GRASP: Hardening Serverless Applications through Graph Reachability Analysis of Security Policies

Isaac Polinsky; Pubali Datta; Adam Bates; William Enck

GRASP: Hardening Serverless Applications through Graph Reachability Analysis of Security Policies

Isaac Polinsky, Pubali Datta, Adam Bates, William Enck

Published: 23 Jan 2024, Last Modified: 23 May 2024TheWebConf24EveryoneRevisionsBibTeX

Keywords: Cloud Security, Access Control, Serverless Computing, Function-as-a-Service

TL;DR: Security analysis of serverless access control policies of real-world applications through graph-based modelling

Abstract: Serverless computing is supplanting past versions of cloud computing as the easiest way to rapidly prototype and deploy applications. However, the reentrant and ephemeral nature of serverless functions only exacerbates the challenge of correctly specifying security policies. Unfortunately, with role-based access control solutions like Amazon Identity and Access Management (IAM) already suffering from pervasive misconfiguration problems, the likelihood of policy failures in serverless applications is high. In this work, we introduce GRASP, a graph-based analysis framework for modeling serverless access control policies as queryable reachability graphs. GRASP generates reusable models that represent the principals of a serverless application, and the interactions between those principals. We implement GRASP for Amazon IAM in Prolog, then deploy it on a corpus of 731 open source Amazon Lambda applications. We find that serverless policies tend to be short and highly permissive, e.g., 92% of surveyed policies are comprised of just 10 statements and 30% exhibit full reachability between all application functions and resources. We then use GRASP to identify potential attack vectors permitted by these policies, including hundreds of sensitive access channels, a dozen publicly-exposed resources, and four channels that may permit an attacker to exfiltrate an application’s private resources through one of its public resources. These findings demonstrate GRASP’s utility as a means of identifying opportunities for hardening application policies and highlighting potential exfiltration channels.

Track: Security

Submission Guidelines Scope: Yes

Submission Guidelines Blind: Yes

Submission Guidelines Format: Yes

Submission Guidelines Limit: Yes

Submission Guidelines Authorship: Yes

Student Author: No

Submission Number: 678

Loading