AWS open sources fuzzing tool SnapChange and policy-based access control language Cedar
Amazon Web Services (AWS) has launched two new open source projects today, a move designed in part to address concerns around software supply chain security.
With the likes of SolarWinds and Log4J thrusting software supply chain security into the public consciousness these past few years, there has been a concerted effort to invest greater resources in protecting everyone from governments and hospitals to corporations and beyond from bad actors seeking to exploit weaknesses in the software they use.
In the U.S., President Biden issued an executive order back in 2021 outlining various measures designed to counter such threats, leading Big Tech to launch various initiatives to show that they’re being at least a little proactive. For example, companies including Amazon, Google and Microsoft last year pledged $30 million to bolster open source software security.
In the wake of this executive order, however, the U.S. National Institute of Standards and Technology (NIST) also issued guidelines for software verification with so-called “fuzzing” recommended as part of its minimum standards for software testing.
Fuzzing, or fuzz testing as it’s also called, is a way of continuously testing software’s robustness by throwing random or invalid data at a program to see how it responds. This can be an effective way of finding flaws automatically, before it can be exploited in the wild.
And it’s against that backdrop that AWS is open sourcing SnapChange.
Going open source
Announced at Open Source Summit North America today, SnapChange is the first fruits of an internal team that AWS dubs Find & Fix.
This team constitutes full-time security researchers tasked with finding and fixing bugs in critical open source software, who then share their findings with the relevant project maintainer. AWS says it can also work with the maintainers to provide working patches.
SnapChange started as an experimental fuzzing tool, but now it’s being made available for anyone to use via GitHub. While traditional fuzzers are effective at finding bugs in software, SnapChange is all about “snapshot” fuzzing, which is a more advanced incarnation that uses virtualization technologies such as emulators for more granular execution on hard-to-reach code.
This also echoes moves made by its cloud rivals including Google, which previously open sourced its ClusterFuzz fuzzing tool followed by ClusterFuzzLite. Microsoft also open sourced a fuzzing platform called OneFuzz back in 2020.
Elsewhere, AWS recently created a new authorization policy language called Cedar that’s concerned with defining access permissions in software, allowing developers to write policies that stipulate permissions at a granular level. With Cedar, companies can control access to specific resources such as photos inside a photo-sharing app, or specific nodes in a microservices cluster.
As of today, the Cedar SDK is available on GitHub with the promise of bringing transparency into Cedar development (“there’s no security through obscurity”), as well as allowing any third-party entity to make their own contributions.