Automatic and semiautomatic mechanical theorem provers are now being used within AWS to find proofs in mathematical logic that establish desired properties of key AWS components. In this session, we outline these efforts and discuss how mechanical theorem provers are used to replay found proofs of desired properties when software artifacts or networks are modified, thus helping provide security throughout the lifetime of the AWS system. We consider these use cases: Using constraint solving to show that VPCs have desired safety properties, and maintaining this continuously at each change to the VPC Using automatic mechanical theorem provers to prove that s2n’s HMAC is correct and maintaining this continuously at each change to the s2n source code Using semi-automatic mechanical theorem provers to prove desired safety properties of protocols and code

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Byron Cook
byron@amazon.com
November 29, 2016
SEC401
Automated Formal Reasoning About AWS Systems
securing Customers with Mathematical Logic

2. Shared security model
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented and not vulnerable to side-channel attacks?”
• “How do we know that Amazon EC2’s virtualization layer protects
against memory corruption-based attacks?”
• Secure usage
• “Could my AWS IAM policy allow unintended users access to my S3
bucket?”
• “Am I only allowing one instance in my VPC to send outgoing
network packets?”

3. Shared security model
• Helping customers be secure in the cloud
• “Could my IAM policy allow unintended users access to my Amazon
S3 bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that Amazon EC2’s virtualization layer protects
against memory corruption-based attacks?”

4. Shared security model
• Helping customers be secure in the cloud
• “Could my IAM policy allow unintended users access to my Amazon
S3 bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that Amazon EC2’s virtualization layer protects
against memory corruption-based attacks?”

5. Shared security model
• Helping customers be secure in the cloud
• “Could my IAM policy allow unintended users access to my Amazon
S3 bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that Amazon EC2’s virtualization layer protects
against memory corruption-based attacks?”

6. Shared security model
• Helping customers be secure in the cloud
• “Could my IAM policy allow unintended users access to my Amazon
S3 bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that the Amazon EC2 virtualization layer protects
against memory corruption-based attacks?”

7. Shared security model
• Helping customers be secure in the cloud
• “Could my AWS IAM policy allow unintended users access to my S3
bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that the Amazon EC2 virtualization layer protects
against memory corruption-based attacks?”

8. Shared security model
• Helping customers be secure in the cloud
• “Could my AWS IAM policy allow unintended users access to my S3
bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that the Amazon EC2 virtualization layer protects
against memory corruption-based attacks?”

9. AWS security: Raising the bar on security
• Secure usage of AWS components
• Amazon Inspector, Amazon CloudWatch, AWS Config Rules, etc
• Tools that apply mechanized reasoning in mathematical logic to
provide additional assurance
• Securing the cloud
• Extensive penetration testing, continuous monitoring, etc
• Mechanized reasoning in mathematical logic to provide additional
assurance

10. AWS security: Raising the bar on security
• Helping customers be secure in the cloud
• Amazon Inspector, AWS Config Rules, etc
• Tools that apply mechanized reasoning in mathematical logic to
provide additional assurance
• Securing the cloud
• Extensive penetration testing, continuous monitoring, etc
• Mechanized reasoning in mathematical logic to provide additional
assurance

11. AWS security: Raising the bar on security
• Helping customers be secure in the cloud
• Amazon Inspector, AWS Config Rules, etc
• Mechanized reasoning in mathematical logic to provide additional
assurance
• Securing the cloud
• Extensive penetration testing, continuous monitoring, etc
• Mechanized reasoning in mathematical logic to provide additional
assurance

12. AWS security: Raising the bar on security
• Helping customers be secure in the cloud
• Amazon Inspector, AWS Config Rules, etc
• Mechanized reasoning in mathematical logic to provide additional
assurance
• Securing the cloud
• Penetration testing, continuous monitoring, compliance certification,
etc
• Mechanized reasoning in mathematical logic to provide additional
assurance

13. AWS security: Raising the bar on security
• Helping customers be secure in the cloud
• Amazon Inspector, AWS Config Rules, etc
• Mechanized reasoning in mathematical logic to provide additional
assurance
• Securing the cloud
• Penetration testing, continuous monitoring, compliance certification,
etc
• Mechanized reasoning in mathematical logic to provide additional
assurance

14. Questions answered in this talk
• What is “Mechanized reasoning in mathematical logic” ?
• What are some examples of what AWS doing in this space?

15. Mechanized reasoning in mathematical logic
• Proofs: 360 BC — 1970s AD
• Examples:
• Euclid’s Infinitude of Primes
• Godel’s incompleteness theorem
• Turing’s Halting problem undecidability
• Four-color theorem
• Odd-order theorem
• …..
• …..
• …..

16. Mechanized reasoning in mathematical logic
• Proofs: 360 BC — 1970s AD
• Examples:
• Euclid’s Infinitude of Primes
• Gödel’s incompleteness theorem
• Turing’s Halting problem undecidability
• Odd-order theorem
• …..
• …..
• …..

17. Mechanized reasoning in mathematical logic
• Proofs: 360 BC — 1970s AD
• Examples:
• Euclid’s Infinitude of Primes
• Gödel’s incompleteness theorem
• Turing’s Halting problem undecidability
• Odd-order theorem
• …..
• …..
• …..
Arguments found and
checked by humans

18. Mechanized reasoning in mathematical logic
• Proofs: 360 BC — 1970s AD
• Examples:
• Euclid’s Infinitude of Primes
• Gödel’s incompleteness theorem
• Turing’s Halting problem undecidability
• Odd-order theorem
• …..
• …..
• …..
• Harder: finding
the argument
• Easier: checking
the argument

19. Mechanized reasoning in mathematical logic
• Proofs: 1970s AD — Current
• New: human found and mechanically checked
• Examples:
• Euclid’s Infinitude of Primes
• Gödel’s Incompleteness theorem
• Turing’s Halting problem undecidability
• Odd-order theorem
• Four-color theorem
• …..
• …..
• …..

20. Mechanized reasoning in mathematical logic
• Proofs: 1970s AD — Current
• New: human found and mechanically checked
• Examples:
• …..
• Boeing "Little Bird" helicopter (seL4 OS-based mission computer)
• Royal Navy Ship/Helicopter Operating Limits Unit
• Lockheed Martin C130J Mission Computers
• Rolls Royce Trent Series Health Monitoring Units
• AMD K5 floating point square root microcode
• Intel CPU arithmetic and logical operations
• …..

21. Mechanized reasoning in mathematical logic
• Proofs: 2001 AD — Current
• Increasingly mechanically found and mechanically checked
• Examples:
• ……
• ……
• Airbus 360 primary flight control software
• Paris Metro (RATP)
• Bombardier ILLBV950L2 railway interlocking system
• Mars Rover data management subsystem
• ……
• ……

22. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractible problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants

23. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractible problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants

24. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractible problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants
• P-time = polynomial time = “tractable”
• NP-complete = nondeterministic polynomial time
= “intractable”

25. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractible problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants

26. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractible problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants

27. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractible problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants
Just buzzwords…..

28. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractable problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants

29. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractable problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants

30. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractable problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants
Just buzzwords…..

31. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractable problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants
Example open source
tools: Yices, MiniSAT

32. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractable problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants
Example open source
tools: Yices, MiniSAT
Example open source
tools: Coq, Jhorn

33. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractable problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants

34. Example: NP-complete in P-time
• What values of u,w,x,y,z would lead to error()?
if (w<x && x<y && y<z && (x>=z || u<3) && u>10)
error();
• u=4, w=3, x=1, y=10, z=5 ?
if (w<x && x<y && y<z && (w<u || u<3) && x>=z)
error();

35. Example: NP-complete in P-time
• What values of u,w,x,y,z would lead to error()?
if (w<x && x<y && y<z && (x>=z || u<3) && u>10)
error();
• u=4, w=3, x=1, y=10, z=5 ?
if (w<x && x<y && y<z && (w<u || u<3) && x>=z)
error();

36. Example: NP-complete in P-time
• What values of u,w,x,y,z would lead to error()?
if (w<x && x<y && y<z && (x>=z || u<3) && u>10)
error();
• u=4, w=3, x=1, y=10, z=5 ?
No because w>=x :
if (w<x && x<y && y<z && (x>=z || u<3) && u>10)
error();

37. Example: NP-complete in P-time
• What values of u,w,x,y,z would lead to error()?
if (w<x && x<y && y<z && (x>=z || u<3) && u>10)
error();
• u=4, w=3, x=18, y=10, z=5 ?
No because x>=y :

38. Example: NP-complete in P-time
• What values of u,w,x,y,z would lead to error()?
if (w<x && x<y && y<z && (x>=z || u<3) && u>10)
error();
• u=4, w=3, x=18, y=10, z=5 ?
No because x>=y :
if (w<x && x<y && y<z && (w<u || u<3) && x>=z)
error();

39. Example: NP-complete in P-time
• What values of u,w,x,y,z would lead to error()?
if (w<x && x<y && y<z && (x>=z || u<3) && u>10)
error();
• u=?, w=?, x=?, y=?, z=?
• SAT: If the variables range over 32-bit integers there are 2^(32*5)
possible combinations.
• SMT: If the variables range over reals/rationals/integers there are an
infinite number of combinations (though still decidable)

40. Example: NP-complete in P-time
w<z && x<y && y<z && (x>=z || u<3) && u>10

41. Example: NP-complete in P-time
w<z && x<y && y<z && (x>=z || u<3) && u>10

42. Example: NP-complete in P-time
w<z && x<y && y<z && u<3 && u>10
w<z && x<y && y<z && x>=z && u>10
w<z && x<y && y<z && (x>=z || u<3) && u>10

43. Example: NP-complete in P-time
w<z && x<y && y<z && u<3 && u>10
w<z && x<y && y<z && x>=z && u>10
w<z && x<y && y<z && u<3 && u>10
w<z && x<y && y<z && x>=z && u>10
w<z && x<y && y<z && (x>=z || u<3) && u>10

44. Example: NP-complete in P-time
w<z && x<y && y<z && u<3 && u>10
w<z && x<y && y<z && x>=z && u>10
w<z && x<y && y<z && u<3 && u>10
w<z && x<y && y<z && x>=z && u>10
w<z && x<y && y<z && (x>=z || u<3) && u>10

45. Example: NP-complete in P-time
w<z && x<y && y<z && (x>=z || u<3) && u>10

46. Example: NP-complete in P-time
w<z && x<y && y<z && (x>=z || u<3) && u>10

47. Example: NP-complete in P-time
w<z && x<y && y<z && (x>=z || u<3) && u>10
x<y && y<z && x>=z

48. Example: NP-complete in P-time
w<z && x<y && y<z && (x>=z || u<3) && u>10
&& !(x<y && y<z && x>=z)
x<y && y<z && x>=z

49. Example: NP-complete in P-time
w<z && x<y && y<z && (x>=z || u<3) && u>10
&& !(x<y && y<z && x>=z)

50. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractable problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants

51. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractable problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants

52. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
i--;
r=r+x;
}
assert(r==x*y);
}

53. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
i--;
r=r+x;
}
assert(r==x*y);
}
Making undecidable
problems feel decidable
in practice

54. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
i--;
r=r+x;
}
assert(r==x*y);
}
Could this
assert
ever fail?

55. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
pre condition: r==(y-i)*x && i>=0
i--;
r=r+x;
post condition: r==(y-i)*x && i>=0
}
assert(r==x*y);
}
Inductive invariant
Inductive invariant

56. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
pre condition: r==(y-i)*x && i>=0
i--;
r=r+x;
post condition: r==(y-i)*x && i>=0
}
assert(r==x*y);
}

57. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
pre condition: r==(y-i)*x && i>=0
i--;
r=r+x;
post condition: r==(y-i)*x && i>=0
}
assert(r==x*y);
}

58. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
pre condition: r==(y-i)*x && i>=0
i--;
r=r+x;
post condition: r==(y-i)*x && i>=0
}
assert(r==x*y);
}
x,y,r,i
A

59. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
pre condition: r==(y-i)*x && i>=0
i--;
r=r+x;
post condition: r==(y-i)*x && i>=0
}
assert(r==x*y);
}

60. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
pre condition: r==(y-i)*x && i>=0
i--;
r=r+x;
post condition: r==(y-i)*x && i>=0
}
assert(r==x*y);
}

61. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
i>0 condition: r==(y-i)*x && i>=0
i--;
r=r+x;
post condition: r==(y-i)*x && i>=0
}
assert(r==x*y);
}

62. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
i>0 condition: r==(y-i)*x && i>=0
i--;
r=r+x;
post condition: r==(y-i)*x && i>=0
}
assert(r==x*y);
}
x,y,r,i
A
Now we ignore how
we got into the loop

63. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
i>0 condition: r==(y-i)*x && i>=0
i’=i-1
r’=r+x
post condition: r’==(y-i’)*x && i’>=0
}
assert(r==x*y);
}
x,y,r,i,r’,i’
A
Now we ignore how
we got into the loop

64. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
i>0 condition: r==(y-i)*x && i>=0
i’=i-1
r’=r+x
post condition: r’==(y-i’)*x && i’>=0
}
assert(r==x*y);
}
x,y,r,i,r’,i’
A
Now we ignore how
we got into the loop
Inductive check

65. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
pre condition: r==(y-i)*x && i>=0
i--;
r=r+x;
post condition: r==(y-i)*x && i>=0
}
assert(r==x*y);
}

66. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
pre condition: r==(y-i)*x && i>=0
i--;
r=r+x;
post condition: r==(y-i)*x && i>=0
}
assert(r==x*y);
}

67. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
pre condition: r==(y-i)*x && i>=0
i--;
r=r+x;
post condition: r==(y-i)*x && i>=0
}
assert(r==x*y);
}

68. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
pre condition: r==(y-i)*x && i>=0
i--;
r=r+x;
post condition: r==(y-i)*x && i>=0
}
assert(r==x*y);
}
If you have good heuristics
for guessing the inductive
invariant, the undecidable
feels decidable

69. Example: Induction
if (x>=0 && y>=0) {
r=0;
i=y;
while(i>0) {
pre condition: r==(y-i)*x && i>=0
i--;
r=r+x;
post condition: r==(y-i)*x && i>=0
}
assert(r==x*y);
}
This type of bookkeeping can
be dealt with using previously
discussed techniques for NP-
complete problems

70. Core ideas behind the advances/buzzwords
• Making NP-complete problems feel P-time in practice
• Conflict-clause driven learning
• Back-jumping
• Random-restarts
• SAT and SAT modulo theories
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractable problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants

71. Questions answered in this talk
• What is “Mechanized reasoning in mathematical logic” ?
• What are some examples of what is AWS doing in this space?

72. Questions answered in this talk
• What is “Mechanized reasoning in mathematical logic” ?
• What are some examples of what is AWS doing in this space?

73. Shared security model
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented and not vulnerable to side-channel attacks?”
• “How do we know that the Amazon EC2 virtualization layer protects
against memory corruption-based attacks?”
• Secure usage
• “Could my AWS IAM policy allow unintended users access to my S3
bucket?”
• “Am I only allowing one instance in my VPC to send outgoing
network packets?”

74. Shared security model
• Helping customers be secure in the cloud
• “Could my IAM policy allow unintended users access to my Amazon
S3 bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that the Amazon EC2 virtualization layer protects
against memory corruption based attacks?”

75. Shared security model
• Helping customers be secure in the cloud
• “Could my IAM policy allow unintended users access to my Amazon
S3 bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that the Amazon EC2 virtualization layer protects
against memory corruption-based attacks?”
Demo: tool for reasoning
about VPCs using
techniques for NP-complete
reasoning

76. Shared security model
• Helping customers be secure in the cloud
• “Could my IAM policy allow unintended users access to my Amazon
S3 bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that the Amazon EC2 virtualization layer protects
against memory corruption-based attacks?”
Demo: tool for reasoning
about VPCs using
techniques for NP-complete
reasoning

77. Shared security model
• Helping customers be secure in the cloud
• “Could my IAM policy allow unintended users access to my Amazon
S3 bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that the Amazon EC2 virtualization layer protects
against memory corruption-based attacks?”
Demo: Proving correctness
properties of s2n using
induction and techniques
for NP-complete reasoning

78. Shared security model
Demo: tool for reasoning
about VPCs using
techniques for NP-complete
reasoning

79. Reasoning about networks
• Web service and CLI available in private beta
• Automatically answers queries about customer EC2
networking configurations
• Queries written in a simple query language
• No packets sent; network not actually used
• We can reason about networks that have not been deployed yet

80. Reasoning about networks
• EC2 networking semantics specified in logic
• For example, all possible subtle interactions between NAT
gateways, AZs, ACLs, VPC peering endpoints, load balancers,
etc
• Considers all possible cases/scenarios
• Can prove that there is no way for instance I to reach J
• NP-complete queries, usually answered in P-time
• Using approaches mentioned previously

81. Example queries
• “Which EC2 instances are accessible from the Internet?”
• “From my VPC, can non-bastion instances only SSH to
the bastions?”
• “Which EC2 instances can access an S3 endpoint?”
• “Can instances tagged Public communicate with instances
tagged Private?"

82. Example queries
• “Which EC2 instances are accessible from the Internet?”
• “From my VPC, can non-bastion instances only SSH to
the bastions?”
• “Which EC2 instances can access an S3 endpoint?”
• “Can instances tagged Public communicate with instances
tagged Private?"
list: internet-can-ssh-to-instance(Inst).

83. Example queries
• “Which EC2 instances are accessible from the Internet?”
• “From my VPC, can non-bastion instances only SSH to
the bastions?”
• “Which EC2 instances can access an S3 endpoint?”
• “Can instances tagged Public communicate with instances
tagged Private?"
all Src, Dst:
instance-has-vpc(Src,byron_vpc) &&
!atom/instance-tag(Dst, tag-key/Name, tag-value/Bastion) &&
instance-can-ssh-to-instance(Src,Dst)
=>
atom/instance-tag(Dst,tag-key/Name,tag-value/Bastion)

84. Example queries
• “Which EC2 instances are accessible from the Internet?”
• “From my VPC, can non-bastion instances only SSH to
the bastions?”
• “Which EC2 instances can access an S3 endpoint?”
• “Can instances tagged Public communicate with instances
tagged Private?"
list:
ex Src:
instance-can-ssh-to-instance(Src,Dst) &&
atom/instance-tag(InstDest, tag-key/Name, tag-value/S3Endpoint)

85. Example queries
• “Which EC2 instances are accessible from the Internet?”
• “From my VPC, can non-bastion instances only SSH to
the bastions?”
• “Which EC2 instances can access an S3 endpoint?”
• “Can instances tagged Public communicate with instances
tagged Private?"
list:
ex Src:
instance-can-ssh-to-instance(Src,Dst) &&
atom/instance-tag(InstDest, tag-key/Name, tag-value/S3Endpoint)

86. EC2 networking concepts supported
Availability Zones
Instances
Internet gateways
Load balancers
NAT instances
NAT gateways
Network ACLs
Network interfaces
Regions
Route tables
Security groups
Subnets
Tags
VPC endpoints
VPC peering connections
VPCs

89. Shared security model
• Helping customers be secure in the cloud
• “Could my IAM policy allow unintended users access to my Amazon
S3 bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that the Amazon EC2 virtualization layer protects
against memory corruption-based attacks?”

90. Shared security model
• Helping customers be secure in the cloud
• “Could my IAM policy allow unintended users access to my Amazon
S3 bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that the Amazon EC2 virtualization layer protects
against memory corruption-based attacks?”
Demo: Proving correctness
properties of s2n using
induction and techniques
for NP-complete reasoning

91. Shared security model
Demo: Proving correctness
properties of s2n using
induction and techniques
for NP-complete reasoning

92. S2N
• Small, fast TLS library
• Rigorously engineered for security
• Open source
• Mechanical reasoning:
• Automated proving of correctness of S2N’s HMAC implementation
• Proof performed in SAW, see https://saw.galois.com
• Proof strategy: NP-complete techniques + Induction
• Continuous integration: s2n is re-proved correct at each code
checkin

93. HMAC
• Keyed-hash message authentication code
• Provides a signature for a message that confirms:
• Authenticity: the message was signed by the expected sender
• Integrity: the message has not been modified
HMAC(K, m) = H((K0 ⊕ opad)‖H((K0 ⊕ipad)‖m))

94. HMAC
• Keyed-hash message authentication code
• Provides a signature for a message that confirms:
• Authenticity: the message was signed by the expected sender
• Integrity: the message has not been modified
HMAC(K, m) = H((K0 ⊕ opad)‖H((K0 ⊕ipad)‖m))
message

95. HMAC
• Keyed-hash message authentication code
• Provides a signature for a message that confirms:
• Authenticity: the message was signed by the expected sender
• Integrity: the message has not been modified
HMAC(K, m) = H((K0 ⊕ opad)‖H((K0 ⊕ipad)‖m))
derived from key

96. HMAC
• Keyed-hash message authentication code
• Provides a signature for a message that confirms:
• Authenticity: the message was signed by the expected sender
• Integrity: the message has not been modified
HMAC(K, m) = H((K0 ⊕ opad)‖H((K0 ⊕ipad)‖m))
arbitrary hash function

97. HMAC
• Keyed-hash message authentication code
• Provides a signature for a message that confirms:
• Authenticity: the message was signed by the expected sender
• Integrity: the message has not been modified
HMAC(K, m) = H((K0 ⊕ opad)‖H((K0 ⊕ipad)‖m))
constants from NIST

98. HMAC
hmac h h2 h3 K m = h2 (okey # split (h (ikey # m)))
where
k0 = kinit h3 K
okey = [kb ^ 0x5C | kb <- k0]
ikey = [kb ^ 0x36 | kb <- k0]
HMAC(K, m) = H((K0 ⊕ opad)‖H((K0 ⊕ipad)‖m))
Cryptol formal specification:

99. HMAC
hmac h h2 h3 K m = h2 (okey # split (h (ikey # m)))
where
k0 = kinit h3 K
okey = [kb ^ 0x5C | kb <- k0]
ikey = [kb ^ 0x36 | kb <- k0]
HMAC(K, m) = H((K0 ⊕ opad)‖H((K0 ⊕ipad)‖m))
Cryptol formal specification:

100. hmac h h2 h3 K m =
h2 (okey # split (h (ikey # m)))
where
k0 = kinit h3 K
okey = [kb ^ 0x5C | kb <- k0]
ikey = [kb ^ 0x36 | kb <- k0]
static int s2n_sslv3_mac_init (struct s2n_hmac_state *state,
s2n_hmac_algorithm alg, const void *key,
uint32_t klen)
{
s2n_hash_algorithm hash_alg = S2N_HASH_NONE ;
if (alg == S2N_HMAC_SSLv3_MD5 ) {
hash_alg = S2N_HASH_MD5 ;
}
if (alg == S2N_HMAC_SSLv3_SHA1 ) {
hash_alg = S2N_HASH_SHA1 ;
}
for (int i = 0; i < state->block_size; i++) {
state->xor_pad[i] = 0x36;
}
GUARD(s2n_hash_init (&state->inner_just_key , hash_alg));
GUARD(s2n_hash_update (&state->inner_just_key , key, klen));
GUARD(s2n_hash_update (&state->inner_just_key , state->xor_pad,
state->block_size ));
for (int i = 0; i < state->block_size; i++) {
state->xor_pad[i] = 0x5c;
}
GUARD(s2n_hash_init (&state->outer, hash_alg));
GUARD(s2n_hash_update (&state->outer, key, klen));
GUARD(s2n_hash_update (&state->outer, state->xor_pad, state->block_size ));
/* Copy inner_just_key to inner */
return s2n_hmac_reset (state);
}
static int s2n_sslv3_mac_digest (struct s2n_hmac_state *state, void *out,
uint32_t size)
{
for (int i = 0; i < state->block_size; i++) {
state->xor_pad[i] = 0x5c;
}
GUARD(s2n_hash_digest (&state->inner, state->digest_pad ,
state->digest_size ));
memcpy_check (&state->inner, &state->outer, sizeof(state->inner));
GUARD(s2n_hash_update (&state->inner, state->digest_pad ,
state->digest_size ));
return s2n_hash_digest (&state->inner, out, size);
}
int s2n_hmac_init (struct s2n_hmac_state *state, s2n_hmac_algorithm alg,
const void *key, uint32_t klen)
{
s2n_hash_algorithm hash_alg = S2N_HASH_NONE ;
state->currently_in_hash_block = 0;
state->digest_size = 0;
state->block_size = 64;
state->hash_block_size = 64;
switch (alg) {
case S2N_HMAC_NONE :
break;
case S2N_HMAC_SSLv3_MD5 :
state->block_size = 48;
/* Fall through ... */
case S2N_HMAC_MD5 :
hash_alg = S2N_HASH_MD5 ;
state->digest_size = MD5_DIGEST_LENGTH ;
break;
case S2N_HMAC_SSLv3_SHA1 :
state->block_size = 40;
/* Fall through ... */
case S2N_HMAC_SHA1 :
hash_alg = S2N_HASH_SHA1 ;
state->digest_size = SHA_DIGEST_LENGTH ;
break;
case S2N_HMAC_SHA224 :
hash_alg = S2N_HASH_SHA224 ;
state->digest_size = SHA224_DIGEST_LENGTH ;
break;
case S2N_HMAC_SHA256 :
hash_alg = S2N_HASH_SHA256 ;
state->digest_size = SHA256_DIGEST_LENGTH ;
break;
case S2N_HMAC_SHA384 :
hash_alg = S2N_HASH_SHA384 ;
state->digest_size = SHA384_DIGEST_LENGTH ;
state->block_size = 128;
state->hash_block_size = 128;
break;
case S2N_HMAC_SHA512 :
hash_alg = S2N_HASH_SHA512 ;
state->digest_size = SHA512_DIGEST_LENGTH ;
state->block_size = 128;
state->hash_block_size = 128;
break;
default:
S2N_ERROR(S2N_ERR_HMAC_INVALID_ALGORITHM );
}
gte_check(sizeof(state->xor_pad), state->block_size );
gte_check(sizeof(state->digest_pad ), state->digest_size );
state->alg = alg;
if (alg == S2N_HMAC_SSLv3_SHA1 || alg == S2N_HMAC_SSLv3_MD5 ) {
return s2n_sslv3_mac_init (state, alg, key, klen);
}
GUARD(s2n_hash_init (&state->inner_just_key , hash_alg));
GUARD(s2n_hash_init (&state->outer, hash_alg));
uint32_t copied = klen;
if (klen > state->block_size ) {
GUARD(s2n_hash_update (&state->outer, key, klen));
GUARD(s2n_hash_digest (&state->outer, state->digest_pad ,
state->digest_size ));
hash_alg = S2N_HASH_SHA256 ;
state->digest_size = SHA256_DIGEST_LENGTH ;
break;
case S2N_HMAC_SHA384 :
hash_alg = S2N_HASH_SHA384 ;
state->digest_size = SHA384_DIGEST_LENGTH ;
state->block_size = 128;
state->hash_block_size = 128;
break;
case S2N_HMAC_SHA512 :
hash_alg = S2N_HASH_SHA512 ;
state->digest_size = SHA512_DIGEST_LENGTH ;
state->block_size = 128;
state->hash_block_size = 128;
break;
default:
S2N_ERROR(S2N_ERR_HMAC_INVALID_ALGORITHM );
}
gte_check(sizeof(state->xor_pad), state->block_size );
gte_check(sizeof(state->digest_pad ), state->digest_size );
state->alg = alg;
if (alg == S2N_HMAC_SSLv3_SHA1 || alg == S2N_HMAC_SSLv3_MD5 ) {
return s2n_sslv3_mac_init (state, alg, key, klen);
}
GUARD(s2n_hash_init (&state->inner_just_key , hash_alg));
GUARD(s2n_hash_init (&state->outer, hash_alg));
uint32_t copied = klen;
if (klen > state->block_size ) {
GUARD(s2n_hash_update (&state->outer, key, klen));
GUARD(s2n_hash_digest (&state->outer, state->digest_pad ,
state->digest_size ));
memcpy_check (state->xor_pad, state->digest_pad, state->digest_size );
copied = state->digest_size ;
} else {
memcpy_check (state->xor_pad, key, klen);
}
for (int i = 0; i < copied; i++) {
state->xor_pad[i] ^= 0x36;
}
for (int i = copied; i < state->block_size ; i++) {
state->xor_pad[i] = 0x36;
}
GUARD(s2n_hash_update (&state->inner_just_key , state->xor_pad,
state->block_size ));
/* 0x36 xor 0x5c == 0x6a */
for (int i = 0; i < state->block_size; i++) {
state->xor_pad[i] ^= 0x6a;
}
return s2n_hmac_reset (state);
}
int s2n_hmac_update (struct s2n_hmac_state *state, const void *in, uint32_t size)
{
/* Keep track of how much of the current hash block is full
*
* Why the 4294949760 constant in this code? 4294949760 is the
* highest 32-bit value that is congruent to 0 modulo all of our
* HMAC block sizes, that is also at least 16k smaller than 2^32. It
* therefore has no effect on the mathematical result, and no valid
* record size can cause it to overflow.
*
* The value was found with the following python code;
*
* x = (2 ** 32) - (2 ** 14)
* while True:
* if x % 40 | x % 48 | x % 64 | x % 128 == 0:
* break
* x -= 1
* print x
*
* What it does do however is ensure that the mod operation takes a
* constant number of instruction cycles, regardless of the size of
* the input. On some platforms, including Intel, the operation can
* take a smaller number of cycles if the input is "small".
*/
state->currently_in_hash_block += (4294949760 + size) % state->hash_block_size ;
state->currently_in_hash_block %= state->block_size ;
return s2n_hash_update (&state->inner, in, size);
}
int s2n_hmac_digest (struct s2n_hmac_state *state, void *out, uint32_t size)
{
if (state->alg == S2N_HMAC_SSLv3_SHA1 || state->alg == S2N_HMAC_SSLv3_MD5 ) {
return s2n_sslv3_mac_digest (state, out, size);
}
GUARD(s2n_hash_digest (&state->inner, state->digest_pad ,
state->digest_size ));
GUARD(s2n_hash_reset (&state->outer));
GUARD(s2n_hash_update (&state->outer, state->xor_pad, state->block_size ));
GUARD(s2n_hash_update (&state->outer, state->digest_pad ,
state->digest_size ));
return s2n_hash_digest (&state->outer, out, size);
}
int s2n_hmac_reset (struct s2n_hmac_state *state)
{
state->currently_in_hash_block = 0;
memcpy_check (&state->inner, &state->inner_just_key , sizeof(state->inner));
return 0;
}
C HMACCryptol HMAC
Proof bridges this gap

101. Intermediate model
High-level
Cryptol
Code
Lower-level
Cryptol
Code
Production
s2n
codeproof proof
”Proof plumbing”: hand-crafted
proof artifact written in Galois
language

102. Intermediate model
High-level
Cryptol
code
Lower-level
Cryptol
code
Production
s2n
codeproof proof
Incorporates s2n data
structures and APIs

103. Intermediate model
High-level
Cryptol
Code
Lower-level
Cryptol
Code
Production
s2n
codeproof proof
Omits pointer/memory and low-
level performance optimizations

104. Comparing for all message sizes and splittings
• Key inductive lemmas:
• hmac_update(hmac_update(s,m1),m2)) =
hmac_update(s,m1#m2)
• hmac_update(s, ””) = s
• Proved:
• Any sequence of hmac_update calls equivalent to a single call
• Single call of specification hmac_update equivalent to
implementation hmac_update

105. Continuous integration
• Proofs replayed automatically in Travis CI
• Proof failure is a build failure
• Average runtime: 15mins
• Proof is agnostic to structure of C code, depends on:
• Interfaces (arguments and struct layouts)
• Function call structure
• Easily adapted:
• Function body changes → no proof changes likely needed
• Interface changes → similarly sized proof changes
• Call structure changes → tiny proof changes

107. Demo

108. Questions answered in this talk
• What is “Mechanized reasoning in mathematical logic” ?
• What are some examples of what is AWS doing in this space?

109. Questions answered in this talk
• What is “Mechanized reasoning in mathematical logic” ?
• What are some examples of what is AWS doing in this space?

110. Shared security model
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented and not vulnerable to side-channel attacks?”
• “How do we know that the Amazon EC2 virtualization layer protects
against memory corruption-based attacks?”
• Secure usage
• “Could my AWS IAM policy allow unintended users access to my S3
bucket?”
• “Am I only allowing one instance in my VPC to send outgoing
network packets?”

111. Shared security model
• Helping customers be secure in the cloud
• “Could my IAM policy allow unintended users access to my Amazon
S3 bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that the Amazon EC2 virtualization layer protects
against memory corruption-based attacks?”

112. Shared security model
• Helping customers be secure in the cloud
• “Could my IAM policy allow unintended users access to my Amazon
S3 bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that the Amazon EC2 virtualization layer protects
against memory corruption-based attacks?”
Project addressing this topic
too

113. Shared security model
• Helping customers be secure in the cloud
• “Could my AWS IAM policy allow unintended users access to my S3
bucket?”
• “Am I allowing only one instance in my VPC to send outgoing
network packets?”
• Securing the cloud
• “How do we know that the AWS crypto primitives are correctly
implemented?”
• “How do we know that the Amazon EC2 virtualization layer protects
against memory corruption-based attacks?”
Project addressing this topic
too

114. Thank you!