Patents by Inventor Carsten Varming
Carsten Varming has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11757886Abstract: Methods, systems, and computer-readable media for analysis of role reachability using policy complements are disclosed. An access control analyzer determines two nodes in a graph that potentially have a common edge. The nodes correspond to roles in a provider network, and the roles are associated with first and second access control policies that grant or deny access to resources. The access control analyzer performs a role reachability analysis that determines whether the first role can assume the second role for a particular state of one or more key-value tags. The role reachability analysis determines a third access control policy authorizing a negation of a role assumption request for the second role. The role reachability analysis performs analysis of the third access control policy with respect to a role assumption policy for the second role for the particular state of the one or more key-value tags.Type: GrantFiled: December 11, 2020Date of Patent: September 12, 2023Assignee: Amazon Technologies, Inc.Inventors: John Byron Cook, Neha Rungta, Carsten Varming, Daniel George Peebles, Daniel Kroening, Alejandro Naser Pastoriza
-
Patent number: 11616800Abstract: Security policies may be utilized to grant or deny permissions related to the access of computing resources. Two or more security policies may be compared to determine whether the policies are equivalent, whether one security is more permissive than another, and more. In some cases, it may be possible to identify whether there exists a security permission that is sufficient to determine two security policies lack equivalency. Propositional logics may be utilized in the evaluation of security policies.Type: GrantFiled: August 5, 2020Date of Patent: March 28, 2023Assignee: Amazon Technologies, Inc.Inventors: John Cook, Neha Rungta, Catherine Dodge, Jeff Puchalski, Carsten Varming
-
Patent number: 11509730Abstract: Techniques are described for generating a specification of security-relevant behavior associated with web services of a cloud provider network. Source code or software development artifacts associated with an implementation of a web service is obtained, where the source code of software development artifacts include an implementation of a request handler for an action of the service. The request handler includes a request authorization component, e.g., which may involve interaction with an identity and access management service of the cloud provider network to authenticate and authorize requests and may further rely upon one or more authorization contexts included in the requests received by the request handler. An interprocedural data flow analyzer is used to analyze a model representation of the bytecode to identify and generate specifications of authorization patterns associated with the request handler.Type: GrantFiled: December 11, 2020Date of Patent: November 22, 2022Assignee: Amazon Technologies, Inc.Inventors: Daniel George Peebles, Carsten Varming, Neha Rungta, Zhen Zhang
-
Patent number: 11483317Abstract: A policy auditing service can be implemented, in accordance with at least one embodiment that obtains a set of parameters that indicates a snapshot of a policy configuration for an account, a query, and a security policy. The security policy may encode a security requirement or invariant. The policy auditing system may determine states that can be reached via mutative operations (e.g., role assumption) and use a policy analyzer service to determine whether assuming a role results in a grant of access that is at least as permissive as the security policy of the set of parameters.Type: GrantFiled: November 30, 2018Date of Patent: October 25, 2022Assignee: Amazon Technologies, Inc.Inventors: Pauline Virginie Bolignano, John Byron Cook, Andrew Jude Gacek, Kasper Luckow, Neha Rungta, Cole Schlesinger, Ian Sweet, Carsten Varming
-
Patent number: 11483350Abstract: Techniques for intent-based governance are described. For example, in some instances a method of receiving an indication of a change involving of one or more of code, a policy, a network configuration, or a governance requirement rule impacting a resource in a provider network for an account that is to be analyzed using one or more governance requirement rules; determining one or more governance requirement rules to evaluate for compliance after the update; evaluating the determined one or more governance requirement rules for compliance using one or more reasoning engines according to one or more policies; and making a result of the evaluating available to a user provides such governance.Type: GrantFiled: March 29, 2019Date of Patent: October 25, 2022Assignee: Amazon Technologies, Inc.Inventors: Pauline Virginie Bolignano, Tyler Bray, John Byron Cook, Andrew Jude Gacek, Kasper Søe Luckow, Andrea Nedic, Neha Rungta, Cole Schlesinger, Carsten Varming
-
Patent number: 11394661Abstract: Techniques are described for using compositional reasoning techniques to perform role reachability analyses relative to collections of user accounts and roles of a cloud provider network. Delegated role-based resource management generally is a method for controlling access to resources in cloud provider networks and other distributed systems. Many cloud provider networks, for example, implement identity and access management subsystems using this approach, where the concept of “roles” is used to specify which resources can be accessed by people, software, or (recursively) by other roles. An abstraction of the role reachability analysis is provided that can be used as input to a model-checking application to reason about such role reachability questions (e.g., which roles of an organization are reachable from other roles).Type: GrantFiled: September 23, 2020Date of Patent: July 19, 2022Assignee: Amazon Technologies, Inc.Inventors: John Byron Cook, Neha Rungta, Andrew Jude Gacek, Daniel George Peebles, Carsten Varming
-
Publication number: 20220191206Abstract: Methods, systems, and computer-readable media for analysis of role reachability using policy complements are disclosed. An access control analyzer determines two nodes in a graph that potentially have a common edge. The nodes correspond to roles in a provider network, and the roles are associated with first and second access control policies that grant or deny access to resources. The access control analyzer performs a role reachability analysis that determines whether the first role can assume the second role for a particular state of one or more key-value tags. The role reachability analysis determines a third access control policy authorizing a negation of a role assumption request for the second role. The role reachability analysis performs analysis of the third access control policy with respect to a role assumption policy for the second role for the particular state of the one or more key-value tags.Type: ApplicationFiled: December 11, 2020Publication date: June 16, 2022Applicant: Amazon Technologies, Inc.Inventors: John Byron Cook, Neha Rungta, Carsten Varming, Daniel George Peebles, Daniel Kroening, Alejandro Naser Pastoriza
-
Publication number: 20220191205Abstract: Methods, systems, and computer-readable media for analysis of role reachability with transitive tags are disclosed. An access control analyzer determines a graph comprising a plurality of nodes and one or more edges. The nodes represent roles in a provider network hosting resources. The roles are associated with access control policies granting or denying access to individual resources. One or more of the access control policies grant or deny access based (at least in part) on one or more key-value attributes. The access control analyzer determines, based (at least in part) on a role reachability analysis of the graph, whether a first role can assume a second role using one or more role assumption steps for a particular state of the one or more attributes. The one or more attributes may comprise one or more transitive attributes that persist during the one or more role assumption steps.Type: ApplicationFiled: December 11, 2020Publication date: June 16, 2022Applicant: Amazon Technologies, Inc.Inventors: John Byron Cook, Neha Rungta, Carsten Varming, Daniel George Peebles, Daniel Kroening, Alejandro Naser Pastoriza
-
Publication number: 20220094643Abstract: Techniques are described for using compositional reasoning techniques to perform role reachability analyses relative to collections of user accounts and roles of a cloud provider network. Delegated role-based resource management generally is a method for controlling access to resources in cloud provider networks and other distributed systems. Many cloud provider networks, for example, implement identity and access management subsystems using this approach, where the concept of “roles” is used to specify which resources can be accessed by people, software, or (recursively) by other roles. An abstraction of the role reachability analysis is provided that can be used as input to a model-checking application to reason about such role reachability questions (e.g., which roles of an organization are reachable from other roles).Type: ApplicationFiled: September 23, 2020Publication date: March 24, 2022Inventors: John Byron COOK, Neha RUNGTA, Andrew Jude GACEK, Daniel George PEEBLES, Carsten VARMING
-
Patent number: 11232015Abstract: A method for verifying source code for a program includes determining that a new version of the source code is available. One or more verification tools are determined to use for verification of the new version of the source code from a verification specification associated with the source code. A plurality of verification tasks to perform for the verification of the new version of the source code are automatically determined from the verification specification associated with the source code. The plurality of verification tasks for the new version of the source code are automatically performed using the one or more verification tools. A determination is then made as to whether the new version of the source code is verified.Type: GrantFiled: May 1, 2020Date of Patent: January 25, 2022Assignee: Amazon Technologies, Inc.Inventors: Juan Rodriguez Hortala, Neha Rungta, Mark R. Tuttle, Serdar Tasiran, Michael Tautschnig, Andrea Nedic, Carsten Varming, John Byron Cook, Sean McLaughlin
-
Patent number: 11093641Abstract: A document anonymization system transforms structured documents, such as security policies, that contain user-specific and other sensitive data, producing encoded logic problems in the format or language of one or more constraint solvers; the logic problems do not contain any of the sensitive data. The system may perform a one- or two-stage anonymization process: in a first stage, the electronic document is analyzed according to its document type to identify parameters likely to contain sensitive data, and the associated values are replaced with arbitrary values; in a second stage, after the anonymized electronic document is converted into logic formulae representing the data, the system performs replacements of string constants in the logic formulae with arbitrary strings to further anonymize the sensitive data.Type: GrantFiled: December 13, 2018Date of Patent: August 17, 2021Assignee: Amazon Technologies, Inc.Inventors: Michael William Whalen, Carsten Varming, Neha Rungta, Andrew Judge Gacek, Murphy Berzish
-
Patent number: 11017107Abstract: A security assessment system of a computing resource service provider performs security analyses of virtual resource instances, such as virtual machine instances and virtual data store instances, to verify that certain invariable security requirements are satisfied by the instances' corresponding configurations; these analyses are performed before the instances are provisioned and deployed. If the security checks, which can be selected by the administrator of the resources, fail, the requested resources are denied deployment. Notifications identifying the faulty configuration(s) may be send to the administrative user. A template for launching virtual resource instances may be transformed into an optimized template for performing the pre-deployment security checks, such as by storing information needed to perform the checks within the optimized template itself.Type: GrantFiled: March 6, 2018Date of Patent: May 25, 2021Assignee: Amazon Technologies, Inc.Inventors: Neha Rungta, Pauline Virginie Bolignano, Catherine Dodge, Carsten Varming, John Cook, Rajesh Viswanathan, Daryl Stephen Cooke, Santosh Kalyankrishnan
-
Patent number: 10977111Abstract: A constraint solver service of a computing resource service provider performs evaluations of logic problems provided by the service provider's users and/or services by deploying a plurality of constraint solvers to concurrently evaluate the logic problem. Each deployed solver has, or is configured with, different characteristics and/or capabilities than the other solvers; thus, the solvers can have varying execution times and ways of finding a solution. The service may control execution of the solvers using virtual computing resources, such as by installing and configuring a solver to execute in a software container instance. The service receives solver results and delivers them according to a solution strategy such as “first received” to reduce latency or “check for agreement” to validate the solution. An interface allows the provider of the logic problem to select and configure solvers, issue commands and modifications during solver execution, select the solution strategy, and receive the solution.Type: GrantFiled: August 28, 2018Date of Patent: April 13, 2021Assignee: Amazon Technologies, Inc.Inventors: Neha Rungta, Temesghen Kahsai Azene, Pauline Virginie Bolignano, Kasper Soe Luckow, Sean McLaughlin, Catherine Dodge, Andrew Jude Gacek, Carsten Varming, John Byron Cook, Daniel Schwartz-Narbonne, Juan Rodriguez Hortala
-
Patent number: 10922423Abstract: A security policy analyzer service of a computing resource service provider performs evaluations of security policies provided by the service provider's users, to determine whether the security policies are valid, satisfiable, accurate, and/or sufficiently secure. The service may compare the user-provided policy to a stored or best-practices policy to begin the evaluation, translating encoded security permissions into propositional logic formulae that can be compared to determine which policy is more permissive. The service determines values of the parameters in a request for access to a computing resource based on the policy comparison, and generates request contexts using the values. The service uses the request contexts to generate one or more comparative policies that are then used iteratively as the second policy in the comparison to the user-provided policy, in order to produce additional request contexts that represent allow/deny “edge cases” along the borders of policy permission statements.Type: GrantFiled: June 21, 2018Date of Patent: February 16, 2021Assignee: AMAZON TECHNOLOGIES, INC.Inventors: Neha Rungta, Kasper Søe Luckow, Andrew Jude Gacek, Carsten Varming, John Cook
-
Publication number: 20200366707Abstract: Security policies may be utilized to grant or deny permissions related to the access of computing resources. Two or more security policies may be compared to determine whether the policies are equivalent, whether one security is more permissive than another, and more. In some cases, it may be possible to identify whether there exists a security permission that is sufficient to determine two security policies lack equivalency. Propositional logics may be utilized in the evaluation of security policies.Type: ApplicationFiled: August 5, 2020Publication date: November 19, 2020Inventors: John Cook, Neha Rungta, Catherine Dodge, Jeff Puchalski, Carsten Varming
-
Publication number: 20200314145Abstract: Techniques for intent-based governance are described. For example, in some instances a method of receiving an indication of a change involving of one or more of code, a policy, a network configuration, or a governance requirement rule impacting a resource in a provider network for an account that is to be analyzed using one or more governance requirement rules; determining one or more governance requirement rules to evaluate for compliance after the update; evaluating the determined one or more governance requirement rules for compliance using one or more reasoning engines according to one or more policies; and making a result of the evaluating available to a user provides such governance.Type: ApplicationFiled: March 29, 2019Publication date: October 1, 2020Inventors: Pauline Virginie BOLIGNANO, Tyler BRAY, John Byron COOK, Andrew Jude GACEK, Kasper Søe LUCKOW, Andrea NEDIC, Neha RUNGTA, Cole SCHLESINGER, Carsten VARMING
-
Patent number: 10757128Abstract: Security policies may be utilized to grant or deny permissions related to the access of computing resources. Two or more security policies may be compared to determine whether the policies are equivalent, whether one security is more permissive than another, and more. In some cases, it may be possible to identify whether there exists a security permission that is sufficient to determine two security policies lack equivalency. Propositional logics may be utilized in the evaluation of security policies.Type: GrantFiled: June 29, 2017Date of Patent: August 25, 2020Assignee: Amazon Technologies, Inc.Inventors: John Cook, Neha Rungta, Catherine Dodge, Jeff Puchalski, Carsten Varming
-
Publication number: 20200257611Abstract: A method for verifying source code for a program includes determining that a new version of the source code is available. One or more verification tools are determined to use for verification of the new version of the source code from a verification specification associated with the source code. A plurality of verification tasks to perform for the verification of the new version of the source code are automatically determined from the verification specification associated with the source code. The plurality of verification tasks for the new version of the source code are automatically performed using the one or more verification tools. A determination is then made as to whether the new version of the source code is verified.Type: ApplicationFiled: May 1, 2020Publication date: August 13, 2020Inventors: Juan Rodriguez HORTALA, Neha RUNGTA, Mark R. TUTTLE, Serdar TASIRAN, Michael TAUTSCHNIG, Andrea NEDIC, Carsten VARMING, John Byron COOK, Sean MCLAUGHLIN
-
Patent number: 10664379Abstract: A method for verifying source code for a program includes determining that a new version of the source code is available. One or more verification tools are determined to use for verification of the new version of the source code from a verification specification associated with the source code. A plurality of verification tasks to perform for the verification of the new version of the source code are automatically determined from the verification specification associated with the source code. The plurality of verification tasks for the new version of the source code are automatically performed using the one or more verification tools. A determination is then made as to whether the new version of the source code is verified.Type: GrantFiled: September 5, 2018Date of Patent: May 26, 2020Assignee: AMAZON TECHNOLOGIES, INC.Inventors: Juan Rodriguez Hortala, Neha Rungta, Mark R. Tuttle, Serdar Tasiran, Michael Tautschnig, Andrea Nedic, Carsten Varming, John Byron Cook, Sean McLaughlin
-
Patent number: 10630695Abstract: Requests of a computing system may be monitored. A request associated with the application of a policy may be identified and a policy verification routine may be invoked. The policy verification routine may detect whether the policy of the request is more permissive than a reference policy and perform a mitigation routine in response to determining that the policy of the request is more permissive than the reference policy. Propositional logics may be utilized in the evaluation of policies.Type: GrantFiled: June 29, 2017Date of Patent: April 21, 2020Assignee: Amazon Technologies, Inc.Inventors: John Cook, Neha Rungta, Catherine Dodge, Jeff Puchalski, Carsten Varming