
The FaaS and the Curious


Despite Amazon’s diligent efforts to secure their Lambda FaaS platform, its intended ability to access a variety of resources and services can be abused for unintended results. This presentation explores the attack surface of the AWS Lambda FaaS platform and how it can be surreptitiously used to circumvent security controls. Specifically, it will demonstrate how to hijack and impersonate Lambda functions, gain persistent remote access to the AWS cloud environment, and reverse engineer the Lambda runtime environment itself.


  1. Agenda
     » Introduction
     » FaaS Overview
     » AWS Services
     » Attack Vectors
     » Mitigations
  2. Introduction: Whoami
     » Bryan McAninch, a.k.a. aph3x » @BryanMcAninch
     » Founder at Prevade Cybersecurity » @PrevadeLLC
     » Background » 20+ years in pentesting, security architecture, digital forensics
     » Research Interests » Cloud, Containerization, Artificial Intelligence
  3. Introduction: Inspirational Sources
     » Rich Jones — @GUNdotIO » Gone in 60 Milliseconds
     » Andrew Krug — @AndrewKrug » Hacking Serverless Runtimes
     » DFW Hacker Community » @NTXCSG, @Dallas_Hackers, @DC214DFW, @OWASPDallas
  4. What is FaaS?
     » Function as a Service, a.k.a. “Serverless” » Application deployment » Event-driven execution
     » Benefits » Minimal cloud infrastructure » Minimal operational overhead
     » Growth Estimates » Valuation of $7.75B USD by 2021 » Forecasted to grow 33%
  5. What is FaaS? (chart: time horizon from milliseconds to days against cost from $ to $$$$, with agility and scalability as the other axes)
  6. AWS Services: Lambda Overview
     A serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. You can use AWS Lambda to extend other AWS services with custom logic, or create your own back-end services that operate at AWS scale, performance, and security.
  7. AWS Services: Lambda Overview (repeats slide 6)
  8. AWS Services: Lambda Attributes
     » Stateless » Ephemeral resources » Read-only file system
     » Sandboxed » Non-privileged local user » IAM restricted execution
     » Monitored » X-Ray distributed tracing » Analytics and debugging
     » Configurable » Versioning » Compute and memory
     » Timed » Minimum is 1 millisecond » Maximum is 300 seconds
     » Scalable » Multiple concurrency » Dynamic capacity allocation
  9. AWS Services: Lambda Architecture (diagram: ECS, SNS, APIGW, CFT, S3 and DBD surrounding Lambda; three EC2 hosts, each running Lambda inside Docker)
  10. AWS Services: Lambda Example
      Code:
      ```python
      print('Loading function...')

      def lambda_handler(event, context):
          # Echo each key of the incoming event and return the first one
          print("event['key1'] = " + event['key1'])
          print("event['key2'] = " + event['key2'])
          print("event['key3'] = " + event['key3'])
          return event['key1']
      ```
      Input:
      ```json
      {"key3": "value3", "key2": "value2", "key1": "value1"}
      ```
      Output:
      ```
      Loading function...
      event['key1'] = value1
      event['key2'] = value2
      event['key3'] = value3
      value1
      ```
  11. AWS Services: IAM Overview
      Identity and Access Management enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
  12. AWS Services: IAM Attributes
      » User » A person or service for interacting with AWS console, API, CLI » Authenticated with name, password, access keys » Created with no permissions by default
      » Group » A collection of IAM users with common permissions » Administrative convenience for granting and revoking access
  13. AWS Services: IAM Attributes
      » Role » An identity with permissions but no associated credentials » Assumed by a resource to temporarily gain access for a specific task » Retrieves credentials locally from EC2 metadata or AWS Simple Token Service
      » Policy » JSON formatted object that defines explicit permissions » AWS managed or custom inline » Extremely granular, but supports entity wildcards
  14. AWS Services: IAM Confused
      ```json
      {
        "Version": "2012-10-17",
        "Id": "some-unique-id",
        "Statement": {
          "Sid": "1",
          "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::111222333444:user/colonel_sanders"},
          "Action": ["s3:PutObject", "s3:GetObject"],
          "Resource": "arn:aws:s3:::kfc-bucket/*",
          "Condition": {
            "DateGreaterThan": {"aws:CurrentTime": "2017-11-04T00:00:00Z"}
          }
        }
      }
      ```
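Added example, not from the talk: a small audit of an IAM policy document that flags the wildcard principals, wildcard actions, unrestricted resources and condition-less grants behind the over-permissioned roles the following slides warn about. It is run against the bucket policy from slide 14 (re-typed with straight quotes; note that its Statement is a single object, not a list, which the normaliser handles) and against a constructed lax policy.

```python
import json

# The bucket policy from the slide above, re-typed with straight quotes.
SLIDE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Id": "some-unique-id",
  "Statement": {
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111222333444:user/colonel_sanders"},
    "Action": ["s3:PutObject", "s3:GetObject"],
    "Resource": "arn:aws:s3:::kfc-bucket/*",
    "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2017-11-04T00:00:00Z"}}
  }
}""")

# Constructed counter-example of the lax grant the Disclaimer slide warns about.
LAX_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "open", "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "*"}]}

def _as_list(value):
    """IAM accepts a string, a list or (for Statement) a single object; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (sid, finding) pairs for Allow statements that grant more than they should."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")  # "*", an ARN string, or {"AWS": [...]} style
        principals = ([p for v in principal.values() for p in _as_list(v)]
                      if isinstance(principal, dict) else _as_list(principal))
        if "*" in principals:
            findings.append((sid, "Principal is * (anyone)"))
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "wildcard action " + action))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((sid, "Resource is * (every resource)"))
        if not stmt.get("Condition"):
            findings.append((sid, "Allow without any Condition"))
    return findings
```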
  15. Attack Vectors: Disclaimer
      All attack vectors shown assume applicable permissions have been granted through IAM roles and policies. Because of IAM policy granularity, its esoteric nature, and its deny-by-default model, it is not unusual for permissions to be lax. Culprits include serverless web service frameworks, automation tools, third party solutions, and untrained cloud administrators.
  16. Attack Vectors
      » Active Reconnaissance
      » Credential Hijacking
      » Persistent Remote Access
      » Reverse Engineering
  17. Attack Vectors: Curious Minds Want to Know…
      » Where are credentials stored?
      » How can credentials be abused?
      » What is the operating system?
      » How is the network configured?
      » What are the file system permissions?
      » Which processes are running?
      » How is our code bootstrapped?
      » What data can we control?
      » How can we change the runtime execution flow?
  18. Attack Vectors: AWS Lambda FAQs (image slide; no extractable text)
  19. Attack Vectors: AWS Lambda FAQs (image slide; no extractable text)
  20. Attack Vectors: Active Reconnaissance
      » Started with a simple Python system call:
        ```python
        import os
        os.system("ls")
        ```
      » Worked originally, now restricted
  21-24. Attack Vectors: Active Reconnaissance (image slides; no extractable text)
  25. Attack Vectors: Active Reconnaissance
      » Limitations » Spray-and-pray approach » Iterative API calls are inefficient
      » Workarounds » Interactive shell for deeper profiling » Reverse shell FTW
  26. Attack Vectors: Active Reconnaissance (image slide; no extractable text)
  27. Attack Vectors: Active Reconnaissance (demo video: https://youtu.be/K2rwe4NBxks)
  28. Attack Vectors: Active Reconnaissance
      » OS » Containerized Amazon Linux » Likely running on an AWS ECS EC2 cluster » Kernel version, compilation date, release cycle
      » Network » Dynamically assigned IPs » Interface vinternal_3 at 169.254.76.X/23 » Interface vtarget_2 at 169.254.79.1/32 » Default gateway 169.254.76.6
  29. Attack Vectors: Active Reconnaissance
      » Users » Interactive login shells only for the ec2-user and root users » Sandboxed runtime username nomenclature ‘sbx_user####’
      » Services » X-Ray daemon always resides at 169.254.79.2 » Lambda bootstrapping and execution
  30. Attack Vectors: Active Reconnaissance, Filesystem — /proc/1/mounts
      ```
      none /proc proc rw,nosuid,nodev,noexec,relatime 0 0
      /dev/xvda1 / ext4 ro,nosuid,nodev,noatime,data=ordered 0 0
      /dev/xvda1 /dev ext4 rw,nosuid,noexec,noatime,data=ordered 0 0
      /dev/xvda1 /var/task ext4 ro,nosuid,noatime,data=ordered 0 0
      /dev/xvda1 /var/runtime ext4 o,nosuid,nodev,noatime,data=ordered 0 0
      /dev/xvda1 /var/lang ext4 ro,nosuid,nodev,noatime,data=ordered 0 0
      /dev/xvda1 /proc/sys/kernel/random/boot_id ext4 ro,nosuid,nodev,noatime,data=ordered 0 0
      /dev/loop0 /tmp ext4 rw,relatime,data=ordered 0 0
      ```
  31. Attack Vectors: Active Reconnaissance, Filesystem — /dev
      ```
      drwxr-xr-x  2 root root 4096 Dec 16 11:19 .
      drwxr-xr-x 21 root root 4096 Dec 16 11:19 ..
      crw-rw-rw-  1 root root 1, 7 Dec 16 11:19 full
      crw-rw-rw-  1 root root 1, 3 Dec 16 11:19 null
      crw-rw-rw-  1 root root 1, 8 Dec 16 11:19 random
      lrwxrwxrwx  1 root root   15 Dec 16 11:19 stderr -> /proc/self/fd/2
      lrwxrwxrwx  1 root root   15 Dec 16 11:19 stdin -> /proc/self/fd/0
      lrwxrwxrwx  1 root root   15 Dec 16 11:19 stdout -> /proc/self/fd/1
      crw-rw-rw-  1 root root 1, 9 Dec 16 11:19 urandom
      crw-rw-rw-  1 root root 1, 5 Dec 16 11:19 zero
      ```
  32. Attack Vectors: Credential Hijacking
      » Export and Import » AWS CLI » AWS API » AWS SDK
      » Lambda IAM Credentials » Access key ID » Secret access key » Security/session token
  33-34. Attack Vectors: Credential Hijacking (image slides; no extractable text)
  35. Attack Vectors: Credential Hijacking
      » Limitations » Lambda function max lifetime (300 seconds) » Security token max lifetime (3600 seconds)
      » Workarounds » Session token renewal » Persistent remote access
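Added detection example, not from the talk: the temporary credentials a function exports stay valid for up to the token lifetime above, so a CloudTrail trail will show the same temporary access key used both from inside Lambda and, later, from wherever it was imported. The function below groups assumed-role events by access key for the Lambda execution roles you name and flags keys seen from more than one source IP or without the `exec-env/AWS_Lambda` marker that botocore adds to the user agent inside Lambda; the sample records, role names, IPs and key IDs are all constructed.

```python
from collections import defaultdict

# Constructed CloudTrail records, not from the talk. The first two calls are the function's
# own S3 calls from inside Lambda; the third reuses the same temporary key from an outside
# address with the AWS CLI. The fourth is an untouched function for contrast. IPs are from
# documentation ranges and account/key IDs are made up.
LAMBDA_UA = "Boto3/1.4.7 Python/3.6.1 Linux/4.9.62 Botocore/1.7.40 exec-env/AWS_Lambda_python3.6"
CLI_UA = "aws-cli/1.11.190 Python/2.7.14 Darwin/17.2.0 botocore/1.7.48"

def _ev(time, name, ip, ua, key, role, session):
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip, "userAgent": ua,
            "userIdentity": {"type": "AssumedRole", "accessKeyId": key,
                             "arn": "arn:aws:sts::111222333444:assumed-role/%s/%s" % (role, session)}}

SAMPLE_EVENTS = [
    _ev("2017-11-04T10:00:05Z", "GetObject", "198.51.100.7", LAMBDA_UA, "ASIAEXAMPLE0001", "kfc-lambda-role", "kfc-function"),
    _ev("2017-11-04T10:00:06Z", "PutObject", "198.51.100.7", LAMBDA_UA, "ASIAEXAMPLE0001", "kfc-lambda-role", "kfc-function"),
    _ev("2017-11-04T10:41:12Z", "ListBuckets", "203.0.113.10", CLI_UA, "ASIAEXAMPLE0001", "kfc-lambda-role", "kfc-function"),
    _ev("2017-11-04T10:02:00Z", "GetObject", "198.51.100.9", LAMBDA_UA, "ASIAEXAMPLE0002", "other-role", "other-function"),
]

def lambda_credential_reuse(events, role_names):
    """Flag temporary keys of the given Lambda execution roles that were used from more
    than one source IP or by a caller without the Lambda exec-env user-agent marker.
    The user agent is caller-controlled, so the multiple-IP signal is the stronger one."""
    by_key = defaultdict(list)
    for ev in events:
        ident = ev.get("userIdentity", {})
        arn = ident.get("arn", "")
        if ident.get("type") != "AssumedRole" or ":assumed-role/" not in arn:
            continue
        role = arn.split(":assumed-role/")[1].split("/")[0]
        if role in role_names:
            by_key[ident["accessKeyId"]].append(ev)
    findings = []
    for key, evs in sorted(by_key.items()):
        ips = sorted({e["sourceIPAddress"] for e in evs})
        foreign = sorted({e["userAgent"].split(" ")[0] for e in evs
                          if "exec-env/AWS_Lambda" not in e["userAgent"]})
        reasons = []
        if len(ips) > 1:
            reasons.append("used from %d source IPs: %s" % (len(ips), ", ".join(ips)))
        if foreign:
            reasons.append("non-Lambda user agent(s): " + ", ".join(foreign))
        if reasons:
            session = evs[0]["userIdentity"]["arn"].rsplit("/", 1)[1]  # Lambda names the session after the function
            findings.append({"accessKeyId": key, "function": session, "reasons": reasons})
    return findings
```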
  36. Attack Vectors: Persistent Remote Access (diagram: Attacker → Internet → API Gateway → Lambda; HTTP GET in, HTTP 200 back; Lambda returns OS.ENVIRON)
  37. Attack Vectors: Persistent Remote Access (image slide; no extractable text)
  38. Attack Vectors: Persistent Remote Access (diagram: Attacker → Internet → API Gateway → Lambda → AWS API → Services; HTTP GET in, HTTP 200 back)
  39. Attack Vectors: Persistent Remote Access (diagram: Attacker → Internet → API Gateway → Lambda → S3 GetObject; the object is returned in the HTTP 200)
  40. Attack Vectors: Persistent Remote Access (diagram: Attacker → Internet → API Gateway → Lambda → Internet; an HTTP GET triggers a TCP SYN, the TCP ACK is reported back in the HTTP 200)
  41. Attack Vectors: Persistent Remote Access
      » Limitations » Invocation billing costs » Higher probability of detection » Runtime execution control
      » Workarounds » Reverse engineer bootstrap and runtime » Control data and runtime execution flow
  42-52. Attack Vectors: Reverse Engineering (image slides; no extractable text)
  53. Attack Vectors: Reverse Engineering
      » Execution Control » Manipulate the CPython interpreter » Set our own PYTHONPATH environment variable » Place our package in $PYTHONPATH with the same name » Our package is loaded instead of the intended package
      » Hypothetical Possibilities » Spoof Lambda execution time » Malicious code injection / log poisoning » Container escape
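Added example, not the speaker's code: a runtime self-check a handler can run at start-up to notice the module shadowing described on slide 53. It treats only the three read-only mounts from the Filesystem slide (/var/runtime, /var/lang, /var/task) as legitimate code sources, so a PYTHONPATH entry or an already-imported module living anywhere else, /tmp included, is reported; the helper names and the sample module paths are assumptions.

```python
import os
import sys
import types

# Directories the Lambda Python runtime legitimately loads code from (the read-only mounts
# on the Filesystem slide). /tmp is deliberately absent: it is the one writable mount, so
# it is where a shadow package would have to live.
TRUSTED_DIRS = ("/var/runtime", "/var/lang", "/var/task")

def _trusted(path, dirs=TRUSTED_DIRS):
    """True if path is one of the trusted directories or lies beneath one of them."""
    path = os.path.normpath(path)
    return any(path == d or path.startswith(d + "/") for d in dirs)

def untrusted_search_path(entries, dirs=TRUSTED_DIRS):
    """Entries of sys.path / PYTHONPATH outside the trusted directories.
    An empty entry means the current working directory and is flagged too."""
    return [p for p in entries if not p or not _trusted(p, dirs)]

def shadowed_modules(modules, dirs=TRUSTED_DIRS):
    """(name, file) for loaded modules whose code comes from outside the trusted
    directories; built-in and frozen modules have no __file__ and are skipped."""
    found = []
    for name, mod in modules.items():
        path = getattr(mod, "__file__", None)
        if path and not _trusted(path, dirs):
            found.append((name, path))
    return sorted(found)

def audit_runtime(environ=None, modules=None, dirs=TRUSTED_DIRS):
    """Run both checks; call with no arguments from a handler to inspect the live process."""
    environ = os.environ if environ is None else environ
    modules = sys.modules if modules is None else modules
    raw = environ.get("PYTHONPATH", "")
    entries = raw.split(os.pathsep) if raw else []
    return {"pythonpath": untrusted_search_path(entries, dirs),
            "shadowed": shadowed_modules(modules, dirs)}

def _fake_module(name, file):
    """Constructed stand-in for a sys.modules entry, for testing offline."""
    mod = types.ModuleType(name)
    if file is not None:
        mod.__file__ = file
    return mod
```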
  54. Attack Vectors: Reverse Engineering (image slide; no extractable text)
  55. Mitigations: Proactive Controls
      » Access Control » Study IAM… for science! » Least-privilege / need-to-know IAM roles and policies » Account housekeeping » Restrict CLI, SDK, API access
      » Test and Assess » Peer review Lambda function code » Integrate into CI/CD pipeline » Automated SAST pre-deployment » Infrastructure as Code (IaC)
  56. Mitigations: Reactive Controls
      » Monitoring » Decoupled account provisioning processes » CloudTrail and CloudWatch for IOCs » Visualization with native ELK stack deployment
      » Response » Leverage the power of CI/CD automation » Instantly alert DFIR team upon detection » Revert to known state with CloudFormation Templates (CFT)
