检查云服务REST接口安全属性

2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST) Pub Date : 2020-10-01 DOI:10.1109/ICST46399.2020.00046

Vaggelis Atlidakis, Patrice Godefroid, Marina Polishchuk

{"title":"检查云服务REST接口安全属性","authors":"Vaggelis Atlidakis, Patrice Godefroid, Marina Polishchuk","doi":"10.1109/ICST46399.2020.00046","DOIUrl":null,"url":null,"abstract":"Most modern cloud and web services are programmatically accessed through REST APIs. This paper discusses how an attacker might compromise a service by exploiting vulnerabilities in its REST API. We introduce four security rules that capture desirable properties of REST APIs and services. We then show how a stateful REST API fuzzer can be extended with active property checkers that automatically test and detect violations of these rules. We discuss how to implement such checkers in a modular and efficient way. Using these checkers, we found new bugs in several deployed production Azure and Office365 cloud services, and we discuss their security implications. All these bugs have been fixed.","PeriodicalId":235967,"journal":{"name":"2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST)","volume":"38 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"32","resultStr":"{\"title\":\"Checking Security Properties of Cloud Service REST APIs\",\"authors\":\"Vaggelis Atlidakis, Patrice Godefroid, Marina Polishchuk\",\"doi\":\"10.1109/ICST46399.2020.00046\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Most modern cloud and web services are programmatically accessed through REST APIs. This paper discusses how an attacker might compromise a service by exploiting vulnerabilities in its REST API. We introduce four security rules that capture desirable properties of REST APIs and services. We then show how a stateful REST API fuzzer can be extended with active property checkers that automatically test and detect violations of these rules. We discuss how to implement such checkers in a modular and efficient way. Using these checkers, we found new bugs in several deployed production Azure and Office365 cloud services, and we discuss their security implications. All these bugs have been fixed.\",\"PeriodicalId\":235967,\"journal\":{\"name\":\"2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST)\",\"volume\":\"38 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-10-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"32\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICST46399.2020.00046\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICST46399.2020.00046","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 32

摘要

大多数现代云和web服务都是通过REST api以编程方式访问的。本文讨论了攻击者如何通过利用REST API中的漏洞来危害服务。我们介绍了四条安全规则，这些规则捕获了REST api和服务所需的属性。然后，我们将展示如何使用自动测试和检测违反这些规则的活动属性检查器扩展有状态REST API模糊器。我们讨论了如何以模块化和高效的方式实现这样的检查器。使用这些检查器，我们在几个部署的生产Azure和Office365云服务中发现了新的错误，并讨论了它们的安全含义。所有这些bug都被修复了。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Checking Security Properties of Cloud Service REST APIs

Most modern cloud and web services are programmatically accessed through REST APIs. This paper discusses how an attacker might compromise a service by exploiting vulnerabilities in its REST API. We introduce four security rules that capture desirable properties of REST APIs and services. We then show how a stateful REST API fuzzer can be extended with active property checkers that automatically test and detect violations of these rules. We discuss how to implement such checkers in a modular and efficient way. Using these checkers, we found new bugs in several deployed production Azure and Office365 cloud services, and we discuss their security implications. All these bugs have been fixed.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST)

自引率

0.00%

发文量