This repository contains the implementation and analysis scripts for the paper "GRASP: Hardening Serverless Applications through Graph Reachability Analysis of Security Policies", published in WWW 2024. GRASP is a graph-based analysis framework for modeling serverless access control policies as queryable reachability graphs.
The dataset of serverless projects analyzed in the GRASP paper is too large to host in a git repository. Please send a request for the original dataset.
To run the analysis on your dataset:
-
List serverless.yml paths to analyze in the
misc-scripts/data/sec-policy-only.csvfile. -
cd checkov/checkov/ -
python3 tool_name.py -l FILE_LIST: This command generates the model facts for each yml file in themisc-scripts/data/new-resultsdirectory and outputs the parsed-permissions in themisc-scripts/data/parsed-permissions.csvfile. -
python3 misc-scripts/graph_stats.py: This command analyzes the fact files from themisc-scripts/data/new-resultsdirectory and computes public and private functions, exfiltration paths, and other attributes. The output is written to themisc-scripts/data/prolog-results.csvfile. -
Some additional analysis scripts and files used for the evaluation are in the
additionaldirectory.