CloudFlow: Identifying Security-sensitive Data Flows in Serverless Applications

Raffa, Giuseppe ORCID: https://orcid.org/0009-0003-9178-4559, Blasco Alis, Jorge ORCID: https://orcid.org/0000-0003-4392-9023, O’Keeffe, Dan ORCID: https://orcid.org/0000-0003-3751-477X and Dash, Santanu Kumar ORCID: https://orcid.org/0000-0002-5674-8531 (2025). CloudFlow: Identifying Security-sensitive Data Flows in Serverless Applications. In: "34th USENIX Security Symposium", August 13–15, 2025, Seattle, WA, USA. ISBN 978-1-939133-52-6. pp. 1073-1090. https://doi.org/10.5555/3766078.3766134.

Description

Title: CloudFlow: Identifying Security-sensitive Data Flows in Serverless Applications
Author(s):
Document Type: Conference or Workshop Paper (Article)
Event Title: 34th USENIX Security Symposium
Event Dates: August 13–15, 2025
Event Location: Seattle, WA, USA
Book Title: Proceedings of the 34th USENIX Security Symposium
Date: 13 August 2025
ISBN: 978-1-939133-52-6
Subjects:
SDGs:
School: E.T.S.I. de Sistemas Informáticos (UPM)
Department: Sistemas Informáticos
Creative Commons Licence: Attribution - No Derivatives - Non-Commercial

Full text

PDF (Portable Document Format): 10486428.pdf (660kB)

Abstract

The serverless computing paradigm has significantly changed how modern cloud applications are developed. This model allows developers to focus on application business logic while outsourcing infrastructure details, such as machine provisioning, to the cloud provider. However, the serverless model also presents new security challenges. Among these, static analysis of application security, a fundamental part of the secure software development lifecycle, becomes more complex due to the presence of event-triggered code and the black-box nature of cloud services.

In this paper, we present CloudFlow, a novel framework to statically detect security-sensitive data flows in serverless applications. To achieve this, CloudFlow leverages the infrastructure definition provided by the developer to identify the events, permissions and entry points of an application. Using this information, together with custom models for events and cloud API calls, it instruments the application code, which can then be analysed with general-purpose static analysis methods. We evaluate our framework against a new suite of 40 microbenchmarks, CloudBench. Furthermore, we analyse 104 real-world applications selected from a recent dataset. To the best of our knowledge, this is the largest security-focused analysis of serverless applications to date. Our results show that CloudFlow passes all but three of the microbenchmarks and detects 11 code injection and information leakage vulnerabilities in real-world applications. Both CloudFlow and CloudBench are open-source to support future research.

Associated projects

Type                  Code                   Acronym         Principal Investigator   Title
Gobierno de España    PID2023-151996OB-I00   Not specified   Not specified            Not specified
Not specified         EP/Y036417/1           Not specified   Not specified            Not specified

More information

Record ID: 95586
DC Identifier: https://oa.upm.es/95586/
OAI Identifier: oai:oa.upm.es:95586
Scientific Portal URL: https://portalcientifico.upm.es/es/ipublic/item/10486428
DOI Identifier: 10.5555/3766078.3766134
Official URL: https://www.usenix.org/conference/usenixsecurity25...
Deposited by: iMarina Portal Científico
Deposited on: 17 Apr 2026 07:22
Last Modified: 17 Apr 2026 07:22