The Ten Three Most Critical Security Risks in Serverless Architectures 2018/04/26 Ӿઊ ଛလ@䆠䎦 1 

ᛔ૩奧Օ • Ӿઊ ଛလ • μ϶φϮϊϐϖ ϯϝαϸίϤϷςЄϠ φ᮱ • AWSϊϷϲЄτϴЀίЄκϓμϕ • ςЄϝЄςαϖεЀυϘί • GitHub: knakayama 2 

ψϐτϴЀٖ਻΁ͺ͚ͼ • αφ϶εϸ΄PureSecᐒ1 ͢ڊͭ͵White Paper΄ٖ਻Ψ䝏壧ͭͼͪ奧Օ • ͩ΄White Paper΅ςЄϝЄϹφίϤϷξЄτϴЀͽ䶲ΨͺͧΡΏͣψ κϲϷϓΰΨ10㮆奧Օͭ͵Θ΄ • ᇙ΁岉ޱႮ͡͹͵3ͺΨ奧Օ • ΞΠ托ͭͥ΅ܻ෈݇ᆙ2 2 https://www.puresec.io/resource-download 1 https://www.puresec.io/ 3 

ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication 4. Functions Execution Flow Manipulation 4 

ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication 4. Functions Execution Flow Manipulation 5 

ςЄϝЄϹφίϤϷξЄ τϴЀ;ψκϲϷϓΰ • ϳЄσ͢ᓕቘͯΡ᮱ړ͢੝΀͚ݍᶎ̵ͽͣΡ ͩ;Θ੝΀͚ • ͺΔΠ̵䕪๶ጱ΀ψκϲϷϓΰ΄ᘍ͞ො͢ͳ ΄ΔΔၞአͭͻΟ͚ • εЄυδЀϕαЀφϕЄϸ僻ቘ • ψκϲϷϓΰ΄ϓφϕͿ͜ΚΡҘ • ͫΟ΁ΔͶΔͶ咲઀Ӿ΄ದ悬ړᰀ΀΄ͽ̵ϔ ϢήμϕφόЀύЄϖጱ΀枣຃䯤౮Θ΀ͫͳ ͜ 6 

ΕΩ΀Ϳ͜ψκϲί΁ͯΡ͡ ಋറΠ΀ᇫ䙪͹Γ͚ 7 

͵Ͷဳ఺ͯΏͣᅩ΅ ͩ΄White Paper͡Ο憎͞Ρ͡Θ 8 

ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection ! 3. Broken Authentication 4. Functions Execution Flow Manipulation 9 

Function Event-Data Injection • ςЄϝЄϹφίϤϷξЄτϴЀ΅αϦЀϕϖϷϣЀ΁㳌ቘ͢ᤈΥ΢Ρ • ֺ: S3 -> Lambda -> DynamoDB • ͩ΄檭̵ڹྦྷ΄αϦЀϕ͡ΟჁͫ΢͵ఘ䁭Ψ͚Σ͚ΣےૡͭͼOutputͯ Ρ̵;͚͜΄͢ΞֵͥΥ΢ΡϞόЄЀ • ͵Ͷ̵ͭͩ΄ϔЄόΨͳ΄ΔΔֵ͹ͼͭΔ͜;ψκϲϷϓΰ΄㺔氂΁΀ Π஑Ρ • ᥝͯΡ΁̵فێ㮔Ψͭ͹͡ΠϝϷϔЄτϴЀͭΔͭΝ͜;͚͜扖 10 

S3 Event Notification΄ֺ { "Records": [ { ... "s3": { "s3SchemaVersion": "1.0", "configurationId": "testConfigRule", "bucket": { "name": "example-bucket", "ownerIdentity": { "principalId": "EXAMPLE" }, "arn": "arn:aws:s3:::example-bucket" }, "object": { "key": "example-object", "size": 1024, "eTag": "0123456789abcdef0123456789abcdef", "sequencer": "0A1B2C3D4E5F678901" } } } ] } 11 

ύϮύϮ΀ֺ • ηϣυδμϕ΄Ӿ᫝ͩ͢Ω΀Ͷ͹͵Ο {"username":"foobar"+require('child_process').exec('uname -a')} 12 

ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication ! 4. Functions Execution Flow Manipulation 13 

Broken Authentication • API Gateway + CognitoͽϳЄσ扯戣䌙فͭͼͼΘ՜΄᮱ړͽᑩ ᑮ͚ͼ͵Ο఺ޱ΀͚ͽͯΞ΃ • S3ϝξϐϕΨ僻洏΁ϞϣϷϐμ΁ͭͼ΀͚ͽͯ͡Ҙ • ϔϤϺαϮЀϕϞϐξЄυل樄ͭͷΙ͹ͼ΀͚ͽͯ͡Ҙ • ͷΙΩ;IAM戔ਧͭΞ͜ 14 

ύϮύϮ΀ֺ 15 

ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication 4. Functions Execution Flow Manipulation 16 

Functions Execution Flow Manipulation • ίϤϷξЄτϴЀ΄ϺυϐμΨ୓͹ͼ䘂ͫͯΡ;͚͜Θ΄ • ςЄϝЄϹφίϤϷξЄτϴЀ΄䁰ݳ̵愢හ΄AWSϷϊЄφ͢ 奲ΕݳΥͫ͹ͼ㵕ͥ;͚͜ᇙ௔Ӥ̵1ͺͽΘᑩ͘͢Ρ;䘂ͫͭ Κ͚ͯ᮱ړ΅͵ͭ͡΁͘Πͳ͜ • ͩ͹ͷΘݶͮΞ͜΁IAM΄戔ਧͭͼ䘂ͫͽͣ΀͚Ξ͜΁ͭΔ ͭΝ͜;͚͜͠扖 17 

Manipulation΄ֺ 18 

Δ;Η • White Paper΁䨗͚ͼ͘Ρͩ;΅奾䯤୮͵Πڹ΄ͩ;ͭ͡䨗͚ͼ ΀͚ • ͵Ͷ̵ͭ୮͵Πڹ΄ͩ;Ψ୮͵Πڹ΁ͯΡ΄΅఺क़;櫞͚ͭ • ͘͞ͼݷڹΨͺͧΡͩ;ͽͳ΄㺔氂Ψ扯挷̵ͭ఺挷ͭΚͯͥͯ Ρ΄΅᯿ᥝ • 䌏ᒽΘͷΙΩ;䨗͚ͼ͘Ρ΄ͽӞଶ抎ΩͽΕͼ΅ 19