Compile-time detection of machine image sniping

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Machine image sniping is a difficult-to-detect security vulnerability in cloud computing code. When programmatically initializing a machine, a developer specifies a machine image (operating system and file system). The developer should restrict the search to only those machine images which their organization controls: otherwise, an attacker can insert a similarly-named malicious image into the public database, where it might be selected instead of the image the developer intended. We present a lightweight type and effect system that detects requests to a cloud provider that are vulnerable to an image sniping attack, or proves that no vulnerable request exists in a codebase. We prototyped our type system for Java programs that initialize Amazon Web Services machines, and evaluated it on more than 500 codebases, detecting 14 vulnerable requests with only 3 false positives.

Original languageEnglish (US)
Title of host publicationProceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering, ASE 2019
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages1256-1258
Number of pages3
ISBN (Electronic)9781728125084
DOIs
StatePublished - Nov 2019
Externally publishedYes
Event34th IEEE/ACM International Conference on Automated Software Engineering, ASE 2019 - San Diego, United States
Duration: Nov 10 2019Nov 15 2019

Publication series

NameProceedings - 2019 34th IEEE/ACM International Conference on Automated Software Engineering, ASE 2019

Conference

Conference34th IEEE/ACM International Conference on Automated Software Engineering, ASE 2019
Country/TerritoryUnited States
CitySan Diego
Period11/10/1911/15/19

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Software
  • Control and Optimization

Keywords

  • AMI sniping
  • AWS
  • DescribeImagesRequest
  • EC2
  • Java
  • Lightweight verification
  • Pluggable types

Fingerprint

Dive into the research topics of 'Compile-time detection of machine image sniping'. Together they form a unique fingerprint.

Cite this