Wed 11 Nov 2020 01:33 - 01:34 at Virtual room 2 - Cloud / Services 2

Data stored in cloud services is highly sensitive and so access to it is controlled via policies written in domain-specific languages (DSLs). The expressiveness of these DSLs provides users flexibility to cover a wide variety of use cases; however, unintended misconfigurations can lead to potential security issues. We introduce Block Public Access, a tool that formally verifies policies to ensure that they only allow access to trusted principals, i.e. that they prohibit access to the general public. To this end, we formalize the notion of Trust Safety that formally characterizes whether or not a policy allows unconstrained (public) access. Next, we present a method to compile the policy down to a logical formula whose unsatisfiability can be (1) checked by SMT and (2) ensures Trust Safety. The constructs of the policy DSLs render unsatisfiability checking PSPACE-complete, which precludes verifying the millions of requests per second seen at cloud scale. Hence, we present an approach that leverages the structure of the policy DSL to compute a much smaller residual policy that corresponds only to untrusted accesses. Our approach allows Block Public Access to, in the common case, syntactically verify Trust Safety without having to query the SMT solver. We have implemented Block Public Access and present an evaluation showing how the above optimization yields a low-latency policy verifier that the S3 team at AWS has integrated into their authorization system, where it is currently in production, analyzing millions of policies every day to ensure that client buckets do not grant unintended public access.
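
The residual-policy idea from the abstract, sketched as an added example on a toy model; this is not the paper's DSL, formalization or implementation. The IAM-style statement layout, the list of trust-pinning condition keys, the definition of "trusted" and all function names are assumptions made for illustration.

```python
# Toy model, not the paper's DSL or algorithm. Assumption: a statement is
# "trusted" if it names concrete principals, or an equality-style condition
# pins one of TRUST_KEYS to concrete (wildcard-free) values.
TRUST_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceaccount", "aws:principalorgid"}
PINNING_OPS = {"StringEquals", "StringLike"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _concrete(values):
    vals = _as_list(values)
    return bool(vals) and all(
        isinstance(v, str) and v and not set("*?") & set(v) for v in vals)

def names_trusted_principal(stmt):
    p = stmt.get("Principal")  # a missing Principal (e.g. NotPrincipal) counts as untrusted
    return isinstance(p, dict) and bool(p) and all(_concrete(v) for v in p.values())

def has_trust_condition(stmt):
    return any(
        op in PINNING_OPS and key.lower() in TRUST_KEYS and _concrete(values)
        for op, clauses in stmt.get("Condition", {}).items()
        for key, values in clauses.items())

def residual_policy(policy):
    """Allow statements that may still admit an untrusted (public) caller."""
    return [s for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow"
            and not names_trusted_principal(s) and not has_trust_condition(s)]

def check_trust_safety(policy):
    residual = residual_policy(policy)
    # Empty residual: safe by syntax alone. Otherwise hand the residual to a
    # full check: Deny statements, ignored here, might still block public access.
    return ("needs-solver" if residual else "trust-safe"), residual

# Constructed sample policies (account ID and VPC ID are made up).
VPC_ONLY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123example"}}},
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}
WILDCARD = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Condition": {"StringLike": {"aws:SourceVpc": "vpc-*"}}}]}

if __name__ == "__main__":
    for name, pol in (("VPC_ONLY", VPC_ONLY), ("WILDCARD", WILDCARD)):
        print(name, check_trust_safety(pol)[0])
```

The check is deliberately one-sided: an empty residual means no Allow statement can reach an untrusted caller, while a non-empty residual only means the syntactic pass could not decide and a full satisfiability check is still required.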

Wed 11 Nov

Displayed time zone: (UTC) Coordinated Universal Time

01:30 - 02:00
01:30
2m
Talk
A Principled Approach to GraphQL Query Cost Analysis (ACM SIGSOFT Distinguished Paper Award)
Research Papers
Alan Cha IBM Research, USA, Erik Wittern IBM, USA, Guillaume Baudart IBM Research, USA, James C. Davis Purdue University, USA, Louis Mandel IBM Research, USA, Jim A. Laredo IBM Research, USA
01:33
1m
Talk
Block Public Access: Trust Safety Verification of Access Control Policies
Research Papers
Malik Bouchet Amazon, USA, Byron Cook Amazon, Bryant Cutler Amazon, USA, Anna Druzkina Amazon, USA, Andrew Gacek Amazon, USA, Liana Hadarean Amazon, Ranjit Jhala Amazon, USA, Brad Marshall Amazon, USA, Dan Peebles Amazon, USA, Neha Rungta Amazon Web Services, Cole Schlesinger Amazon, USA, Chriss Stephens Amazon, USA, Carsten Varming Amazon, USA, Andy Warfield Amazon, USA
01:35
1m
Talk
Efficient Incident Identification from Multi-dimensional Issue Reports via Meta-heuristic Search
Research Papers
Jiazhen Gu Fudan University, China, Chuan Luo Microsoft Research, China, Si Qin Microsoft Research, n.n., Bo Qiao Microsoft Research, China, Qingwei Lin Microsoft Research, China, Hongyu Zhang University of Newcastle, Australia, Ze Li Microsoft, USA, Yingnong Dang Microsoft, USA, Shaowei Cai Institute of Software at Chinese Academy of Sciences, China, Wei-Cheng Wu University of Southern California, USA, Yangfan Zhou Fudan University, China, Murali Chintalapati Microsoft, n.n., Dongmei Zhang Microsoft Research, China
01:37
1m
Talk
Graph-Based Trace Analysis for Microservice Architecture Understanding and Problem Diagnosis
Industry Papers
Xiaofeng Guo Fudan University, China, Xin Peng Fudan University, China, Hanzhang Wang eBay, Wanxue Li eBay, USA, Huai Jiang eBay, USA, Dan Ding Fudan University, China, Tao Xie Peking University, Liangfei Su eBay, USA
01:39
1m
Talk
Real-Time Incident Prediction for Online Service Systems
Research Papers
Nengwen Zhao Tsinghua University, Junjie Chen Tianjin University, China, Zhou Wang BizSeer, China, Xiao Peng Beijing University of Posts and Telecommunications, China, Gang Wang China EverBright Bank, Yong Wu China EverBright Bank, Fang Zhou China EverBright Bank, Zhen Feng EverBright Bank, China, Xiaohui Nie EverBright Bank, China, Wenchi Zhang Tsinghua University, China, Kaixin Sui BizSeer, Dan Pei BizSeer, China
01:41
1m
Talk
Scaling Static Taint Analysis to Industrial SOA Applications: A Case Study at Alibaba
Industry Papers
Jie Wang Peking University, China / Ant Group, China / Alibaba Group, China, Yunguang Wu Ant Group, China, Gang Zhou Ant Group, China, Yiming Yu Ant Group, China, Zhenyu Guo Ant Group, China, Yingfei Xiong Peking University
01:43
17m
Talk
Conversations on Cloud / Services 2
Paper Presentations
Alan Cha IBM Research, USA, Andrew Gacek, Jiazhen Gu, Jie Wang Institute of Software, Chinese Academy of Sciences, Nengwen Zhao Tsinghua University, Xiaofeng Guo Fudan University, China, M: Satish Chandra Facebook, USA