GRASP: Hardening Serverless Applications through Graph Reachability Analysis of Security Policies

Isaac Polinsky, Pubali Datta, Adam Bates, William Enck

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Serverless computing is supplanting past versions of cloud computing as the easiest way to rapidly prototype and deploy applications. However, the reentrant and ephemeral nature of serverless functions only exacerbates the challenge of correctly specifying security policies. Unfortunately, with role-based access control solutions like Amazon Identity and Access Management (IAM) already suffering from pervasive misconfiguration problems, the likelihood of policy failures in serverless applications is high. In this work, we introduce GRASP, a graph-based analysis framework for modeling serverless access control policies as queryable reachability graphs. GRASP generates reusable models that represent the principals of a serverless application and the interactions between those principals. We implement GRASP for Amazon IAM in Prolog, then deploy it on a corpus of 731 open source Amazon Lambda applications. We find that serverless policies tend to be short and highly permissive, e.g., 92% of surveyed policies are comprised of just 10 statements and 30% exhibit full reachability between all application functions and resources. We then use GRASP to identify potential attack vectors permitted by these policies, including hundreds of sensitive access channels, a dozen publicly-exposed resources, and four channels that may permit an attacker to exfiltrate an application's private resources through one of its public resources. These findings demonstrate GRASP's utility as a means of identifying opportunities for hardening application policies and highlighting potential exfiltration channels.
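As an added illustration of the reachability idea described in the abstract (this is not the paper's Prolog implementation, and the statements, principals and resource names below are constructed rather than taken from the surveyed corpus), the following Python resolves simplified IAM-style statements into effective permissions, builds a data-flow graph over functions and resources, and queries it for channels that lead from a private resource to a publicly exposed one:

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed statements in a simplified IAM shape: (principal, Effect, Action, Resource).
STATEMENTS = [
    ("fn:ingest",  "Allow", ["s3:GetObject"],          ["s3:private-bucket"]),
    ("fn:ingest",  "Allow", ["lambda:InvokeFunction"], ["fn:publish"]),
    ("fn:publish", "Allow", ["s3:PutObject"],          ["s3:public-bucket"]),
    ("fn:report",  "Allow", ["dynamodb:*"],            ["ddb:orders"]),
    ("fn:report",  "Deny",  ["dynamodb:PutItem"],      ["ddb:orders"]),
]
RESOURCES = ["s3:private-bucket", "s3:public-bucket", "ddb:orders"]
PUBLIC = {"s3:public-bucket"}  # assumed to be readable by anonymous principals
READ = {"s3:GetObject", "dynamodb:GetItem", "dynamodb:Scan"}
WRITE = {"s3:PutObject", "dynamodb:PutItem", "dynamodb:UpdateItem"}
INVOKE = {"lambda:InvokeFunction"}


def effective(statements):
    """Expand wildcards and apply Deny-overrides-Allow; returns (principal, action, target)."""
    targets = RESOURCES + [p for p, *_ in statements]  # functions can be invocation targets
    allowed, denied = set(), set()
    for principal, effect, actions, resources in statements:
        for act in READ | WRITE | INVOKE:
            for tgt in targets:
                if any(fnmatchcase(act, a) for a in actions) and any(fnmatchcase(tgt, r) for r in resources):
                    (allowed if effect == "Allow" else denied).add((principal, act, tgt))
    return allowed - denied


def dataflow_graph(perms):
    """Directed edges follow the data: reads move resource -> function, writes/invokes function -> target."""
    graph = defaultdict(set)
    for principal, act, target in perms:
        if act in READ:
            graph[target].add(principal)
        else:
            graph[principal].add(target)
    return graph


def reachable(graph, start):
    """Depth-first reachability over the data-flow graph."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def exfiltration_channels(statements):
    """Pairs (private resource, public resource) joined by some chain of reads, invocations and writes."""
    graph = dataflow_graph(effective(statements))
    return sorted((src, dst) for src in RESOURCES if src not in PUBLIC
                  for dst in reachable(graph, src) if dst in PUBLIC)
```

On the constructed policy, `fn:ingest` reading the private bucket and invoking `fn:publish`, which writes the public bucket, yields one channel; dropping the invocation statement is the hardening step that closes it.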

Original language: English (US)
Title of host publication: WWW 2024 - Proceedings of the ACM Web Conference
Publisher: Association for Computing Machinery
Pages: 1644-1655
Number of pages: 12
ISBN (Electronic): 9798400701719
DOIs
State: Published - May 13 2024
Event: 33rd ACM Web Conference, WWW 2024 - Singapore, Singapore
Duration: May 13 2024 to May 17 2024

Publication series

Name: WWW 2024 - Proceedings of the ACM Web Conference

Conference

Conference: 33rd ACM Web Conference, WWW 2024
Country/Territory: Singapore
City: Singapore
Period: 5/13/24 to 5/17/24

Keywords

  • access control
  • security policy analysis
  • serverless computing

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software
