Wed 11 Nov 2020 01:33 - 01:34 at Virtual room 2 - Cloud / Services 2

Data stored in cloud services is highly sensitive, so access to it is controlled via policies written in domain-specific languages (DSLs). The expressiveness of these DSLs gives users the flexibility to cover a wide variety of use cases; however, unintended misconfigurations can lead to potential security issues. We introduce Block Public Access, a tool that formally verifies policies to ensure that they only allow access to trusted principals, i.e. that they prohibit access to the general public. To this end, we formalize the notion of Trust Safety, which formally characterizes whether or not a policy allows unconstrained (public) access. Next, we present a method to compile the policy down to a logical formula whose unsatisfiability (1) can be checked by an SMT solver and (2) ensures Trust Safety. The constructs of the policy DSLs render unsatisfiability checking PSPACE-complete, which precludes verifying the millions of requests per second seen at cloud scale. Hence, we present an approach that leverages the structure of the policy DSL to compute a much smaller residual policy that corresponds only to untrusted accesses. Our approach allows Block Public Access to, in the common case, syntactically verify Trust Safety without having to query the SMT solver. We have implemented Block Public Access and present an evaluation showing how the above optimization yields a low-latency policy verifier that the S3 team at AWS has integrated into their authorization system, where it is currently in production, analyzing millions of policies every day to ensure that client buckets do not grant unintended public access.

Wed 11 Nov
Times are displayed in time zone: (UTC) Coordinated Universal Time

01:30 - 02:00: Cloud / Services 2 (Paper Presentations / Research Papers / Industry Papers) at Virtual room 2
01:30 - 01:32
Talk
A Principled Approach to GraphQL Query Cost Analysis (ACM SIGSOFT Distinguished Paper Award)
Research Papers
Alan Cha (IBM Research, USA); Erik Wittern (IBM, USA); Guillaume Baudart (IBM Research, USA); James C. Davis (Purdue University, USA); Louis Mandel (IBM Research, USA); Jim A. Laredo (IBM Research, USA)
01:33 - 01:34
Talk
Block Public Access: Trust Safety Verification of Access Control Policies
Research Papers
Malik Bouchet (Amazon, USA); Byron Cook (Amazon); Bryant Cutler (Amazon, USA); Anna Druzkina (Amazon, USA); Andrew Gacek (Amazon, USA); Liana Hadarean (Amazon); Ranjit Jhala (Amazon, USA); Brad Marshall (Amazon, USA); Dan Peebles (Amazon, USA); Neha Rungta (Amazon Web Services); Cole Schlesinger (Amazon, USA); Chriss Stephens (Amazon, USA); Carsten Varming (Amazon, USA); Andy Warfield (Amazon, USA)
01:35 - 01:36
Talk
Efficient Incident Identification from Multi-dimensional Issue Reports via Meta-heuristic Search
Research Papers
Jiazhen Gu (Fudan University, China); Chuan Luo (Microsoft Research, China); Si Qin (Microsoft Research, n.n.); Bo Qiao (Microsoft Research, China); Qingwei Lin (Microsoft Research, China); Hongyu Zhang (University of Newcastle, Australia); Ze Li (Microsoft, USA); Yingnong Dang (Microsoft, USA); Shaowei Cai (Institute of Software at Chinese Academy of Sciences, China); Wei-Cheng Wu (University of Southern California, USA); Yangfan Zhou (Fudan University, China); Murali Chintalapati (Microsoft, n.n.); Dongmei Zhang (Microsoft Research, China)
01:37 - 01:38
Talk
Graph-Based Trace Analysis for Microservice Architecture Understanding and Problem Diagnosis
Industry Papers
Xiaofeng Guo (Fudan University, China); Xin Peng (Fudan University, China); Hanzhang Wang (eBay); Wanxue Li (eBay, USA); Huai Jiang (eBay, USA); Dan Ding (Fudan University, China); Tao Xie (Peking University); Liangfei Su (eBay, USA)
01:39 - 01:40
Talk
Real-Time Incident Prediction for Online Service Systems
Research Papers
Nengwen Zhao (Tsinghua University); Junjie Chen (Tianjin University, China); Zhou Wang (BizSeer, China); Xiao Peng (Beijing University of Posts and Telecommunications, China); Gang Wang (China EverBright Bank); Yong Wu (China EverBright Bank); Fang Zhou (China EverBright Bank); Zhen Feng (EverBright Bank, China); Xiaohui Nie (EverBright Bank, China); Wenchi Zhang (Tsinghua University, China); Kaixin Sui (BizSeer); Dan Pei (BizSeer, China)
01:41 - 01:42
Talk
Scaling Static Taint Analysis to Industrial SOA Applications: A Case Study at Alibaba
Industry Papers
Jie Wang (Peking University, China / Ant Group, China / Alibaba Group, China); Yunguang Wu (Ant Group, China); Gang Zhou (Ant Group, China); Yiming Yu (Ant Group, China); Zhenyu Guo (Ant Group, China); Yingfei Xiong (Peking University)
01:43 - 02:00
Talk
Conversations on Cloud / Services 2
Paper Presentations
Alan Cha (IBM Research, USA); Andrew Gacek; Jiazhen Gu; Jie Wang (Institute of Software, Chinese Academy of Sciences); Nengwen Zhao (Tsinghua University); Xiaofeng Guo (Fudan University, China); M: Satish Chandra (Facebook, USA)