DOI: 10.1145/3589334.3645436
Research article, Open Access

GRASP: Hardening Serverless Applications through Graph Reachability Analysis of Security Policies

Published: 13 May 2024

ABSTRACT

Serverless computing is supplanting past versions of cloud computing as the easiest way to rapidly prototype and deploy applications. However, the reentrant and ephemeral nature of serverless functions only exacerbates the challenge of correctly specifying security policies. Unfortunately, with role-based access control solutions like Amazon Identity and Access Management (IAM) already suffering from pervasive misconfiguration problems, the likelihood of policy failures in serverless applications is high.

In this work, we introduce GRASP, a graph-based analysis framework for modeling serverless access control policies as queryable reachability graphs. GRASP generates reusable models that represent the principals of a serverless application and the interactions between those principals. We implement GRASP for Amazon IAM in Prolog, then deploy it on a corpus of 731 open source Amazon Lambda applications. We find that serverless policies tend to be short and highly permissive, e.g., 92% of surveyed policies are comprised of just 10 statements and 30% exhibit full reachability between all application functions and resources. We then use GRASP to identify potential attack vectors permitted by these policies, including hundreds of sensitive access channels, a dozen publicly-exposed resources, and four channels that may permit an attacker to exfiltrate an application's private resources through one of its public resources. These findings demonstrate GRASP's utility as a means of identifying opportunities for hardening application policies and highlighting potential exfiltration channels.
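The abstract describes three kinds of questions GRASP asks of a policy graph: whether every function can reach every resource (full reachability), which resources are publicly exposed, and whether a private resource can flow to a public one. The following is an added illustration of that idea in Python; it is not GRASP's own Prolog implementation and nothing here is taken from the paper. The function names, the simplified `read`/`write` actions (stand-ins for IAM actions such as `s3:GetObject`/`s3:PutObject`) and the sample application are all constructed for the example; IAM semantics are reduced to "explicit Deny wins over Allow" plus `*` wildcards.

```python
"""Toy reachability analysis of serverless IAM-style policies (added example)."""
from collections import defaultdict, deque

# --- Constructed sample application (not from the paper) -------------------
RESOURCES = {"bucket-private", "bucket-public", "table-orders"}
ACTIONS = ("read", "write")  # simplified stand-ins for real IAM action names

# Identity policies attached to each function's execution role.
IDENTITY_POLICIES = {
    "fn-ingest": [
        {"Effect": "Allow", "Action": ["write"], "Resource": ["bucket-private"]},
    ],
    "fn-process": [
        {"Effect": "Allow", "Action": ["read"], "Resource": ["bucket-private"]},
        {"Effect": "Allow", "Action": ["write"], "Resource": ["table-orders"]},
    ],
    "fn-report": [  # over-broad wildcard, partially narrowed by a Deny
        {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": ["write"], "Resource": ["bucket-private"]},
    ],
}

# Resource-based policies: an Allow for Principal "*" exposes the resource.
RESOURCE_POLICIES = {
    "bucket-public": [{"Effect": "Allow", "Principal": "*", "Action": ["read"]}],
}


def _matches(patterns, value):
    return any(p == "*" or p == value for p in patterns)


def permitted(statements, action, resource):
    """IAM-style evaluation: an explicit Deny overrides any Allow."""
    allowed = False
    for st in statements:
        if _matches(st["Action"], action) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def build_access_graph(identity_policies, resources):
    """Return the set of (principal, action, resource) edges the policies permit."""
    return {
        (principal, action, resource)
        for principal, statements in identity_policies.items()
        for resource in resources
        for action in ACTIONS
        if permitted(statements, action, resource)
    }


def full_reachability(edges, principals, resources):
    """True when every function can touch every resource in some way."""
    touched = {(p, r) for p, _, r in edges}
    return all((p, r) in touched for p in principals for r in resources)


def public_resources(resource_policies):
    return {
        r for r, sts in resource_policies.items()
        if any(st["Effect"] == "Allow" and st["Principal"] == "*" for st in sts)
    }


def exfiltration_channels(edges, private, public):
    """Paths private-resource -> ... -> public-resource over read/write edges.

    A read edge makes the function a successor of the resource; a write edge
    makes the resource a successor of the function. Any path from a private
    to a public resource is a candidate channel. This over-approximates: it
    ignores what the function code actually does with the data.
    """
    succ = defaultdict(set)
    for principal, action, resource in edges:
        if action == "read":
            succ[resource].add(principal)
        else:
            succ[principal].add(resource)
    channels = []
    for src in sorted(private):
        parent = {src: None}  # BFS, recording parents to rebuild one path per target
        queue = deque([src])
        while queue:
            node = queue.popleft()
            for nxt in sorted(succ[node]):
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
        for dst in sorted(public):
            if dst in parent:
                path, node = [], dst
                while node is not None:
                    path.append(node)
                    node = parent[node]
                channels.append(tuple(reversed(path)))
    return channels


def analyse(identity_policies=IDENTITY_POLICIES,
            resource_policies=RESOURCE_POLICIES, resources=RESOURCES):
    edges = build_access_graph(identity_policies, resources)
    public = public_resources(resource_policies)
    return {
        "edges": edges,
        "full_reachability": full_reachability(edges, identity_policies, resources),
        "public": public,
        "channels": exfiltration_channels(edges, set(resources) - public, public),
    }


if __name__ == "__main__":
    report = analyse()
    print("full reachability:", report["full_reachability"])
    print("public resources:", sorted(report["public"]))
    for channel in report["channels"]:
        print("candidate exfiltration channel:", " -> ".join(channel))
```

On the sample, `fn-report`'s wildcard statement is what creates both flagged channels (`bucket-private -> fn-report -> bucket-public` and `table-orders -> fn-report -> bucket-public`). Replacing the wildcard with `read table-orders` plus `write bucket-public` removes the direct channel but a longer one survives (`bucket-private -> fn-process -> table-orders -> fn-report -> bucket-public`), which is why the analysis must be transitive rather than a per-statement lint.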

Supplemental Material: rfp0678.mp4 (supplemental video, mp4, 5.5 MB)


Published in

WWW '24: Proceedings of the ACM on Web Conference 2024
May 2024, 4826 pages
ISBN: 9798400701719
DOI: 10.1145/3589334

Copyright © 2024 Owner/Author. This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher: Association for Computing Machinery, New York, NY, United States

Overall Acceptance Rate: 1,899 of 8,196 submissions, 23%