
CloudLens: Modeling and Detecting Cloud Security Vulnerabilities

Published 16 Feb 2024 in cs.CR and cs.AI | (2402.10985v4)

Abstract: Cloud computing services provide scalable and cost-effective solutions for data storage, processing, and collaboration. With their growing popularity, concerns about security vulnerabilities are increasing. To address this, first, we provide a formal model, called CloudLens, that expresses relations between different cloud objects such as users, datastores and security roles, representing access control policies in cloud systems. Second, as access control misconfigurations are often the primary driver for cloud attacks, we develop a planning model for detecting security vulnerabilities. Such vulnerabilities can lead to widespread attacks such as ransomware and sensitive data exfiltration, among others. A planner generates attacks to identify such vulnerabilities in the cloud. Finally, we test our approach on 14 real Amazon AWS cloud configurations of different commercial organizations. Our system can identify a broad range of security vulnerabilities, which state-of-the-art industry tools cannot detect.


Summary

  • The paper presents CloudLens, a formal model that represents cloud IAM configurations (users, groups, roles, policies, datastores) as relational tuples.
  • The model is encoded in PDDL so that an off-the-shelf planner can generate multi-step attack paths for privilege escalation, data exfiltration and ransomware; the model is designed to apply to AWS, GCP and Azure alike.
  • Experiments on 14 real-world AWS configurations show that attack paths are typically short, meaning the underlying IAM misconfigurations are cheap to exploit in practice.

CloudLens: Modeling and Detecting Cloud Security Vulnerabilities

Introduction

Cloud computing offers significant advantages in scalability and cost-effectiveness for business operations. However, the increasing reliance on cloud services raises substantial security concerns, particularly around misconfigurations in Identity and Access Management (IAM) policies that can lead to data breaches and other cyber threats. The paper "CloudLens: Modeling and Detecting Cloud Security Vulnerabilities" presents a framework for identifying potential vulnerabilities in cloud IAM configurations using AI planning approaches.

IAM Vulnerabilities in Cloud Environments

The paper argues that IAM misconfigurations are a principal cause of cloud security incidents, enabling privilege escalation, ransomware and data exfiltration. Figure 1 reports, for each real-world dataset, how many distinct users the planner could compromise.

Figure 1: Real-world datasets: The number of unique compromised users (after exclusion of admin users).

Methodology

IAM Model Representation

The framework represents an IAM configuration as a set of relational tuples that capture the relationships between identities (users, roles, groups), their policies and the resources (datastores) those policies govern. The model is intended to be cloud-agnostic (AWS, GCP, Azure), and since a configuration change corresponds to adding or removing tuples, the model can be kept in step with a changing account rather than rebuilt.

PDDL Modeling

The framework encodes the tuple model in the Planning Domain Definition Language (PDDL) so that a planner can search for attack paths. Multi-step attacks emerge as plans, i.e. sequences of actions whose preconditions are satisfied in turn and that end in a successful exploit. Key modeling components include:

  • Relational Tuples: predicates encoding permissions (a policy allows an action on a resource) and identity relations (group membership, policy attachment, role trust).
  • Permission Flow Actions: how permissions propagate through those identity relations, so that a principal's effective permissions are derived rather than read off a single policy.
  • Attack Actions: the final step that realizes an attack goal once the necessary permissions have been obtained, such as reading or destroying a sensitive datastore.

    Figure 2: Distribution of attack path lengths measured in terms of the number of actions.

Attack Path Generation

Given an initial foothold (an identity the attacker controls), the planner searches for a chain of permission-flow actions that assembles the permissions required by an attack action. Different classes of attack actions are considered, such as data exfiltration and privilege escalation, and an attack simulation succeeds only if such a chain exists; the resulting plan is the attack path.
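To make the preceding three pieces concrete (the tuple model, the permission-flow and attack actions, and the search for an attack path), here is an added example that is not part of the paper or its code: a small forward-search planner in Python over a constructed IAM tuple model. It uses breadth-first search instead of the paper's PDDL/Fast Downward pipeline, so it returns a shortest attack path measured in actions, the same measure Figure 2 uses. All principal, policy and bucket names are invented, and the AWS semantics encoded (sts:AssumeRole requiring both an identity-policy allow and a trust-policy entry, iam:AttachUserPolicy on oneself as an escalation primitive, S3 versioning as a mitigation for destructive ransomware) are well-known AWS behaviours, not results from the paper.

```python
"""Minimal forward-search planner over an IAM tuple model (added example).

Facts are relational tuples in the spirit of CloudLens. "Permission flow"
rules derive a principal's effective permissions, "attack" rules reach a goal
fact, and breadth-first search returns a shortest action sequence, i.e. an
attack path. All names below are constructed for this example.
"""
from collections import deque
from typing import Callable, FrozenSet, Iterator, List, Optional, Tuple

Fact = Tuple[str, ...]
State = FrozenSet[Fact]
Step = Tuple[str, FrozenSet[Fact]]          # (action label, facts the action adds)
Rule = Callable[[State], Iterator[Step]]


def by(state: State, rel: str) -> Iterator[Fact]:
    """All facts of relation `rel`, e.g. by(s, "allows") -> ("allows", pol, act, res)."""
    return (f for f in state if f[0] == rel)


def effective_policies(state: State, p: str) -> set:
    """Policies attached to p directly or to a group p is a member of."""
    groups = {g for _, u, g in by(state, "member-of") if u == p}
    return {pol for _, who, pol in by(state, "attached") if who == p or who in groups}


# ---- Permission-flow actions -------------------------------------------------

def flow_permission(state: State) -> Iterator[Step]:
    """A controlled principal acquires every grant of its effective policies."""
    for _, p in by(state, "controls"):
        for pol in effective_policies(state, p):
            grants = frozenset(("has", p, a, r)
                               for _, q, a, r in by(state, "allows") if q == pol)
            if grants and not grants <= state:
                yield f"flow: {p} gets permissions of {pol}", grants


def assume_role(state: State) -> Iterator[Step]:
    """sts:AssumeRole needs BOTH an identity-policy allow and a matching trust policy."""
    for _, p, act, role in by(state, "has"):
        if (act == "sts:AssumeRole" and ("controls", p) in state
                and ("trusts", role, p) in state and ("controls", role) not in state):
            yield f"assume-role: {p} -> {role}", frozenset({("controls", role)})


def attach_user_policy(state: State) -> Iterator[Step]:
    """iam:AttachUserPolicy on oneself lets a user attach any managed policy in
    the account: a well-known IAM privilege-escalation primitive."""
    for _, p in by(state, "controls"):
        if ("has", p, "iam:AttachUserPolicy", p) not in state:
            continue
        for _, pol in by(state, "policy"):
            if ("attached", p, pol) not in state:
                yield f"privesc: {p} attaches {pol} to self", frozenset({("attached", p, pol)})


# ---- Attack actions ----------------------------------------------------------

def exfiltrate(state: State) -> Iterator[Step]:
    """Read a sensitive bucket with a controlled principal that holds s3:GetObject."""
    for _, p, act, b in by(state, "has"):
        if (act == "s3:GetObject" and ("controls", p) in state
                and ("sensitive", b) in state and ("exfiltrated", b) not in state):
            yield f"attack: {p} exfiltrates {b}", frozenset({("exfiltrated", b)})


def ransomware(state: State) -> Iterator[Step]:
    """Destructive ransomware needs delete rights on a bucket whose objects cannot
    be recovered; a versioned bucket (ideally with MFA Delete) removes that precondition."""
    for _, p, act, b in by(state, "has"):
        if (act == "s3:DeleteObject" and ("controls", p) in state
                and ("sensitive", b) in state and ("versioned", b) not in state
                and ("ransomed", b) not in state):
            yield f"attack: {p} ransoms {b}", frozenset({("ransomed", b)})


RULES: List[Rule] = [flow_permission, assume_role, attach_user_policy, exfiltrate, ransomware]


def plan(initial: State, goal: Fact) -> Optional[List[str]]:
    """Breadth-first forward search; the first plan reaching `goal` is a shortest one."""
    frontier = deque([(initial, [])])
    seen = {initial}
    while frontier:
        state, path = frontier.popleft()
        if goal in state:
            return path
        for rule in RULES:
            for label, adds in rule(state):
                nxt = state | adds
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append((nxt, path + [label]))
    return None


# Constructed sample account (hypothetical): a developer who can hop into a CI
# role that may read and delete objects in a sensitive export bucket.
SAMPLE: State = frozenset({
    ("controls", "dev-alice"),                     # attacker's initial foothold
    ("member-of", "dev-alice", "developers"),
    ("attached", "developers", "DevBaseline"),
    ("allows", "DevBaseline", "sts:AssumeRole", "ci-role"),
    ("trusts", "ci-role", "dev-alice"),
    ("attached", "ci-role", "CiArtifacts"),
    ("allows", "CiArtifacts", "s3:GetObject", "customer-exports"),
    ("allows", "CiArtifacts", "s3:DeleteObject", "customer-exports"),
    ("sensitive", "customer-exports"),
    ("policy", "DevBaseline"), ("policy", "CiArtifacts"),
})

if __name__ == "__main__":
    for goal in (("exfiltrated", "customer-exports"), ("ransomed", "customer-exports")):
        print(goal, plan(SAMPLE, goal))
    hardened = SAMPLE | {("versioned", "customer-exports")}
    print("ransomware with versioning enabled:", plan(hardened, ("ransomed", "customer-exports")))
```

Running the block yields a four-action path for both goals (derive the group's permissions, assume the CI role, derive the role's permissions, then read or delete the bucket). Adding the single tuple ("versioned", "customer-exports") makes the ransomware goal unreachable while leaving the exfiltration path intact, which is the kind of configuration-level fix the evaluation section points at; a path through iam:AttachUserPolicy appears as soon as a controlled user holds that permission on itself.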

Experimental Evaluation

The framework is tested on 14 real-world AWS configurations from different organizations and finds vulnerabilities that current state-of-the-art tools miss. The experiments show:

  • A large number of users in these environments are exposed to more than one class of attack.
  • Attack paths are mostly short sequences of actions, so the underlying misconfigurations are cheap to exploit.
  • Common weaknesses include IAM policies that permit unrestricted data movement and S3 buckets without versioning and MFA Delete, which leaves their objects exposed to deletion- or overwrite-based ransomware.

    Figure 3: Execution time of the translation and search phases of the Fast Downward planner (log scale).

Conclusion

The "CloudLens" framework detects cloud security vulnerabilities by modeling IAM configurations formally and letting an AI planner search for attacks. Beyond the individual findings, the work makes the case for continuous evaluation of IAM policies, since escalated privileges and data exposure arise from configurations that drift over time. Future research may explore further scalability improvements and integration with real-time threat detection.

In summary, the framework provides an effective toolset for cloud security analysis, able to tackle complex multi-step attack scenarios and expose significant vulnerabilities that demand attention in modern cloud infrastructure deployments.
