Highlights:

  • Fuzzing is a software testing technique commonly employed to identify security vulnerabilities, particularly in open-source software projects. It works by feeding random data to the system under test and observing how the system behaves while processing that data.
  • According to Nalley, while there are several fuzzing tools available, what sets SnapChange apart is that it doesn’t necessitate the rewriting of the underlying Linux kernel or using a modified Kernel-based Virtual Machine.

Recently, Amazon Web Services Inc. announced the release of two new open-source projects. The first project is a fuzzing tool designed to identify software vulnerabilities. The second project is an authorization policy language that regulates application access.

During the annual Open Source Summit held by the Linux Foundation, two new tools with a primary focus on security were announced. SnapChange is a novel fuzzing tool that facilitates experimentation with “snapshot fuzzing,” according to the company’s statement, and it is intended to assist developers and security researchers in that work.

Fuzzing is a software testing technique commonly employed to identify security vulnerabilities, particularly in open-source projects. It works by feeding random data to the system under test and observing how the system behaves while processing that data. For example, a sample JPEG file intended for an image-rendering application could be altered and then opened in that application; if the application crashes, an application security flaw may be present.

According to David Nalley, the Director of Open Source Strategy and Marketing at AWS, SnapChange expands on this idea and allows for minimal changes to the target application to fuzz it. Nalley said that fuzzing tools are utilized widely in the industry and have “helped in rooting out hundreds of security vulnerabilities in recent years.”

According to Nalley, while there are several fuzzing tools available, what sets SnapChange apart is that it doesn’t necessitate the rewriting of the underlying Linux kernel or using a modified Kernel-based Virtual Machine. Instead, it is intended to work with the standard Linux kernel and stock KVM, which makes it more accessible for research purposes and allows it to scale up to many processor cores. Nalley added, “SnapChange will make fuzzing much more efficient.”

As per Nalley, SnapChange was not meant to be an independent project from the beginning. Instead, it was created by AWS’ Find & Fix (F2) threat-hunting research team, whose responsibility is to identify and attempt to fix vulnerabilities. He added, “The team had to build a lot of tools to do security research at scale, and this is one of these tools.”

Nalley stated that while AWS plans to enhance SnapChange with additional capabilities and functionalities, the company is also looking to collaborate with the research community to develop a more powerful and versatile tool. Nalley stated, “AWS has a vested interest in open-source supply chain security. We have a shared destiny around open source.”

Recently, AWS announced Cedar, a policy language used by Amazon Verified Permissions and AWS Verified Access managed services to manage authorization policies.

Cedar is a software development kit and an open-source language that enables developers to write and enforce application authorization policies. With Cedar, developers can control access to resources like images, compute nodes, or components in workflow automation. The language allows developers to specify detailed permissions, and the Cedar SDK’s authorization engine evaluates access requests against those Cedar policies.
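As an added illustration (not from the article or the Cedar project’s own documentation), the policy set below shows the shape of Cedar policies for the image-access case mentioned above; the entity types, attributes and context field are assumptions made for the example. Cedar is deny-by-default and a matching forbid overrides any permit.

```cedar
// Constructed example policy set; entity types (User, Group, Album, Photo),
// attributes (status, owner) and the context field mfa_authenticated are assumed.

// Members of the photo-editors group may view or edit any photo in the
// "vacation" album, as long as the photo has not been archived.
permit(
  principal in Group::"photo-editors",
  action in [Action::"view", Action::"edit"],
  resource in Album::"vacation"
)
when { resource.status != "archived" };

// A photo's owner may delete their own photo.
permit(
  principal,
  action == Action::"delete",
  resource
)
when { resource.owner == principal };

// Editing or deleting anything requires an MFA-authenticated session.
// Because a matching forbid overrides every permit, a broader permit
// added elsewhere in the policy set cannot bypass this rule.
forbid(
  principal,
  action in [Action::"edit", Action::"delete"],
  resource
)
unless { context.mfa_authenticated == true };
```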

Nalley stated that Cedar’s policy language is based on “automated reasoning” that relies on mathematical proofs. Rather than relying on the traditional test-driven development method alone, this approach uses math to guarantee that policies achieve the desired outcomes. Nalley believes that automating as much as possible makes it easier to ensure that policies and limitations are accurate.

He explained, “You can use mathematical proofs that already exist to prove a program will work in a specific way.”

While Cedar’s policy language cannot automate everything with mathematical proofs, it still offers value by allowing developers to concentrate on testing edge cases where policies might not work.

According to Nalley, the main reason for AWS to open-source Cedar is transparency. By making the code available to the public, developers can verify that Cedar works as expected and provide feedback to improve the tool. Nalley also added, “We want customers to have faith Cedar works as intended. We want people to go play with it, tear it apart.”