Giuseppe Raffa, Royal Holloway, University of London; Jorge Blasco, Universidad Politécnica de Madrid; Dan O'Keeffe, Royal Holloway, University of London; Santanu Kumar Dash, University of Surrey
The serverless computing paradigm has significantly changed how modern cloud applications are developed. This model allows developers to focus on application business logic while outsourcing infrastructure details, such as machine provisioning, to the cloud provider. However, the serverless model also presents new security challenges. Among these, static analysis of application security, a fundamental part of the secure software development lifecycle, becomes more complex due to the presence of event-triggered code and the black-box nature of cloud services.
In this paper, we present CloudFlow, a novel framework to statically detect security-sensitive data flows in serverless applications. To achieve this, CloudFlow leverages the infrastructure definition provided by the developer to identify the events, permissions and entry points of an application. Using this information and custom models for events and cloud API calls, it instruments the application code, which can then be analysed with general-purpose methods for static analysis. We evaluate our framework against a new suite of 40 microbenchmarks, CloudBench. Furthermore, we analyse 104 real-world applications selected from a recent dataset. To the best of our knowledge, this is the largest security-focused analysis of serverless applications to date. Our results show that CloudFlow passes all microbenchmarks, apart from three, and detects 11 code injection and information leakage vulnerabilities in real-world applications. Both CloudFlow and CloudBench are open-source to support future research.
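To make the approach concrete, the following added example (not CloudFlow's code) sketches the pipeline the abstract describes: an infrastructure definition supplies the handlers and their triggers, an event model marks which triggers carry untrusted input, a cloud/OS API model marks injection sinks, and a simple forward taint pass over the handler's AST connects the two. The serverless-style configuration, the handler module and the two models are constructed for illustration and are far simpler than the paper's models.

```python
import ast
import json

# Constructed infrastructure definition (a serverless.yml-style document, given here as JSON).
INFRA = json.loads("""{"functions": {
  "resize":  {"handler": "app.resize",  "events": [{"http": {"path": "/resize", "method": "post"}}]},
  "cleanup": {"handler": "app.cleanup", "events": [{"schedule": "rate(1 hour)"}]}}}""")

# Constructed application module matching the handlers above.
APP_SRC = """
import os, subprocess
def resize(event, context):
    name = event["body"]["filename"]            # data from the HTTP request body
    os.system("convert " + name + " out.png")   # shell command built from that data
    return {"statusCode": 200}
def cleanup(event, context):
    subprocess.run(["rm", "-rf", "/tmp/cache"])  # no event-derived data reaches the call
    return {}
"""

# Event model: trigger types whose payload is externally controlled (assumed, simplified).
UNTRUSTED_EVENTS = {"http", "sqs", "s3"}
# API model: calls treated as command-injection sinks (assumed, simplified).
SINKS = {("os", "system"), ("subprocess", "run"), ("subprocess", "Popen")}

def entry_points(infra):
    """Map each handler function name to True if any of its triggers is untrusted."""
    return {fn["handler"].split(".")[-1]: any(k in UNTRUSTED_EVENTS for ev in fn["events"] for k in ev)
            for fn in infra["functions"].values()}

def names_in(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def find_flows(src, infra):
    """Return (handler, line) pairs where event-derived data reaches a sink, in statement order."""
    eps, findings = entry_points(infra), []
    for fn in ast.parse(src).body:
        if not isinstance(fn, ast.FunctionDef) or not eps.get(fn.name) or not fn.args.args:
            continue
        tainted = {fn.args.args[0].arg}  # the event parameter is the only taint source
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign) and names_in(stmt.value) & tainted:
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                f = call.func
                if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                        and (f.value.id, f.attr) in SINKS
                        and any(names_in(a) & tainted for a in call.args)):
                    findings.append((fn.name, stmt.lineno))
    return findings
```

Running `find_flows(APP_SRC, INFRA)` reports the flow in `resize` only; `cleanup` is skipped because its schedule trigger delivers no external data, which is exactly the kind of entry-point knowledge the infrastructure definition provides.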
author = {Giuseppe Raffa and Jorge Blasco and Dan O{\textquoteright}Keeffe and Santanu Kumar Dash},
title = {{CloudFlow}: Identifying Security-sensitive Data Flows in Serverless Applications},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {1073--1090},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/raffa},
publisher = {USENIX Association},
month = aug
}