Amazon introduced the REX (Trusted Remote Execution) secure script execution engine, which allows only the operations authorized for each specific script. For example, if a script parses logs, it will only be granted read access to the log, while unauthorized attempts to delete or modify files will be blocked. REX is written in Rust and is open-sourced under the Apache 2.0 license.
REX can be used to control and restrict the operations performed by scripts that AI agents generate when handling system automation requests. With REX, the host owner can block unintended actions and decide which operations are allowed, regardless of the requests the AI agent receives. This approach protects against a new class of attacks in which attackers use request substitution to manipulate AI agents into performing actions within the system.

REX uses the Rhai scripting language, which is dynamically typed and has a syntax resembling a mix of JavaScript and Rust. Rules written in the Cedar language are assigned to scripts and govern every system operation a script performs. Scripts are executed in an isolated sandbox environment, where only explicitly permitted file operations, network capabilities, process management tools, and other system functions are allowed. Every system call, such as opening, reading, or writing a file, is authorized against the specified rules before it is executed.
The security model keeps rules separate from scripts: rules are defined not by script creators or script executors, but by the service owner. To prevent race conditions and symbolic link attacks, scripts use file descriptors rather than paths whenever possible. By default, scripts executed by the REX engine have no direct access to the host and perform operations through authorized Rust APIs.
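
The descriptor-versus-path point above, shown as an added example (not code from REX or from the original article): a std-only Rust program for Unix that reads a file once by checking and re-resolving its path, and once through a handle that is opened a single time and then checked. The function names, file names and the `swap` step are hypothetical and constructed for illustration; code that handles this for real would normally also use `openat` with `O_NOFOLLOW`.

```rust
use std::fs::{self, File};
use std::io::{self, ErrorKind, Read};
use std::os::unix::fs::{symlink, MetadataExt};
use std::path::Path;

// Path-based: the check and the read each resolve the name separately.
fn read_by_path(path: &Path, between: impl FnOnce()) -> io::Result<String> {
    if !fs::symlink_metadata(path)?.file_type().is_file() {
        return Err(ErrorKind::PermissionDenied.into());
    }
    between(); // stands in for any change on the host between check and use
    fs::read_to_string(path) // second lookup: may be a different object now
}

// Descriptor-based: open once, check the opened object, read via the handle.
fn read_by_handle(path: &Path, between: impl FnOnce()) -> io::Result<String> {
    let named = fs::symlink_metadata(path)?; // lstat: the name itself
    let mut file = File::open(path)?;
    let opened = file.metadata()?; // fstat: the object behind the descriptor
    let same = (named.dev(), named.ino()) == (opened.dev(), opened.ino());
    if !named.file_type().is_file() || !same {
        return Err(ErrorKind::PermissionDenied.into()); // link or replaced path
    }
    between();
    let mut text = String::new();
    file.read_to_string(&mut text)?; // still the object that was checked
    Ok(text)
}

// Constructed scenario: app.log is replaced by a link to other.txt mid-run.
fn demo() -> io::Result<(String, String, bool)> {
    let dir = std::env::temp_dir().join(format!("fd_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir)?;
    let (log, other) = (dir.join("app.log"), dir.join("other.txt"));
    fs::write(&other, "OTHER FILE")?;
    let swap = || fs::remove_file(&log).and_then(|_| symlink(&other, &log)).unwrap();
    fs::write(&log, "log line")?;
    let by_path = read_by_path(&log, swap)?; // passes the check, reads other.txt
    fs::remove_file(&log)?; // drop the link, restore a real log file
    fs::write(&log, "log line")?;
    let by_handle = read_by_handle(&log, swap)?; // reads the checked file
    let link_rejected = read_by_handle(&log, || {}).is_err(); // path is a link now
    fs::remove_dir_all(&dir)?;
    Ok((by_path, by_handle, link_rejected))
}

fn main() { println!("{:?}", demo()); }
```

The path-based read returns the contents of `other.txt` although its check passed, while the handle-based read returns the log it checked and refuses a path that is already a link.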

Source: opennet.ru
