Skip to main content

Advances, Systems and Applications

Toward security quantification of serverless computing

Abstract

Serverless computing is one of the recent compelling paradigms in cloud computing. Serverless computing can quickly run user applications and services regardless of the underlying server architecture. Despite the availability of several commercial and open-source serverless platforms, there are still some open issues and challenges to address. One of the key concerns in serverless computing platforms is security. Therefore, in this paper, we present a multi-layer abstract model of serverless computing for an security investigation. We conduct a quantitative analysis of security risks for each layer. We observe that the Attack Tree and Attack-Defense Tree methodologies are viable approaches in this regard. Consequently, we make use of the Attack Tree and the Attack-Defense Tree to quantify the security risks and countermeasures of serverless computing. We also propose a novel measure called the Relative Risk Matrix (RRM) to quantify the probability of attack success. Stakeholders including application developers, researchers, and cloud providers can potentially apply these findings and implications to better understand and further enhance the security of serverless computing.

Introduction

The serverless computing paradigm has received a lot of attention since its birth. Both the rise of the 5G and 6G era and the popularity of various edge devices make the industry and academia pay more and more attention to this new computing paradigm [1]. Serverless computing has gained popularity through the concept of Function-as-a-Service (FaaS), which requires a smaller domain to manage traditional Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). Enthusiastically, it allows developers to focus on the core security logic of the application, regardless of virtual machine (VM) or cloud server infrastructure. The advantages of cloud computing include the ease of sharing resources, autoscaling strategy, and on-demand use [2]. Serverless computing has taken cloud computing one step further by breaking down the units from resources into functions and containers, thereby allowing developers to focus only on the implementation of the specific function or service rather than the complexity of operations and maintenance for underlying servers and infrastructures. Serverless computing is favored by the industrial community and researchers because of its low latency, cost-effectiveness, pay-as-you-go, and autoscaling strategy, consequently offering huge benefits for some cloud computing services [3]. Before serverless computing, automatic scaling of cloud services was used to automatically configure the VM to reserve resources, but customers would still pay for that capacity even if it remains idle. By contrast, cloud service providers pay for idle resources in serverless computing. Customers who use the resources provided by serverless computing can pay according to the workload actually generated. In several mature commercial serverless computing platforms [4], customers can easily migrate their business from traditional cloud servers to serverless computing. Through serverless computing platforms, cloud service providers can better control resource utilization and improve infrastructure utilization. The ease of use of serverless computing is another incentive for users to migrate services. Amazon Web Services (AWS) [5], Google Cloud Platform (GCP) [6], and Microsoft Azure are aggressively expanding their serverless computing platforms and achieving high-profit growth [7]. The community also has several open-source frameworks such as OpenFaaS [7,8,9], Kubeless [7], Knative [10], and many other. Serverless computing has recently been increasingly used in many areas, including video processing, machine learning, data processing, website requests, IoT scenarios, and various stateless APIs [1]. Although serverless computing is concise on the user-end, there are still many challenges in the design, implementation, and deployment of the serverless architecture. Serverless computing platforms are still in their juvenile stage. According to our literature search, there are some challenges that have not been well studied. One of the most important challenges is security.

In this paper, we focus on the security aspects of serverless computing. It is about the security quantification toward the enhancement. Security is perhaps the greatest deterrent that prevents serverless computing from being widely adopted. Many business organizations and research institutes are quite vigilant in migrating their information assets to third-party service providers. Conventional IT infrastructures hold information assets in their private data centers or servers. Running, saving, and backing up data and applications are organized locally in the administrative domain [11]. Traditional organizations are often reluctant to use cloud services as infrastructure. The security measures for external organizations are often transparent. In addition, the presence of a large number of individual users has prompted transparency in security measures. Users may be trusted by cloud service providers, but distrust exists between different users. These reasons cause customers to distrust and conflict with cloud service providers’ assets. Serverless computing exacerbates this trend. When users have only heard of the concept initially, they will not get too interested in or dependent on serverless computing. With the development of the serverless computing ecosystem, more and more people begin to pay attention to the security of serverless computing.

The rise of serverless computing provides an opportunity to construct a novel security quantification method to reveal the degree of risk that exists in serverless computing. We propose a quantification method combining Attack-Defense Tree, Risk Matrix and Probability of Success to demonstrate the risks of serverless computing. In essence, we explore the following specific areas in quantifying serverless security:

  • Understand and analyze the underlying architecture, principles, and applications of container technologies, such as Docker and Kubernetes towards the development and deployment of serverless computing.

  • Study and comprehend the architecture, principles, effectiveness, and workflow of serverless computing, identify challenges and related issues toward the security enhancement.

  • Survey and analyze the prominent and standard security quantification mechanisms (for quantifying security attributes, measures, or metrics) such as Attack Tree and Attack Defense Tree.

  • Propose a novel quantitative measure to logically compute the probability of risk (an attack) or countermeasure.

  • Carry out the risk analysis of serverless computing while dividing it into its constituent layers. In fine, we analyze how the quantification can help direct the end-to-end security enhancement of serverless computing.

The rest of this paper is organized as follows. “Related work” section briefly reviews the related works dedicated to serverless security quantification using Attack Tree and Attack Defense Tree. “Serverless computing and OpenFaaS” section presents the architecture, principles, effectiveness, workflow of serverless computing, and the deployment of serverless applications using OpenFaaS (one of the most popular serverless frameworks) [12]. “Security quantification mechanism” section presents our proposed novel security quantification mechanism to carry out the security analysis. “Security quantification of serverless computing” section presents the security quantification of Serverless Computing. Note that the serverless architecture is divided into its constituent layers and thorough quantification is carried out for better analysis. “Conclusion and future works” section concludes this paper with discussion of future research works.

Related work

In this section, we present a literature review delving with security quantification of serverless computing, as following:

Security quantification methodology

We find that the commonly used methodologies for analyzing security risks, threats, vulnerabilities, attacks are Attack Tree, Threat Model, Risk Tree, and others. We briefly demonstrate their principles and evaluation metrics, as follows:

Attack Tree

An Attack Tree is a conceptual diagram used to model possible attack scenarios or threats in a system. It uses graphical, mathematical, and structured decision-tree symbols to model possible attacks. Besides, it also systematically classifies the ways that a system can be attacked. Notably, its complimentary Attack-Defense Tree helps us model defenses against these attacks.

Threat model

Similar to Attack Tree, Threat modelFootnote 1 analyzes potential threats, vulnerabilities, or the absence of potential countermeasures.

Risk tree

Risk TreeFootnote 2 is a methodology, which is used for risk management. Notably, it is developed on the top of Attack Tree approach. Using Risk Tree, we can precisely capture and prioritize the risks of a system and its applications.

Risk matrix

Risk matrix [13] is a tool used to quantitatively assess and prioritize project risk. In the risk matrix table, risks are classified into different levels, such as high, medium, and low. Risk matrix has become one of the widely used quantitative risk assessment techniques [14]. The two main disadvantages of a risk matrix are its poor resolution [15], which may not accurately differentiate and compare distinct risks, and its ambiguous inputs and outputs, which necessitate subjective interpretation and could lead to disparate assessments of the same risk.

Discussion

We observe that the aforementioned methodologies perform similar analysis concerned with security risks, threats, vulnerabilities, attacks, and so on. Among these we choose Attack Tree, since it is well-established compared with other methodologies (as discussed in the later part of this section). Also, our objective is to do quantitative and qualitative analysis concerned with security. To this end, we look for the readily available tools. Respectively, we find a couple of open-source and commercial tools available for Attack Tree as stated later part of this section.

Therefore, we do our quantification toward security area by leveraging Attack Tree (ATree) and Attack-Defense Tree (ADTree). In this section, we review the relevant works to understand the foundations of Attack Tree and Attack-Defense Tree. Besides, the modeling tools and frameworks of Attack Tree and Attack-Defense Tree are analyzed. In addition to the analysis of these fundamental options, we analyze how communities use these tools in terms of security quantification. According to the above analysis, we quantify the security, on which serverless computing focuses.

Foundations of Attack Tree and Attack-Defense Tree

Mauw et al. [16], offers a formal definition of the concepts of Attack Tree that is an effective and intuitive aid to threat analysis. The formal interpretation helps to learn and manipulate Attack Tree precisely. Besides, the denotational semantics based on attack suites, attribution, and projection in attack trees are formally defined.

Mauw et al. [17, 18] give formal definitions of Attack-Defense Tree. As an enhanced version of Attack Tree, Attack-Defense Tree can handle more complex security challenges and scenarios. They utilize Attack-Defense Tree to create effective defenses, and calculate the probability of attack success after defense through some of its attributes which is evaluated in ADTree.

Ingoldsby, Terrance R [19] analyzes threats based on Attack Tree. The author demonstrates the Attack Trees bring greater rigor and objectivity in analyzing the hostile risk. This work gives the origin, use conditions, analysis methods, and calculation of Attack Tree. Besides, it explains how to step in risk analysis. Risk analysis using attack tree model more clearly expresses expert knowledge and reasoning. Analysts can better express their understanding of security issues in a unified and mature model, which promotes discussion among security experts. We know how to model the threat correctly and concisely, which helps us construct attack scenarios against the entire system using attack tree and Attack-Defense Tree methods.

Hansen et al. [20] introduce ADTLANG, a programming language technique for better reasoning of ADTrees. In particular, the authors come up with a set of approaches and augmentations in extending the basic Boolean logic of ADTrees with behavioral properties and quantities. Notably, the authors facilitate the the use of ADTrees introducing a domain specific language and coming up with a tool. This tool/approach is the ADTLANG accompanying with IDE. It facilitates the reuse, collaborative tree construction, and modularity. It also helps separate the quantitative/behavioral elements and logical attributes. The authors evaluate the effectiveness of their tool implementing a reactive Break The Glass policy and achieves comparable results. This research work affirms the significance and importance of ADTree.

Broccia et al. [21] assess the acceptance and understandability of ADTrees notations in analysing security constraints. In particular, the authors assert that while the quality of the notations has been predominantly measured quantitatively, its simplicity, clarity, and comprehensibility (in short, understandability) have not been reviewed, even though they are essential for its success. For this, in evaluating the acceptance and understandability of ADT notations, the authors perform an experiment with 25 human subjects. The experimental analysis prove that ADT notations are well accepted and have a very high level of understandability.

Modeling tools for Attack Tree and Attack-Defense Tree

In the early stage of our research, we first conduct a thorough survey and comparison of the Attack Tree modeling tools available in the market. We then divide them into two types according to commercial or open-source tools as follows:

  • Commercial Tools: SecurlTree from Amenaza Technologies , AttackTree+ from Isograph and RiskTree from 2T Security.

  • Open Source Tools: Ent [22], SeaMonster [23] and ADTool [24, 25].

From these two categories, we exclude commercial tools because we have to pay for them. In our study, we will choose the most suitable tool from open source tools through analysis and comparison, and finally we choose ADTool.

Table 1 Open-source Attack Tree modeling tools comparison

In Table 1, we show the comparison of three open-source modeling tools to visually illustrate the technical and functional differences among them. After completing the comparison, we chose ADTool as our attack tree modeling tool. ADTool is ahead of other tools in terms of activity and feature support. Notably, ADToolFootnote 3 was developed at the University of Luxembourg. It allows users to perform quantitative analysis based on Attack Tree and Attack-Defense Tree. It has 13 built-in property fields, which fully support the quantitative analysis related functions we need. The biggest difference between the other two tools is that ADTool is designed and developed for Attack-Defense Tree, not just Attack Tree, which meets our research objectives.

Use cases of Attack Tree and Attack-Defense Tree

We observe that the protocols and standards used in control systems have little regard for security. To this, we study the use-cases of Attack Tree and Attack-Defense Tree in analyzing security requirements and constraints of various service providers, applications, and systems. We find that Byres et al. [26] use the attack tree to evaluate the possible vulnerability risk of MODBUS protocol stack in SCADA system. By defining several basic categories of risk and environmental assumptions, the authors brainstorm eleven attacker targets and identify security vulnerabilities inherent in the specification and typical deployments of SCADA systems. According to the attack tree, the vulnerability of the system can be analyzed and the related equipment can be tested. The main benefits of using attack trees are that they focus on evaluable targets and can define specific tests, rather than merely considering theoretical vulnerabilities in terms of devices, networks, and protocol implementations without practical testing. We also get guidance on how to quantify risk concretely.

MyProxy system proposed by Saini et al. [27] is a security subsystem in Globus grid computing toolkit, which is used to store user proxy credentials. The authors use the concept of Attack Tree to evaluate its security and calculates the attack cost and damage cost for each attack scenario. Using this system as an example, the authors demonstrate the feasibility of using Attack Tree modeling in enterprise risk management, rather than the complex traditional trust modeling ideas of academia, to quickly understand risk modeling. The authors determine the priority of security vulnerability risk by constructing the qualitative analysis of Attack Tree, which inspires us to conduct the qualitative analysis of serverless computing.

Notably, we also analyze the use cases of ATree and ADTree in e-Voting. To ensure secure access to any Internet application or system, especially for binding Government elections, every vote must be counted. The public, process, equipment, software, strategy, law, and other factors jointly affect the election system and constitute a complex network environment. Pardue et al. [28] build a threat tree for this system. They identified three threats to voting systems: voting equipment attacks, voting process attacks, and insider threats. Although there are overlapping parts among these threats, they are distinguished by different contexts, threat sources, and threat trigger conditions. They treat these three threats as three branches of the threat tree. The sub-threats are defined in a similar way to outline title hierarchy. They also use the OR and AND operators to represent the relationship between the threat nodes. Although their analysis is mainly about threat trees, the principle is similar to attack trees, thereby enlightening us on some strategies of how to attack serverless computing systems. From their risk assessment techniques, we learn how to classify risks into different categories.

Kordy et al. [29] present a method to evaluate probabilistic measurement of offensive and defensive scenarios involving correlative actions using Bayesian networks combined with ADTree method. This approach provides a practical way to perform accurate probabilistic evaluation of security scenarios modeled using attack trees or ADTrees by removing the assumption of independence. However, the application of this method relies on professionals and may require structurally complex models, which makes models difficult to understand and verify, and also makes calculations slow. In our scenario, we use the cumulative distribution function of the standard normal distribution to calculate the probabilities of various risks, saving a lot of time and resources.

Fraile et al. [30] use Attack-Defense Tree to analyze automated teller machines (ATM) threats. ATM security is critical and requires a sophisticated understanding of the threat. The authors introduce the application of Attack-Defense Tree in computer system and creates multi-stage attack scenarios to analyze ATM security. While they do not explain the attack and defense in detail, they do have a good taxonomy of possible ATM risks. We learned how to systematically build an Attack-Defense Tree and the strengths and weaknesses of the analysis. This is a good case study and the best practice for beginners.

Notably, we also analyze the applications of Attack Trees in the field of software and protocols. We find that the quantification of risk assessment is very important in every field of computing, especially for cloud computing, which can directly represent the results of the model. Attack Trees can help us make sound and effective risk assessments. Tanimoto et al. [31, 32] analyze the risk management of security problems in cloud computing. In recent years, the research on cloud computing by cloud service providers and academia mainly focuses on the server side rather than the security side. The authors conducted a comprehensive study and investigation on the security of cloud computing from the perspective of users. Specifically, user-side risk factors could be extracted by risk breakdown structure (RBS) method. According to the result of this method, the author puts forward specific countermeasures and suggestions. Tanimoto et al., in their first study conduct a qualitative assessment of these risks [31]. In their second study, [32], they filled in the quantitative part of the risk assessment. They put forward the risk quantification matrix, using their risk formula to calculate the risk value of each risk factor and its countermeasures to simplify the quantification. The matrix contains three factors, including Asset, Threat and Vulnerability. The final risk value can be obtained by multiplying these three factors. We learn the quantitative method of risk assessment and made more scientific refinement. They do not use attack defense trees to visualize risks and measures while we believe that attack defense is more intuitive in vision than simple table form in their study, and can also reflect the corresponding relationship between different attacks and countermeasures, as well as the hierarchical relationship between different attacks. Li et al. [33] present an offensive and defensive behavior tree model based on the Border Gateway protocol (BGP) attack tree. Their proposition is like that Defense tree model is not easy scalable. On the other hand, based on our study, we find that we can easily scale Attack-Defense tree model. In their study, the authors introduce Game theory into the attack tree model which is intended to demonstrate specific network attack and defensive scenarios. With this, the authors propose an algorithm for the calculation of the target attack success rate and finally its attack probability. This study is in line with ours, however, in our study we come with deriving probability scores of each individual attack and its countermeasures with Attack-Defense tree.

Wang et al. [34] talks about Cybersecurity risk assessment and protection on industrial control systems since it is important for effective response to network attacks. The authors introduce cybersecurity risk assessment method which is applied to airport automatic fuel supply control system. Notably, the method is based on fuzzy theory of Attack-Defense Tree model and probability cybersecurity risk assessment technology. The authors claim that the results are objective and reasonable while they reduce the subjective impact as the assessment is susceptible to subjective and objective effects.

Bryans et al. [35] work on Attack Defense Trees with sequential conjunction in Cyber-Physical Systems (CPS). Their methodology for generating these trees involves using a CPS model and predefined attack and defense templates. The manual process of constructing attack and defense trees is very time-consuming and prone to errors. Therefore, they automatically generate sequentially-connected attack-defense trees to facilitate the analysis of CPS network security. Differentiating our study from theirs, we incorporate probability with Attack Defense Trees. This enhancement dives even deeper into recognizing and comprehending potential system vulnerabilities.

Meng et al. [36] takes help of ADTree to analyze system architectures toward synthesizing optimal cost defense mechanism using MaxSMT [37]. Their goal is to defend all possible attacks/risks with minimal cost. While evaluation, they perform the experiment on a delivery drone system model and it achieves comparable results. Notably, we can also perform cost analysis with ADTree and it can also helps estimate minimum cost toward defending all the possible attacks in a system. As stated earlier, in this paper, we limit our analysis to success probability of attack. Notably, the analysis of minimum cost of attack and minimum cost of defense while mitigating all the attacks is our future study. In future, we plan to perform a comparative study between the study of Meng et al. [36] and ours.

In summary, we explore a set of research works related to threat and attack modeling, which enables us to better analyze the vulnerabilities and risks of serverless computing and conduct reasonable and objective risk assessment, helping us to conduct a scientific security quantification.

Serverless computing and OpenFaaS

We know that serverless computing is emerged with a myriad of features and functions for cloud users while the optimizing the quality of service (QoS), service level agreements (SLAs), cost, resources, time, and many more. However, we find that that we may encounter a couple of issues while working with the public commercial serverless offerings. They require the functions to be written or deployed in a certain way, resulting in vendor lock-in. On the other hand, the open source FaaS frameworks allow us to run serverless computing on private infrastructure, thereby avoiding any form of vendor lock-in. As stated earlier, some of the popular ones are OpenFaaS, Knative, Kubeless, and so on. Among these, OpenFaaS is the most flexible, most popular, and most commonly used [12].

Fig. 1
figure 1

An example OpenFaaS workflow [8]

OpenFaaS and its workflow

OpenFaaS is versatile enough to be deployed on private infrastructure, support multiple container runtimes based on K8s, or deploy with its own engine faasd. As one of the most popular platforms, OpenFaaS is getting a lot of attention from the community and its ecosystem is becoming more mature. OpenFaaS makes it easy for developers to deploy functions and microservices regardless of the underlying infrastructure and servers. Package code and binaries into Docker images and deploy them to OpenFaaS for autoscaling and metrics monitoring. OpenFaaS supports most container choreography platforms, such as K8s, OpenShift, and Docker Swarm (Deprecated). The core of OpenFaaS consists of two parts: API gateway and Watchdog. The former is responsible for routing function of the API, autosacling, and providing various metrics of the function. The latter is responsible for starting and monitoring OpenFaaS functions, and the watchdog can turn any binary into a function, similar to a simple initialization process. Watchdog also provides high throughput and reuses expensive resources such as database connections or machine learning models. Gateway metrics can be picked up and visualized by PrometheusFootnote 4 [38,39,40] or Grafana DashboardFootnote 5[41]. AlertManagerFootnote 6 accesses requests per second metrics from Prometheus and decides the time of firing an alert to the API Gateway. The gateway scales when it receives an alert. Figure 1 is the workflow of OpenFaaS which shows the whole running process of the system.

OpenFaaS cluster

We deploy OpenFaaS to K8s, so we have built a K8s cluster with kindFootnote 7 and deployed OpenFaaS on top of it. kind is a tool to run local Kubernetes using Docker container. Notably, the configuration of our system is, as shown in the Table 2.

Table 2 System configuration

In the cluster, we first install faas-cli, it is a very useful command line tool, through which we can quickly perform different operations on the function, we can view all supported commands through faas-cli help including new, deploy, build, and so on. Next we need to install K8s and Docker to support the running of virtual nodes. We use Arkade for quick installation of OpenFaaS. We have 2 namespaces - openfaas and openfaas-fn, The first contains all the basic components of OpenFaaS, and the second contains all the functions and function containers.

Security quantification mechanism

Novel quantification measure for security analysis

In order to quantify the security of serverless computing, our main goal is to find an intuitional measure to do it. We have used attack defense trees to model some of the risks of serverless computing and have visualized them with ADTool. An important question is how to assign an appropriate probability value to each risk. We applied the risk matrix to each risk in attack tree to get the risk probabilitiy values. Then, We propose a new quantitative measure to express the probability of risk. In our quantification of security analysis, we combine Risk Matrix, Standard Normal Distribution, and cumulative distribution function to propose a new quantitative measure called Relative Risk Matrix evaluating the probability of risk effectively and efficiently. Our measure is mainly concerned with probability estimation in risks. Among all the attribute domains of Attack-Defense Tree method, we chose the Probability of success domain to support our security quantification analysis. The proposed measure can be described step by step:

  1. 1

    Compute the matrix value by multiplying the evaluation factor values.

  2. 2

    Standardize these matrix values to conform to a standard normal distribution.

  3. 3

    Use the Cumulative Distribution Function(CDF) to generate probabilities from these standardized values.

Notably, it is the process of the formulation of Relative Risk Matrix (RRM) & Relative Risk Mitigation Matrix (RRMM).

Relative risk matrix & relative risk mitigation matrix

In this section, we demonstrate the formulation of Relative Risk Matrix and Relative Risk Mitigation Matrix.

Relative risk matrix for attack

There are three important factors in the relative risk matrix: Vulnerability Severity, Consequence Impact, and Exploitability.

  • Vulnerability Severity is how critically a vulnerability can affect a system if exploited. This might include considerations such as the potential disruption to the system, the scope of the damage, and the level of access it can provide to an attacker. It is a measure of the potential harm a vulnerability can cause without considering if an exploitation for it exists.

  • Consequence Impact is often related to what could happen to a system post-exploitation. This mainly concerns the aftermath and potential damage should a vulnerability be successfully exploited. It takes into account factors like data loss, system downtime, reputational damage, etc.

  • Exploitability is an indication of how simple it is to exploit a given vulnerability. This involves things like whether an exploit is publicly available or known, the level of sophistication needed to exploit the vulnerability, or whether special conditions are required for an attack to be successful.

Notably, although those three factors seem to be closely related due to their involvement in risk assessment, they are different aspects of the overall picture. Each one provides distinct information: the potential severity of a vulnerability, the impact post-exploitation, and the likelihood of successful exploitation. A comprehensive understanding of a system’s security can be obtained by considering all three factors.

Vulnerability Severity and Consequence Impact are often correlated. A high Vulnerability Severity may result in a high Consequence Impact, which can be exemplified by a critical software bug that, once exploited, can bring down the entire system and cause extensive data loss and downtime. However, there can also be many cases where these two factors do not correlate. For example, a system might comprise an exploit with high Vulnerability Severity score because its exploitation would disrupt the system’s operation significantly. However, if that system only contains non-sensitive data, an exploit would not result in serious data loss, which means the Consequence Impact score would be low. On the other hand, a system handling extremely sensitive data could have a high Consequence Impact owing to the seriousness of any data breach. However, if exploiting the vulnerability requires very specific conditions that are difficult for attackers to meet, the Vulnerability Severity could be lower. Hence, although Vulnerability Severity and Consequence Impact are often linked, they do not always correlate. It is vital to consider both when assessing the overall severity of vulnerability and potential impact of consequence.

We have designed a scoring system from 1 to 4 for each risk factor. A score of 1 implies a low probability of this factor leading to the risk, or a minor impact if the risk is triggered by this factor. A score of 2 indicates a below-average likelihood or impact. A score of 3 means this factor has a higher-than-average probability to lead to the risk, or it may cause an above-average impact. Lastly, a score of 4 suggests that this factor has a high probability to cause the risk, and the potential risk could be substantial. This scoring system provides a clear basis for judgements when assessing the contribution of each factor to the risk, thus allowing wiser risk management decisions.

$$\begin{aligned} \textrm{RRM Value}= \text {Vulnerability {Severity}} \times \text {Consequence Impact} \times \text {Exploitability} \end{aligned}$$
(1)

Below we give a range of values for each factor, shown in Table 3. A simple example of Relative Risk Matrix is shown in Table 4.

  • Vulnerability Severity: Low(1), Medium(2), High(3), Extreme(4)

  • Consequence Impact: Low(1), Medium(2), High(3), Extreme(4)

  • Exploitability: Low(1), Medium(2), High(3), Extreme(4)

Table 3 Risk assessment table
Table 4 Relative risk matrix value example

Let us describe the process of calculating probabilities in detail using a sample Table 4 as an example.

  1. 1

    Evaluate factor values and compute matrix values. In Table 4, for the risk of “Data modification”, we assess its Vulnerability Severity as medium with a value of 2. Its Consequence Impact is High, with a value of 3. It has an Exploitability of Medium with a value of 2. The product of these factors results in a risk matrix value of 12. Similarly, for the risk of “Privilege Escalation”, we conducted a corresponding evaluation and obtained a risk matrix value of 18.

  2. 2

    Calculate standard values for matix values. Standardize the matrix values are standardized to conform to a standard distribution. Calculate mean \(\mu\) by the formula \(\mu = \frac{(12+18)}{2}= 15\), and calculate standard deviation \(\sigma\) by the formula \(\sigma =\sqrt{\frac{18}{2}}=\sqrt{9}=3\). Utilizing the provided mean and standard deviation, we can compute the standard value with: \(SV = (X - \mu ) / \sigma\). Consequently, the standard Value for “Data Modification” is \(-1\), indicating its risk matrix value is one standard deviation below the average. The standard Value for “Privilege Escalation” is 1, indicating it is one standard deviation above the mean. These computations let us understand these values’ positioning within the distribution in respect to the mean value.

  3. 3

    Use the cumulative distribution function to describe the probability distribution of these standardized values [42]. The CDF uses the integral of the probability density function to calculate the probability that a random variable will take on a value less than or equal to a specified value. Applying this function to our standardized values allows us to generate a new set of values that represent the probabilities of each potential risk. For standard value \(-1\), the probability is approximately 0.16. This probability can be interpreted as there being a 16% chance that a random variable will take on a value equal to or less than the risk matrix value for “Data Modification”. For standard value 1, the probability is approximately 0.84. This means there is an 84% chance that a random variable will take on a value equal to or less than the risk matrix value for “Privilege Escalation”.

Relative risk mitigation matrix for countermeasure

There are three important factors in the relative risk mitigation matrix: Mitigation Degree, Feasibility, and Implementation Simplicity.

  • Mitigation Degree assesses how much a certain strategy will reduce the risk. For example, if a security vulnerability can be totally eliminated by applying a certain patch, then this strategy’s mitigation degree is very high.

  • Feasibility evaluates the viability of actually applying a mitigation strategy. For example, we might have a highly effective strategy, but if it requires an investment in equipment that our organization can not afford, or expertise we do not have, then its feasibility is low.

  • Implementation Simplicity measures the ease or difficulty in implementing the mitigation strategy. For example, a strategy might require a simple configuration change that can be done in minutes (high simplicity), or it may require significant application code rewrites that could take weeks or months (low simplicity).

$$\begin{aligned} \textrm{RRMM Value}= \text {Mitigation Degree} \times \text {Feasibility} \times \text {Implementation Simplicity} \end{aligned}$$
(2)

Below we give a range of values for each factor.

  • Mitigation Degree: Low(1), Medium(2), High(3), Extreme(4)

  • Feasibility: Low(1), Medium(2), High(3), Extreme(4)

  • Implementation Simplicity: Low(1), Medium(2), High(3), Extreme(4)

A simple example of Relative Risk Mitigation Matrix is shown in Table 5.

Table 5 Relative risk mitigation matrix value example

In essence, we propose a new security quantification measure which can be used in serverless computing security analysis combining with risk matrix, standard normal distribution, and cumulative distribution function. This metric assesses the probability of the risks meticulously. We take serverless computing as an example to verify the effectiveness of our measure. In the following sections, we conduct a security quantification for serverless computing. Leveraging a RRM that we developed, we assess potential probabilities associated with various risk events. This information is then modeled and analyzed using Attack Trees and Attack Defense Trees methodology. This novel integration of relative risk matrix and attack modelling techniques provides an enhanced understanding of the security landscape in serverless computing environments, a necessary step towards mitigating potential threats.

Security quantification of serverless computing

Layers of serverless computing

In the “Serverless computing and OpenFaaS” section, we describe the architecture of Serverless Computing. From the architecture, we can divide Serverless Computing into the following layers and conduct quantitative analysis on each layer separately. After performing individual quantitative analyses, they are added together to form a holistic analysis. Below are the defined layers of Serverless Computing:

  1. 1

    Cloud Layer

  2. 2

    Container Infrastructure Layer

  3. 3

    Serverless Layer

  4. 4

    Access Layer

The following parts describe the security quantification of each layer in Serverless Computing.

Security quantification of cloud layer

More than a decade ago, the concept of cloud computing emerged and continued to grow [43]. The flourish of cloud computing migrates away the innovation and deployment of user software and computing activity from on-premises to the cloud. Cloud computing is the delivery of computing services over the Internet while computers on the Internet can communicate with many servers at the same time and some of them may be exchanging information with each other. Serverless Computing is built on the high degree of maturity of cloud computing and still use servers to compute [44].

The security challenges that Serverless Computing faces first come from the Cloud Layer. Cloud computing presents plenty of security issues and challenges. The security problems relate to the cloud model architecture, multi-tenancy, elasticity, and layer dependency stack [45]. In this section, we quantify the security problems in Cloud layer of Serverless Computing with the attack-defense tree method.

Attack scenario one: Attack Tree modeling and quantification

Attack Tree modeling

We model potential threats in serverless computing by using attack tree. We find three perspectives in cloud computing would have threats and there is a great deal of attack to be put into effect. The typical attack tree diagram is shown in Figs. 2 and 3 while we pick a few options with a high probability of attack. This figure categorizes attack types explicitly and indicates different aspects of our analysis. Attack of CSP side focus on the risks that may occur in CSP while their platform, infrastructure, application, or storage services might have some vulnerabilities. Attack of cloud user side produces the risks in cloud user while users do not secure their credentials and secrets properly. Other attacks are related to emergencies which are not caused by CSP or cloud users.

Cloud service provider side has different ways to attack. When serverless computing provides service in the cloud computing world, CSP side will not ensure its data security, integrity, and consistency. There are some vulnerabilities which allow malicious codes to attack a CSP [46]. Three cloud service models (SaaS, PaaS, and IaaS) used by CSPs store customers’ data in their data centers. All these data can be accessed by CSP, internal employees, and external hackers. CSP have full control over data that can be sold to obtain huge economic benefits. Internal employees may have permission to these data, know how to access data without authentication or develop an exploitable application programming interface. External hackers exploit vulnerabilities with a great deal of cybersecurity attack techniques, such as backdoor, session hijacking, network eavesdropping, and many more. Those threats in CSP side could cause data modification and destruction, data leakage and risky application programming interface. Data leakage over the cloud has become one of the greatest risks [47]. Many CSPs have reported that they lost a lot of customer interest, such as Alibaba Cloud, AWS, IBM, and many others. Application programming interface can be compromised and data can be stolen via this way. Some sensitive interfaces should be authorized and encrypted carefully.

Fig. 2
figure 2

ATree for cloud layer of serverless computing

Cloud user side is another compromised part in cloud computing. While users have complete control over their data to decide who has the permission to read or change data and which part of data is available, there are some requirements for cloud users. User access management is a big issue while leaving this operation to the users. Users often do not have very specialized security knowledge and operation knowledge about access management. Mostly, they are not aware of the importance of permission control while their credentials and secrets are obtained by abnormal user. Consequently, the data is compromised. External hackers obtain user credentials easily if users are not aware of security precautions. Bypassing authentication is more unconventional, but also common. Hackers use their tools to execute penetration testing. For example, SQL Injection is a code injection technique used to attack applications to spoof identity without authentication.

Figure 2 shows that some attacks come from natural factors outside of the cloud. Cloud computing services still store data and applications in cloud data centers. Each data center may contains tens of thousands of computers and other auxiliary facilities [48]. While data center faces supplier extensive outage, man-made sabotage and natural disaster, cloud service provider suffers very serious financial losses. These risks cause attacks to cloud layer such as environmental adverse impact, physical destruction, and network faults. The outage causes a large-scale downtime. Even, internal employees or externals could enter the data center and wreak havoc. Moreover, natural disasters such as earthquake and tornado are very common in the some parts of the world.

Quantification with Attack Tree

Now, we use a good metric to quantify the probabilities of risk with Attack Tree in the risks analysis. We find that there is Probability of success in attribute domain in Attack Tree. The success probability of attack equals to the probabilities of risk in our context because the success means the presence of the risk instead of the elimination of the risk. Therefore, we can draw Attack Tree with this attribute domain to quantify the risk.

In our quantitative analysis, we choose the relative risk matrix of attacks of our evaluation method. From Eq. (1), we have three factor and multiply them to get the final matrix value. We normalize these matrix values with standard normal distribution to get the standard value (Y) for each matrix value (X). We calculate the mean value and the standard deviation value of them. We decide the probability of each risk by the standard value and expert consensus. All values are showed in Table 6.

  • Mean: \(\mu = \frac{(12+12.42+11.25+13.5+12.96+3+4+6.75)}{8}= 9.48\)

  • Standard Deviation: \(\sigma =\sqrt{\frac{125.84}{8}}=\sqrt{15.73}=3.97\)

Table 6 Relative risk matrix value for Attack Tree of cloud layer of serverless computing

After getting the matrix value from relative risk matrix, we determine the probability of success of each node in the attack tree based on matrix value, security disclosure degree, professional advice and historical issues of those attacks. It is acceptable that the probability is affected by some subjective factors because risk analysis is conducted by an expert in corresponding area. In our analysis, multiple risk types are examined within the ATree model. Adopting a comparatively objective scoring system, the probabilities of these risks were investigated via search engines and professional databases like MITRE [49]. For instance, the risk category of Data modification & destruction received an evaluation score of 2 for Vulnerability Severity, 3 for Consequence Impact, and 2 for Exploitability. Therefore, the total score would be calculated as \(matrix\_value = 2\times 2\times 3 = 12\). All other risks listed in Table 6 are scored using the same criteria. These risk values are then normalized and the probability of each value is calculated through the CDF. We present the Attack Tree of the serverless cloud layer in Fig. 3 with attacking probabilities. Each node is an OR relationship, which means that a successful attack on any node is feasible. We see that the success probability of attack is 99.99\(\%\).

Fig. 3
figure 3

Probability in ATree for cloud layer of serverless computing

Attack scenario one: Attack-Defense Tree modeling and quantification

Attack-Defense Tree modeling

After using attack tree to point out some security risks in the Cloud layer of Serverless Computing, we also find some countermeasures to eliminate or mitigate these risks. Thus, we model an attack-defense tree for it as shown in Fig. 4. We give each attack a defense to prevent or mitigate it. More defenses can be given for an attack, but in order to simplify the quantitative model, we will only propose a most effective defense for demonstration.

While we give each attack a defense, we will describe each defense in detail.

Fig. 4
figure 4

ADTree for cloud layer of serverless computing

Regarding attacks at the cloud service provider side, data backup is a good countermeasure to cope with the exception when data is modified or destructed. CSP prepares an efficient backup solution and fast recovery when they find that their data go wrong. Many well-known CSPs have complete data backup plans. National Institute of Standards and Technology(NIST) suggests backup plans should be reviewed periodically (at least annually) [50]. In 2018, a Tencent Cloud user called “qian yan shu kong” found the file system metadata was corrupted due to firmware bugs in the disk. Based on its own assessment, the user filed a claim of up to RMB 11,016,000 (About 1.6 million US Dollar) against Tencent Cloud for the failure [51]. To provide consistent, stable and secure services, a cloud data backup plan is necessary and fundamental. Data leakage is a common threat while CSPs fail to secure access rights or compromise data transfer interface [50]. Data leakage might also happen in incomplete data deletion and isolation failure [52]. One effective countermeasure is that CSPs could restrict access to protect from data leakage. CSPs have services and applications which are developed quickly and iteratively expose to interface vulnerabilities. We propose adequate technical specification and testing to reduce and mitigate the possibility of occurrence in risky application programming interface.

In attack of cloud user side, user credentials and secrets are highly confidential. When user credentials and secrets are obtained by third party organizations, they will have access to everything the user owns. Multi-factor authentication mitigates the issue of the leakage of user credentials and secrets. This authentication method allows a granted user to access with two or more factors. It effectively dealt with the partial disclosure of confidential user information. Another attack is bypassing authentication. Bypassing authentication means an attack gains access to a service or application having the same permission as authenticated users. Continuous monitoring can get more context in the user authentication process and avoid being confused by some of the user’s persistent credentials. Continuous monitoring also combines perfectly with multi-factor authentication that allows context in each step of authentication is available.

For other attacks in cloud layer attack, we suggest having a stable environment to protect against the threat of environmental adverse impact. When suffering from physical destruction, first countermeasure is high availability for data centers. The second countermeasure is to strengthen access control for data center anti-damage quality and assurance personnel so that only trusted people can obtain access and take adequate follow-up measures. The last attack is network fault which can be caused by natural disaster, network hardware fault and Internet Service Provider’s fault. The most effective and efficient countermeasure for this attack is to have a completed and updated network backup plan.

Quantification with Attack-Defense Tree

We conduct a quantification with attack defense tree. Similar to the analysis of attack tree, we adopt the same attribute domain and relative risk mitigation matrix to quantify it. After assigning the factors’ value (mitigation degree, feasibility, implementation simplicity) based on our perspective and cognition, we get the mean value \(\mu\) and the standard deviation \(\sigma\). Table 7 shows the whole calculation process of each defense.

  • Mean:\(\mu = \frac{(24+18.75+18+9+18+27+36+24)}{8} = 21.84\)

  • Standard Deviation:\(\sigma =\sqrt{\frac{440.37}{8}}=\sqrt{55}=7.42\)

The score of RRMM factors in Table 7 is evaluated comprehensively through sources such as search engines and MITRE D3FEND Knowledge Graph [53]. After the computation of Table 7, we figure out the probability of each defense and assign each defense the probability value in ADTool to generate Fig. 5. When the success probability of each defense node is assigned, the success probability of their corresponding attack node will be reduced according to the corresponding computation. After applying our defense strategy, we can see that the final attack probability on cloud layer attack nodes has decreased from nearly 100% to 98% now. We observed an improvement by applying a single defense against each type of attack. If we apply more defensive techniques, then we will be able to achieve more protection. The quantification of cloud layer attack demonstrates effective protection with reasonable defensive countermeasures.

Table 7 Relative risk mitigation matrix value for attack defense tree of cloud layer of serverless computing
Fig. 5
figure 5

Probability in ADTree for cloud layer of serverless computing

Security quantification of container infrastructure layer

Container technology and container orchestration are popular concept in cloud computing. The prosperous of container ecosystem accelerated the development of container technology in the last decade. Docker is the most prevalent representative of container technology. As a lightweight alternative to virtual machines, container is small, fast, and low overhead to provide the resources that microservices needed [54]. However, container is more vulnerable than virtual machines. On the other hand, Kubernetes is the fastest-growing project and the most famous container orchestration framework which is mature in production in arranging containerized applications. As a rapidly evolving and iterative cloud native project, Kubernetes Infrastructure security has a high priority in community and industry. In container infrastructure layer of serverless computing, we analyze the security risks from container side and Kubernetes side while these two sides are the fundamental of FaaS. In attack scenario two, we construct attack tree and attack defense tree for container infrastructure layer of serverless computing. Notably, MITRE ATT&CK framework is a good knowledge base in cyber attacks which coverage for Windows and Linux [55]. Some attacks in our attack tree are highly referenced to this excellent framework and the article which modeled the threat matrix for Kubernetes in Microsoft Security [56].

Attack scenario two: Attack Tree modeling and quantification

Attack Tree modeling

We conduct the attack tree modeling of the container infrastructure layer to realize the potential threats. The attack tree contains two types of attacks. One is the attack of container side and another is the attack of Kubernetes side. The attack tree diagram is shown in Fig. 6.

In attack of container side, we propose five possible risks that we will discuss in detail. Secrets are exposed due to the lack of awareness of confidentiality. These secrets are compromised and need to be protected to avoid possible security breach. For example, secrets are written into Dockerfile without any encryption or obfuscation. We also find Docker Engine may add secrets to its log which is the description in CVE-2019-13509Footnote 8. A privileged container can be exploited to extract the secrets without the user noticing. In network communication, secured networking is required to protect sensitive messages. Containers use the shared operating system model. Attacks on vulnerabilities in the host operating system can result in attacks on all containers, and the containers themselves are not completely secure. Insecure networking may result in the current container being able to access private information in physical hosts and other containers. A badly configured container is a vulnerable node that is easily overlooked by container users and administrators [57]. Loopholes can occur in default profiles or inadvertently misconfigured profiles. The vulnerability CVE-2016-8867Footnote 9 describes misconfiguration can allow malicious images to bypass user permissions to access sensitive data in container file systems or mounted volumes. Other common examples are configuring a container to run with unnecessary privileges, giving it more privileges on the host than it really needs, or to run with exposing unnecessary ports. Build machine attack is an attack on the physical machine or virtual machine that builds the container images. In build machine, this is typically initiated by extracting the image from Docker Hub and launching the container on the host environment [58]. There are usually three types of images: images built by third parties, images built by attackers and vanilla imagesFootnote 10. The first two types of images can easily be planted with malicious behavior. Even in the vanilla images, attack is possible because vanilla images may have some vulnerabilities. During build process, a software used to run CI/CD or build container images may be attacked and malicious code is added to container which will run on production. Execution into container means there are executions from an unexpected third party in the container. For example, the container’s host is leaked in Internet and someone execute malicious code in this container.

In another (Kubernetes) side, we select some typical attacks to demonstrate the attack of Kubernetes. API attack refers to the attack of all interfaces from Kubernetes API server (The default implementation of a Kubernetes API server is kube-apiserver) used to control Pods, Services, Replication Controllers, and other components. These REST APIs may have some risky vulnerabilities. For example, third party gain the access to Kubelet, to instance, and to API server if there are some vulnerabilities. Attackers may try to sniff the cluster network to gain information on the running services. CVE-2020-8554Footnote 11 is a potential API attack vulnerability that can intercept traffic to malicious IP addresses and obtain sensitive data from related interfaces. Some techniques get access to Kubernetes cluster such as using a compromised cloud credential or a malicious software preinstalled in cluster machines. Execution pod is that attacks run their code inside Kubernetes pods. There are three tactics to be able to successfully execute code within Pods. Executing into container by using “kubectl exec” which get the shell in a running container. Creating new pods that execute the attacker’s malicious code. Got a remote code execution vulnerability in application by attacker. The last attack is deleting Kubernetes data, it can be implemented in a number of ways. One way is to delete data via compromised API. Another way is to clean up the storage with respect to Kubernetes data.

Quantification with Attack Tree

Similar to scenario One, we choose the probability of success attribute domain in ATree to indicate the probabilities of risk. The matrix value and standard value in the Table 8, are calculated in the same way as the evaluation in the Cloud layer. We draw the ATree of Container Infrastructure Layer of Serverless Computing to show attacks in a tree structure and attacks in different child nodes, including the tree with probability computation result. We calculate the mean value and the standard deviation value of these attacks in Table 8.

  • Mean: \(\mu = \frac{(12+8.8+6+12+6+12+12+9+8)}{9} = 9.53\)

  • Standard Deviation: \(\sigma =\sqrt{\frac{52.48}{9}}=\sqrt{5.83}=2.41\)

When we get the standard values from relative risk matrix, we decide the probabilities of success. These probabilities are influenced by subjective views, but give a general idea of how threatening certain attacks are. Figure 7 presents the final probability of ATree of Container Infrastructure Layer. We notice the attacks of container and Kubernetes are both 99% which indicate these two components are weak to resist from attack.

Fig. 6
figure 6

ATree for containter infrastructure layer of serverless computing

Table 8 Relative risk matrix value for Attack Tree of container infrastructure layer of serverless computing
Fig. 7
figure 7

Probability in ATree for container infrastructure layer of serverless computing

Attack scenario two: Attack-Defense Tree modeling and quantification

Attack-Defense Tree modeling

We have already conducted attack tree modeling in former part. Accordingly, we have many strategies to deal with these attacks. We model an attack defense tree to show our quantification result in Fig. 8. We choose the Probability of success attribute domain and obtain these probabilities with relative risk mitigation matrix. The standard value of each countermeasure is in Table 9. We can offer more defenses against these attacks while we matched only one defense for each attack to simplify our analysis.

In attack of container side, exposed secrets often happens in our work scenarios. Rotating secrets is an effective countermeasure to mitigate the risk of exposed secrets. Rotating means periodically generating a new secret and expiring the old secret which sounds like changing a password. The longer secret is kept, the more likely it is to leak. Rotating secrets allows container to use the latest Secret on a regular basis, making it harder for someone to crack the old secret. Encrypting traffic on insecure networks is a good idea. For example, Transport Layer Security is a cryptographic protocol to secure information over the network. TLS is widely used in HTTPS, having provable security and tightness. In modern cryptography [59]. A badly configured container usually occurs when the user manually configures the container or the system automatically configures the container. An automated monitor is a good way to find possible errors with well-configured rules. Azure Defender [60] is a good monitoring product for monitoring container anomalies. Build machine attack is usually run because the host is being attacked or the container is being exploited by an unauthorized third party. Use trusted image and trusted registry server to get rid of build machine attack. Execution into a container often occurs when an administrator does not close the container’s extranet access port found by some port scanning tool. We can turn off external access by default and use these scanning tools to test our own systems.

Fig. 8
figure 8

ADTree for container infrastructure layer of serverless computing

In attack of Kubernetes side, API attack are the easiest and most common. The third party usually has complete control over the API resources and can inject any load to attack the resource processing (for example, fetching arbitrary Java code or system command execution). Disable anonymous access is the simplest and most effective way to avoid external API attacks. The attack of accessing to cluster can also be alleviated by the above method. Execution pod is similar to execution into a container, we need to enable network policies to mitigate it. Network policy has no effect on cluster using flannel network plugin but has effect on cluster using calico. In the case of deleting Kubernetes data, data backup is a reasonable and effective approach, and a fast recovery scheme is also required.

Quantification with attack defense tree

We continued to quantify our countermeasures with the ADTree. Similar to the analysis of attack tree, we adopt the same attribute domain (probability of success) and relative risk mitigation matrix to quantify it. First, we assign the mitigation degree value, feasibility value and implementation simplicity value. The mean value \(\mu\) is 16.88 and the standard deviation \(\sigma\) is 3.66 after computation of normal distribution. Table 9 shows the whole calculation process of each defense giving the final standard value and probability.

  • Mean: \(\mu = \frac{(18+12+18+15+18+18+12+24)}{8} = 16.87\)

  • Standard Deviation: \(\sigma =\sqrt{\frac{106.88}{8}}=\sqrt{13.36}=3.65\)

The matrix value and standard value in the Table 9, are calculated in the same way as the evaluation in the Cloud layer. We figure out the probability of each defense and assign each defense the probability value in ADTool to generate Fig. 9. When the success probability of each defense node is assigned, the success probability of their corresponding attack node will be reduced according to the corresponding computation. After applying our defense strategy, we can see that the final attack probability on cloud layer attack nodes has decreased from nearly 100% to 97% now. Although the increase in defensive probability is not significant, we only applied a few defensive measures. If we could apply more measures, the outcome would be improved. The quantification of cloud layer attack demonstrates the effective protection with reasonable defensive countermeasures.

Table 9 Relative risk mitigation matrix value for attack defense tree of container infrastructure layer of serverless computing
Fig. 9
figure 9

Probability in ADTree for container infrastructure layer of serverless computing

Security quantification of serverless layer

After the analysis of cloud layer and container infrastructure layer of serverless computing, the perspective moves to the serverless layer which is the layer where serverless framework such as OpenFaaS, Kubeless, Fission, or any other is aligned/integrated [7] with the serverless computing stack. As stated earlier, serverless computing framework provides an easy interface for developers to use [44]. A serverless framework handles the programmer’s program logic and provides services that are invoked in real time. The benefit of serverless computing is low operational problems and efficient resource management and utilization. As a cloud computing execution model, serverless simplify management responsibility for backend cloud infrastructure and operational tasks. From the point of view of security, serverless framework has its own security risks. With the use of serverless computing in various cloud service companies/providers and various products, the security of serverless framework has attracted more and more attention. In this section, we will take OpenFaaS as an example to quantify the possible risks in serverless layer of serverless computing.

Attack scenario three: Attack Tree modeling and quantification

Attack Tree modeling

Security issues primarily exist in four components of the OpenFaaS, such as, in OpenFaaS gateway, NATS streaming, OpenFaaS provider, and Watchdog. Accordingly, we show the attack tree diagram in Fig. 10.

OpenFaaS gateway handles all REST API from client user side, acting as a reverse proxy. We use two attacks to quantify gateway. One attack is penetration testing. Penetration testing is a broad type of network attack that can be used to check gateway for exploitable vulnerabilities. There are several automation software tools for different targets. A basic purpose of these tools is to gather information about the environment to understand how the system is built. For example, NAMP and Metasploit are often used as a basic penetration tool with effective results [61, 62]. Another attack is stealing registered functions and containers. If the stored information is obtained by an attacker, the attacker can determine which web services and containers may have vulnerabilities based on the information publicly available on the Web and their relevant experience.

There are some potential attacks in NATS streaming. NATS is a connective technology that powers modern distributed systems [63]. NATS streaming is a modern messaging system similar to Kafka and RabbitMQ [64]. OpenFaaS use NATS streaming to support high-availability and persistence in asynchronous invocations for functions and containers. NATS streaming is a very small infrastructure compared to Kafka or RabbitMQ while they all have similar security issues in cloud native computing [65,66,67]. Message hijacking and malicious execution are two common attacks in NATS streaming. Attacker uses packet sniffing to read network traffic between two parties to steal messages from NATS streaming. By using local binary hijacking and getting escalated privilege on a target machine, attackers can execute arbitrary malicious code. OpenFaaS provider would have security risks.

OpenFaaS provider support combing the existing OpenFaaS ecosystem and tooling with third party projects. These third party projects have not undergone a rigorous security review and, like other open source projects, have a high probability of security risks. We believe that there are two parts of attack in provider: malicious execution and attack on provider side. Malicious execution is worked by using replay attacks and man-in-the-middle attacks. Both trusted and untrusted providers are vulnerable to a variety of attacks.

Watchdog attack is a notable attack in OpenFaaS. The OpenFaaS watchdog is responsible for starting and monitoring functions in OpenFaaS. Any binary can become a function through the use of watchdog. There are two kinds of watchdog: classic watchdog and of-watchdog. Watchdog have similar security issues to gateway. Insecure networking can cause watchdog traffic to be hijacked and tampered with.

Quantification with Attack Tree

We choose the probability of success attribute domain in ATree to quantify the risks in Serverless layer. The matrix value and standard value in the Table 10, are calculated in the same way as the evaluation in the Cloud layer. Then we show the probability of success in Fig. 11.

  • Mean: \(\mu = \frac{(18+12+6+12+18+8)}{6} = 12.33\)

  • Standard Deviation: \(\sigma =\sqrt{\frac{123.33}{6}}=\sqrt{20.55}=4.53\)

The decision of these probabilities is interfered by certain subjective factors.

Fig. 10
figure 10

ATree for serverless layer of serverless computing

Table 10 Relative risk matrix value for Attack Tree of serverless layer of serverless computing

Different people have different judgment on the weight of various influencing factors and conditions, but it generally reflects the objective situation.

Fig. 11
figure 11

Probability in ATree for serverless layer of serverless computing

Attack scenario three: Attack-Defense Tree modeling and quantification

Attack-Defense Tree modeling

As analyzed in the earlier sections, we take into account a handful set of strategies to deal with the attacks. Accordingly, we model an attack defense tree to show our analysis in Fig. 12.

We also describe and explain the demonstration of defense against each attack in detail.

We may encounter penetration testing attacks under OpenFaaS Gateway attack. Penetration testing attacks usually revolve around known vulnerabilities. In general, keeping our application and service environments in a non-root state is an effective way to prevent detection of most vulnerabilities. Many penetration tools and scripts also require root permission to utilize. Through the limitation of permissions, the attacker needs to carry out additional operations for privilege escalation, which brings much more complexity to them. Registered functions and containers are usually stored in databases which allow an attacker to attack and get the corresponding data after cracking. This prevents an attacker from directly guessing production information about an OpenFaaS system through plaintext.

NATS streaming attack can be considered from network transmission and application program interface vulnerability. Message hijacking in network transport and hook API in underlying network library could be implemented in this part. Encryption is a good strategy. By turning the plaintext of the data stream into ciphertext, we often keep and hide our private keys from being discovered. An attacker could also interface malicious execution code to NATS streaming, overloading the data streaming system, or bogged the OpenFaaS system into function execution indefinitely. We need to use session tokens to control interface traffic and prevent malicious traffic.

OpenFaaS provider attack faces similar issues with NATS Streaming. Open interfaces can lead to malicious code execution. We use the same strategy: session tokens. Another kind of attack comes from provider. Provider is some services or plugins from third-party. If this part of code is maliciously used for mining cryptocurrency or embedding trojan, it will lead to serious consequences. We need to choose a trusted and certified public provider or a private self-built service to ensure that the code does not pose a security risk.

Watchdog, as the initialization process of OpenFaaS function and container, and has open API, is also vulnerable to network attacks. We use the policy of encrypting the network traffic of the interface to deal with it. Although the performance of API will be slower, this kind of the cost is worth it.

Quantification with Attack-Defense Tree

We choose the probability of success attribute domain in ATree to quantify the risks in Serverless layer. The matrix value and standard value in the Table 11, are calculated in the same way as the evaluation in the Cloud layer. We obtain mean value and standard deviation value of attacks in Table 11 and show the probability of success in Fig. 13.

  • Mean: \(\mu = \frac{(36+18+18+12+18)}{6} = 20.4\)

  • Standard Deviation: \(\sigma =\sqrt{\frac{331.2}{5}}=\sqrt{66.24}=8.13\)

As in the previous section, we continue to calculate the change in the success probability of attacks if defensive measures are adopted. The probability of successful attacks in serverless layer has been reduced from 99% to 95%. The probability of success of each attack node decreases with the adoption of corresponding defense measures. We use ADTool to draw the final probability Fig. 13 of the serverless layer, and the quantification of the serverless layer also proves the effectiveness of our measure. It is believed that with the increasing number of defense measures, the probability of attacking nodes will be further reduced to a tiptop safe point.

Fig. 12
figure 12

ADTree for serverless layer of serverless computing

Table 11 Relative risk mitigation matrix value for attack defense tree of serverless layer of serverless computing
Fig. 13
figure 13

Probability in ATree for serverless layer of serverless computing

Security quantification of access layer

Access layer offers users the ability to access serverless computing services via a variety of intelligent network devices. Today people have the access to the Internet from anywhere at any time [68]. With the rapid development of the network and the diversification of devices, rich access devices such as smart TV, fixed workstations, personal computers, tablets and smartphones can easily interact with the Internet. Service providers and users of serverless computing can communicate at any time through simple web interaction and API calls. Therefore, any device in the access layer can easily access the products and services of serverless computing. However, there are potential security risks with any device. For example, a user’s device is vulnerable to all kinds of attacks that make them vulnerable and insecure. The user’s device may leak privacy due to theft, or it may be easy to access sensitive information on the device because the device does not have a strong password or more advanced identification methods such as fingerprint recognition and face recognition. The access layer differs from the previous layers in that it is not an asset on the cloud, but rather an asset on the user side. Device management in this layer is often determined by the user, not by the cloud provider. The security of the access layer depends on the security awareness and means of users. We need to ensure the security of the network environment and the installation of application software. Although we have a general way to build some attack scenarios and countermeasures, we will not conduct in-depth modeling of this layer and analyze related security risks and defense measures in consideration of the complexity of the device and the importance that users attach to this layer.

Attack scenario four

We simply build the ATree (Fig. 14) and ADTree (Fig. 15) of access layer. We list several risks that are within our knowledge. The ATree shows there are six risks in the access layer of serverless computing: unauthorized devices; stolen devices; remote control; malware; network interception; phishing, vishing and smishing. The ADTree includes six countermeasures to mitigate these attacks.

Fig. 14
figure 14

ATree for access layer of serverless computing

Fig. 15
figure 15

ADTree for access layer of serverless computing

These attacks are not completely independent, and they may have overlapping parts with each other. Again, these precautions are just examples, and it is best to use multiple measures in practice to mitigate the risk of a particular attack. For most users, we recommend keeping the device physically secure and the device software secure.

Towards a securer serverless computing

We take serverless computing system architecture as an abstract model and divide it into four layers. We make a discussion about these layers and get security quantification results. We summarized the results of probability in the aforementioned tables of both attack trees and attack-defense trees in Table 12. However, we mainly focus on the first three layers, to represent the risk probability of the entire serverless computing system. The access layer which is the last layer is in brief discussion while we have few experiences and confront the complexity of access devices.

Table 12 Quantification results of each layer

As observed in the table, we can find a reduction in risk probability with the defensive countermeasures. The highest risk reduction is in the serverless layer, and the remaining two layers have almost the same degree of decline. The comparison between attack tree probability and attack defense tree probability also show that quantization method proposed by us is effective.

Based on the calculated risk probability of each layer, we can figure out the overall risk probability of serverless computing. An attacker has a \(98\%\) success rate to attack the cloud layer which includes cloud computing technology. Then the attack to the container infrastructure layer has the probability of success \(97\%\). The probability of an attack on the serverless layer is \(95\%\). A breach of any of these layers is equivalent to a breach of the system as a whole. We record the probability of defense as G(x) and the probability of attack as H(x). The following two equations give the probability of avoiding an attack and the probability of being attacked.

$$G(x)=\left(1-0.98\right)\times\left(1-0.97\right)\times\left(1-0.95\right)=0.00003=0.03\%$$
(3)
$$\begin{aligned} H(x)=1-G(x) = 0.9997 = 99.97\%, \end{aligned}$$
(4)

Equation (3) figures out the defense probability of the serverless computing which is \(99.97\%\) and the attack probability is \(99.97\%\). Based on these results, we believe the system is still far from secure. Improving the security of serverless computing is an aspect worthy of attention and investment. More precise and detailed quantitative methods and reasoning strategies are also worth considering. Based on our analysis, we strongly recommend that related practitioners pay more attention to serverless computing security to build a securer serverless computing system.

Conclusion and future works

Conclusion

In this paper, we present a new measure of quantitative analysis in order to objectively quantify the analysis of serverless computing systems. The quantification measure of relative risk matrix, relative risk mitigation matrix, and probability of success directly shows the risk probability of each layer in serverless computing. After the introduction of serverless computing, cloud computing, container technology, and container choreography technology, we have a certain understanding and knowledge reserve of the technical foundation, principles and ecology of serverless computing. We take OpenFaaS as an example to analyze its threats and risks. Next, we applied Attack Tree and Attack-Defense Tree methods, constructed multiple scenarios and Attack Trees and Attack-Defense Trees, and then used the attribute field of success rate to observe the probability of each risk. We demonstrate that the Attack-Defense Tree approach is very effective and intuitive in quantitative analysis of serverless computing, allowing analysts to easily and quickly discover threats, vulnerabilities, risks, and defensive countermeasures. We calculate the probability of success of each risk and the probability of success of the risk after applying a series of countermeasures to mitigate or eliminate it and use the relative risk matrix and the relative risk mitigation matrix respectively to figure out probabilities. The technique of relative risk matrix and relative risk mitigation matrix synthesize top relevant factors and make the calculated probability more scientific. After appending these probabilities to risks of Attack Trees and Attack-Defense Trees, we also intuitively and vividly observe the changes of risk probability and risk probability reduction in each risk and the overall risk. We have discussed the results of the security quantification analysis. Based on these results, we also propose some suggestions on how to improve the security of serverless computing systems. We also appeal to enterprises and communities to pay more attention to the security of serverless computing to protect all stakeholders and mitigate losses when risks occur.

Future works

We summarize this paper and make a quantitative quantification security evaluation of our proposed quantitative measures. However, we have not evaluated and validated the quantitative accuracy of this measurement. Therefore, we have a series of plans for future expansions, as follows:

  • We have shown that our method is reasonable and has great practical value in the security part of serverless computing. It’s more convinced if we compare our method with other quantitative methods in the security field and analyze the results of the comparison. In addition, our method can also be applied to other software and system security analysis. Besides, some other attribute domains can be discussed.

  • Serverless computing is built on top of the latest cloud native technologies, but security concerns of serverless computing are not fully considered. In this paper, after a rigorous analysis of these potential risks, it may be possible to design a serverless computing system specifically aimed at security to protect the interests of enterprises and users.

  • Although we have proposed corresponding defense measures for each risk in the system in quantitative analysis, the risk probability is still more than 50%. Therefore, in the future we can try more advanced defense measures and technologies to reduce the probability of risk. We also plan to use Fault Tree to quantify vulnerabilities and Reliability Block Diagram to quantify the safety of serverless computing.

  • In this paper, we use Attack Tree to perform security quantification while lacking the empirical evaluation and verification. In the future, we will conduct empirical evaluation and verification for each attack and corresponding defense countermeasure. We would perform comprehensive penetration testing to evaluate and validate our analysis that is more convincingly judge the security of serverless computing systems. It can also help us discover vulnerabilities and threats that we did not consider before, guide us to take a more comprehensive countermeasure, and demonstrate the adaptability and robustness of our security quantification method.

  • In this paper, we work analysing success probability of attack. In future, our plan is to derive minimum cost of attack and minimum cost of defense while mitigating all the attacks/risks. To this, we also plan to perform a comparative analysis between our future study related to cost analysis (as stated) and the study of cost analysis by Meng et al. [36] toward finding a comparable and better viable strategy.

Availability of data and materials

Not applicable.

Notes

  1. Threat Model https://owasp.org/www-community/Threat_Modeling

  2. RiskTree https://risktree.2t-security.co.uk/

  3. ADTool https://github.com/tahti/ADTool2, https://satoss.uni.lu/members/piotr/adtool/

  4. Prometheus https://prometheus.io/

  5. Grafana Dashboard https://grafana.com/grafana/dashboards/

  6. https://prometheus.io/docs/alerting/latest/alertmanager/

  7. kind (A tool to run local Kubernetes using Docker container.) https://kind.sigs.k8s.io/

  8. CVE-2019-13509 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13509

  9. CVE-2016-8867 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8867

  10. Vanilla Docker environment https://github.com/vanilla/vanilla-docker

  11. CVE-2020-8554 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8554

Abbreviations

ATree:

Attack Tree

ADTree:

Attack-Defense Tree

API:

Application Programming Interface

AWS:

Amazon Web Service

GCP:

Google Cloud Platform

CSP:

Cloud Service Provider

CI/CD:

Continuous Integration/Continuous Deployment

CLI:

Command Line Interface

FaaS:

Function as a Service

IaaS:

Infrastructure as a Service

K8s:

Kubernetes

OS:

Operating System

PaaS:

Platform as a Service

RRM:

Relative Risk Matrix

RRMM:

Relative Risk Mitigation Matrix

SaaS:

Software as a Service

TLS:

Transport Layer Security

VM:

Virtual Machine

CDF:

Cumulative Distribution Function

References

  1. Wen J, Chen Z, Liu Y, Lou Y, Ma Y, Huang G, Jin X, Liu X (2021) An empirical study on challenges of application development in serverless computing. In: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, Athens, pp 416–428

  2. Hassan HB, Barakat SA, Sarhan QI (2021) Survey on serverless computing. J Cloud Comput 10(1):1–29

    Article  Google Scholar 

  3. Hellerstein JM, Faleiro JM, Gonzalez J, Schleier-Smith J, Sreekanti V, Tumanov A, Wu C (2019) Serverless computing: One step forward, two steps back. In: 9th Biennial Conference on Innovative Data Systems Research, CIDR 2019, Asilomar, CA, USA, January 13-16, 2019, Online Proceedings. http://cidrdb.org/cidr2019/papers/p119-hellerstein-cidr19.pdf

  4. Baldini I, Castro P, Chang K, Cheng P, Fink S, Ishakian V, Mitchell N, Muthusamy V, Rabbah R, Slominski A, et al (2017) Serverless computing: Current trends and open problems. In: Research advances in cloud computing, Springer, pp 1–20

  5. Ifrah S (2019) Deploy a containerized application with amazon eks. In: Deploy Containers on AWS, Springer, pp 135–173

  6. Krishnan S, Gonzalez JLU (2015) Building your next big thing with google cloud platform: A guide for developers and enterprise architects. Springer

  7. Mohanty SK, Premsankar G, di Francesco M (2018) An evaluation of open source serverless computing frameworks. In: 2018 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), pp 115–120. https://doi.org/10.1109/CloudCom2018.2018.00033

  8. (2021) Alex ellis (2019) the power of interfaces in openfaas. https://blog.alexellis.io/the-power-of-interfaces-openfaas/. Accessed 15 Nov 2021

  9. Kaewkasi C (2018) Docker for Serverless Applications: Containerize and orchestrate functions using OpenFaas, OpenWhisk, and Fn. Packt Publishing Ltd

  10. Kaviani N, Kalinin D, Maximilien M (2019) Towards serverless as commodity: a case of knative. In: Proceedings of the 5th International Workshop on Serverless Computing, UC Davis, pp 13–18

  11. Ali M, Khan SU, Vasilakos AV (2015) Security in cloud computing: Opportunities and challenges. Inf Sci 305:357–383. https://doi.org/10.1016/j.ins.2015.01.025

    Article  MathSciNet  Google Scholar 

  12. Mondal SK, Pan R, Kabir H, Tian T, Dai HN (2022) Kubernetes in it administration and serverless computing: An empirical study and research challenges. J Supercomput 78(2):2937–2987

    Article  Google Scholar 

  13. Garvey PR, Lansdowne ZF (1998) Risk matrix: an approach for identifying, assessing, and ranking program risks. Air Force J Logist 22(1):18–21

    Google Scholar 

  14. Khan FI, Amyotte PR, Amin MT (2020) Advanced methods of risk assessment and management: An overview. Methods Chem Process Saf 4:1–34

    Article  Google Scholar 

  15. Anthony (Tony) Cox Jr L (2008) What’s wrong with risk matrices? Risk Anal Int J 28(2):497–512

  16. Mauw S, Oostdijk M (2006) Foundations of attack trees. In: Information Security and Cryptology - ICISC 2005, Berlin, Heidelberg, vol 3935, pp 186–198. https://doi.org/10.1007/11734727_17

  17. Kordy B, Mauw S, Radomirović S, Schweitzer P (2011) Foundations of attack-defense trees. Formal Aspects of Security and Trust. Springer, Berlin, Heidelberg, pp 80–95

    Chapter  Google Scholar 

  18. Kordy B, Mauw S, Radomirović S, Schweitzer P (2012) Attack–defense trees1. J Log Comput 24(1):55–87. https://doi.org/10.1093/logcom/exs029

    Article  Google Scholar 

  19. Ingoldsby TR (2010) Attack tree-based threat risk analysis. Amenaza Technologies Limited, pp 3–9

  20. Hansen RR, Larsen KG, Legay A, Jensen PG, Poulsen DB (2021) Adtlang: a programming language approach to attack defense trees. Int J Softw Tools Technol Transfer 23:89–104

    Article  Google Scholar 

  21. Broccia G, ter Beek MH, Lluch Lafuente A, Spoletini P, Ferrari A (2024) Assessing the understandability and acceptance of attack-defense trees for modelling security requirements. In: International Working Conference on Requirements Engineering: Foundation for Software Quality, Springer, pp 39–56

  22. (2021) Ent-attack tree modeling tool. https://github.com/jimmythompson/ent. Accessed 15 Oct 2021

  23. Meland PH, Spampinato DG, Hagen E, Baadshaug ET, Krister KM, Velle KS (2008) Seamonster: Providing tool support for security modeling. Norsk informasjonssikkerhetskonferanse, NISK

    Google Scholar 

  24. Kordy P, Schweitzer P (2012) The adtool manual. University of Luxembourg

  25. Kordy B, Kordy P, Mauw S, Schweitzer P (2013) Adtool: security analysis with attack-defense trees. International conference on quantitative evaluation of systems. Springer, Berlin, Heidelberg, pp 173–176

    Chapter  Google Scholar 

  26. Byres EJ, Franz M, Miller D (2004) The use of attack trees in assessing vulnerabilities in scada systems. In: Proceedings of the international infrastructure survivability workshop, Citeseer, Lisbon, pp 3–10

  27. Saini V, Duan Q, Paruchuri V (2008) Threat modeling using attack trees. J Comput Sci Coll 23(4):124–131

    Google Scholar 

  28. Pardue H, Yasinsac A, Landry J (2010) Towards internet voting security: A threat tree for risk assessment. 2010 Fifth International Conference on Risks and Security of Internet and Systems (CRiSIS). IEEE, Montreal, pp 1–7

    Google Scholar 

  29. Kordy B, Pouly M, Schweitzer P (2014) A probabilistic framework for security scenarios with dependent actions. In: Integrated Formal Methods: 11th International Conference, IFM 2014, Bertinoro, Italy, September 9-11, 2014, Proceedings 11, Springer, pp 256–271

  30. Fraile M, Ford M, Gadyatskaya O, Kumar R, Stoelinga M, Trujillo-Rasua R (2016) Using attack-defense trees to analyze threats and countermeasures in an atm: a case study. The Practice of Enterprise Modeling. Springer, Skövde, pp 326–334

    Chapter  Google Scholar 

  31. Tanimoto S, Hiramoto M, Iwashita M, Sato H, Kanai A (2011) Risk management on the security problem in cloud computing. 2011 First ACIS/JNU International Conference on Computers. Networks, Systems and Industrial Engineering, IEEE, Jeju, pp 147–152

    Google Scholar 

  32. Tanimoto S, Sato R, Kato K, Iwashita M, Seki Y, Sato H, Kanai A (2014) A study of risk assessment quantification in cloud computing. 2014 17th International Conference on Network-Based Information Systems. IEEE, Salerno, pp 426–431

    Chapter  Google Scholar 

  33. Li J, Wu Y, Li Y, Zhang Z, Fouad H, Altameem T (2023) A network security prediction method based on attack defense tree. J Nanoelectron Optoelectron 18(3):357–366

    Article  Google Scholar 

  34. Wang S, Ding L, Sui H, Gu Z (2021) Cybersecurity risk assessment method of ics based on attack-defense tree model. J Intell Fuzzy Syst 40(6):10475–10488

    Article  Google Scholar 

  35. Bryans J, Liew LS, Nguyen HN, Sabaliauskaite G, Shaikh SA (2023) Formal template-based generation of attack–defence trees for automated security analysis. Information 14(9). https://doi.org/10.3390/info14090481

  36. Meng B, Viswanathan A, Paul S, Smith W, Moitra A, Siu K, Durling M (2024) Attack–defense tree-based analysis and optimal defense synthesis for system design. Innovations in Systems and Software Engineering 1–17. https://link.springer.com/article/10.1007/s11334-024-00556-3#citeas

  37. Bjørner N, Phan AD, Fleckenstein L (2015) \(\nu\)z - an optimizing smt solver. In: Baier C, Tinelli C (eds) Tools and Algorithms for the Construction and Analysis of Systems. Springer, Berlin Heidelberg, Berlin, Heidelberg, pp 194–199

  38. Sabharwal N, Pandey P (2020) Getting started with prometheus and alert manager. In: Monitoring Microservices and Containerized Applications, Springer, pp 43–83

  39. Turnbull J (2018) Monitoring with Prometheus. Turnbull Press

  40. Brazil B (2018) Prometheus: Up & Running: Infrastructure and Application Performance Monitoring, 1st edn. O’Reilly Media, Inc

  41. Labs G (2022) Grafana dashboard. https://grafana.com/grafana/dashboards/. Accessed 24 June 2022

  42. Aron A, Aron EN (1999) Statistics for psychology. Prentice-Hall, Inc

  43. Hayes B (2008) Cloud computing. Commun ACM 51(7):9–11. https://doi.org/10.1145/1364782.1364786

    Article  Google Scholar 

  44. Jonas E, Schleier-Smith J, Sreekanti V, Tsai C, Khandelwal A, Pu Q, Shankar V, Carreira J, Krauth K, Yadwadkar NJ, Gonzalez JE, Popa RA, Stoica I, Patterson DA (2019) Cloud programming simplified: A berkeley view on serverless computing. CoRR. arXiv:1902.03383

  45. Almorsy M, Grundy J, Mueller I (2010) An analysis of the cloud computing security problem. In: APSEC 2010 Cloud Workshop, Sydney, pp 1–6

  46. Chou TS (2013) Security threats on cloud computing vulnerabilities. Int J Comput Sci Inf Technol 5(3):79

    Google Scholar 

  47. Almond C (2009) A practical guide to cloud computing security. A white paper from Accenture and Microsoft, pp 3–9

  48. Al-Fares M, Loukissas A, Vahdat A (2008) A scalable, commodity data center network architecture. ACM SIGCOMM Comput Commun Rev 38(4):63–74

    Article  Google Scholar 

  49. (2024) Mitre cve database. https://cve.mitre.org. Accessed 26 May 2024

  50. Sen J (2015) Security and privacy issues in cloud computing. In: Cloud technology: concepts, methodologies, tools, and applications, IGI global, pp 1585–1630

  51. (2022) Tencent cloud says ‘improper operations’ led to data loss for client as it seeks to implement improvements. https://www.scmp.com/tech/article/2158785/tencent-cloud-says-improper-operations-led-data-loss-client-it-seeks-implement. Accessed 31 Jan 2022

  52. Priebe C, Muthukumaran D, O’ Keeffe D, Eyers D, Shand B, Kapitza R, Pietzuch P (2014) Cloudsafetynet: Detecting data leakage between cloud tenants. In: Proceedings of the 6th Edition of the ACM Workshop on Cloud Computing Security, Association for Computing Machinery, Scottsdale, Arizona, USA, CCSW ’14, p 117–128. https://doi.org/10.1145/2664168.2664174

  53. (2024) Mitre d3fend knwoledge graph. https://cve.mitre.org. Accessed 26 May 2024

  54. Sultan S, Ahmad I, Dimitriou T (2019) Container security: issues, challenges, and the road ahead. IEEE Access 7:52976–52996

    Article  Google Scholar 

  55. Strom BE, Applebaum A, Miller DP, Nickels KC, Pennington AG, Thomas CB (2018) Mitre att &ck: design and philosophy. Tech. rep

  56. (2022) Secure containerized environments with updated threat matrix for kubernetes. https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/. Accessed 1 Feb 2022

  57. Merkel D et al (2014) (2014) Docker: lightweight linux containers for consistent development and deployment. Linux J 239:2

    Google Scholar 

  58. Tomar A, Jeena D, Mishra P, Bisht R (2020) Docker security: A threat model, attack taxonomy and real-time attack scenario of dos. 2020 10th International Conference on Cloud Computing, Data Science & Engineering (Confluence). IEEE, Noida, pp 150–155

    Chapter  Google Scholar 

  59. Diemert D, Jager T (2021) On the tight security of tls 1.3: Theoretically sound cryptographic parameters for real-world deployments. J Cryptol 34(3):1–57

  60. Copeland M (2021) Azure sentinel overview. In: Cloud Defense Strategies with Azure Sentinel, Springer, pp 3–38

  61. Holik F, Horalek J, Marik O, Neradova S, Zitta S (2014) Effective penetration testing with metasploit framework and methodologies. 2014 IEEE 15th International Symposium on Computational Intelligence and Informatics (CINTI). IEEE, Budapest, pp 237–242

    Google Scholar 

  62. Kennedy D, O’gorman J, Kearns D, Aharoni M (2011) Metasploit: the penetration tester’s guide. No Starch Press

  63. (2022) Nats introduction. https://docs.nats.io/, Accessed 1 Feb 2022

  64. T S, K SN (2019) A study on modern messaging systems- kafka, rabbitmq and NATS streaming. CoRR. arXiv:1912.03715

  65. Kwon S, Son S, Choi Y, Lee JH (2020) Protocol fuzzing to find security vulnerabilities of rabbitmq. Concurr Comput Pract Experience 33. https://doi.org/10.1002/cpe.6012

  66. McAteer IN, Malik MI, Baig Z, Hannay P (2017) Security vulnerabilities and cyber threat analysis of the AMQP protocol for the internet of things. In: Valli C (Ed). The Proceedings of 15th Australian Information Security Management Conference, 5–6 December 2017, Edith Cowan University, Perth, pp 70–80

  67. Leang B, Ean S, Ryu G, Yoo KH (2019) Improvement of Kafka streaming using partition and multi-threading in big data environment. Sensors 19(1):134

    Article  Google Scholar 

  68. Jalal A, Zeb MA (2008) Security enhancement for e-learning portal. Int J Comput Sci Netw Secur 8(3):41–45

Download references

Acknowledgements

Authors gratefully acknowledge the funding sources. The authors also would like to thank the anonymous reviewers for their quality reviews and suggestions.

Funding

This work was supported in part by The Science and Technology Development Fund of Macao, Macao SAR, China under grant 0033/2022/ITP and in part by The Faculty Research Grant Projects of Macau University of Science and Technology, Macao SAR, China under grant FRG-22-020-FI.

Author information

Authors and Affiliations

Authors

Contributions

All the authors have contributed significantly including problem formulation, methodology, validation, and so on. Also, all the authors have worked on writing, review-editing, and proofreading. Notably, the first two authors have equal and greater contributions than the rest. In particular, Kan Ni has contributed by problem formulation, proposed methodology, validation, and so on. Also, he has worked on writing, review-editing, and proofreading. Subrota Kumar Mondal has contributed by initial idea, problem formulation, proposed methodology, validation, and so on. Also, he has worked on writing, review-editing, and proofreading. H M Dipu Kabir has contributed by problem formulation, writing, review-editing, and proofreading. Tian Tan has contributed by problem formulation, methodology, writing, review-editing, and proofreading. Hong-Ning Dai has contributed by problem formulation, writing, review-editing, and proofreading.

Corresponding author

Correspondence to Subrota Kumar Mondal.

Ethics declarations

Ethics approval and consent to participate

Not applicable.

Competing interests

The authors declare no competing interests.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Ni, K., Mondal, S.K., Kabir, H.M.D. et al. Toward security quantification of serverless computing. J Cloud Comp 13, 140 (2024). https://doi.org/10.1186/s13677-024-00703-y

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1186/s13677-024-00703-y

Keywords