Security policy analyzer service and satisfiability engine

US2020366707A1 · US · A1

Patent metadata

Publication number: US-2020366707-A1
Application number: US-202016985954-A
Country: US
Kind code: A1
Filing date: Aug 5, 2020
Priority date: Jun 29, 2017
Publication date: Nov 19, 2020
Grant date:

Abstract

Official abstract text for this publication.

Security policies may be utilized to grant or deny permissions related to the access of computing resources. Two or more security policies may be compared to determine whether the policies are equivalent, whether one security policy is more permissive than another, and more. In some cases, it may be possible to identify a security permission that is sufficient to show that two security policies are not equivalent. Propositional logics may be utilized in the evaluation of security policies.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method, comprising: obtaining, from a client of a computing resource service provider, one or more baseline security policies; storing, in a logging system, web application programming interface calls encoding requests to apply security policies usable to grant or deny access to computing resources of the computing resource service provider; selecting a custom logic from a plurality of custom logics to process as a result of detecting an event trigger, wherein the event trigger is detected based at least in part on one or more of the security policies recorded in the logging system being applied; provisioning a set of computing resources to execute the custom logic; executing the custom logic on the set of computing resources by at least: obtaining a first security policy from the logging system; parsing the first security policy and the one or more baseline security policies to determine one or more propositional logic expressions that can be used to generate a set of constraints, wherein evaluation of the set of constraints indicates whether the first security policy is more permissive than the one or more baseline security policies; and as a result of the first security policy being more permissive than the one or more baseline security policies, logging the first security policy to a storage system; de-provisioning the set of computing resources as a result of executing the custom logic; obtaining the first security policy from the storage system; and presenting the first security policy via a graphical user interface to a privileged user, indicating that the first security policy is more permissive than the one or more baseline policies.

2. The computer-implemented method of claim 1, wherein a satisfiability modulo theories (SMT) solver is utilized to determine whether the set of constraints is satisfiable.

3. The computer-implemented method of claim 2, wherein the set of constraints is generated based at least in part on the one or more propositional logic expressions in accordance with the SMT-LIB Standard.

4. The computer-implemented method of claim 1, wherein detecting the event trigger comprises checking whether a security policy was recorded in the logging system during a period of time.

5. A system, comprising: one or more processors; memory that stores computer-executable instructions that, as a result of execution by the one or more processors, cause the system to: obtain, from a client of a computing resource service provider, a first set of security policies; store, in a logging system, records of web application programming interface calls encoding requests to apply a second set of security policies usable to grant or deny access to computing resources of the computing resource service provider; select a custom logic from a plurality of custom logics to process as a result of detecting an event trigger, wherein the event trigger is detected based at least in part on one or more of the security policies recorded in the logging system being applied; provision a set of computing resources to execute the custom logic; execute the custom logic on the set of computing resources to at least: obtain a first security policy from the logging system; parse the first security policy and the first set of security policies to determine one or more propositional logic expressions that can be used to generate a set of constraints, wherein evaluation of the set of constraints indicates whether the first security policy is more permissive than the first set of security policies; and as a result of the first security policy being more permissive than the first set of security policies, log the first security policy to a storage system; de-provision the set of computing resources as a result of executing the custom logic; obtain the first security policy from the storage system; and present the first security policy via a graphical user interface to a privileged user, indicating that the first security policy is more permissive than the first set of security policies.

6. The system of claim 5, wherein a satisfiability modulo theories (SMT) solver is utilized to determine whether the set of constraints is satisfiable.

7. The system of claim 5, wherein the set of constraints is generated based at least in part on the one or more propositional logic expressions in accordance with the SMT-LIB Standard.

8. The system of claim 5, wherein the one or more propositional logic expressions are in accordance with a CVC format or DIMACS format.

9. The system of claim 5, wherein the privileged user is an administrator.

10. The system of claim 5, wherein the first set of security policies includes a world-accessible security policy.

11. The system of claim 5, wherein the computer-executable instructions include further instructions that, as a result of execution by the one or more processors, cause the system to further present a set of parameters which result in a grant of access when evaluated under the first security policy and result in a denial of access when evaluated under the first set of security policies.

12. The system of claim 5, wherein evaluation of the set of constraints yields a result that is more permissive, less permissive, equally permissive, or incomparable.

13. A non-transitory computer-readable storage medium storing executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least: obtain, from a client of a computing resource service provider, a first set of security policies; store, in a logging system, records of web application programming interface calls encoding requests to apply a second set of security policies usable to grant or deny access to computing resources of the computing resource service provider; select a custom logic from a plurality of custom logics to process as a result of detecting an event trigger, wherein the event trigger is detected based at least in part on one or more of the security policies recorded in the logging system being applied; provision a set of computing resources to execute the custom logic; execute the custom logic on the set of computing resources to at least: obtain a first security policy from the logging system; parse the first security policy and the first set of security policies to determine one or more propositional logic expressions that can be used to generate a set of constraints, wherein evaluation of the set of constraints indicates whether the first security policy is more permissive than the first set of security policies; and as a result of the first security policy being more permissive than the first set of security policies, log the first security policy to a storage system; de-provision the set of computing resources as a result of executing the custom logic; obtain the first security policy from the storage system; and present the first security policy via a graphical user interface to a privileged user, indicating that the first security policy is more permissive than the first set of security policies.

14. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions, as a result of being executed, cause the computer system to evaluate the set of constraints using a satisfiability modulo theories (SMT) solver to determine whether the first security policy is more permissive than the first set of security policies.

15. The non-transitory computer-readable storage medium of claim 13,
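As an added illustration (not code from the patent or from its assignee), the comparison the claims describe, in Python: each policy is parsed into a predicate over requests, the analogue of the claims' propositional-logic expression, and the constraint "candidate grants the request and the baseline denies it" is checked for satisfiability, with the satisfying request serving as the parameters of claim 11 and the four-way verdict of claim 12. The principals, actions, resources and both policies are constructed, and enumeration over that small request universe stands in for the SMT solver of claims 2 and 6.

```python
"""Relative permissiveness of two access policies (added illustration).
Each policy becomes a predicate over requests, the analogue of the claims'
propositional-logic expression; the constraint "candidate grants r AND
baseline denies r" is then checked for satisfiability by enumerating a small
constructed request universe (a real analyzer would emit SMT-LIB instead)."""
from fnmatch import fnmatchcase
from itertools import product

# Constructed request universe (principal, action, resource); hypothetical names.
PRINCIPALS = ["alice", "anonymous"]
ACTIONS = ["storage:GetObject", "storage:PutObject", "storage:DeleteObject"]
RESOURCES = ["bucket/public/index.html", "bucket/private/keys.txt"]

# Constructed policies: BASELINE lets only alice use the bucket; CANDIDATE adds
# world-readable public objects, i.e. a request the baseline would deny.
BASELINE = [{"Effect": "Allow", "Principal": ["alice"],
             "Action": ["storage:*"], "Resource": ["bucket/*"]}]
CANDIDATE = BASELINE + [{"Effect": "Allow", "Principal": ["*"],
                         "Action": ["storage:Get*"], "Resource": ["bucket/public/*"]}]

def matches(stmt, principal, action, resource):
    """True when the statement's patterns cover every field of the request."""
    cover = lambda patterns, value: any(fnmatchcase(value, p) for p in patterns)
    return (cover(stmt["Principal"], principal) and cover(stmt["Action"], action)
            and cover(stmt["Resource"], resource))

def grants(policy, request):
    """Policy semantics: an explicit Deny wins, then any Allow, else implicit deny."""
    effects = [s["Effect"] for s in policy if matches(s, *request)]
    return "Deny" not in effects and "Allow" in effects

def witness(policy_a, policy_b):
    """Satisfiability of grants(A, r) AND NOT grants(B, r): return a satisfying
    request (the parameters of claim 11) or None when the constraint is UNSAT."""
    for request in product(PRINCIPALS, ACTIONS, RESOURCES):
        if grants(policy_a, request) and not grants(policy_b, request):
            return request
    return None

def compare(candidate, baseline):
    """Classify candidate against baseline with the four outcomes of claim 12,
    returning the verdict and the request proving any extra permissiveness."""
    extra, missing = witness(candidate, baseline), witness(baseline, candidate)
    if extra and missing:
        return "incomparable", extra
    if extra:
        return "more permissive", extra
    return ("less permissive" if missing else "equally permissive"), None
```

Running compare(CANDIDATE, BASELINE) flags the candidate as more permissive and returns the anonymous read of the public object as the request the baseline would have denied.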

Assignees

Amazon Tech Inc

Inventors

Classifications

  • Policy-based network configuration management · CPC title

  • Vulnerability analysis · CPC title

  • H04L63/20 · Primary

    for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • Network security protocols · CPC title

  • Detecting local intrusion or implementing counter-measures · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Amazon Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1433. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 19, 2020 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).