Secure serverless computing using dynamic information flow control

Abstract
The rise of serverless computing provides an opportunity to rethink cloud security. We present an approach for securing serverless systems using a novel form of dynamic information flow control (IFC).
We show that in serverless applications the termination channel present in most existing IFC systems can be amplified without bound: an attacker issues many concurrent requests and learns one bit from each, rather than one bit per run. This calls for the stronger guarantee of termination-sensitive non-interference, which we achieve by combining static labeling of serverless processes with dynamic faceted labeling of persistent data.
We describe our implementation of this approach in JavaScript for the AWS Lambda and OpenWhisk serverless platforms, and present three realistic case studies showing that it enforces important IFC security properties with modest overhead.
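The following JavaScript is an added illustration of the two points made above; it is not code from the paper or from the Trapeze repository, and every name in it (`invoke`, `leakyHandler`, `FacetedStore`, the `L`/`H` labels, the step budget standing in for a platform timeout) is hypothetical. Part 1 models the amplified termination channel: a termination-insensitive monitor lets a branch on a secret diverge, and because each serverless invocation is separately observable, one request per bit recovers the whole secret in parallel. Part 2 models a store with faceted values and processes that carry a fixed label, so a public-labelled handler only ever sees the public facet and its termination behaviour cannot depend on secret data.

```javascript
'use strict';
// Added illustration only; not code from the paper or the Trapeze repository.
// Every name here (invoke, FacetedStore, leakyHandler, ...) is hypothetical.

const L = 'L'; // public label
const H = 'H'; // secret label

// ---- 1. Termination channel, amplified by concurrent invocations ----
// A termination-insensitive monitor stops secret-dependent *writes* but still
// lets a branch on a secret diverge. Each invocation is separately observable
// (it returns or hits the platform timeout), so an attacker sends one request
// per secret bit and reads all bits from the completion pattern.

const STEP_BUDGET = 1000; // stand-in for the platform's invocation timeout

// Run one invocation under a step budget; returns 'done' or 'timeout'.
function invoke(handler, input) {
  const ctx = { steps: 0 };
  try {
    handler(input, ctx);
    return 'done';
  } catch (e) {
    if (e.message === 'timeout') return 'timeout';
    throw e;
  }
}

// Leaky handler: spins until the timeout when the selected secret bit is 1.
function leakyHandler(secretBits) {
  return (i, ctx) => {
    while (secretBits[i] === 1) {
      if (++ctx.steps > STEP_BUDGET) throw new Error('timeout');
    }
  };
}

// N concurrent requests recover N bits at once, not one bit per run.
function extractViaTermination(handler, nBits) {
  return Array.from({ length: nBits }, (_, i) =>
    invoke(handler, i) === 'timeout' ? 1 : 0);
}

// ---- 2. Statically labelled processes + faceted persistent data ----
// Each serverless function runs with a fixed label (its pc). A write by an
// H process adds a secret facet and leaves the public facet untouched; a
// reader only ever sees the facet matching its own label. Hence the control
// flow, and the termination behaviour, of an L process cannot depend on H data.
class FacetedStore {
  constructor() { this.items = new Map(); }

  put(key, value, pc) {
    const prev = this.items.get(key) || { [L]: undefined, [H]: undefined };
    if (pc === H) {
      this.items.set(key, { [L]: prev[L], [H]: value }); // public view unchanged
    } else {
      this.items.set(key, { [L]: value, [H]: value });   // public write seen by all
    }
  }

  get(key, pc) {
    const v = this.items.get(key);
    if (v === undefined) return undefined;
    return pc === H && v[H] !== undefined ? v[H] : v[L];
  }
}

// Same loop as leakyHandler, but reads the bit through the store as an L process.
function facetedHandler(store) {
  return (i, ctx) => {
    while (store.get(`bit:${i}`, L) === 1) {
      if (++ctx.steps > STEP_BUDGET) throw new Error('timeout');
    }
  };
}

// Constructed scenario: an H process stores the secret over a public default.
function demo() {
  const secret = [1, 0, 1, 1, 0, 0, 1, 0];
  const leaked = extractViaTermination(leakyHandler(secret), secret.length);

  const store = new FacetedStore();
  secret.forEach((_, i) => store.put(`bit:${i}`, 0, L)); // public default
  secret.forEach((b, i) => store.put(`bit:${i}`, b, H)); // secret write
  const seenByL = extractViaTermination(facetedHandler(store), secret.length);
  const seenByH = secret.map((_, i) => store.get(`bit:${i}`, H));
  return { secret, leaked, seenByL, seenByH };
}

console.log(demo());
```

Running `demo()` shows `leaked` equal to the secret (eight bits from eight parallel invocations), `seenByL` all zeros regardless of the secret, and `seenByH` equal to the secret. The model deliberately omits timing, scheduling and the paper's actual label lattice; the point it isolates is that once a process's label is fixed and secret data reaches it only through faceted projection, there is no secret-dependent branch left for a termination channel to exploit.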