Serverless computing abstracts infrastructure management but also obscures system-level behaviors that can introduce security risks. Prior work has shown that serverless platforms are vulnerable to attacks exploiting shared execution environments, including attacker-victim co-location and denial-of-service through resource contention. Analyzing these risks on production platforms is difficult, however, because of limited observability, high cost, and lack of experimental control, while existing simulators focus primarily on performance and cost rather than security. We present Kumo, a security-focused simulator for serverless platforms that enables controlled, reproducible analysis of security risks arising from scheduling and resource-sharing decisions. Kumo models invocation arrivals, scheduler placement, container reuse, resource contention, and queuing within a discrete-event framework, explicitly representing attackers and victims as first-class entities and providing metrics such as co-location probability, time to first co-location, invocation drop rate, and tail latency. Through two case studies, we show that scheduler choice is a first-order factor for co-location attacks, inducing orders-of-magnitude differences under identical workloads, whereas denial-of-service behavior is largely governed by system-level factors such as service time, queuing policy, and cluster capacity once contention dominates. These results highlight the need to distinguish scheduler-driven isolation risks from broader resource-exhaustion vulnerabilities and position Kumo as a flexible foundation for systematic, security-aware exploration of serverless platforms.
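To make the abstract's modeling approach concrete, the following is an added example (not Kumo's code, and not from the paper's authors) of a minimal discrete-event serverless cluster model in the same spirit: Poisson invocation arrivals per tenant, warm-container reuse, scheduler placement of fresh containers, keep-alive eviction, and drops when the cluster is full, with attacker and victim tracked as explicit tenants. It reports co-location probability, time to first co-location, and invocation drop rate for three placement policies. The three policies (`spread`, `bin_pack`, `random_fit`), the tenant names, the arrival and service rates, and the keep-alive value are all constructed assumptions for illustration; queuing and tail latency are not modeled here.

```python
"""Toy discrete-event model of a serverless cluster (added example, not Kumo's code).
Tenants issue Poisson arrivals; an invocation reuses an idle warm container of its
tenant, else the scheduler places a fresh one, or the invocation is dropped if full."""
import heapq
import random
from dataclasses import dataclass, field


@dataclass(eq=False)          # identity comparison so list.remove() targets this object
class Container:
    tenant: str
    busy_until: float = 0.0   # simulated time at which the running invocation ends
    uses: int = 0             # per-invocation counter, doubles as the eviction token


@dataclass(eq=False)
class Node:
    capacity: int
    containers: list = field(default_factory=list)

    def has_room(self):
        return len(self.containers) < self.capacity

    def hosts(self, tenant):
        return any(c.tenant == tenant for c in self.containers)


# Placement policies (assumed, illustrative; they are not Kumo's scheduler models)
def spread(nodes, rng):
    """Least-loaded node with a free slot."""
    free = [n for n in nodes if n.has_room()]
    return min(free, key=lambda n: len(n.containers)) if free else None


def bin_pack(nodes, rng):
    """First node (fixed order) with a free slot: packs tenants densely."""
    return next((n for n in nodes if n.has_room()), None)


def random_fit(nodes, rng):
    """Uniformly random node among those with a free slot."""
    free = [n for n in nodes if n.has_room()]
    return rng.choice(free) if free else None


def simulate(policy, num_nodes=4, capacity=4, rates=None, service=1.0,
             keepalive=5.0, horizon=2000.0, seed=1):
    """Seeded run; returns co-location, time-to-first-co-location and drop metrics."""
    rng = random.Random(seed)
    # Constructed workload: arrival rate per tenant (invocations per time unit)
    rates = rates or {"victim": 0.2, "attacker": 0.2, "bg0": 0.3, "bg1": 0.3, "bg2": 0.3}
    nodes = [Node(capacity) for _ in range(num_nodes)]
    events, seq = [], 0                       # heap of (time, seq, kind, payload)

    def push(t, kind, payload):
        nonlocal seq
        heapq.heappush(events, (t, seq, kind, payload))
        seq += 1

    for tenant, rate in rates.items():
        push(rng.expovariate(rate), "arrive", tenant)
    stats = {"total": 0, "dropped": 0, "attacker_invocations": 0,
             "colocated": 0, "first_colocation": None}
    while events:
        t, _, kind, payload = heapq.heappop(events)
        if t > horizon:
            break
        if kind == "evict":
            node, cont, token = payload
            if cont.uses == token and cont in node.containers:   # idle since scheduled
                node.containers.remove(cont)
            continue
        tenant = payload
        push(t + rng.expovariate(rates[tenant]), "arrive", tenant)  # next arrival
        stats["total"] += 1
        # Container reuse: an idle warm container of this tenant wins over placement
        warm = [(n, c) for n in nodes for c in n.containers
                if c.tenant == tenant and c.busy_until <= t]
        if warm:
            node, cont = warm[0]
        else:
            node = policy(nodes, rng)
            if node is None:                  # cluster full: invocation is dropped
                stats["dropped"] += 1
                continue
            cont = Container(tenant)
            node.containers.append(cont)
        cont.uses += 1
        cont.busy_until = t + rng.expovariate(1.0 / service)
        push(cont.busy_until + keepalive, "evict", (node, cont, cont.uses))
        if tenant == "attacker":              # co-location check at attacker arrival
            stats["attacker_invocations"] += 1
            if node.hosts("victim"):
                stats["colocated"] += 1
                if stats["first_colocation"] is None:
                    stats["first_colocation"] = t
    att = stats["attacker_invocations"]
    return {"colocation_probability": stats["colocated"] / att if att else 0.0,
            "time_to_first_colocation": stats["first_colocation"],
            "drop_rate": stats["dropped"] / stats["total"] if stats["total"] else 0.0,
            **stats}


def run_all(**kwargs):
    """Same seeded workload under each placement policy, for side-by-side comparison."""
    return {p.__name__: simulate(p, **kwargs) for p in (spread, bin_pack, random_fit)}


if __name__ == "__main__":
    for name, m in run_all().items():
        print(f"{name:10s} P(coloc)={m['colocation_probability']:.3f} "
              f"t_first={m['time_to_first_colocation']} drop={m['drop_rate']:.3f}")
```

Because every run is seeded, changing only the `policy` argument isolates the scheduler's contribution to co-location, which is the kind of controlled comparison the abstract describes. The degenerate configuration `num_nodes=1, capacity=1` is a useful sanity check: one container per node makes co-location impossible but turns most of the load into drops, separating the isolation metric from the resource-exhaustion metric.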