Towards Inter-Service Data Flow Analysis of Serverless Applications


Research area: Verification



Conference: 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)


Abstract

The recent advent of serverless applications has created a need for static analysis tools to analyse them. However, the event-driven architecture of serverless applications, along with the black-box nature of the services they invoke, make static analysis challenging. In this work, we propose a novel approach to statically analysing serverless applications, with a focus on the identification of data flows that can lead to code injection and information leakage. To reach our goal, we first design a new suite of microbenchmarks, which we publicly release. The microbenchmarks are based on documented serverless-specific vulnerabilities and the characterization of an existing dataset. We then introduce our static analysis approach and show how it can factor in the effect of platform services and event-triggered code execution by extracting relevant information from both infrastructure and application code. This information is used to obtain a synchronous equivalent of the underlying asynchronous system, which can be inspected with a general-purpose static analysis tool. Preliminary evaluation results using a prototype implementation of our approach and the microbenchmark suite confirm the potential of our analysis technique.


Author Profile
Giuseppe Raffa

Royal Holloway University London UK

No information
Author Profile
Jorge Blasco

Universidad Politecnica Madrid Spain

Spain
Author Profile
Dan O'Keeffe

Royal Holloway University London UK

No information

Paper information

Publication year: 2024
Citations: 211
Country of publication: Spain
Site: IEEE