Danielle Lavi,Oleg Brodt,Dudu Mimran,Yuval Elovici,Asaf Shabtai

2024-08-06

Abstract:Serverless computing is an emerging cloud paradigm with serverless functions at its core. While serverless environments enable software developers to focus on developing applications without the need to actively manage the underlying runtime infrastructure, they open the door to a wide variety of security threats that can be challenging to mitigate with existing methods. Existing security solutions do not apply to all serverless architectures, since they require significant modifications to the serverless infrastructure or rely on third-party services for the collection of more detailed data. In this paper, we present an extendable serverless security threat detection model that leverages cloud providers' native monitoring tools to detect anomalous behavior in serverless applications. Our model aims to detect compromised serverless functions by identifying post-exploitation abnormal behavior related to different types of attacks on serverless functions, and therefore, it is a last line of defense. Our approach is not tied to any specific serverless application, is agnostic to the type of threats, and is adaptable through model adjustments. To evaluate our model's performance, we developed a serverless cybersecurity testbed in an AWS cloud environment, which includes two different serverless applications and simulates a variety of attack scenarios that cover the main security threats faced by serverless functions. Our evaluation demonstrates our model's ability to detect all implemented attacks while maintaining a negligible false alarm rate.

Cryptography and Security,Machine Learning

Wu Qiang,Wu Chunming,Yan Xincheng,Cheng Qiumei

DOI: https://doi.org/10.1109/tnsm.2021.3071774

2021-01-01

IEEE Transactions on Network and Service Management

Abstract:With the emergence of cloud native technology, the network slicing enables automatic service orchestration, flexible network scheduling and scalable network resource allocation, which profoundly affects the traditional security solution. Security is regarded as a technology independent of the cloud native architecture in the initial design, traditional passive defense such as “reinforced” and “stacked” is relied on to achieve system security protection. The lack of intrinsic security mechanisms makes the system capability insufficient when faces the uncertain threat brought by vulnerabilities and backdoors under the ecosystem of opening-up and sharing. The static nature of existing networks and computing systems makes them easy to be compromised and hard to defend, and thus it is urgent to provide intrinsic security and proactive protection against the unpredictable attacks. To this end, this paper proposes a novel paradigm named intrinsic cloud security (iCS) from the perspective of dynamic defense. The dynamic defense provides component-level security, and has complementary and consistency with the cloud native environment. In particular, iCS introduces mimic defense and moving target defense (MTD), and makes full use of the new features introduced by cloud native to implement an intrinsic and proactive defense mechanism with acceptable costs and efficiency. The iCS paradigm achieves seamless integration and symbiosis evolution between security and cloud native. We implement a trial of iCS based on 5GC commercial system and evaluate its performance on costs, efficiency and attack success. The result shows that the iCS enhanced mode always can provide a better and more stable defense effects.

Xing Li,Xue Leng,Yan Chen

DOI: https://doi.org/10.1109/mnet.005.2100335

IF: 10.294

2022-01-01

IEEE Network

Abstract:Serverless computing is a new cloud service model that reduces both cloud providers' and consumers' costs through agile development, operation, and charging mechanisms. It has been widely applied since its emergence. Nevertheless, some characteristics of serverless computing, such as fragmented application boundaries, have raised new security challenges. Considerable literature has been committed to addressing these challenges. Commercial and open-source serverless platforms implement many security measures to enhance serverless environments. This article presents the first survey of serverless security that considers both the literature and industrial security measures. We summarize the primary security challenges, analyze corresponding solutions from the literature and industry, and identify potential research opportunities. Then, we conduct a gap analysis of the academic and industrial solutions, as well as commercial and open-source serverless platforms' security capabilities. Finally, we present a complete picture of current serverless security research.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Eduard Marin,Diego Perino,Roberto Di Pietro

DOI: https://doi.org/10.48550/arXiv.2107.03832

2022-01-27

Abstract:Serverless Computing is a virtualisation-related paradigm that promises to simplify application management and to solve the last challenges in the field: scale down and easy to use. The implied cost reduction, coupled with a simplified management of underlying applications, are expected to further push the adoption of virtualisation-based solutions, including cloud-computing or telco-cloud solutions. However, in this quest for efficiency, security is not ranked among the top priorities, also because of the (misleading) belief that current solutions developed for virtualised environments could be applied (as is) to this new paradigm. Unfortunately, this is not the case, due to the highlighted idiosyncratic features of serverless computing. In this paper, we review the current serverless architectures, abstract and categorise their founding principles, and provide an in depth analyse of them from the point of view of security, referring to principles and practices of the cybersecurity domain. In particular, we show the security shortcomings of the analysed serverless architectural paradigms, point to possible countermeasures, and highlight a few research directions.

Cryptography and Security

Yongkang Li,Yanying Lin,Yang Wang,Kejiang Ye,Cheng-Zhong Xu

DOI: https://doi.org/10.1109/tsc.2022.3166553

IF: 11.019

2022-01-01

IEEE Transactions on Services Computing

Abstract:Serverless computing is growing in popularity by virtue of its lightweight and simplicity of management. It achieves these merits by reducing the granularity of the computing unit to the function level. Specifically, serverless allows users to focus squarely on the function itself while leaving other cumbersome management and scheduling issues to the platform provider, who is responsible for striking a balance between high-performance scheduling and low resource cost. In this article, we conduct a comprehensive survey of serverless computing with a particular focus on its infrastructure characteristics. Whereby some existing challenges are identified, and the associated cutting-edge solutions are analyzed. With these results, we further investigate some typical open-source frameworks and study how they address the identified challenges. Given the great advantages of serverless computing, it is expected that its deployment would dominate future cloud platforms. As such, we also envision some promising research opportunities that need to be further explored in the future. We hope that our work in this article can inspire those researchers and practitioners who are engaged in related fields to appreciate serverless computing, thereby setting foot in this promising area and making great contributions to its development.

computer science, information systems, software engineering

Jinfeng Wen,Zhenpeng Chen,Yi Liu,Yiling Lou,Yun Ma,Gang Huang,Xin Jin,Xuanzhe Liu

DOI: https://doi.org/10.1145/3468264.3468558

2021-01-01

Abstract:Serverless computing is an emerging paradigm for cloud computing, gaining traction in a wide range of applications such as video processing and machine learning. This new paradigm allows developers to focus on the development of the logic of serverless computing based applications (abbreviated as serverless-based applications) in the granularity of function, thereby freeing developers from tedious and error-prone infrastructure management. Meanwhile, it also introduces new challenges on the design, implementation, and deployment of serverless-based applications, and current serverless computing platforms are far away from satisfactory. However, to the best of our knowledge, these challenges have not been well studied. To fill this knowledge gap, this paper presents the first comprehensive study on understanding the challenges in developing serverless-based applications from the developers’ perspective. We mine and analyze 22,731 relevant questions from Stack Overflow (a popular Q&A website for developers), and show the increasing popularity trend and the high difficulty level of serverless computing for developers. Through manual inspection of 619 sampled questions, we construct a taxonomy of challenges that developers encounter, and report a series of findings and actionable implications. Stakeholders including application developers, researchers, and cloud providers can leverage these findings and implications to better understand and further explore the serverless computing paradigm.

Michael Zhang,Chandra Krintz,Rich Wolski

DOI: https://doi.org/10.1109/percomworkshops48775.2020.9156239

2020-03-01

Abstract:Serverless computing is a promising new event-driven programming model that was designed by cloud vendors to expedite the development and deployment of scalable web services on cloud computing systems. Using the model, developers write applications that consist of simple, independent, stateless functions that the cloud invokes on-demand (i.e. elastically), in response to system-wide events (data arrival, messages, web requests, etc.). In this work, we present STOIC (Serverless TeleOperable HybrId Cloud), an application scheduling and deployment system that extends the serverless model in two ways. First, it uses the model in a distributed setting and schedules application functions across multiple cloud systems. Second, STOIC supports serverless function execution using hardware acceleration (e.g. GPU resources) when available from the underlying cloud system. We overview the design and implementation of STOIC and empirically evaluate it using real-world machine learning applications and multi-tier (e.g. edge-cloud) deployments. We find that STOIC's combined use of edge and cloud resources is able to outperform using either cloud in isolation for the applications and datasets that we consider.

Sina Ahmadi,

DOI: https://doi.org/10.47191/ijcsrr/v7-i1-23

2024-01-11

International Journal of Current Science Research and Review

Abstract:This research study explores the challenges and solutions related to serverless computing so that the computer systems connected to the network can be protected. Serverless computing can be defined as a method of managing computer services without the need to have fixed servers. The qualitative research method is used by this research study, which does not include any numerical data and involves the examination of non-number data so that the network security challenges can be identified in detail. In the literature review, the past studies from 2019 to 2023 are reviewed to identify study gaps so that the foundation for investigating serverless network security. The literature review is based on thematic analysis, so all the data can be organized into meaningful themes. The findings of this research study include the solutions to the challenges like data privacy, insecure dependencies and limited control. The strategies to overcome these challenges include encryption, strong monitoring and other relevant strategies. This research study also suggests the use of blockchain technology and Artificial Intelligence. In short, this research study provides insights to improve serverless computing security and also guides future researchers to innovate creative solutions for developing security challenges.

Zijun Li,Linsong Guo,Jiagan Cheng,Quan Chen,Minyi Guo,BingSheng He

DOI: https://doi.org/10.1145/3508360

IF: 16.6

2022-01-14

ACM Computing Surveys

Abstract:The development of cloud infrastructures inspires the emergence of cloud-native computing. As the most promising architecture for deploying microservices, serverless computing has recently attracted more and more attention in both industry and academia. Due to its inherent scalability and flexibility, serverless computing becomes attractive and more pervasive for ever-growing Internet services. Despite the momentum in the cloud-native community, the existing challenges and compromises still wait for more advanced research and solutions to further explore the potentials of the serverless computing model. As a contribution to this knowledge, this article surveys and elaborates the research domains in the serverless context by decoupling the architecture into four stack layers: Virtualization, Encapsule, System Orchestration, and System Coordination. Inspired by the security model, we highlight the key implications and limitations of these works in each layer, and make suggestions for potential challenges to the field of future serverless computing.

computer science, theory & methods

Bin Wang,Ahmed Ali-Eldin,Prashant Shenoy

DOI: https://doi.org/10.1145/3431379.3460646

2021-04-29

Abstract:Serverless computing has emerged as a new paradigm for running short-lived computations in the cloud. Due to its ability to handle IoT workloads, there has been considerable interest in running serverless functions at the edge. However, the constrained nature of the edge and the latency sensitive nature of workloads result in many challenges for serverless platforms. In this paper, we present LaSS, a platform that uses model-driven approaches for running latency-sensitive serverless computations on edge resources. LaSS uses principled queuing-based methods to determine an appropriate allocation for each hosted function and auto-scales the allocated resources in response to workload dynamics. LaSS uses a fair-share allocation approach to guarantee a minimum of allocated resources to each function in the presence of overload. In addition, it utilizes resource reclamation methods based on container deflation and termination to reassign resources from over-provisioned functions to under-provisioned ones. We implement a prototype of our approach on an OpenWhisk serverless edge cluster and conduct a detailed experimental evaluation. Our results show that LaSS can accurately predict the resources needed for serverless functions in the presence of highly dynamic workloads, and reprovision container capacity within hundreds of milliseconds while maintaining fair share allocation guarantees.

Distributed, Parallel, and Cluster Computing

Emilian Simion,Yuandou Wang,Hsiang-ling Tai,Uraz Odyurt,Zhiming Zhao

2024-01-04

Abstract:Serverless computing has emerged as an attractive paradigm due to the efficiency of development and the ease of deployment without managing any underlying infrastructure. Nevertheless, serverless computing approaches face numerous challenges to unlock their full potential in hybrid environments. To gain a deeper understanding and firsthand knowledge of serverless computing in edge-cloud deployments, we review the current state of open-source serverless platforms and compare them based on predefined requirements. We then design and implement a serverless computing platform with a novel edge orchestration technique that seamlessly deploys serverless functions across the edge and cloud environments on top of the Knative serverless platform. Moreover, we propose an offloading strategy for edge environments and four different functions for experimentation and showcase the performance benefits of our solution. Our results demonstrate that such an approach can efficiently utilize both cloud and edge resources by dynamically offloading functions from the edge to the cloud during high activity, while reducing the overall application latency and increasing request throughput compared to an edge-only deployment.

Distributed, Parallel, and Cluster Computing

Suyash Gupta,Sajjad Rahnama,Erik Linsenmayer,Faisal Nawab,Mohammad Sadoghi

DOI: https://doi.org/10.48550/arXiv.2201.00982

2022-01-04

Databases

Abstract:Modern edge applications demand novel solutions where edge applications do not have to rely on a single cloud provider (which cannot be in the vicinity of every edge device) or dedicated edge servers (which cannot scale as clouds) for processing compute-intensive tasks. A recent computing philosophy, Sky computing, proposes giving each user ability to select between available cloud providers. In this paper, we present our serverless-edge co-design, which extends the Sky computing vision. In our serverless-edge co-design, we expect edge devices to collaborate and spawn required number of serverless functions. This raises several key challenges: (1) how will this collaboration take place, (2) what if some edge devices are compromised, and (3) what if a selected cloud provider is malicious. Hence, we design ServerlessBFT, the first protocol to guarantee Byzantine fault-tolerant (BFT) transactional flow between edge devices and serverless functions. We present an exhaustive list of attacks and their solutions on our serverless-edge co-design. Further, we extensively benchmark our architecture on a variety of parameters.

Cheryl Lee,Zhouruixing Zhu,Tianyi Yang,Yintong Huo,Yuxin Su,Pinjia He,Michael R. Lyu

2024-08-21

Abstract:As an emerging cloud computing deployment paradigm, serverless computing is gaining traction due to its efficiency and ability to harness on-demand cloud resources. However, a significant hurdle remains in the form of the cold start problem, causing latency when launching new function instances from scratch. Existing solutions tend to use over-simplistic strategies for function pre-loading/unloading without full invocation pattern exploitation, rendering unsatisfactory optimization of the trade-off between cold start latency and resource waste. To bridge this gap, we propose SPES, the first differentiated scheduler for runtime cold start mitigation by optimizing serverless function provision. Our insight is that the common architecture of serverless systems prompts the concentration of certain invocation patterns, leading to predictable invocation behaviors. This allows us to categorize functions and pre-load/unload proper function instances with finer-grained strategies based on accurate invocation prediction. Experiments demonstrate the success of SPES in optimizing serverless function provision on both sides: reducing the 75th-percentile cold start rates by 49.77% and the wasted memory time by 56.43%, compared to the state-of-the-art. By mitigating the cold start issue, SPES is a promising advancement in facilitating cloud services deployed on serverless architectures.

Software Engineering,Distributed, Parallel, and Cluster Computing

Johann Schleier-Smith,Leonhard Holz,Nathan Pemberton,Joseph M. Hellerstein

DOI: https://doi.org/10.48550/arXiv.2009.09845

2020-09-16

Abstract:Serverless computing with cloud functions is quickly gaining adoption, but constrains programmers with its limited support for state management. We introduce a shared file system for cloud functions. It offers familiar POSIX semantics while taking advantage of distinctive aspects of cloud functions to achieve scalability and performance beyond what traditional shared file systems can offer. We take advantage of the function-grained fault tolerance model of cloud functions to proceed optimistically using local state, safe in the knowledge that we can restart if cache reads or lock activity cannot be reconciled upon commit. The boundaries of cloud functions provide implicit commit and rollback points, giving us the flexibility to use transaction processing techniques without changing the programming model or API. This allows a variety of stateful sever-based applications to benefit from the simplicity and scalability of serverless computing, often with little or no modification.

Distributed, Parallel, and Cluster Computing,Operating Systems

Emily Herbert,Arjun Guha

DOI: https://doi.org/10.48550/arXiv.1911.02178

2020-08-04

Abstract:Serverless computing is an approach to cloud computing that allows programmers to run serverless functions in response to external events. Serverless functions are priced at sub-second granularity, support transparent elasticity, and relieve programmers from managing the operating system. Thus serverless functions allow programmers to focus on writing application code, and the cloud provider to manage computing resources globally. Unfortunately, today's serverless platforms exhibit high latency, because it is difficult to maximize resource utilization while minimizing operating costs. This paper presents serverless function acceleration, which is an approach that transparently lowers the latency and resource utilization of a large class of serverless functions. We accomplish this using language-based sandboxing, whereas existing serverless platforms employ more expensive operating system sandboxing technologies, such as containers and virtual machines. OS-based sandboxing is compatible with more programs than language-based techniques. However, instead of ruling out any programs, we use language-based sandboxing when possible, and OS-based sandboxing if necessary. Moreover, we seamlessly transition between language-based and OS-based sandboxing by leveraging the fact that serverless functions must tolerate re-execution for fault tolerance. Therefore, when a serverless function attempts to perform an unsupported operation in the language-based sandbox, we can safely re-execute it in a container. We use a new approach to trace compilation to build source-level, interprocedural, execution trace trees for serverless functions written in JavaScript. We compile trace trees to a safe subset of Rust, validate the compiler output, and link it to a runtime system. We evaluate these techniques in our implementation, which we call Containerless.

Distributed, Parallel, and Cluster Computing,Programming Languages

Masudul Hasan Masud Bhuiyan,Cristian-Alexandru Staicu

DOI: https://doi.org/10.48550/arXiv.2211.11357

2022-11-21

Cryptography and Security

Abstract:Algorithmic complexity vulnerabilities are a class of security problems that enables attackers to trigger the worst-case complexity of certain algorithms. Such vulnerabilities can be leveraged to deploy low-volume, asymmetric, CPU-based denial-of-service (DoS) attacks. Previous work speculates that these vulnerabilities are more dangerous in certain web servers, like Node.js, than in traditional ones, like Apache. We believe it is of utmost importance to understand if this is indeed the case or if there are ways to compensate against such problems using various deployment strategies. To this end, we study the resilience of popular web servers against CPU-based DoS attacks in four major cloud platforms under realistic deployment conditions. We find that there are indeed significant differences in how various web servers react to an attack. However, our results suggest a more nuanced landscape than previously believed: while event-based systems tend to recover faster from DoS in certain scenarios, they also suffer the worst performance degradation overall. Nevertheless, in some setups, Apache performs worse than event-based systems, and there are cloud platforms in which all the considered servers are seriously exposed to the attack. We also find that developers can harden their servers against CPU-based DoS attacks by increasing the number of server instances running in parallel. This, in turn, can lead to an increased cost of operation or a slight degradation of performance in non-DoS conditions.

Maciej Malawski,Bartosz Balis

DOI: https://doi.org/10.48550/arXiv.2309.01681

2023-09-04

Distributed, Parallel, and Cluster Computing

Abstract:Serverless computing has become an important model in cloud computing and influenced the design of many applications. Here, we provide our perspective on how the recent landscape of serverless computing for scientific applications looks like. We discuss the advantages and problems with serverless computing for scientific applications, and based on the analysis of existing solutions and approaches, we propose a science-oriented architecture for a serverless computing framework that is based on the existing designs. Finally, we provide an outlook of current trends and future directions.

Aristotelis Peri,Michail Tsenos,Vana Kalogeraki

2024-10-09

Abstract:In recent years, serverless computing, especially Function as a Service (FaaS), is rapidly growing in popularity as a cloud programming model. The serverless computing model provides an intuitive interface for developing cloud-based applications, where the development and deployment of scalable microservices has become easier and cost-effective. An increasing number of batch-processing applications are deployed as pipelines that comprise a sequence of functions that must meet their deadline targets to be practical. In this paper, we present our Hybrid Cloud Scheduler (HCS) for orchestrating the execution of serverless batch-processing pipelines deployed over heterogeneous infrastructures. Our framework enables developers to (i) automatically schedule and execute batch-processing applications in heterogeneous environments such as the private edge and public cloud serverless infrastructures, (ii) benefit from cost reduction through the utilization of their own resources in a private cluster, and (iii) significantly improves the probability of meeting the deadline requirements of their applications. Our experimental evaluation demonstrates the efficiency and benefits of our approach.

Distributed, Parallel, and Cluster Computing

Seoungmo An,Taehoon Eom,Jong Sou Park,Jin B. Hong,Armstrong Nhlabatsi,Noora Fetais,Khaled M. Khan,Dong Seong Kim

DOI: https://doi.org/10.48550/arXiv.1903.04271

2019-03-11

Abstract:Cloud computing has been adopted widely, providing on-demand computing resources to improve perfornance and reduce the operational costs. However, these new functionalities also bring new ways to exploit the cloud computing environment. To assess the security of the cloud, graphical security models can be used, such as Attack Graphs and Attack Trees. However, existing models do not consider all types of threats, and also automating the security assessment functions are difficult. In this paper, we propose a new security assessment tool for the cloud named CloudSafe, an automated security assessment for the cloud. The CloudSafe tool collates various tools and frameworks to automate the security assessment process. To demonstrate the applicability of the CloudSafe, we conducted security assessment in Amazon AWS, where our experimental results showed that we can effectively gather security information of the cloud and carry out security assessment to produce security reports. Users and cloud service providers can use the security report generated by the CloudSafe to understand the security posture of the cloud being used/provided.

Cryptography and Security