research-article
Open Access

Secure serverless computing using dynamic information flow control

Published: 24 October 2018

Abstract

The rise of serverless computing provides an opportunity to rethink cloud security. We present an approach for securing serverless systems using a novel form of dynamic information flow control (IFC).

We show that in serverless applications, the termination channel found in most existing IFC systems can be arbitrarily amplified via multiple concurrent requests, necessitating a stronger termination-sensitive non-interference guarantee, which we achieve using a combination of static labeling of serverless processes and dynamic faceted labeling of persistent data.

We describe our implementation of this approach on top of JavaScript for AWS Lambda and OpenWhisk serverless platforms, and present three realistic case studies showing that it can enforce important IFC security properties with modest overhead.
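As an added illustration (not the paper's Trapeze code), a small JavaScript model of the approach the abstract describes: each serverless process carries a static label, persistent data carries one facet per label, and a read returns the facet the reader may see instead of failing, so a request's outcome never depends on data hidden from that reader. The label lattice (sets of principals), the store API, the contrasting naive store and the scenario values are all assumptions made for this example.

```javascript
// Added illustration (not Trapeze's code). Labels are sets of principals (an
// assumed lattice): data labelled L may flow to process label P iff L is a subset of P.
const subset = (a, b) => [...a].every((p) => b.has(p));

class FacetedStore {
  constructor() { this.facets = new Map(); } // key -> [{ label, value }]

  // A process writes at its own static label; the facet it creates carries
  // that label, so the process itself never needs a dynamic label upgrade.
  write(procLabel, key, value) {
    const list = this.facets.get(key) || [];
    const i = list.findIndex((f) => subset(f.label, procLabel) && subset(procLabel, f.label));
    const facet = { label: new Set(procLabel), value };
    if (i >= 0) list[i] = facet; else list.push(facet);
    this.facets.set(key, list);
  }

  // A read never blocks or fails because of data the reader may not see: it
  // returns the most specific visible facet, or undefined. A low process's
  // control flow thus never depends on secret facets, which closes the
  // termination channel that many concurrent requests would otherwise amplify.
  read(procLabel, key) {
    const visible = (this.facets.get(key) || []).filter((f) => subset(f.label, procLabel));
    if (visible.length === 0) return undefined;
    visible.sort((a, b) => b.label.size - a.label.size); // most specific first
    return visible[0].value;
  }
}

// Contrast: a store that rejects forbidden reads. The rejection is observable,
// so a low process learns whether the key holds a secret facet: one bit per
// request, and one bit per key when the requests run concurrently.
function naiveRead(store, procLabel, key) {
  const list = store.facets.get(key) || [];
  if (list.some((f) => !subset(f.label, procLabel))) throw new Error("forbidden");
  return list.length > 0 ? list[list.length - 1].value : undefined;
}

// Constructed scenario: a public process (no principals) and one acting for
// "alice" both write "profile"; the public reader sees only the public facet
// and behaves identically whether or not alice's write happened.
function demo() {
  const store = new FacetedStore();
  const PUBLIC = new Set(), ALICE = new Set(["alice"]);
  store.write(PUBLIC, "profile", "public bio");
  store.write(ALICE, "profile", "alice's private notes");
  let naiveLeaks = false;
  try { naiveRead(store, PUBLIC, "profile"); } catch (e) { naiveLeaks = true; }
  return { publicSees: store.read(PUBLIC, "profile"), aliceSees: store.read(ALICE, "profile"), naiveLeaks };
}
```

The faceted store answers the public reader the same way with or without the secret facet, which is the property the abstract's termination-sensitive guarantee requires; the naive store's exception is exactly the observable difference that concurrent requests would amplify.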


Published in

Proceedings of the ACM on Programming Languages, Volume 2, Issue OOPSLA
November 2018
1656 pages
EISSN: 2475-1421
DOI: 10.1145/3288538

Copyright © 2018 Owner/Author

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 24 October 2018, in PACMPL Volume 2, Issue OOPSLA