
Threat Modeling Serverless Architectures

Supervisor(s): Immanuel Kunz, Christian Banse
Status: finished
Topic: Others
Author: Nico Fechtner
Submission: 2020-02-17
Type of Thesis: Bachelorthesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

The highest level of computing abstraction currently offered by public cloud vendors is called serverless. Key characteristics these offerings promise are a full abstraction of the underlying infrastructure and platform, virtually instant and unlimited scalability both up and down and a granular pay-per-use billing model.

As a result of the high level of abstraction and the newly introduced programming paradigm, in which a single function is the smallest deployable unit, the attack surface of serverless architectures differs from that of traditional cloud architectures. There is therefore a need to systematically analyze the security posture of this new kind of architecture. In addition, this knowledge has to be incorporated into developer tooling to effectively influence the security of existing and future serverless applications.

To identify serverless weaknesses, a threat model based on a Microsoft Azure reference architecture is developed. A data flow analysis based on the STRIDE methodology is performed, and attack trees for the defined assets and attacker goals are built. The resulting application-specific threats are generalized to application-agnostic weaknesses and merged with common weaknesses described in the literature. To the best of the author's knowledge, such a threat model has not yet been used to identify serverless weaknesses, which is why it is the first key contribution of this thesis.

Based on the resulting weaknesses, a prototypical static source code analyzer is developed. It considers the source code of Azure Function Apps as well as the corresponding Infrastructure as Code files and identifies common serverless-specific security misconfigurations at build time. The tool's effectiveness is illustrated by an evaluation of the security configurations of open-source repositories. Since at the time of writing there appear to be no open-source tools with these capabilities available for the Microsoft Azure platform, the analyzer is the second fundamental contribution of this thesis.