I-Corps: A Learned Cloud Infrastructure-as-Code (IaC) Linter

The broader impact/commercial potential of this I-Corps project is the development of a tool for orchestrating cloud computing resources. It is designed for cloud providers to make their service easier to access, and for cloud tenants for migrating their workloads to the cloud. Existing tools are derived from low-level cloud application programming interface (API) specifications, which fail to capture a complete picture of the interactions between cloud resources.

Therefore, they can make mistakes or leave problems undetected until the deployment is run. The proposed technology is an infrastructure-as-code (IaC) tool that increases the reliability of IaC cloud resource deployment. It has the potential to detect many classes of bugs and misconfigurations to reduce the number of errors and security vulnerabilities in the actual deployment.

The proposed technology may be able to detect a variety of cloud deployment problems in advance and help suggest repairs. This may change the status-quo on how people manage and deploy public cloud infrastructure, and may reduce manpower needed for the development and deployment life cycle of cloud tenants.

This I-Corps project is based on the development of a learned cloud infrastructure-as-code (IaC) linter that enables extracting cloud provider requirements automatically and formalizes them as configuration checks. This is an end-to-end tool chain to extract cloud provider requirements from various sources, formally validate their correctness, and turn them into efficient checks against user-written IaC configurations.

While previous IaC linters could check against security or policy compliance based on manually written rules, the proposed technology takes automatically extracted provider conformance rules as the first-class objective. This technology is part of a long-term research endeavor that aims at simplifying cloud management with infrastructure clarity. The goal is to bridge the communication gap between the internal logistics of cloud providers and the intent from various cloud tenants, which hampers the adoption of public cloud services.

To mitigate this problem, the proposed technology leverages a unique combination of interdisciplinary techniques, including well-established concepts such as program analysis, formal reasoning, and software testing, as well as fast-growing technologies such as large language models. This tool may help users detect misconfigurations and security problems before they manifest, saving time, manpower and money required to fix problems.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.