Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Research Paper Introduction #107 ” Reachability...

cafenero_777
September 30, 2022
Technology
0
95

Research Paper Introduction #107 ” Reachability Analysis for AWS-based Networks”

CAV 2019
https://link.springer.com/chapter/10.1007/978-3-030-25543-5_14

VPC Reachability Analyzerについて
https://aws.amazon.com/jp/blogs/news/new-vpc-insights-analyzes-reachability-and-visibility-in-vpcs/

re:Invent動画
https://www.youtube.com/watch?v=6DX7p-OirGU

cafenero_777

September 30, 2022
Tweet

More Decks by cafenero_777

See All by cafenero_777
#51 “Empowering Azure Storage with RDMA”
cafenero_777
3
370
#49 “Gray Failure: The Achilles’ Heel of Cloud-Scale Systems”
cafenero_777
2
93
#50 “Scalable Hierarchical Aggregation Protocol (SHArP): A Hardware Architecture for Efficient Data Reduction”
cafenero_777
0
72
#33 “Destroying networks for fun (and profit)”
cafenero_777
0
71
#34 “MTPSA: Multi-Tenant Programmable Switches”
cafenero_777
0
38
#37 “Bluebird: High-performance SDN for Bare-metal Cloud Services”
cafenero_777
1
100
#39 “Profiling a warehouse-scale computer”
cafenero_777
0
26
#23 “VFP: A Virtual Switch Platform for Host SDN in the Public Cloud”
cafenero_777
0
190
#24 “Ananta: Cloud Scale Load Balancing”
cafenero_777
0
200

Other Decks in Technology

See All in Technology
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
260
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
190
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
310
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
500
第1回 国土交通省 データコンペ参加者向け勉強会③ - Snowflake x estie編 -
estie
0
130
Engineer Career Talk
lycorp_recruit_jp
0
170
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
220
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
380
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
470
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
1k
Lambdaと地方とコミュニティ
miu_crescent
2
370
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
12k

Featured

See All Featured
Become a Pro
speakerdeck
PRO
25
5k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
4 Signs Your Business is Dying
shpigford
180
21k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Fireside Chat
paigeccino
34
3k
GraphQLとの向き合い方2022年版
quramy
43
13k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
For a Future-Friendly Web
brad_frost
175
9.4k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Side Projects
sachag
452
42k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k

Transcript

  1. Research Paper Introduction #35 “Reachability Analysis for AWS-based Networks ”

    ௨ࢉ#95 @cafenero_777 2022/03/31 1

  2. Agenda •ର৅࿦จ •֓ཁͱಡ΋͏ͱͨ͠ཧ༝ 1. INTRODUCTION 2. AWS Networking 3. AWS

    Networking Semantics as Logic 4. Usage and Performance 5. Conclusion 2

  3. ର৅࿦จ •Reachability Analysis for AWS-based Networks • J. Backes1, S.

    Bayless14, B. Cook12, C. Dodge1 , A. Gacek1, A.J. Hu4, T. Kahsai1, B. Kocik1, E. Kotelnikov13, J. Kukovec15, S. McLaughlin1, J. Reed6, N. Rungta1, J. Sizemore1, M. Stalzer1, P. Srinivasan1, P. Suboti ́c12, C. Varming1, B. Whaley1 • 1Amazon, 2University College London, 3Chalmers University of Technology, 4University British Columbia, 5TU Wien, 6Semmle Inc • CAV 2019 • VPC Reachability Analyzerʹ͍ͭͯ • re:Inventಈը 3

  4. ֓ཁͱಡ΋͏ͱͨ͠ཧ༝ •֓ཁ • SDNͳNWΠϯϑϥͷઃఆϛε΍ηΩϡϦςΟ੬ऑੑΛਪ࿦ͰࣗಈνΣοΫ͍ͨ͠ • ਪ࿦ΤϯδϯΛ༻͍ͨTiros (NW౸ୡੑਪ࿦πʔϧ)Λ࡞ͬͨ • AWS”Ͱ"࢖ΘΕ͍ͯΔ •ಡ΋͏ͱͨ͠ཧ༝

    • VPCͷNW reachabilityͲ͏΍ͬͯ֬ೝ͢ΔΜͩΖ͏ • ਪ࿦Τϯδϯʁ -> formal veri fi cationͷ૊Έ߹Θͤ 4

  5. Formal Veri fi cation (ܗࣜతݕূ) •Formal Veri fi cationͷ࢖͍ํ •

    ໋୊Λهड़͢Δ • ੍໿Λهड़͢Δ • ιϧό͕ղ͍ͯ͘ΕΔʢॲཧͦͷ΋ͷΛॻ͘ඞཁͳ͠ʣ •Amazon S3ͷઃܭͰ࢖ͬͯΔͷ͸༗໊ •࣮͸VPC Reachability Analyzer΍Amazon InspectorͰ΋ʢόοΫΤϯυͱͯ͠ʣ ࢖ͬͯΔΒ͍͠ɺͱ͍͏ͷ͕ࠓճͷ࿩ 5

  6. solver (ιϧό) •SATιϧό • SATis fi abilityιϧόʢॆ଍Մೳੑʣ • ͋Δ࿦ཧ͕ࣜtrueͱͳΔʢ=৚݅Λຬͨ͢ʣม਺ͷ૊Έ߹Θ͕ͤଘࡏ͢Δ͔ •SMTιϧό

    • Satis fi ability Modulo Theories • SATιϧό + ಛఆυϝΠϯͷ࿦ཧιϧόʢbit vector, จࣈྻɺࢉज़ʣͷ૊Έ߹Θͤ 6

  7. 1. INTRODUCTION •AWS • compute, storage, analyticsΛఏڙ • 30Λ௒͑ΔԾ૝NWػೳ •

    NWઃఆͷਖ਼͠͞ʢྫɿPCI-DSSͷ؂ࠪʣ • accurate, automated, scalable͕ඞཁ •Tiros • ༷ʑͳܗࣜ෼ੳ (formal analysis/model checking)Λ༻͍ͨਪ࿦Τϯδϯ • AWS NW৘ใ (semantics)Λ࿦ཧʹม׵ (encoding)ͯ͠࢖͏ • ੩తղੳɻ࣮ࡍʹύέοτ͸౤͛ͳ͍ʢϓϩʔϒ΍pentest΋࢖Θͳ͍ʣɻϦϦʔεલʹղੳͰ͖Δɻ 7

  8. 2. AWS Networking •ߏ੒ྫ • ػೳ: Subnet/Routing, LB/NAT/ACL • ςφϯτ෼཭

    (VPC) • ENI (Elastic Network Interface) • Internet Gateway •࣭໰ɿinternet͔ΒsshͰ͖ΔVM͸ଘࡏ͢Δ͔ʁ • pubic, VPC/subnet಺, peering/transit-GWͳͲͷҧ͍Λߟྀͨ͠ਪ࿦͕ඞཁ 8

  9. 3. AWS Networking Semantics as Logic •Tiros: AWS NWΛϞσϧԽɾܗࣜ෼ੳʢ੩తղੳʣͯ͠reachabilityΛ֬ೝ •

    ܗࣜ࢓༷ (ઃఆ)ɿRT/FW/LB (Ͳ͏΍ͬͯύέοτసૹ͢Δ͔) • NWͷঢ়ଶʢsnapshot/runtimeʣɿτϙϩδɾΠϯελϯεɾαϒωοτ, routing table • Datalogιϧό (Sou ff l è), SMTιϧό (MonoSAT), Ұ֊ఆཧূ໌(Vampire)ͷ࠷େ3ͭΛ ಠཱͯ͠࢖͏ 9

  10. Datalogιϧό (Souf fl è) •ܗࣜ࢓༷ (encoding) • NWϞσϧɿDatalogઅ (ϙʔτ, IPv4

    address/subnetΛҙຯ͢Δbit vectorΛ༻͍Δ)ͷηοτ • ࢓༷ɿVPC networkͷ50λΠϓɺ200ज़ޙɺ240Ҏ্ͷϧʔϧʹରԠ • ྫ • canSshTunnel (I1 , I2 ) ˡ canSsh (I1 , I2 ). • canSshTunnel (I1 , I2 ) ˡ canSshTunnel (I1 , I3 ) ∧ canSshTunnel (I3 , I2 ). •AWS NWߏ੒ʢεφοϓγϣοτʣͷهड़ • ఆ਺ɿinstance1234, subnetweb • ϑΝΫτɿhasSubnet(instance1234, subnetweb) • ྫ • q(I)ˡ hasSubnet(I,subnetweb)∧ hasTag(I, tagbastion). // webαϒωοτʹbastionλά͕෇͍͍ͯΔΠϯελϯεI͕͍Δ͔ʁ • r(I,E) ˡ hasEni(I,E)∧isPublicIP(Address)∧ reachPublicTcpUdp(diringress, proto6, E, port22, Adress, port40000). 10 ࢓༷ Ϟσϧ ҙຯɿ canSsh(): ௚઀sshͰ͖Δ canSshTunnel(): sshΛܦ༝ͯ͠(ssh౿Έ୆తͳɻsshτϯωϧͰ)Ͱ͖Δ ҙຯɿ bastionλά͕෇͍͍ͯΔΠϯελϯεI͕webαϒωοτʹ͋Δɺͱ͍͏ઃఆ͔ʁ ΠϯελϯεIʹ~~~ͷ৚݅ͰϦʔνͰ͖Δʢ৚͕݅ଘࡏ͢Δʣ͔ʁ

  11. SMT Encoding •ܗࣜ࢓༷ (encoding): ̎ͭΛར༻ • άϥϑɿNWίϯϙʔωϯτͷܨ͕Γ • ύέοτϔομɿsrc/dstΞυϨεɺϙʔτ •

    node: Πϯελϯε, NWΠϯλʔϑΣʔεɺsubnet, rib, gw • edge (u, v): u, v͕ؒtraversableͳΒ͹ਅ • ྫ୊ • edge(Eni-a,Subnet-web) // Eni-aͱsubnet-webϊʔυͱͷؒΛҙຯ • fi g.3ͷ੍໿ (constrains)Λ෇͚Δ͜ͱͰɺ”ͦͷύέοτͷ௨৴ͷ޲͖”Λදݱ •MonoSAT: ༗ݶάϥϑૄ௨ੑΛαϙʔτ͢ΔSMTιϧό • start-nodeͱend-nodeΛάϥϑʹ઀ଓͯ͠reach(start, end)Λܭࢉ • ྫɿstart: Πϯλʔωοτʹ઀ଓɺend: EC2Πϯελϯεʹ઀ଓɺύέοτϔομ͸22port/tcp • ૄ௨ੑͷΈ֬ೝͰ͖Δ 11

  12. First-order encoding •ଟ߲ࣜͷҰ֊هड़࿦ཧ (many-sorted fi rst order logic problem )ͷࣗಈఆཧূ

    ໌ͱͯ͠ղ͘ • ͪΐͬͱԿݴͬͯΔͷ͔෼͔Βͣɺɺɺ •Vampireͱ͍͏ιϧόΛ࢖ͬͨ • ੑೳ͕ग़ͳ͔ͬͨͨΊޙड़ͷੑೳൺֱʹ΋࢖ΘΕͣɻɻɻ 12

  13. 4. Usage and Performance (1/4) •Amazon Inspector • Tirosϕʔε: Sou

    ff l e ́ͱMonoSATΛར༻ • 2018/12ʹ10kݸͷϥϯμϜͳNWߏ੒ͰධՁ • Sou ffl e ́: 4.1s@best, 5.1s@50%ile, 5.5s@99%, 45.1s@worst • 2k ~ 7k fact • MonoSAT: 0.8s@best, 1.39s@50%, 1.79s@90%, 2.6s@worst • 2k ~ 17k અ 13 https://aws.amazon.com/jp/inspector/

  14. 4. Usage and Performance (2/4) •Scalability tests: • ΫΤϦɿΠϯλʔωοτ͔ΒΞΫηεՄೳͳVPCΠϯελϯε΁ͷશͯͷ ύεͷྻڍ

    • MonoSATͱSou ffl e ͕́εέʔϥϒϧͰ͋Δ • 100kΠϯελϯε͸৯͑ͳ͍ • ߏ੒ʹΑͬͯ͸ٯస͢Δ (benchmark-2) • Sou ff l é͸81s, MonoSAT͸3600s • feasible paths (edge)͕ଟ͗͢Δߏ੒ͩͬͨͷͰάϥϑతʹ͕ෆར 14 Fig.4. ࣮ઢ͕Sou ffl é, ഁઢ͕MonoSAT benchmark-N͸ߏ੒ͷҧ͍ʢʁʣ

  15. 4. Usage and Performance (3/4) •PCIίϯϓϥΠΞϯεͷࣗಈԽ • AWSαʔϏε͸AWSαʔϏε͕ඞཁʢྫɿAWS lambda͸EC2΍NWػೳͷ্Ͱಈ࡞ʣ •

    AWSࣗ਎ͷPCI DSSίϯϓϥΠΞϯεΛ௨ͨ͢ΊʹTirosΛར༻ • PCI DSSཁ݅ʢҙ༁ʣ • 1.2: untrusted͔ΒͷඞཁͰͳ͍௨৴Λશͯڋ൱ • 1.3.1: from internet to DMZ಺IP΁ͷ௨৴੍ݶ(ingress) • 1.3.2: from internet to DMZ͢Δ࣌͸DMZ಺IPΛ࢖͏ • 1.3.4: DB͸DMZ͔Β෼཭͞Εͨprivate IPྖҬʹஔ͘ • 1.3.7a: ໌ࣔతʹpermit͞Εͨ௨৴Ҏ֎͸ɺ಺෦/֎෦͔Βͷ௨৴Λdeny 15

  16. 4. Usage and Performance (4/4) •ΧελϜΞϓϦέʔγϣϯ • ސ٬ͱڠۀͯ͠ΧελϜϝΠυͳιϦϡʔγϣϯΛ࡞Δ • Bridgewater

    Associates / AWS Professional Services • ৽ͨͳෆมྔʢσʔλྲྀग़ܦ࿏͕ແ͍͜ͱͷอূʣͷߏஙͳͲ 16

  17. 5. Conclusion •AWSωοτϫʔΫͷηϚϯςΟΫεΛ࿦ཧԽ͠ɺνΣοΫΛγεςϜԽ •Tiros: Amazon Inspectorʹ૊Έࠐ·Ε͍ͯΔ •ίϯϓϥΠΞϯεରԠͷͨΊɺAWSϢʔβ΍AWSࣗ਎ʹܧଓར༻͞ΕΔ 17

  18. ׬૸ͨ͠ײ૝ •೉͍͠ʢ೉͍͠ʣ • ࣮ફTLA+Λ൒෼͙Β͍΍͙ͬͯͨΒ͍ͷ෇͚ম͖ਕͰ΍͚Ͳͨ͠ • ιϧόͷ֦ுͷ࿩Λ͞ΕΔͱશવ෼͔Βͳ͍ʢΞϧΰϦζϜɾ਺ֶʣ •Ͱ΋Network Veri fi cation͸ڵຯ͋Δ

    • NSDIͰ΋ඞͣ1ηογϣϯ͋Δ •࣮ࡍʹ͋Δ؆୯ͳ໰୊Λݟ͚ͭͯղ͍ͯΈ͍ͨ 18

  19. ࢀߟจݙ •ຊ࿦จͷղઆ • https://logmi.jp/tech/articles/326116 •SAT/SMTιϧόͷ࢓૊Έ • https://www.slideshare.net/sakai/satsmt •Datalog ʹೖ໳͢Δ •

    https://t-keita.hatenadiary.jp/entry/2020/11/18/021034 19

  20. EoP 20