Skip to main content

Analyzing Infrastructure as Code to Prevent Intra-update Sniping Vulnerabilities

Part of the Lecture Notes in Computer Science book series (LNTCS,volume 12652)

Abstract

Infrastructure as Code is a new approach to computing infrastructure management that allows users to leverage tools such as version control, automatic deployments, and program analysis for infrastructure configurations. This approach allows for faster and more homogeneous configuration of a complete infrastructure. Infrastructure as Code languages, such as CloudFormation or TerraForm, use a declarative model so that users only need to describe the desired state of the infrastructure. However, in practice, these languages are not processed atomically. During an upgrade, the infrastructure goes through a series of intermediate states. We identify a security vulnerability that occurs during an upgrade even when the initial and final states of the infrastructure are secure, and we show that those vulnerability are possible in Amazon’s AWS and Google Cloud. We call such attacks intra-update sniping vulnerabilities. In order to mitigate this shortcoming, we present a technique that detects such vulnerabilities and pinpoints the root causes of insecure deployment migrations. We implement this technique in a tool, Häyhä, that uses dataflow graph analysis. We evaluate our tool on a set of open-source CloudFormation templates and find that it is scalable and could be used as part of a deployment workflow.

References

  1. Julian Wood: Building well-architected serverless applications: Controlling serverless API access. AWS Compute Blog, https://aws.amazon.com/blogs/compute/building-well-architected-serverless-applications-controlling-serverless-api-access-part-1/

  2. Al-Shaer, E., Marrero, W., El-Atawy, A., ElBadawi, K.: Network configuration in a box: towards end-to-end verification of network reachability and security. In: 2009 17th IEEE International Conference on Network Protocols (2009)

    Google Scholar 

  3. Amazon.com Inc: CloudFormation, aws.amazon.com

  4. Backes, J., Bolignano, P., Cook, B., Dodge, C., Gacek, A., Luckow, K., Rungta, N., Tkachuk, O., Varming, C.: Semantic-based automated reasoning for AWS access policies using smt. In: 2018 Formal Methods in Computer Aided Design (FMCAD). IEEE (2018)

    Google Scholar 

  5. Ball, T., Bjørner, N., Gember, A., Itzhaky, S., Karbyshev, A., Sagiv, M., Schapira, M., Valadarsky, A.: Vericon: towards verifying controller programs in software-defined networks. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (2014)

    Google Scholar 

  6. Chef misc Inc: Chef, https://www.chef.io

  7. Cito, J., Schermann, G., Wittern, J.E., Leitner, P., Zumberi, S., Gall, H.C.: An empirical analysis of the docker container ecosystem on github. In: 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR). IEEE (2017)

    Google Scholar 

  8. Continella, A., Polino, M., Pogliani, M., Zanero, S.: There’s a hole in that bucket! a large-scale analysis of misconfigured S3 buckets. In: Proceedings of the 34th Annual Computer Security Applications Conference. ACSAC ’18, Association for Computing Machinery, New York, NY, USA (2018)

    Google Scholar 

  9. Cook, B.: Formal reasoning about the security of amazon web services. In: Chockler, H., Weissenbacher, G. (eds.) Computer Aided Verification (CAV). Springer International Publishing (2018)

    Google Scholar 

  10. Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proc. of the 4th Symp. on Principles of Programming Languages. ACM (1977)

    Google Scholar 

  11. Hashicorp: Terraform, https://www.terraform.io

  12. Hashicorp: What is mutable vs. immutable infrastructure?, https://www.hashicorp.com/resources/what-is-mutable-vs-immutable-infrastructure/

  13. Huang, W., Ganjali, A., Kim, B.H., Oh, S., Lie, D.: The state of public infrastructure-as-a-service cloud security. ACM Comput. Surv. 47(4) (Jun 2015)

    Google Scholar 

  14. Hummer, W., Rosenberg, F., Oliveira, F., Eilam, T.: Testing idempotence for infrastructure as code. In: ACM/IFIP/USENIX International Conference on Distributed Systems Platforms and Open Distributed Processing. Springer (2013)

    Google Scholar 

  15. Ian Mckay: S3 Bucket Namesquatting - Abusing predictable S3 bucket names, https://onecloudplease.com/blog/s3-bucket-namesquatting

  16. Ponce-de León, H., Furbach, F., Heljanko, K., Meyer, R.: Portability analysis for weak memory models porthos: One tool for all models. In: Ranzato, F. (ed.) Static Analysis Symposium. pp. 299–320. Springer International Publishing, Cham (2017)

    Google Scholar 

  17. Lepiller, J., Piskac, R., Schäf, M., Santolucito, M.: Häyhä (2021), https://gitlab.com/rose-yale/hayha

  18. Liu, J., Hallahan, W., Schlesinger, C., Sharif, M., Lee, J., Soulé, R., Wang, H., Caşcaval, C., McKeown, N., Foster, N.: P4v: Practical verification for programmable data planes. In: Proceedings of the 2018 Conference of the ACM Special Interest Group on Data Communication. SIGCOMM ’18, Association for Computing Machinery, New York, NY, USA (2018)

    Google Scholar 

  19. Meshman, Y., Dan, A.M., Vechev, M.T., Yahav, E.: Synthesis of memory fences via refinement propagation. In: Müller-Olm, M., Seidl, H. (eds.) Static Analysis - 21st International Symposium, SAS 2014, Munich, Germany, September 11–13, 2014. Proceedings. Lecture Notes in Computer Science, vol. 8723, pp. 237–252. Springer (2014)

    Google Scholar 

  20. Michael DeHaan and Contributors: Ansible, https://www.ansible.com

  21. Parker, J., Vazou, N., Hicks, M.: Lweb: Information flow security for multi-tier web applications. Proc. ACM Program. Lang. 3(POPL) (Jan 2019)

    Google Scholar 

  22. Piskac, R.: New applications of software synthesis: Verification of configuration files and firewall repair. In: Podelski, A. (ed.) Static Analysis Symposium (SAS). Springer International Publishing (2018)

    Google Scholar 

  23. Puppet Inc: Puppet, https://www.puppet.com

  24. Raad, A., Doko, M., Rožić, L., Lahav, O., Vafeiadis, V.: On library correctness under weak memory consistency: Specifying and verifying concurrent libraries under declarative consistency models. Proc. ACM Program. Lang. 3(POPL) (Jan 2019). https://doi.org/10.1145/3290381, https://doi.org/10.1145/3290381

  25. Rahman, A., Parnin, C., Williams, L.: The seven sins: Security smells in infrastructure as code scripts. In: 2019 IEEE/ACM 41st International Conference on misc Engineering (ICSE) (2019)

    Google Scholar 

  26. Rahman, A.A.U., Williams, L.: misc security in devops: Synthesizing practitioners’ perceptions and practices. In: 2016 IEEE/ACM International Workshop on Continuous misc Evolution and Delivery (CSED) (2016)

    Google Scholar 

  27. Rahman, A., Parnin, C., Williams, L.: The seven sins: security smells in infrastructure as code scripts. In: 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE). pp. 164–175. IEEE (2019)

    Google Scholar 

  28. Santolucito, M., Zhai, E., Dhodapkar, R., Shim, A., Piskac, R.: Synthesizing configuration file specifications with association rule learning. Proceedings of the ACM on Programming Languages 1(OOPSLA) (2017)

    Google Scholar 

  29. Santolucito, M., Zhai, E., Piskac, R.: Probabilistic automated language learning for configuration files. In: International Conference on Computer Aided Verification. Springer (2016)

    Google Scholar 

  30. Shambaugh, R., Weiss, A., Guha, A.: Rehearsal: A configuration verification tool for puppet. In: ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI) (2016)

    Google Scholar 

Download references

Acknowledgement

This work was completed while working on the grant supported by the National Science Foundation under Grant No. CCF-1715387, and partially supported by the Office of Naval Research under Grant N00014-17-1-2787.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Ruzica Piskac .

Editor information

Editors and Affiliations

Rights and permissions

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Reprints and Permissions

Copyright information

© 2021 The Author(s)

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Lepiller, J., Piskac, R., Schäf, M., Santolucito, M. (2021). Analyzing Infrastructure as Code to Prevent Intra-update Sniping Vulnerabilities. In: Groote, J.F., Larsen, K.G. (eds) Tools and Algorithms for the Construction and Analysis of Systems. TACAS 2021. Lecture Notes in Computer Science(), vol 12652. Springer, Cham. https://doi.org/10.1007/978-3-030-72013-1_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-72013-1_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-72012-4

  • Online ISBN: 978-3-030-72013-1

  • eBook Packages: Computer ScienceComputer Science (R0)