Static Analysis

LeakGauge: Infrastructure-as-Code–Aware Sensitive Data Flow Analysis in Event-Driven Serverless Applications

LeakGauge is an IaC-aware static analysis framework that traces sensitive data flows across serverless deployments. Using CodeQL-based data- and taint-flow analysis informed by Infrastructure-as-Code configurations, LeakGauge identifies …

Confine: Fine-grained System Call Filtering for Container Attack Surface Reduction

Reducing the attack surface of the OS kernel is a promising defense-in-depth approach for compensating for the fragile isolation guarantees of container environments. In contrast to hypervisor-based systems, malicious containers can exploit vulnerabilities …