Master's Thesis

Detecting Denial of Wallet Vulnerabilities in Serverless Applications

Bernardo Taipina Carvalho Ribeiro, 2024

Key information

Authors:

Bernardo Taipina Carvalho Ribeiro

Supervisors:

Rodrigo Fraga Barcelos Paulus Bruno; Nuno Miguel Carvalho dos Santos

Published in

10/31/2024

Abstract

Serverless computing has gained popularity due to its automated scalability, availability, and pay-as-you-use billing model, which make the service extremely elastic. Furthermore, this new cloud paradigm enables developers to focus on the application logic rather than on the infrastructure. However, alongside these benefits, security risks also emerge, such as data privacy violations or data exposure. Serverless computing introduces new threats, such as Denial-of-Wallet (DoW) attacks and overly permissive policies. In DoW attacks, malicious users exploit the flexible scalability of serverless architectures to trigger excessive use of resources, such as external APIs or public storage, resulting in financial damage to application providers. Considering these threats, in this thesis we propose Dr.FaaS, a static-analysis tool that, given the application's source code and Infrastructure-as-Code (IaC) template, produces a language- and platform-independent graph abstracting the serverless application: the combination of three types of graph, a Control-Flow Graph, an Object-Dependency Graph and a Policy Graph. We present a DoW plugin with a library of queries that extract information from this graph to generate symbolic executions that determine upper bounds for inputs and loop iterations; these bounds are then instrumented as assertions in the serverless functions to prevent exceeding cost limits defined by the developer. Additionally, the graph provides sufficient data for detecting overly permissive policies, personal data violations, and potential data exfiltration through dedicated queries. Finally, we evaluated Dr.FaaS and its plugins on various AWS applications to demonstrate how efficiently and successfully they help mitigate these threats.

Publication details

Fields of Science and Technology (FOS)

Electrical engineering, electronic engineering, information engineering

Publication language (ISO code)

eng - English

Rights type:

Embargoed access

Date available:

09/05/2025

Institution name

Instituto Superior Técnico