
Proving security at scale with automated reasoning - werner
https://www.allthingsdistributed.com/2019/05/proving-security-at-scale-with-automated-reasoning.html
======
rgovostes
Microsoft Research has published several papers on the topic of formal
verification of network configurations. In particular, see "Checking Beliefs
in Dynamic Networks" by (coauthors and) Nuno Lopes, who is also to thank for
making sure your compiler's optimizations are valid. Two great ideas involving
practical uses of SMT solvers.

[https://www.microsoft.com/en-us/research/project/network-
ver...](https://www.microsoft.com/en-us/research/project/network-
verification/)

------
jcims
I just wish they would expose more of this to their customers so they can roll
their own rules. GuardDuty and Macie are largely underwhelming in
customizability and have signal-to-noise ratio issues...Config is too scope-
limited to be useful and Trusted Advisor's split between endpoint and service
security seems to be diluting its effectiveness.

~~~
toomuchtodo
AWS ReInforce (security specific AWS conference) kicks off tomorrow. There
might be announcements in regards to these products.

Have you investigated Security Hub by chance?

~~~
jcims
Have a small team going, hoping for the best. Haven’t looked seriously at
Security Hub yet.

~~~
toomuchtodo
If I can be of any help, email in profile. Not looking for work, just want to
help and pay it forward.

------
syn0byte
Well they didn't solve the halting problem so it looks like it's just in-house
AVR. I give it a year before someone utilizes these services as part of an
attack. (Assuming they haven't already.)

~~~
mdaniel
Apologies if it's obvious but what does "AVR" mean in this context?

~~~
sterkekoffie
I believe they mean automatic vulnerability remediation.

------
jawns
> by converting the problem into a logic-based mathematical equation, it can
> be proven with mathematical certainty.

This, of course, assumes that the math is sound.

There's an analogy to unit tests. You can write a unit test for a function,
and the test can pass, but if you've made a mistake in the test itself, it
might give you a false sense of assurance.

I have no doubt that Amazon is very rigorous with this, although if they're
explicitly touting these tools in terms of allowing clients to meet regulatory
compliance obligations, it would be cool to have some sort of third-party
audit of the math.

~~~
bluGill
The difference is if both are sound the math will cover all cases. Your tests
can be sound but miss a special case and thus be wrong. In that sense the math
proof is better because it will catch all special cases.

Note that tests will often catch cases where the math is not sound. Because
you are putting an expected result it is more likely that you have a sound
reason for that expected result even if you cannot express is mathematically.
I recommend you use both: in the real world they cover different areas of the
problem.

