-
Publication No.: US20240179182A1
Publication date: 2024-05-30
Application No.: US18070349
Application date: 2022-11-28
Applicant: Amazon Technologies, Inc.
Inventor: Michael W. HICKS, John Holman KASTNER, Emina TORLAK, Richard Matthew MCCUTCHEN, Darin MCADAMS, Neha RUNGTA, Aaron Joseph ELINE, Joseph Wallace CUTLER, Eleftherios IOANNIDIS
IPC: H04L9/40
CPC classification number: H04L63/20
Abstract: A system and method for authorization policy validation. A validator takes as input an authorization policy to be analyzed and a schema that specifies entity types and their attributes, types of entity parents in an entity hierarchy, and which entity types can be used with which actions. The validator checks that the policy conforms to the schema. If the check passes, then the policy is guaranteed to be free of both type errors and attribute access errors for any input that conforms to the schema.
-
Publication No.: US20240179181A1
Publication date: 2024-05-30
Application No.: US18070321
Application date: 2022-11-28
Applicant: Amazon Technologies, Inc.
Inventor: Emina TORLAK, Darin MCADAMS, Neha RUNGTA, Michael W. HICKS, Craig Ryan DISSELKOEN, Aaron Joseph ELINE, John Holman KASTNER, Kyle HEADLEY, Anwar MAMAT, Richard Matthew MCCUTCHEN, Andrew Marshall WELLS, Kesha Hanne HIETALA, Shaobo HE, Mark Edward STALZER, Julian LOVELOCK
IPC: H04L9/40
CPC classification number: H04L63/20, H04L63/104
Abstract: A system and method for authorization policy evaluation. Authorization policies are authored in a general-purpose authorization language. An evaluation engine is used in a provider network by application developers to manage access within their applications based on fine-grained permissions. The policy language combines elements of role-based and attribute-based access control within an intuitive syntax and efficient evaluation strategy. The policy syntax separates role-based expressions of a policy from attribute-based expressions of the policy.
-
Publication No.: US20240179188A1
Publication date: 2024-05-30
Application No.: US18070371
Application date: 2022-11-28
Applicant: Amazon Technologies, Inc.
Inventor: Emina TORLAK, Kyle HEADLEY, Michael W. HICKS, Neha RUNGTA, Andrew Marshall WELLS
IPC: H04L9/40
CPC classification number: H04L63/205, H04L63/104
Abstract: A system and method for authorization policy analysis. A policy analyzer answers first-order questions about authorization policies by reducing the policies to Satisfiability modulo theories (SMT). Input to the analyzer includes a policy to be analyzed and a schema for that policy. If the policy passes strict validation against the schema, then the analyzer symbolically evaluates the policy to encode its semantics as an SMT expression. The SMT expression is used to formulate a desired query about policy behavior such as, for example, if there is any input on which two policies both evaluate to true. The reduction to SMT produces a quantifier-free formula in a combination of decidable theories to support large scale deployments. This reduction is achieved by focusing the analysis on policies that pass strict validation, rather than attempting to analyze arbitrary policies.