Abstract

As serverless computing continues to revolutionize the design and deployment of web services, it has become an increasingly attractive target to attackers. These adversaries are developing novel tactics for circumventing the ephemeral nature of serverless functions, exploiting container reuse optimizations and achieving lateral movement by “living off the land” provided by legitimate serverless workflows. Unfortunately, the traditional security controls currently offered by cloud providers are inadequate to counter these new threats. In this work, we propose WILL.IAM, a workflow-aware access control model and reference monitor that satisfies the functional requirements of the serverless computing paradigm. WILL.IAM encodes the protection state of a serverless application as a permissions graph that describes the permissible transitions of its workflows, associating web requests with a permissions set at the point of ingress according to a graph-based labeling state. By proactively enforcing the permissions requirements of downstream workflow components, WILL.IAM is able to avoid the costs of partially processing unauthorized requests and reduce the attack surface of the application. We implement the WILL.IAM framework in Go and evaluate its performance as compared to recent related work against the well-established Nordstrom “Hello, Retail!” application. We demonstrate that WILL.IAM imposes minimal burden to requests, averaging 0.51% overhead across representative workflows, but dramatically improves performance when handling unauthorized requests (e.g., DDoS attacks) as compared to past solutions. WILL.IAM thus demonstrates an effective and practical alternative for authorization in the serverless paradigm.