{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:17:31Z","timestamp":1766441851136,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":57,"publisher":"ACM","funder":[{"name":"Key Research and Development Program of Shaanxi","award":["2025CY-YBXM-066"],"award-info":[{"award-number":["2025CY-YBXM-066"]}]},{"name":"111 Center","award":["B16037"],"award-info":[{"award-number":["B16037"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3765106","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:32:38Z","timestamp":1763854358000},"page":"3401-3415","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Dangers Behind Access Control: Understanding and Exploiting Implicit Permissions in Kubernetes"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-9346-6679","authenticated-orcid":false,"given":"Nanzi","family":"Yang","sequence":"first","affiliation":[{"name":"Xidian University, Xi'an, China and University of Minnesota, Minneapolis, MN, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-1640-8046","authenticated-orcid":false,"given":"Xingyu","family":"Liu","sequence":"additional","affiliation":[{"name":"Xidian University, Xi'an, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2899-6121","authenticated-orcid":false,"given":"Wenbo","family":"Shen","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0709-7434","authenticated-orcid":false,"given":"Jinku","family":"Li","sequence":"additional","affiliation":[{"name":"Xidian University, Xi'an, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4763-7354","authenticated-orcid":false,"given":"Kangjie","family":"Lu","sequence":"additional","affiliation":[{"name":"University of Minnesota, Minneapolis, MN, USA"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/3472883.3486977"},{"key":"e_1_3_2_1_2_1","unstructured":"Kubernetes Authors. 2022. Kubernetes. https:\/\/kubernetes.io\/."},{"key":"e_1_3_2_1_3_1","unstructured":"Kubernetes Authors. 2023a. Deployment. https:\/\/kubernetes.io\/docs\/concepts\/workloads\/controllers\/deployment\/."},{"key":"e_1_3_2_1_4_1","unstructured":"Kubernetes Authors. 2023b. StatefulSets. https:\/\/kubernetes.io\/docs\/concepts\/workloads\/controllers\/statefulset\/."},{"key":"e_1_3_2_1_5_1","unstructured":"Kubernetes Authors. 2025a. API Overview. https:\/\/kubernetes.io\/docs\/reference\/generated\/kubernetes-api\/v1.29\/."},{"key":"e_1_3_2_1_6_1","unstructured":"Kubernetes Authors. 2025b. API Overview. https:\/\/kubernetes.io\/docs\/reference\/generated\/kubernetes-api\/v1.30\/."},{"key":"e_1_3_2_1_7_1","unstructured":"Kubernetes Authors. 2025c. API Overview. https:\/\/kubernetes.io\/docs\/reference\/generated\/kubernetes-api\/v1.31\/."},{"key":"e_1_3_2_1_8_1","unstructured":"Kubernetes Authors. 2025d. Controllers. https:\/\/kubernetes.io\/docs\/concepts\/architecture\/controller\/."},{"key":"e_1_3_2_1_9_1","unstructured":"Kubernetes Authors. 2025 e. Create Code. https:\/\/github.com\/kubernetes\/kubernetes\/blob\/master\/staging\/src\/k8s.io\/apiserver\/pkg\/registry\/generic\/registry\/store.go#L446."},{"key":"e_1_3_2_1_10_1","unstructured":"Kubernetes Authors. 2025 f. DaemonSet v1 apps. https:\/\/kubernetes.io\/docs\/reference\/generated\/kubernetes-api\/v1.30\/##daemonset-v1-apps."},{"volume-title":"2025 g. Delete Code. https:\/\/github.com\/kubernetes\/kubernetes\/blob\/master\/pkg\/registry\/core\/service\/storage\/storage.go#L79","author":"Authors Kubernetes","key":"e_1_3_2_1_11_1","unstructured":"Kubernetes Authors. 2025 g. Delete Code. https:\/\/github.com\/kubernetes\/kubernetes\/blob\/master\/pkg\/registry\/core\/service\/storage\/storage.go#L79."},{"key":"e_1_3_2_1_12_1","unstructured":"Kubernetes Authors. 2025 h. Get Code. https:\/\/github.com\/kubernetes\/kubernetes\/blob\/master\/staging\/src\/k8s.io\/apiserver\/pkg\/registry\/generic\/registry\/store.go#L847."},{"key":"e_1_3_2_1_13_1","unstructured":"Kubernetes Authors. 2025 i. Ingress-nginx CVE-2025-1974: What You Need to Know. https:\/\/kubernetes.io\/blog\/2025\/03\/24\/ingress-nginx-cve-2025-1974\/."},{"key":"e_1_3_2_1_14_1","unstructured":"Kubernetes Authors. 2025 j. kube-apiserver. https:\/\/kubernetes.io\/docs\/reference\/command-line-tools-reference\/kube-apiserver\/."},{"key":"e_1_3_2_1_15_1","unstructured":"Kubernetes Authors. 2025 k. Kubernetes Source Code. https:\/\/github.com\/kubernetes\/kubernetes\/blob\/master\/staging\/src\/k8s.io\/apiserver\/pkg\/endpoints\/request\/requestinfo.go#L177."},{"key":"e_1_3_2_1_16_1","unstructured":"Kubernetes Authors. 2025 l. Node Code. https:\/\/github.com\/kubernetes\/kubernetes\/blob\/master\/pkg\/registry\/core\/rest\/storage_core.go#L294."},{"key":"e_1_3_2_1_17_1","unstructured":"Kubernetes Authors. 2025 m. Pod Code. https:\/\/github.com\/kubernetes\/kubernetes\/blob\/master\/pkg\/registry\/core\/rest\/storage_core.go#L232."},{"key":"e_1_3_2_1_18_1","unstructured":"Kubernetes Authors. 2025 n. Secrets. https:\/\/kubernetes.io\/docs\/concepts\/configuration\/secret\/."},{"key":"e_1_3_2_1_19_1","unstructured":"Kubernetes Authors. 2025 o. Service Code. https:\/\/github.com\/kubernetes\/kubernetes\/blob\/master\/pkg\/registry\/core\/rest\/storage_core.go#L284."},{"volume-title":"2025","author":"Authors Kubernetes","key":"e_1_3_2_1_20_1","unstructured":"Kubernetes Authors. 2025 p. Using RBAC Authorization. https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/rbac\/."},{"key":"e_1_3_2_1_21_1","unstructured":"Yuval Avrahami and Shaul Ben Hai. 2022. Kubernetes Privilege Escalation: Container Escape == Cluster Admin? https:\/\/www.blackhat.com\/us-22\/briefings\/schedule\/kubernetes-privilege-escalation-container-escape-cluster-admin-26344."},{"key":"e_1_3_2_1_22_1","unstructured":"AWS. 2025. What is Amazon EKS? https:\/\/docs.aws.amazon.com\/eks\/latest\/userguide\/what-is-eks.html."},{"key":"e_1_3_2_1_23_1","unstructured":"Azure. 2025a. Azure Kubernetes Service (AKS). https:\/\/azure.microsoft.com\/en-us\/products\/kubernetes-service."},{"key":"e_1_3_2_1_24_1","unstructured":"MicroSoft Azure. 2025b. Install a Kubernetes application. https:\/\/portal.azure.com\/view\/Microsoft_Azure_Marketplace\/MarketplaceOffersBlade\/subscription\/0ef5e6d1-a771-46d2-98e6-33fc6a9e2cbc\/searchInitiatedFrom\/AksExtensions\/fromContext\/AKS."},{"key":"e_1_3_2_1_25_1","unstructured":"Bridgecrew. 2025. Checkov. https:\/\/github.com\/bridgecrewio\/checkov\/tree\/main."},{"key":"e_1_3_2_1_26_1","unstructured":"Alibaba Cloud. 2025a. Alibaba Cloud Container Service for Kubernetes (ACK). https:\/\/www.alibabacloud.com\/product\/kubernetes."},{"key":"e_1_3_2_1_27_1","unstructured":"Alibaba Cloud. 2025b. Marketplace. https:\/\/cs.console.aliyun.com\/?spm=5176.9843921.console-base.dcsk.44e74882hd4cbN\/next\/app-catalog."},{"key":"e_1_3_2_1_28_1","unstructured":"Google Cloud. 2025c. Bug Hunters. https:\/\/bughunters.google.com\/."},{"key":"e_1_3_2_1_29_1","unstructured":"Google Cloud. 2025d. Configure metrics collection. https:\/\/cloud.google.com\/kubernetes-engine\/docs\/how-to\/configure-metrics."},{"key":"e_1_3_2_1_30_1","unstructured":"Google Cloud. 2025 e. Marketplace. https:\/\/console.cloud.google.com\/marketplace\/browse?filter=solution-type:k8s."},{"key":"e_1_3_2_1_31_1","unstructured":"Google Cloud. 2025 f. Set up managed collection. https:\/\/cloud.google.com\/stackdriver\/docs\/managed-prometheus\/setup-managed."},{"key":"e_1_3_2_1_32_1","unstructured":"GitHub Contributors. 2025a. krane. https:\/\/github.com\/appvia\/krane\/."},{"key":"e_1_3_2_1_33_1","unstructured":"GitHub Contributors. 2025b. kube-linter. https:\/\/github.com\/stackrox\/kube-linter\/."},{"key":"e_1_3_2_1_34_1","unstructured":"GitHub Contributors. 2025c. rbac-tool. https:\/\/github.com\/alcideio\/rbac-tool."},{"key":"e_1_3_2_1_35_1","unstructured":"GitHub Contributors. 2025d. terrascan. https:\/\/github.com\/tenable\/terrascan\/tree\/master."},{"key":"e_1_3_2_1_36_1","unstructured":"GitHub Contributors. 2025 e. trivy. https:\/\/github.com\/aquasecurity\/trivy\/."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3366423.3380173"},{"key":"e_1_3_2_1_38_1","volume-title":"CNCF 2023 Annual Survey. https:\/\/www.cncf.io\/reports\/cncf-annual-survey-2023\/.","author":"Computing Foundation Cloud Native","year":"2025","unstructured":"Cloud Native Computing Foundation. 2025. CNCF 2023 Annual Survey. https:\/\/www.cncf.io\/reports\/cncf-annual-survey-2023\/."},{"key":"e_1_3_2_1_39_1","unstructured":"Cloud Native Computing Fundation. 2023a. GRADUATED AND INCUBATING PROJECTS. https:\/\/www.cncf.io\/projects\/."},{"key":"e_1_3_2_1_40_1","unstructured":"Cloud Native Computing Fundation. 2023b. SANDBOX PROJECTS. https:\/\/www.cncf.io\/sandbox-projects\/."},{"key":"e_1_3_2_1_41_1","volume-title":"Proceedings of the 12th conference on security and privacy in wireless and mobile networks. 151-161","author":"William Enck Sigmund Albert","year":"2019","unstructured":"Sigmund Albert Gorski III and William Enck. 2019. Arf: identifying re-delegation vulnerabilities in android system services. In Proceedings of the 12th conference on security and privacy in wireless and mobile networks. 151-161."},{"key":"e_1_3_2_1_42_1","first-page":"19","article-title":"Systematic detection of capability leaks in stock android smartphones","volume":"14","author":"Grace Michael C","year":"2012","unstructured":"Michael C Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang. 2012. Systematic detection of capability leaks in stock android smartphones.. In NDSS, Vol. 14. 19.","journal-title":"NDSS"},{"key":"e_1_3_2_1_43_1","volume-title":"EPScan: Automated Detection of Excessive RBAC Permissions in Kubernetes Applications. In 2025 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 11-11","author":"Gu Yue","year":"2024","unstructured":"Yue Gu, Xin Tan, Yuan Zhang, Siyan Gao, and Min Yang. 2024. EPScan: Automated Detection of Excessive RBAC Permissions in Kubernetes Applications. In 2025 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 11-11."},{"key":"e_1_3_2_1_44_1","unstructured":"Kanister. 2025. Adopters. https:\/\/github.com\/kanisterio\/kanister\/blob\/master\/ADOPTERS.md."},{"key":"e_1_3_2_1_45_1","unstructured":"Krane. 2025. rules. https:\/\/github.com\/appvia\/krane\/blob\/master\/config\/rules.yaml."},{"key":"e_1_3_2_1_46_1","unstructured":"Kubecost. 2025. Kubecost | Kubernetes cost monitoring and management. https:\/\/www.kubecost.com\/."},{"key":"e_1_3_2_1_47_1","first-page":"2579","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Lee Yu-Tsung","year":"2021","unstructured":"Yu-Tsung Lee, William Enck, Haining Chen, Hayawardh Vijayakumar, Ninghui Li, Zhiyun Qian, Daimeng Wang, Giuseppe Petracca, and Trent Jaeger. 2021. {PolyScope}:{Multi-Policy} Access Control Analysis to Compute Authorized Attack Operations in Android Systems. In 30th USENIX Security Symposium (USENIX Security 21). 2579-2596."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00070"},{"key":"e_1_3_2_1_49_1","first-page":"2513","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Li Wen","year":"2022","unstructured":"Wen Li, Jiang Ming, Xiapu Luo, and Haipeng Cai. 2022. {PolyCruise}: A {Cross-Language} dynamic information flow analysis. In 31st USENIX Security Symposium (USENIX Security 22). 2513-2530."},{"key":"e_1_3_2_1_50_1","first-page":"3971","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Li Xing","year":"2021","unstructured":"Xing Li, Yan Chen, Zhiqiang Lin, Xiao Wang, and Jim Hao Chen. 2021a. Automatic policy generation for {Inter-Service} access control of microservices. In 30th USENIX Security Symposium (USENIX Security 21). 3971-3988."},{"key":"e_1_3_2_1_51_1","unstructured":"Palo Alto Networks. 2022. Kubernetes Privilege Escalation: Excessive Permissions in Popular Platforms. https:\/\/www.paloaltonetworks.com\/resources\/whitepapers\/ kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms."},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"crossref","unstructured":"Maryam Rostamipoor Aliakbar Sadeghi and Michalis Polychronakis. 2025. KubeKeeper: Protecting Kubernetes Secrets Against Excessive Permissions. (2025).","DOI":"10.1109\/EuroSP63326.2025.00027"},{"key":"e_1_3_2_1_53_1","unstructured":"Amazon Web Services. 2025. AWS Marketplace. https:\/\/aws.amazon.com\/marketplace\/search\/results?ref_=header_nav_dm_eks_add_on&FULFILLMENT_OPTION_TYPE=EKS_ADD_ON&filters=FULFILLMENT_OPTION_TYPE."},{"key":"e_1_3_2_1_54_1","unstructured":"Container Security Site. 2025. Container Breakout Vulnerabilities. https:\/\/www.container-security.site\/attackers\/container_breakout_vulnerabilities.html."},{"key":"e_1_3_2_1_55_1","first-page":"415","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Tuncay G\u00fcliz Seray","year":"2020","unstructured":"G\u00fcliz Seray Tuncay, Jingyu Qian, and Carl A Gunter. 2020. See no evil: phishing for permissions with false transparency. In 29th USENIX Security Symposium (USENIX Security 20). 415-432."},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516728"},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623121"}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Taipei Taiwan","acronym":"CCS '25"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765106","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:14:51Z","timestamp":1766441691000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3765106"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":57,"alternative-id":["10.1145\/3719027.3765106","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3765106","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}