公开(公告)号：US11418532B1

公开(公告)日：2022-08-16

申请号：US16842496

申请日：2020-04-07

Applicant: Amazon Technologies, Inc.

Inventor： Michael Tautschnig ,  Neha Rungta ,  John Cook ,  Pauline Virginie Bolignano ,  Todd Granger MacDermid ,  Oksana Tkachuk

IPC: H04L29/06 ,  H04L9/40

Abstract: This disclosure describes techniques for automating a system-level security review of a network-based service. The techniques may include generating and utilizing a machine-readable threat model to identify system-level security threats to the network-based service. The network-based service may be scanned upon being provisioned in a service-provider network, and the machine-readable threat model may be generated based on results of the scan. The machine-readable threat model may represent components of the network-based service, system-level security constraints configured to identify system-level security threats to the service, and mitigations to remedy violations to the system-level security constraints. The network-based service may be continuously, or periodically, scanned to identify changes in the network-based service. The techniques further include updating the machine-readable threat model to account for the detected changes to the network-based service, and analyzing the updated machine-readable threat model to determine whether the changes to the network-based service violate a system-level security constraint.

公开(公告)号：US11232015B2

公开(公告)日：2022-01-25

申请号：US16864713

申请日：2020-05-01

Applicant: Amazon Technologies, Inc.

Inventor： Juan Rodriguez Hortala ,  Neha Rungta ,  Mark R. Tuttle ,  Serdar Tasiran ,  Michael Tautschnig ,  Andrea Nedic ,  Carsten Varming ,  John Byron Cook ,  Sean McLaughlin

IPC: G06F9/44 ,  G06F11/36 ,  G06F9/54 ,  G06F8/65 ,  G06F9/50

Abstract: A method for verifying source code for a program includes determining that a new version of the source code is available. One or more verification tools are determined to use for verification of the new version of the source code from a verification specification associated with the source code. A plurality of verification tasks to perform for the verification of the new version of the source code are automatically determined from the verification specification associated with the source code. The plurality of verification tasks for the new version of the source code are automatically performed using the one or more verification tools. A determination is then made as to whether the new version of the source code is verified.

公开(公告)号：US10652266B1

公开(公告)日：2020-05-12

申请号：US15907870

申请日：2018-02-28

Applicant: Amazon Technologies, Inc.

Inventor： Michael Tautschnig ,  Neha Rungta ,  John Cook ,  Pauline Virginie Bolignano ,  Todd Granger MacDermid ,  Oksana Tkachuk

IPC: H04L29/06

Abstract: This disclosure describes techniques for automating a system-level security review of a network-based service. The techniques may include generating and utilizing a machine-readable threat model to identify system-level security threats to the network-based service. The network-based service may be scanned upon being provisioned in a service-provider network, and the machine-readable threat model may be generated based on results of the scan. The machine-readable threat model may represent components of the network-based service, system-level security constraints configured to identify system-level security threats to the service, and mitigations to remedy violations to the system-level security constraints. The network-based service may be continuously, or periodically, scanned to identify changes in the network-based service. The techniques further include updating the machine-readable threat model to account for the detected changes to the network-based service, and analyzing the updated machine-readable threat model to determine whether the changes to the network-based service violate a system-level security constraint.

公开(公告)号：US20200073783A1

公开(公告)日：2020-03-05

申请号：US16122676

申请日：2018-09-05

Applicant: Amazon Technologies, Inc.

Inventor： Juan Rodriguez Hortala ,  Neha Rungta ,  Mark R. Tuttle ,  Serdar Tasiran ,  Michael Tautschnig ,  Andrea Nedic ,  Carsten Varming ,  John Byron Cook ,  Sean McLaughlin

IPC: G06F11/36 ,  G06F9/50 ,  G06F8/65 ,  G06F9/54

Abstract: A method for verifying source code for a program includes determining that a new version of the source code is available. One or more verification tools are determined to use for verification of the new version of the source code from a verification specification associated with the source code. A plurality of verification tasks to perform for the verification of the new version of the source code are automatically determined from the verification specification associated with the source code. The plurality of verification tasks for the new version of the source code are automatically performed using the one or more verification tools. A determination is then made as to whether the new version of the source code is verified.

公开(公告)号：US09904527B1

公开(公告)日：2018-02-27

申请号：US15236116

申请日：2016-08-12

Applicant: Amazon Technologies, Inc.

Inventor： Konrad Jan Miller ,  Michael Tautschnig

IPC: G06F9/45 ,  G06F9/445 ,  G06F9/44

CPC classification number: G06F8/443 ,  G06F8/60 ,  G06F8/71

Abstract: Based on source code analysis of an API-invoker program, an expendable set of source code sections of an API-implementer program is identified. The expendable set corresponds to operations which are not expected to be performed on behalf of the API-invoker program at a particular computing environment. An optimized binary version of the API-implementer program is generated, which does not include executable code corresponding to the expendable set. The optimized binary version is transmitted to the computing environment for deployment.

公开(公告)号：US11750642B1

公开(公告)日：2023-09-05

申请号：US17887803

申请日：2022-08-15

Applicant: Amazon Technologies, Inc.

Inventor： Michael Tautschnig ,  Neha Rungta ,  John Cook ,  Pauline Virginie Bolignano ,  Todd Granger MacDermid ,  Oksana Tkachuk

IPC: H04L29/06 ,  H04L9/40

CPC classification number: H04L63/1433 ,  H04L63/10 ,  H04L63/1441 ,  H04L63/20

Abstract: This disclosure describes techniques for automating a system-level security review of a network-based service. The techniques may include generating and utilizing a machine-readable threat model to identify system-level security threats to the network-based service. The network-based service may be scanned upon being provisioned in a service-provider network, and the machine-readable threat model may be generated based on results of the scan. The machine-readable threat model may represent components of the network-based service, system-level security constraints configured to identify system-level security threats to the service, and mitigations to remedy violations to the system-level security constraints. The network-based service may be continuously, or periodically, scanned to identify changes in the network-based service. The techniques further include updating the machine-readable threat model to account for the detected changes to the network-based service, and analyzing the updated machine-readable threat model to determine whether the changes to the network-based service violate a system-level security constraint.

公开(公告)号：US11494285B1

公开(公告)日：2022-11-08

申请号：US17038044

申请日：2020-09-30

Applicant: Amazon Technologies, Inc.

Inventor： Norbert Manthey ,  Michael Tautschnig

IPC: G06F11/36 ,  G06N20/00

Abstract: Techniques for static code analysis tool and configuration recommendation via codebase analysis are described. Multiple codebases are tested using multiple static analysis tools and corresponding configurations, and a machine learning model is trained based on the results and characteristics of the codebases. Users may provide a codebase to be analyzed and job preferences indicating what characteristics of static analysis they desire, the codebase may be analyzed to generate input data for the model, and the model may identify one or more similar testing runs. These candidate runs may be filtered and/or ordered based on the user's stated job preferences, and the resulting tools and configurations associated with these runs may be returned to the user or used to perform static analysis of the user's codebase.

公开(公告)号：US11200144B1

公开(公告)日：2021-12-14

申请号：US15696056

申请日：2017-09-05

Applicant: Amazon Technologies, Inc.

Inventor： John Cook ,  Kalpana Gondi ,  Michael Tautschnig

IPC: G06F11/36

Abstract: Methods, systems, and computer-readable media for refinement of static analysis of program code are disclosed. A report is received. The report was generated using initial static analysis of program code. The report indicates a plurality of warnings regarding the program code, at least some of which represent potential flaws, and the warnings are associated with a plurality of segments of the program code. Additional analysis of the segments of program code is performed. The additional analysis differs at least in part from the initial static analysis. Based at least in part on the additional analysis, at least some of the warnings are determined to represent false positives.

公开(公告)号：US10769250B1

公开(公告)日：2020-09-08

申请号：US15794757

申请日：2017-10-26

Applicant: Amazon Technologies, Inc.

Inventor： Michael Tautschnig ,  John Cook

IPC: G06F21/00 ,  G06F21/12 ,  G06F8/41 ,  G06F11/34 ,  G06F8/71 ,  G06F8/75

Abstract: Techniques for targeted security monitoring using semantic behavioral change analysis are described. A mutation monitor can use a code repository to generate a build of a software project prior to a code commit and another build after the code commit. An instruction-difference between the builds can be generated and used to perform a change impact analysis to identify control-flow and data dependencies changed as a result of the code commit. A semantic difference can be generated by annotating a syntactic difference for the code commit based on the identified control-flow and data dependency changes to allow for the behavioral changes to be easily shown to a user. Security impact analysis can be performed on parts of the software impacted by the code commit to quickly determine the security impacts introduced by the code commit.

公开(公告)号：US10664379B2

公开(公告)日：2020-05-26

申请号：US16122676

申请日：2018-09-05

Applicant: Amazon Technologies, Inc.

Inventor： Juan Rodriguez Hortala ,  Neha Rungta ,  Mark R. Tuttle ,  Serdar Tasiran ,  Michael Tautschnig ,  Andrea Nedic ,  Carsten Varming ,  John Byron Cook ,  Sean McLaughlin

IPC: G06F9/44 ,  G06F11/36 ,  G06F9/54 ,  G06F8/65 ,  G06F9/50

Abstract: A method for verifying source code for a program includes determining that a new version of the source code is available. One or more verification tools are determined to use for verification of the new version of the source code from a verification specification associated with the source code. A plurality of verification tasks to perform for the verification of the new version of the source code are automatically determined from the verification specification associated with the source code. The plurality of verification tasks for the new version of the source code are automatically performed using the one or more verification tools. A determination is then made as to whether the new version of the source code is verified.