Wikimedia
Grasp Framework for Analyzing Serverless Security Policies
Pages
12
Time to read
57 mins
Publication
Language
English
This technical report presents Grasp, a graph-based analysis framework designed to enhance the security of serverless applications by modeling access control policies as queryable reachability graphs. The report outlines the challenges associated with serverless computing, particularly in specifying security policies due to the ephemeral nature of serverless functions and existing misconfiguration issues with role-based access control solutions like Amazon IAM. Grasp aims to identify potential misconfigurations and attack vectors by generating reusable models that represent the interactions between application principals. The authors implemented Grasp for Amazon IAM using Prolog and evaluated it on a dataset of 731 open-source AWS Lambda applications. The findings indicate a trend of overly permissive policies, with a significant percentage of applications exhibiting full reachability among functions and resources. The report concludes by discussing the utility of Grasp in identifying security vulnerabilities and opportunities for policy hardening.
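As an added illustration of the idea the abstract describes (this is not the report's Prolog implementation, and the policies, ARNs and account id are constructed for the example), the snippet below treats each Lambda function's execution-role policy as a set of edges to resources, makes reachability transitive through lambda:InvokeFunction, and flags functions that can reach every resource. IAM evaluation is simplified: Allow/Deny with explicit Deny winning, case-sensitive wildcards, no Condition blocks.

```python
from fnmatch import fnmatchcase

# Constructed sample (not from the report's dataset): two Lambda functions, their
# execution-role policies and the resources they could touch; placeholder account id.
INGEST = "arn:aws:lambda:us-east-1:123456789012:function:ingest"
NOTIFY = "arn:aws:lambda:us-east-1:123456789012:function:notify"
ORDERS = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
BUCKET = "arn:aws:s3:::orders-bucket"
RESOURCES = {BUCKET, ORDERS, NOTIFY}
POLICIES = {
    # Overly permissive: an admin-style wildcard statement.
    INGEST: [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}],
    # Least privilege: read one table, with an explicit deny on deletes.
    NOTIFY: [{"Effect": "Allow", "Action": ["dynamodb:GetItem"], "Resource": [ORDERS]},
             {"Effect": "Deny", "Action": ["dynamodb:Delete*"], "Resource": ["*"]}],
}
PROBE_ACTIONS = ["s3:GetObject", "dynamodb:GetItem", "dynamodb:DeleteItem",
                 "lambda:InvokeFunction"]  # small catalogue used to probe for edges

def allows(statements, action, resource):
    """Simplified IAM evaluation: a matching explicit Deny overrides any Allow."""
    verdict = False  # wildcards matched case-sensitively; Condition blocks ignored
    for s in statements:
        if any(fnmatchcase(action, a) for a in s["Action"]) and \
           any(fnmatchcase(resource, r) for r in s["Resource"]):
            if s["Effect"] == "Deny":
                return False
            verdict = True
    return verdict

def reachability(policies, resources):
    """Reachable resources per function; transitive via lambda:InvokeFunction."""
    result = {}
    for start in policies:
        reached, seen, stack = {}, {start}, [start]
        while stack:
            fn = stack.pop()
            for res in resources:
                acts = {a for a in PROBE_ACTIONS if allows(policies[fn], a, res)}
                if acts:
                    reached.setdefault(res, set()).update(acts)
                    if "lambda:InvokeFunction" in acts and res in policies and res not in seen:
                        seen.add(res)  # invoking that function grants its reach too
                        stack.append(res)
        result[start] = reached
    return result

def fully_reachable(reach, resources):
    """Functions whose reach covers every resource: the over-permission red flag."""
    return sorted(p for p, r in reach.items() if set(r) >= resources)
```

Here only the wildcard-policy function is reported; the least-privilege function reaches one table and is blocked from deleting by its explicit Deny.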