Master's Dissertation

Detecting Denial of Wallet Vulnerabilities in Serverless Applications

Bernardo Taipina Carvalho Ribeiro, 2024

Key information

Authors:

Bernardo Taipina Carvalho Ribeiro

Supervisors:

Rodrigo Fraga Barcelos Paulus Bruno; Nuno Miguel Carvalho dos Santos

Published on

31/10/2024

Abstract

Serverless computing has gained popularity due to its automated scalability, availability, and pay-as-you-use billing model, which reflects how elastic the service is. Furthermore, this cloud paradigm lets developers focus on application logic rather than on the infrastructure. With these benefits, however, security risks also emerge, such as data privacy violations or data exposure. Serverless computing introduces new threats, such as Denial-of-Wallet (DoW) attacks and overly permissive policies. In DoW attacks, malicious users exploit the flexible scalability of serverless architectures to trigger excessive use of billed resources, such as external APIs or public storage, resulting in financial damage to application providers. Considering these threats, in this thesis we propose Dr.FaaS, a static-analysis tool that, given the application's source code and Infrastructure-as-Code (IaC) template, produces a language- and platform-independent graph that abstracts the serverless application; this graph combines three graph types: a Control-Flow Graph, an Object-Dependency Graph and a Policy Graph. We present a DoW plugin with a library of queries that extract information from this graph to drive symbolic execution, which determines upper bounds for inputs and loop iterations; these bounds are then instrumented as assertions in the serverless functions so that the cost limits defined by the developer are not exceeded. Additionally, the graph provides sufficient data for detecting overly permissive policies, personal data violations, and potential data exfiltration through dedicated queries. Finally, we evaluated Dr.FaaS and its plugins on several AWS applications to show how efficiently and successfully it helps mitigate the threats above.
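The abstract describes instrumenting serverless functions with assertions derived from an input upper bound and a loop-iteration bound so that a flood of requests cannot run up the bill. The following Python example is added here to illustrate that mitigation in a Lambda-style handler; it is not Dr.FaaS code and does not reproduce its analysis. It assumes a developer-defined budget of `MAX_EXTERNAL_CALLS` paid calls per invocation and, as the bound the analysis would derive, that each element of `event["items"]` triggers exactly one paid call. `fake_paid_api`, `CostMeter` and the handlers are constructed names for the illustration.

```python
"""Cost-guard instrumentation for a serverless handler.

Added example (not Dr.FaaS code). Assumed: the developer has set a budget
of at most MAX_EXTERNAL_CALLS paid calls per invocation, and the static
analysis has derived that each element of event["items"] triggers exactly
one paid call, so the upper bound on the input size is the same number.
"""

from dataclasses import dataclass, field

MAX_EXTERNAL_CALLS = 5      # developer-defined cost limit per invocation (assumed)
COST_PER_CALL_USD = 0.001   # assumed unit price of the paid dependency


class CostLimitExceeded(Exception):
    """Raised by the instrumented guard instead of letting the bill grow."""


@dataclass
class CostMeter:
    """Tracks paid operations performed during one invocation."""
    budget: int
    calls: int = 0
    log: list = field(default_factory=list)

    def charge(self, what: str) -> None:
        # Instrumented assertion: refuse the call that would exceed the budget.
        if self.calls + 1 > self.budget:
            raise CostLimitExceeded(f"{what}: budget of {self.budget} calls exhausted")
        self.calls += 1
        self.log.append(what)

    def spent_usd(self) -> float:
        return self.calls * COST_PER_CALL_USD


def fake_paid_api(meter: CostMeter, item: str) -> str:
    """Stand-in for an external, per-call-billed API (constructed)."""
    meter.charge(f"lookup:{item}")
    return item.upper()


def handler(event: dict) -> dict:
    """Unguarded version: the loop bound follows the caller-controlled input size."""
    meter = CostMeter(budget=10**9)  # effectively unbounded
    results = [fake_paid_api(meter, i) for i in event.get("items", [])]
    return {"results": results, "calls": meter.calls, "cost_usd": meter.spent_usd()}


def guarded_handler(event: dict) -> dict:
    """Instrumented version: input-size bound checked up front, per-call bound inside the loop."""
    items = event.get("items", [])
    # Upper bound on the input derived from the budget (assumed: one paid call per item).
    if len(items) > MAX_EXTERNAL_CALLS:
        return {"error": "too many items", "max_items": MAX_EXTERNAL_CALLS,
                "calls": 0, "cost_usd": 0.0}
    meter = CostMeter(budget=MAX_EXTERNAL_CALLS)
    results = []
    for item in items:
        # Loop-iteration bound: charge() raises before the budget is exceeded.
        results.append(fake_paid_api(meter, item))
    return {"results": results, "calls": meter.calls, "cost_usd": meter.spent_usd()}


if __name__ == "__main__":
    small = {"items": ["a", "b"]}
    flood = {"items": [f"x{i}" for i in range(1000)]}  # constructed oversized request
    print(handler(flood)["cost_usd"])  # unguarded: bill scales with input size
    print(guarded_handler(small))      # within budget
    print(guarded_handler(flood))      # rejected before any paid call
```

The two bounds are deliberately kept separate: the input-size check rejects an oversized request before any paid work starts, while the per-call check inside `CostMeter.charge` protects loops whose trip count is not directly visible in the input (for example, pagination over a storage bucket), which is where a static bound derived by symbolic execution is most useful.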

Publication details

Scientific domain (FOS)

electrical-engineering-electronic-engineering-information-engineering - Electrical Engineering, Electronic Engineering and Information Engineering

Publication language (ISO code)

eng - English

Access to the publication:

Embargoed access

Embargo end date:

05/09/2025

Institution name

Instituto Superior Técnico