UPDATED 11:30 EDT / MAY 10 2023

AWS open-sources snapshot fuzzing and policy authorization tools

Amazon Web Services Inc. said today that it’s open-sourcing two new projects: a fuzzing tool for finding vulnerabilities in software and an authorization policy language for controlling application access.

Both tools were announced at the Linux Foundation’s annual Open Source Summit, and both have a security focus. SnapChange is a new fuzzing tool that lets developers and researchers experiment with “snapshot fuzzing,” the company said.

Fuzzing is a technique used to discover security issues in software, especially in open-source projects. It works by feeding a program malformed or unexpected input and monitoring how the program behaves while processing it. For example, a tester might mutate a sample JPEG file and then open it in an application that renders images. If the application crashes, that can be a sign of an application security issue.

David Nalley, director of open source strategy and marketing at AWS, told SiliconANGLE that SnapChange builds on that concept, enabling a target application to be fuzzed with minimal modifications. He said fuzzing tools are widely used in the industry and have “helped in rooting out hundreds of security vulnerabilities in recent years.”

SnapChange isn’t the only fuzzing tool, but what’s unique about it is that it doesn’t require users to rewrite the underlying Linux kernel or use a modified Kernel-based Virtual Machine, Nalley explained. Rather, it’s designed to work with the stock Linux kernel and stock KVM, thereby lowering the barrier to research, while scaling to dozens of processor cores. “SnapChange will make fuzzing much more efficient,” he said.

According to Nalley, SnapChange wasn’t initially intended to be a standalone project. Rather, it was developed by AWS’s Find & Fix, or F2, threat-hunting research team, which has a mandate not only to find vulnerabilities but also to try to patch them. “The team had to build a lot of tools to do security research at scale, and this is one of these tools,” he said.

Although AWS has plans to support SnapChange with new features and functionality, Nalley said it hopes to engage with the research community to create a more robust tool in the longer term. “AWS has a vested interest in open-source supply chain security,” Nalley said. “We have a shared destiny around open source.”

The second tool announced today is Cedar, the authorization policy language that’s used by the Amazon Verified Permissions and AWS Verified Access managed services.

Cedar is both an open-source language and a software development kit that can be used for writing and enforcing authorization policies for applications. Using Cedar, developers can control access to resources such as images in a photo-sharing app, compute nodes in a microservices cluster, or components in a workflow automation platform. Its flexibility enables developers to specify fine-grained permissions as Cedar policies, with access requests authorized by calling the Cedar SDK’s authorization engine.
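A Cedar policy set for the photo-sharing case described above, added here as an illustration rather than taken from the Cedar project or from AWS. The entity types (User, Group, Album, Photo), the Photo attributes `owner` and `private`, the action names and the `mfa_verified` context field are all assumed for the example:

```cedar
// Constructed example policy set for a photo-sharing app.
// Assumed entity types: User, Group, Album, Photo, Action. Assumed Photo
// attributes: owner (a User entity) and private (a Bool). Not from the Cedar repo.

// Members of Jane's friends group may view and comment on photos in her
// vacation album. "in" walks the entity hierarchy, so the policy covers every
// Photo whose parent is Album::"jane_vacation".
permit (
    principal in Group::"jane_friends",
    action in [Action::"view", Action::"comment"],
    resource in Album::"jane_vacation"
);

// The owner of a photo may perform any action on it.
permit (
    principal,
    action,
    resource
)
when { resource.owner == principal };

// Photos flagged private are hidden from everyone except their owner.
// In Cedar a forbid always wins over a permit, and a request that matches no
// permit is denied, so the permits above cannot override this rule.
forbid (
    principal,
    action,
    resource
)
when { resource.private }
unless { resource.owner == principal };

// Deletion requires a session that has passed MFA; the context record is
// supplied by the application with each authorization request.
forbid (
    principal,
    action == Action::"delete",
    resource
)
unless { context.mfa_verified };
```

The application evaluates a request by passing the principal, action, resource, context and entity data to the SDK's authorizer, which returns Allow only when at least one permit matches and no forbid does.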

Nalley said Cedar’s policy language is written around the concept of using “automated reasoning” based on mathematical proofs. Automated reasoning goes beyond test-driven development, using math to ensure that policies actually do what the developer wants them to do. According to Nalley, it’s easier to be sure the policies and restrictions are correct if as much as possible is automated. “You can use mathematical proofs that already exist to prove a program will work in a specific way,” he explained.

Although Cedar cannot automate everything with mathematical proofs, it’s useful because it frees up developers to focus on testing only edge cases where policies don’t work.

Nalley said AWS is open-sourcing Cedar primarily for transparency, so developers can see that it works as intended. “We want customers to have faith Cedar works as intended,” he said. “We want people to go play with it, tear it apart.”

Nalley also spoke with theCUBE, SiliconANGLE Media’s livestreaming studio, at this week’s Open Source Summit NA 2023:

With reporting from Robert Hof

Photo: Tony Webster/Flickr
