Identity and Access Management (IAM) is the access control service of cloud platforms. To manage cloud resources securely, customers must configure IAM to specify the access control rules for their cloud organizations. However, IAM misconfigurations may be exploited to perform privilege escalation attacks, which can cause severe economic loss. To detect privilege escalations due to IAM misconfigurations, existing third-party cloud security services apply whitebox penetration testing techniques, which require access to the complete IAM configuration. Since customers must avoid disclosing sensitive information, this requirement places a considerable burden on them, demanding extensive manual effort to anonymize their configurations. In this paper, we propose a precise greybox penetration testing approach called TAC that lets third-party services detect IAM privilege escalations. To mitigate the dual challenges of labor-intensive anonymization and potential disclosure of sensitive information, TAC interacts with customers by selectively querying only the information it needs. To accomplish this, we first propose abstract IAM modeling, which enables TAC to detect IAM privilege escalations from the partial information collected through queries. Moreover, to improve the efficiency and applicability of TAC, we minimize the interactions with customers by applying Reinforcement Learning (RL) with Graph Neural Networks (GNNs), so that TAC learns to make as few queries as possible. To pretrain and evaluate TAC on a sufficiently diverse set of tasks, we propose an IAM privilege escalation task generator called IAMVulGen. Experimental results on both our task set and the only publicly available task set, IAM Vulnerable, show that, compared with state-of-the-art whitebox approaches, TAC detects IAM privilege escalations with competitively low false negative rates while issuing a limited number of queries.
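As an added illustration (not the paper's or TAC's own code), the following Python sketch models the greybox idea described in the abstract: a checker that learns about a principal only by querying for it, and searches an abstract IAM graph for a path from a low-privilege principal to administrative rights while counting how much of the configuration it had to ask for. The principal names, action sets and the two edge kinds (role assumption and policy editing) are constructed assumptions, and the RL/GNN query policy of TAC is replaced by a plain breadth-first search.

```python
from collections import deque
from typing import Dict, List, Optional

# Constructed sample configuration standing in for a customer's hidden IAM setup.
# Each principal lists its allowed actions plus the two edge kinds the abstract
# model keeps: roles it may assume and principals whose policies it may edit.
CUSTOMER_IAM: Dict[str, dict] = {
    "dev-alice": {"actions": {"s3:GetObject", "sts:AssumeRole"}, "assumes": {"ci-role"}, "edits": set()},
    "ci-role":   {"actions": {"lambda:InvokeFunction", "iam:PutUserPolicy"}, "assumes": set(), "edits": {"ops-bob"}},
    "ops-bob":   {"actions": {"iam:*", "ec2:*"}, "assumes": set(), "edits": set()},
    "auditor":   {"actions": {"cloudtrail:LookupEvents"}, "assumes": set(), "edits": set()},
    "billing":   {"actions": {"aws-portal:ViewBilling"}, "assumes": set(), "edits": set()},
}

ADMIN_ACTIONS = {"*", "iam:*"}  # assumption: either grants full administrative control


class IAMOracle:
    """Answers for one principal at a time and counts the queries, mimicking the
    greybox interaction with the customer: the checker never sees the whole config."""

    def __init__(self, config: Dict[str, dict]) -> None:
        self._config = config
        self.queries = 0

    def query(self, principal: str) -> dict:
        self.queries += 1
        return self._config[principal]


def find_escalation(oracle: IAMOracle, start: str) -> Optional[List[str]]:
    """Breadth-first search over the abstract IAM graph, querying only principals
    that are actually reached. Returns the path to an admin principal, or None."""
    parent: Dict[str, Optional[str]] = {start: None}
    frontier = deque([start])
    while frontier:
        current = frontier.popleft()
        info = oracle.query(current)
        if info["actions"] & ADMIN_ACTIONS:
            path, node = [], current
            while node is not None:          # rebuild the path back to the start
                path.append(node)
                node = parent[node]
            return path[::-1]
        # Assuming a role or rewriting a principal's policy yields that principal's rights.
        for nxt in info["assumes"] | info["edits"]:
            if nxt not in parent:
                parent[nxt] = current
                frontier.append(nxt)
    return None


if __name__ == "__main__":
    oracle = IAMOracle(CUSTOMER_IAM)
    print(find_escalation(oracle, "dev-alice"), "queries:", oracle.queries)
```

Running it reports the three-step path for dev-alice after 3 queries out of 5 principals; the unrelated auditor and billing principals are never requested, which is the information-minimization property the paper optimizes with RL.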