Abstract
Infrastructure as code (IaC) for the cloud, which automatically configures a system's cloud environment from source code, is an important practice because it makes provisioning efficient and reproducible. In a cloud IaC definition (template), developers must carefully manage permission settings to minimize the risk of cyber-attacks. To this end, least privilege on IaC templates, i.e., the assignment of a necessary and sufficient set of permissions, is widely regarded as a best practice. However, discovering least privilege can be an error-prone, burdensome task for developers. This is partly because executing an action on the cloud sometimes implicitly requires permissions for other services; since these dependencies are difficult to recognize without actually executing the action, developers are forced to manually iterate between executing an action and modifying permissions. In this work, we present an approach to automatically discover least privilege. Our approach uses a test suite, which represents what a system should achieve on the cloud, as the indicator of least privilege, and iterates between testing on the cloud and (re)configuring permissions on the basis of the test results. We also propose a stepwise filtering technique that uses the co-occurrences of cloud services/actions and clustering-based pruning to efficiently rule out unnecessary permissions. Our experiments demonstrate that this filtering reduces the number of iterations compared to naive approaches, which directly reduces the time and cost of discovering least privilege. Moreover, three case studies show that our approach can identify least privilege on Amazon Web Services within a practical time.
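The iteration the abstract describes, as an added example that is not the authors' tool or code: a small Python model in which a stand-in oracle plays the role of deploying a policy and running the test suite, and two discovery strategies are compared by the number of deploy-and-test iterations they need. The candidate and required action lists are constructed; the hidden kms:Decrypt requirement stands in for the implicit cross-service dependency the abstract mentions; and grouping candidates by service prefix is an assumption used here in place of the paper's co-occurrence and clustering filter.

```python
"""Toy model of test-guided least-privilege discovery for a cloud IAM role.

Added example, not the paper's tool. The "cloud" is a stand-in oracle whose
tests pass exactly when a hidden set of required actions is allowed. Grouping
candidate actions by service prefix is an assumption that stands in for the
paper's co-occurrence/clustering filter.
"""
from __future__ import annotations

import json
from collections import defaultdict
from typing import Iterable

# Constructed, deliberately over-broad starting permissions for a hypothetical
# function that reads an SSE-KMS encrypted S3 object and writes a DynamoDB item.
CANDIDATE_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:DescribeKey",
    "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:UpdateItem",
    "dynamodb:DeleteItem", "dynamodb:Scan", "dynamodb:Query",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "logs:DescribeLogStreams",
    "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage",
    "sqs:GetQueueAttributes",
    "sns:Publish", "sns:Subscribe", "sns:ListTopics",
    "ec2:DescribeInstances", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
    "ec2:CreateNetworkInterface",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:PutParameter",
    "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret",
]

# Constructed ground truth. kms:Decrypt is the "implicit" dependency that is
# invisible in the template: reading an SSE-KMS object needs it, not just s3:GetObject.
REQUIRED_ACTIONS = frozenset({
    "s3:GetObject", "kms:Decrypt", "dynamodb:PutItem",
    "logs:CreateLogStream", "logs:PutLogEvents",
})


class CloudOracle:
    """Stands in for deploying a policy and running the test suite against it."""

    def __init__(self, required: frozenset[str]) -> None:
        self._required = required
        self.runs = 0  # one run = one deploy-and-test iteration (time and cost)

    def tests_pass(self, allowed: Iterable[str]) -> bool:
        self.runs += 1
        return self._required <= set(allowed)


def discover_naive(candidates, oracle):
    """Drop each action one at a time; keep it only if the tests fail without it."""
    allowed = set(candidates)
    for action in candidates:
        trial = allowed - {action}
        if oracle.tests_pass(trial):
            allowed = trial
    return allowed


def discover_grouped(candidates, oracle, group_key=lambda a: a.split(":")[0]):
    """Drop whole groups first; refine per action only when a group is partly needed."""
    allowed = set(candidates)
    groups = defaultdict(list)
    for action in candidates:
        groups[group_key(action)].append(action)
    for members in groups.values():
        trial = allowed - set(members)
        if oracle.tests_pass(trial):
            allowed = trial  # whole group unnecessary: ruled out in one iteration
            continue
        for action in members:  # some member is needed: fall back to per-action trials
            trial = allowed - {action}
            if oracle.tests_pass(trial):
                allowed = trial
    return allowed


def to_policy(actions, resource="*"):
    """Render the discovered action set as an IAM policy document."""
    statement = {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]}, indent=2)


def compare():
    """Run both strategies from the same starting point; return (result, iterations)."""
    naive_oracle = CloudOracle(REQUIRED_ACTIONS)
    naive = discover_naive(CANDIDATE_ACTIONS, naive_oracle)
    grouped_oracle = CloudOracle(REQUIRED_ACTIONS)
    grouped = discover_grouped(CANDIDATE_ACTIONS, grouped_oracle)
    return {"naive": (naive, naive_oracle.runs), "grouped": (grouped, grouped_oracle.runs)}


if __name__ == "__main__":
    result = compare()
    for name, (actions, runs) in result.items():
        print(f"{name}: {runs} deploy-and-test iterations -> {len(actions)} actions kept")
    print(to_policy(result["grouped"][0]))
```

Both strategies converge on the same five actions, but the grouped variant spends fewer iterations because services the tests never touch are ruled out wholesale. The caveat a practitioner should keep in mind is visible in the oracle: the result is only as tight as the test suite is complete, so any action that the tests never exercise is stripped, and untested code paths will fail with AccessDenied after deployment.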
Author information
Contributions
All authors contributed to the study conception and design. Experiments and case studies were performed by RS and YN. The first draft of the manuscript was written by RS and all authors commented on previous versions of the manuscript. All authors read and approved the final manuscript.
Ethics declarations
Conflict of interest
The authors have no competing interests to declare that are relevant to the content of this article.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendix 1. Details of the permissions used in case studies
The following tables detail the allowed sets of actions used in our case studies. This information is provided in the appendix because it is too detailed for the body of the paper, but it helps clarify what our tool can achieve and what Access Analyzer cannot.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Shimizu, R., Nunomura, Y. & Kanuka, H. Test-suite-guided discovery of least privilege for cloud infrastructure as code. Autom Softw Eng 31, 25 (2024). https://doi.org/10.1007/s10515-024-00420-5
DOI: https://doi.org/10.1007/s10515-024-00420-5