Identity and Access Management (IAM) is an access control service in cloud platforms. To securely manage cloud resources, customers are required to configure IAM to specify the access control rules for their cloud organizations. However, IAM misconfiguration may be exploited to perform privilege escalation attacks, which can cause severe economic loss. To detect privilege escalations due to IAM misconfigurations, existing third-party cloud security services apply whitebox penetration testing techniques, requiring the access of complete IAM configurations. To prevent sensitive information disclosure, this requirement places a considerable burden on customers, demanding lots of manual efforts for the anonymization of their configurations. In this paper, we propose a precise greybox penetration testing approach called TAC for third-party services to detect IAM privilege escalations. To mitigate the dual challenges of labor-intensive anonymizations and potential sensitive information disclosures, TAC interacts with customers by selectively querying only the essential information needed. To accomplish this, we first propose abstract IAM modeling, enabling TAC to detect IAM privilege escalations based on the partial information collected from queries. Moreover, to improve the efficiency and applicability of TAC, we minimize the interactions with customers by applying Reinforcement Learning (RL) with Graph Neural Networks (GNNs), allowing TAC to learn to make as few queries as possible. To pretrain and evaluate TAC with enough diverse tasks, we propose an IAM privilege escalation task generator called IAMVulGen. Experimental results on both our task set and the only publicly available task set IAM Vulnerable show that, in comparison to state-of-the-art whitebox approaches, TAC detects IAM privilege escalations with competitively low false negative rates, employing a limited number of queries.

翻译：身份与访问管理（IAM）是云平台中的一种访问控制服务。为了安全地管理云资源，客户需要配置IAM来为其云组织指定访问控制规则。然而，IAM配置错误可能被利用来执行权限提升攻击，从而导致严重的经济损失。为了检测由IAM配置错误导致的权限提升，现有的第三方云安全服务采用白盒渗透测试技术，这需要访问完整的IAM配置。为了防止敏感信息泄露，这一要求给客户带来了沉重负担，需要大量人工努力对其配置进行匿名化处理。在本文中，我们提出了一种名为TAC的精确灰盒渗透测试方法，供第三方服务检测IAM权限提升。为了缓解劳动密集型匿名化和潜在敏感信息泄露的双重挑战，TAC通过选择性查询仅必要的信息与客户交互。为实现这一点，我们首先提出了抽象IAM建模，使TAC能够基于从查询中收集的部分信息检测IAM权限提升。此外，为了提高TAC的效率和适用性，我们通过应用基于图神经网络（GNN）的强化学习（RL）最小化与客户的交互，使TAC学会尽可能少地进行查询。为了用足够多样化的任务预训练和评估TAC，我们提出了一个名为IAMVulGen的IAM权限提升任务生成器。在我们的任务集和唯一公开可用的任务集IAM Vulnerable上的实验结果表明，与最先进的白盒方法相比，TAC以有竞争力的低假阴性率检测IAM权限提升，且仅使用有限数量的查询。