-
Publication No.: US20250016057A1
Publication date: 2025-01-09
Application No.: US18892128
Filing date: 2024-09-20
Applicant: Amazon Technologies, Inc.
Inventor: John Cook, Catherine Dodge, Sean McLaughlin
Abstract: A virtual network verification service for provider networks that leverages a declarative logic programming language to allow clients to pose queries about their virtual networks as constraint problems; the queries may be resolved using a constraint solver engine. Semantics and logic for networking primitives of virtual networks in the provider network environment may be encoded as a set of rules according to the logic programming language; networking security standards and/or client-defined rules may also be encoded in the rules. A description of a virtual network may be obtained and encoded. A constraint problem expressed by a query may then be resolved for the encoded description according to the encoded rules using the constraint solver engine; the results may be provided to the client.
-
Publication No.: US20210377126A1
Publication date: 2021-12-02
Application No.: US17400057
Filing date: 2021-08-11
Applicant: Amazon Technologies, Inc.
Inventor: John Cook, Catherine Dodge, Sean McLaughlin
Abstract: A virtual network verification service for provider networks that leverages a declarative logic programming language to allow clients to pose queries about their virtual networks as constraint problems; the queries may be resolved using a constraint solver engine. Semantics and logic for networking primitives of virtual networks in the provider network environment may be encoded as a set of rules according to the logic programming language; networking security standards and/or client-defined rules may also be encoded in the rules. A description of a virtual network may be obtained and encoded. A constraint problem expressed by a query may then be resolved for the encoded description according to the encoded rules using the constraint solver engine; the results may be provided to the client.
-
Publication No.: US10757128B2
Publication date: 2020-08-25
Application No.: US15637227
Filing date: 2017-06-29
Applicant: Amazon Technologies, Inc.
Inventor: John Cook, Neha Rungta, Catherine Dodge, Jeff Puchalski, Carsten Varming
Abstract: Security policies may be utilized to grant or deny permissions related to the access of computing resources. Two or more security policies may be compared to determine whether the policies are equivalent, whether one security policy is more permissive than another, and more. In some cases, it may be possible to identify whether there exists a security permission that is sufficient to determine that two security policies lack equivalency. Propositional logics may be utilized in the evaluation of security policies.
-
Publication No.: US10652266B1
Publication date: 2020-05-12
Application No.: US15907870
Filing date: 2018-02-28
Applicant: Amazon Technologies, Inc.
Inventor: Michael Tautschnig, Neha Rungta, John Cook, Pauline Virginie Bolignano, Todd Granger MacDermid, Oksana Tkachuk
IPC: H04L29/06
Abstract: This disclosure describes techniques for automating a system-level security review of a network-based service. The techniques may include generating and utilizing a machine-readable threat model to identify system-level security threats to the network-based service. The network-based service may be scanned upon being provisioned in a service-provider network, and the machine-readable threat model may be generated based on results of the scan. The machine-readable threat model may represent components of the network-based service, system-level security constraints configured to identify system-level security threats to the service, and mitigations to remedy violations to the system-level security constraints. The network-based service may be continuously, or periodically, scanned to identify changes in the network-based service. The techniques further include updating the machine-readable threat model to account for the detected changes to the network-based service, and analyzing the updated machine-readable threat model to determine whether the changes to the network-based service violate a system-level security constraint.
-
Publication No.: US20180145879A1
Publication date: 2018-05-24
Application No.: US15359500
Filing date: 2016-11-22
Applicant: Amazon Technologies, Inc.
Inventor: John Cook, Catherine Dodge, Sean McLaughlin
Abstract: A virtual network verification service for provider networks that leverages a declarative logic programming language to allow clients to pose queries about their virtual networks as constraint problems; the queries may be resolved using a constraint solver engine. Semantics and logic for networking primitives of virtual networks in the provider network environment may be encoded as a set of rules according to the logic programming language; networking security standards and/or client-defined rules may also be encoded in the rules. A description of a virtual network may be obtained and encoded. A constraint problem expressed by a query may then be resolved for the encoded description according to the encoded rules using the constraint solver engine; the results may be provided to the client.
-
Publication No.: US12126495B2
Publication date: 2024-10-22
Application No.: US17400057
Filing date: 2021-08-11
Applicant: Amazon Technologies, Inc.
Inventor: John Cook, Catherine Dodge, Sean McLaughlin
CPC classification number: H04L41/12, H04L12/4641, H04L41/024, H04L41/50, H04L43/0811, H04L67/02
Abstract: A virtual network verification service for provider networks that leverages a declarative logic programming language to allow clients to pose queries about their virtual networks as constraint problems; the queries may be resolved using a constraint solver engine. Semantics and logic for networking primitives of virtual networks in the provider network environment may be encoded as a set of rules according to the logic programming language; networking security standards and/or client-defined rules may also be encoded in the rules. A description of a virtual network may be obtained and encoded. A constraint problem expressed by a query may then be resolved for the encoded description according to the encoded rules using the constraint solver engine; the results may be provided to the client.
-
Publication No.: US11095523B2
Publication date: 2021-08-17
Application No.: US16672120
Filing date: 2019-11-01
Applicant: Amazon Technologies, Inc.
Inventor: John Cook, Catherine Dodge, Sean McLaughlin
Abstract: A virtual network verification service for provider networks that leverages a declarative logic programming language to allow clients to pose queries about their virtual networks as constraint problems; the queries may be resolved using a constraint solver engine. Semantics and logic for networking primitives of virtual networks in the provider network environment may be encoded as a set of rules according to the logic programming language; networking security standards and/or client-defined rules may also be encoded in the rules. A description of a virtual network may be obtained and encoded. A constraint problem expressed by a query may then be resolved for the encoded description according to the encoded rules using the constraint solver engine; the results may be provided to the client.
-
Publication No.: US10922423B1
Publication date: 2021-02-16
Application No.: US16015114
Filing date: 2018-06-21
Applicant: Amazon Technologies, Inc.
Inventor: Neha Rungta, Kasper Søe Luckow, Andrew Jude Gacek, Carsten Varming, John Cook
Abstract: A security policy analyzer service of a computing resource service provider performs evaluations of security policies provided by the service provider's users, to determine whether the security policies are valid, satisfiable, accurate, and/or sufficiently secure. The service may compare the user-provided policy to a stored or best-practices policy to begin the evaluation, translating encoded security permissions into propositional logic formulae that can be compared to determine which policy is more permissive. The service determines values of the parameters in a request for access to a computing resource based on the policy comparison, and generates request contexts using the values. The service uses the request contexts to generate one or more comparative policies that are then used iteratively as the second policy in the comparison to the user-provided policy, in order to produce additional request contexts that represent allow/deny “edge cases” along the borders of policy permission statements.
-
Publication No.: US20190007443A1
Publication date: 2019-01-03
Application No.: US15637227
Filing date: 2017-06-29
Applicant: Amazon Technologies, Inc.
Inventor: John Cook, Neha Rungta, Catherine Dodge, Jeff Puchalski, Carsten Varming
Abstract: Security policies may be utilized to grant or deny permissions related to the access of computing resources. Two or more security policies may be compared to determine whether the policies are equivalent, whether one security policy is more permissive than another, and more. In some cases, it may be possible to identify whether there exists a security permission that is sufficient to determine that two security policies lack equivalency. Propositional logics may be utilized in the evaluation of security policies.
-
Publication No.: US11750642B1
Publication date: 2023-09-05
Application No.: US17887803
Filing date: 2022-08-15
Applicant: Amazon Technologies, Inc.
Inventor: Michael Tautschnig, Neha Rungta, John Cook, Pauline Virginie Bolignano, Todd Granger MacDermid, Oksana Tkachuk
CPC classification number: H04L63/1433, H04L63/10, H04L63/1441, H04L63/20
Abstract: This disclosure describes techniques for automating a system-level security review of a network-based service. The techniques may include generating and utilizing a machine-readable threat model to identify system-level security threats to the network-based service. The network-based service may be scanned upon being provisioned in a service-provider network, and the machine-readable threat model may be generated based on results of the scan. The machine-readable threat model may represent components of the network-based service, system-level security constraints configured to identify system-level security threats to the service, and mitigations to remedy violations to the system-level security constraints. The network-based service may be continuously, or periodically, scanned to identify changes in the network-based service. The techniques further include updating the machine-readable threat model to account for the detected changes to the network-based service, and analyzing the updated machine-readable threat model to determine whether the changes to the network-based service violate a system-level security constraint.