CloudFlow: Identifying Security-sensitive Data Flows in Serverless Applications

Giuseppe Raffa

34th USENIX Security Symposium (USENIX Security '25) · Day 1 · System Security 2: Trusted and Robust Computing

In this presentation, Giuseppe Raffa introduces **CloudFlow**, a framework that statically detects security-sensitive data flows in serverless applications. As enterprises adopt serverless computing for its agility and reduced operational overhead, securing applications that are split into many small, event-triggered functions has become a significant challenge. CloudFlow addresses this by inspecting an application for dangerous flows *before* deployment, an advantage over dynamic analysis, which only observes the paths a deployed application is actually exercised on.

AI review

CloudFlow is legitimate academic security research solving a real and underserved problem: static taint analysis that actually understands the asynchronous, event-driven execution model of serverless architectures. The core contribution — synthesizing synchronous representations from IaC + source code to feed into existing analyzers like Pysa — is a clever engineering insight, not just a conceptual claim, and the CloudBench artifact plus the 104-app real-world evaluation give it empirical teeth.
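The core idea the review above describes, turning asynchronous hops declared in IaC into one synchronous representation that an off-the-shelf taint analyzer can follow, as an added, self-contained illustration. This is not CloudFlow's code and does not reproduce its algorithm. It assumes a simplified serverless.yml-like IaC dict, three constructed Python handlers (`api` → SQS queue → `worker` → S3 bucket → `report`), that boto3 `send_message`/`put_object` are the only publish operations, simplified SQS and S3 event shapes, and Python 3.9+ (`ast.unparse`). The generated module is what one would then hand to Pysa; `run_synthesized` executes it with `os.system` stubbed only to confirm that the stitched path really carries the HTTP body into the command sink.

```python
"""Stitch event-driven serverless hops into a single synchronous Python module.

A classic taint analyzer follows direct calls only, so a flow such as
HTTP body -> SQS message -> S3 object key -> os.system() is invisible to it.
Rewriting each publish call into a direct call of the consuming handler
(with the payload placed where the consumer's event shape expects it)
produces one call chain the analyzer can follow end to end.
Everything below (IaC, handlers, event shapes) is constructed for the demo.
"""
import ast
import os

# Constructed, simplified IaC: trigger kind -> resource (http -> route) and env -> resource.
IAC = {
    "api":    {"handler": "handlers.api", "trigger": {"http": "/upload"},
               "environment": {"QUEUE": "IngestQueue"}},
    "worker": {"handler": "handlers.worker", "trigger": {"sqs": "IngestQueue"},
               "environment": {"BUCKET": "ReportBucket"}},
    "report": {"handler": "handlers.report", "trigger": {"s3": "ReportBucket"}},
}

# Constructed handler modules; each exposes handle(event, context).
SOURCES = {
    "handlers.api": """
import json, os, boto3
def handle(event, context):
    body = json.loads(event["body"])
    boto3.client("sqs").send_message(QueueUrl=os.environ["QUEUE"], MessageBody=json.dumps(body))
""",
    "handlers.worker": """
import json, os, boto3
def handle(event, context):
    for rec in event["Records"]:
        msg = json.loads(rec["body"])
        boto3.client("s3").put_object(Bucket=os.environ["BUCKET"], Key=msg["name"], Body=b"")
""",
    "handlers.report": """
import os
def handle(event, context):
    key = event["Records"][0]["s3"]["object"]["key"]
    os.system("gzip /tmp/" + key)
""",
}

# Simplified shapes: where a published payload reappears in the consumer's event.
EVENT_SHAPES = {
    "sqs": "{'Records': [{'body': payload}]}",
    "s3":  "{'Records': [{'s3': {'object': {'key': payload}}}]}",
}
# Publish call name -> (resource kind, keyword that carries the forwarded payload).
PUBLISH_CALLS = {"send_message": ("sqs", "MessageBody"), "put_object": ("s3", "Key")}


def env_var(kwargs):
    """Return X for the first keyword whose value is os.environ["X"] (the destination)."""
    for v in kwargs.values():
        if (isinstance(v, ast.Subscript) and isinstance(v.value, ast.Attribute)
                and isinstance(v.value.value, ast.Name) and v.value.value.id == "os"
                and v.value.attr == "environ" and isinstance(v.slice, ast.Constant)):
            return v.slice.value
    raise ValueError("publish call without an os.environ[...] destination")


class Stitch(ast.NodeTransformer):
    """Rename handle() per function, drop boto3, and turn publish calls into hop calls."""
    def __init__(self, fn):
        self.fn, self.env, self.edges = fn, IAC[fn].get("environment", {}), []

    def visit_Import(self, node):
        node.names = [a for a in node.names if a.name != "boto3"]
        return node if node.names else None

    def visit_FunctionDef(self, node):
        if node.name == "handle":
            node.name = f"{self.fn}_handle"
        self.generic_visit(node)
        return node

    def visit_Call(self, node):
        self.generic_visit(node)
        if isinstance(node.func, ast.Attribute) and node.func.attr in PUBLISH_CALLS:
            _kind, payload_kw = PUBLISH_CALLS[node.func.attr]
            kwargs = {k.arg: k.value for k in node.keywords}
            resource = self.env[env_var(kwargs)]      # IaC resolves env var -> resource
            self.edges.append(resource)
            return ast.Call(func=ast.Name(f"_hop_{resource}", ast.Load()),
                            args=[kwargs[payload_kw]], keywords=[])
        return node


def synthesize(entry="api"):
    """Emit one module: rewritten handlers, hop shims, and entry(event) for the external event."""
    consumers = {res: (fn, kind) for fn, cfg in IAC.items()
                 for kind, res in cfg["trigger"].items() if kind != "http"}
    order, parts, hops, i = [entry], [], set(), 0
    while i < len(order):                          # BFS over resources the chain publishes to
        fn, i = order[i], i + 1
        stitch = Stitch(fn)
        parts.append(ast.unparse(stitch.visit(ast.parse(SOURCES[IAC[fn]["handler"]]))))
        for res in stitch.edges:
            if res in hops:
                continue
            hops.add(res)
            consumer, kind = consumers[res]
            parts.append(f"def _hop_{res}(payload):\n"
                         f"    return {consumer}_handle({EVENT_SHAPES[kind]}, None)")
            if consumer not in order:
                order.append(consumer)
    parts.append(f"def entry(event, context=None):\n    return {entry}_handle(event, context)")
    return "\n\n".join(parts)


def pysa_models(module="synthesized"):
    """Pysa model stubs (assumed setup) marking the external event as the source."""
    return (f"def {module}.entry(event: TaintSource[UserControlled]): ...\n"
            "def os.system(command: TaintSink[RemoteCodeExecution]): ...\n")


def run_synthesized(event):
    """Execute the synthesized module with os.system stubbed; return commands that reached it."""
    ns, seen = {}, []
    exec(compile(synthesize(), "synthesized", "exec"), ns)
    real = os.system
    os.system = lambda cmd: seen.append(cmd) or 0
    try:
        ns["entry"](event)
    finally:
        os.system = real
    return seen


if __name__ == "__main__":
    print(synthesize())
    print(run_synthesized({"body": '{"name": "x; id"}'}))
```

The rewrite keeps every handler's own logic intact and only replaces the SDK publish call with a call to a generated `_hop_<Resource>` shim, so a constant key or a sanitized field still breaks the chain exactly as it would in production; the IaC is what tells the synthesizer which function sits behind each queue or bucket, which is the part source code alone cannot reveal.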
