Analyzing Infrastructure as Code to Prevent Intra-update Sniping Vulnerabilities

Open Access
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12652)


Infrastructure as Code is a new approach to computing infrastructure management that allows users to leverage tools such as version control, automatic deployments, and program analysis for infrastructure configurations. This approach allows for faster and more homogeneous configuration of a complete infrastructure. Infrastructure as Code languages, such as CloudFormation or TerraForm, use a declarative model so that users only need to describe the desired state of the infrastructure. However, in practice, these languages are not processed atomically. During an upgrade, the infrastructure goes through a series of intermediate states. We identify a security vulnerability that occurs during an upgrade even when the initial and final states of the infrastructure are secure, and we show that those vulnerability are possible in Amazon’s AWS and Google Cloud. We call such attacks intra-update sniping vulnerabilities. In order to mitigate this shortcoming, we present a technique that detects such vulnerabilities and pinpoints the root causes of insecure deployment migrations. We implement this technique in a tool, Häyhä, that uses dataflow graph analysis. We evaluate our tool on a set of open-source CloudFormation templates and find that it is scalable and could be used as part of a deployment workflow.



This work was completed while working on the grant supported by the National Science Foundation under Grant No. CCF-1715387, and partially supported by the Office of Naval Research under Grant N00014-17-1-2787.


  1. 1.
    Julian Wood: Building well-architected serverless applications: Controlling serverless API access. AWS Compute Blog,
  2. 2.
    Al-Shaer, E., Marrero, W., El-Atawy, A., ElBadawi, K.: Network configuration in a box: towards end-to-end verification of network reachability and security. In: 2009 17th IEEE International Conference on Network Protocols (2009)Google Scholar
  3. 3. Inc: CloudFormation,
  4. 4.
    Backes, J., Bolignano, P., Cook, B., Dodge, C., Gacek, A., Luckow, K., Rungta, N., Tkachuk, O., Varming, C.: Semantic-based automated reasoning for AWS access policies using smt. In: 2018 Formal Methods in Computer Aided Design (FMCAD). IEEE (2018)Google Scholar
  5. 5.
    Ball, T., Bjørner, N., Gember, A., Itzhaky, S., Karbyshev, A., Sagiv, M., Schapira, M., Valadarsky, A.: Vericon: towards verifying controller programs in software-defined networks. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (2014)Google Scholar
  6. 6.
    Chef misc Inc: Chef,
  7. 7.
    Cito, J., Schermann, G., Wittern, J.E., Leitner, P., Zumberi, S., Gall, H.C.: An empirical analysis of the docker container ecosystem on github. In: 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR). IEEE (2017)Google Scholar
  8. 8.
    Continella, A., Polino, M., Pogliani, M., Zanero, S.: There’s a hole in that bucket! a large-scale analysis of misconfigured S3 buckets. In: Proceedings of the 34th Annual Computer Security Applications Conference. ACSAC ’18, Association for Computing Machinery, New York, NY, USA (2018)Google Scholar
  9. 9.
    Cook, B.: Formal reasoning about the security of amazon web services. In: Chockler, H., Weissenbacher, G. (eds.) Computer Aided Verification (CAV). Springer International Publishing (2018)Google Scholar
  10. 10.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proc. of the 4th Symp. on Principles of Programming Languages. ACM (1977)Google Scholar
  11. 11.
    Hashicorp: Terraform,
  12. 12.
    Hashicorp: What is mutable vs. immutable infrastructure?,
  13. 13.
    Huang, W., Ganjali, A., Kim, B.H., Oh, S., Lie, D.: The state of public infrastructure-as-a-service cloud security. ACM Comput. Surv. 47(4) (Jun 2015)Google Scholar
  14. 14.
    Hummer, W., Rosenberg, F., Oliveira, F., Eilam, T.: Testing idempotence for infrastructure as code. In: ACM/IFIP/USENIX International Conference on Distributed Systems Platforms and Open Distributed Processing. Springer (2013)Google Scholar
  15. 15.
    Ian Mckay: S3 Bucket Namesquatting - Abusing predictable S3 bucket names,
  16. 16.
    Ponce-de León, H., Furbach, F., Heljanko, K., Meyer, R.: Portability analysis for weak memory models porthos: One tool for all models. In: Ranzato, F. (ed.) Static Analysis Symposium. pp. 299–320. Springer International Publishing, Cham (2017)Google Scholar
  17. 17.
    Lepiller, J., Piskac, R., Schäf, M., Santolucito, M.: Häyhä (2021),
  18. 18.
    Liu, J., Hallahan, W., Schlesinger, C., Sharif, M., Lee, J., Soulé, R., Wang, H., Caşcaval, C., McKeown, N., Foster, N.: P4v: Practical verification for programmable data planes. In: Proceedings of the 2018 Conference of the ACM Special Interest Group on Data Communication. SIGCOMM ’18, Association for Computing Machinery, New York, NY, USA (2018)Google Scholar
  19. 19.
    Meshman, Y., Dan, A.M., Vechev, M.T., Yahav, E.: Synthesis of memory fences via refinement propagation. In: Müller-Olm, M., Seidl, H. (eds.) Static Analysis - 21st International Symposium, SAS 2014, Munich, Germany, September 11–13, 2014. Proceedings. Lecture Notes in Computer Science, vol. 8723, pp. 237–252. Springer (2014)Google Scholar
  20. 20.
    Michael DeHaan and Contributors: Ansible,
  21. 21.
    Parker, J., Vazou, N., Hicks, M.: Lweb: Information flow security for multi-tier web applications. Proc. ACM Program. Lang. 3(POPL) (Jan 2019)Google Scholar
  22. 22.
    Piskac, R.: New applications of software synthesis: Verification of configuration files and firewall repair. In: Podelski, A. (ed.) Static Analysis Symposium (SAS). Springer International Publishing (2018)Google Scholar
  23. 23.
    Puppet Inc: Puppet,
  24. 24.
    Raad, A., Doko, M., Rožić, L., Lahav, O., Vafeiadis, V.: On library correctness under weak memory consistency: Specifying and verifying concurrent libraries under declarative consistency models. Proc. ACM Program. Lang. 3(POPL) (Jan 2019).,
  25. 25.
    Rahman, A., Parnin, C., Williams, L.: The seven sins: Security smells in infrastructure as code scripts. In: 2019 IEEE/ACM 41st International Conference on misc Engineering (ICSE) (2019)Google Scholar
  26. 26.
    Rahman, A.A.U., Williams, L.: misc security in devops: Synthesizing practitioners’ perceptions and practices. In: 2016 IEEE/ACM International Workshop on Continuous misc Evolution and Delivery (CSED) (2016)Google Scholar
  27. 27.
    Rahman, A., Parnin, C., Williams, L.: The seven sins: security smells in infrastructure as code scripts. In: 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE). pp. 164–175. IEEE (2019)Google Scholar
  28. 28.
    Santolucito, M., Zhai, E., Dhodapkar, R., Shim, A., Piskac, R.: Synthesizing configuration file specifications with association rule learning. Proceedings of the ACM on Programming Languages 1(OOPSLA) (2017)Google Scholar
  29. 29.
    Santolucito, M., Zhai, E., Piskac, R.: Probabilistic automated language learning for configuration files. In: International Conference on Computer Aided Verification. Springer (2016)Google Scholar
  30. 30.
    Shambaugh, R., Weiss, A., Guha, A.: Rehearsal: A configuration verification tool for puppet. In: ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI) (2016)Google Scholar

Copyright information

© The Author(s) 2021

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Authors and Affiliations

  1. 1.Yale UniversityNew HavenUSA
  2. 2.Amazon Web ServicesNYCUSA
  3. 3.Barnard CollegeColumbia UniversityNYCUSA

Personalised recommendations