undefined | Better HN

0 pointssudhirj2y ago0 comments

Trust in AWS and Nitro HyperVisor system is taken for granted here, if that’s what you mean. We don’t necessarily examine AWS’s code or hardware, we’ll just have to take their word for it.

Which is what we and our customers do already, when we run our workloads on it.

We know this is a problem, but this is where we’re ok with drawing the line. If you’ve seen Reflections on Trusting Trust you’ll know we have to draw the line somewhere.

0 comments

Veserv2y ago

Do they provide any third party certifications with teeth, legally binding guarantees, or contractual guarantees supporting the claims you are relying on?

sudhirjOP2y ago

Not right now, no. From what I've seen from our previous suppliers (HSMs from Thales) no one will take on liability (if that's what you mean). The trust instead relies on the FIPS-140 certification process - certified devices are sold as-is.

In the case of the cloud I haven't seen FIPS certification of any of the internal systems from cloud providers yet.

This need for certification needs to be balanced against usability - it's relatively easier to certify a hardware design that has no compute, or a physically isolated CPU and memory like a SEE Machine, but it's also much less useful.

We prefer general purpose machines that have the same strength barriers that we already know are being deployed to protect customers from each other, that are being probed and tested all day every day both by AWS internally and by bad actors trying to steal other people's data. The lack of known pending exploits, continuous patching by AWS and being battle tested on a massive scale is more important to us than a FIPS certification at this point. Although if AWS managed to get FIPS to certify the Nitro system it would be a big plus.

Veserv2y ago

Thank you for the replies. It helps confirm my belief that AWS is just peddling the same security bullshit as everybody else and people keep falling for it.

Literally everybody has been promising general purpose machine isolation for decades and basically every one of them has failed. Actually designing such a system is a extraordinary claim demanding extraordinary evidence. Actual standards that can actually distinguish such a property such as the Common Criteria at EAL 6 and 7 require rigorous verification work such as formal proofs of correctness to actually positively assert such properties. It is ridiculous that people keep believing such claims without any guarantees, verifications, or audits when everything uncertified is so catastrophically bad at achieving isolation.

To quote Theo de Raadt:

“You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

You've seen something on the shelf, and it has all sorts of pretty colours, and you've bought it.“

2 more replies

j / k navigate · click thread line to collapse

0 comments

Veserv2y ago

Do they provide any third party certifications with teeth, legally binding guarantees, or contractual guarantees supporting the claims you are relying on?

sudhirjOP2y ago

In the case of the cloud I haven't seen FIPS certification of any of the internal systems from cloud providers yet.

Veserv2y ago

Thank you for the replies. It helps confirm my belief that AWS is just peddling the same security bullshit as everybody else and people keep falling for it.

To quote Theo de Raadt:

You've seen something on the shelf, and it has all sorts of pretty colours, and you've bought it.“

2 more replies

j / k navigate · click thread line to collapse