- Supervisor: Robert Lagerström, Pontus Johnson
- Active members:
- External collaborators:
- Foreseeti AB
- Erik Ringdahl
- Max Wällstedt
- Foreseeti AB
- Status: finished 🟠
- Timeline: HT 2019 - HT 2022
Migrating enterprises and business capabilities to cloud platforms like Amazon Web Services (AWS) has become increasingly common. However, securing cloud operations, especially at large scales, can quickly become intractable. Customer-side issues such as service misconfigurations, data breaches, and insecure changes are prevalent. Furthermore, cloud-specific tactics and techniques paired with application vulnerabilities create a large and complex search space. Various solutions and modeling languages for cloud security assessments exist. However, no single one appeared sufficiently cloud-centered and holistic. Many also did not account for tactical security dimensions. This paper, therefore, presents a domain-specific modeling language for AWS environments. When used to model AWS environments, manually or automatically, the language automatically constructs and traverses attack graphs to assess security. Assessments, therefore, require minimal security expertise from the user. The modeling language was primarily tested on four third-party AWS environments through securiCAD Vanguard, a commercial tool built around the AWS modeling language. The language was validated further by measuring performance on models provided by anonymous end users and a comparison with a similar open source assessment tool. As of March 2020, the modeling language could represent essential AWS structures, cloud tactics, and threats. However, the tests highlighted certain shortcomings. Data collection steps, such as planted credentials, and some missing tactics were obvious. Nevertheless, the issues covered by the DSL were already reminiscent of common issues with real-world precedents. Future additions to attacker tactics and addressing data collection should yield considerable improvements.
- Tests against the vulnerable-by-design scenarios provided by CloudGoat.
- First journal article draft.
- First submission-ready journal article.
- First article submission attempt.
- Second journal article draft.
- Second submission-ready journal article.
- Second submission of revised article.
- Published article.
- Update Kudos page.
- Research paper
- DSL for AWS repository - Might be private
- CloudGoat - Test case source
- Archived CloudGoat
- awspx - Similar tool used for comparison
- MAL - Meta Attack Language
- SecuriCAD Vanguard - Powered by the DSL for AWS and MAL
- SecuriCAD Vanguard on AWS
This is a project run by the Software Systems Architecture and Security research group within the Division of Network and Systems Engineering at the Department of Computer Science at the School of Electrical Engineering and Computer Science @ KTH university.
For more of our projects, see the SSAS page at github.com.