AWS Open Sources Security Tools
VANCOUVER, British Columbia — At the Linux Foundation Open Source Summit North America, Amazon Web Services (AWS) made not one, but two, important open source security announcements. First, the company is open sourcing its Cedar policy language and authorization engine. This tool allows developers to set intricate policy permissions within their applications that are separate from their application logic. The other, Snapchange, is an experimental venture into the potential of the Linux’s kernel’s built-in virtual machine program, KVM, for snapshot fuzzing.
Cedar is already used by the Amazon Verified Permissions (AVP), and AWS Verified Access managed services. It’s both a language and a software development kit (SDK) for building and enforcing application authorization policies. With Cedar, programmers can control access to resources such as data, compute nodes in a cluster, or workflow automation components, AWS claims it’s very flexible, and developers can specify fine-grained permissions with it.
Authorization Models
It also supports popular authorization models. This includes role-based access control (RBAC) and attribute-based access control. As you’d imagine, since AWS already uses it in protection, it underwent a comprehensive verification-guided development process, using automated reasoning to test and prove its safety and correctness properties.
AVP, which uses Cedar to manage permissions in custom applications, offers centralized storage for Cedar policies. This also provides swift processing times and audit capabilities across applications. The newly open sourced Cedar libraries allow for local testing and validation of policies before AVP deployment.
Cedar has been open sourced under Apache License version 2. This includes both the Cedar language specification and SDK. Like what you see and want to add improvements? AWS welcomes contributions to the Cedar-policy GitHub repository and the Cedar Policy Slack Workspace.
Leveraging KVM
Alongside Cedar, Snapchange is an open source project aiming to simplify snapshot-based fuzzing. This Rust framework replays physical memory snapshots to enhance efficiency and simplify the fuzzing of various target types. Snapchange does this by leveraging KVM.
The AWS Find and Fix (F2) open source security research team originally started Snapchange as an experiment. Could KVM be used in snapshot fuzzing? The answer: Yes.
So, Snapchange has evolved into a project for providing a user-friendly platform for developers and researchers to experiment with snapshot fuzzing. Snapchange is available on GitHub under Apache 2.0.
Snapchange is still a work in progress. While the AWS F2 team continues to actively support Snapchange and has plans for new features, they’re inviting the security research community to contribute to its development. The goal is to create a more robust tool over time.
While it’s early days, you can already use Snapchange with the fuzz, trace, coverage, minimize, and project shell utilities. Before getting too excited, keep in mind that Snapchange operates within Linux and requires direct access to the underlying KVM primitives. So while it’s compatible with EC2 bare metal instance types, it won’t work with EC2 virtualized instances. It will also, of course, work in other hardware-based Linux environments. Personally, I’m rather excited by this tool.
