Abstract
The recent advent of serverless applications has created a need for static analysis tools to analyse them. However, the event-driven architecture of serverless applications, along with the black-box nature of the services they invoke, makes static analysis challenging. In this work, we propose a novel approach to statically analysing serverless applications, with a focus on the identification of data flows that can lead to code injection and information leakage. To reach our goal, we first design a new suite of microbenchmarks, which we publicly release. The microbenchmarks are based on documented serverless-specific vulnerabilities and the characterization of an existing dataset. We then introduce our static analysis approach and show how it can factor in the effect of platform services and event-triggered code execution by extracting relevant information from both infrastructure and application code. This information is used to obtain a synchronous equivalent of the underlying asynchronous system, which can be inspected with a general-purpose static analysis tool. Preliminary evaluation results using a prototype implementation of our approach and the microbenchmark suite confirm the potential of our analysis technique.
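As an added illustration of the idea sketched above (constructed example code, not the authors' prototype or microbenchmarks), the following models two serverless functions in a hypothetical three-tuple IR, reads a hypothetical trigger map standing in for the infrastructure definition, turns each asynchronous trigger into a synchronous call edge, and runs a small taint pass that reports flows from an HTTP input to an injection sink and to a leakage sink.

```python
# Constructed example: a synchronous equivalent of an event-driven app,
# built from a (hypothetical) infrastructure trigger map, inspected by a
# small taint-propagation pass. Not the paper's tool.

# Hypothetical infrastructure config: which event source triggers which function.
INFRA = {"triggers": {"bucket:uploads": "resize"}}

# Hypothetical application IR: (op, target, source).
#   param  -> function input;  assign -> copy;  emit -> publish to an event source
#   sink   -> call into a platform/OS API whose argument must not be attacker-controlled
APP = {
    "api": [                                  # HTTP-triggered function
        ("param", "body", "http"),
        ("assign", "name", "body"),
        ("emit", "bucket:uploads", "name"),   # asynchronous hand-off via a bucket event
    ],
    "resize": [                               # event-triggered function
        ("param", "key", "event"),
        ("assign", "cmd", "key"),
        ("sink", "os.system", "cmd"),         # code-injection sink
        ("sink", "cloudwatch.log", "key"),    # information-leakage sink
    ],
}
SINK_KIND = {"os.system": "code-injection", "cloudwatch.log": "info-leak"}

def synchronous_calls(infra):
    """Map each event source to the function its trigger invokes (the sync equivalent)."""
    return dict(infra["triggers"])

def analyse(app, infra, entry):
    """Propagate taint from `entry`'s input through assignments and, via the
    synchronous call edges derived from triggers, into downstream functions."""
    calls, findings, worklist, seen = synchronous_calls(infra), [], [entry], set()
    while worklist:
        fn = worklist.pop()
        if fn in seen:
            continue
        seen.add(fn)
        tainted = set()
        for op, tgt, src in app[fn]:
            if op == "param":                          # input of a reached function is tainted
                tainted.add(tgt)
            elif op == "assign" and src in tainted:
                tainted.add(tgt)
            elif op == "emit" and src in tainted and tgt in calls:
                worklist.append(calls[tgt])            # async trigger becomes a call edge
            elif op == "sink" and src in tainted:
                findings.append((fn, tgt, SINK_KIND.get(tgt, "unknown")))
    return findings

if __name__ == "__main__":
    for finding in analyse(APP, INFRA, "api"):
        print(*finding)
```

Without the trigger map the pass stops at the `emit`, which is exactly the gap the synchronous equivalent closes.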