Serverless - minimizing the attack surface
•Als PPTX, PDF herunterladen•
1 gefällt mir•905 views
Slides from my talk at ServerlessConf NYC 2017. The talk will cover the various aspects of reducing the attack surface on serverless applications with an emphasis on maintaining least privileged access. I’ll cover the possible ways for attackers to leverage an overly permissive application and what might be the impacts of such attempts. In the talk, I’ll present a demo of an open source tool which can help you maintain least privileged roles and policies for your Lambda functions and reduce the overall attack surface on your serverless application.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Serverless - minimizing the attack surface
Ähnlich wie Serverless - minimizing the attack surface (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Serverless - minimizing the attack surface
- 1. Minimizing the attack surface in Serverless
- 2. Avi Shulman Co Founder & CTO @ PureSec Serverless Security Expert Security Research - F5 Networks, Argus, Israel Defense Forces Twitter - @Shulik
- 3. What Will You Hear About Today? What influences Serverless attack surface? What are the exploitability options? What can be done to minimize the risks?
- 5. Data Application Configurations Scalability Monitoring Patching Setup Operating System Provisioning Virtualization Servers Network Data Center Data Application Configurations Scalability Monitoring Patching Setup Operating System Provisioning Virtualization Data Application Configurations Scalability Monitoring Patching Setup Operating System Data Application Configurations On Premise Data Center Hosting IaaS Serverless Security - The Responsibility of the Enterprise or The Cloud Provider? Servers Network Data Center Provisioning Virtualization Servers Network Data Center Scalability Monitoring Patching Setup OS Provisioning Virtualization Servers Network Data Center
- 6. Executes our code Manages scalability Keeps data safe in transit Patches the operating system Provides isolation “...IN CLOUD WE TRUST” CLOUD PROVIDER
- 7. The Cloud “Operating System” 2 4 1 3 5 Functions Storage API Gateways Streams Databases Queues
- 9. The attack surface becomes … Harder to understand … Harder to visualize … Harder to test
- 11. Complex data flows: What exactly happened to a specific request? Traditional security doesn’t fit: How do I protect my serverless application?
- 12. Detect a Vulnerability Find a serverless target Fuzz the input Code Injection Identify available access Lateral MovementPersistency Exfiltration
- 13. Normal Execution $ curl –s https://****.execute-api.us-east- 1.amazonaws.com/dev/users/get/KGRwM...nNTJ2l kJwpwNApJMTIzNDUKcy4= | python –m json.tool { "address" : "US" } $ curl –s https://****.execute-api.us-east- 1.amazonaws.com/dev/users/get/Y3N5cwpleGl0Ci hTJzAnCnRSLickdFIu | python –m json.tool { "message" : "Internal server error" } Indication of a potential vulnerability
- 14. Injected command: sys.exit('0') Successful Payload >>> exploit = "csysnexitn(S'0'ntR.'ntR." >>> base64.b64encode(exploit) 'Y3N5cwpleGl0CihTJzAnCnRSLickKdFIu'
- 15. The Vulnerability (Under the Hood) CWE-502: Deserialization of Untrusted Data >>>
- 16. Many more resources: Potentially many functions, many IAM roles, etc. Lack of visibility: What’s happening in my application right now?
- 17. Access to an AWS account Publicly available access keys Malicious Lambda Identify available access Lateral MovementPersistency Exfiltration
- 20. Easy to add input sources: Just add another trigger to a Lambda function Agile on steroids: Code goes faster to production
- 21. Malicious 3rd party library Code Injection Identify available access Lateral MovementPersistency Exfiltration
- 22. acqusition acquisition apidev-coop apidev-coop_cms bzip bz2file crypt crypto django-server django-server-guardian-api pwd pwdhash setup-tools setuptools telnet telnetsrvlib urlib3 urllib3 urllib urllib3 https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/ “Devs unknowingly use malicious modules snuck into official Python repository”
- 23. After gaining access, attackers will try to use the access available to them
- 24. Identify available access Lateral MovementPersistency Exfiltration
- 25. How? https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes.pdf By bruteforcing boto3 API calls
- 26. Data leakage Tampering with data Exfiltration Persistency Lateral movement Denial of Service a * ses:SendEmail Privilege Elevation
- 27. Easy, but bad practice
- 30. of serverless projects on Github are improperly configured and probability contain over privileged roles
- 31. Minimize the Attack Surface with PureSec’s Serverless Plugin Auto-magically creates least privileged IAM roles for you – with the minimum required permissions Reduces the attack surface of Serverless applications on AWS Currently supported runtimes: Python & Node.js Currently supported services: DynamoDB, Kinesis, KMS, Lambda, S3, SES, SNS & Step Functions Works with the Serverless Framework
- 32. DEMO
- 34. Minimize the risk Construct a proper threat model Follow best practices and tips Keep least privileged permissions Integrate suitable detection and response solutions
- 35. THANK YOU!
Hinweis der Redaktion
- PureSec – A security platform for serverless architectures. Over the past year I have been researching serverless security
- Share my perspectives regarding what… What influences the attack surface – serverless changes the way we build applications – how these changes influence the security and the attack surface. What are the exploitability options – how attackers think. How attackers can leverage the changes that serverless development brings. What can be done to minimize the risk – what actions can we take to reduce probability of being successfully attacked.
- Shared responsibility concept. – Mark has already mentioned it earlier today, but please notice the great animation Cloud computing evolution. The cloud provider is now responsible more layers.
- Executes our code – after deploying our functions we trust the cloud provider to execute them. Manages scalability – we trust that the scale of the application will be fully managed by the providers. Keeps data safe in transit - when an event is passed to a function we trust that is happened securely. Patches the operating system – the image of the container in which our code is executed. Keeps the libraries up-to-date. Enforces the required permissions. Provides the required Isolation – between different functions and different customers.
- Serverless is not only the compute functionality. Array of services and tools. The compute part links all the services together. One term to describe what serverless creates is a Cloud Operating System. This is important because ... When analyzing and thinking about the attack surface in serverless, we should think about all the components we have, including the services we use. Every configuration in a service that is connected to our functions – is important for analyzing the attack surface. Let’s see an example of how a serverless architecture may look like.
- 1. A quite complicated architecture. 2. How many entry points does this application have? 3. Where should we put the security controls? 4. What are all the possible flows? 5. How can we define what might go wrong?
- Understand – an event driven architecture with limited control. Visualize – distributed logic, micro services. Test – How do we test the attack surface when we have difficulties debugging? How do we perform penetration testing in such applications?
- Influential factors on the attack surface: Complex data flows – Difficult to trace – API Gateway -> Lambda -> S3 -> Lambda Traditional security – What kind of security controls can we enforce? How do we protect event driven applications? What shall we do when the operating system and the network are abstracted?
- For those of you who wondered.. It's not a real book :) 1. A potential course of events may be…
- 1. Vulnerability in the cPickle library in Python 2. Deserialization of Untrusted Data
- More influential factors are... Many functions, many IAM roles. Instead of having several servers, we now have many Lambda functions (AWS), many DynamoDB tables and S3 Buckets… Lack of visibility – black box. Tracing requests, having a good understand of what’s going on.
- In serverless it becomes easy to add input sources and create new entry points to the system. Increases the probability of having a misconfigured entry point. CICD processes become much faster, code is easily added to production. It’s harder to remove pieces of code.
- 1. As you’ve seen in the previous slides…
- Speak only about identifying the access
- 1. This is what an attacker can do if he an over privileged compromised Lambda function.
- 1. Let’s talk about over permissive roles …
- 1. Do you want to guess how many projects contain iamRolesStatement?
- 1. Happy to introduce PureSec’s serverless plugin
- Threat modeling – What is the application is supposed to do? What the application shouldn’t allow to do? Trust Level External dependencies Entry points Best practices Development – input validation, popular frameworks. Use static & dynamic analysis tools. Scan for vulnerabilities in 3rd libraries and check their integrity. Use single purpose functions and limit the functions that have access to sensitive data. Don’t embed secrets and access keys in code. Least privileged – Functions Deployment System Solutions. That suite.