2018
DOI: 10.1007/978-3-319-96142-2_26

Continuous Formal Verification of Amazon s2n

Abstract: We describe formal verification of s2n, the open source TLS implementation used in numerous Amazon services. A key aspect of this proof infrastructure is continuous checking, to ensure that properties remain proven during the lifetime of the software. At each change to the code, proofs are automatically re-established with little to no interaction from the developers. We describe the proof itself and the technical decisions that enabled integration into development.

Cited by 47 publications (42 citation statements)
References 12 publications (9 reference statements)
“…As discussed previously, we have found that it is important to focus on continuous verification: it is not enough to simply prove the correctness of a protocol or system once, what we need is to continuously prove the desired property during the lifetime of the system [24]. This matches reports from elsewhere in industry where formal verification is being applied, e.g.…”
Section: Continuous Formal Verification (supporting)
confidence: 61%
“…For example, in 2017 alone the security team used deductive theorem provers or model checking tools to reason about cryptographic protocols/systems (e.g. [24]), hypervisors, boot-loaders/BIOS/firmware (e.g. [27]), garbage collectors, and network designs.…”
Section: Security of the Cloud (mentioning)
confidence: 99%
“…Amazon s2n is an implementation of the Transport Level Security protocol which is in widespread use in Amazon's data centers. Amazon have, in a collaboration with Galois, proven strong security properties of key components of s2n [19]. For example, they establish that the s2n implementation of HMAC implements a pseudorandom function.…”
Section: Industry Context (mentioning)
confidence: 99%
“…
• The specifications themselves are the subject of significant design and proof work, connecting several levels of specs by reasoning in the Coq proof assistant and the Cryptol tool from Galois, some done in [19] and some building on separate work [4].
• The code is small: just over 550 lines of C.…”
Section: Industry Context (mentioning)
confidence: 99%