Identity and Access Management (IAM) is an access control service in cloud platforms. To securely manage cloud resources, customers need to configure IAM to specify the access control rules for their cloud organizations. However, misconfigured IAM can lead to privilege escalation (PE) attacks, causing significant economic loss. Third-party cloud security services detect such issues using whitebox penetration testing, which requires full access to IAM configurations. However, since these configurations often contain sensitive data, customers must manually anonymize them to protect their privacy. To address the dual challenges of anonymization and data privacy, we introduce TAC, the first greybox penetration testing approach for third-party services to efficiently detect IAM PEs. Instead of requiring customers to blindly anonymize their entire IAM configuration, TAC intelligently interacts with customers by querying only a small fraction of the information in the IAM configuration that is necessary for PE detection. To achieve this, TAC integrates two key innovations: (1) a comprehensive IAM modeling approach to detect a wide range of IAM PEs using partial information collected from query responses, and (2) a query optimization mechanism leveraging Reinforcement Learning (RL) and Graph Neural Networks (GNNs) to minimize customer inputs. Additionally, to address the scarcity of real-world IAM PE datasets, we introduce IAMVulGen, a synthesizer that generates a large number of diverse IAM PEs that mimic real-world scenarios. Experimental results on both synthetic and real-world benchmarks show that TAC, as a greybox approach, achieves competitively low and, in some cases, significantly lower false negative rates than state-of-the-art whitebox approaches, while utilizing a limited number of queries.
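To make the greybox idea concrete, here is an added illustration that is not part of the paper and not TAC's own code. It models a customer-side oracle that answers one (principal, action) query at a time, and a third-party tester that searches for escalation chains while asking only for the cells the search actually touches and memoizing every answer. The action labels ("assume", "attach-policy", "admin", ...), the sample configuration, the assumption that principal names are shared up front, and the simplification that being able to rewrite another principal's policy means controlling that principal are all constructed for the example; the query ordering is plain breadth-first search, not the RL/GNN optimization the abstract describes.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Abstract action labels (an assumption for this example; a real cloud platform
# has its own API action names that would be mapped onto these categories).
ACTIONS = ("assume", "attach-policy", "admin", "read", "write")
# Actions through which one principal can act as, or rewrite the permissions of,
# another principal. Treated here as "control of the target" (a simplification).
ESCALATION_ACTIONS = ("assume", "attach-policy")

# Constructed sample: the customer's private IAM configuration.
# principal -> set of (action, target) grants.
SAMPLE_CONFIG: Dict[str, Set[Tuple[str, str]]] = {
    "dev-user":   {("assume", "ci-role"), ("read", "bucket-docs")},
    "ci-role":    {("attach-policy", "audit-role"), ("read", "bucket-logs")},
    "audit-role": {("admin", "*")},
    "intern":     {("read", "bucket-docs")},
    "ops-user":   {("read", "bucket-logs"), ("write", "bucket-logs")},
}


class CustomerOracle:
    """Customer side of a greybox test: the third party never sees the whole
    configuration, it only receives answers to individual queries."""

    def __init__(self, config: Dict[str, Set[Tuple[str, str]]]):
        self._config = config
        self.queries = 0  # how much information the customer has disclosed

    def principals(self) -> List[str]:
        # Assumption: principal names are shared up front; their grants are not.
        return list(self._config)

    def total_cells(self) -> int:
        # One cell per (principal, action) pair: a whitebox test needs all of them.
        return len(self._config) * len(ACTIONS)

    def targets(self, principal: str, action: str) -> FrozenSet[str]:
        """Answer one query: which targets may `principal` apply `action` to?"""
        self.queries += 1
        return frozenset(t for a, t in self._config.get(principal, ()) if a == action)


@dataclass
class Finding:
    start: str
    path: Optional[List[str]]  # chain of principals ending at an admin, or None
    queries: int               # fresh customer queries spent on this check


class GreyboxTester:
    """Third-party side: asks only what the search needs and memoizes answers,
    so no configuration cell is ever requested twice."""

    def __init__(self, oracle: CustomerOracle):
        self.oracle = oracle
        self._memo: Dict[Tuple[str, str], FrozenSet[str]] = {}

    def ask(self, principal: str, action: str) -> FrozenSet[str]:
        key = (principal, action)
        if key not in self._memo:
            self._memo[key] = self.oracle.targets(principal, action)
        return self._memo[key]

    def detect(self, start: str) -> Finding:
        """Breadth-first search over escalation edges from `start`, querying lazily."""
        before = self.oracle.queries
        parent: Dict[str, Optional[str]] = {start: None}
        queue = deque([start])
        while queue:
            p = queue.popleft()
            if "*" in self.ask(p, "admin"):
                # Reconstruct the chain start -> ... -> admin-capable principal.
                path, node = [], p
                while node is not None:
                    path.append(node)
                    node = parent[node]
                return Finding(start, path[::-1], self.oracle.queries - before)
            for action in ESCALATION_ACTIONS:
                for target in sorted(self.ask(p, action)):
                    if target not in parent:
                        parent[target] = p
                        queue.append(target)
        return Finding(start, None, self.oracle.queries - before)


def scan(config: Dict[str, Set[Tuple[str, str]]]) -> Tuple[Dict[str, Finding], int]:
    """Check every principal with one shared tester; return findings and the
    total number of cells the customer had to disclose."""
    oracle = CustomerOracle(config)
    tester = GreyboxTester(oracle)
    findings = {p: tester.detect(p) for p in oracle.principals()}
    return findings, oracle.queries


if __name__ == "__main__":
    findings, used = scan(SAMPLE_CONFIG)
    for name, f in findings.items():
        if f.path and len(f.path) > 1:
            print(f"{name}: escalation chain {' -> '.join(f.path)}")
    print(f"queries used: {used} of {CustomerOracle(SAMPLE_CONFIG).total_cells()} cells")
```

On the constructed configuration the chain dev-user -> ci-role -> audit-role is found after seven queries, and checking all five principals discloses 13 of the 25 (principal, action) cells; the remaining cells, including every read/write grant on buckets, are never requested. Swapping the breadth-first queue for a learned ordering is exactly where the query-minimization component described in the abstract would plug in.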