TY - GEN
T1 - GRASP
T2 - 33rd ACM Web Conference, WWW 2024
AU - Polinsky, Isaac
AU - Datta, Pubali
AU - Bates, Adam
AU - Enck, William
N1 - Publisher Copyright:
© 2024 Owner/Author.
PY - 2024/5/13
Y1 - 2024/5/13
N2 - Serverless computing is supplanting past versions of cloud computing as the easiest way to rapidly prototype and deploy applications. However, the reentrant and ephemeral nature of serverless functions only exacerbates the challenge of correctly specifying security policies. Unfortunately, with role-based access control solutions like Amazon Identity and Access Management (IAM) already suffering from pervasive misconfiguration problems, the likelihood of policy failures in serverless applications is high. In this work, we introduce GRASP, a graph-based analysis framework for modeling serverless access control policies as queryable reachability graphs. GRASP generates reusable models that represent the principals of a serverless application and the interactions between those principals. We implement GRASP for Amazon IAM in Prolog, then deploy it on a corpus of 731 open source Amazon Lambda applications. We find that serverless policies tend to be short and highly permissive, e.g., 92% of surveyed policies are comprised of just 10 statements and 30% exhibit full reachability between all application functions and resources. We then use GRASP to identify potential attack vectors permitted by these policies, including hundreds of sensitive access channels, a dozen publicly-exposed resources, and four channels that may permit an attacker to exfiltrate an application's private resources through one of its public resources. These findings demonstrate GRASP's utility as a means of identifying opportunities for hardening application policies and highlighting potential exfiltration channels.
AB - Serverless computing is supplanting past versions of cloud computing as the easiest way to rapidly prototype and deploy applications. However, the reentrant and ephemeral nature of serverless functions only exacerbates the challenge of correctly specifying security policies. Unfortunately, with role-based access control solutions like Amazon Identity and Access Management (IAM) already suffering from pervasive misconfiguration problems, the likelihood of policy failures in serverless applications is high. In this work, we introduce GRASP, a graph-based analysis framework for modeling serverless access control policies as queryable reachability graphs. GRASP generates reusable models that represent the principals of a serverless application and the interactions between those principals. We implement GRASP for Amazon IAM in Prolog, then deploy it on a corpus of 731 open source Amazon Lambda applications. We find that serverless policies tend to be short and highly permissive, e.g., 92% of surveyed policies are comprised of just 10 statements and 30% exhibit full reachability between all application functions and resources. We then use GRASP to identify potential attack vectors permitted by these policies, including hundreds of sensitive access channels, a dozen publicly-exposed resources, and four channels that may permit an attacker to exfiltrate an application's private resources through one of its public resources. These findings demonstrate GRASP's utility as a means of identifying opportunities for hardening application policies and highlighting potential exfiltration channels.
KW - access control
KW - security policy analysis
KW - serverless computing
UR - http://www.scopus.com/inward/record.url?scp=85194072486&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85194072486&partnerID=8YFLogxK
U2 - 10.1145/3589334.3645436
DO - 10.1145/3589334.3645436
M3 - Conference contribution
AN - SCOPUS:85194072486
T3 - WWW 2024 - Proceedings of the ACM Web Conference
SP - 1644
EP - 1655
BT - WWW 2024 - Proceedings of the ACM Web Conference
PB - Association for Computing Machinery
Y2 - 13 May 2024 through 17 May 2024
ER -