Received 1 November 2023, accepted 19 November 2023, date of publication 7 December 2023,

date of current version 15 December 2023.

Digital Object Identifier 10.1109/ACCESS.2023.3340690

Analyzing Component Composability of Cloud

Security Configurations
KANDASAMY MUNIASAMY 1 , ROHIT CHADHA 2, PRASAD CALYAM 2, (Senior Member,
IEEE), AND M. SETHUMADHAVAN 1
1 TIFAC CORE in Cyber Security, Amrita Vishwa Vidyapeetham, Amritanagar, Coimbatore, Tamil Nadu 641112, India
2 Department of Electrical Engineering and Computer Science, University of Missouri, Columbia, MO 65211, USA
Corresponding author: Kandasamy Muniasamy ([email protected])
The work of Rohit Chadha was supported in part by Grant NSF CNS 1553548 and Grant NSF SHF 1900924.

ABSTRACT Security is a major concern when building large-scale computer systems. Cloud services have
made it easier to provision large-scale systems on demand over the Internet. While the cloud service providers
provide the required building blocks such as compute units, database servers, and storage, customers are
still responsible for securely combining these systems to satisfy their organization’s security policy. The
secure development and operation of such large-scale systems present technical challenges. Composing a
larger system using components with known security properties that satisfy a given security policy without
re-analyzing the individual components is a difficult problem. In this study, we attempted to analyze the
composability of components from a security perspective using first-order predicate logic. We posit that if
we build a system using individual components that satisfy a security policy, the composed system will be
sound with regard to that policy. Additionally, the methodology can be used to identify drifts or violations
during future changes in the system by running checks during the system release cycles for continuous
verification.

INDEX TERMS Cloud security, composability, formal analysis, policy-based verification.

I. INTRODUCTION In a distributed system as complex as AWS, one can design

Though cloud computing offered by major players, such as a secure Virtual Private Cloud (VPC) system composed of
Amazon with Amazon Web Services (AWS) and Microsoft building blocks in various ways. Not all designs would
Azure, has replaced traditional data centers for big and small exhibit the desired security properties. A misstep in security
companies, security remains a major responsibility for cus- design is disastrous and costly for any organization. Like
tomers. AWS, for example, presents a shared responsibility the discipline of programming, where programming with
model whereby Amazon is responsible for the security of mathematical rigor yields programs of desired quality,
the cloud, and each customer is responsible for security correctness, simplicity, and elegance, proper use of security
in the cloud [1]. AWS provides security building blocks abstractions is needed for composing cloud systems.
such as Identity and Access Management (IAM), Security We consider a sample application deployed in a VPC
Groups, and Continuous Monitoring. However, customers (Figure 1) that consists of a database, several compute
are responsible for securing their AWS accounts and their instances, and a load balancer. This simple example is a
applications from common security threats through not only model of how large-scale systems such as video conferencing
the better design of their applications but also securely services and credit card processing systems are deployed.
composing their operational systems with those building This VPC has three subnets, two private and one public.
blocks. Instances in the private subnet are not publicly addressable.
The public subnet has an application load balancer that end
users connect to using HTTPS over port 443. It also has a
The associate editor coordinating the review of this manuscript and bastion host that provides Secure Shell (SSH) access to the
approving it for publication was Giovanni Pau . compute instances in the private subnet. Web-based access to
2023 The Authors. This work is licensed under a Creative Commons Attribution 4.0 License.
VOLUME 11, 2023 For more information, see https://creativecommons.org/licenses/by/4.0/ 139935
 K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations
FIGURE 1. A sample VPC.
the VPC resources is controlled by the Identity and Access
Management (IAM) framework provided by AWS. Larger
systems utilize several VPCs and many building blocks, such
as those used in this sample application, in addition to other
AWS components.
The fundamental difficulty with operational security in the
cloud is due to the improper and insecure configuration of
components [2], the selection of components with properties
inconsistent with the rest of the system, and the lack of near-
real-time evaluation and detection of offending components.
In a public cloud environment, under the shared responsibility
model, each customer is responsible for ensuring security in
their operating environment. Although individual customers
may follow certain best practices for building their system in
the cloud using the building blocks from providers, there are
no formal ways to ensure the security assurance of the overall
system. Trust in cloud providers and process rigor cannot be
substituted for sound practices that link the design of a system
with analysis and evaluation in the ever-changing security
landscape. Thus, securely composing a system will remain
elusive without sound modeling and evaluation approaches
that can provide proof of the desired outcome. To aid
customers in building systems securely in the cloud, we pose
a composability problem and a method to solve it. We state
the problem of how to compose a larger system that satisfies a
given security policy using individual components and ensure
that such a system remains secure during its lifetime. To this
end, we answer two central questions regarding this problem:
• How do we compose a system securely using the
existing building blocks provided by cloud service
providers?
• How do we verify that the composed system is ‘‘sound’’?
That is, the security properties always satisfy the given
security policy.
We use mathematical logic to represent the security properties
of the individual components and network semantics. The
empirical security policies are coded as rules. We can then
reason about these representations to prove that the composed
system is sound from the given security policy perspective.
We use this approach to discuss the sample application’s
compositional security. Our incremental approach can be
scaled to larger systems as more components are added.
Because the security properties of cloud-based components
139936
can be automatically constructed using APIs, this model
can be applied to any public cloud and on-premise systems
that support APIs. The formal reasoning supported by
the model can make useful predictions during the initial
design as well as during the evolution of the system.
Finally, practitioners can easily understand mathematical
logic without any learning curve, and the barrier to adoption
is minimal. We connect technical and operational validity
by developing a formal methodology, implementing our
approach, and experimenting with real-life AWS systems
consisting of 60 VPCs with thousands of resources spread
over multiple regions. We automated the generation of
logical statements that describe the configuration of VPC
resources. We coded the axioms that describe the behavior
of the system components and security policies as logical
implications. We then analyzed the combined knowledge
base to identify components that compose and the ones that
are non-compliant with regard to security policies.
The remainder of this paper is organized into seven
sections. Section II covers the related research. Section III
discusses our approach to representing the security properties
of components and security policies. Section IV presents
the implementation of the proposed approach for a sample
application. Section V discusses the experimental results and
scalability of the approach. Section VI identifies the study’s
limitations and future research directions. Finally, section VII
concludes this paper.
II. RELATED RESEARCH
The early use of formal methods dates back to the 80s when
researchers studied the security of access control models such
as Lampson, Bell-LaPadula, and Biba. This was followed by
efforts to prove the correctness of operating system kernels
and authentication protocols [3]. The 90s saw the increasing
adoption of model checking in hardware verification to
complement simulation, the use of notations such as Z
and TLA+ for software specification, and the evolution
of tools and their use in partial analysis in specification
and verification [4], [5]. With the widespread use of cloud
systems and the increased focus on thwarting cyber threats,
formal methods are finding a niche again. Engineers at
Amazon Web Services have used formal specification and
model checking using TLA+ since 2011 to help solve
difficult design problems in critical systems as complexity
and scale increase [6]. In a multi-tenant cloud platform,
each customer’s operating environment for their applications
is built from the building blocks offered by the providers
and should be verifiably secure from common threats.
In our work, we gather the security properties of cloud
system building blocks, such as storage, compute units (i.e.,
virtualized hosts), and databases, and check them against a
security policy to ensure that there is no contradiction using
first-order logic to prove composability.
The Hookup theorem, based on the ‘‘restrictiveness’’ prop-
erty [7], and conditional composability, based on conditional
non-dependency [8], are rigid and cannot be easily applied to
VOLUME 11, 2023
K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations
practical large-scale systems. The composition proposed for
cryptographic protocols by Canetti et al [9] does not work for
general system composition.
AWS uses automated reasoning tools to verify the network
reachability of resources in Virtual Private Networks (VPCs)
[10]. The tools used include Vampire, MonoSAT, and Soufflé,
which formalize network semantics into logic and perform
reasoning to answer network configuration and reachability
questions. Examples include identifying any resources that
are tagged ‘Bastion’ or any compute instances that are
reachable from the Internet using the Secure Shell (SSH)
protocol.
Microsoft Azure has developed a tool to validate network
connectivity policies automatically [11]. The tool can check
selected properties of policies, such as whether some traffic
is permitted or denied, and compare two policies to identify
drifts. The tool uses bit-vectors to encode policies and the
theorem prover Z3 as the underlying solver.
These tools use logic to answer questions on the configu-
ration that return a list or questions on reachability that return
yes/no. Reference [12] postulates an approach for security
vulnerability management in systems by representing the
vulnerabilities in a system and corrective actions as a SAT
problem. Reference [13] describes an automated SMT-based
approach to prevent published vulnerabilities in components
used in a composite cloud service. Our research focuses on
representing the security properties of individual components
and verifying whether they hold good in conjunction as well
as satisfy a given set of security policy statements of an
organization to prove the composability of those components.
Although [10], [11], [12], and [13] have made good progress
in applying formal methods to answer questions on net-
work reachability, security configurations, and vulnerability
remediation, these do not address the general composability
of components with respect to a security policy. Our work
builds on utilizing the security property representation to
verify whether a given set of components can be composed
to assemble a larger system, focusing primarily on platform
components such as compute units, databases, and network
elements, which are the fundamental building blocks of a
cloud-based system.
III. REPRESENTATION OF SYSTEMS AND PROPERTIES
We require a simple and elegant notation to express the
properties of systems, problems, and proofs. Notations based
on mathematical symbols with a vocabulary much smaller
than that of a natural language can be easily combined
into expressions and manipulated using rules to produce
new expressions. Propositional Logic and First-Order Logic
(FOL) have been used extensively to represent knowledge
about the world and reason with that knowledge. One of the
major strengths of logical representation is expressiveness.
We use FOL, specifically Prolog, for the representation and
reasoning for our problem domain. Other choices include
C.A.R. Hoare’s Communicating Sequential Processes (CSP)
VOLUME 11, 2023
[14], TLA+ by Leslie Lamport [15], Portunes Algebra [16],
Vampire [18] and Datalog with Soufflé [19]. We preferred to
use Prolog because it is well known and has a better chance
of adoption given that people in academia and industry
are familiar with it. This section briefly introduces FOL
and discusses the representation of security and network
properties for a sample application.
A. A SHORT INTRODUCTION TO FOL
FOL uses terms, variables, constants, functions, and predi-
cates as its main elements. The signature of the FOL formula
is defined as follows:
X
= ⟨F, P, arr⟩
where F and P are disjoint sets of function and predicate
symbols, and arr is an arity function: F ∪ P → N giving the
number of parameters for F and P. A term can be an object,
a variable, a constant, or a function. A predicate p(t1 , . . . , tn )
is an atomic formula (atoms for short) where each ti is a term.
Predicates with zero arity are treated as propositions; hence,
the FOL subsumes propositional logic. Predicates capture the
properties of objects and their relationship as in
placement(computer_c1, vpc1, subnet1)
where the relationship indicates that computer c1 is in
subnet1 of vpc1. Logical connectives such as conjunc-
tion (∧), disjunction (∨), negation (¬), and quantification
(universal (∀) and existential (∃)) produce formulas. If a
quantifier does not cover a variable in a formula, it is free;
otherwise, it is bound. The use of variables helps compactly
represent knowledge. A formula or a term is called ground
if it has no occurrence of variables. Henceforth, facts will be
ground formulas in a FOL signature. The logical implications
are if-then rules. Quantified variables, predicates, logical
connectives, and implications are combined into expressive
formulas.
Reasoning is done by asserting facts and then deducing
new facts using implications. A definite clause is a general-
ized implication of the form [20]:
(p1 ∧ · · · ∧ pk ) → q.
All the free variables in a definite clause are assumed to be
universally quantified across the clause. If q is a propositional
symbol, a predicate, or a logical constant such as false, then
it is known as a Horn clause. An example is:
likes(X , Y ) ∧ likes(Y , X ) → buddies(X , Y ).
This implies that if X and Y like each other, they are buddies,
assuming the domain of discourse to be people. When
combined with facts likes (alice, bob) and likes
(bob, alice), we obtain a new assertion buddies
(alice, bob).
We use many-sorted FOL to represent the VPC resources
as liberal relations. We explain the sorts, predicates, and their
arguments used in the modeling later in subsection III-C.
139937
 K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations
Interested readers are referred to [21] for comprehensive
review of FOL.
B. PROLOG
To reason using facts and implications automatically, we use
a programming language. Prolog is the most widely used
logic programming language and follows the FOL style.
Implications in FOL are represented as rules in Prolog and
are valid Horn clauses. For example, an implication:
male(X ) ∧ child(X , Y ) → son(X , Y )
(X is male, and X is the child of Y implies X is the son of Y)
is represented in Prolog as follows:
son(X , Y ) : − male(X ), child(X , Y ).
The variables in the Prolog rules are implicitly universally
quantified. A Prolog program comprises facts and rules.
Given a knowledge base of facts and rules, we can pose
queries that are predicates with or without variables that
return yes or no answers or all objects for which the query
evaluates to true. For example, on starting the Prolog program
that has loaded the knowledge base of facts corresponding to
the predicates male(·) and child(·) and the above rule, one
can pose two types of queries:
• A query that returns yes or no as to whether someone is a
son of a given parent, as in ?- son(bob, john). The query
may return a true or false answer based on whether the
goal is evaluated to be true or false.
• A list query that returns the names of all sons of parent
john, as in ?- son(X , john). Variable X is implicitly
existentially qualified to mean returning at least one
object that evaluates this goal to be true. Prolog returns
all objects that satisfy the query using backtracking and
unification.
C. REPRESENTING AWS VPC RESOURCES AS LOGICAL
STATEMENTS
We briefly introduce the AWS VPC and explain our
methodology for representing VPC resources as logical
statements. The sample application (Figure 1 on Page
139936) is representative of typical two-tier architectures
with load balancers, where the incoming traffic is distributed
evenly to the back-end servers (i.e., compute units) that
connect to a database. The load balancer is in an external-
facing subnet, whereas the back-end servers and the database
are in internal subnets that are private and are not open to
the Internet. Operations team members who need to access
the servers will utilize Secure Shell (SSH) via a bastion
host, which could be either open to the Internet or to their
Company’s VPN IP address range that passes traffic to
the destination servers. In a distributed Video Conferencing
application, for example, the initial interaction of the user is
with such a system where the user’s credentials and meeting
identifiers will be validated by the back-end servers utilizing
the profile data of users stored in the databases and then
139938
redirected to the media servers where the meeting itself will
be hosted in a geographical location closest to the user.
1) AWS VPC
To establish the security context for our sample application
(Figure 1 on Page 139936), we briefly describe the VPC
concept in AWS. A VPC is a service that allows customers to
launch AWS resources in a logically isolated virtual network
that they define. An account may contain multiple VPC
instances. One can specify an IP address range for the VPC,
specify subnets (which are a range of IP addresses from the
main block) that are public and private, and use multiple
layers of security using Route Tables, Security Groups,
and Network Access Control Lists (NACL). A route table
specifies the VPC-level routing that is allowed, such as the
connection to the Internet via the Internet Gateway, peering
with other VPCs, and traffic between subnets. Security
groups in AWS explicitly define allowed traffic flows, often
specified as a tuple (protocol, port or port range, source IP).
Only explicitly specified traffic patterns are allowed. The
other flows are denied by default. In addition to the default
security group at the VPC level, the resources in the VPC,
such as the compute units and databases, will have associated
security groups. The NACL at the VPC subnet level controls
traffic to or from a subnet according to the inbound and
outbound rules. Security groups and NACLs offer ‘defense
in depth’ protection for VPC resources. These equivalent
Software Defined Networking (SDN) constructs act as virtual
firewalls to protect the network and resources.
2) VPC RESOURCES AS LOGICAL STATEMENTS
We now describe the modeling of the VPC construct and
its resources as many-sorted structures to build a knowledge
base (KB) of logical statements representing our sample
application [17].
We list the sorts that are used in our modeling to describe
the attributes of the system resources in Table 1.
The sort visibility_attribute is a set with
two values, private and public. This attribute denotes
whether the resource is public-facing or internal to the
VPC. The direction_attribute is a set with two
values ingress and egress and denotes a resource’s traffic
direction. The protocolnum_attribute is a set of
integers {6, 17, 1, −1}. 6 denotes TCP, 17 denotes
udp, 1 denotes icmp and −1 denotes all protocols. The
protocol_attribute is a set of protocol names {tcp,
udp, icmp, −1} where −1 denotes all protocols. The
permission_attribute is a set of two values, allow
and deny. The encryption_attribute is a set of two
values, encrypted and unencrypted.
We describe the predicates used in our implementation
over these sorts as follows. Table 2 presents the predicate
names and their arguments.
• The predicate vpc describes the VPC construct,
a logically isolated network in an AWS account in a
specific region with an IP address block. The sorts
VOLUME 11, 2023
K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations
TABLE 1. Predicate argument names and their sorts.
TABLE 2. Predicates and their arguments.
involved are inferred from the table 1. VpcId refers
to unique identifiers for VPCs in an AWS account,
IPAddressBlock refers to the non-intersecting IP
address blocks in the CIDR notation (a.b.c.d/n,
where a - d are octets and n is the number of consecutive
leading 1-bits from left to right in the subnet mask)
for the individual VPCs in an account, AccountId
refers to the unique numeric account Ids in AWS and
AWSRegion refers to the names of the AWS regions.
VOLUME 11, 2023
In the knowledge base, we will have several instances
of the relation vpc, one each for a VPC with a unique
ID, the corresponding IP address block, and the AWS
region name for a given AWS account where the VPC is
created.
• The predicate subnet describes a subnet within a VPC
identified by a unique subnet ID with the corresponding
IP address block and whether the subnet is public (i.e.,
Internet-facing) or private (internal-facing).
• The predicate nacl describes the Network Access
Control List (NACL) associated with the VPC and
its subnets. A VPC will have one or more NACLs,
but a subnet can be associated with only one NACL.
nacl_association associates a NACL with the
VPC and a subnet. AclId is a unique identifier for a
NACL in a region, AclAssocId is a unique identifier
that associates a NACL with a VPC and a subnet in it,
Direction indicates whether the traffic is ingress or
egress, RuleNo is an integer, and ProtocolNo identi-
fies the transport protocol. SourceIPAddress is the
IP address of the source where traffic originates from
in CIDR notation, FromPort and ToPort denote
the starting and ending port numbers respectively, and
Permission denotes whether the traffic is allowed or
denied.
• The predicate secgroup describes the Security
Group construct that enforces allowed traffic flows for
AWS resources such as compute units and databases.
SgName is a string, SgId is a unique identi-
fier for the security group, Direction is one of
(ingress, egress), (RuleNo) is the security group rune
number, Protocol identifies the transport protocol,
FromPort and ToPort are the starting and ending
port numbers. SourceIPAddress is the IP address
of the source where traffic originates from in CIDR
notation, and Description is a string.
• The predicate compute describes a compute unit.
InstanceName is a set of strings that may be used
to identify virtual machine instances, InstanceId
is a unique ID created by AWS to identify a vir-
tual machine instance, EncryptionStatus denotes
whether or not the virtual machine has its disk drives
encrypted, ModelName refers to one of the supported
compute types in AWS and PublicOrPrivate
indicates whether the compute unit is public-facing
or internal. Additionally, a compute unit’s placement
in a subnet of a VPC and its association with a
security group are described by placement and
secgrp_association predicates.
• The predicate rds describes a database unit. RdsName
is a string, EncryptionStatus indicates whether
the database is encrypted or not, and RdsType is
a string that represents the type of database such as
Postgres, and Aurora-MySQL. An rds relation will
have one or more associated placement relations
depending on how many subnets the RDS is created in as
139939
 K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations

well as one or more secgrp_association relations compute ( " compute_name " , " c o m p u t e _ i d " ,
connecting it to the associated security groups. unencrypted , " r5_2xlarge " , public ) .
• The predicate alb describes a load balancer. AlbName r d s ( " rds_name " , e n c r y p t e d , " p o s t g r e s " ) .
is a string, and AlbType is a string and refers to the p l a c e m e n t ( " compute_name " , " c o m p u t e _ i d " ,
type of load balancer, such as a network or application. compute , " v p c _ i d " , " s u b n e t _ i d " ) .
Similar to compute and rds predicates, alb relation p l a c e m e n t ( " r d s _ n a m e " , " r d s _ i d " , rdms , "
will have one or more associated placement relations vpc_id " , " subnet_id " ) .
depending on how many subnets the alb is created in as subnet ( " vpc_id " , " subnet_id " , ip
well as one or more secgrp_association relations (10 ,136 ,214 ,0/23) , public ) .
connecting it to the associated security groups.
The first fact describes a compute unit named compute_unit
• The predicate placement describes a resource’s
with an id compute_id. The second fact describes the
placement in a subnet within a VPC. Here, the
database unit named rds_name. The placement facts for
ResourceType will refer to VPC resources compute, rds,
the compute unit and the rds unit associate them with their
or alb, and the ResourceName and ResourceId
corresponding subnets where these resources are created.
will be the corresponding name and id for the resource,
The subnet fact describes the subnet configuration with id
respectively and SubnetId is the identifier of the
subnet_id.
subnet the resource is created in.
A resource is public if it is created in a public subnet.
• The predicate secgrp_association describes an
Expressing this behavior as an axiom requires us to describe a
association between a VPC resource and a security
system predicate isPublic and an implication statement in
group that governs traffic into and out of the resource.
terms of the resource predicates placement and subnet.
Here, the ResourceName and ResourceId will be
We express this as follows:
the name and identifier for the resource associated with
placement(X , _, _, _, Y ), subnet(_, Y , _, public) →
the security group with the name SgName and identifier
isPublic(X ).
SgId.
2) SECURITY POLICIES
D. COMPOSABILITY VERIFICATION MODELING
Once we have the knowledge base of the system, we can
1) KNOWLEDGE BASE
verify whether the components in the system satisfy the
The set P consists of all resource configuration predicates
security policies set by the administrators. For our study,
above (See Table 2). We assume, in addition to resource
we assume a set SPred of security policy goal predicates.
predicates, a set S of system predicates is used to describe
Each element of the set SPred is a predicate, spi , whose
certain behaviors or specifications of the system. Each
sorts we will leave unspecified since these depend upon the
element of the set S is a predicate, si , whose sorts we will
application. We represent security policies themselves as a
leave unspecified since these depend upon the application.
set SP of logical implication statements using the resource
We describe the system behavior using the resource config-
configuration and system predicates we described earlier and
uration predicates, and the system predicates as axioms that
security policy goal predicates. These security policies are of
are FOL implications. These axioms are of the form:
the form:
p1 (T˜1 ) ∧ · · · ∧ pk (T˜k ) → si (T̃ )
p1 (T˜1 ) ∧ · · · ∧ pk (T˜k ) ∧ s1 (T˜1′ ) ∧ · · · ∧ sn (T˜n′ ) → spi (T̃ )
where p1 , . . . , pk belong to P, si is a predicate in set S
where p1 . . . pk are the resource predicates, s1 . . . sn are the
and T̃ is a tuple of variables or constants of sorts described
system predicates, and T̃ is a tuple of variables or constants
in Table 1. These implications are axioms that are system-
of sorts, as explained before and spi is a security policy goal
dependent. Intuitively, we use these axioms to define certain
predicate in the set SPred.
characteristics, such as what it means for a VPC resource
Definition 2: Given a knowledge base KB = (P, S, A),
to be public or private based on network placement. Now,
a set of security policy statements SP, a security policy goal
we formally define Knowledge Base.
predicate spi (T̃ ) ∈ SPred, and T̃ a tuple of constants and
Definition 1: A Knowledge Base (KB) is a triple (P, S, A)
variables, ? − KB ∪ SP, spi (T̃ ) returns a set of assignments
consisting of a set of resource configuration predicates P, a set
Assn_Set to variables in T̃ such that for each assignment
of system predicates S, and a set of system behavioral axioms
ρ ∈ Assn_Set,
A of the form:
• KB ∪ SP |H spi (T̃ /ρ), where T̃ /ρ is interpreted as ρ
p1 (T˜1 ) ∧ · · · ∧ pk (T˜k ) → si (T̃ ). applied to T̃ .
In case T̃ consists of only constants, it returns true if KB ∪
We explain the KB contents with an example.
SP |H spi (T̃ ) and false otherwise.
Example 1: Consider the following facts using the
Remark 1: When we encode the above query in Prolog,
resource configuration predicates for a compute unit and a
false may be returned if Prolog finds no assignments or if
relational database unit.

139940 VOLUME 11, 2023

K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations
Prolog is not able to prove that KB ∪ SP |H spi (T̃ ) in the case
T̃ consists of only constants. Thus, a false output by Prolog
is distinct from the logical false, and care must be taken to
interpret it.
Given a goal predicate, say, composableCompute
pertaining to compute units, ? − KB ∪ SP,
composableCompute(X̃ ) will return a set of assign-
ments to X, which are the compute units that satisfy
the security policy on the configuration requirements
such as encryption, network placement, open ports, etc.
The remaining compute units do not compose securely
with regard to this policy, and those units could be
obtained using the negative goal predicate expression: ? −
KB ∪ SP, compute(X̃ ), not(composableCompute(X̃ )). We
explain this using the following example.
Example 2: Suppose we have the following system
axioms that describe system characteristics regarding the
encryption of a compute unit and placement in a private
subnet. An underscore denotes a don’t care value.
compute(X , _, Y , _, _) ∧ Y = encrypted →
encrypted(X ).
placement(X , _, _, _, Y ) ∧ subnet(_, Y , _, private) →
isPrivate(X ).
Assume we have a composableCompute goal pred-
icate defined in a security policy SP using the above
system predicates and the resource predicate compute:
compute(X , _, _, _, _) ∧ encrypted(X ) ∧ isPrivate(X ) →
composableCompute(X ).
The query: ? − KB ∪ SP, composableCompute(X )
will return all compute units that are encrypted and created
in a private subnet.
The query:
? − KB ∪ SP, compute(X , _, _, _, _),
not(composableCompute(X ))
will return the compute units that do not satisfy the policy.
IV. IMPLEMENTATION OF OUR APPROACH FOR A
SAMPLE APPLICATION
A. USING PROLOG TO REPRESENT THE FACTS AND
BEHAVIORS OF SYSTEM COMPONENTS
Using the predicates described above, we represent the
ground facts regarding a VPC and its resources using Prolog.
We describe the salient security properties of the components
using atomic formulas (i.e., Prolog facts). For example,
a compute unit is described by the following predicates:
compute ( i n s t a n c e _ n a m e , i n s t a n c e _ i d ,
encrypted , private) ,
that describes the compute unit.
placement ( instance_name , instance_id ,
compute , v p c _ i d , s u b n e t _ i d ) ,
which describes the network placement for the compute unit,
such as the subnet in which it is created and the vpc for the
subnet, and
VOLUME 11, 2023
s e c g r p _ a s s o c i a t i o n ( instance_name ,
i n s t a n c e _ i d , sg_name , s g _ i d ) ,
which associates with the security group that specifies the
ingress and egress rules for the compute unit.
Using rules in Prolog, we represent the characteristics or
behaviors that are FOL implications. An example is whether
a compute unit is encrypted. An underscore (_) denotes the
do not care values in the following statement:
e n c r y p t e d (X) :− compute (X, _ , Y, _ , _ ) ,
Y = encrypted .
This rule is equivalent to the logical statement:
compute(X , _, Y , _, _) ∧ Y = encrypted →
encrypted(X ). The consequent of the implication becomes
the head of the Prolog rule, and the antecedents are in the
body of the rule. The head and the body are separated by:-.
Another example of a behavior or a specification is to
specify if a resource is accessible over the Internet using the
Secure Shell protocol. The rule:
canSSHFromInternet(X) :- compute(X, _,_,
_, public), secgrp_association(X, _, Y,
_), secgroup(Y, _,ingress, _, _,
Fromport, Toport, ip(0,0,0,0/0), _),
Fromport \= null, between(Fromport,
Toport, 22),
states that one can access a compute unit using SSH if the
compute unit is public-facing and is associated with a security
group that permits ingress traffic on port 22. These general
rules are unlikely to change from one system to another for a
cloud provider.
We generated the knowledge base of logical statements
for the sample application using the model described
in Section III. The proposed implementation approach is
illustrated in (Figure 2). The inference model comprises two
components. The first is the knowledge base of the security
properties of the components in the system, which is an AWS
VPC in this example. These properties are ground atomic
formulas, which are Prolog facts in our implementation
corresponding to the individual component configurations in
the VPC. Additionally, we added network properties that are
common to all VPCs, such as what is meant by a component
that is public facing (i.e., open to the Internet), the reachability
of one component to the other, and so on. These properties are
system behavioral axioms. We automated the generation of
Prolog facts corresponding to the component configurations
using a bash shell program that utilized AWS’ Command Line
Interface (CLI) [23]. This program operates at an account
level to generate Prolog facts for all VPCs in that account
or individually for a given VPC through a command line
argument containing VPC_id [22]. The network properties
are coded manually as Prolog rules, which are implication
statements in the FOL. These facts and rules form the
knowledge base. The Security Policy is a set of Prolog
rules that we code manually because this can vary from
organization to organization and can be found in policy and
139941
 K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations

that VPC. AWS CLI, written in the Python programming

language, is used to query AWS services from command line
shells (such as bash, zsh, and tcsh on Linux and macOS, and
command prompt and PowerShell on Windows). The basic
structure of the command is [22]:
aws <command> <subcommand > [ o p t i o n s and
parameters ] .
For example, to get information about the compute units in a
FIGURE 2. Proposed implementation. VPC, the CLI command used is:
aws ec2 describe-instances [options and
parameters]
procedure documents in unstructured ways. The knowledge A sample set of options and parameters could be:
base and the Policy statements were fed to the Swi-Prolog -- filter Name=vpc-id,Values=<actual vpc
interpreter for policy checking. id>,
that filters out EC2 instances for a VPC with a given ID. The
B. AUTOMATIC GENERATION OF THE KNOWLEDGE BASE option:
FOR A VPC
--query 'Reservations[*].Instances[*].
In AWS, an application is deployed in a VPC for network { Instance:InstanceId,
isolation. A distributed application may be deployed in Subnet:SubnetId, Tags:Tags,
multiple VPCs in the same region as well as in different SecurityGroups:SecurityGroups,
regions and peered together if direct connectivity (i.e., using PrivateIpAddress:PrivateIpAddress,
private IP addresses) between them is needed. Each region PublicIpAddress:PublicIpAddress,
is a separate geographical area, such as us-west-2 (Oregon), InstanceType:InstanceType,
us-east-1 (Virginia), or eu-west-1 (Ireland). Each region BlockDeviceMappings:BlockDevice
will have multiple availability zones for redundancy. Each Mappings }'
availability zone comprises one or more discrete data centers --output json
[24]. A distributed application is designed and deployed with
specifies the parameters and the output format.
‘strong cohesion and loose coupling’ by having subsystems
We implemented a bash shell program that used AWS CLI
with different functionalities in their own VPCs and then
to gather configuration details and encoded them as Prolog
replicated to other regions for high availability. Certain
facts. The program can be run on any system that supports a
subsystems will be centralized in one or two regions for
bash shell. The credential required to run the program is an
disaster recovery and failover, and other subsystems will
access key and a secret access key pair. The program can fetch
be deployed in different regions for proximity to users.
the configurations for all VPCs in a region or a single VPC of
For example, in a Video Conferencing Service that is used
interest based on the argument passed at run time. We discuss
globally, an application layer that identifies and authenticates
the implementation details in the next two subsections.
users can be deployed in their own VPCs in two regions.
The application layer routes users to the media subsystem
C. GATHERING VPC CONFIGURATION
deployed in a region geographically closest to the users. The
The information about a VPC is queried using the command:
media layer is deployed in several regions worldwide for
high availability and reduced latency. However, each region’s aws ec2 describe-vpcs --vpc-ids vpcId
individual subsystem design and composition are the same The response is returned as a JSON object such as:
except for the IP address assignment, which will vary from {
region to region. "Vpcs": [
From a composability perspective, if an individual sub- {
system composition is sound in one VPC, we can infer that "CidrBlock": "10.0.0.0/16",
such a composition will be sound in every VPC with a "State": "available",
similar configuration. Similarly, if the connectivity between "VpcId": "vpc-id",
subsystems is sound in a region (for example, in the case of "OwnerId": "acct-id",
the application layer and media layer subsystems in the Video "CidrBlockAssociationSet": [
Conferencing system discussed above), we can draw the same { ... }
conclusion for other regions without having to repeat the ],
analysis. "Tags": [
To draw composability reasoning for a subsystem deployed { ... }
in a VPC with regard to a given security policy, we must ]
gather logical statements about each component deployed in }

139942 VOLUME 11, 2023

K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations

] The MapPublicIpOnLaunch attribute indicates whether

} a subnet is private or public. We encode these as the following
We encode this configuration in Prolog as: Prolog facts:
s u b n e t ( " vpc−i d " , " s u b n e t −i d 1 " , i p
vpc ( " vpc−i d " , i p ( 1 0 , 2 2 , 1 2 , 0 / 2 2 ) , " a c c t −
(10 ,1 ,0/24) , public ) .
i d " , us−west −2) .
s u b n e t ( " vpc−i d " , " s u b n e t −i d 2 " , i p
The fact vpc describes the VPC by its ID, its CIDR (10 ,0 ,0 ,0/24) , private) .
block, the AWS account ID, and the region it is created in. A network access control list (NACL) acts as a firewall for the
The parameters vpc-id and acct-id are the actual identifiers VPC that controls traffic in and out of the subnets. Multiple
returned in the JSON response, and us-west-2 is the AWS subnets can be associated with a NACL entry identified by
region where the VPC is located and is passed on as a an id, but each subnet can be associated with only a single
configuration parameter for the shell program. We represent NACL entry. NACL entries are evaluated in order of priority
the IP addresses in the CIDR notation as ip(a, b, c, d)/n, according to the rule number from low to high preference
where a - d are octets corresponding to the IP address and n order. The default-deny rule will apply if none of the NACL
is the number of bits in the subnet mask. We use this notation entries matches. We fetch the NACL configuration using the
to easily match the IP addresses and check whether a given CLI command:
IP address is in the CIDR block using Prolog.
aws ec2 describe-network-acls --filter
Similarly, we fetch salient VPC configurations, such as
``Name-=vpc-id, Values=vpcId''.
subnets, network access control lists (NACL), and security
The response is an array of NACL entries as JSON objects.
groups, and encode them as Prolog statements as explained
A NACL entry has a NACL id, an association id with each
below:
subnet to which the NACL applies, and a set of ingress and
A subnet is a range of IP addresses in a single availability
egress rules. A sample is provided below. Please note that
zone. Resources such as compute units and databases are
we have masked the suffix of various ids that are in hex
deployed in a subnet. The AWS CLI command:
and replaced it with a placeholder ‘id1’. JSON format does
aws ec2 describe-subnets --filters not allow comments. We have included the comments for
"Name-=vpc-id, Values=vpcId" explanatory purposes only.
returns a JSON array such as: {
{ "NetworkAcls": [
"Subnets": [ {
{ "Associations": [
"AvailabilityZone": {
"us-west-2b", "NetworkAclAssociationId":
"CidrBlock": "10.0.1.0/24", "acl-id1",
"MapPublicIpOnLaunch": true, "NetworkAclId": "acl-id1",
"SubnetId": "subnet-id1", "SubnetId": "subnet-id1"
"VpcId": "vpc-id", },
"OwnerId": "acct-id", { ..... }
"Tags": [ ],
], "Entries": [// Egress Ingress rules
"SubnetArn": "subnet arn" {// Permits SSH traffic to the
}, Internet
{ "CidrBlock": "0.0.0.0/0",
"AvailabilityZone": "Egress": true,
"us-west-2a", "PortRange": {
"CidrBlock": "10.0.0.0/24", "From": 22,
"MapPublicIpOnLaunch": false, "To": 22
"SubnetId": "subnet-id2", },
"VpcId": "vpc-id", "Protocol": "6",
"OwnerId": "acct-id", "RuleAction": "allow",
"Tags": [ "RuleNumber": 200
], },
"SubnetArn": "subnet arn" {// Default deny rule
} "CidrBlock": "0.0.0.0/0",
] "Egress": true,
} "Protocol": "-1",

VOLUME 11, 2023 139943

 K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations

"RuleAction": "deny", subnet level and provide an extra layer of protection if the
"RuleNumber": 1000 security groups are overly permissive.
},
s e c g r o u p ( " sg−name " , " sg−i d " , i n g r e s s , 0 ,
{ // Permits SSH traffic from
tcp , 0 , 65535 , i p ( a , b , c , d / 3 2 ) , n u l l )
subnets
.
"CidrBlock": "10.0.1.0/24",
s e c g r o u p ( " sg−name " , " sg−i d " , i n g r e s s , 2 ,
"Egress": false,
t c p , 2 2 , 2 2 , i p (w, x , y . z / 3 2 ) , n u l l ) .
"PortRange": {
s e c g r o u p ( " sg−name " , " sg−i d " , e g r e s s , 0 ,
"From": 22,
−1, 0 , 6 5 5 3 5 , i p ( 0 , 0 , 0 , 0 / 0 ) , n u l l ) .
"To": 22
}, The fact secgroup uses the following schema:
"Protocol": "6",
s e c g r o u p ( name , i d , i n g r e s s / e g r e s s , r u l e
"RuleAction": "allow",
t y p e , p r o t o c o l ( t c p , udp , e t c , . ) ,
"RuleNumber": 200
from p o r t , t o ~ p o r t , s o u r c e /
},
d e s t i n a t i o n , and d e s c r i p t i o n ) .
{ ..... }
], For example,
"IsDefault": false,
s e c g r o u p ( l a u n c h −w i z a r d −2 , " sg −0
"NetworkAclId": "acl-id1",
e37d454d98079623 " , i n g r e s s , 0 , t c p ,
"Tags": [
22 , 22 , ip ( 0 , 0 , 0 , 0 / 0 ) , n u l l )
{
"Key": "BILLING", specifies that ingress access from the Internet (0.0.0.0/0) to
"Value": "RD" port 22 (SSH) is allowed.
},
< more tags > D. REPRESENTATION OF VPC RESOURCES
] The fact compute describes a compute unit with its instance
}, name, instance ID, encrypted or unencrypted volume used,
< more associations > type or model of the unit, and whether it is public or
] private. The fact placement describes the vpc and the
} subnet in which the compute unit is created, and the fact
The corresponding Prolog facts are: secgrp_association relates the security group name
and the security group ID with the unit.
n a c l _ a s s o c i a t i o n ( " vpc−i d " , " a c l a s s o c −i d 1
" , " a c l −i d 1 " , " s u b n e t −i d 1 " ) . s e c g r p _ a s s o c i a t i o n ( " i n s t a n c e −name " , "
n a c l ( " vpc−i d " , " a c l −i d 1 " , e g r e s s , 2 0 0 , i n s t a n c e −i d " , " sg−name " , " sg−i d " ) .
6 , 22 , 22 , ip ( 0 , 0 , 0 , 0 / 0 ) , allow ) . compute ( " i n s t a n c e −name " , " i n s t a n c e −i d " ,
n a c l ( " vpc−i d " , " a c l −i d 1 " , i n g r e s s , 2 0 0 , unencrypted , " c5_2xlarge " , private ) .
6 , 22 , 22 , ip ( 1 0 . 0 . 1 . 0 / 2 4 ) , allow ) . p l a c e m e n t ( " i n s t a n c e −name " , " i n s t a n c e −i d "
n a c l ( " vpc−i d " , " a c l −i d 1 " , e g r e s s , 1 0 0 0 , , compute , " vpc−i d " , " s u b n e t −i d 1 " ) .
−1, −1, −1, i p ( 0 , 0 , 0 , 0 / 0 ) , deny ) .
The fact alb describes a load balancer by its name
The fact nacl_association describes the relationship and type, such as ‘application’ or ‘network’. The fact
between the subnets and the NACL groups in a VPC. The placement connects the vpc and the subnets the load
fact nacl describes a nacl entry by the vpc-id it is associated balancer is associated with.
with, the acl ID, the rule type - ingress or egress, the rule
a l b ( " a l b −name " , a p p l i c a t i o n ) .
number, the protocol (such as TCP as identified by the
p l a c e m e n t ( " l b −name " , " lbname−i d . e l b . us−
numeral 6), beginning port number, ending port number, the
west −2. amazonaws . com " , a l b , " vpc−i d " ,
source IP address, and the action, allow or deny.
" s u b n e t −i d 1 " ) .
Similarly, we encoded the Prolog facts corresponding to
p l a c e m e n t ( " l b −name " , " lbname−i d . e l b . us−
the security groups based on the responses for the correspond-
west −2. amazonaws . com " , a l b , " vpc−i d " ,
ing CLI commands. In addition to NACLs, security groups
" s u b n e t −i d 2 " ) .
are associated with resources in the VPC. While NACLs
p l a c e m e n t ( " l b −name " , " lbname−i d . e l b . us−
support ‘allow’ and ‘deny’ rules, security groups only support
west −2. amazonaws . com " , a l b , " vpc−i d " ,
‘allow’ rules. NACLs are stateless, and return traffic has to
" s u b n e t −i d 3 " ) .
be permitted by explicit rules, unlike security groups where
return traffic is automatically permitted. Because NACLs are The fact rds describes the rds instance by its name,
at the subnet level, the rules apply to all resources at this whether encrypted at rest or not, and the type of

139944 VOLUME 11, 2023

K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations
TABLE 3. Sample VPC configuration.
TABLE 4. Sample VPC resource configuration.
database - MySQL, Postgres, and so on. Similar to the
fact compute, there is an associated placement fact that
describes the vpc and subnet in which the rds instance is
created, and a secgrp_association fact that connects
it with its security group name and its ID.
r d s ( " r d s −name " , e n c r y p t e d , " p o s t g r e s " ) .
p l a c e m e n t ( " r d s −name " , " db−r e s o u r c e i d " ,
rdms , " vpc−i d " , " s u b n e t −i d 1 " ) .
p l a c e m e n t ( " r d s −name " , " db−r e s o u r c e i d " ,
rdms , " vpc−i d " , " s u b n e t −i d 2 " ) .
s e c g r p _ a s s o c i a t i o n ( " r d s −name " , " db−
r e s o u r c e i d " , " sg−name " , " sg−i d " ) .
Prolog facts for our sample VPC (Figure 1) and its
resources are presented in Tables 3 and 4. The resources
considered are compute units, a bastion host, a load balancer,
and a relational database. We have substituted placeholders
for the actual resource names and resource IDs. In the next
subsection, we discuss how we use Prolog rules to represent
the semantics of network properties and security policies.
As discussed above, the facts are automatically created from
the AWS account using a shell program and AWS CLI.
E. REPRESENTATION OF NETWORK PROPERTIES
We represent the network properties in the form of rules.
The properties are generic and are based on the schema we
decided on for the security properties of the components in
VOLUME 11, 2023
subsections IV-C and IV-D. For example, a resource is public
if it is created in a public-facing subnet. A compute unit is
accessible from the Internet via SSH if the unit is public
and has an associated security group that permits the SSH
protocol.
i s P u b l i c (X) :− p l a c e m e n t (X, _ , _ , _ , Y) ,
s u b n e t ( _ , Y, _ , p u b l i c ) .
i s P r i v a t e (X) :− p l a c e m e n t (X, _ , _ , _ , Y) ,
s u b n e t ( _ , Y, _ , p r i v a t e ) .
A resource X is public if it is in a subnet Y, which is public.
c a n S S H F r o m I n t e r n e t (X) :− i s P u b l i c (X) ,
s e c g r p _ a s s o c i a t i o n (X, _ , Y, _ ) ,
s e c g r o u p (Y, _ , i n g r e s s , _ , −1, n u l l ,
null , ip (0 ,0 ,0 ,0/0) , _ ) .
c a n S S H F r o m I n t e r n e t (X) :− i s P u b l i c (X) ,
s e c g r p _ a s s o c i a t i o n (X, _ , Y, _ ) ,
s e c g r o u p (Y, _ , i n g r e s s , _ , t c p ,
FromPort , T o P o r t , i p ( 0 , 0 , 0 , 0 / 0 ) , _
),
F r o m P o r t \ = n u l l , b e t w e e n ( FromPort ,
ToPort , 22) .
The first SSH rule handles a security group that opens all
ports (indicated by null) pertaining to all protocols (indicated
by -1) to the Internet and includes TCP port 22. The second
rule explicitly checks whether the TCP port 22 is within the
specified range.
F. REPRESENTATION OF SECURITY POLICIES IN PROLOG
Security policies can be rules or facts that specify required
conditions. For example, encryption at rest for compute and
database instances is coded as:
e n c r y p t e d (X) :− compute (X, _ , Y, _ , _ ) ,
Y = encrypted .
r d s E n c r y p t i o n A t R e s t (X) :− r d s (X, Y, _ ) , Y
= encrypted .
Similarly, traffic to standard ports such as TCP ports 22, 80,
and 443 can be specified, and the security groups that permit
traffic to other ports can be identified using the following rule:
n o n C o m p l i a n t S e c G r o u p ( ID ) :− s e c g r o u p ( ID ,
_ , i n g r e s s , _ , _ , X, _ , i p
( 0 , 0 , 0 , 0 / 0 ) , _ ) , n o t ( memberchk (X,
[443 , 80 , 2 2 ] ) ) .
The following policy rules specify the conditions for the
composability of EC2 instances and database instances.
composableCompute (X) :− e n c r y p t e d (X) , (
i s P r i v a t e (X) ;
( n o t ( c a n S S H F r o m I n t e r n e t (X) ) ,
s e c g r p _ a s s o c i a t i o n (X, _ , Y, _ ) ,
n o t ( n o n C o m p l i a n t S e c G r o u p (Y) ) ) ) .
composableRDS (X) :− r d s E n c r y p t i o n A t R e s t (
X) , i s P r i v a t e (X) .
139945
 K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations
The compute composability rule requires an instance to
use only encrypted disk storage, to be in a private subnet or
not publicly reachable over SSH, and not have TCP ports
open to the Internet other than the standard ports permitted
by the policy. The rds composability requires the rds instance
to be encrypted at rest and to be in a private subnet. If we
apply these two rules to the facts in Tables 3 and 4, none of
the compute units will satisfy the composability conditions
because all of them are in public subnets, but the rds instance
will be composable because it is in a private subnet and is
encrypted.
G. VULNERABILITIES IDENTIFIABLE FROM COMPONENT
CONFIGURATIONS
While AWS provides building blocks, it is still left to
the customers to configure them securely under the shared
responsibility model. For example, one can launch a compute
unit but could configure it in the following insecure ways:
• Use the elastic block storage without encryption, leaving
the information stored in the volume available for cloud
providers to access.
• Set up the compute unit to be Internet-facing with SSH
ports open, leaving it discoverable on the Internet for
password brute forcing and other attacks.
• Expose the services to the Internet directly without a
load balancer for hackers to be able to fingerprint the
services running on the compute instance for planning
attacks based on published vulnerabilities.
Similarly, one can launch a database instance without
encryption at rest and with a public IP address, making it
susceptible to password attacks and eventual data breaches.
We consider these two categories of vulnerabilities arising
from misconfigurations in this paper. This can be expanded
to include improper handling of access key/secret key pairs,
not enabling multi-factor authentication for users, not using
the right TLS protocol versions for protecting data in transit,
etc.
The security policies are designed to detect and address
vulnerabilities. While we can identify the components that
are composable with regards to a given policy, we can also
enumerate the ones that do not compose using the negative
goal predicate. For example, if a compute unit does not satisfy
the goal predicate encrypted(X) for compute units, then
we can infer that there is a vulnerability due to the lack of
encryption at rest for the elastic block storage. Similarly,
we can identify compute units that are in the public subnet
and hence will be discoverable for brute force attacks.
Example 3: Given a KB of compute units, we can list the
compute units that are not encrypted or in a public subnet
using the following queries. An underscore denotes don’t care
values.
compute(X , _, _, _, _), not(encrypted(X )).
compute(X , _, _, _, _), not(isPrivate(X )).
Example 4: Another example is the composability rule
for database instances. We can identify vulnerable database
instances using the negative predicate goal as follows:
139946
rds(X , _, _), not(composableRDS(X )).
Any values returned for X will denote database instances
that are either not encrypted or public-facing.
We presented an approach to building the KB of security
properties of individual components as logical facts, repre-
senting security policies as rules and reasoning about them to
verify whether the facts satisfy the policies. This approach is
general and can be applied to large distributed systems such
as banking and financial or video conferencing applications
because these systems are built using components such as
VPCs, compute units, and databases, which are the basic
building blocks. There will be several thousands of similar
facts for such systems. Resource configuration facts and
system behavior rules can be added to the framework
we discussed for more components, such as queuing,
notification, and identity and access management. Security
policy rules can be coded based on the application domain and
verified using the properties of the individual components to
prove the soundness of the composition.
H. VERIFYING THE SECURITY POLICY STATEMENTS
The components compose securely if and only if every
statement in the security policy is satisfied by the combined
model of the components. For example, if we want to
verify the security policy that all compute units should have
their EBS volumes encrypted, the statement is posed as a
query: encrypted(X). Prolog returns the compute units with
encrypted EBS volumes. Similarly, assume a security policy
where all compute units and database instances must be in
private subnets as specified in the statement:
i s P r i v a t e (X) , ( compute (X, _ , _ , _ , _ ) ; r d s (X,
_ , _) ) .
When issuing this query, X will be instantiated to the compute
units and rds instances in the private subnet, and the query will
succeed.
Thus, composable building blocks such as compute units
and database instances can be assembled from a given VPC
configuration and network properties. Two such sample rules
are composableCompute and composableRDS presented
in subsection IV-E.
V. PERFORMANCE EVALUATION AND COMPOSITION AS
A WAY TO SCALE
We implemented our prototype using a bash script and AWS
Command Line Interface to fetch the configuration of VPCs
in the AWS account and the compute, rds, and load balancer
resources contained within it and translate them into Prolog
facts as we described in section IV on Page 139941. The
program is general and can be run on any AWS account
using an access key and a secret access key pair. The program
enumerates through VPC-level network configurations such
as subnets, network access control lists (NACLs), security
groups, and resources such as compute units and database
instances and their attributes. The configuration information
is written as Prolog facts in a file. We manually verified
VOLUME 11, 2023
K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations
TABLE 5. Time taken for KB generation (s).
the program output using the AWS resource configuration
information for subnets, NACLs, security groups, compute
units, load balancers, and RDS instances to ensure the
correctness of the mapping. Network properties, such as
canSSHFromInternet and Security Policies, are coded as
Prolog rules manually. The program includes the required
Prolog libraries and the rules file in the output file, so the Swi-
Prolog (swipl) interpreter can be directly invoked to process
it. KB generation was tested using the bash script and AWS
CLI on a MacBook Pro running macOS Monterey version
12.5 with a 2.6GHz 6-Core Intel Core i7 processor and 16GB
of memory. The statistics for generating the KB for a VPC
with 423 resources and their corresponding 1561 facts are
shown in table 5. The CLI takes 1 - 3 seconds to return the
resource information in the JSON format. More time is spent
parsing and generating facts about the security groups and
compute units. We use the jq utility to parse and extract
data elements from JSON documents. Multiple invocations of
jq contribute to the increased time spent processing security
groups and computing unit information.
We experimented with the knowledge base generation
program on larger AWS systems, iterating through every
AWS region in an account, and then within each region, every
VPC and gathered the resource configuration information
at the VPC level. The seven KBs we generated from AWS
accounts consisted of 520 to 27,305 facts corresponding to
5 to 60 VPCs, as shown in Table 7. The running time to
generate the KBs roughly corresponds to the per-fact elapsed
time listed in Table 5.
We used Swi-Prolog version 8.2.4 on a MacBook Pro for
the study. When the Prolog KB with policy rules outlined
in subsection IV-F on Page 139945 was run in Swi-Prolog,
we measured the elapsed time for the typical composition
rules. We used the time predicate to measure the number
of inferences involved in a goal and the average time taken
based on 10,000 executions of the goal. For example, for
the goal composableRDS(X ), the number of inferences was
four, and the elapsed time was 4 µs to return one answer. For
the list query, composableRDSList(), that returns 11 of the
12 composable RDS instances from our KB of 6,722 facts,
the number of inferences was 102, and the elapsed time was
55 µs. The one RDS instance that was not returned in the
results was due to the instance not using encryption at rest,
which violated the security policy. The results are presented
VOLUME 11, 2023
TABLE 6. Execution time for verification - DB instances (time in µs).
TABLE 7. Execution time for verification - compute instances (µs).
in Table 6. The average time taken per RDS instance is 4
to 5.5 µs.
Similarly, for the goal composableCompute(X ), the
number of inferences was four, and the time taken
was 5 µs to return a single answer, whereas, for
composableComputeList(X ), the average response time
for a compute instance varies from 6.63 µs to 12.43 µs
depending on the amount of backtracking involved during
processing. The results are presented in Table 7 for various
counts of compute instances in a real-life system we
experimented with. As shown in Figure 3, the average
response time increases as the number of compute units
increases due to search cost. The average number of
inferences decreases slightly as the number of compute units
increases, but this could be impacted by the increased amount
of backtracking if there are more non-compliant compute
units. Figure 4 shows that as the number of facts increases
in the KB, the average response time per result returned
increases due to increased search cost. This aligns with the
average response time trend in Figure 3 since the compute
units contribute to the facts more significantly than the RDS
instances. Overall, we conclude that the response time range
of 5 to 12.43 µs per component is acceptable in practical
systems where security policy evaluation is conducted as a
background activity during an initial design of the system and
when there are changes to the system during release cycles,
unlike online transaction processing involving users.
We further analyzed the response time and the number
of inferences for the subgoals in the composability rule for
compute units:
composableCompute (X) :− e n c r y p t e d (X) , (
i s P r i v a t e (X) ;
( n o t ( c a n S S H F r o m I n t e r n e t (X) ) ,
s e c g r p _ a s s o c i a t i o n ( _ , X, Y, _ ) ,
n o t ( n o n C o m p l i a n t S e c G r o u p (Y) ) ) ) .
139947
 K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations

TABLE 8. Comparison of response time for the combined goal and the
conditions in the body of the rule (µs).

FIGURE 3. Average response time in µs and number of inferences Vs

number of compute units involved.

FIGURE 5. Analysis of response times for subconditions.

TABLE 9. Comparison of inferences for the combined goal and the

FIGURE 4. Average response time in µs Vs total number of facts involved. conditions in the body of the rule.

c o m p o s a b l e C o m p u t e L i s t ( L ) :−
f i n d a l l (X, composableCompute (X) , Y) ,
s o r t (Y, L ) .
We measured the average response times and the number
of inferences based on 10,000 executions for each of the
conditions in the body of the rule, encrypted, isPrivate, the
not conditions:
( n o t ( c a n S S H F r o m I n t e r n e t (X) ) ,
s e c g r p _ a s s o c i a t i o n ( _ , X, Y, _ ) , n o t (
n o n C o m p l i a n t S e c G r o u p (Y) ) ) ,
as well as the OR (isPrivate; not conditions) combination.
The sum of splits is the sum of the results for encrypted and
the OR condition. The results are presented in Table 8 and
Figure 5.
We can conclude from this analysis that the sum of
response times of individual conditions in the body is roughly
equal to that of the overall goal except in the case where
there is more backtracking due to individual subgoal failures
that increase the overall average response time, whereas the
response time of individual subgoals without the influence of FIGURE 6. Analysis of average inferences for subconditions.
other subgoals are lower.
Similarly, we analyzed the Inferences for the overall goal
and the conditions in the body of the rule and have presented We observe that there is a constant overhead when the
the results in Table 9 and Figure 6. number of compute units in the result is smaller, which

139948 VOLUME 11, 2023

K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations
TABLE 10. Average response time (µs) and inferences for the
non-compliant compute units.
FIGURE 7. Average response time in µs and inferences to retrieve
non-compliant compute units in the System.
increases the average number of inferences but decreases as
the number increases. The result set where more instances
do not satisfy the goal, there is more backtracking, which
increases the number of inferences. The general pattern of
response time and inferences remains consistent for both the
combined goal and the subgoals and is linear.
We also studied the response time and average number of
inferences for retrieving the list of compute units that do not
conform to the security policy and hence are vulnerable to
common attacks explained in subsection IV-G on Page 12.
This list complements the list of composable compute units
and is useful information for the operations personnel to
remediate them to comply with the security policy. The
results are presented in Table 10 and Figure 7.
Practitioners can concentrate on just getting the list of
non-compliant components in a system to address the issues
and then, for double checking, perform a compliance check to
ensure that all components are returned in the composability
query.
A. EXTENSIBILITY OF THE PROLOG FRAMEWORK
While Prolog is not efficient for number crunching and rep-
resenting complex data structures and lacks rich input/output
interfaces, its declarative style makes it easy to represent
knowledge as facts and rules, and the built-in backtrack-
ing, pattern matching, and recursion make it suitable for
searching through the KB, returning all possible results and
writing compact and understandable programs for symbolic
computation.
VOLUME 11, 2023
Our framework is extensible to add additional components
and the corresponding facts and rules and requires declaring
the arity of the new predicates at the beginning of the KB file.
B. COMPOSITION AS A WAY TO SCALE
When the security properties of individual components are
known, they can be analyzed for conformance with a given
security policy. When combining such components to form a
larger system, we do not have to re-analyze them individually
but perform a quick check on the combined set of properties.
Thus, composing a system using components with known
security properties is a practical method for building large-
scale systems. Given a set of security policy statements, any
component that satisfies these is a composable construct.
A larger system built using such composable constructs
would offer sound assurance from a security perspective.
If a component c1 ’s security properties entail a security
policy SP (Pc1 |H SP) and another component c2 ’s
security properties also entail the same policy (Pc2 |H SP)
individually, then the combined system consisting of c1 and
c2 entails the policy P (Pc1 ∩ Pc2 |H SP). We extend this
to c1 , . . . , cn as (∩ni=1 Pci ) |H SP). Though the knowledge
base of security properties of components is the union of the
statements, semantically, the model shrinks as we add more
facts and rules due to the implied conjunction.
C. EXTENSION TO LARGE SCALE SYSTEM COMPOSITION
Large-scale systems utilize several AWS regions worldwide.
Each region uses multiple availability zones for redundancy.
When a software system is deployed in such distributed
environments, the deployment is standardized with templates
using AWS cloudformation or terraform software tools.
The configuration of the system in each region in terms
of VPCs and the topology of the application with load
balancers, compute units, database servers, and the associated
security groups are templatized. This way, a larger distributed
system is built using the building blocks deployed in each
region utilizing multiple availability zones. Our approach
automatically converts the security groups and network
access control lists of such building blocks into equivalent
Prolog statements. The statements can then be verified
against the organization’s security policy. If the statements
satisfy the security policy in one region, the combined system
will also satisfy the same policy because of the identical
configuration of the system in the other regions. As a double-
check, verification per region can still be performed.
1) CONTINUOUS VERIFICATION
Security is not a point in time but a continuous process. While
VPC configurations and individual resource configurations
change during the application life cycle from release to
release, the security policies to be satisfied are comparatively
static. During each release cycle, the VPC configuration
can be gathered, versioned, and analyzed against security
policies. Thus, one can evaluate how configurations change or
139949
 K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations
FIGURE 8. Security policy verification framework.
drift over a period of time. The framework shown in Figure 8
can be automated for DevSecOps.
VI. LIMITATIONS OF THE STUDY AND FUTURE WORK
Our study covers a few cloud infrastructure components that
are most prevalent in practical systems. To make the approach
more practical, we should extend our implementation to cover
all relevant infrastructure components, including server-less
computes known as Lambdas, Queuing, Notification, and
Logging frameworks. We map the component configuration
into logical statements using a schema that we think is
sufficiently expressive to prove if the configuration satisfies
a given security policy. We can add additional features of
the components to the facts, such as backup retention and
replication in the case of databases. Additionally, security
teams generally write security policy statements in natural
language. Translating them into Prolog facts and rules
requires manual work unless a powerful natural language
processing approach is used in automation. We used a shell
script and AWS Command Line Interface to automate the
generation of Prolog facts corresponding to the configuration
of the chosen components. For flexibility and better perfor-
mance, this could be done in a language such as Java and
made more generic to handle other cloud platforms such
as Microsoft Azure and Google Cloud Platform. Although
we provided the necessary logical framework for the study,
we need to extend the formalism to be more general.
A. FUTURE WORK
KB generation will be implemented using a high-level
language for portability. This framework can be incorporated
into a cloud system, as in Figure 8. The KB generator
and updater can run in the AWS account as a Lambda,
and the knowledge base can be stored in a database
such as a DynamoDB indexed by the pair (region, VPC).
To continuously update the facts when changes occur in the
VPC resources, a Lambda function can be invoked when
change notifications occur via a Simple Notification Service
(SNS) and Simple Queue Service (SQS). Resource changes
can be gathered and added to the KB in a version-controlled
manner. The policy checker run in another Lambda function
139950
can be triggered by the same notification to analyze if there
are violations in near real-time. Automatic remediation can
also roll back the changes and notify stakeholders. The
configurations of individual resources become composable
constructs for an organization’s security policy. Standard
terraform or cloudformation templates can be developed for
these components with known security properties to compose
new systems guaranteed to satisfy the organization’s policies.
VII. CONCLUSION
Although composability is a hard problem, identifying the
components that satisfy a given security policy to compose
a larger system is of practical importance, particularly in
cloud environments. We presented a framework using FOL
to analyze the composability of components and identify the
composable constructs that satisfy a given security policy.
Our approach focused on the composability of components
from a security policy perspective. We applied our method to
analyze the virtual private cloud in AWS by translating the
configuration information into Prolog facts and combining
them with rules representing the policies and network
properties. We could show the components that satisfy a
given policy and those that do not. We posit that assembling
a large-scale system with composable constructs - compute
units, databases, and perimeter security nodes such as bastion
hosts, ensures that the combined system will satisfy the
overall security policy without re-analyzing the components
after the system is built. This study can be extended to create
composable constructs, assemble a large-scale system using
those constructs, and re-validate when the system changes to
identify and correct drifts.
REFERENCES
[1] Amazon Web Services. (2023). AWS Shared Responsibility. [Online].
Available: https://aws.amazon.com/compliance/shared-responsibility-
model/
[2] The Open Worldwide Application Security Project. OWASP Top 10.
Accessed: Nov. 26, 2023. [Online]. Available: https://owasp.org/www-
project-top-ten/
[3] J. M. Wing, ‘‘A symbiotic relationship between formal methods and
security,’’ in Proc. Comput. Secur., Dependability, Assurance, Needs
Solutions, Williamsburg, VA, USA, 1998, pp. 26–38.
[4] E. M. Clarke and J. M. Wing, ‘‘Formal methods: State of the art and future
directions,’’ ACM Comput. Surveys, vol. 28, no. 4, pp. 626–643, Dec. 1996.
[5] L. Lamport, ‘‘The temporal logic of actions,’’ ACM Trans. Program. Lang.
Syst., vol. 16, no. 3, pp. 872–923, May 1994.
[6] C. Newcombe, T. Rath, F. Zhang, B. Munteanu, M. Brooker, and
M. Deardeuff, ‘‘How Amazon uses formal methods,’’ Commun. ACM,
vol. 58, no. 4, pp. 66–73, Apr. 2015.
[7] D. McCullough, ‘‘A hookup theorem for multilevel security,’’ IEEE Trans.
Softw. Eng., vol. 16, no. 6, pp. 563–568, Jun. 1990.
[8] J. A. McDermid and Q. Shi, ‘‘Secure composition of systems,’’ in Proc.
8th Annu. Comput. Secur. Appl. Conf., San Antonio, TX, USA, 1992,
pp. 112–122.
[9] R. Canetti, Y. Dodis, R. Pass, and S. Walfish, ‘‘Universally composable
security with global setup,’’ in Theory of Cryptography (Lecture Notes
in Computer Science), vol. 4392. Berlin, Germany: Springer, 2007,
pp. 61–85, doi: 10.1007/978-3-540-70936-7_4.
[10] J. Backes, S. Bayless, B. Cook, C. Dodge, A. Gacek, A. J. Hu, T. Kahsai,
B. Kocik, E. Kotelnikov, J. Kukovec, and S. McLaughlin, ‘‘Reachability
analysis for AWS-based networks,’’ in Computer Aided Verification
Lecture Notes in Computer Science), vol. 11562, Cham, Switzerland:
Springer, 2019, pp. 231–241, doi: 10.1007/978-3-030-25543-5_14.
VOLUME 11, 2023
K. Muniasamy et al.: Analyzing Component Composability of Cloud Security Configurations

[11] K. Jeyaraman, N. Bjorner, G. Outhred, and C. Haufman. Accessed: ROHIT CHADHA received the B.Tech. degree in
Nov. 26, 2023. Automated Analysis and Debugging of Network Poli- computer science and engineering from the Indian
cies. [Online]. Available: https://www.microsoft.com/en-us/research/ wp- Institute of Technology, New Delhi, India, in 1997,
content/uploads/2016/02/secguru.pdf and the Ph.D. degree from the Department of
[12] M. Barrére, R. Badonnel, and O. Festor, ‘‘A SAT-based autonomous Mathematics, University of Pennsylvania, in 2003.
strategy for security vulnerability management,’’ in Proc. IEEE Netw. He is currently an Associate Professor with the
Operations Manag. Symp. (NOMS), Krakow, Poland, May 2014, pp. 1–9, Department of Electrical Engineering and Com-
doi: 10.1109/NOMS.2014.6838309.
puter Science, University of Missouri, Columbia,
[13] M. Oulaaffart, R. Badonnel, and C. Bianco, ‘‘An automated SMT-
and the Director of the Mizzou Cybersecurity
based security framework for supporting migrations in cloud composite
services,’’ in Proc. IEEE/IFIP Netw. Operations Manage. Symp., Budapest,
Center. He has held research positions with
Hungary, Apr. 2022, pp. 1–9, doi: 10.1109/NOMS54207.2022.9789768. INRIA, Saclay, France; the University of Illinois at Urbana–Champaign;
[14] C. A. R. Hoare, Communicating Sequential Processes. Upper Saddle River, Instituto Superior Tecnico, Portugal; and the University of Sussex, U.K. His
NJ, USA: Prentice-Hall, 1985. research interest includes formal engineering methods for computer security.
[15] L. Lamport, Specifying Systems: The TLA+ Language and Tools for
Hardware and Software Engineers. Reading, MA, USA: Addison-Wesley,
2002.
[16] M. Dickinson, S. Debroy, P. Calyam, S. Valluripally, Y. Zhang,
R. B. Antequera, T. Joshi, T. White, and D. Xu, ‘‘Multi-cloud performance
and security driven federated workflow management,’’ IEEE Trans. Cloud
Comput., vol. 9, no. 1, pp. 240–257, Mar. 2021.
[17] J. Väänänen. (2014). Many-Sorted Logic. [Online]. Available:
https://docplayer.net/155578006-Many-sorted-logic-jouko-vaananen-
1-2-easllc-july-department-of-mathematics-and-statistics-university-of-
helsinki.html
[18] L. Kovács and A. Voronkov, ‘‘First-order theorem proving and vampire,’’
Computer Aided Verification (Lecture Notes in Computer Science),
vol. 8044, Berlin, Germany: Springer, 2013, pp. 1–35. PRASAD CALYAM (Senior Member, IEEE)
[19] E. Kotelnikov, ‘‘Checking network reachability properties by automated received the M.S. and Ph.D. degrees from the
reasoning in first-order logic,’’ in Automated Theorem Proving With Department of Electrical and Computer Engineer-
Extensions of First-Order Logic. Gothenburg, Sweden: Chalmers Univ. ing, Ohio State University, in 2002 and 2007,
Technology, 2018, ch. 5, pp. 114–131. respectively. He is currently a Full Professor with
[20] D. Sadig. (2018). CS 221 Lecture 16 [Powerpoint Slides]. the Department of Computer Science, University
[Online]. Available: https://web.stanford.edu/class/archive/cs/ of Missouri, Columbia. Previously, he was the
cs221/cs221.1186/lectures/index.html#include=logic1.js&mode=print1pp Research Director with the Ohio Supercomputer
[21] H. B. Enderton, A Mathematical Introduction to Logic, 2nd ed. Amster- Center. His research interests include distributed
dam, The Netherlands: Elsevier, 2001. and cloud computing, computer networking, and
[22] Amazon Web Services. AWS CLI Reference. Accessed: Nov. 26, 2023. cybersecurity.
[Online]. Available: https://docs.aws.amazon.com/cli/latest/reference/
[23] Github. Implementation Source Code. Accessed: Nov. 26, 2023. [Online].
Available: https://github.com/kandamuniasamy2016/composability
[24] Amazon Web Services. Regions and Availability Zones. Accessed:
Nov. 26, 2023. [Online]. Available: https://docs.aws.amazon.com/
managedservices/latest/appguide/cfn-ingest-ex-3-tier.html

KANDASAMY MUNIASAMY received the B.E.

degree in mechanical engineering from the Uni-
versity of Madras, Chennai, India, in 1983,
and the M.S. degree in computer science from
the University of Louisiana, Lafayette, in 1991.
He is currently pursuing the Ph.D. degree in
cyber security with Amrita Vishwa Vidyapeetham,
Coimbatore, Tamil Nadu, India. As a software
professional focused on database APIs and enter-
prise security products and services, he worked
for various companies, including Sybase, Oracle, Netscape, Verisign, and
Symantec. He also leads a security team in Verizon, USA, focusing on the
security of applications hosted in public cloud infrastructures and on-premise
data centers. His research interests include using formal methods to prove the
security of systems and secure composition.
M. SETHUMADHAVAN received the Ph.D.
degree in mathematics from the University of
Calicut, India, in 1997. He is currently a Professor
in mathematics and computer science with Amrita
Vishwa Vidyapeetham, Coimbatore, India. He has
been the Head of the TIFAC-Centre of Relevance
and Excellence in Cyber Security, since 2005.
His research interests include number theory and
cryptology.

VOLUME 11, 2023 139951