Kumo: A Security-Focused Serverless Cloud Simulator

TL;DR

Kumo is a specialized simulator that enables detailed, reproducible security analysis of serverless platforms, focusing on risks like co-location and denial-of-service, which are hard to study on real systems.

Contribution

Kumo introduces a security-centric simulation framework for serverless computing, modeling attacker-victim interactions and system behaviors to analyze security risks systematically.

Findings

Scheduler choice significantly impacts co-location attack risks.

Resource contention influences denial-of-service vulnerabilities.

System-level factors like queuing and capacity affect attack severity.

Abstract

Serverless computing abstracts infrastructure management but also obscures system-level behaviors that can introduce security risks. Prior work has shown that serverless platforms are vulnerable to attacks exploiting shared execution environments, including attacker--victim co-location and denial-of-service through resource contention, yet analyzing these risks on production platforms is difficult due to limited observability, high cost, and lack of experimental control, while existing simulators primarily focus on performance and cost rather than security. We present Kumo, a security-focused simulator for serverless platforms that enables controlled, reproducible analysis of security risks arising from scheduling and resource sharing decisions. Kumo models invocation arrivals, scheduler placement, container reuse, resource contention, and queuing within a discrete-event framework, explicitly representing attackers and victims as first-class entities and providing metrics such as co-location probability, time to first co-location, invocation drop rate, and tail latency. Through two case studies, we show that scheduler choice is a first-order factor for co-location attacks, inducing orders-of-magnitude differences under identical workloads, while Denial-of-Service behavior is largely governed by system-level factors such as service time, queuing policy, and cluster capacity once contention dominates. These results highlight the need to distinguish scheduler-driven isolation risks from broader resource exhaustion vulnerabilities and position Kumo as a flexible foundation for systematic, security-aware exploration of serverless platforms.