Implementing a security mechanism on top of APIs requires clear understanding of the semantics of each API, to ensure that security entitlements are enforced consistently and completely across all APIs that could perform the same function for an attacker. Unfortunately, APIs are not designed to be "semantically orthogonal" and they often overlap, for example by offering different performance points for the same functionality. This leaves it to the security mechanism to discover and account for API proxies, i.e., groups of APIs which together approximate the functionality of some other API. Lacking a complete view of the structure of the API-proxy relationship, current security mechanisms address it in an ad-hoc and reactive manner, by updating the implementation when new API proxies are uncovered and abused by attackers. We analyze the problem of discovering API-proxy relationships and show that its complexity makes it NP-complete, which makes computing exact information about API proxies prohibitively expensive for modern API surfaces that consist of tens of thousands of APIs. We then propose a simple heuristic algorithm to approximate the same API-proxy information and argue that this overapproximation can be safely used for security purposes, with only the downside of some utility loss. We conclude with a number of open problems of both theoretical and practical interest and with potential directions towards new solutions for the API-proxy problem.
翻译:在API之上实现安全机制需要清晰理解每个API的语义,以确保对所有可能为攻击者提供相同功能的API,安全权限能够被一致且完整地执行。遗憾的是,API在设计上并非"语义正交",它们常常存在功能重叠,例如针对同一功能提供不同的性能表现。这使得安全机制必须发现并处理API代理问题,即一组共同近似实现某个其他API功能的API集合。由于缺乏对API代理关系结构的完整视图,当前安全机制通常以临时性和反应性的方式处理这一问题——仅在攻击者发现并滥用新的API代理时更新实现。我们对API代理关系的发现问题进行形式化分析,证明其复杂度为NP完全问题,这意味着对于包含数万个API的现代API接口而言,精确计算API代理信息的代价高得令人望而却步。为此,我们提出一种简单的启发式算法来近似获取相同的API代理信息,并论证这种过近似方法可安全用于安全防御目的,仅以部分功能损失为代价。最后,我们总结了若干兼具理论和实践意义的开放性问题,并探讨了解决API代理问题的潜在新方向。