about networks
• EC2 networking semantics specified in logic
• For example, all possible subtle interactions bet...
Example queries
• “Which EC2 instances are accessible from the Internet?”
• “From my VPC, can non-bastion instances only S...
EC2 networking concepts supported
Availability Zones
Instances
Internet gateways
Load balancers
NAT instances
NAT gateways...
Shared security model
Demo: Proving correctness properties of s2n using induction and techniques for NP-complete reasoning
S2N
• Small, fast TLS library
• Rigorously engineered for security
• Open source
• Mechanical reasoning:
• Automated provi...
HMAC
• Keyed-hash message authentication code
• Provides a signature for a message that confirms:
• Authenticity: the messa...
HMAC
hmac h h2 h3 K m = h2 (okey # split (h (ikey # m)))
  where
    k0 = kinit h3 K
    okey = [kb ^ 0x5C | kb <- k0]
    ikey = [kb ^ 0x36 ...
Intermediate model (diagram): High-level Cryptol code → (proof) → Lower-level Cryptol code → (proof) → Production s2n code
Diagram annotations: ”Proof plumbing”: hand-... ; Incorporates s2n data s... ; Omits pointer/memory an...
Comparing for all message sizes and splittings
• Key inductive lemmas:
• hmac_update(hmac_update(s,m1),m2) =
hmac_update(...
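The slide's HMAC equation and the splitting lemma above in runnable form, as an added example written for this page rather than code from s2n or the talk. It assumes SHA-256 for all three hash roles (h, h2, h3), an incremental state shaped as (okey, running inner hash), and the constructed sample inputs at the end.

```python
"""HMAC as on the slide, with the message-splitting lemma checked concretely.

The slide's Cryptol  hmac h h2 h3 K m = h2 (okey # split (h (ikey # m)))
is transcribed with SHA-256 in all three hash roles (assumption: the model
keeps h, h2 and h3 distinct so each invocation can be reasoned about on its
own). An incremental init/update/final form, the shape a record layer feeds
one fragment at a time, is checked against the one-shot form for every cut
point of a message: the lemma hmac_update(hmac_update(s,m1),m2) =
hmac_update(s, m1 # m2), in finite form.
"""
import hashlib
import hmac as stdlib_hmac

BLOCK = 64  # SHA-256 block size in bytes


def kinit(key):
    """k0: hash keys longer than a block, then zero-pad to one block."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    return key.ljust(BLOCK, b"\x00")


def hmac_oneshot(key, m):
    """Direct transcription of  h2 (okey # split (h (ikey # m)))."""
    k0 = kinit(key)
    okey = bytes(kb ^ 0x5C for kb in k0)
    ikey = bytes(kb ^ 0x36 for kb in k0)
    return hashlib.sha256(okey + hashlib.sha256(ikey + m).digest()).digest()


def hmac_init(key):
    """State = (okey, running inner hash already fed with ikey)."""
    k0 = kinit(key)
    inner = hashlib.sha256(bytes(kb ^ 0x36 for kb in k0))
    return bytes(kb ^ 0x5C for kb in k0), inner


def hmac_update(state, m):
    """Feed one message fragment; returns a new state (functional update)."""
    okey, inner = state
    inner = inner.copy()
    inner.update(m)
    return okey, inner


def hmac_final(state):
    """Outer hash over okey and the finished inner hash."""
    okey, inner = state
    return hashlib.sha256(okey + inner.digest()).digest()


def state_digest(state):
    """Observable view of a state, so two states can be compared."""
    okey, inner = state
    return okey, inner.digest()


def splitting_holds(key, m):
    """True if every two-fragment feeding of m reaches the same state as
    feeding m whole, and the tag equals both the one-shot transcription and
    the standard library's HMAC-SHA256."""
    s = hmac_init(key)
    whole = hmac_update(s, m)
    expected = hmac_oneshot(key, m)
    if hmac_final(whole) != expected:
        return False
    if expected != stdlib_hmac.new(key, m, hashlib.sha256).digest():
        return False
    return all(state_digest(hmac_update(hmac_update(s, m[:cut]), m[cut:]))
               == state_digest(whole) for cut in range(len(m) + 1))


# Constructed sample inputs: short key, block-sized key, over-long key.
SAMPLES = [(b"key", b"The quick brown fox jumps over the lazy dog"),
           (bytes(range(64)), b"x" * 130),
           (b"k" * 100, b"")]
```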
Continuous integration
• Proofs replayed automatically in Travis CI
• Proof failure is a build failure
• Average runtime: ...
Demo
Thank you!

AWS re:Invent 2016: Automated Formal Reasoning About AWS Systems (SEC401)

Automatic and semiautomatic mechanical theorem provers are now being used within AWS to find proofs in mathematical logic that establish desired properties of key AWS components. In this session, we outline these efforts and discuss how mechanical theorem provers are used to replay found proofs of desired properties when software artifacts or networks are modified, thus helping provide security throughout the lifetime of the AWS system. We consider these use cases:

Using constraint solving to show that VPCs have desired safety properties, and maintaining this continuously at each change to the VPC

Using automatic mechanical theorem provers to prove that s2n’s HMAC is correct and maintaining this continuously at each change to the s2n source code

Using semi-automatic mechanical theorem provers to prove desired safety properties of protocols and code

Published in: Technology

1. SEC401: Automated Formal Reasoning About AWS Systems. Securing Customers with Mathematical Logic. Byron Cook, byron@amazon.com, November 29, 2016. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
2. Shared security model
• Securing the cloud
  • “How do we know that the AWS crypto primitives are correctly implemented and not vulnerable to side-channel attacks?”
  • “How do we know that Amazon EC2’s virtualization layer protects against memory corruption-based attacks?”
• Secure usage
  • “Could my AWS IAM policy allow unintended users access to my S3 bucket?”
  • “Am I only allowing one instance in my VPC to send outgoing network packets?”
3-6. Shared security model
• Helping customers be secure in the cloud
  • “Could my IAM policy allow unintended users access to my Amazon S3 bucket?”
  • “Am I allowing only one instance in my VPC to send outgoing network packets?”
• Securing the cloud
  • “How do we know that the AWS crypto primitives are correctly implemented?”
  • “How do we know that Amazon EC2’s virtualization layer protects against memory corruption-based attacks?”
7-8. Shared security model
• Helping customers be secure in the cloud
  • “Could my AWS IAM policy allow unintended users access to my S3 bucket?”
  • “Am I allowing only one instance in my VPC to send outgoing network packets?”
• Securing the cloud
  • “How do we know that the AWS crypto primitives are correctly implemented?”
  • “How do we know that the Amazon EC2 virtualization layer protects against memory corruption-based attacks?”
9. AWS security: Raising the bar on security
• Secure usage of AWS components
  • Amazon Inspector, Amazon CloudWatch, AWS Config Rules, etc.
  • Tools that apply mechanized reasoning in mathematical logic to provide additional assurance
• Securing the cloud
  • Extensive penetration testing, continuous monitoring, etc.
  • Mechanized reasoning in mathematical logic to provide additional assurance
10. AWS security: Raising the bar on security
• Helping customers be secure in the cloud
  • Amazon Inspector, AWS Config Rules, etc.
  • Tools that apply mechanized reasoning in mathematical logic to provide additional assurance
• Securing the cloud
  • Extensive penetration testing, continuous monitoring, etc.
  • Mechanized reasoning in mathematical logic to provide additional assurance
11. AWS security: Raising the bar on security
• Helping customers be secure in the cloud
  • Amazon Inspector, AWS Config Rules, etc.
  • Mechanized reasoning in mathematical logic to provide additional assurance
• Securing the cloud
  • Extensive penetration testing, continuous monitoring, etc.
  • Mechanized reasoning in mathematical logic to provide additional assurance
12-13. AWS security: Raising the bar on security
• Helping customers be secure in the cloud
  • Amazon Inspector, AWS Config Rules, etc.
  • Mechanized reasoning in mathematical logic to provide additional assurance
• Securing the cloud
  • Penetration testing, continuous monitoring, compliance certification, etc.
  • Mechanized reasoning in mathematical logic to provide additional assurance
14. Questions answered in this talk
• What is “Mechanized reasoning in mathematical logic”?
• What are some examples of what AWS is doing in this space?
15. Mechanized reasoning in mathematical logic
• Proofs: 360 BC — 1970s AD
• Examples:
  • Euclid’s Infinitude of Primes
  • Gödel’s incompleteness theorem
  • Turing’s Halting problem undecidability
  • Four-color theorem
  • Odd-order theorem
  • …..
16-18. Mechanized reasoning in mathematical logic
• Proofs: 360 BC — 1970s AD
• Examples:
  • Euclid’s Infinitude of Primes
  • Gödel’s incompleteness theorem
  • Turing’s Halting problem undecidability
  • Odd-order theorem
  • …..
• Arguments found and checked by humans
  • Harder: finding the argument
  • Easier: checking the argument
19. Mechanized reasoning in mathematical logic
• Proofs: 1970s AD — Current
• New: human found and mechanically checked
• Examples:
  • Euclid’s Infinitude of Primes
  • Gödel’s Incompleteness theorem
  • Turing’s Halting problem undecidability
  • Odd-order theorem
  • Four-color theorem
  • …..
20. Mechanized reasoning in mathematical logic
• Proofs: 1970s AD — Current
• New: human found and mechanically checked
• Examples:
  • …..
  • Boeing "Little Bird" helicopter (seL4 OS-based mission computer)
  • Royal Navy Ship/Helicopter Operating Limits Unit
  • Lockheed Martin C130J Mission Computers
  • Rolls Royce Trent Series Health Monitoring Units
  • AMD K5 floating point square root microcode
  • Intel CPU arithmetic and logical operations
  • …..
21. Mechanized reasoning in mathematical logic
• Proofs: 2001 AD — Current
• Increasingly mechanically found and mechanically checked
• Examples:
  • ……
  • Airbus 360 primary flight control software
  • Paris Metro (RATP)
  • Bombardier ILLBV950L2 railway interlocking system
  • Mars Rover data management subsystem
  • ……
22-33. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
  • Conflict-clause driven learning
  • Back-jumping
  • Random-restarts
  • SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
  • Abstraction to finite/tractable problems
  • Counterexample-guided abstraction refinement
  • Interpolation for guessing inductive invariants
Annotations shown across the build: P-time = polynomial time = “tractable”; NP-complete = nondeterministic polynomial time = “intractable” (slide 24). Just buzzwords….. (slides 27 and 30). Example open source tools: Yices, MiniSAT (slides 31-32). Example open source tools: Coq, Jhorn (slide 32).
34-35. Example: NP-complete in P-time
• What values of u,w,x,y,z would lead to error()?
  if (w<x && x<y && y<z && (x>=z || u<3) && u>10) error();
• u=4, w=3, x=1, y=10, z=5 ?
  if (w<x && x<y && y<z && (w<u || u<3) && x>=z) error();
36. Example: NP-complete in P-time
• What values of u,w,x,y,z would lead to error()?
  if (w<x && x<y && y<z && (x>=z || u<3) && u>10) error();
• u=4, w=3, x=1, y=10, z=5 ? No because w>=x :
  if (w<x && x<y && y<z && (x>=z || u<3) && u>10) error();
37-38. Example: NP-complete in P-time
• What values of u,w,x,y,z would lead to error()?
  if (w<x && x<y && y<z && (x>=z || u<3) && u>10) error();
• u=4, w=3, x=18, y=10, z=5 ? No because x>=y :
  if (w<x && x<y && y<z && (w<u || u<3) && x>=z) error();
39. Example: NP-complete in P-time
• What values of u,w,x,y,z would lead to error()?
  if (w<x && x<y && y<z && (x>=z || u<3) && u>10) error();
• u=?, w=?, x=?, y=?, z=?
• SAT: If the variables range over 32-bit integers there are 2^(32*5) possible combinations.
• SMT: If the variables range over reals/rationals/integers there are an infinite number of combinations (though still decidable).
40-41. Example: NP-complete in P-time
  w<z && x<y && y<z && (x>=z || u<3) && u>10
42-44. Example: NP-complete in P-time
  w<z && x<y && y<z && (x>=z || u<3) && u>10
  case split on the disjunction:
  w<z && x<y && y<z && u<3 && u>10
  w<z && x<y && y<z && x>=z && u>10
45-46. Example: NP-complete in P-time
  w<z && x<y && y<z && (x>=z || u<3) && u>10
47-49. Example: NP-complete in P-time
  w<z && x<y && y<z && (x>=z || u<3) && u>10
  conflicting conjunction: x<y && y<z && x>=z
  learned clause added: w<z && x<y && y<z && (x>=z || u<3) && u>10 && !(x<y && y<z && x>=z)
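The case split and conflict-clause learning from slides 40 to 49, carried out by a small solver. This is an added example written for this page, not a tool from the talk: atoms are integer difference constraints, the theory check is Bellman-Ford negative-cycle detection, and the constant node "0", the clause encoding and the satisfiable variant are my assumptions.

```python
"""Tiny DPLL(T) solver in the style of the slides' SAT/SMT example.

Atoms are integer difference constraints  a - b <= c ; the name "0" stands
for the constant zero, so bounds such as u<3 take the same shape. Boolean
search case-splits on atoms; a theory solver (Bellman-Ford negative-cycle
detection) checks each partial assignment and, on conflict, returns the
literals responsible, whose negation is learned as a new clause.
"""

def lt(a, b): return (a, b, -1)             # a < b   <=>  a - b <= -1
def ge(a, b): return (b, a, 0)              # a >= b  <=>  b - a <= 0
def lt_const(a, k): return (a, "0", k - 1)  # a < k   <=>  a - 0 <= k - 1
def gt_const(a, k): return ("0", a, -k - 1) # a > k   <=>  0 - a <= -k - 1

def negate(atom):
    """Exact over integers: not(a - b <= c)  <=>  b - a <= -c - 1."""
    a, b, c = atom
    return (b, a, -c - 1)

def theory_check(lits):
    """Satisfiability of a conjunction of (atom, polarity) literals.

    Returns (True, model) or (False, core); core lists the literals on a
    negative cycle of the constraint graph, i.e. the conflict explanation."""
    edges = []                                   # (src, dst, w, lit)
    for atom, pol in lits:
        a, b, c = atom if pol else negate(atom)  # constraint a - b <= c
        edges.append((b, a, c, (atom, pol)))     # edge b -> a of weight c
    nodes = {n for e in edges for n in e[:2]} | {"0"}
    dist = dict.fromkeys(nodes, 0)               # virtual source: 0 to all
    pred = dict.fromkeys(nodes)                  # (src, lit) that set dist
    for _ in range(len(nodes)):
        changed = False
        for src, dst, w, lit in edges:
            if dist[src] + w < dist[dst]:
                dist[dst], pred[dst], changed = dist[src] + w, (src, lit), True
        if not changed:                          # distances final: feasible
            base = dist["0"]                     # pin the constant node to 0
            return True, {n: d - base for n, d in dist.items() if n != "0"}
    # Still relaxing after |V| rounds, so a negative cycle exists. Walk |V|
    # predecessor steps back from a relaxing vertex to land inside the cycle.
    node = next(d for s, d, w, _ in edges if dist[s] + w < dist[d])
    for _ in range(len(nodes)):
        node = pred[node][0]
    core, cur = [], node
    while True:
        src, lit = pred[cur]
        core.append(lit)
        cur = src
        if cur == node:
            return False, core

def solve(clauses):
    """DPLL(T) over CNF clauses; returns ("sat", model) or ("unsat", learned)."""
    learned = []

    def search(assign):
        while True:                              # unit propagation
            unit = None
            for clause in clauses + learned:
                if any(assign.get(a) == p for a, p in clause):
                    continue                     # already satisfied
                free = [(a, p) for a, p in clause if a not in assign]
                if not free:
                    return None                  # Boolean conflict
                if len(free) == 1:
                    unit = free[0]
                    break
            if unit is None:
                break
            assign[unit[0]] = unit[1]
        ok, result = theory_check(list(assign.items()))
        if not ok:                               # conflict-clause learning
            learned.append([(a, not p) for a, p in result])
            return None
        atom = next((a for cl in clauses for a, _ in cl if a not in assign), None)
        if atom is None:
            return result                        # every atom decided: model
        for pol in (True, False):                # case split, True first
            model = search({**assign, atom: pol})
            if model is not None:
                return model
        return None

    model = search({})
    return ("sat", model) if model is not None else ("unsat", learned)

def satisfies(clauses, model):
    """Independent check of a CNF formula on concrete integer values."""
    val = {**model, "0": 0}
    return all(any((val[a] - val[b] <= c) == p for (a, b, c), p in clause)
               for clause in clauses)

# The slides' condition:  w<z && x<y && y<z && (x>=z || u<3) && u>10
W_LT_Z, X_LT_Y, Y_LT_Z = lt("w", "z"), lt("x", "y"), lt("y", "z")
X_GE_Z, U_LT_3, U_GT_10 = ge("x", "z"), lt_const("u", 3), gt_const("u", 10)
SLIDE_FORMULA = [[(W_LT_Z, True)], [(X_LT_Y, True)], [(Y_LT_Z, True)],
                 [(X_GE_Z, True), (U_LT_3, True)], [(U_GT_10, True)]]
# Constructed satisfiable variant: the last conjunct relaxed to u<20.
SAT_VARIANT = SLIDE_FORMULA[:4] + [[(lt_const("u", 20), True)]]
```

On SLIDE_FORMULA the search branches on x>=z first, learns !(x<y && y<z && x>=z) exactly as slide 48 shows, then learns !(u<3 && u>10) on the other branch and reports unsat.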
50-51. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
  • Conflict-clause driven learning
  • Back-jumping
  • Random-restarts
  • SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
  • Abstraction to finite/tractable problems
  • Counterexample-guided abstraction refinement
  • Interpolation for guessing inductive invariants
52-54. Example: Induction
  if (x>=0 && y>=0) {
    r=0;
    i=y;
    while(i>0) {
      i--;
      r=r+x;
    }
    assert(r==x*y);
  }
Making undecidable problems feel decidable in practice (slide 53). Could this assert ever fail? (slide 54)
55-60. Example: Induction
  if (x>=0 && y>=0) {
    r=0;
    i=y;
    while(i>0) {
      pre condition: r==(y-i)*x && i>=0
      i--;
      r=r+x;
      post condition: r==(y-i)*x && i>=0
    }
    assert(r==x*y);
  }
Inductive invariant (the pre condition and the post condition, slide 55). x,y,r,i A (slide 58)
  61. 61. Example: Induction if (x>=0 && y>=0) { r=0; i=y; while(i>0) { i>0 condition: r==(y-i)*x && i>=0 i--; r=r+x; post condition: r==(y-i)*x && i>=0 } assert(r==x*y); }
  62. 62. Example: Induction if (x>=0 && y>=0) { r=0; i=y; while(i>0) { i>0 condition: r==(y-i)*x && i>=0 i--; r=r+x; post condition: r==(y-i)*x && i>=0 } assert(r==x*y); } x,y,r,i A Now we ignore how we got into the loop
  63. 63. Example: Induction if (x>=0 && y>=0) { r=0; i=y; while(i>0) { i>0 condition: r==(y-i)*x && i>=0 i’=i-1 r’=r+x post condition: r’==(y-i’)*x && i’>=0 } assert(r==x*y); } x,y,r,i,r’,i’ A Now we ignore how we got into the loop
  64. 64. Example: Induction if (x>=0 && y>=0) { r=0; i=y; while(i>0) { i>0 condition: r==(y-i)*x && i>=0 i’=i-1 r’=r+x post condition: r’==(y-i’)*x && i’>=0 } assert(r==x*y); } x,y,r,i,r’,i’ A Now we ignore how we got into the loop Inductive check
  65. 65. Example: Induction if (x>=0 && y>=0) { r=0; i=y; while(i>0) { pre condition: r==(y-i)*x && i>=0 i--; r=r+x; post condition: r==(y-i)*x && i>=0 } assert(r==x*y); }
  66. 66. Example: Induction if (x>=0 && y>=0) { r=0; i=y; while(i>0) { pre condition: r==(y-i)*x && i>=0 i--; r=r+x; post condition: r==(y-i)*x && i>=0 } assert(r==x*y); }
  67. 67. Example: Induction if (x>=0 && y>=0) { r=0; i=y; while(i>0) { pre condition: r==(y-i)*x && i>=0 i--; r=r+x; post condition: r==(y-i)*x && i>=0 } assert(r==x*y); }
  68. 68. Example: Induction if (x>=0 && y>=0) { r=0; i=y; while(i>0) { pre condition: r==(y-i)*x && i>=0 i--; r=r+x; post condition: r==(y-i)*x && i>=0 } assert(r==x*y); } If you have good heuristics for guessing the inductive invariant, the undecidable feels decidable
  69. 69. Example: Induction if (x>=0 && y>=0) { r=0; i=y; while(i>0) { pre condition: r==(y-i)*x && i>=0 i--; r=r+x; post condition: r==(y-i)*x && i>=0 } assert(r==x*y); } This type of bookkeeping can be dealt with using previously discussed techniques for NP- complete problems
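The inductive argument on these slides splits into three checks: the invariant holds on loop entry, one iteration re-establishes it from any state satisfying it and the guard, and the invariant plus a false guard gives the assertion. The following is an added example, not code from the talk: the three checks are written as Python predicates over the slides' program and evaluated by bounded enumeration (a bounded search is not a proof, that is what the solver-backed tools in the talk provide, but it shows what each condition says). It also shows that the weaker candidate r==(y-i)*x passes initiation and consecution and still fails at loop exit. The names initiation, consecution and safety, the bound, and run_program are my choices.

```python
"""Inductive-invariant check for the multiplication loop on the slides (added example)."""
from itertools import product

BOUND = 6                               # constructed search range for x, y, r, i
RANGE = range(-BOUND, BOUND + 1)


def precondition(x, y):
    return x >= 0 and y >= 0


def invariant(x, y, r, i):
    """The invariant from the slides: r==(y-i)*x && i>=0."""
    return r == (y - i) * x and i >= 0


def weak_invariant(x, y, r, i):
    """Drops i>=0: still preserved by the loop, but too weak at loop exit."""
    return r == (y - i) * x


def initiation(inv):
    """Loop entry (r=0, i=y) from any state satisfying the precondition establishes inv."""
    return all(inv(x, y, 0, y) for x, y in product(RANGE, RANGE) if precondition(x, y))


def consecution(inv):
    """From any state with inv && i>0 (ignoring how we got there), the body re-establishes inv."""
    for x, y, r, i in product(RANGE, RANGE, RANGE, RANGE):
        if inv(x, y, r, i) and i > 0:
            i2, r2 = i - 1, r + x          # i'=i-1, r'=r+x
            if not inv(x, y, r2, i2):
                return False
    return True


def safety(inv):
    """inv together with a false loop guard must imply the assertion r==x*y."""
    for x, y, r, i in product(RANGE, RANGE, RANGE, RANGE):
        if inv(x, y, r, i) and not i > 0 and r != x * y:
            return False
    return True


def is_inductive_proof(inv):
    return initiation(inv) and consecution(inv) and safety(inv)


def run_program(x, y):
    """The slides' program as executable code; returns r, or None if the precondition fails.
    Running it only covers the inputs tried, which is why the invariant argument is needed."""
    if not precondition(x, y):
        return None
    r, i = 0, y
    while i > 0:
        i -= 1
        r += x
    assert r == x * y
    return r


if __name__ == "__main__":
    print("full invariant is inductive:", is_inductive_proof(invariant))
    print("weak invariant: initiation", initiation(weak_invariant),
          "consecution", consecution(weak_invariant), "safety", safety(weak_invariant))
```

The weak invariant fails only the safety check: with i<=0 but no lower bound on i, the state x=1, y=1, r=2, i=-1 satisfies r==(y-i)*x yet r!=x*y. Adding i>=0 pins the exit state to i==0, which is exactly the extra fact needed.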
70. Core ideas behind the advances/buzzwords
    • Making NP-complete problems feel P-time in practice
      • Conflict-clause driven learning
      • Back-jumping
      • Random restarts
      • SAT and SAT modulo theories
    • Making undecidable problems feel decidable in practice
      • Abstraction to finite/tractable problems
      • Counterexample-guided abstraction refinement
      • Interpolation for guessing inductive invariants
71. Questions answered in this talk
    • What is “Mechanized reasoning in mathematical logic”?
    • What are some examples of what AWS is doing in this space?
73. Shared security model
    • Securing the cloud
      • “How do we know that the AWS crypto primitives are correctly implemented and not vulnerable to side-channel attacks?”
      • “How do we know that the Amazon EC2 virtualization layer protects against memory corruption-based attacks?”
    • Secure usage
      • “Could my AWS IAM policy allow unintended users access to my S3 bucket?”
      • “Am I only allowing one instance in my VPC to send outgoing network packets?”
74. Shared security model
    • Helping customers be secure in the cloud
      • “Could my IAM policy allow unintended users access to my Amazon S3 bucket?”
      • “Am I allowing only one instance in my VPC to send outgoing network packets?”
    • Securing the cloud
      • “How do we know that the AWS crypto primitives are correctly implemented?”
      • “How do we know that the Amazon EC2 virtualization layer protects against memory corruption-based attacks?”
75-76. Shared security model (the slide-74 bullets again)
    Demo: tool for reasoning about VPCs using techniques for NP-complete reasoning
77. Shared security model (the slide-74 bullets again)
    Demo: Proving correctness properties of s2n using induction and techniques for NP-complete reasoning
78. Shared security model
    Demo: tool for reasoning about VPCs using techniques for NP-complete reasoning
79. Reasoning about networks
    • Web service and CLI available in private beta
    • Automatically answers queries about customer EC2 networking configurations
    • Queries written in a simple query language
    • No packets sent; network not actually used
    • We can reason about networks that have not been deployed yet
80. Reasoning about networks
    • EC2 networking semantics specified in logic
      • For example, all possible subtle interactions between NAT gateways, AZs, ACLs, VPC peering endpoints, load balancers, etc.
    • Considers all possible cases/scenarios
      • Can prove that there is no way for instance I to reach J
    • NP-complete queries, usually answered in P-time
      • Using approaches mentioned previously
81-85. Example queries
    • “Which EC2 instances are accessible from the Internet?”
        list: internet-can-ssh-to-instance(Inst).
    • “From my VPC, can non-bastion instances only SSH to the bastions?”
        all Src, Dst: instance-has-vpc(Src,byron_vpc)
                      && !atom/instance-tag(Dst, tag-key/Name, tag-value/Bastion)
                      && instance-can-ssh-to-instance(Src,Dst)
                   => atom/instance-tag(Dst,tag-key/Name,tag-value/Bastion)
    • “Which EC2 instances can access an S3 endpoint?”
        list: ex Src: instance-can-ssh-to-instance(Src,Dst)
                      && atom/instance-tag(InstDest, tag-key/Name, tag-value/S3Endpoint)
    • “Can instances tagged Public communicate with instances tagged Private?”
86. EC2 networking concepts supported
    Availability Zones, Instances, Internet gateways, Load balancers, NAT instances, NAT gateways, Network ACLs, Network interfaces, Regions, Route tables, Security groups, Subnets, Tags, VPC endpoints, VPC peering connections, VPCs
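What makes the queries on slides 81-85 proofs rather than tests is that they are evaluated over every instance pair of the configuration, with no packet sent. The following added example (not the private-beta tool from the talk, whose query language and semantics are not reproduced here) evaluates two of those queries over a constructed toy model. The model keeps only instance tags, a public-IP flag and security-group ingress rules; NACLs, route tables, peering and egress rules are deliberately left out, so its verdicts hold only for this simplified semantics. All names (byron_vpc aside, which appears on slide 83), groups, rules and the helper functions are constructed for the example.

```python
"""Toy evaluation of 'internet can SSH to' and 'non-bastion instances only SSH to bastions' (added example)."""
from dataclasses import dataclass, field

ANY = "0.0.0.0/0"  # rule source meaning "the whole Internet"


@dataclass(frozen=True)
class Rule:
    port: int
    source: str  # a security-group name, or ANY


@dataclass
class Instance:
    name: str
    vpc: str
    sg: str
    public_ip: bool = False
    tags: dict = field(default_factory=dict)


# Constructed sample configuration: one bastion, two app servers, one database.
GROUPS = {
    "sg-bastion": [Rule(22, ANY)],                            # SSH from the Internet
    "sg-app": [Rule(22, "sg-bastion"), Rule(22, "sg-app")],   # an intra-app SSH rule slipped in
    "sg-db": [Rule(5432, "sg-app")],
}
# Same configuration with the stray rule removed.
HARDENED_GROUPS = dict(GROUPS, **{"sg-app": [Rule(22, "sg-bastion")]})

INSTANCES = [
    Instance("bastion-1", "byron_vpc", "sg-bastion", public_ip=True, tags={"Name": "Bastion"}),
    Instance("app-1", "byron_vpc", "sg-app", tags={"Name": "App"}),
    Instance("app-2", "byron_vpc", "sg-app", tags={"Name": "App"}),
    Instance("db-1", "byron_vpc", "sg-db", tags={"Name": "Db"}),
]


def sg_allows(groups, dst_sg, port, src):
    """Is there an ingress rule on dst_sg for `port` whose source is `src` or the Internet?"""
    return any(r.port == port and r.source in (src, ANY) for r in groups[dst_sg])


def instance_can_ssh_to_instance(groups, src, dst):
    # Simplified semantics: same VPC and an ingress rule on 22 from src's group.
    return src is not dst and src.vpc == dst.vpc and sg_allows(groups, dst.sg, 22, src.sg)


def internet_can_ssh_to_instance(groups, inst):
    return inst.public_ip and sg_allows(groups, inst.sg, 22, ANY)


def has_tag(inst, key, value):
    return inst.tags.get(key) == value


def ssh_exposed_to_internet(groups=GROUPS, instances=INSTANCES):
    """Slide 82: list internet-can-ssh-to-instance(Inst)."""
    return [i.name for i in instances if internet_can_ssh_to_instance(groups, i)]


def bastion_only_ssh_violations(vpc, groups=GROUPS, instances=INSTANCES):
    """Slide 83, read as the English question: a non-bastion Src in `vpc` may only SSH to a
    Dst tagged Bastion. Returns every (Src, Dst) pair that breaks this, checked over all pairs;
    an empty list means the property holds for the model."""
    return [
        (src.name, dst.name)
        for src in instances
        for dst in instances
        if src.vpc == vpc
        and not has_tag(src, "Name", "Bastion")
        and not has_tag(dst, "Name", "Bastion")
        and instance_can_ssh_to_instance(groups, src, dst)
    ]


if __name__ == "__main__":
    print("SSH reachable from the Internet:", ssh_exposed_to_internet())
    print("violations:", bastion_only_ssh_violations("byron_vpc"))
    print("violations after hardening:", bastion_only_ssh_violations("byron_vpc", HARDENED_GROUPS))
```

The violating pairs are the counterexample a solver would report; with the stray rule removed the list is empty, which, for this model, is the proof that the property holds.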
87-88. Shared security model (the slide-74 bullets again)
    Demo: Proving correctness properties of s2n using induction and techniques for NP-complete reasoning
89. Shared security model
    Demo: Proving correctness properties of s2n using induction and techniques for NP-complete reasoning
90. S2N
    • Small, fast TLS library
    • Rigorously engineered for security
    • Open source
    • Mechanical reasoning:
      • Automated proving of correctness of S2N’s HMAC implementation
      • Proof performed in SAW, see https://saw.galois.com
      • Proof strategy: NP-complete techniques + Induction
    • Continuous integration: s2n is re-proved correct at each code checkin
91-95. HMAC
    • Keyed-hash message authentication code
    • Provides a signature for a message that confirms:
      • Authenticity: the message was signed by the expected sender
      • Integrity: the message has not been modified
    HMAC(K, m) = H((K0 ⊕ opad)‖H((K0 ⊕ ipad)‖m))
      m: message
      K0: derived from key
      H: arbitrary hash function
      opad, ipad: constants from NIST
96. HMAC
    HMAC(K, m) = H((K0 ⊕ opad)‖H((K0 ⊕ ipad)‖m))
    Cryptol formal specification:
        hmac h h2 h3 K m = h2 (okey # split (h (ikey # m)))
          where k0   = kinit h3 K
                okey = [kb ^ 0x5C | kb <- k0]
                ikey = [kb ^ 0x36 | kb <- k0]
98. Cryptol HMAC vs. C HMAC: the proof bridges this gap
    Cryptol specification:
        hmac h h2 h3 K m = h2 (okey # split (h (ikey # m)))
          where k0   = kinit h3 K
                okey = [kb ^ 0x5C | kb <- k0]
                ikey = [kb ^ 0x36 | kb <- k0]
    Production s2n C code:
        static int s2n_sslv3_mac_init(struct s2n_hmac_state *state, s2n_hmac_algorithm alg, const void *key, uint32_t klen)
        {
            s2n_hash_algorithm hash_alg = S2N_HASH_NONE;

            if (alg == S2N_HMAC_SSLv3_MD5) {
                hash_alg = S2N_HASH_MD5;
            }
            if (alg == S2N_HMAC_SSLv3_SHA1) {
                hash_alg = S2N_HASH_SHA1;
            }

            for (int i = 0; i < state->block_size; i++) {
                state->xor_pad[i] = 0x36;
            }

            GUARD(s2n_hash_init(&state->inner_just_key, hash_alg));
            GUARD(s2n_hash_update(&state->inner_just_key, key, klen));
            GUARD(s2n_hash_update(&state->inner_just_key, state->xor_pad, state->block_size));

            for (int i = 0; i < state->block_size; i++) {
                state->xor_pad[i] = 0x5c;
            }

            GUARD(s2n_hash_init(&state->outer, hash_alg));
            GUARD(s2n_hash_update(&state->outer, key, klen));
            GUARD(s2n_hash_update(&state->outer, state->xor_pad, state->block_size));

            /* Copy inner_just_key to inner */
            return s2n_hmac_reset(state);
        }

        static int s2n_sslv3_mac_digest(struct s2n_hmac_state *state, void *out, uint32_t size)
        {
            for (int i = 0; i < state->block_size; i++) {
                state->xor_pad[i] = 0x5c;
            }

            GUARD(s2n_hash_digest(&state->inner, state->digest_pad, state->digest_size));
            memcpy_check(&state->inner, &state->outer, sizeof(state->inner));
            GUARD(s2n_hash_update(&state->inner, state->digest_pad, state->digest_size));

            return s2n_hash_digest(&state->inner, out, size);
        }

        int s2n_hmac_init(struct s2n_hmac_state *state, s2n_hmac_algorithm alg, const void *key, uint32_t klen)
        {
            s2n_hash_algorithm hash_alg = S2N_HASH_NONE;
            state->currently_in_hash_block = 0;
            state->digest_size = 0;
            state->block_size = 64;
            state->hash_block_size = 64;

            switch (alg) {
            case S2N_HMAC_NONE:
                break;
            case S2N_HMAC_SSLv3_MD5:
                state->block_size = 48;
                /* Fall through ... */
            case S2N_HMAC_MD5:
                hash_alg = S2N_HASH_MD5;
                state->digest_size = MD5_DIGEST_LENGTH;
                break;
            case S2N_HMAC_SSLv3_SHA1:
                state->block_size = 40;
                /* Fall through ... */
            case S2N_HMAC_SHA1:
                hash_alg = S2N_HASH_SHA1;
                state->digest_size = SHA_DIGEST_LENGTH;
                break;
            case S2N_HMAC_SHA224:
                hash_alg = S2N_HASH_SHA224;
                state->digest_size = SHA224_DIGEST_LENGTH;
                break;
            case S2N_HMAC_SHA256:
                hash_alg = S2N_HASH_SHA256;
                state->digest_size = SHA256_DIGEST_LENGTH;
                break;
            case S2N_HMAC_SHA384:
                hash_alg = S2N_HASH_SHA384;
                state->digest_size = SHA384_DIGEST_LENGTH;
                state->block_size = 128;
                state->hash_block_size = 128;
                break;
            case S2N_HMAC_SHA512:
                hash_alg = S2N_HASH_SHA512;
                state->digest_size = SHA512_DIGEST_LENGTH;
                state->block_size = 128;
                state->hash_block_size = 128;
                break;
            default:
                S2N_ERROR(S2N_ERR_HMAC_INVALID_ALGORITHM);
            }

            gte_check(sizeof(state->xor_pad), state->block_size);
            gte_check(sizeof(state->digest_pad), state->digest_size);

            state->alg = alg;

            if (alg == S2N_HMAC_SSLv3_SHA1 || alg == S2N_HMAC_SSLv3_MD5) {
                return s2n_sslv3_mac_init(state, alg, key, klen);
            }

            GUARD(s2n_hash_init(&state->inner_just_key, hash_alg));
            GUARD(s2n_hash_init(&state->outer, hash_alg));

            uint32_t copied = klen;
            if (klen > state->block_size) {
                GUARD(s2n_hash_update(&state->outer, key, klen));
                GUARD(s2n_hash_digest(&state->outer, state->digest_pad, state->digest_size));

                memcpy_check(state->xor_pad, state->digest_pad, state->digest_size);
                copied = state->digest_size;
            } else {
                memcpy_check(state->xor_pad, key, klen);
            }

            for (int i = 0; i < copied; i++) {
                state->xor_pad[i] ^= 0x36;
            }
            for (int i = copied; i < state->block_size; i++) {
                state->xor_pad[i] = 0x36;
            }

            GUARD(s2n_hash_update(&state->inner_just_key, state->xor_pad, state->block_size));

            /* 0x36 xor 0x5c == 0x6a */
            for (int i = 0; i < state->block_size; i++) {
                state->xor_pad[i] ^= 0x6a;
            }

            return s2n_hmac_reset(state);
        }

        int s2n_hmac_update(struct s2n_hmac_state *state, const void *in, uint32_t size)
        {
            /* Keep track of how much of the current hash block is full
             *
             * Why the 4294949760 constant in this code? 4294949760 is the
             * highest 32-bit value that is congruent to 0 modulo all of our
             * HMAC block sizes, that is also at least 16k smaller than 2^32. It
             * therefore has no effect on the mathematical result, and no valid
             * record size can cause it to overflow.
             *
             * The value was found with the following python code;
             *
             *  x = (2 ** 32) - (2 ** 14)
             *  while True:
             *    if x % 40 | x % 48 | x % 64 | x % 128 == 0:
             *      break
             *    x -= 1
             *  print x
             *
             * What it does do however is ensure that the mod operation takes a
             * constant number of instruction cycles, regardless of the size of
             * the input. On some platforms, including Intel, the operation can
             * take a smaller number of cycles if the input is "small".
             */
            state->currently_in_hash_block += (4294949760 + size) % state->hash_block_size;
            state->currently_in_hash_block %= state->block_size;

            return s2n_hash_update(&state->inner, in, size);
        }

        int s2n_hmac_digest(struct s2n_hmac_state *state, void *out, uint32_t size)
        {
            if (state->alg == S2N_HMAC_SSLv3_SHA1 || state->alg == S2N_HMAC_SSLv3_MD5) {
                return s2n_sslv3_mac_digest(state, out, size);
            }

            GUARD(s2n_hash_digest(&state->inner, state->digest_pad, state->digest_size));
            GUARD(s2n_hash_reset(&state->outer));
            GUARD(s2n_hash_update(&state->outer, state->xor_pad, state->block_size));
            GUARD(s2n_hash_update(&state->outer, state->digest_pad, state->digest_size));

            return s2n_hash_digest(&state->outer, out, size);
        }

        int s2n_hmac_reset(struct s2n_hmac_state *state)
        {
            state->currently_in_hash_block = 0;
            memcpy_check(&state->inner, &state->inner_just_key, sizeof(state->inner));

            return 0;
        }
99-101. Intermediate model
    High-level Cryptol code  → proof →  Lower-level Cryptol code  → proof →  Production s2n code
    • “Proof plumbing”: hand-crafted proof artifact written in Galois language
    • The intermediate (lower-level Cryptol) model incorporates s2n data structures and APIs
    • It omits pointer/memory and low-level performance optimizations
102. Comparing for all message sizes and splittings
    • Key inductive lemmas:
      • hmac_update(hmac_update(s,m1),m2) = hmac_update(s,m1#m2)
      • hmac_update(s, ””) = s
    • Proved:
      • Any sequence of hmac_update calls is equivalent to a single call
      • A single call of the specification hmac_update is equivalent to the implementation hmac_update
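The HMAC formula of slides 91-96 and the update-splitting lemmas of slide 102 can both be exercised in a few lines. The following is an added example, not the Cryptol specification or the s2n code from the talk: hmac_spec is written directly from HMAC(K, m) = H((K0 ⊕ opad)‖H((K0 ⊕ ipad)‖m)), with K0 derived as the HMAC standard prescribes (a key longer than a block is hashed first, then zero-padded to the block size), and is compared against Python's hmac module for short, block-sized and over-long keys; splitting_lemma_holds checks, on an incremental hashlib state standing in for s2n's inner hash state, that feeding m1 then m2 equals feeding m1#m2 for every split point and that an empty update is the identity. This is testing on sample values, which the talk's SAW proof replaces by a proof for all inputs. The function names, the sample key lengths and the sample message are mine.

```python
"""HMAC from the formula on the slides, and the update-splitting lemma (added example)."""
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C   # the NIST pad constants; 0x36 ^ 0x5C == 0x6A, as the s2n comment notes


def derive_k0(key: bytes, h) -> bytes:
    """K0: hash the key if it is longer than one block, then zero-pad it to the block size."""
    block_size = h().block_size
    if len(key) > block_size:
        key = h(key).digest()
    return key.ljust(block_size, b"\x00")


def hmac_spec(key: bytes, msg: bytes, h=hashlib.sha256) -> bytes:
    """HMAC(K, m) = H((K0 xor opad) || H((K0 xor ipad) || m)), written as on the slides."""
    k0 = derive_k0(key, h)
    ikey = bytes(kb ^ IPAD for kb in k0)    # [kb ^ 0x36 | kb <- k0]
    okey = bytes(kb ^ OPAD for kb in k0)    # [kb ^ 0x5C | kb <- k0]
    inner = h(ikey + msg).digest()          # h (ikey # m); Cryptol's `split` only reshapes the bytes
    return h(okey + inner).digest()         # h2 (okey # ...)


def spec_matches_reference(h=hashlib.sha256) -> bool:
    """Compare the formula against hmac.new for a short, a block-sized and an over-long key."""
    block_size = h().block_size
    keys = [b"k", b"A" * block_size, b"B" * (block_size + 17)]    # constructed sample keys
    msg = b"constructed sample record"
    return all(hmac.compare_digest(hmac_spec(k, msg, h), hmac.new(k, msg, h).digest())
               for k in keys)


def hmac_update(state, chunk: bytes):
    """hmac_update(s, m): feed bytes into (a copy of) the inner hash state and return it."""
    s = state.copy()
    s.update(chunk)
    return s


def splitting_lemma_holds(msg: bytes, h=hashlib.sha256) -> bool:
    """update(update(s, m1), m2) == update(s, m1 # m2) for every split of msg, and update(s, "") == s."""
    s0 = h()
    whole = hmac_update(s0, msg).digest()
    empty_is_identity = hmac_update(s0, b"").digest() == s0.digest()
    return empty_is_identity and all(
        hmac_update(hmac_update(s0, msg[:k]), msg[k:]).digest() == whole
        for k in range(len(msg) + 1))


if __name__ == "__main__":
    print("spec == reference (SHA-256):", spec_matches_reference())
    print("spec == reference (SHA-512):", spec_matches_reference(hashlib.sha512))
    print("splitting lemma holds on sample:", splitting_lemma_holds(b"constructed sample record"))
```

Because the two lemmas on slide 102 together collapse any sequence of update calls into one call, the equivalence of the specification and the implementation only has to be proved for a single call, which is what keeps the proof independent of how TLS records happen to be chunked.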
103. Continuous integration
    • Proofs replayed automatically in Travis CI
    • Proof failure is a build failure
    • Average runtime: 15 mins
    • Proof is agnostic to the structure of the C code; it depends on:
      • Interfaces (arguments and struct layouts)
      • Function call structure
    • Easily adapted:
      • Function body changes → no proof changes likely needed
      • Interface changes → similarly sized proof changes
      • Call structure changes → tiny proof changes
104. Demo
105. Questions answered in this talk
    • What is “Mechanized reasoning in mathematical logic”?
    • What are some examples of what AWS is doing in this space?
107. Shared security model (the slide-73 bullets again)
108-110. Shared security model (the slide-74 bullets again)
    Project addressing this topic too
111. Thank you!
