Is Serverless Safe? ~Hacking AWS Lambda~

Transcript

1. Is Serverless Safe? ~ Hacking AWS Lambda ~ Yutaka Hiroyama

   Japan AWS Top Engineer since 2019

2. Who am I • Yutaka Hiroyama •iret, Inc. CISO Director

   of Internal Control Promotion Office & Deputy Division Director of Cloud Integration Division •AWS Well Architected Lead AWS Top Engineers - 2019 ~ •Many certifications holder about cloud computing (AWS e.t.c.), security, development and others.

3. Who is us Development Construct MSP※ Resale AWS：since 2010 Premium

   Consulting Partner Design App Development Infrastructure

4. Intro

5. Can you steal another one’s data via this AWS Lambda

   function? JNQPSU
   KTPO JNQPSU
   ZBNM EFG
   )BOEMFS FWFOU
   DPOUFYU  EBUB
   
   ZBNMMPBE FWFOU<lCPEZz><%BUB> TUPSF@EBUB EBUB SFUVSO
   \ TUBUVT$PEF
   
    CPEZ
   
   l0,z ^ JNQPSU
   KTPO JNQPSU
   ZBNM EFG
   )BOEMFS FWFOU
   DPOUFYU  EBUB
   
   ZBNMMPBE FWFOU<lCPEZz><%BUB>  TUPSF@EBUB EBUB SFUVSO
   \ TUBUVT$PEF
   
    CPEZ
   
   l0,z ^

6. Caution!! https://unit42.paloaltonetworks.com/gaining-persistency- vulnerable-lambdas/ What Iʼll talk how to attack is

   under this article. You should not try this attack for the otherʼs environment !!

7. Hacking

8. Architecture of AWS Lambda As below is keys of this

   session. • A container will be created when cold start happen. • A bootstrap (runtime) and a code which written by user (handler) exists in the same container. • A runtime continue to loop procedure that call handler and return the response. 引⽤） https://aws.amazon.com/jp/blogs/compute/the-serverless-lamp-stack-part-3-replacing-the-web-server/ https://medium.com/build-succeeded/deconstructing-aws-lambda-functions-d1597dd054cd

9. Overview of the technique The attack can be actualized by

   replace the bootstrap via the handler. It exploit a vulnerability of OS command injection. The evil bootstrap send received data to specified IP address just before call handler.

10. Procedure of replacing bootstrap The attacker can persistence as below.

    1. Attacker tampere bootstrap which stole requested data. 2. Attacker create YAML file which contains tampered bootstrap and scripts which can replace bootstrap process. 3. Attacker send the YAML file. 4. Handler load YAML file. 5. While loading, handler replace current healthy bootstrap process with evil one. The evil bootstrap send received data to specified IP address just before call handler.

11. Attacking diagram - prepare

12. Attacking diagram - steal data Replace !

13. Key points Evil bootstrap has been created based on official

    one. The lambda function behave normally. So, Users and operators are hardly acknowledged the bootstrap has been replaced.

14. Extract of evil bootstrap This bootstrap send attached data to

    attacker by POST method.

15. Sample code of replacing bootstrap process script

16. Sample of creating evil YAML file script This script constructs

    camouflaged YAML file which contains evil bootstrap and bootstrap process changer.

17. The capture of stolen data You can see by Base64

    decode

18. Who has responsibility?

19. Shared responsibility model on AWS Lambda IaaSとサーバーレス 引⽤） https://docs.aws.amazon.com/whitepapers/latest/security-overview-aws-lambda/the-shared-responsibility-

20. Shared responsibility model on AWS Lambda IaaSとサーバーレス

21. Analyze

22. About vulnerability CVE-2017-18342 vulnerability can cause OS command injection. PyYAML

    library ver 5.1 or less. CVSS 3 score is 9.8. It’s very dangerous. 引⽤） https://nvd.nist.gov/vuln/detail/CVE-2017-18342

23. JNQPSU
    KTPO JNQPSU
    ZBNM EFG
    )BOEMFS FWFOU
    DPOUFYU  EBUB
    
    ZBNMMPBE FWFOU<lCPEZz><%BUB>  TUPSF@EBUB

    EBUB SFUVSO
    \ TUBUVT$PEF
    
     CPEZ
    
    l0,z ^ Controversial code

24. How to protect

25. Protect types Shift Left (Scan, Separate Network, Encryption) Shield Right

    (WAF, IDS/IPS, CWPP, VPC FlowLog, GuardDuty) Quote) https://sysdig.com/blog/cnapp-runtime-insights-shift-left- shield-right/

26. Example of Amazon CodeGuru detection Detected !!

27. Example of AWS WAF protection Check “os.execv” word. This is

    the log of AWS WAF, when received the attack.

28. Important Both of shift Left and shield right are necessary!

    You should prevent not only protect.

29. Wrap-up

30. Is AWS Lambda dangerous？ No！but not safe with no countermeasure

    OS command injection is valid on IaaS or On-Prem environments. Or rather, it can easily to make it happen, because the attacker had not to know bootstrap process. Moreover, AWS Lambda automatically reconstruct environment by cold start.

31. You should • You should do vulnerability countermeasures on FaaS

    such as AWS Lambda. • (But the established attack may kill by automatically) • You had better acknowledge how to work your using service to protect your system. • To prevent (Shift left) and to protect / detect (Shield right) are important. You should both of them.