Transitive reasoning is a logic pattern.
Example:
A depends on B.
B depends on C.
Therefore, A indirectly depends on C.
It is about following relationships across steps.
Transitive trust is a security risk caused by indirect trust.
Example:
I trust service A.
Service A trusts service B.
So I may indirectly be affected by service B.
The danger is:
If B is compromised, A may be compromised.
If A is trusted by me, I may be affected.
So the relationship is:
Transitive reasoning = the thinking method.
Transitive trust = one thing you can reason about using that method.
For Stave:
Bucket trusts policy.
Policy trusts principal.
Principal has a path to public access.
Therefore, bucket may be exposed.
That is transitive reasoning used to detect transitive trust risk.
Transitive trust is modeled using transitive reasoning.
Simple form:
A trusts B.
B trusts C.
Therefore, A indirectly trusts C.
That reasoning pattern is transitive.
But be careful with wording:
Transitive reasoning = the logic rule.
Transitive trust = the security relationship discovered by applying that rule.
So a better sentence is:
Transitive trust is an example of transitive reasoning applied to trust relationships.
Yes. Compound chain risk is transitive reasoning across multiple weak links.
A single issue may not look catastrophic.
WAF has SSRF bug.
IAM role has too much S3 access.
S3 bucket contains sensitive data.
Network path allows metadata access.
Logging or detection misses the behavior.
Each one is a separate condition.
The risk appears when they connect:
Attacker reaches WAF
→ WAF can reach metadata service
→ metadata service returns role credentials
→ role credentials can read S3
→ S3 contains sensitive customer data
→ attacker exfiltrates data
That is transitive reasoning.
The attacker does not need direct access to S3. They need a path through trusted relationships.
For the Capital One breach, public analysis commonly describes the chain as SSRF against a misconfigured web application firewall, access to temporary AWS credentials through instance metadata, and use of those credentials to access S3 data. The breach affected over 100 million people. (Krebs on Security)
So the relationship is:
Transitive trust:
WAF trusted the metadata service.
AWS trusted the instance role.
S3 trusted the IAM permissions.
Capital One trusted the cloud configuration.
Transitive reasoning:
Follow the path from one trusted edge to the next.
Compound chain risk:
The full path creates impact even when each part looks smaller alone.
For Stave, this is important.
A normal scanner may say:
S3 bucket is private.
No direct public access found.
But chain reasoning asks:
Can anything public reach something trusted?
Can that trusted thing get credentials?
Can those credentials read sensitive storage?
Can that storage expose PHI, PII, or regulated data?
The key idea:
Direct exposure is one risk.
Indirect exposure is chain risk.
Transitive reasoning is how you find it.
So Capital One is not just an “S3 misconfiguration” story.
It is a path-to-impact story. The damage came from the chain.
A point-in-time scanner usually detects local facts:
Is this bucket public?
Does this security group allow 0.0.0.0/0?
Does this IAM policy allow s3:GetObject?
Is encryption enabled?
But an attack path needs relationship reasoning:
Public app
→ SSRF-capable endpoint
→ metadata service
→ temporary role credentials
→ IAM permissions
→ S3 objects
→ sensitive data
Many scanners miss this because the dangerous fact is not in one place. It is distributed across services.
So the better statement is:
Traditional scanners detect misconfigurations.
Attack-path reasoning detects how misconfigurations compose into impact.
For Stave, this is the stronger framing:
Stave is not only asking, “Is this resource unsafe?”
It asks, “Can this safe-looking state become unsafe through a chain?”
That is where time also matters:
Today: bucket is private because Public Access Block masks the risk.
Tomorrow: PAB is changed.
Result: latent public policy becomes active exposure.
So there are two hard problems:
Transitive risk:
A reaches B, B reaches C, so A may impact C.
Temporal risk:
Safe now does not mean structurally safe.
Attack path scanners need graph reasoning.
Cloud safety tools need graph reasoning plus time reasoning.
That is the gap Stave can own.
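Both problems just named, as an added Python example that is not Stave's code: a toy resource graph (the node names, the edge list and the PublicAccessBlock control are constructed) is searched for chains from the internet to sensitive data, and a chain that only a currently active control blocks is reported as latent rather than absent.

```python
from collections import deque

# Constructed trust/reachability graph, not Stave's data model. Each edge is
# (source, target, masking_control): the control, when active, blocks the edge
# today but leaves the underlying relationship in place (temporal risk).
EDGES = [
    ("internet", "waf", None),                    # public entry point
    ("waf", "metadata-service", None),            # SSRF-capable endpoint reaches IMDS
    ("metadata-service", "instance-role", None),  # IMDS hands out role credentials
    ("instance-role", "customer-bucket", None),   # role's IAM policy allows s3:GetObject
    ("customer-bucket", "sensitive-data", None),  # bucket holds regulated data
    ("internet", "customer-bucket", "PublicAccessBlock"),  # public bucket policy masked by PAB
]

def reachable_paths(edges, source, target, active_controls):
    """BFS over edges whose masking control is not active; returns all simple paths."""
    adj = {}
    for src, dst, ctrl in edges:
        if ctrl not in active_controls:
            adj.setdefault(src, []).append(dst)
    paths, queue = [], deque([[source]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            paths.append(path)
            continue
        for nxt in adj.get(node, []):
            if nxt not in path:  # keep paths simple (no cycles)
                queue.append(path + [nxt])
    return paths

def direct_public(edges, node, active_controls):
    """What a point-in-time scanner checks: is there a one-hop public edge right now?"""
    return any(src == "internet" and dst == node and ctrl not in active_controls
               for src, dst, ctrl in edges)

def exposure_report(edges, source, target, active_controls):
    """'active' = chains that work under today's controls (transitive risk);
    'latent' = chains that exist structurally but are only masked by a control
    that could change tomorrow (temporal risk)."""
    active = reachable_paths(edges, source, target, active_controls)
    structural = reachable_paths(edges, source, target, set())
    latent = [p for p in structural if p not in active]
    return {"active": active, "latent": latent}
```

With PublicAccessBlock active, direct_public reports the bucket as not public while exposure_report still returns the WAF chain as active and the direct bucket path as latent.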
Transitive reasoning = abstract logic level
Transitive trust = domain/security level
Transitive reasoning:
If A relates to B, and B relates to C,
then A may relate to C.
Transitive trust:
If A trusts B, and B trusts C,
then A may indirectly trust C.
So:
Abstract pattern:
A → B → C
Security meaning:
trust flows across A → B → C
For Stave:
Abstract level:
Follow relationships across resources.
Domain level:
Follow trust, access, exposure, and permission paths across cloud resources.
Transitive trust is transitive reasoning applied to trust relationships.