{"id":17788512,"url":"https://github.com/roptat/hayha","last_synced_at":"2026-03-15T18:37:52.331Z","repository":{"id":48203211,"uuid":"373220050","full_name":"roptat/hayha","owner":"roptat","description":"Verifying CloudFormation deployments for intra-update sniping vulnerabilities","archived":false,"fork":false,"pushed_at":"2021-10-15T15:24:32.000Z","size":45,"stargazers_count":3,"open_issues_count":1,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-27T06:23:37.834Z","etag":null,"topics":["security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/roptat.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":null,"support":null}},"created_at":"2021-06-02T15:38:35.000Z","updated_at":"2025-01-29T20:55:11.000Z","dependencies_parsed_at":"2022-09-12T10:42:05.101Z","dependency_job_id":null,"html_url":"https://github.com/roptat/hayha","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roptat%2Fhayha","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roptat%2Fhayha/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roptat%2Fhayha/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roptat%2Fhayha/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/roptat","download_url":"https://codeload.github.com/roptat/hayha/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243809844,"owners_count":20351406,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["security"],"created_at":"2024-10-27T10:19:30.385Z","updated_at":"2026-03-15T18:37:47.289Z","avatar_url":"https://github.com/roptat.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"Häyhä\n=====\n\nVerifying CloudFormation deployments for intra-update sniping vulnerabilities.\n\nIntra-update sniping vulnerabilities may happen during an update because of\nordering issues between individual component updates.  This tool is designed\nto find and report such issues.\n\nYou can read the academic paper here: http://marksantolucito.com/papers/tacas2021.pdf\n\nInstallation\n------------\n\nInstalling the tool is not necessary in order to run it.\n\n### With Guix\n\nYou can install Häyhä with the [Guix](https://guix.gnu.org) package manager.\nIt can run on any existing Linux distribution, and is guaranteed to not\ninteract with its host distribution. Installing Guix is as simple as running\nthe [installation script](https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh).\nOnce installed, you can run:\n\n```bash\nguix install `guix build -f guix.scm`\n```\n\n### With pip\n\nYou can also install using pip:\n\n```bash\npip install .\n```\n\nDevelopment Environment\n-----------------------\n\nTo develop (and run) Häyhä, you need to install pyyaml.  An easy way to do so\nis by using a Guix environment:\n\n```bash\nguix environment -l guix.scm\n```\n\nYou may also want to install `graphviz` (for the `dot` command) and an image\nviewer.\n\nUsage\n-----\n\nYou should run Häyhä before running an upgrade on your CloudFormation\ninfrastructure.  We suppose that you have a file that describes your\ncurrent infrastructure, as JSON or YAML, and another file that describes your\ntarget (desired new) infrastructure, in one of these formats.\n\nHäyhä needs a one of two commands: `graph` or `check` to run, and one or\ntwo CloudFormation files, in JSON or YAML format.  The usage is the following:\n\n```\nusage: run.py [-h] -i INITIAL [-t TARGET] ACTION\n```\n\nYou can use `-h` to show a short help message.  `ACTION` is one of `graph` or\n`check`.  `-i` is for the initial file (or the only file to consider) and\n`-t` for the target file (the upgrade).\n\n### Graph\n\nHäyhä is able to produce graphs for deployments that shows what a deployment\nlooks like in terms of a dataflow graph.  It will have a gray `web` node\nfrom which requests can be made by users of your infrastructure.  A link\nrepresents the possibility of a request from a node to another.  Red nodes\nrepresent security resources that control the requests to make sure they are\nauthorized (firewall, authorizer, ...).\n\nEach node contains the security level followed (in parenthesis) by the\nname of the resource.\n\nHäyhä can draw two kinds of graph: the graph of a deployment if you only provide\none file (whether initial or target) using the `-i` option or the upgrade graph\nif you provide two files (the initial deployment to the `-i` option and the\ntarget deployment to the `-t` option).\n\nThe upgrade graph represents every possible intermediate state during the\ndeployment of the target infrastructure, but does not take any dependency\ninto account.\n\nThis repository ships with two files, `cloud1.json` and `cloud2.json` that\ncorrespond to two versions of a vulnerable infrastructure.  To run and\nvisualize the output, you can run:\n\n```bash\npython3 run.py graph -i cloud1.json | dot -Tpng -o graph.png\n```\n\nOr for an upgrade graph that shows the vulnerability:\n\n```bash\npython3 run.py graph -i cloud1.json -t cloud2.json | dot -Tpng -o graph.png\n```\n\n### Check\n\nHäyhä is also able to check a planned upgrade of an infrastructure if you give\nit two files, like this:\n\n```bash\npython3 run.py check -i cloud1.json -t cloud2.json\n```\n\nThe output will tell you if a vulnerability is found.\n\n### Possible Warnings\n\nYou might get a warning that some type is not supported.  Unfortunately the\ntool relies on a mapping of types' configuration fields to an internal\nrepresentation.  There are many types of resources that can be used in an\ninfrastructure.  Even though we included the most current type of resources\nin this version, there are still many unsupported types.  In that case, the\ntool completely ignores the resource when building the graphs and checking\nfor vulnerabilities.\n\n### Vulnerabilities\n\nIf Häyhä finds a vulnerability under the `check` command, it will report it\nat the end.  To prevent clutter on the screen, we only report one issue for\neach resource that has an issue, so after fixing issues, make sure to run the\ntool again!\n\nThere is a vulnerability when a resource can be referenced at a time it does\nnot exist.  This can happen when your target infrastructure creates a new\nresource and updates others to reference it.  If these other resources do not\ndepend on the new resource, they might be updated before and be vulnerable to\nan attacker registering your new resource before you do.  The message will\nlook like this:\n\n```\n\u003cResource AuthorizerToBeSniped\u003e is accessible at a time it doesn't exist\n```\n\nThis can be solved by adding a dependency in every resource that references\nit.  In the example, you can add a DependsOn property to `GreetingRequestPOST`\nwhich references it and makes it required too early.  Alternatively, use\n`!Ref` instead of `Ref` in `GreetingRequestPOST`'s  `AuthorizerId` field, as\nit will implicitly create a dependency.\n\nThere is a vulnerability when a resource can be accessed with the wrong security\ncontext.  The message will look like this:\n\n```\n\u003cResource GreetingRequestPOST\u003e is not sufficiently protected, it needs at least\nAuthorizerToBeSniped and is protected by None during upgrade.  Add DependsOn\nproperties to ensure correct security.\n```\n\nThis means that there is a possible intermediate state in which your `GreetingRequestPOST`\nis not correctly protected.  In fact, in at least one, it is not protected at\nall, even though it should be protected by at least `AuthorizerToBeSniped`.\n\nIf its security context becomes more strict in the target infrastructure, you\nshould add a DependsOn from it to all the required security resources (here\nonly to `AuthorizerToBeSniped`).  This dependency will ensure correct ordering\nof upgrade operations and makes sure that the authorizer is present before upgrading\n`GreetingRequestPOST` to a more sensitive version.\n\nIf its security context becomes less strict in the target infrastructure, you\nshould add a DependsOn from all the required security resources (here\n`AuthorizerToBeSniped`) to it.  This dependency ensures correct ordering of\nupgrade operations and makes sure that the authorizer is only removed after\nupgrading `GreetingRequestPOST` to a less sensitive version.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Froptat%2Fhayha","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Froptat%2Fhayha","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Froptat%2Fhayha/lists"}