The ~~Ten~~ Three Most Critical Security Risks in Serverless Architectures

Transcript

1. The Ten Three Most Critical Security Risks in Serverless Architectures

   2018/04/26 Ӿઊ ଛလ@䆠䎦 1

2. ᛔ૩奧Օ • Ӿઊ ଛလ • μ϶φϮϊϐϖ ϯϝαϸίϤϷςЄϠ φ᮱ • AWSϊϷϲЄτϴЀίЄκϓμϕ

   • ςЄϝЄςαϖεЀυϘί • GitHub: knakayama 2

3. ψϐτϴЀٖ਻΁ͺ͚ͼ • αφ϶εϸ΄PureSecᐒ1 ͢ڊͭ͵White Paper΄ٖ਻Ψ䝏壧ͭͼͪ奧Օ • ͩ΄White Paper΅ςЄϝЄϹφίϤϷξЄτϴЀͽ䶲ΨͺͧΡΏͣψ κϲϷϓΰΨ10㮆奧Օͭ͵Θ΄ •

   ᇙ΁岉ޱႮ͡͹͵3ͺΨ奧Օ • ΞΠ托ͭͥ΅ܻ෈݇ᆙ2 2 https://www.puresec.io/resource-download 1 https://www.puresec.io/ 3

4. ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication

   4. Functions Execution Flow Manipulation 4

5. ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication

   4. Functions Execution Flow Manipulation 5

6. ςЄϝЄϹφίϤϷξЄ τϴЀ;ψκϲϷϓΰ • ϳЄσ͢ᓕቘͯΡ᮱ړ͢੝΀͚ݍᶎ̵ͽͣΡ ͩ;Θ੝΀͚ • ͺΔΠ̵䕪๶ጱ΀ψκϲϷϓΰ΄ᘍ͞ො͢ͳ ΄ΔΔၞአͭͻΟ͚ • εЄυδЀϕαЀφϕЄϸ僻ቘ

   • ψκϲϷϓΰ΄ϓφϕͿ͜ΚΡҘ • ͫΟ΁ΔͶΔͶ咲઀Ӿ΄ದ悬ړᰀ΀΄ͽ̵ϔ ϢήμϕφόЀύЄϖጱ΀枣຃䯤౮Θ΀ͫͳ ͜ 6

7. ΕΩ΀Ϳ͜ψκϲί΁ͯΡ͡ ಋറΠ΀ᇫ䙪͹Γ͚ 7

8. ͵Ͷဳ఺ͯΏͣᅩ΅ ͩ΄White Paper͡Ο憎͞Ρ͡Θ 8

9. ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection ! 3. Broken

   Authentication 4. Functions Execution Flow Manipulation 9

10. Function Event-Data Injection • ςЄϝЄϹφίϤϷξЄτϴЀ΅αϦЀϕϖϷϣЀ΁㳌ቘ͢ᤈΥ΢Ρ • ֺ: S3 -> Lambda

    -> DynamoDB • ͩ΄檭̵ڹྦྷ΄αϦЀϕ͡ΟჁͫ΢͵ఘ䁭Ψ͚Σ͚ΣےૡͭͼOutputͯ Ρ̵;͚͜΄͢ΞֵͥΥ΢ΡϞόЄЀ • ͵Ͷ̵ͭͩ΄ϔЄόΨͳ΄ΔΔֵ͹ͼͭΔ͜;ψκϲϷϓΰ΄㺔氂΁΀ Π஑Ρ • ᥝͯΡ΁̵فێ㮔Ψͭ͹͡ΠϝϷϔЄτϴЀͭΔͭΝ͜;͚͜扖 10

11. S3 Event Notification΄ֺ { "Records": [ { ... "s3": {

    "s3SchemaVersion": "1.0", "configurationId": "testConfigRule", "bucket": { "name": "example-bucket", "ownerIdentity": { "principalId": "EXAMPLE" }, "arn": "arn:aws:s3:::example-bucket" }, "object": { "key": "example-object", "size": 1024, "eTag": "0123456789abcdef0123456789abcdef", "sequencer": "0A1B2C3D4E5F678901" } } } ] } 11

12. ύϮύϮ΀ֺ • ηϣυδμϕ΄Ӿ᫝ͩ͢Ω΀Ͷ͹͵Ο {"username":"foobar"+require('child_process').exec('uname -a')} 12

13. ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication

    ! 4. Functions Execution Flow Manipulation 13

14. Broken Authentication • API Gateway + CognitoͽϳЄσ扯戣䌙فͭͼͼΘ՜΄᮱ړͽᑩ ᑮ͚ͼ͵Ο఺ޱ΀͚ͽͯΞ΃ • S3ϝξϐϕΨ僻洏΁ϞϣϷϐμ΁ͭͼ΀͚ͽͯ͡Ҙ

    • ϔϤϺαϮЀϕϞϐξЄυل樄ͭͷΙ͹ͼ΀͚ͽͯ͡Ҙ • ͷΙΩ;IAM戔ਧͭΞ͜ 14

15. ύϮύϮ΀ֺ 15

16. ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication

    4. Functions Execution Flow Manipulation 16

17. Functions Execution Flow Manipulation • ίϤϷξЄτϴЀ΄ϺυϐμΨ୓͹ͼ䘂ͫͯΡ;͚͜Θ΄ • ςЄϝЄϹφίϤϷξЄτϴЀ΄䁰ݳ̵愢හ΄AWSϷϊЄφ͢ 奲ΕݳΥͫ͹ͼ㵕ͥ;͚͜ᇙ௔Ӥ̵1ͺͽΘᑩ͘͢Ρ;䘂ͫͭ Κ͚ͯ᮱ړ΅͵ͭ͡΁͘Πͳ͜

    • ͩ͹ͷΘݶͮΞ͜΁IAM΄戔ਧͭͼ䘂ͫͽͣ΀͚Ξ͜΁ͭΔ ͭΝ͜;͚͜͠扖 17

18. Manipulation΄ֺ 18

19. Δ;Η • White Paper΁䨗͚ͼ͘Ρͩ;΅奾䯤୮͵Πڹ΄ͩ;ͭ͡䨗͚ͼ ΀͚ • ͵Ͷ̵ͭ୮͵Πڹ΄ͩ;Ψ୮͵Πڹ΁ͯΡ΄΅఺क़;櫞͚ͭ • ͘͞ͼݷڹΨͺͧΡͩ;ͽͳ΄㺔氂Ψ扯挷̵ͭ఺挷ͭΚͯͥͯ Ρ΄΅᯿ᥝ

    • 䌏ᒽΘͷΙΩ;䨗͚ͼ͘Ρ΄ͽӞଶ抎ΩͽΕͼ΅ 19