Identity and Access Management (IAM) is an access control service in cloud platforms. To securely manage cloud resources, customers need to configure IAM to specify the access control rules for their cloud organizations. However, incorrectly configured IAM can be exploited to cause a security attack such as privilege escalation (PE), leading to severe economic loss. To detect such PEs due to IAM misconfigurations, third-party cloud security services are commonly used. The state-of-the-art services apply whitebox penetration testing techniques, which require access to complete IAM configurations. However, the configurations can contain sensitive information. To prevent the disclosure of such information, customers need to manually anonymize the configuration. In this paper, we propose a precise greybox penetration testing approach called TAC for third-party services to detect IAM PEs. To mitigate the dual challenges of labor-intensive anonymization and potentially sensitive information disclosures, TAC interacts with customers by selectively querying only the essential information needed. Our key insight is that only a small fraction of information in the IAM configuration is relevant to the IAM PE detection. We first propose IAM modeling, enabling TAC to detect a broad class of IAM PEs based on the partial information collected from queries. To improve the efficiency and applicability of TAC, we aim to minimize interactions with customers by applying Reinforcement Learning (RL) with Graph Neural Networks (GNNs), allowing TAC to learn to make as few queries as possible. Experimental results on both synthetic and real-world tasks show that, compared to state-of-the-art whitebox approaches, TAC detects IAM PEs with competitively low false negative rates, employing a limited number of queries.
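The greybox idea described above, as an added illustration that is not TAC's algorithm or code from the paper: the detector never receives the configuration and instead asks the customer yes/no questions only about entities it has actually reached. The two-relation model (`can_assume`, `holds`), the entity names and the breadth-first query order are assumptions made for this sketch; TAC chooses its queries with RL and GNNs.

```python
from collections import deque

# Constructed sample configuration, held only by the customer.
# ASSUME[e] = entities whose permissions e can take on (e.g. role assumption).
ASSUME = {"u1": {"r1"}, "u2": set(), "r1": {"r2"}, "r2": set(), "r3": set()}
# HOLDS[e] = sensitive permissions attached directly to e.
HOLDS = {"r2": {"admin"}, "r3": {"admin"}}
ENTITIES = sorted(ASSUME)


class CustomerOracle:
    """Answers one yes/no question per query and records what was disclosed."""
    def __init__(self, assume, holds):
        self._assume, self._holds = assume, holds
        self.disclosed = []

    def can_assume(self, src, dst):
        self.disclosed.append(("can_assume", src, dst))
        return dst in self._assume.get(src, set())

    def holds(self, entity, perm):
        self.disclosed.append(("holds", entity, perm))
        return perm in self._holds.get(entity, set())


def find_escalation(oracle, entities, start, target_perm):
    """Breadth-first search that queries facts only for entities it reaches.
    Returns the path from start to an entity holding target_perm, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if oracle.holds(cur, target_perm):
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in entities:
            if nxt not in parent and oracle.can_assume(cur, nxt):
                parent[nxt] = cur
                queue.append(nxt)
    return None


def whitebox_fact_count(entities, perms=("admin",)):
    """Number of yes/no facts a full configuration hand-over would disclose."""
    n = len(entities)
    return n * (n - 1) + n * len(perms)
```

Comparing `len(oracle.disclosed)` with `whitebox_fact_count(ENTITIES)` after a run shows how much of the configuration the search needed to see.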