Skip to main content

stave prove

Run Z3 SMT queries against a Stave assessment

Usage

stave prove [flags]

Description

Prove loads observation snapshots, compiles them into a Z3 SMT model, and runs a formal verification query. The model covers IAM policies (identity, resource, KMS key, trust), asset relationships, and control invariants.

Queries: compatibility Can principal X perform action Y on resource Z? reachability Can principal X reach resource Y through any chain of role assumptions and policy grants? conflict Do the loaded policies contradict each other? choke-point What is the minimum set of statements whose removal breaks a reachability path? invariant Is a control's unsafe condition reachable for ANY input?

Inputs: --observations, -o Observation snapshots directory (required) --query Query to run (required) --controls, -i Control definitions directory (default: built-in catalog) --principal Principal ARN (compatibility, reachability, choke-point) --action Action (compatibility) --resource Resource ARN (compatibility, reachability, choke-point) --invariant Control ID (invariant query) --format, -f Output format: json (default), text

Outputs: stdout: query result as JSON (or text with --format text)

Exit codes: 0 Query completed successfully 2 Input error (bad flags, missing observations) 4 Internal error (Z3 not available, load failure) 130 Interrupted (SIGINT)

Requires: binary built with -tags 'cgo z3' and libz3 installed.

Offline-only: reads local files; makes zero network connections; no cloud credentials.

Flags

FlagTypeDescription
--actionstringaction (compatibility)
-i, --controlsstringcontrol definitions directory (empty = built-in catalog)
-f, --formatstringoutput format: json, text (default: json)
--invariantstringinvariant control ID (invariant query)
-o, --observationsstringpath to observations directory (required)
--principalstringprincipal ARN (compatibility, reachability, choke-point)
--querystringquery to run: compatibility, reachability, conflict, choke-point, invariant (required)
--resourcestringresource ARN (compatibility, reachability, choke-point)

Examples

# Can this role read from this bucket?
stave prove -o observations --query compatibility \
--principal arn:aws:iam::123456789012:role/MyRole \
--action s3:GetObject \
--resource arn:aws:s3:::my-bucket

# Is there any attack path from user to bucket?
stave prove -o observations --query reachability \
--principal arn:aws:iam::123456789012:user/attacker \
--resource arn:aws:s3:::sensitive-data

# Do any policies contradict each other?
stave prove -o observations --query conflict

# Verify a control holds for ALL possible inputs
stave prove -o observations --query invariant \
--invariant CTL.S3.PUBLIC.001

# Find the minimum fix to break an attack path
stave prove -o observations --query choke-point \
--principal arn:aws:iam::123456789012:user/attacker \
--resource arn:aws:s3:::sensitive-data