More and more enterprises are restructuring their development teams to replicate the agility and innovation of startups.
In the last few years, microservices have gained popularity for their ability to provide modularity, scalability and high availability, as well as for making it easier for smaller development teams to work in an agile way.
But how do they deal with security? What about security contexts?
This talk gives insights into the most interesting issues found in the last few years while testing the security of multilayered microservices solutions, and how they were fixed.
3. Agenda
• Microservices Vs Monolithic Apps
• Security in Microservice Architectures
• Common Services: Security Exposed
– Authorization Flow
– Microservice Events
– Requestor Microservice
– REST Aggregator/Forwarder
– Serverless services
– PDF Generator
4. Goal
• Talk about security in microservice architectures
• Give insights into some of the most interesting issues found in the last few years while testing the security of multilayered microservices architectures, and how they were fixed
• Will not talk about AWS misconfigurations (too much to tell :)
9. Scalability
• X-axis scaling: scaling an application by running clones behind a load balancer.
• Y-axis scaling: splits the application into multiple, different services.
• The microservice architecture is an application of Y-axis scaling.
– Each service is responsible for one or more closely related functions.
• Two ways of decomposing the application into services:
– By Action: verb-based decomposition, defining services that implement a single use case such as checkout.
– By Context: decompose the application by noun and create services responsible for all operations related to a particular entity, such as customer management.
• Mixed Action+Context works too.
10. Maintainability+Easy Refactor
• A component is a unit of software that is independently replaceable and upgradeable.
• Services as components
– because services are independently deployable
• A service could be deployed on
– a fully controlled server or container
– serverless (AWS Lambda, Google/Azure cloud functions…)
– ... or in house, of course
11. Communication between MS
• REST/Queues
• Remote calls are more expensive than in-process calls.
• Remote APIs need to be coarser-grained.
• Change the allocation of responsibilities between components.
12. Asynchronicity
• No more monolithic app means no more single thread.
• Each microservice can be considered as a separate process.
• If a process takes too long to fulfill its duty, it'll block everyone in the stack.
• Microservices must be asynchronous as much as possible.
19–24. Auth and Authz in MS (authorization flow diagram)
• REST REQUEST 'http://localhost:8003/products/the_odyssey'
• REST REQUEST 'http://localhost:8003/rest/login'
– RESPONSE: JWT: {"user":"stefano","id": 22}.[CRYPTOGRAPHICALLY SIGNED]
• REST REQUEST 'http://localhost:8003/rest/order/54252'
– JWT: {"user":"stefano","id": 22}.[CRYPTOGRAPHICALLY SIGNED]
– Is Logged In? YES!
– OKAY! GO ON!
25. Authorization != Authentication
• Microservices must be aware at some point who can do/has access to what.
• Design decisions must be made and implemented.
• Defense in Depth is the most appreciated:
– Implement an Identity Management System
– Each MS will ask whether token X is allowed to execute the service.
• Each MS is responsible for the data it manages.
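An added example (written for this page, not code from the talk) of the distinction on this slide: the order microservice first checks the JWT signature (authentication) and only then checks that order 54252 belongs to user id 22 (authorization). The signing key and the order store are constructed for the demo; the compact HS256 JWT is built with the standard library only.

```python
import base64, hashlib, hmac, json

# Constructed demo key. In production each MS obtains the verification key
# from the identity management system; it is never hard-coded like this.
DEMO_KEY = b"demo-signing-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """What /rest/login returns: header.payload.signature, signed with HS256."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def authenticate(token: str, key: bytes = DEMO_KEY) -> dict:
    """Authentication: is the token genuine? Returns the claims or raises."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    # The expected algorithm is fixed server-side; the token does not get to choose it.
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad signature")
    return json.loads(_unb64(payload))

# Constructed order store of the order MS: order id -> owner user id.
ORDERS = {54252: {"owner_id": 22, "items": ["the_odyssey"]},
          54253: {"owner_id": 23, "items": ["ulysses"]}}

def get_order(token: str, order_id: int) -> dict:
    """GET /rest/order/<id>: being logged in is not enough, the caller must own the order."""
    claims = authenticate(token)                      # step 1: who is calling?
    order = ORDERS.get(order_id)
    if order is None or order["owner_id"] != claims.get("id"):
        raise PermissionError("forbidden")            # step 2: may THIS user see it?
    return order
```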
46. Requesting Arbitrary URL?
• Feature found several times over the years
• Sometimes correctly implemented.
• Sometimes not.
• Problem: arbitrary requests to any internal node.
• It might be called SSRF by design.
49. The Fix
• Containerize the service
• Deploy the container outside the other sensitive services' network
• Harden the container!
• Do not rely on DNS/IP blacklists: easy to bypass! (At least keep the first resolution!)
• Block requests to 127.0.0.1/8!!
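An added example (not code from the talk) of the slide's last two rules for a requestor microservice: a target check that rejects loopback and other internal addresses and returns the first DNS resolution, so the caller opens its connection to that pinned IP instead of resolving again. The hostnames and the injectable resolver are constructed so the demo runs offline.

```python
import ipaddress, socket
from urllib.parse import urlsplit

def default_resolver(host: str) -> list:
    """Real DNS lookup; the test injects a fake resolver so nothing leaves the box."""
    return [info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)]

def _is_internal(ip) -> bool:
    if ip.version == 6 and ip.ipv4_mapped:      # ::ffff:127.0.0.1 is still 127.0.0.1
        ip = ip.ipv4_mapped
    # 127.0.0.1/8 from the slide plus the other ranges a requestor must never reach:
    # RFC1918, link-local, multicast, reserved and unspecified addresses.
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def pin_target(url: str, resolver=default_resolver) -> tuple:
    """Validate a user-supplied URL and return (host, pinned_ip, port).

    The caller must connect to pinned_ip (sending 'Host: host'), so the decision
    and the connection use the same resolution; looking the name up a second
    time at connect time is exactly what DNS rebinding abuses.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs are accepted")
    host = parts.hostname
    try:                                         # literal IPs never touch DNS
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolver(host)]
    if not candidates:
        raise ValueError(f"{host} does not resolve")
    # Every returned address must be public: a mixed answer is a rebinding trick.
    for ip in candidates:
        if _is_internal(ip):
            raise ValueError(f"{host} resolves to internal address {ip}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return host, str(candidates[0]), port
```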
56. The Attack
• API GATEWAY SEES http://hostname:8003/rest/products/%2e%2e%2fuser%2f1
– id = "%2e%2e%2fuser%2f1"
– and sends http://privateserver/products/%2e%2e%2fuser%2f1
• But HttpClient/private server normalizes the URL to: http://privateserver/user/1
• Double encoded: http://hostname:8003/rest/products/%252e%252e%252fuser%252f1
– PRIVATE SERVER REST APP SEES: /user/1
57. The Fix
• Apply defense in depth
– Each MS should validate input data
– Each MS should encode data according to the context when it's sent to another layer
– Separate services based on semantic groups of endpoints.
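An added example (written for this page, not the talk's code) that models the aggregator from slide 56 and the first two fix rules from this slide: the vulnerable forwarder pastes the id into the private-server URL, while the hardened one fully percent-decodes it (so %252e double encoding cannot hide a traversal), validates it against an allowlist and only then encodes it for the URL-path context. The private-server base URL is the slide's; the product-id pattern is an assumption for the demo.

```python
import posixpath, re
from urllib.parse import quote, unquote

PRIVATE_BASE = "http://privateserver"               # from the slide
PRODUCT_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")    # assumed allowlist for product ids

def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable, so %252e%252e%252f becomes ../ before validation."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def vulnerable_forward(product_id: str) -> str:
    """The aggregator on slide 56: forwards whatever id the gateway framework handed it."""
    return f"{PRIVATE_BASE}/products/{product_id}"

def hardened_forward(product_id: str) -> str:
    """Fix: validate the decoded value, then encode it for the path context it is sent in."""
    clean = fully_decode(product_id)
    if not PRODUCT_ID.match(clean):
        raise ValueError(f"rejected product id {product_id!r}")
    return f"{PRIVATE_BASE}/products/{quote(clean, safe='')}"

def private_server_sees(upstream_url: str) -> str:
    """Models the HttpClient/private-server step from the slide: decode once, normalize."""
    path = upstream_url[len(PRIVATE_BASE):]
    return posixpath.normpath(unquote(path))
```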
60. The Threat
• In recent months, several articles and blog posts exposed how malicious attackers are abusing cloud environments in order to infect them with crypto-mining malware.
• In February 2018, cybersecurity firm RedLock reported that hackers had secretly infiltrated public cloud environments and were using the compute instances to mine cryptocurrencies.
• Cloud Functions fit very well here! (AWS Lambda, Google Cloud Functions etc…)
• Hardened containers as well!!
61. The Threat
• One vulnerability (RCE/code injection) is enough.
• When you realize you've been attacked it's probably too late: several $$ have already been billed.
Eg: AWS Lambda Scaling:
AWS Lambda will dynamically scale capacity in response to increased traffic, subject to your account's Account Level Concurrent Execution Limit. To handle any burst in traffic, Lambda will immediately increase your concurrently executing functions by a predetermined amount, dependent on which region it's executed in.
By default, the concurrent execution limit is enforced against the sum of the concurrent executions of all functions. The shared concurrent execution pool is referred to as the unreserved concurrency allocation. The default is set to 1,000.
64. The Feature
• Export orders in PDF.
• Application is a Single Page Application using a JS framework.
• The idea is to use
– WebKitToPDF
– a headless Chrome
– Custom Electron with Webview
• to export the rendered HTML as PDF.
EASY PEASY!
65. The Feature
• Create a local web page using USER data
• Save it as PDF
• Send it back to the USER
• Problem:
– How to build the page?
– How is user data imported?
66. The Feature
• POST /create/pdf
htmlData=<body>...</body>
• Is that a Cross Site Scripting?
• Yeah, but it's a self XSS, no impact, right?
68. The Attack
• It's like having physical access to a browser on a machine in the host's private network!
• In some cases the attacker might have access to the filesystem (i.e. read files in the host FS)
• The attacker could also execute JavaScript
• ...and even implant a(nother) cryptominer!
69. The Fix
• From a browser perspective there's no easy fix, but there's a set of mitigations, too long to explain, but:
– Set the browser to offline (partially bypassable)
– Disable JavaScript (bypassable)
– Intercept and block all requests (partially bypassable)
– Close the process as soon as possible
• Mostly: harden the container!!
70. Last question:
• How do we deploy?
• Infrastructure as code
• In the repository with the rest of the code.
• Where are the access keys and passwords?
• Is the repository private? To whom?
71. Conclusions
• Microservices introduce new (old) unexpected security scenarios
• Developers and system architects must work together to generate ad hoc containers to mitigate dangerous features by design
• The complexity of the flows requires careful design in grouping microservices together
• Never underestimate attackers
• Apply defense in depth!!!!