TY - GEN
T1 - Detecting Multi-Step IAM Attacks in AWS Environments via Model Checking
AU - Shevrin, Ilia
AU - Margalit, Oded
N1 - Publisher Copyright:
© 2023 32nd USENIX Security Symposium, USENIX Security 2023. All rights reserved.
PY - 2023/1/1
Y1 - 2023/1/1
AB - Cloud services enjoy a surging popularity among IT professionals, owing to their rapid provision of virtual infrastructure on demand. Hand-in-hand with the growing usage, there is also a growing concern about potential security vulnerabilities arising from misconfigurations, exposing resources or allowing malicious actors to escalate privileges. Model checking is a known method for verifying that a finite-state Boolean model of a system satisfies certain properties, where the model and the properties are described in formal logic. In case it doesn't, a finite trace leading to a violating state can be generated. In this paper, we present an approach to construct a finite-state Boolean model from the Identity and Access Management (IAM) component of Amazon Web Services (AWS), and a property from an attack target, e.g., read a classified S3 bucket object. We run a model checker that detects whether some initial setup allows an attacker to escalate privileges and reach the target in one or more steps by applying IAM-manipulating actions. We show that our approach can discover existing misconfigurations in real AWS environments, and that it can detect multi-step attacks in setups containing tens of AWS accounts with hundreds of resources in under a minute.
UR - http://www.scopus.com/inward/record.url?scp=85176138088&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85176138088
T3 - 32nd USENIX Security Symposium, USENIX Security 2023
SP - 6025
EP - 6042
BT - 32nd USENIX Security Symposium, USENIX Security 2023
PB - USENIX Association
T2 - 32nd USENIX Security Symposium, USENIX Security 2023
Y2 - 9 August 2023 through 11 August 2023
ER -