DOI: 10.1145/3691620.3695279
Research article, Open access

Cloud Resource Protection via Automated Security Property Reasoning

Published: 27 October 2024

Abstract

As cloud computing gains widespread adoption across industries, securing cloud resources has become a top priority for cloud providers. However, ensuring configuration security among highly interconnected cloud resources is challenging because of the complexity of resource modeling, correlation analysis across resources, and security checks at large scale. To tackle these practical challenges, we propose Security Invariants (SI), a precise, effective, and scalable tool that proactively protects cloud resources through automated security reasoning. We have integrated SI into the rigorous Amazon Web Services (AWS) security review process. Working alongside security engineers and other security scanners, SI periodically scans billions of cloud resources in pre-launch services for potential security risks, maximizing the security guarantees of cloud applications. The continuous assessment of evolving resources not only brings a deep understanding of cloud security risks but also provides a generalized solution from a holistic security-analysis perspective.
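The abstract's central point is that a security property often spans several interconnected resources (a network path, an identity, and a data store), so checking each resource in isolation misses it. The block below is an added example, not the paper's SI tool or any code from the authors: a small Python checker that evaluates one per-resource invariant and one cross-resource invariant over a constructed inventory. The inventory schema, the bucket and role ARNs, the instance and security-group identifiers, the simplified IAM evaluation, and the two invariants are all assumptions made for illustration.

```python
"""Toy cross-resource security invariant checker over an AWS-style inventory.

Added example; not the paper's tool. The inventory below is constructed
sample data (made-up account ID, ARNs, instances and security groups).
"""
from fnmatch import fnmatch

OPS_ROLE = "arn:aws:iam::123456789012:role/ops"
WEB_ROLE = "arn:aws:iam::123456789012:role/web"

INVENTORY = {  # constructed sample inventory, not real account data
    "s3": {
        "arn:aws:s3:::audit-logs": {"public_read": False, "holds": "cloudtrail"},
        "arn:aws:s3:::marketing-site": {"public_read": True, "holds": "static"},
    },
    "security_groups": {
        "sg-open": {"ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
        "sg-closed": {"ingress": [{"cidr": "10.0.0.0/8", "port": 22}]},
    },
    "roles": {
        OPS_ROLE: {"statements": [
            {"Effect": "Allow",
             "Action": ["s3:PutObject", "s3:DeleteObject"],
             "Resource": "arn:aws:s3:::audit-logs/*"}]},
        WEB_ROLE: {"statements": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::marketing-site/*"}]},
    },
    "ec2": {
        "i-bastion": {"sg": "sg-open", "role": OPS_ROLE},
        "i-web": {"sg": "sg-closed", "role": WEB_ROLE},
    },
}


def _match(pattern_or_list, value):
    """IAM-style wildcard match; Action and Resource may be a string or a list."""
    patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(fnmatch(value.lower(), p.lower()) for p in patterns)


def role_allows(role, action, resource_arn):
    """Simplified identity-policy evaluation: any matching Deny wins, else any Allow.

    Assumption for illustration: no resource policies, SCPs or conditions.
    """
    allowed = False
    for st in role["statements"]:
        if _match(st["Action"], action) and _match(st["Resource"], resource_arn):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def internet_exposed(inventory, instance_id):
    """True if the instance's security group admits ingress from anywhere."""
    sg = inventory["security_groups"][inventory["ec2"][instance_id]["sg"]]
    return any(r["cidr"] in ("0.0.0.0/0", "::/0") for r in sg["ingress"])


def inv_no_public_read_bucket(inventory):
    """Per-resource invariant: no bucket grants public read."""
    return [("no_public_read_bucket", arn, "bucket allows public read")
            for arn, b in inventory["s3"].items() if b["public_read"]]


def inv_audit_logs_not_writable_from_internet(inventory):
    """Cross-resource invariant: no internet-reachable instance carries a role
    that can write or delete objects in a bucket holding CloudTrail logs.
    Correlates security group -> instance -> role -> bucket."""
    findings = []
    log_buckets = [arn for arn, b in inventory["s3"].items() if b["holds"] == "cloudtrail"]
    for iid, inst in inventory["ec2"].items():
        if not internet_exposed(inventory, iid):
            continue
        role = inventory["roles"][inst["role"]]
        for arn in log_buckets:
            for action in ("s3:PutObject", "s3:DeleteObject"):
                if role_allows(role, action, arn + "/anyobject"):
                    findings.append(("audit_log_bucket_not_writable_from_internet", iid,
                                     f"{inst['role']} may {action} on {arn}"))
                    break
    return findings


INVARIANTS = [inv_no_public_read_bucket, inv_audit_logs_not_writable_from_internet]


def check(inventory):
    """Run every invariant and return (invariant, subject, detail) findings."""
    return [f for inv in INVARIANTS for f in inv(inventory)]


if __name__ == "__main__":
    for name, subject, detail in check(INVENTORY):
        print(f"VIOLATION {name}: {subject}: {detail}")
```

The second invariant is the kind of check a per-resource scanner cannot express: the open security group, the instance role and the log bucket are each individually defensible, and the risk only appears once the three are correlated. A real checker would also have to evaluate resource policies, SCPs, permission boundaries and conditions, which this simplified `role_allows` deliberately omits.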



Published In

ASE '24: Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering
October 2024, 2587 pages
ISBN: 9798400712487
DOI: 10.1145/3691620
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. cloud security
  2. cloud resource
  3. resource configuration

Conference

ASE '24

Acceptance Rates

Overall Acceptance Rate 82 of 337 submissions, 24%

Article Metrics

Total Citations: 0
Total Downloads: 136 (136 in the last 12 months, 44 in the last 6 weeks)
Reflects downloads up to 05 Mar 2025
