Serverless - minimizing the attack surface
Slides from my talk at ServerlessConf NYC 2017.

The talk will cover the various aspects of reducing the attack surface on serverless applications with an emphasis on maintaining least privileged access. I’ll cover the possible ways for attackers to leverage an overly permissive application and what might be the impacts of such attempts. In the talk, I’ll present a demo of an open source tool which can help you maintain least privileged roles and policies for your Lambda functions and reduce the overall attack surface on your serverless application.

1. Minimizing the attack surface in Serverless
2. Avi Shulman, Co-Founder & CTO @ PureSec. Serverless security expert; security research at F5 Networks, Argus and the Israel Defense Forces. Twitter: @Shulik
3. What Will You Hear About Today?
   - What influences the serverless attack surface?
   - What are the exploitability options?
   - What can be done to minimize the risks?
4. SERVERLESS ATTACK SURFACE
5. Security - The Responsibility of the Enterprise or the Cloud Provider? (shared-responsibility table, reconstructed from the slide)
   - On Premise: the enterprise owns every layer: Data, Application, Configurations, Scalability, Monitoring, Patching, Setup, Operating System, Provisioning, Virtualization, Servers, Network, Data Center.
   - Data Center Hosting: the enterprise owns Data, Application, Configurations, Scalability, Monitoring, Patching, Setup, Operating System, Provisioning, Virtualization; the provider owns Servers, Network, Data Center.
   - IaaS: the enterprise owns Data, Application, Configurations, Scalability, Monitoring, Patching, Setup, Operating System; the provider owns Provisioning, Virtualization, Servers, Network, Data Center.
   - Serverless: the enterprise owns Data, Application, Configurations; the provider owns Scalability, Monitoring, Patching, Setup, OS, Provisioning, Virtualization, Servers, Network, Data Center.
6. "...IN CLOUD WE TRUST". The cloud provider executes our code, manages scalability, keeps data safe in transit, patches the operating system and provides isolation.
7. The Cloud "Operating System": Functions, Storage, API Gateways, Streams, Databases, Queues.
8. https://hackernoon.com/yubls-road-to-serverless-part-1-overview-ca348370acde
9. The attack surface becomes harder to understand, harder to visualize and harder to test.
10. EXPLOITING THE SERVERLESS ATTACK SURFACE
11. Complex data flows: what exactly happened to a specific request? Traditional security doesn't fit: how do I protect my serverless application?
12. Attack chain: Detect a vulnerability (find a serverless target, fuzz the input) -> Code Injection -> Identify available access -> Lateral Movement -> Persistency -> Exfiltration
13. Normal execution versus fuzzed input:

      $ curl -s https://****.execute-api.us-east-1.amazonaws.com/dev/users/get/KGRwM...nNTJ2lkJwpwNApJMTIzNDUKcy4= | python -m json.tool
      {
          "address": "US"
      }
      $ curl -s https://****.execute-api.us-east-1.amazonaws.com/dev/users/get/Y3N5cwpleGl0CihTJzAnCnRSLicKdFIu | python -m json.tool
      {
          "message": "Internal server error"
      }

   Indication of a potential vulnerability: the crafted path parameter is not rejected at the API Gateway; it reaches the function and makes it error out.
14. Injected command: sys.exit('0'). Successful payload (Python 3 session; the bytes are a protocol-0 pickle stream):

      >>> import base64
      >>> # c = GLOBAL sys.exit, ( = MARK, S'0' = STRING, t = TUPLE, R = REDUCE (call), . = STOP
      >>> exploit = b"csys\nexit\n(S'0'\ntR.'\ntR."
      >>> base64.b64encode(exploit)
      b'Y3N5cwpleGl0CihTJzAnCnRSLicKdFIu'

15. The Vulnerability (Under the Hood): CWE-502, Deserialization of Untrusted Data. The base64 token in the path decodes to a Python pickle stream, which the function deserializes.
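The vulnerability behind slides 13 to 15, as an added example that is not code from the talk: a hypothetical handler that base64-decodes and unpickles its path parameter (an assumption about how the demo function worked; the route and the dict contents are constructed), the slide's payload run against it, and a hardened variant whose Unpickler.find_class refuses every global, so the c/R opcodes can never resolve sys.exit.

```python
"""CWE-502 in a Lambda-style handler: added example, not code from the talk."""
import base64
import io
import pickle

# Constructed inputs. The demo's /users/get/<token> route is assumed to
# receive a base64-encoded Python pickle as its path parameter.
LEGIT_TOKEN = base64.b64encode(pickle.dumps({"address": "US"}, protocol=0))

# The payload from slide 14, as bytes. Protocol-0 opcodes:
#   c sys\nexit\n  GLOBAL  -> push sys.exit
#   (              MARK
#   S'0'\n         STRING  -> push '0'
#   t              TUPLE   -> ('0',)
#   R              REDUCE  -> call sys.exit('0')
#   .              STOP    -> bytes after this one are ignored by the unpickler
EXPLOIT_PICKLE = b"csys\nexit\n(S'0'\ntR.'\ntR."
EXPLOIT_TOKEN = base64.b64encode(EXPLOIT_PICKLE)


def vulnerable_handler(token: bytes) -> dict:
    """What the demo function is assumed to do: unpickle attacker-controlled bytes.

    REDUCE calls whatever callable GLOBAL resolved, so any importable function
    runs with the Lambda's IAM role before any type check on the result can run.
    """
    return pickle.loads(base64.b64decode(token))


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL/STACK_GLOBAL lookup: with no callable on the stack,
    REDUCE and BUILD have nothing to invoke."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def hardened_handler(token: bytes) -> dict:
    """Only plain literals (dict/list/str/int/...) survive the restricted load."""
    data = RestrictedUnpickler(io.BytesIO(base64.b64decode(token))).load()
    if not isinstance(data, dict):
        raise ValueError("expected a dict payload")
    return data


def probe(handler, token: bytes) -> str:
    """Run a handler on a token and report the outcome as a short string."""
    try:
        result = handler(token)
    except SystemExit as exc:  # sys.exit('0') reached the interpreter
        return f"SystemExit({exc.code!r})"
    except pickle.UnpicklingError as exc:
        return f"UnpicklingError: {exc}"
    return repr(result)


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(name, "legit   ->", probe(handler, LEGIT_TOKEN))
        print(name, "exploit ->", probe(handler, EXPLOIT_TOKEN))
```

The restricted unpickler is the mitigation for a wire format that cannot change; the proper fix for a route like this is to stop accepting pickle altogether and carry the token as JSON, where the parser has no opcode that calls code.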
16. Many more resources: potentially many functions, many IAM roles, etc. Lack of visibility: what's happening in my application right now?
17. Access to an AWS account (publicly available access keys, or a malicious Lambda) -> Identify available access -> Lateral Movement -> Persistency -> Exfiltration
18. https://www.blackhat.com/docs/us-16/materials/us-16-Amiga-Account-Jumping-Post-Infection-Persistency-And-Lateral-Movement-In-AWS-wp.pdf
19. Easy to add input sources: just add another trigger to a Lambda function. Agile on steroids: code goes faster to production.
20. Malicious 3rd-party library -> Code Injection -> Identify available access -> Lateral Movement -> Persistency -> Exfiltration
21. Typosquatted PyPI packages (malicious name -> legitimate package it imitates):
   - acqusition -> acquisition
   - apidev-coop -> apidev-coop_cms
   - bzip -> bz2file
   - crypt -> crypto
   - django-server -> django-server-guardian-api
   - pwd -> pwdhash
   - setup-tools -> setuptools
   - telnet -> telnetsrvlib
   - urlib3 -> urllib3
   - urllib -> urllib3
   "Devs unknowingly use malicious modules snuck into official Python repository": https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
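A lookalike check for requirement names, added here as an example (not code from the talk or from the article it cites): requirement lines are compared against a constructed allow-list of the legitimate names on slide 21 using PEP 503 normalisation, separator squashing, a proper-prefix rule and Damerau-Levenshtein distance 1. It catches nine of the slide's ten lures; bzip imitates bz2file by meaning rather than spelling and slips through, which is the limit of any spelling-based heuristic.

```python
"""Lookalike check for requirement names: added example, not code from the talk."""
import re

# Constructed allow-list: the legitimate packages the slide's lures imitate.
KNOWN_GOOD = {
    "acquisition", "apidev-coop_cms", "bz2file", "crypto",
    "django-server-guardian-api", "pwdhash", "setuptools", "telnetsrvlib", "urllib3",
}
# The ten malicious names from slide 21, as a sample requirements.txt.
SLIDE_LURES = [
    "acqusition", "apidev-coop", "bzip", "crypt", "django-server",
    "pwd", "setup-tools", "telnet", "urlib3", "urllib",
]


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold, collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): insert, delete, substitute
    or swap two adjacent characters, each costing 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def lookalike(requirement: str, known_good=KNOWN_GOOD):
    """Return the legitimate package a requirement line resembles, or None.

    A name that normalises to a known-good name is accepted. Otherwise it is
    flagged when it equals a known name with separators removed (setup-tools),
    is a proper prefix of one (pwd -> pwdhash), or is one edit away (urlib3).
    """
    raw = re.split(r"[<>=!~;\[\s]", requirement.strip(), maxsplit=1)[0]
    name = normalize(raw)
    good = {normalize(g): g for g in known_good}
    if not name or name in good:
        return None
    for g_norm, g in good.items():
        if name.replace("-", "") == g_norm.replace("-", ""):
            return g
        if len(name) >= 3 and g_norm.startswith(name):
            return g
        if edit_distance(name, g_norm) <= 1:
            return g
    return None


def audit_requirements(lines) -> dict:
    """Map every suspicious requirement line to the package it imitates."""
    hits = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = lookalike(line)
        if match:
            hits[line] = match
    return hits


if __name__ == "__main__":
    for lure, target in audit_requirements(SLIDE_LURES).items():
        print(f"{lure:15} looks like {target}")
```

The allow-list is the part that matters in practice: seed it from the lock file of a build you have reviewed, and treat any new name that is one edit or one separator away from an entry as a review item rather than a silent install.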
22. After gaining access, attackers will try to use the access available to them.
23. Identify available access -> Lateral Movement -> Persistency -> Exfiltration
24. How? By brute-forcing boto3 API calls with the function's credentials and observing which ones succeed. https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes.pdf
25. Impact of an over-permissive role (slide icons: a "*" wildcard permission, ses:SendEmail): Data leakage, Tampering with data, Exfiltration, Persistency, Lateral movement, Denial of Service, Privilege Elevation
26. Easy, but bad practice
27. [percentage shown in the slide graphic] of serverless projects on GitHub are improperly configured and probably contain over-privileged roles
28. Minimize the Attack Surface with PureSec's Serverless Plugin
   - Auto-magically creates least-privileged IAM roles for you, with the minimum required permissions
   - Reduces the attack surface of serverless applications on AWS
   - Currently supported runtimes: Python & Node.js
   - Currently supported services: DynamoDB, Kinesis, KMS, Lambda, S3, SES, SNS & Step Functions
   - Works with the Serverless Framework
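A policy linter for the over-privileged roles that slide 27 counts, added here as an example; it is not the PureSec plugin and not code from the talk. Three IAM policy documents are constructed for it (the account ID, table name and log-group name are invented): the "easy, but bad practice" full wildcard role, a service-wide wildcard alongside ses:SendEmail, and the least-privilege shape the talk recommends, which should produce no findings.

```python
"""Flag over-privileged Lambda IAM policies: added example, not the talk's plugin."""
import json

# Constructed policy documents (account ID, table and log-group names are invented).
ADMIN_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SERVICE_WILDCARD_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:*", "ses:SendEmail"],
        "Resource": "*",
    }],
}
LEAST_PRIVILEGE_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/users",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/get-user:*",
        },
    ],
}


def _as_list(value) -> list:
    """IAM accepts a single value or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_policy(policy: dict) -> list:
    """Return one finding per way an Allow statement widens the blast radius."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything not listed")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*":
                findings.append(f"statement {i}: Action '*' grants every API of every service")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: Action '{action}' grants a whole service")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' applies the grant to every resource in the account")
            # iam:PassRole on any role, together with a create permission such as
            # lambda:CreateFunction, lets the function hand a more privileged role
            # to a resource it creates: the privilege-elevation path on slide 25.
            if any(a in ("*", "iam:*", "iam:passrole") for a in actions):
                findings.append(f"statement {i}: iam:PassRole on any role enables privilege elevation via a newly created resource")
    return findings


if __name__ == "__main__":
    for name, policy in (("admin", ADMIN_ROLE), ("service wildcard", SERVICE_WILDCARD_ROLE),
                         ("least privilege", LEAST_PRIVILEGE_ROLE)):
        print(f"{name}: {json.dumps(audit_policy(policy), indent=2)}")
```

Run it against the role documents in a serverless.yml before deploying; an empty findings list for every function is the state the talk's plugin is trying to reach automatically, and a non-empty one tells you which statement to scope down to a specific action and ARN.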
29. DEMO
30. (demo screenshot)
31. Minimize the risk
   - Construct a proper threat model
   - Follow best practices and tips
   - Keep least-privileged permissions
   - Integrate suitable detection and response solutions
32. THANK YOU!
