Toward Automatic Detection of Cloud Server Security Vulnerabilities

Cloud systems have been widely adopted in many real-world production applications, so security vulnerabilities in those systems can have serious, widespread impact. Although previous intrusion detection systems can detect security attacks, the underlying software defects that cause those security vulnerabilities have been little studied. In this work, we conduct a systematic study of 109 software security vulnerabilities in 13 popular cloud server systems. To understand the underlying vulnerabilities, we answer the following questions: 1) what are the root causes of those security vulnerabilities? 2) what threat impact does the vulnerable code have? 3) how do developers patch the vulnerable code? Our results show that the root causes of the studied security vulnerabilities fall into five common categories: 1) improper execution restrictions, 2) improper permission checks, 3) improper resource path-name checks, 4) improper sensitive data handling, and 5) improper synchronization handling. We further extract principal code patterns from those common root causes.

Olufogorehan (Fogo) Tunde-Onadele is a PhD student at North Carolina State University with research interests in machine learning, security, and distributed systems. He received his M.S. degree in Computer Science and B.S. degree in Computer Engineering from NCSU in 2019 and 2017, respectively. Fogo was a summer intern with Samsung Semiconductor, Inc. in 2019 and IBM Research in 2021. 

License: CC-2.5
Submitted by Yuhang Lin on