Detecting Denial of Wallet Vulnerabilities in Serverless Applications

MSc Proposal 2023-24

Name

DoWGuard

Title

Dissertation: Detecting Denial of Wallet Vulnerabilities in Serverless Applications

Advisor

Nuno Santos, Rodrigo Bruno

Objectives

Serverless computing has gained popularity due to its automated scalability and availability in a pay-as-you-go manner, enabling developers to focus on the application logic rather than worrying about the infrastructure. In particular, JavaScript is one of the most popular programming languages for serverless applications. On top of the typical JavaScript vulnerabilities, such as injection attacks, these applications are also vulnerable to a new set of attacks specific to the serverless environment, such as the Denial of Wallet (DoW) attacks. In this type of attack, attackers can exploit the flexible scalability of serverless architectures to trigger excessive resource usage, such as external APIs or public storage, resulting in financial damage to organizations. Therefore, the need for an effective detection mechanism to safeguard against DoW vulnerabilities in serverless applications is paramount.

This thesis proposal aims to develop DoWGuard, an automated tool to detect and mitigate DoW vulnerabilities in serverless applications. Following the successful approach of RuleKeeper [1] in finding GDPR compliance violations, DoWGuard will employ a similar technique for static analysis by analyzing the source code of serverless applications. By constructing a code property graph (CPG) model, DoWGuard will identify specific patterns indicative of DoW vulnerabilities, enabling developers to proactively address these security risks.

The primary objectives of this project are as follows: (1) Design and implement DoWGuard, a novel detection tool for DoW vulnerabilities in serverless applications; (2) Extend the existing code property graph (CPG) model to include serverless-specific constructs and interactions with external resources. (3) Define and specify queries within DoWGuard to accurately identify DoW vulnerability patterns, minimizing false positives and false negatives. (4) Integrate DoWGuard into the CI/CD pipeline of serverless applications, providing developers with immediate feedback on potential DoW vulnerabilities during the development lifecycle. (5) Evaluate DoWGuard's effectiveness by applying it to a diverse dataset of real-world serverless applications, including those using AWS Lambda or similar platforms.

By leveraging the insights gained from previous research on enforcing secure coding practices and analyzing vulnerabilities in serverless architectures, this thesis project seeks to make original contributions to the field of serverless security. DoWGuard will enable developers and organizations to identify and mitigate DoW vulnerabilities, ensuring the integrity, availability, and financial well-being of serverless applications.

[1] RuleKeeper: https://www.computer.org/csdl/proceedings-article/sp/2023/933600b014/1Js0DzhaXNm

Requirements

Interest in software security and distributed systems.

Location

IST-Alameda (INESC-ID) or IST-Tagus

Observations

This work will be performed in collaboration with other Ph.D. students with expertise in software security and distributed systems.