Security
The transition to a serverless model has many implications for security. Established techniques such as secure enclaves can be used with FaaS, but doing so requires overcoming various obstacles [1,2,3].
Fine-grained isolation in FaaS offers potential security benefits, but it will be difficult for programmers to take advantage of this without supporting tools and techniques. Information flow control [4] provides the basis for some approaches, including Valve [5] and work by Alpernas et al. [6]. Will.iam [7] a produces more robust permission boundaries through workflow integration, and Hong et al. [8] suggest a collection of design patterns that can help develop secure serverless applications.
Researchers have found that serverless computing is susceptible to novel forms of attack. For example, Kelly et al. [9] describe “denial of wallet” attacks that exploit the scalability of serverless computing to exhaust the victim’s budget. The Warmonger attack [10] is a type of denial of service attack that exploits multi-tenant infrastructure to introduce abusive activity on a victim’s IPs, leading other services to block them.
Work has also focused on analyzing the security of specific applications, e.g., the OmniBallot online voting system [11].
- [1]Bohdan Trach, Oleksii Oleksenko, Franz Gregor, Pramod Bhatotia, and Christof Fetzer. 2019. Clemmys: Towards Secure Remote Execution in FaaS. In Proceedings of the 12th ACM International Conference on Systems and Storage, 44–54.
- [2]Weizhong Qiang, Zezhao Dong, and Hai Jin. 2018. Se-Lambda: Securing Privacy-Sensitive Serverless Applications Using SGX Enclave. In International Conference on Security and Privacy in Communication Systems, Springer, 451–470.
- [3]David Goltzsche, Manuel Nieke, Thomas Knauth, and Rüdiger Kapitza. 2019. Acctee: A WebAssembly-Based Two-Way Sandbox for Trusted Resource Accounting. In Proceedings of the 20th International Middleware Conference, 123–135.
- [4]Andrei Sabelfeld and Andrew C. Myers. 2003. Language-Based Information-Flow Security. IEEE Journal on Selected Areas in Communications 21, 1 (2003), 5–19.
- [5]Pubali Datta, Prabuddha Kumar, Tristan Morris, Michael Grace, Amir Rahmati, and Adam Bates. 2020. Valve: Securing Function Workflows on Serverless Computing Platforms. In Proceedings of The Web Conference 2020, 939–950.
- [6]Kalev Alpernas, Cormac Flanagan, Sadjad Fouladi, Leonid Ryzhyk, Mooly Sagiv, Thomas Schmitz, and Keith Winstein. 2018. Secure Serverless Computing Using Dynamic Information Flow Control. Proceedings of the ACM on Programming Languages 2, OOPSLA (2018), 1–26.
- [7]Arnav Sankaran, Pubali Datta, and Adam Bates. 2020. Workflow Integration Alleviates Identity and Access Management in Serverless Computing. In Annual Computer Security Applications Conference, 496–509.
- [8]Sanghyun Hong, Abhinav Srivastava, William Shambrook, and Tudor Dumitra\cbs. 2018. Go Serverless: Securing Cloud via Serverless Design Patterns. In 10th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 18).
- [9]Alessandro Bocci, Stefano Forti, Gian-Luigi Ferrari, and Antonio Brogi. 2021. Secure FaaS Orchestration in the Fog: How Far Are We? Computing 103, 5 (2021), 1025–1056.
- [10]Junjie Xiong, Mingkui Wei, Zhuo Lu, and Yao Liu. 2021. Warmonger: Inflicting Denial-of-Service via Serverless Functions in the Cloud. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 955–969.
- [11]Michael Specter and J. Alex Halderman. 2021. Security Analysis of the Democracy Live Online Voting System. In 30th USENIX Security Symposium (USENIX Security 21).