Research Paper Introduction #35 “Reachability Analysis for AWS-based Networks ” ௨ࢉ#95 @cafenero_777 2022/03/31 1

Agenda •ର৅࿦จ •֓ཁͱಡ΋͏ͱͨ͠ཧ༝ 1. INTRODUCTION 2. AWS Networking 3. AWS Networking Semantics as Logic 4. Usage and Performance 5. Conclusion 2

ର৅࿦จ •Reachability Analysis for AWS-based Networks • J. Backes1, S. Bayless14, B. Cook12, C. Dodge1 , A. Gacek1, A.J. Hu4, T. Kahsai1, B. Kocik1, E. Kotelnikov13, J. Kukovec15, S. McLaughlin1, J. Reed6, N. Rungta1, J. Sizemore1, M. Stalzer1, P. Srinivasan1, P. Suboti ́c12, C. Varming1, B. Whaley1 • 1Amazon, 2University College London, 3Chalmers University of Technology, 4University British Columbia, 5TU Wien, 6Semmle Inc • CAV 2019 • VPC Reachability Analyzerʹ͍ͭͯ • re:Inventಈը 3

֓ཁͱಡ΋͏ͱͨ͠ཧ༝ •֓ཁ • SDNͳNWΠϯϑϥͷઃఆϛε΍ηΩϡϦςΟ੬ऑੑΛਪ࿦ͰࣗಈνΣοΫ͍ͨ͠ • ਪ࿦ΤϯδϯΛ༻͍ͨTiros (NW౸ୡੑਪ࿦πʔϧ)Λ࡞ͬͨ • AWS”Ͱ"࢖ΘΕ͍ͯΔ •ಡ΋͏ͱͨ͠ཧ༝ • VPCͷNW reachabilityͲ͏΍ͬͯ֬ೝ͢ΔΜͩΖ͏ • ਪ࿦Τϯδϯʁ -> formal veri fi cationͷ૊Έ߹Θͤ 4

Formal Veri fi cation (ܗࣜతݕূ) •Formal Veri fi cationͷ࢖͍ํ • ໋୊Λهड़͢Δ • ੍໿Λهड़͢Δ • ιϧό͕ղ͍ͯ͘ΕΔʢॲཧͦͷ΋ͷΛॻ͘ඞཁͳ͠ʣ •Amazon S3ͷઃܭͰ࢖ͬͯΔͷ͸༗໊ •࣮͸VPC Reachability Analyzer΍Amazon InspectorͰ΋ʢόοΫΤϯυͱͯ͠ʣ ࢖ͬͯΔΒ͍͠ɺͱ͍͏ͷ͕ࠓճͷ࿩ 5

solver (ιϧό) •SATιϧό • SATis fi abilityιϧόʢॆ଍Մೳੑʣ • ͋Δ࿦ཧ͕ࣜtrueͱͳΔʢ=৚݅Λຬͨ͢ʣม਺ͷ૊Έ߹Θ͕ͤଘࡏ͢Δ͔ •SMTιϧό • Satis fi ability Modulo Theories • SATιϧό + ಛఆυϝΠϯͷ࿦ཧιϧόʢbit vector, จࣈྻɺࢉज़ʣͷ૊Έ߹Θͤ 6

1. INTRODUCTION •AWS • compute, storage, analyticsΛఏڙ • 30Λ௒͑ΔԾ૝NWػೳ • NWઃఆͷਖ਼͠͞ʢྫɿPCI-DSSͷ؂ࠪʣ • accurate, automated, scalable͕ඞཁ •Tiros • ༷ʑͳܗࣜ෼ੳ (formal analysis/model checking)Λ༻͍ͨਪ࿦Τϯδϯ • AWS NW৘ใ (semantics)Λ࿦ཧʹม׵ (encoding)ͯ͠࢖͏ • ੩తղੳɻ࣮ࡍʹύέοτ͸౤͛ͳ͍ʢϓϩʔϒ΍pentest΋࢖Θͳ͍ʣɻϦϦʔεલʹղੳͰ͖Δɻ 7

2. AWS Networking •ߏ੒ྫ • ػೳ: Subnet/Routing, LB/NAT/ACL • ςφϯτ෼཭ (VPC) • ENI (Elastic Network Interface) • Internet Gateway •࣭໰ɿinternet͔ΒsshͰ͖ΔVM͸ଘࡏ͢Δ͔ʁ • pubic, VPC/subnet಺, peering/transit-GWͳͲͷҧ͍Λߟྀͨ͠ਪ࿦͕ඞཁ 8

3. AWS Networking Semantics as Logic •Tiros: AWS NWΛϞσϧԽɾܗࣜ෼ੳʢ੩తղੳʣͯ͠reachabilityΛ֬ೝ • ܗࣜ࢓༷ (ઃఆ)ɿRT/FW/LB (Ͳ͏΍ͬͯύέοτసૹ͢Δ͔) • NWͷঢ়ଶʢsnapshot/runtimeʣɿτϙϩδɾΠϯελϯεɾαϒωοτ, routing table • Datalogιϧό (Sou ff l è), SMTιϧό (MonoSAT), Ұ֊ఆཧূ໌(Vampire)ͷ࠷େ3ͭΛ ಠཱͯ͠࢖͏ 9

Datalogιϧό (Souf fl è) •ܗࣜ࢓༷ (encoding) • NWϞσϧɿDatalogઅ (ϙʔτ, IPv4 address/subnetΛҙຯ͢Δbit vectorΛ༻͍Δ)ͷηοτ • ࢓༷ɿVPC networkͷ50λΠϓɺ200ज़ޙɺ240Ҏ্ͷϧʔϧʹରԠ • ྫ • canSshTunnel (I1 , I2 ) ˡ canSsh (I1 , I2 ). • canSshTunnel (I1 , I2 ) ˡ canSshTunnel (I1 , I3 ) ∧ canSshTunnel (I3 , I2 ). •AWS NWߏ੒ʢεφοϓγϣοτʣͷهड़ • ఆ਺ɿinstance1234, subnetweb • ϑΝΫτɿhasSubnet(instance1234, subnetweb) • ྫ • q(I)ˡ hasSubnet(I,subnetweb)∧ hasTag(I, tagbastion). // webαϒωοτʹbastionλά͕෇͍͍ͯΔΠϯελϯεI͕͍Δ͔ʁ • r(I,E) ˡ hasEni(I,E)∧isPublicIP(Address)∧ reachPublicTcpUdp(diringress, proto6, E, port22, Adress, port40000). 10 ࢓༷ Ϟσϧ ҙຯɿ canSsh(): ௚઀sshͰ͖Δ canSshTunnel(): sshΛܦ༝ͯ͠(ssh౿Έ୆తͳɻsshτϯωϧͰ)Ͱ͖Δ ҙຯɿ bastionλά͕෇͍͍ͯΔΠϯελϯεI͕webαϒωοτʹ͋Δɺͱ͍͏ઃఆ͔ʁ ΠϯελϯεIʹ~~~ͷ৚݅ͰϦʔνͰ͖Δʢ৚͕݅ଘࡏ͢Δʣ͔ʁ

SMT Encoding •ܗࣜ࢓༷ (encoding): ̎ͭΛར༻ • άϥϑɿNWίϯϙʔωϯτͷܨ͕Γ • ύέοτϔομɿsrc/dstΞυϨεɺϙʔτ • node: Πϯελϯε, NWΠϯλʔϑΣʔεɺsubnet, rib, gw • edge (u, v): u, v͕ؒtraversableͳΒ͹ਅ • ྫ୊ • edge(Eni-a,Subnet-web) // Eni-aͱsubnet-webϊʔυͱͷؒΛҙຯ • fi g.3ͷ੍໿ (constrains)Λ෇͚Δ͜ͱͰɺ”ͦͷύέοτͷ௨৴ͷ޲͖”Λදݱ •MonoSAT: ༗ݶάϥϑૄ௨ੑΛαϙʔτ͢ΔSMTιϧό • start-nodeͱend-nodeΛάϥϑʹ઀ଓͯ͠reach(start, end)Λܭࢉ • ྫɿstart: Πϯλʔωοτʹ઀ଓɺend: EC2Πϯελϯεʹ઀ଓɺύέοτϔομ͸22port/tcp • ૄ௨ੑͷΈ֬ೝͰ͖Δ 11

First-order encoding •ଟ߲ࣜͷҰ֊هड़࿦ཧ (many-sorted fi rst order logic problem )ͷࣗಈఆཧূ ໌ͱͯ͠ղ͘ • ͪΐͬͱԿݴͬͯΔͷ͔෼͔Βͣɺɺɺ •Vampireͱ͍͏ιϧόΛ࢖ͬͨ • ੑೳ͕ग़ͳ͔ͬͨͨΊޙड़ͷੑೳൺֱʹ΋࢖ΘΕͣɻɻɻ 12

4. Usage and Performance (1/4) •Amazon Inspector • Tirosϕʔε: Sou ff l e ́ͱMonoSATΛར༻ • 2018/12ʹ10kݸͷϥϯμϜͳNWߏ੒ͰධՁ • Sou ffl e ́: 4.1s@best, 5.1s@50%ile, 5.5s@99%, 45.1s@worst • 2k ~ 7k fact • MonoSAT: 0.8s@best, 1.39s@50%, 1.79s@90%, 2.6s@worst • 2k ~ 17k અ 13 https://aws.amazon.com/jp/inspector/

4. Usage and Performance (2/4) •Scalability tests: • ΫΤϦɿΠϯλʔωοτ͔ΒΞΫηεՄೳͳVPCΠϯελϯε΁ͷશͯͷ ύεͷྻڍ • MonoSATͱSou ffl e ͕́εέʔϥϒϧͰ͋Δ • 100kΠϯελϯε͸৯͑ͳ͍ • ߏ੒ʹΑͬͯ͸ٯస͢Δ (benchmark-2) • Sou ff l é͸81s, MonoSAT͸3600s • feasible paths (edge)͕ଟ͗͢Δߏ੒ͩͬͨͷͰάϥϑతʹ͕ෆར 14 Fig.4. ࣮ઢ͕Sou ffl é, ഁઢ͕MonoSAT benchmark-N͸ߏ੒ͷҧ͍ʢʁʣ

4. Usage and Performance (3/4) •PCIίϯϓϥΠΞϯεͷࣗಈԽ • AWSαʔϏε͸AWSαʔϏε͕ඞཁʢྫɿAWS lambda͸EC2΍NWػೳͷ্Ͱಈ࡞ʣ • AWSࣗ਎ͷPCI DSSίϯϓϥΠΞϯεΛ௨ͨ͢ΊʹTirosΛར༻ • PCI DSSཁ݅ʢҙ༁ʣ • 1.2: untrusted͔ΒͷඞཁͰͳ͍௨৴Λશͯڋ൱ • 1.3.1: from internet to DMZ಺IP΁ͷ௨৴੍ݶ(ingress) • 1.3.2: from internet to DMZ͢Δ࣌͸DMZ಺IPΛ࢖͏ • 1.3.4: DB͸DMZ͔Β෼཭͞Εͨprivate IPྖҬʹஔ͘ • 1.3.7a: ໌ࣔతʹpermit͞Εͨ௨৴Ҏ֎͸ɺ಺෦/֎෦͔Βͷ௨৴Λdeny 15

4. Usage and Performance (4/4) •ΧελϜΞϓϦέʔγϣϯ • ސ٬ͱڠۀͯ͠ΧελϜϝΠυͳιϦϡʔγϣϯΛ࡞Δ • Bridgewater Associates / AWS Professional Services • ৽ͨͳෆมྔʢσʔλྲྀग़ܦ࿏͕ແ͍͜ͱͷอূʣͷߏஙͳͲ 16

5. Conclusion •AWSωοτϫʔΫͷηϚϯςΟΫεΛ࿦ཧԽ͠ɺνΣοΫΛγεςϜԽ •Tiros: Amazon Inspectorʹ૊Έࠐ·Ε͍ͯΔ •ίϯϓϥΠΞϯεରԠͷͨΊɺAWSϢʔβ΍AWSࣗ਎ʹܧଓར༻͞ΕΔ 17

׬૸ͨ͠ײ૝ •೉͍͠ʢ೉͍͠ʣ • ࣮ફTLA+Λ൒෼͙Β͍΍͙ͬͯͨΒ͍ͷ෇͚ম͖ਕͰ΍͚Ͳͨ͠ • ιϧόͷ֦ுͷ࿩Λ͞ΕΔͱશવ෼͔Βͳ͍ʢΞϧΰϦζϜɾ਺ֶʣ •Ͱ΋Network Veri fi cation͸ڵຯ͋Δ • NSDIͰ΋ඞͣ1ηογϣϯ͋Δ •࣮ࡍʹ͋Δ؆୯ͳ໰୊Λݟ͚ͭͯղ͍ͯΈ͍ͨ 18

ࢀߟจݙ •ຊ࿦จͷղઆ • https://logmi.jp/tech/articles/326116 •SAT/SMTιϧόͷ࢓૊Έ • https://www.slideshare.net/sakai/satsmt •Datalog ʹೖ໳͢Δ • https://t-keita.hatenadiary.jp/entry/2020/11/18/021034 19

EoP 20