Pre-Deployment Security Assessment for Cloud Services through Semantic Reasoning (Extended Abstract)

Claudia Cauli, Meng Li, Nir Piterman, Oksana Tkachuk
2021 International Workshop on Description Logics  
Over the past ten years, the adoption of cloud services has grown rapidly, leading to the introduction of automated deployment tools to address the scale and complexity of the infrastructure that companies and users deploy. The practice of configuring, deploying, and updating system resources from source code files is known as Infrastructure as Code (IaC) [17]. In addition to instructions relevant for resource creation, dependencies, and updates, IaC configuration files contain information ... ut settings, dataflow, and access control. Without the aid of automation, ensuring the security of such deployments becomes more and more challenging.

In this study, we focus on the first IaC tool ever introduced: Amazon Web Services' CloudFormation. In particular, we investigate the application of description logics to the formalization and reasoning over IaC deployments. We are interested in three aspects: (i) whether proposed cloud IaC configurations comply with security best practices, (ii) how to aid users in building more secure infrastructure before deploying it, and (iii) to what extent formal automated techniques can support manual pre-deployment security reviews.

We provide a framework to encode IaC into description logic, and investigate its effectiveness in answering configuration queries and reasoning about dataflow, trust boundaries, and potential issues within the system. Specifically, we test DLs' reasoning capabilities to infer new facts about underspecified resources (such as those not included in a given deployment but used by it) and leverage DLs' open-world assumption to perform verification and refutation, depending on the property being checked. We formalize additional security knowledge that allows for checking system-level semantic properties; i.e., properties that consider the nature of the cloud environment and more complex reachability over an inferred graph representation of the infrastructure.

Formalizing and Encoding Infrastructure as Code

According to the IaC paradigm, resources are deployed on the cloud by writing one or more JSON-formatted configuration files, by which users configure settings and communication of the desired instances. Configuration files must validate against the resource specifications [10], which are files prescribing resource properties and their allowed values.
dblp:conf/dlog/CauliLPT21 fatcat:7lkq5nxz2jfpjn5rj722pzvciy