{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,12]],"date-time":"2026-06-12T10:07:34Z","timestamp":1781258854898,"version":"3.54.1"},"reference-count":47,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2022,10,23]],"date-time":"2022-10-23T00:00:00Z","timestamp":1666483200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,10,23]],"date-time":"2022-10-23T00:00:00Z","timestamp":1666483200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100010661","name":"Horizon 2020 Framework Programme","doi-asserted-by":"publisher","award":["No 871793 (Accordion)"],"award-info":[{"award-number":["No 871793 (Accordion)"]}],"id":[{"id":"10.13039\/100010661","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100010661","name":"Horizon 2020 Framework Programme","doi-asserted-by":"publisher","award":["No 871793 (Accordion)"],"award-info":[{"award-number":["No 871793 (Accordion)"]}],"id":[{"id":"10.13039\/100010661","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100008982","name":"Qatar National Research Fund","doi-asserted-by":"publisher","award":["NPRP-S-11-0109-180242"],"award-info":[{"award-number":["NPRP-S-11-0109-180242"]}],"id":[{"id":"10.13039\/100008982","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cloud Comp"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>In this article we review the current serverless architectures, abstract and categorize their founding principles, and provide an in-depth security analysis. In particular, we: show the security shortcomings of the analyzed serverless architectural paradigms; point to possible countermeasures; and, highlight several research directions for practitioners, Industry, and Academia.<\/jats:p>","DOI":"10.1186\/s13677-022-00347-w","type":"journal-article","created":{"date-parts":[[2022,10,23]],"date-time":"2022-10-23T18:03:40Z","timestamp":1666548220000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":59,"title":["Serverless computing: a security perspective"],"prefix":"10.1186","volume":"11","author":[{"given":"Eduard","family":"Marin","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Diego","family":"Perino","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Roberto","family":"Di Pietro","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2022,10,23]]},"reference":[{"key":"347_CR1","unstructured":"Armbrust M, Fox A, Griffith R, Joseph AD, Katz R, Konwinski A, Lee G, Patterson D, Rabkin A, Stoica I, Zaharia M (2009) Above the clouds: A berkeley view of cloud computing. Tech Rep, University of California at Berkeley. http:\/\/berkeleyclouds.blogspot.com\/2009\/02\/above-clouds-released.html"},{"key":"347_CR2","volume-title":"Security for Cloud Computing","author":"F Lombardi","year":"2015","unstructured":"Lombardi F, Di Pietro R (2015) Security for Cloud Computing. Artech House, Norwood"},{"issue":"12","key":"347_CR3","doi-asserted-by":"publisher","first-page":"44","DOI":"10.1145\/3368454","volume":"62","author":"P Castro","year":"2019","unstructured":"Castro P, Ishakian V, Muthusamy V, Slominski A (2019) The Rise of Serverless Computing. Commun ACM 62(12):44\u201354","journal-title":"Commun ACM"},{"key":"347_CR4","first-page":"03383","volume":"1902","author":"E Jonas","year":"2019","unstructured":"Jonas E, Schleier-Smith J, Sreekanti V, Tsai C, Khandelwal A, Pu Q, Shankar V, Carreira J, Krauth K, Yadwadkar NJ, Gonzalez JE, Popa RA, Stoica I, Patterson DA (2019) Cloud Programming Simplified: A Berkeley View on Serverless Computing. CoRR. 1902:03383","journal-title":"CoRR."},{"key":"347_CR5","unstructured":"(2021) AWS Lambda. https:\/\/aws.amazon.com\/lambda\/. Accessed 21 Oct 2022"},{"key":"347_CR6","unstructured":"(2021) Azure Serverless | Microsoft Azure. https:\/\/azure.microsoft.com\/solutions\/serverless\/. Accessed 21 Oct 2022"},{"key":"347_CR7","unstructured":"(2021) Serverless Computing Solutions\u2014Google Cloud. https:\/\/cloud.google.com\/serverless. Accessed 21 Oct 2022"},{"key":"347_CR8","unstructured":"(2021) IBM Cloud Functions. https:\/\/www.ibm.com\/cloud\/functions. Accessed 21 Oct 2022"},{"key":"347_CR9","unstructured":"(2021) Alibaba Cloud Function Compute. https:\/\/www.alibabacloud.com\/products\/function-compute. Accessed 21 Oct 2022"},{"key":"347_CR10","unstructured":"(2021a) AWS Lambda Customer Case Studies. https:\/\/aws.amazon.com\/lambda\/resources\/customer-case-studies\/. Accessed 21 Oct 2022"},{"key":"347_CR11","unstructured":"(2021b) Serverless Computing Market Insights. https:\/\/www.digitaljournal.com\/pr\/serverless-computing-market-insights-2022-business-opportunities-current-trends-and-restraints-forecast-2026#ixzz7W67yDNi4. Accessed 21 Oct 2022"},{"key":"347_CR12","unstructured":"Hong S, Srivastava A, Shambrook W, Dumitras T (2018) Go Serverless: Securing Cloud via Serverless Design Patterns. In: USENIX Workshop on Hot Topics in Cloud Computing (HotCloud). USENIX Association, Boston"},{"key":"347_CR13","unstructured":"(2021) OWASP Serverless Top 10. https:\/\/owasp.org\/www-project-serverless-top-10\/. Accessed 21 Oct 2022"},{"key":"347_CR14","unstructured":"(2021) AWS Serverless Application Repository. https:\/\/aws.amazon.com\/en\/serverless\/serverlessrepo\/. Accessed 21 Oct 2022"},{"issue":"5","key":"347_CR15","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1109\/MCC.2016.100","volume":"3","author":"T Combe","year":"2016","unstructured":"Combe T, Martin A, Di Pietro R (2016) To Docker or Not to Docker: A Security Perspective. IEEE Cloud Comput 3(5):54\u201362","journal-title":"IEEE Cloud Comput"},{"key":"347_CR16","doi-asserted-by":"crossref","unstructured":"Gao X, Gu Z, Li Z, Jamjoom H, Wang C (2019) Houdini\u2019s Escape: Breaking the Resource Rein of Linux Control Groups. In: ACM SIGSAC Conference on Computer and Communications Security (CCS). pp 1073\u20131086. Association for Computing Machinery, New York","DOI":"10.1145\/3319535.3354227"},{"key":"347_CR17","unstructured":"Nam J, Lee S, Seo H, Porras P, Yegneswaran V, Shin S (2020) BASTION: A Security Enforcement Network Stack for Container Networks. In: USENIX Annual Technical Conference (USENIX ATC). pp 81\u201395. USENIX Association"},{"key":"347_CR18","unstructured":"(2021a) Ory Segal: Serverless Security \/\/ Serverless Days TLV. https:\/\/www.youtube.com\/watch?v=M7wUanfWs1c &t=743s. Accessed 21 Oct 2022"},{"key":"347_CR19","unstructured":"(2021b) Event Injection: Protecting your Serverless Applications. https:\/\/www.jeremydaly.com\/event-injection-protecting-your-serverless-applications\/. Accessed 21 Oct 2022"},{"key":"347_CR20","doi-asserted-by":"crossref","unstructured":"Yelam A, Subbareddy S, Ganesan K, Savage S, Mirian A (2021) CoResident Evil: Covert Communication In The Cloud With Lambdas. In: the Web Conference (WWW). pp 1005\u20131016. Association for Computing Machinery, New York","DOI":"10.1145\/3442381.3450100"},{"key":"347_CR21","unstructured":"Wang L, Li M, Zhang Y, Ristenpart T, Swift M (2018) Peeking behind the Curtains of Serverless Platforms. In: USENIX Conference on Usenix Annual Technical Conference (USENIX ATC). pp 133\u2013145. USENIX Association, Boston"},{"key":"347_CR22","unstructured":"(2022) CVE-2022-0185: Kubernetes Container Escape Using Linux Kernel Exploit. https:\/\/www.crowdstrike.com\/blog\/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit\/. Accessed Oct 21 2022"},{"key":"347_CR23","unstructured":"(2019) Hacking serverless runtimes: Profiling AWS Lambda, Azure Functions, And more. https:\/\/www.blackhat.com\/us-17\/briefings\/schedule\/#hacking-serverless-runtimes-profiling-aws-lambda-azure-functions-and-more-6434"},{"key":"347_CR24","doi-asserted-by":"crossref","unstructured":"Xiong J, Wei M, Lu Z, Liu Y (2021) Warmonger: Inflicting Denial-of-Service via Serverless Functions in the Cloud. In: ACM SIGSAC Conference on Computer and Communications Security (CCS). pp 955\u2013969. Association for Computing Machinery, New York","DOI":"10.1145\/3460120.3485372"},{"key":"347_CR25","doi-asserted-by":"crossref","unstructured":"Kelly D, Glavin FG, Barrett E (2021) Denial of wallet\u2013Defining a looming threat to serverless computing. Journal of Information Security and Applications (60):2214\u20132126","DOI":"10.1016\/j.jisa.2021.102843"},{"key":"347_CR26","unstructured":"(2021) Many-faced threats to Serverless security. https:\/\/hackernoon.com\/many-faced-threats-to-serverless-security-519e94d19dba. Accessed 21 Oct 2022"},{"key":"347_CR27","unstructured":"Liu G, Gao X, Wang H, Sun K (2022) Exploring the Unchartered Space of Container Registry Typosquatting. In: USENIX Security Symposium (USENIX Security). pp 35\u201351. USENIX Association, Boston"},{"key":"347_CR28","doi-asserted-by":"crossref","unstructured":"Makrani HM, Sayadi H, Nazari N, Khasawneh KN, Sasan A, Rafatirad S, Homayoun H (2021) Cloak & Co-locate: Adversarial Railroading of Resource Sharing-based Attacks on the Cloud. In: International Symposium on Secure and Private Execution Environment Design (SEED). pp 1\u201313","DOI":"10.1109\/SEED51797.2021.00011"},{"key":"347_CR29","doi-asserted-by":"crossref","unstructured":"Fang C, Wang H, Nazari N, Omidi B, Sasan A, Khasawneh KN, Rafatirad S, Homayoun H (2022) Repttack: Exploiting Cloud Schedulers to Guide Co-Location Attacks. In: Network and Distributed System Security Symposium (NDSS)","DOI":"10.14722\/ndss.2022.23149"},{"key":"347_CR30","unstructured":"Razavi K, Gras B, Bosman E, Preneel B, Giuffrida C, Bos H (2016) Flip Feng Shui: Hammering a Needle in the Software Stack. In: USENIX Security Symposium (USENIX Security). pp 1\u201318. USENIX Association, Austin"},{"key":"347_CR31","doi-asserted-by":"crossref","unstructured":"Kocher P, Horn J, Fogh A, Genkin D, Gruss D, Haas W, Hamburg M, Lipp M, Mangard S, Prescher T, Schwarz M, Yarom Y (2019) Spectre Attacks: Exploiting Speculative Execution. In: IEEE Symposium on Security and Privacy (S&P). pp 1\u201319","DOI":"10.1109\/SP.2019.00002"},{"key":"347_CR32","unstructured":"Lipp M, Schwarz M, Gruss D, Prescher T, Haas W, Fogh A, Horn J, Mangard S, Kocher P, Genkin D, Yarom Y, Hamburg M (2018) Meltdown: Reading Kernel Memory from User Space. In: USENIX Security Symposium (USENIX Security). pp 973\u2013990. USENIX Association, Baltimore"},{"key":"347_CR33","doi-asserted-by":"crossref","unstructured":"Datta P, Kumar P, Morris T, Grace M, Rahmati A, Bates A (2020) Valve: Securing Function Workflows on Serverless Computing Platforms. In: The Web Conference (WWW). pp 939\u2013950. Association for Computing Machinery, New York","DOI":"10.1145\/3366423.3380173"},{"key":"347_CR34","doi-asserted-by":"crossref","unstructured":"Sankaran A, Datta P, Bates A (2020) Workflow Integration Alleviates Identity and Access Management in Serverless Computing. In: Annual Computer Security Applications Conference (ACSAC). pp 496\u2013509. Association for Computing Machinery, New York","DOI":"10.1145\/3427228.3427665"},{"key":"347_CR35","doi-asserted-by":"crossref","unstructured":"Anjali, Caraza-Harter T, Swift MM (2020) Blending Containers and Virtual Machines: A Study of Firecracker and GVisor. In: ACM SIGPLAN\/SIGOPS International Conference on Virtual Execution Environments (VEE). pp 101\u2013113. Association for Computing Machinery, New York","DOI":"10.1145\/3381052.3381315"},{"key":"347_CR36","unstructured":"(2021) Hyper-V Technology Overview. https:\/\/docs.microsoft.com\/en-us\/windows-server\/virtualization\/hyper-v\/hyper-v-technology-overview. Accessed 21 Oct 2022"},{"key":"347_CR37","unstructured":"(2021) Nabla containers: a new approach to container isolation. https:\/\/nabla-containers.github.io\/. Accessed 21 Oct 2022"},{"key":"347_CR38","unstructured":"(2021) Kata containers. https:\/\/katacontainers.io\/. Accessed 21 Oct 2022"},{"key":"347_CR39","doi-asserted-by":"publisher","unstructured":"Ferraiolo DF, Kuhn DR (2009) Role-Based Access Controls. https:\/\/doi.org\/10.48550\/ARXIV.0903.2171","DOI":"10.48550\/ARXIV.0903.2171"},{"key":"347_CR40","doi-asserted-by":"publisher","DOI":"10.1142\/9789814366151","volume-title":"Role Mining in Business: Taming Role-Based Access Control Administration","author":"A Colantonio","year":"2012","unstructured":"Colantonio A, Di Pietro R, Ocello A (2012) Role Mining in Business: Taming Role-Based Access Control Administration. World Scientific, Singapore"},{"issue":"2","key":"347_CR41","doi-asserted-by":"publisher","first-page":"85","DOI":"10.1109\/MC.2015.33","volume":"48","author":"VC Hu","year":"2015","unstructured":"Hu VC, Kuhn DR, Ferraiolo DF, Voas J (2015) Attribute-Based Access Control. Computer 48(2):85\u201388. https:\/\/doi.org\/10.1109\/MC.2015.33","journal-title":"Computer"},{"key":"347_CR42","unstructured":"(2021) Spiffe: Secure Production Identity Framework for Everyone. https:\/\/spiffe.io\/. Accessed 21 Oct 2022"},{"key":"347_CR43","unstructured":"(2021) Corsha: API Identity & Access Management. https:\/\/corsha.com\/. Accessed 21 Oct 2022"},{"key":"347_CR44","unstructured":"(2021) The Minimum Elements For a Software Bill of Materials (SBOM). https:\/\/www.ntia.doc.gov\/report\/2021\/minimum-elements-software-bill-materials-sbom. Accessed 21 Oct 2022"},{"key":"347_CR45","unstructured":"(2021) Gone in 60 Milliseconds: Intrusion and Exfiltration in Serverless Architectures. https:\/\/media.ccc.de\/v\/33c3-7865-gone_in_60_milliseconds. Accessed 21 Oct 2022"},{"key":"347_CR46","unstructured":"(2021) How AWS Lambda reuses containers (and how it affects you). https:\/\/pfisterer.dev\/posts\/aws-lambda-container-reuse. Accessed 21 Oct 2022"},{"key":"347_CR47","doi-asserted-by":"crossref","unstructured":"Savi M, Banfi A, Tundo A, Ciavotta M (2022) Serverless Computing for NFV: Is it Worth it? A Performance Comparison Analysis. In: IEEE International Conference on Pervasive Computing and Communications Workshops and other Affiliated Events (PerCom Workshops). pp 680\u2013685","DOI":"10.1109\/PerComWorkshops53856.2022.9767495"}],"container-title":["Journal of Cloud Computing"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s13677-022-00347-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s13677-022-00347-w\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s13677-022-00347-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,10,23]],"date-time":"2022-10-23T18:14:24Z","timestamp":1666548864000},"score":1,"resource":{"primary":{"URL":"https:\/\/journalofcloudcomputing.springeropen.com\/articles\/10.1186\/s13677-022-00347-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,10,23]]},"references-count":47,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2022,12]]}},"alternative-id":["347"],"URL":"https:\/\/doi.org\/10.1186\/s13677-022-00347-w","relation":{},"ISSN":["2192-113X"],"issn-type":[{"value":"2192-113X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,10,23]]},"assertion":[{"value":"20 July 2022","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"29 September 2022","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"23 October 2022","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"Not applicable.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethics approval and consent to participate"}},{"value":"The authors declare that they have no competing interests.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"69"}}