Bambda: A Real-Time Verification Framework for Serverless Computing
Serverless environments are rapidly emerging as the new paradigm for cloud computing due to their automatic scalability, cost efficiency, and ease of operation. However, IAM-based privilege management and event-driven execution mechanisms can introduce security vulnerabilities. In particular, comple...
| Main Authors: | Changhee Shin, Bom Kim, Seungsoo Lee |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | IEEE 2025-01-01 |
| Series: | IEEE Access |
| Subjects: | Serverless, cloud computing, access control |
| Online Access: | https://ieeexplore.ieee.org/document/11009021/ |
| Field | Value |
|---|---|
| author | Changhee Shin, Bom Kim, Seungsoo Lee |
| collection | DOAJ |
| description | Serverless environments are rapidly emerging as the new paradigm for cloud computing due to their automatic scalability, cost efficiency, and ease of operation. However, IAM-based privilege management and event-driven execution mechanisms can introduce security vulnerabilities. In particular, complex inter-functional call relationships expose systems to attacks such as privilege abuse and event call condition exploitation. These attacks often occur dynamically at runtime, making them difficult to address with static defenses. Existing static analysis methods attempt to mitigate these risks, but are inherently limited in capturing dynamic attacks that occur at runtime. In this paper, we propose Bambda, a dynamic security framework for serverless environments that prevents privilege abuse and chained function call attacks. Bambda performs real-time function call verification through centralized logging and automated code injection based on application-specific log groups. Specifically, we introduce a multi-step verification process that distinguishes between direct calls, event-driven calls, and API calls, effectively preventing unauthorized attacks without requiring additional security configurations from developers. Experiments conducted in AWS Lambda environments demonstrate that Bambda effectively defends against privilege abuse and chained function call attacks, achieving practical deployment with minimal performance overhead of 8.12% under warm start conditions. |
| format | Article |
| id | doaj-art-940d64494bd34236a1f02057875511ad |
| institution | DOAJ |
| issn | 2169-3536 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| spelling | Changhee Shin (https://orcid.org/0009-0001-3229-2664), Bom Kim (https://orcid.org/0009-0006-5983-0844), Seungsoo Lee (https://orcid.org/0000-0002-6883-1869); Incheon National University, Incheon, Republic of Korea. Bambda: A Real-Time Verification Framework for Serverless Computing. IEEE Access, vol. 13, pp. 90896-90911, 2025-01-01. ISSN 2169-3536. DOI: 10.1109/ACCESS.2025.3572729. https://ieeexplore.ieee.org/document/11009021/ |
| title | Bambda: A Real-Time Verification Framework for Serverless Computing |
| topic | Serverless, cloud computing, access control |
| url | https://ieeexplore.ieee.org/document/11009021/ |