This document discusses serverless security for multi-cloud environments. It provides an overview of serverless computing and cloud security models. It also describes security services available on AWS, GCP and Azure clouds and discusses how to harden functions as a service (FaaS) by disabling outbound internet access, restricting access to temporary directories and disabling child process execution. Specific exploits like accessing function handlers and manipulating temporary files are demonstrated. The talk recommends provisioning FaaS within private networks and using techniques like monkey patching to dynamically update code behavior and enhance security.
2. Next 30 mins…
✓ Serverless & generic cloud security overview
✓ Security services from GCP, AWS & Azure
✓ Shared Responsibility Model
✓ Scenarios for FaaS hardening
❑ Disable outbound internet connectivity
❑ Disable read/write on the /tmp directory
❑ Disable child process execution
❑ Disable read access to the function’s handler
3. Career
➢ Principal SDE, SONICWALL, ~17 yrs. industry experience primarily
in systems, cloud (private/public), security, networking
➢ 8x certified in AWS, GCP & Azure
➢ Patent (India) in cloud security around distributed data storage
➢ Interest around serverless, containers and cloud native
technologiesofferings. Firm believer of a multi-hybrid cloud future
Community
➢ Community leader - AWS User Group, GDG Cloud & Cloud Native
➢ Regular speaker at domestic and international cloud/tech
conferences
➢ Multiple hackathon wins in cloud/security topics
➢ Recognized by Google as a community influencer
[~]$ whoami
runcyoommen
https://runcy.me
roommen
4. “Serverless computing is a cloud computing
execution model where cloud provider runs
the server, and dynamically manages the
resources.”
Reference:
https://en.wikipedia.org/wiki/Serverless_computing
Defining “Serverless”
10. Let’s define “Cloud security”
Set of policies, technologies, applications and
controls utilized to protect virtualized IP, data,
applications, services and the associated
infrastructure of cloud computing
Reference:
https://en.wikipedia.org/wiki/Cloud_computing_security
14. So, how exactly should cloud security
differ from traditional network security?
15. Ubiquitous
The cloud is always reachable from
anywhere, any time, any device
Scalable
You can add new features and
thousands of users without breaking a
sweat
Integrated
Security and other services talk to
each other for full visibility
Comprehensive
The Cloud scans every byte – ingress
and egress – including SSL & CDN
Intelligent
The cloud learns from every user and
connection; any new threat is blocked for all
Important facets of cloud
16. Early day cloud mindset
Move Fast OR Stay Secure
Modern day cloud mindset
Move Fast AND Stay Secure
24. ❑ Resources provisioned in cloud reside inside Virtual Private
Cloud (VPC)
❑ FaaS should also be provisioned within this SDN wrapper
dictated by network routes/configs/firewall rules
27. Functionality
CV filtering app that accepts
PDF file to perform text analysis
Assumption
Users will provide legitimate
PDF filenames for processing
Weakness
Filename embedded into shell
for direct shell command
invocations
Sample exploit
runcyoommenhttps://tinyurl.com/infoleaksample
28. Exploit #1: Sub-process invocation at will from the execution context
AWS Lambda
Google Cloud
Function
https://tinyurl.com/faasexploits runcyoommen
1
2
3
1
2
3
29. Exploit #2: Access function handler of serverless function
AWS Lambda
https://tinyurl.com/faasexploits runcyoommen
1
30. Exploit #3: Access /tmp to manipulate contents during execution
time
Google Cloud Function
https://tinyurl.com/faasexploits runcyoommen
1
2
1
2
AWS Lambda
31. Let’s do some “Monkey Patching”
What?
Technique to dynamically update
the behavior of a piece of code
Why?
Extend the behavior of modules,
classes or methods without actual
modification of source code
When?
• Extend or modify behavior at
runtime of libraries/methods
• During testing to mock behavior of
libs, modules, objects
• Quickly fix issues, if we don’t have
resources to roll proper fix
32. https://tinyurl.com/faasexploits
➢ Eclipsed the original
definition of os.system()
with a custom one
➢ Created a new
safe_system() which is
known only to us
➢ Use this new definition
and repeat this for
other definitions that
are not required to be
supported for your FaaS
runcyoommen
Sample patch