Identity and Access Management (IAM) is an access control service in cloud platforms. To securely manage cloud resources, customers are required to configure IAM to specify the access control rules for their cloud organizations. However, IAM misconfiguration may be exploited to perform privilege escalation attacks, which can cause severe economic loss. To detect privilege escalations due to IAM misconfigurations, existing third-party cloud security services apply whitebox penetration testing techniques, which require the access of complete IAM configurations. This requirement might cause problems such as information disclosure and anonymization. To mitigate the limitation, we propose a greybox penetration testing approach called TAC for third-party services to detect IAM privilege escalations, without requiring the access of complete IAM configurations. The idea is to intelligently query a limited amount of information that is only related to IAM privilege escalation detection. Cloud customers are allowed to specify which entities such as users and services (automatically anonymized by TAC) in their IAM configurations can be queried, and also limit the maximum number of queries. To realize the idea, we 1) propose abstract IAM modeling to detect IAM privilege escalations based on the collected partial information; 2) apply Reinforcement Learning (RL) with Graph Neural Networks (GNNs) to learn to make as few queries as possible. To pretrain and evaluate TAC with enough diverse tasks, we propose an IAM privilege escalation task generator called IAMVulGen. Experimental results show that TAC detects IAM privilege escalations with significantly lower false negative rates than baselines with high query efficiency, on both our task set and the only publicly available privilege escalation task set called IAM Vulnerable.

翻译：身份与访问管理（IAM）是云平台中的一项访问控制服务。为安全地管理云资源，客户需配置IAM以指定其云组织的访问控制规则。然而，IAM配置错误可能被利用进行权限提升攻击，从而导致严重的经济损失。为检测因IAM配置错误导致的权限提升，现有第三方云安全服务采用白盒渗透测试技术，这需要获取完整的IAM配置信息。该要求可能引发信息泄露和匿名化等问题。为缓解这一局限，我们提出一种名为TAC的灰盒渗透测试方法，使第三方服务无需获取完整IAM配置即可检测IAM权限提升。其核心思想是智能查询仅与IAM权限提升检测相关的有限信息。云客户可指定其IAM配置中允许被查询的实体（如用户和服务，由TAC自动匿名化），并限制最大查询次数。为实现该思想，我们1）提出抽象IAM建模方法，基于收集的局部信息检测IAM权限提升；2）应用基于图神经网络（GNNs）的强化学习（RL）以尽可能减少查询次数。为使用足够多样的任务对TAC进行预训练和评估，我们提出名为IAMVulGen的IAM权限提升任务生成器。实验结果表明，在我们的任务集和唯一公开的权限提升任务集IAM Vulnerable上，TAC在检测IAM权限提升时，相比基线方法具有显著更低的漏报率和较高的查询效率。