SERVERLESS SECURITY:

Attackers & Defenders

Ory Segal

https://www.puresec.io/
About Me ( @orysegal )

• CTO & Co-founder at PURESEC, Serverless security

• Involved in AppSec field since the 90’s

• AppShield (World’s 1st WAF), IBM AppScan, Akamai Kona Cloud

Security

• Author of 20+ patents in the fields of App Security

HTTP/2 fingerprinting, SSHowDowN Proxy (IoT), JS Code-flow Founder & guitarist of the Israeli
Manipulation, HQL Tampering, Apache httpd RCE (CVE-2002-0061), Art-Rock band PITS
Apache OpenWhisk Mutability (CVE-2018-11756/7), Serverless Security
Top 10, CSA Serverless Security Top 12 - & contributed to HTTP Response
Splitting, HTTP Request Smuggling, MITRE CWE, SANS Top25, …

https://pits1.bandcamp.com/
Agenda

SERVERLESS SECURITY IN A NUTSHELL

FOCUS ON A FEW RISKS & PITFALLS

GET OUR HANDS DIRTY WITH A LIVE DEMO

ACTION ITEMS FOR YOU

Why Serverless?
Serverless Benefits

No servers to manage

Continuous scaling

Sub-second metering

Less security responsibilities

SERVERLESS SECURITY…

2014 - 2017: NOT YOUR SERVERS, NOT YOUR

PROBLEM…

2018 – TODAY: NOT QUITE…

Shared Model Of Responsibility

CLIENT-SIDE DATA IN CLOUD DATA IN TRANSIT

APPLICATION
OWNER
APPLICATIONS (FUNCTIONS)
RESPONSIBLE FOR
SECURITY “IN” THE
IDENTITY & ACCESS MANAGEMENT CLOUD SERVICES CONFIGURATION
CLOUD

OPERATING SYSTEM + VIRTUAL MACHINES + CONTAINERS

CLOUD PROVIDER
RESPONSIBLE FOR COMPUTE STORAGE DATABASE NETWORK
SECURITY “OF”
THE CLOUD REGIONS AVAILABILITY ZONES EDGE LOCATIONS
Security Responsibility: When You Own The Infrastructure (IaaS)

http://bit.ly/faas-vs-iaas ❑ Physical infrastructure, access restrictions to physical perimeter and hardware

❑ Secure configuration of infrastructure devices and systems
❑ Regularly testing the security of all systems/processes (OS, services)
CLOUD ❑ Identification and authentication of access to systems (OS, services)
❑ Patching and fixing flaws in OS
PROVIDER ❑ Hardening OS and services
❑ Protecting all systems against malware and backdoors
❑ Patching and fixing flaws in runtime environment and related software packages
❑ Exploit prevention and memory protection
8% ❑ Network segmentation
❑ Tracking and monitoring all network resources and access
❑ Installation and maintenance of network firewalls
❑ Network-layer DoS protection
❑ Authentication of users
❑ Authorization controls when accessing application and data
APPLICATION ❑ Log and maintain audit trails of all access to application and data
❑ Deploy an application layer firewall for event-data inspection
92% OWNER ❑ Detect and fix vulnerabilities in third-party dependencies
❑ Use least-privileged IAM roles and permissions
❑ Enforce legitimate application behavior
❑ Data leak prevention
❑ Scan code and configurations statically during development
❑ Maintain serverless/cloud asset inventory
❑ Remove obsolete/unused cloud services and functions
❑ Continuously monitor errors and security incidents
Security Responsibility: When You Adopt Serverless

http://bit.ly/faas-vs-iaas ❑ Physical infrastructure, access restrictions to physical perimeter and hardware

❑ Secure configuration of infrastructure devices and systems
❑ Regularly testing the security of all systems/processes (OS, services)
❑ Identification and authentication of access to systems (OS, services)
❑ Patching and fixing flaws in OS
❑ Hardening OS and services
52% ❑ Protecting all systems against malware and backdoors
❑ Patching and fixing flaws in runtime environment and related software packages
❑
CLOUD Exploit prevention and memory protection
❑ Network segmentation
PROVIDER ❑ Tracking and monitoring all network resources and access
❑ Installation and maintenance of network firewalls
❑ Network-layer DoS protection
❑ Authentication of users
❑ Authorization controls when accessing application and data
❑ Log and maintain audit trails of all access to application and data
❑
48% Deploy an application layer firewall for event-data inspection
❑ Detect and fix vulnerabilities in third-party dependencies
❑ Use least-privileged IAM roles and permissions
❑ Enforce legitimate application behavior
❑ Data leak prevention
APPLICATION ❑ Scan code and configurations statically during development
❑ Maintain serverless/cloud asset inventory
OWNER ❑ Remove obsolete/unused cloud services and functions
❑ Continuously monitor errors and security incidents
 SERVERLESS
EVENT SOURCES
(OVER)
SIMPLIFIED
EVENT
SOURCES
EVENT TRIGGER
…

CODE DEPLOY OUTPUT

{;}
CODE FUNCTION
REPOSITORY

CLOUD RESOURCES

INTERACTIONS
CLOUD
RESOURCES
REST API
 (SOME)
SERVERLESS
EVENT-DATA
INJECTION ATTACK
EVENT SURFACES
SOURCES
Compromise data

UNAUTHORIZED Business logic abuse

DEPLOYMENT Bypass authentication
{;} Leak secrets
DEPENDENCY
POISONING CODE FUNCTION Denial of service
REPOSITORY
Financial exhaustion
Code execution
...
CLOUD
TAMPER WITH RESOURCES
DATA
 Top Risks for Serverless Applications http://bit.ly/csa-top-12

Function event-data injection Insecure app secrets storage

SAS-1 SAS-7

Broken authentication SAS-8

DoS & Financial exhaustion
SAS-2

Insecure serverless deployment SAS-9

Serverless business logic manipulation
SAS-3

Over-privileged function permissions SAS-10

Improper exceptions handling & errors
SAS-4

Inadequate function monitoring SAS-11

Legacy functions & cloud resources
SAS-5

Insecure 3rd party dependencies SAS-12

Cross-execution data persistency
SAS-6
The Need For Serverless-Native Protection

TRADITIONAL SECURITY SERVERLESS

Protects applications by The application owner doesn't
being deployed on networks have any control over the
and servers infrastructure
 Traditional Protections Cannot Be Deployed On Serverless

INFRASTRUCTURE
L AY E R 7
INBOUND
OUTBOUND
NETWORK
B E H AV I O R AL

SERVERLESS
AP P L I C ATI O N EPP IPS WFUNCTIONS
SG NG-FW W AF

With No Infrastructure Based Protections,

Your Security is Reduced to
Good Coding and Strict Configuration
THE CHALLENGE OF ”LEAST-PRIVILEGED” IAM ROLES
Dynamo:*

▪BatchGetItem
Functions should only be allowed to do GetShardIterator
what they are tasked with
BatchWriteItem ListStreams
▪CreateTable
AWS IAM model is extremely powerful, yet ListTables
hard to get right
DeleteItem
▪DeleteTable
Human factor QUICK QUIZ: ListTagsOfResource
PurchaseReservedCapacityOfferings
DescribeLimits Query
C O N F I GU RATI O N

NAME &issues
▪ ‘Over-privileged’ SPELL
are theTHE
most CORRECT IAM PERMISSION
common mistake in serverless applications
DescribeReservedCapacity Scan
DescribeReservedCapacityOfferings TagResource
https://ubm.io/2FIrKq2
DescribeStream UntagResource
DescribeTable UpdateItem
GetItem UpdateTable
GetRecords
Least-privileged IAM roles are like bulkheads. They will contain
attackers to a specific vulnerable function in case of a breach
PutItem
How We Hacked Lambdashell.com ( http://bit.ly/lambda-shell-hack )
Challenge accepted!
Get The Environment Variables
Impersonate The Lambda Function
I’m the smartest man
alive!
Fail Miserably – Strict IAM Permissions
We’re Doomed!
Maybe There’s An S3 Bucket Involved?
There’s Always An S3 Bucket!
List the Contents of the Bucket
Do I Have “WRITE” Permissions?

That’s odd?!@# Oh, wait …oh no….

YOU DID WHAT
?!@#?!@
 GETTING IAM PERMISSIONS RIGHT

▪ Adopt ‘Role-per-Function’ model

▪ Think twice before hitting SHIFT +

▪ Use SAM managed policies

▪ SLS: use custom roles per function, ‘role-per-

function’ plugin

▪ Use the free PureSec ‘least-privileged’ IAM

automatic role generator

https://bit.ly/2S0jd7H
Corey Quinn ( @QuinnyPig )

“I doubt you will find anything

interesting, but give it your best
shot!”
Email Parsing with email.utils.parseaddr()
Parse This!

"Bar, Foo" <foo@bar.site> ➔ RFC 2822

<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>
@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>
x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a
>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<
>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x<
a>@<>x<a>@<>x<a>@<>x<a>@<>x<a>@<>x...

Wait, that’s not a serverless attack!...

POST x1000, rinse, repeat… now it is!
 Mission Accomplished

@QuinnyPig:
More App-DoS (ReDoS)

35
More App-DoS (ReDoS)

36
More App-DoS (ReDoS)

37
More App-DoS (ReDoS)
 DEMO //

AWS SES AWS SNS

Candidate LAMBDA

1. Candidate sends CV as PDF in email

2. SES receives email, creates SNS message
3. SNS invokes the function
4. Function converts PDF to text + stores AWS DynamoDB

results in DynamoDB
5. Function sends receipt to candidate
12 Most Critical Risks for Serverless (CSA) http://bit.ly/csa-top-12

AWS Lambda Security Best-Practices eBook http://bit.ly/aws-lambda-security

OWASP Serverless-Goat http://bit.ly/owasp-serverless-goat

Tame OSS packages w/ Function-Shield (free) https://puresec.io/function-shield

Deploy a Serverless Security Platform https://www.puresec.io/get-puresec