Checking Security Properties of Cloud Service REST APIs

Publication Type: Conference Paper
Year of Publication: 2020
Authors: Atlidakis, V., Godefroid, P., Polishchuk, M.
Conference Name: 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST)
Date Published: Oct. 2020
ISBN Number: 978-1-7281-5778-8
Keywords: active property checkers, API, APIs, application program interfaces, application programming interface, capture desirable properties, checking security properties, Cloud and Web services, cloud computing, cloud service REST, compositionality, Computer bugs, formal verification, fuzzing, modern cloud, Office365 cloud services, Production, pubcrawl, rendering (computer graphics), resilience, Resiliency, REST APIs, security, security of data, security rules, stateful REST API fuzzer, test generation, web services

Abstract: Most modern cloud and web services are programmatically accessed through REST APIs. This paper discusses how an attacker might compromise a service by exploiting vulnerabilities in its REST API. We introduce four security rules that capture desirable properties of REST APIs and services. We then show how a stateful REST API fuzzer can be extended with active property checkers that automatically test and detect violations of these rules. We discuss how to implement such checkers in a modular and efficient way. Using these checkers, we found new bugs in several deployed production Azure and Office365 cloud services, and we discuss their security implications. All these bugs have been fixed.