CloudLens: Modeling and Detecting Cloud Security Vulnerabilities
Mikhail Kazdagli, Mohit Tiwari, Akshat Kumar
TL;DR
This work presents CloudLens, a formal, tuple-based model of cloud IAM that links identities, resources, and permissions, and CloudExploit, a PDDL-based planner that automatically generates multi-step attack sequences from IAM configurations. By modeling permission flow with 3- and 4-tuples and enabling regex-like abstractions, the authors construct attack graphs and optimize attack plans, and they establish NP-hardness of the IAM attack-path problem. The approach is validated on 14 real AWS configurations and benchmarked against PMapper, showing broader attack coverage (6 types) and the ability to reveal ransomware and data-exfiltration vulnerabilities that prior tools miss, including on large-scale real-world datasets with hundreds to thousands of principals. The results demonstrate significant practical impact for cloud security hardening and incident prevention, providing IT admins with a rigorous, proactive co-pilot for policy repair and risk assessment.
Abstract
Cloud computing services provide scalable and cost-effective solutions for data storage, processing, and collaboration. With their growing popularity, concerns about security vulnerabilities are increasing. To address this, first, we provide a formal model, called CloudLens, that expresses relations between different cloud objects such as users, datastores, and security roles, representing access control policies in cloud systems. Second, as access control misconfigurations are often the primary driver for cloud attacks, we develop a planning model for detecting security vulnerabilities. Such vulnerabilities can lead to widespread attacks such as ransomware and sensitive data exfiltration, among others. A planner generates attacks to identify such vulnerabilities in the cloud. Finally, we test our approach on 14 real Amazon AWS cloud configurations of different commercial organizations. Our system can identify a broad range of security vulnerabilities, which state-of-the-art industry tools cannot detect.
