Checking Security Properties of Cloud Service REST APIs

Title: Checking Security Properties of Cloud Service REST APIs
Publication Type: Conference Paper
Year of Publication: 2020
Authors: Atlidakis, V., Godefroid, P., Polishchuk, M.
Conference Name: 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST)
Date Published: Oct. 2020
Publisher: IEEE
ISBN Number: 978-1-7281-5778-8
Keywords: active property checkers, API, APIs, application program interfaces, application programming interface, capture desirable properties, checking security properties, Cloud and Web services, cloud computing, cloud service REST, compositionality, Computer bugs, formal verification, fuzzing, modern cloud, Office365 cloud services, Production, pubcrawl, rendering (computer graphics), resilience, Resiliency, REST APIs, security, security of data, security rules, stateful REST API fuzzer, test generation, web services
Abstract:

Most modern cloud and web services are programmatically accessed through REST APIs. This paper discusses how an attacker might compromise a service by exploiting vulnerabilities in its REST API. We introduce four security rules that capture desirable properties of REST APIs and services. We then show how a stateful REST API fuzzer can be extended with active property checkers that automatically test and detect violations of these rules. We discuss how to implement such checkers in a modular and efficient way. Using these checkers, we found new bugs in several deployed production Azure and Office365 cloud services, and we discuss their security implications. All these bugs have been fixed.

URL: https://ieeexplore.ieee.org/document/9159084
DOI: 10.1109/ICST46399.2020.00046
Citation Key: atlidakis_checking_2020