Stratosphere: Finding Vulnerable Cloud Storage Buckets
Jack Cable, Drew Gregory, Liz Izhikevich, Zakir Durumeric

TL;DR
This paper introduces Stratosphere, a system that models cloud storage bucket naming patterns to identify vulnerable buckets, revealing widespread exploitation and increasing insecurity in cloud storage configurations.
Contribution
We develop a novel system that learns naming patterns of cloud buckets to efficiently identify vulnerable and misconfigured storage, highlighting the scale of insecurity.
Findings
Widespread exploitation of vulnerable buckets detected
Vulnerable configurations are increasing over time
Stratosphere effectively predicts bucket names for security assessment
Abstract
Misconfigured cloud storage buckets have leaked hundreds of millions of medical, voter, and customer records. These breaches are due to a combination of easily guessable bucket names and error-prone security configurations, which, together, allow attackers to easily guess and access sensitive data. In this work, we investigate the security of buckets, finding that prior studies have largely underestimated cloud insecurity by focusing on simple, easy-to-guess names. By leveraging prior work in the password analysis space, we introduce Stratosphere, a system that learns how buckets are named in practice in order to efficiently guess the names of vulnerable buckets. Using Stratosphere, we find widespread exploitation of buckets and vulnerable configurations continuing to increase over the years. We conclude with recommendations for operators, researchers, and cloud providers.
