DOI: 10.1145/3589334.3645436
Research article (Open access)

GRASP: Hardening Serverless Applications through Graph Reachability Analysis of Security Policies

Published: 13 May 2024

Abstract

Serverless computing is supplanting earlier forms of cloud computing as the easiest way to rapidly prototype and deploy applications. However, the reentrant and ephemeral nature of serverless functions only exacerbates the challenge of correctly specifying security policies. With role-based access control solutions such as AWS Identity and Access Management (IAM) already suffering from pervasive misconfiguration, the likelihood of policy failures in serverless applications is high.
In this work we introduce GRASP, a graph-based analysis framework that models serverless access control policies as queryable reachability graphs. GRASP generates reusable models representing the principals of a serverless application and the interactions between them. We implement GRASP for AWS IAM in Prolog and deploy it on a corpus of 731 open source AWS Lambda applications. We find that serverless policies tend to be short and highly permissive: 92% of surveyed policies consist of just 10 statements, and 30% exhibit full reachability between all application functions and resources. We then use GRASP to identify potential attack vectors permitted by these policies, including hundreds of sensitive access channels, a dozen publicly exposed resources, and four channels that may allow an attacker to exfiltrate an application's private resources through one of its public resources. These findings demonstrate GRASP's utility for identifying opportunities to harden application policies and for highlighting potential exfiltration channels.
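The reachability model the abstract describes, as an added toy illustration in Python (GRASP itself is implemented in Prolog; this is not the paper's code). Function execution roles and resources become graph nodes, each Allow statement becomes directed edges in the direction data flows (read: resource to function, write: function to resource), and breadth-first search answers the three questions the abstract raises: full reachability, roles with wildcard access to everything, and private-to-public exfiltration channels. The sample policies and ARNs are constructed, the read/write verb classification and the per-resource `public` flag are simplifying assumptions, and explicit Deny statements and condition keys are ignored, so the result over-approximates what IAM actually permits.

```python
"""Toy GRASP-style reachability analysis over AWS IAM-style policies.

Added example, not GRASP's Prolog implementation. Sample data is constructed."""
import fnmatch
from collections import deque

# Heuristic verb classification (assumption): which way does data move?
READ_VERBS = ("Get", "List", "Query", "Scan", "Describe", "Receive", "BatchGet")
WRITE_VERBS = ("Put", "Delete", "Update", "Create", "Invoke", "Send", "Publish", "BatchWrite")


def action_directions(action):
    """Return the data-flow directions an IAM action permits ({"read"}, {"write"} or both).
    Unknown verbs are treated as read+write so the graph never under-approximates."""
    if action == "*":
        return {"read", "write"}
    _service, _, verb = action.partition(":")
    if verb in ("", "*"):
        return {"read", "write"}
    if verb.startswith(READ_VERBS):
        return {"read"}
    if verb.startswith(WRITE_VERBS):
        return {"write"}
    return {"read", "write"}


def build_graph(policies, resources):
    """policies: {function: [IAM statement dicts]}; resources: {arn: {"public": bool}}.
    Returns insertion-ordered adjacency lists (deterministic output). Deny statements
    are skipped, so a channel an explicit Deny closes may still be reported."""
    edges = {n: [] for n in list(policies) + list(resources)}

    def add(src, dst):
        if dst not in edges[src]:
            edges[src].append(dst)

    for fn, statements in policies.items():
        for st in statements:
            if st.get("Effect") != "Allow":
                continue
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            patterns = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
            for pat in patterns:
                for arn in resources:
                    if not fnmatch.fnmatchcase(arn, pat):   # ARN wildcard matching
                        continue
                    for act in actions:
                        dirs = action_directions(act)
                        if "read" in dirs:
                            add(arn, fn)
                        if "write" in dirs:
                            add(fn, arn)
    return edges


def shortest_path(edges, src, dst):
    """BFS path from src to dst, or None if dst is unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in edges[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def reachable_from(edges, start):
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def is_fully_reachable(edges):
    """True when every node reaches every other node (the paper's 'full reachability')."""
    nodes = set(edges)
    return all(reachable_from(edges, n) == nodes - {n} for n in nodes)


def exfiltration_channels(edges, resources):
    """Paths from a private resource to a publicly readable one: data a function pulls
    from the private side can be written out through the public side."""
    public = [r for r, meta in resources.items() if meta["public"]]
    private = [r for r, meta in resources.items() if not meta["public"]]
    return [p for src in private for dst in public if (p := shortest_path(edges, src, dst))]


# Constructed sample application (hypothetical names and ARNs, not from the paper's corpus).
SAMPLE_POLICIES = {
    "fn-upload": [
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::uploads/*"]}],
    "fn-process": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::uploads/*"]},
        {"Effect": "Allow", "Action": ["dynamodb:*"],
         "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/customers"]},
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::public-site/*"]}],
    "fn-admin": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}],   # the over-permissive pattern
}
SAMPLE_RESOURCES = {
    "arn:aws:s3:::uploads/*": {"public": False},
    "arn:aws:s3:::public-site/*": {"public": True},   # e.g. bucket policy: s3:GetObject to Principal "*"
    "arn:aws:dynamodb:us-east-1:123456789012:table/customers": {"public": False},
}


def analyze(policies=SAMPLE_POLICIES, resources=SAMPLE_RESOURCES):
    edges = build_graph(policies, resources)
    return {
        "full_reachability": is_fully_reachable(edges),
        "wildcard_functions": [fn for fn in policies
                               if all(r in edges[fn] and fn in edges[r] for r in resources)],
        "channels": exfiltration_channels(edges, resources),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

On the sample, `fn-process` reads the private uploads bucket and the customers table and writes to the public site bucket, so both private resources get a reported channel ending at the public resource; `fn-admin` is flagged as a wildcard role. Reachability is not full only because nothing can flow into `fn-upload`, whose role grants no read action. A real analysis would additionally evaluate Deny statements, resource-based policies and condition keys before trusting a reported path.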

Supplemental Material: MP4 file (supplemental video)



Published In

WWW '24: Proceedings of the ACM Web Conference 2024
May 2024, 4826 pages
ISBN: 9798400701719
DOI: 10.1145/3589334
This work is licensed under a Creative Commons Attribution 4.0 International License.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. access control
2. security policy analysis
3. serverless computing

Conference

WWW '24: The ACM Web Conference 2024
May 13 - 17, 2024
Singapore, Singapore

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
