Detecting privilege escalations in code including cross-service calls

US 10,831,898 B1
Filed: 02/05/2018
Issued: 11/10/2020
Est. Priority Date: 02/05/2018
Status: Active Grant

First Claim

Patent Images

1. A system to analyze code executable on an on-demand code execution system to detect potential privilege escalation vulnerabilities, the system comprising:

a physical data store storing executable code submitted to the on-demand code execution system by a user device, the executable code including a code portion invoking a first network-accessible service;

a computing device in communication with the physical data store and configured, independent of execution of the executable code, to;

obtain security information for the executable code, the security information including criteria for identifying invocations of one or more network-accessible services that are permissible during execution of the executable code;

identify the code portion within the executable code invoking the first network-accessible service;

determine an expected output of the first network-accessible service, the expected output including an expected invocation of one or more second network-accessible services not referenced within the executable code;

compare the expected output to the security information for the executable code to determine that the expected invocation of the one or more second network-accessible services e is not permissible under the security information; and

transmit an indication that the expected invocation of the one or more second network-accessible services is not permissible under the security information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described for conducting static analysis of code invoking network-based services to identify, without requiring execution of the code, security issues that may be introduced due to the invocations of the network-based services. A system is provided that may analyze code to detect both direct invocations of services, as well as indirect invocations caused by the direct invocations. The system can compare permissions information for the code to both directly or indirectly invoked services to identify instances in which the code calls services not permitted by the permissions information. In some instances, the system can traverse a “call graph” of all services invoked by code either directly or indirectly to identify permissions errors through multiple levels of indirection.

568 Citations

21 Claims

1. A system to analyze code executable on an on-demand code execution system to detect potential privilege escalation vulnerabilities, the system comprising:
- a physical data store storing executable code submitted to the on-demand code execution system by a user device, the executable code including a code portion invoking a first network-accessible service;
  
  a computing device in communication with the physical data store and configured, independent of execution of the executable code, to;
  
  obtain security information for the executable code, the security information including criteria for identifying invocations of one or more network-accessible services that are permissible during execution of the executable code;
  
  identify the code portion within the executable code invoking the first network-accessible service;
  
  determine an expected output of the first network-accessible service, the expected output including an expected invocation of one or more second network-accessible services not referenced within the executable code;
  
  compare the expected output to the security information for the executable code to determine that the expected invocation of the one or more second network-accessible services e is not permissible under the security information; and
  
  transmit an indication that the expected invocation of the one or more second network-accessible services is not permissible under the security information.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the invocation within the executable code of the first network-accessible service is an application programming interface (API) call.
  - 3. The system of claim 1, wherein determining that the invocation of the one or more second network-accessible services is not permissible under the security information comprises determining that the executable code is not permitted to invoke the one or more second network-accessible services.
  - 4. The system of claim 1, wherein the expected output includes an expected parameter to be passed to the one or more second network-accessible services, and wherein determining that the invocation of the one or more second network-accessible services is not permissible under the security information comprises determining that the executable code is not permitted to invoke the one or more second network-accessible services with the expected parameter.

5. A computer-implemented method comprising:
- obtaining executable code from a user device; and
  
  independent of execution of the executable code;
  
  obtaining security information for the executable code, the security information including criteria for identifying invocations of one or more network-accessible services that are permissible during execution of the executable code;
  
  identifying a code portion within the executable code invoking a first network-accessible service;
  
  determining that an expected output of the first network-accessible service corresponds to an expected invocation of one or more second network-accessible services;
  
  determining that the expected invocation of the one or more second network-accessible services is not permissible under the security information; and
  
  transmitting an indication that the expected invocation of the one or more second network-accessible services is not permissible under the security information.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The computer-implemented method of claim 5, wherein the one or more second network-accessible services are not referenced within the executable code.
  - 7. The computer-implemented method of claim 5, wherein identifying the code portion within the executable code comprises referencing information mapping the code portion to the first network-accessible service.
  - 8. The computer-implemented method of claim 5, wherein determining that the expected output of the first network-accessible service corresponds to the invocation of the one or more second network-accessible services comprises determining that the expected output of the first network-accessible service is the invocation of the one or more second network-accessible services.
  - 9. The computer-implemented method of claim 5, wherein at least one of the one or more second network-accessible services is implemented as an execution of second executable code on an on-demand code execution system, and wherein determining that the expected output of the first network-accessible service corresponds to the invocation of the one or more second network-accessible services comprises determining that the expected output of the first network-accessible service satisfies criteria maintained at the on-demand code execution system for execution of the second executable code.
  - 10. The computer-implemented method of claim 5 further comprising:
    - determining that an expected output of the one or more second network-accessible services corresponds to an invocation of a third network-accessible service;
      
      determining that the invocation of the third network-accessible service is not permissible under the security information; and
      
      transmitting an indication that the invocation of the third network-accessible service is not permissible under the security information.
  - 11. The computer-implemented method of claim 5, wherein the indication that the invocation of the second network-accessible service is not permissible under the security information comprises at least one of an identification of the invocation of the first network-accessible service within the executable code and an identification of the expected output of the first network-accessible service.

12. Non-transitory computer-readable media comprising executable instructions that, when executed on a computing system, cause the computing system to:
- obtain executable code from a user device; and
  
  independent of execution of the executable code;
  
  obtain security information for the executable code, the security information including criteria for identifying invocations of one or more network-accessible services that are permissible during execution of the executable code;
  
  identify a code portion within the executable code invoking a first network-accessible service;
  
  determine that an expected output of the first network-accessible service corresponds to an expected invocation of one or more second network-accessible services;
  
  determine that the expected invocation of the one or more second network-accessible services is not permissible under the security information; and
  
  transmit an indication that the expected invocation of the one or more second network-accessible services is not permissible under the security information.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The non-transitory computer-readable media of claim 12, wherein the executable instructions further cause the computing system to determine that at least one of the first network-accessible service and the one or more second network-accessible services includes execution of a function pre-designated as potentially insecure, and to transmit to the user device an indication of use of the potentially insecure function.
  - 14. The non-transitory computer-readable media of claim 12, wherein the executable instructions further cause the computing system to:
    - obtain permissions information for the first network-accessible service indicating whether the executable code is permitted to invoke the first network-accessible service;
      
      determine from the permissions information that the executable code is not permitted to invoke the first network-accessible service; and
      
      transmit an indication that the executable code is not permitted to invoke the first network-accessible service.
  - 15. The non-transitory computer-readable media of claim 12, wherein the executable instructions further cause the computing system to:
    - obtain permissions information for the one or more second network-accessible services indicating whether the first network-accessible service is permitted to invoke the one or more second network-accessible services;
      
      determine from the permissions information that the first network-accessible service is not permitted to invoke the one or more second network-accessible services; and
      
      transmit an indication that the first network-accessible service is not permitted to invoke the one or more second network-accessible services.
  - 16. The non-transitory computer-readable media of claim 12, wherein the expected output includes an expected parameter to be passed to the one or more second network-accessible services, and wherein determining that the expected invocation of the one or more second network-accessible services is not permissible under the security information comprises determining that the executable code is not permitted to invoke the one or more second network-accessible services with the expected parameter.
  - 17. The non-transitory computer-readable media of claim 16, wherein the executable instructions further cause the computing system to:
    - obtain service information for the first network-accessible service, the service information including a transformation of an input parameter to an output of the first network-accessible service; and
      
      determine the expected parameter to be passed to the second network-accessible service based at least partly on applying the transformation to a parameter to be passed to the first network-accessible service by the executable code.
  - 18. The non-transitory computer-readable media of claim 17, wherein the executable instructions further cause the computing system to:
    - determine the transformation based on a record of one or more prior input parameters to the first network-accessible service and one or more prior outputs of the first network-accessible service corresponding to the one or more prior input parameters.
  - 19. The non-transitory computer-readable media of claim 17, wherein the service information is obtained at the computing system in response to transmission of a query to an application programming interface of the first network-accessible service.
  - 20. The non-transitory computer-readable media of claim 14, wherein the indication includes a suggestion to make a modification to the security information for the executable code to permit the expected invocation of the one or more second network-accessible services.
  - 21. The non-transitory computer-readable media of claim 20, wherein the suggestion is selectable to cause the modification to the security information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Wagner, Timothy Allen
Primary Examiner(s)
Mehedi, Morshed

Application Number

US15/888,894
Time in Patent Office

1,009 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 9/547   Remote procedure calls [RPC...

Detecting privilege escalations in code including cross-service calls

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

568 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting privilege escalations in code including cross-service calls

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

568 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links