Checking Security Properties of Cloud Service REST APIs (ICST 2020 - Industry Track)

Write a Blog >>

Sat 24 - Wed 28 October 2020 Porto, Portugal

Who

Vaggelis Atlidakis, Patrice Godefroid, Marina Polishchuk

Track

ICST 2020 Industry Track

Time Zone

The program is currently displayed in (GMT+01:00) Lisbon.

Use conference time zone: (GMT+01:00) LisbonSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Tue 27 Oct 2020 10:30 - 11:00 at Farfetch (D. Maria) - IT3 - Safety & Security Chair(s): Rui Abreu
Tue 27 Oct 2020 21:30 - 22:00 at Farfetch (D. Maria) - IT3 - Safety & Security Chair(s): Rui Abreu

Abstract

Most modern cloud and web services are programmatically accessed through REST APIs. This paper discusses how an attacker might compromise a service by exploiting vulnerabilities in its REST API. We introduce four security rules that capture desirable properties of REST APIs and services. We then show how a stateful REST API fuzzer can be extended with active property checkers that automatically test and detect violations of these rules. We discuss how to implement such checkers in a modular and efficient way. Using these checkers, we found new bugs in several deployed production Azure and Office365 cloud services, and we discuss their security implications. All these bugs have been fixed.

Link to Publication

https://doi.org/10.1109/ICST46399.2020.00046

DOI

https://doi.org/10.1109/ICST46399.2020.00046

Vaggelis Atlidakis

Columbia University

Greece

Patrice Godefroid

Microsoft Research, USA

United States

Marina Polishchuk