Implementing a security mechanism on top of APIs requires a clear understanding of the semantics of each API, to ensure that security entitlements are enforced consistently and completely across all APIs that could perform the same function for an attacker. Unfortunately, APIs are not designed to be "semantically orthogonal" and they often overlap, for example by offering different performance points for the same functionality. This leaves it to the security mechanism to discover and account for API proxies, i.e., groups of APIs which together approximate the functionality of some other API. Lacking a complete view of the structure of the API-proxy relationship, current security mechanisms address it in an ad hoc and reactive manner, by updating the implementation when new API proxies are uncovered and abused by attackers. We analyze the problem of discovering API-proxy relationships and show that it is NP-complete, which makes computing exact information about API proxies prohibitively expensive for modern API surfaces that consist of tens of thousands of APIs. We then propose a simple heuristic algorithm to approximate the same API-proxy information and argue that this overapproximation can be safely used for security purposes, with only the downside of some utility loss. We conclude with a number of open problems of both theoretical and practical interest and with potential directions towards new solutions for the API-proxy problem.