Detecting privilege escalations in code including cross-service calls
Abstract
Systems and methods are described for conducting static analysis of code that invokes network-based services, to identify, without requiring execution of the code, security issues that may be introduced by those invocations. A system is provided that analyzes code to detect both direct invocations of services and indirect invocations caused by the direct ones. The system compares permissions information for the code against both the directly and the indirectly invoked services to identify instances in which the code reaches services not permitted by the permissions information. In some instances, the system traverses a “call graph” of all services invoked by the code, directly or indirectly, to identify permissions errors through multiple levels of indirection.
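The abstract describes three pieces: extracting the direct service invocations from submitted code, expanding each through the service's known downstream calls (its "expected output"), and checking every reachable service against the code's permissions. The following is an added illustration of that check, not code from the patent or its assignee. It assumes a hypothetical helper `invoke_service("<name>", ...)` marks a direct invocation in the submitted source, a constructed map `SERVICE_CALLS` standing in for the expected-output information about which services each service calls in turn, and a constructed permission set `PERMITTED`. The traversal records each reachable service once, so a cycle in the service graph terminates, and it returns the invocation path so an analyst can see which direct call led to the disallowed indirect one.

```python
"""Added example: static cross-service permission check (not the patent's code)."""
import ast
from collections import deque

# Constructed sample: the submitted function source. Calls to the hypothetical
# helper invoke_service("<name>", ...) are treated as direct service invocations.
SUBMITTED_CODE = '''
def handler(event):
    rows = invoke_service("OrderLookup", event["order_id"])
    invoke_service("AuditLog", rows)
    return rows
'''

# Constructed "expected output" model: which other services each service is
# known to invoke when it runs (the indirect edges of the call graph).
SERVICE_CALLS = {
    "OrderLookup": ["CustomerDB"],
    "CustomerDB": ["PaymentVault"],
    "AuditLog": [],
    "PaymentVault": ["CustomerDB"],   # cycle, to show the traversal still terminates
}

# Constructed security information: services this function is allowed to reach.
PERMITTED = {"OrderLookup", "AuditLog", "CustomerDB"}


def direct_invocations(source, helper="invoke_service"):
    """Return service names passed as the first string literal to helper(), in
    source order. Only the AST is inspected; the code is never executed."""
    names = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id == helper
                and node.args
                and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, str)):
            names.append(node.args[0].value)
    return names


def find_violations(source, service_calls, permitted):
    """Breadth-first walk over direct and indirect invocations. Returns a list of
    (service, path) for every reachable service not in `permitted`, where path is
    the chain of services from the direct call to the offending one. Each service
    is expanded at most once, so cycles in the service graph do not loop."""
    violations = []
    seen = set()
    queue = deque((svc, [svc]) for svc in direct_invocations(source))
    while queue:
        svc, path = queue.popleft()
        if svc in seen:
            continue
        seen.add(svc)
        if svc not in permitted:
            violations.append((svc, path))
        for nxt in service_calls.get(svc, []):
            queue.append((nxt, path + [nxt]))
    return violations


if __name__ == "__main__":
    for svc, path in find_violations(SUBMITTED_CODE, SERVICE_CALLS, PERMITTED):
        print(f"not permitted: {svc} via {' -> '.join(path)}")
```

Run stand-alone, the block reports that `PaymentVault` is reached through `OrderLookup -> CustomerDB -> PaymentVault` even though the submitted code never names it, which is exactly the two-level indirection the abstract is concerned with. In a real deployment the `SERVICE_CALLS` map would come from the service catalogue or from prior analysis of each service, and `PERMITTED` from the function's attached policy.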
21 Claims
1. A system to analyze code executable on an on-demand code execution system to detect potential privilege escalation vulnerabilities, the system comprising:
- a physical data store storing executable code submitted to the on-demand code execution system by a user device, the executable code including a code portion invoking a first network-accessible service;
- a computing device in communication with the physical data store and configured, independent of execution of the executable code, to:
  - obtain security information for the executable code, the security information including criteria for identifying invocations of one or more network-accessible services that are permissible during execution of the executable code;
  - identify the code portion within the executable code invoking the first network-accessible service;
  - determine an expected output of the first network-accessible service, the expected output including an expected invocation of one or more second network-accessible services not referenced within the executable code;
  - compare the expected output to the security information for the executable code to determine that the expected invocation of the one or more second network-accessible services is not permissible under the security information; and
  - transmit an indication that the expected invocation of the one or more second network-accessible services is not permissible under the security information.
(Dependent claims 2, 3 and 4 omitted.)

5. A computer-implemented method comprising:
- obtaining executable code from a user device; and, independent of execution of the executable code:
  - obtaining security information for the executable code, the security information including criteria for identifying invocations of one or more network-accessible services that are permissible during execution of the executable code;
  - identifying a code portion within the executable code invoking a first network-accessible service;
  - determining that an expected output of the first network-accessible service corresponds to an expected invocation of one or more second network-accessible services;
  - determining that the expected invocation of the one or more second network-accessible services is not permissible under the security information; and
  - transmitting an indication that the expected invocation of the one or more second network-accessible services is not permissible under the security information.
(Dependent claims 6 through 11 omitted.)

12. Non-transitory computer-readable media comprising executable instructions that, when executed on a computing system, cause the computing system to:
- obtain executable code from a user device; and, independent of execution of the executable code:
  - obtain security information for the executable code, the security information including criteria for identifying invocations of one or more network-accessible services that are permissible during execution of the executable code;
  - identify a code portion within the executable code invoking a first network-accessible service;
  - determine that an expected output of the first network-accessible service corresponds to an expected invocation of one or more second network-accessible services;
  - determine that the expected invocation of the one or more second network-accessible services is not permissible under the security information; and
  - transmit an indication that the expected invocation of the one or more second network-accessible services is not permissible under the security information.
(Dependent claims 13 through 21 omitted.)