CloudLens: Modeling and Detecting Cloud Security Vulnerabilities (2402.10985v3)

Published 16 Feb 2024 in cs.CR and cs.AI

Abstract: Cloud computing services provide scalable and cost-effective solutions for data storage, processing, and collaboration. With their growing popularity, concerns about security vulnerabilities are increasing. To address this, we first provide a formal model, called CloudLens, that expresses the relations between different cloud objects such as users, datastores, and security roles, thereby representing the access control policies of a cloud system. Second, since access control misconfigurations are often the primary driver of cloud attacks, we develop a planning model for detecting security vulnerabilities. Such vulnerabilities can lead to widespread attacks such as ransomware and sensitive data exfiltration, among others. A planner generates attacks to identify these vulnerabilities in the cloud. Finally, we test our approach on 14 real Amazon AWS cloud configurations from different commercial organizations. Our system identifies a broad range of security vulnerabilities that state-of-the-art industry tools cannot detect.
