面向Serverless应用的跨函数行为分析与约束技术

doi:10.3969/j.issn.1671-1122.2025.09.001

信息网络安全 ›› 2025, Vol. 25 ›› Issue (9): 1329-1337.doi: 10.3969/j.issn.1671-1122.2025.09.001

面向Serverless应用的跨函数行为分析与约束技术

詹东阳¹, 黄子龙¹, 谭凯¹(), 俞兆丰¹, 贺铮², 张宏莉¹

1.哈尔滨工业大学网络空间安全学院，哈尔滨 150001
2.黑龙江省气候中心，哈尔滨 150030

收稿日期:2025-06-03 出版日期:2025-09-10 发布日期:2025-09-18
通讯作者: 谭凯 tankai@hit.edu.cn
作者简介:詹东阳（1991—），男，黑龙江，副教授，博士，CCF会员，主要研究方向为系统安全、云计算安全|黄子龙（2000—），男，新疆，硕士研究生，主要研究方向为云安全|谭凯（1994—），男，黑龙江，副研究员，博士，主要研究方向为恶意软件分析、云安全|俞兆丰（1997—），男，新疆，博士研究生，主要研究方向为程序分析、漏洞挖掘|贺铮（1993—），女，黑龙江，工程师，硕士，主要研究方向为机器学习、气候变换分析|张宏莉（1973—），女，吉林，教授，博士，主要研究方向为网络测量、数据安全
基金资助:
国家自然科学基金(62302122);黑龙江省重点研发计划(JD2023SJ07)

Cross-Function Behavior Analysis and Constraint Technology for Serverless Applications

ZHAN Dongyang¹, HUANG Zilong¹, TAN Kai¹(), YU Zhaofeng¹, HE Zheng², ZHANG Hongli¹

1. School of Cyberspace Science, Harbin Institute of Technology, Harbin 150001, China
2. Heilongjiang Climate Center, Harbin 150030, China

Received:2025-06-03 Online:2025-09-10 Published:2025-09-18

摘要/Abstract

摘要：

无服务器计算中的应用被分解为函数运行于不同容器中，由于具有轻量化优势被广泛应用，但是也带来了安全风险。这种架构使程序内部接口暴露于网络，增加了攻击面以及越权访问等安全风险，威胁控制流和数据流的完整性。而现有的安全检测方法难以同时保护无服务器计算中容器（函数）间的控制流和数据流完整性。因此，文章提出一种面向Serverless应用的跨函数行为分析与约束技术，研究基于静态分析的函数间完整业务访问模型提取方法，实现实时的跨函数访问安全检测。实验结果表明，文章所提方法的异常控制流与数据流检出率分别达到97.54%和92.87%，并将监控误报率降低了10%以上，能够提升无服务器计算安全性。

关键词: 无服务器计算, 静态分析, 访问控制

Abstract:

Applications in Serverless computing are decomposed into functions and run in different containers, they have the advantage of being lightweight and was widely used, but they also brings security risks. This architecture exposes the internal interfaces of the program to the network, increases the attack surface and security risks such as unauthorized access, and threatens the integrity of the control flow and data flow. However, existing security monitoring methods are difficult to protect the integrity of the control flow and data flow between containers (or functions) in Serverless computing. As a result, this paper proposed a cross-function behavior analysis and constraint technology for Serverless applications, by studying the extraction method of the complete access model between functions based on static analysis, real-time access control across functions was performed. Experimental results show that the method achieves an average of 97.54% as well as 92.87% for the anomalous control flow and data flow identification rate, and reduces the monitoring false alarms by more than 10%, which is able to improve the security of Serverless computing.

Key words: Serverless computing, static analysis, access control

中图分类号:

TP309

詹东阳, 黄子龙, 谭凯, 俞兆丰, 贺铮, 张宏莉. 面向Serverless应用的跨函数行为分析与约束技术[J]. 信息网络安全, 2025, 25(9): 1329-1337.

ZHAN Dongyang, HUANG Zilong, TAN Kai, YU Zhaofeng, HE Zheng, ZHANG Hongli. Cross-Function Behavior Analysis and Constraint Technology for Serverless Applications[J]. Netinfo Security, 2025, 25(9): 1329-1337.

图/表 7

图1

图2

表1

图3

图4

图5

表2

参考文献 20

[1]	LI Yongkang, LIN Yanying, WANG Yang, et al. Serverless Computing: State-of-the-Art, Challenges and Opportunities[J]. IEEE Transactions on Services Computing, 2022, 16(2): 1522-1539.
[2]	GEORGE J. Comparing Scalable Serverless Analytics Architecture on Amazon Web Services and Google Cloud[EB/OL]. (2024-10-31)[2025-03-27]. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4963383.
[3]	LI Zijun, CHENG Jiagan, CHEN Quan, et al. RunD: A Lightweight Secure Container Runtime for High-Density Deployment and High-Concurrency Startup in Serverless Computing[C]// USENIX. 2022 USENIX Annual Technical Conference. Berkeley: USENIX, 2022: 53-68.
[4]	AHMADI S. Challenges and Solutions in Network Security for Serverless Computing[J]. International Journal of Current Science Research and Review, 2024, 7(1): 218-229.
[5]	KIM Y, KOO J, KIM U M. Vulnerabilities and Secure Coding for Serverless Applications on Cloud Computing[C]// Springer. International Conference on Human-Computer Interaction. Heidelberg: Springer, 2022: 145-163.
[6]	HEDIN D, SABELFELD A. A Perspective on Information-Flow Control[M]. Amsterdam: IOS Press, 2012.
[7]	LI Xing, LENG Xue, CHEN Yan. Securing Serverless Computing: Challenges, Solutions, and Opportunities[J]. IEEE Network, 2022, 37(2): 166-173.
[8]	ZHU Xiaogang, WEN Sheng, CAMTEPE S, et al. Fuzzing: A Survey for Roadmap[J]. ACM Computing Surveys (CSUR), 2022, 54(11): 1-36.
[9]	DATTA P, KUMAR P, MORRIS T, et al. Valve: Securing Function Workflows on Serverless Computing Platforms[C]// ACM. The Web Conference 2020. New York: ACM, 2020: 939-950.
[10]	LIN W T, KRINTZ C, WOLSKI R, et al. Tracking Causal Order in AWS Lambda Applications[C]// IEEE. IEEE International Conference on Cloud Engineering (IC2E). New York: IEEE, 2018: 50-60.
[11]	JEGAN D S, WANG Liang, BHAGAT S, et al. Guarding Serverless Applications with Kalium[C]// USENIX. 32nd USENIX Security Symposium. Berkeley: USENIX, 2023: 4087-4104.
[12]	OBETZ M, PATTERSON S, MILANOVA A. Static Call Graph Construction in AWS Lambda Serverless Applications[EB/OL]. (2019-07-08)[2025-03-27]. https://www.usenix.org/conference/hotcloud19/presentation/obetz.
[13]	WEN Jinfeng, CHEN Zhenpeng, JIN Xin, et al. Rise of the Planet of Serverless Computing: A Systematic Review[J]. ACM Transactions on Software Engineering and Methodology, 2023, 32(5): 1-61.
[14]	WU Xiaojun, WANG Ziyi, YUAN Sheng, et al. Improved Construction Scheme of Fully-Extended Call Graph to Enhance Observability of Serverless-Based Applications[C]// IEEE. IEEE International Conference on Software Engineering and Artificial Intelligence (SEAI). New York: IEEE, 2024: 139-145.
[15]	NAM J, LEE S, SEO H, et al. BASTION: A Security Enforcement Network Stack for Container Networks[C]// USENIX. USENIX Annual Technical Conference (USENIX ATC 20). Berkeley: USENIX, 2020: 81-95.
[16]	TAFT S T. Sound and Precise Static Analysis Using a Generalization of Static Single Assignment and Value Numbering[J]. International Journal on Software Tools for Technology Transfer, 2024, 26(5): 621-632.
[17]	THOTA R C. Efficient Serverless Architectures: Leveraging AWS Lambda and SageMaker for Scalable Workflow Solutions[J]. Journal of Science & Technology, 2024, 5(3): 133-152.
[18]	GUO Fu, ZHANG Yanfeng, GE Yu. A Fair Comparison of Message Queuing Systems[J]. IEEE Access, 2020, 9: 421-432.
[19]	TIWARI P, SHARMA S. Automation of FaaS Serverless Frameworks OpenFaaS and OpenWhisk in Private Cloud[C]// IEEE. World Conference on Communication & Computing (WCONF). New York: IEEE, 2023: 1-11.
[20]	ESKANDANI N, SALVANESCHI G. The Wonderless Dataset for Serverless Computing[C]// IEEE. IEEE/ACM International Conference on Mining Software Repositories (MSR). New York: IEEE, 2021: 565-569.

编程语言	配置信息
Python	PyAST、ast模块
Node.js	Acorn、Esprima、TypeScript Compiler API、WebAssembly
TypeScript	Acorn、Esprima、TypeScript Compiler API、WebAssembly
Go	go/ast包

请求服务次数/次	插入前用时/s	插入后用时/s
100	334.27	336.84
500	1724.35	1744.91
1000	3547.76	3578.27

面向Serverless应用的跨函数行为分析与约束技术

Cross-Function Behavior Analysis and Constraint Technology for Serverless Applications

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 20

相关文章 15

编辑推荐

Metrics

本文评价

[1]	叶佳骏, 高翠凤, 薛吟兴. 基于静态分析的价格预言机操纵源代码检测方法研究[J]. 信息网络安全, 2025, 25(5): 732-746.
[2]	张新有, 刘庆夫, 冯力, 邢焕来. 基于多权威属性基加密的智能电网数据安全共享模型[J]. 信息网络安全, 2025, 25(1): 98-109.
[3]	吕秋云, 周凌飞, 任一支, 周士飞, 盛春杰. 一种全生命周期可控的公共数据共享方案[J]. 信息网络安全, 2024, 24(8): 1291-1305.
[4]	王巍, 胡永涛, 刘清涛, 王凯崙. 铁路运行环境下ERT可信根实体的软件化技术研究[J]. 信息网络安全, 2024, 24(5): 794-801.
[5]	许良晨, 孟昭逸, 黄文超, 熊焰. 面向程序可达性验证的数组处理循环压缩方法[J]. 信息网络安全, 2024, 24(3): 374-384.
[6]	周权, 陈民辉, 卫凯俊, 郑玉龙. 基于SM9的属性加密的区块链访问控制方案[J]. 信息网络安全, 2023, 23(9): 37-46.
[7]	石润华, 谢晨露. 云边缘环境中基于属性加密的可验证EMR外包解决方案[J]. 信息网络安全, 2023, 23(7): 9-21.
[8]	张晓旭, 石润华. EHR系统中一种验证外包加密数据正确性的访问控制方案[J]. 信息网络安全, 2023, 23(5): 85-94.
[9]	朱怡昕, 苗张旺, 甘静鸿, 马存庆. 基于细粒度访问控制的勒索软件防御系统设计[J]. 信息网络安全, 2023, 23(10): 31-38.
[10]	陈星任, 熊焰, 黄文超, 付贵禄. 一种基于静态分析的多视图硬件木马检测方法[J]. 信息网络安全, 2023, 23(10): 48-57.
[11]	王健, 黄俊. 基于智能合约的日志安全存储与公平访问方法[J]. 信息网络安全, 2022, 22(7): 27-36.
[12]	郭宝霞, 王佳慧, 马利民, 张伟. 基于零信任的敏感数据动态访问控制模型研究[J]. 信息网络安全, 2022, 22(6): 86-93.
[13]	刘嘉微, 马兆丰, 王姝爽, 罗守山. 基于区块链的隐私信用数据受限共享技术研究[J]. 信息网络安全, 2022, 22(5): 54-63.
[14]	靳姝婷, 何泾沙, 朱娜斐, 潘世佳. 基于本体推理的隐私保护访问控制机制研究[J]. 信息网络安全, 2021, 21(8): 52-61.
[15]	沈卓炜, 高鹏, 许心宇. 基于安全协商的DDS安全通信中间件设计[J]. 信息网络安全, 2021, 21(6): 19-25.