๐ค AI Summary
This study addresses the pervasive issue of over-privileged permissions in serverless applications, which significantly expands the attack surface and exposes sensitive resources. It presents the first large-scale empirical investigation into real-world serverless deployments, proposing a static code analysisโbased approach to verify permission minimization. By analyzing interactions between functions and cloud resources and incorporating IAM policy semantics, the method quantifies permission redundancy and maps it to concrete adversarial capabilities, such as privilege escalation and defense evasion. An evaluation of 689 AWS Lambda applications reveals that 47.7% suffer from over-authorization, with an average of 99.65% of granted permissions being redundant. Applications employing wildcard policies exhibit a 274-fold higher risk of over-authorization, and 18.8% possess unnecessary capabilities enabling privilege escalation.
๐ Abstract
Serverless computing has seen rapid adoption in cloud deployments, yet the security implications of its service-oriented programming model remain poorly understood. Distributed, modular, and heterogeneous applications complicate the specification of precise security policies. Role-based access control solutions such as Identity and Access Management (IAM) already exhibit pervasive misconfiguration problems, and the multiplicity of functions, services, and resources in serverless applications, together with frequent permission model changes by cloud providers, greatly increases the likelihood of policy misconfigurations. Consequently, policies are often overprivileged, thereby enlarging the attack surface and exposing sensitive cloud resources to compromise.
We present a large-scale measurement study of overprivilege in real-world serverless applications, analyzing a curated dataset of 689 AWS Lambda applications comprised of 1,293 functions. To enable this study, we develop PrivLess, a static policy analysis framework that extracts function-to-resource interactions from application source code, derives an interaction-permission mapping, and reconciles inferred interactions with declared policies to quantify overprivilege. Our measurement reveals that overprivilege is systemic and severe across the serverless ecosystem: 47.7% of applications carry excess permissions with a significant privilege reduction potential of 99.65%. Applications with wildcard-defined permissions exhibited an average overprivilege ratio 274x higher than those without. More critically, the excess permissions enable concrete attack vectors: 18.8% of applications hold unnecessary Privilege Escalation capabilities, and 12 applications had Defense Evasion permissions they did not need.