Reachability Analysis for AWS-Based Networks

Introduction

• Tiros
  • 使用现成的自动定理证明工具对使用AWS API构建的虚拟网络进行正式分析
  • Tiros将AWS网络概念的语义编码为逻辑，然后使用各种推理引擎来验证与安全相关的属性
  • 可以使用的工具：Souffle ́, MonoSAT, and Vampire
  • 静态执行分析
  • SMT encoding ： similar in design to Anteater and ConfigChecker
    • Anteater：SAT-based bounded model checking
    • ConfigChecker：BDD-based fixed-point model checking
  • Datalog approach：similar to Batfish and SyNET

AWS Networking

AWS Networking Semantics as Logic

• the model of the network
  • formal specification —— formalizes the semantics of the AWS networking components
    • 路由表如何从子网引导流量
    • 防火墙在安全组中应用规则的顺序
    • 负载平衡器如何路由流量
  • snapshopt —— 网络拓扑和细节
    • 特定VPC（或一组VPC）中的实例、子网及其路由表列表
• 为了回答可访问性问题，Tiros将形式规范、快照和查询合并到表示答案的公式中
  • the Datalog solver Souffle ́ [17],
  • the SMT solver MonoSAT [3], finite graph reachability（reachability questions）
  • the first-order theorem prover Vampire [23] （无法很好地缩放被放弃）

Datalog Encoding

• specification
  • 描述VPC中网络组件语义的类型、谓词、常量和规则
    • 50 types, 200 predicates, and over 240 rules.
    • Example：semantics of SSH tunneling
      • An instance can SSH tunnel to another instance iff it can either SSH to it directly, or through a chain of intermediate instances.
        
• snapshot
  • constants and facts —— configuration of a specific AWS network
    • constants —— $typ{e}_{id}$
  • Example：the snapshot of a network with an instance with id 1234 in a subnet with id web
    • constants —— $nstanc{e}_{1234},subne{t}_{web}$
    • fact —— h a s S u b n e t ( i n s t a n c e 1234 , s u b n e t w e b ) hasSubnet(instance_{1234},subnet_{web}) hasSubnet(instance