Security in AWS Lambdas - NavajaNegra CON 2018


  1. (IN)SECURITY IN AWS LAMBDAS: THE REVOLTING TRUTH. Daniel García - @ggdaniel / http://bit.do/cr0hn. Cesar Gallego - http://bit.do/cesar-gallego
  2. Cesar Gallego - http://bit.do/cesar-gallego / Daniel García - @ggdaniel // http://bit.do/cr0hn. <SPAM> ABOUT US </SPAM> Cesar: Big data specialist. Expert in functional programming and has an innate twisted mind for security. BBVA-Labs. Dani (cr0hn): Security researcher. I have a mixed profile in hacking and development. I am a little obsessed with the idea that not everything is invented yet. BBVA-Labs.
  5. WHAT’S A LAMBDA? A brief explanation
  6. WHAT’S A LAMBDA? - WE WANT A CAKE
  7. WHAT’S A LAMBDA? - WE WANT A CAKE: Objective
  10. WHAT’S A LAMBDA? - WE WANT A CAKE: Choices
  14. WHAT’S A LAMBDA? - WE WANT A CAKE: Cake shop - Steps: 1. Order a cake. 2. Eat the cake.
  17. WHAT’S A LAMBDA? - WE WANT A CAKE: Kitchen - Steps: 1. Get a kitchen. 2. Get the ingredients. 3. Get cookware. 4. Cook. 5. Eat cake. 6. Clean.
  29. WHAT’S A LAMBDA? - WE WANT A CAKE: Cake shop vs. Kitchen
  32. WHAT’S A LAMBDA? - WE WANT A LAMBDA: Do it yourself vs. Lambda
  35. WHAT’S A LAMBDA? - WE WANT A LAMBDA: Lambda
  38. WHAT’S A LAMBDA? - WE WANT A LAMBDA: Lambda - Request / Response
  39. WHAT’S A LAMBDA? - WHAT’S THE SECRET?
  48. WHAT’S A LAMBDA? - WHAT’S THE SECRET? We share the resources with others. Use it. And release it. ➤
  49. WHAT’S A LAMBDA? - HOW AMAZON DEFINES LAMBDAS
  50. WHAT’S A LAMBDA? - WHY WE LIKE LAMBDAS: Price
  55. WHAT’S A LAMBDA? - WHY WE LIKE LAMBDAS
  56. WHAT’S A LAMBDA? - WHY WE LIKE LAMBDAS: Pricing example. ~10,000 users per day -> 300,000 users per month. ~200 requests per user per day. ~200 ms per request.
  57. Requests: 10,000 * 200 = 2,000,000 requests per day. 10,000 * 200 * 30 days = 60,000,000 requests per month.
  58. Costs: $0.000000208 per 100 ms -> $0.000000416 per user request (200 ms). 2,000,000 * 0.000000416 = $0.832 per day. 0.832 * 30 = $25 per month.
  61. LAMBDA ARCHITECTURE: Discovering lambdas
  62. AWS LAMBDAS - HOW DOES A LAMBDA WORK IN AWS? Request -> ? -> Response
  64. AWS LAMBDAS - HOW DOES A LAMBDA WORK IN AWS? What does Amazon say?
  68. AWS LAMBDA - WHY? We like lambdas and we need to ensure that they are safe.
  69. AWS LAMBDA - DISCOVERING LAMBDA ARCHITECTURE: Request / Response
  72. AWS LAMBDA - DISCOVERING LAMBDA ARCHITECTURE: Request / Response (not confirmed by Amazon)
  73. AWS LAMBDA - DISCOVERING LAMBDA ARCHITECTURE
  74. AWS LAMBDA - DISCOVERING LAMBDA ARCHITECTURE: How did we do the research?
  76. AWS LAMBDA - DISCOVERING LAMBDA ARCHITECTURE: Servers. Storage system. Communication system. Control & monitoring system.
  80. AWS LAMBDA - DISCOVERING LAMBDA ARCHITECTURE: Virtualization or bare metal
  85. AWS LAMBDA - DISCOVERING LAMBDA ARCHITECTURE: Lambda execution system
  89. AWS LAMBDA - DISCOVERING LAMBDA ARCHITECTURE: Lambda execution system: systemd +
  90. AWS LAMBDA - DISCOVERING LAMBDA ARCHITECTURE: Operating system on host
  94. AWS LAMBDA - DISCOVERING LAMBDA ARCHITECTURE: Operating system inside lambda environment
  97. AWS LAMBDA - DISCOVERING LAMBDA ARCHITECTURE: Operating system inside lambda environment. https://docs.aws.amazon.com/es_es/lambda/latest/dg/current-supported-versions.html
  99. AWS LAMBDA - DISCOVERING LAMBDA ARCHITECTURE: Stack
  100. AWS LAMBDA - DISCOVERING LAMBDA ARCHITECTURE: Stack …. chroot
  101. LAMBDAS SECURITY: Our concerns
  102. LAMBDAS SECURITY - SUMMARY: 1. Reverse shell. 2. User listing. 3. Host fingerprinting. 4. Temporary directory wiping. 5. Modification of system execution limits. 6. Arbitrary download and execution of binaries. 7. Raw socket creation disallowed. 8. Outdated software inside lambda. 9. Using lambdas to perform DoS attacks. 10. DoS to services deployed as lambdas. 11. DoS to the economy of the account. 12. “Burning” lambda outgoing IPs. 13. Conclusions of the analysis of data traffic and connections.
  103. LAMBDAS SECURITY - REVERSE SHELL: It’s possible to open a remote, interactive reverse shell within a lambda.
  106. LAMBDAS SECURITY - REVERSE SHELL: /analysis/console/<remote_ip>/<remote_port>
  108. LAMBDAS SECURITY - USERS INSIDE LAMBDAS: Lambda users can be listed and predicted.
  109. LAMBDAS SECURITY - USERS INSIDE LAMBDAS: File: /etc/passwd. ➤ What is inside the AWS black box? ➤ How secure is that box? -> we are not going to answer that ➤ What risks come with uncertain infrastructure ➤ And what you can do as a user of the lambda service -> lambda hardening ➤ How to hack lambdas
  110. LAMBDAS SECURITY - USERS INSIDE LAMBDAS: ➤ It appears that users are provisioned when the host machine is deployed. ➤ Each lambda is executed as a random user with the privileges of a “sbx_xxxx” user. ➤ It appears that the user names are sequential between new VM instance deployments. ➤ It appears that 126 “sbx” users are always provisioned. ➤ It appears that the number of users matches the maximum number of lambda executions that can run on each host machine.
  111. LAMBDAS SECURITY - HARDWARE FINGERPRINTING: Host machines could be fingerprinted.
  116. LAMBDAS SECURITY - HARDWARE FINGERPRINTING: Memory + CPU flags + user prefixes + other system IDs… -> Hash: e7509a8c032f3bc2a8df1df476f8ef03436185fa
  117. LAMBDAS SECURITY - R/W FILE SYSTEM IS TEMPORARY: Each time a lambda runs, a temporary directory is created.
  118. LAMBDAS SECURITY - R/W FILE SYSTEM IS TEMPORARY: Mounted devices inside a lambda:
  119. LAMBDAS SECURITY - R/W FILE SYSTEM IS TEMPORARY: ➤ You can download and store any information from anywhere in the /tmp folder. ➤ Loop-mounted devices are different each time the lambda restarts. In other words: if the lambda is warm, the loop device is the same between executions. ➤ Loop devices are local to the execution machine. ➤ When a lambda is suspended and then reactivated, the loop device changes. ➤ Each time a new loop device is attached to a lambda, it is empty and wiped (it doesn’t keep information between executions).
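An added Python example (not from the talk) of the warm-container behaviour these slides describe and the hygiene it calls for: a naive handler that drops a fetched file in /tmp leaves it there for the next invocation of the same warm container, while a hardened handler works in a per-invocation directory removed in `finally` and reports anything already present in /tmp as untrusted leftover instead of using it. `SCRATCH_ROOT`, `fresh_root()` and the `{"payload": ...}` event shape are constructed for the example so it runs on any machine.

```python
import os
import shutil
import tempfile

# /tmp is the only writable path inside a Lambda; SCRATCH_ROOT is a name assumed for
# this example so the same code runs on any machine (constructed, not a Lambda setting).
SCRATCH_ROOT = os.environ.get("SCRATCH_ROOT", "/tmp")

# Module-level state, like /tmp, survives for as long as the container stays warm.
INVOCATIONS = 0


def fresh_root():
    """Stand-in for a cold container's empty /tmp when running outside Lambda."""
    return tempfile.mkdtemp(prefix="lambda-tmp-")


def scratch_contents(root):
    """Entries already present in the scratch root. On a warm container these were
    left behind by earlier invocations of the same function."""
    try:
        return sorted(os.listdir(root))
    except FileNotFoundError:
        return []


def naive_handler(event, context=None, root=SCRATCH_ROOT):
    """Writes a fetched payload to a fixed file under /tmp and never removes it,
    so the file is still there for the next warm invocation."""
    global INVOCATIONS
    INVOCATIONS += 1
    found = scratch_contents(root)
    with open(os.path.join(root, "downloaded.bin"), "wb") as f:
        f.write(event.get("payload", b""))
    return {"invocation": INVOCATIONS, "leftovers_seen": found}


def hardened_handler(event, context=None, root=SCRATCH_ROOT):
    """Uses a private per-invocation directory that is removed in `finally`, so nothing
    survives container reuse; whatever is already in /tmp is only reported (worth a
    log line or metric), never read or executed."""
    global INVOCATIONS
    INVOCATIONS += 1
    found = scratch_contents(root)
    workdir = tempfile.mkdtemp(prefix="inv-", dir=root)
    try:
        path = os.path.join(workdir, "payload.bin")
        with open(path, "wb") as f:
            f.write(event.get("payload", b""))
        processed = os.path.getsize(path)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return {"invocation": INVOCATIONS, "leftovers_seen": found, "bytes": processed}


def handler(event, context):
    """Entry point a Lambda would be configured with."""
    return hardened_handler(event, context)


if __name__ == "__main__":
    root = fresh_root()
    print(naive_handler({"payload": b"first"}, root=root))     # leftovers_seen: []
    print(naive_handler({"payload": b"second"}, root=root))    # leftovers_seen: ['downloaded.bin']
    print(hardened_handler({"payload": b"third"}, root=root))  # reports the leftover, adds nothing
```

Running the script twice in one process models two invocations of one warm container; the naive handler's second call already finds `downloaded.bin`, which is exactly what the "loop is the same between executions" slide means in practice.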
  120. LAMBDAS SECURITY - MODIFYING LIMITS IS NOT ALLOWED: System limits can’t be modified.
  121. LAMBDAS SECURITY - MODIFYING LIMITS IS NOT ALLOWED: Listing environment limits
  122. LAMBDAS SECURITY - MODIFYING LIMITS IS NOT ALLOWED: Listing kernel config
  124. LAMBDAS SECURITY - MODIFYING LIMITS IS NOT ALLOWED: ➤ Fork bombing gets no results. ➤ The lambda user can’t modify system limits. ➤ Exceeding the memory limit gets no results.
  125. LAMBDAS SECURITY - ARBITRARY DOWNLOAD AND EXECUTION: Arbitrary binaries can be downloaded and executed inside a lambda.
  126. LAMBDAS SECURITY - ARBITRARY DOWNLOAD AND EXECUTION: ➤ You can download arbitrary files and save them into /tmp. ➤ /tmp has execution permissions.
  127. LAMBDAS SECURITY - RAW SOCKET CREATION: Raw sockets can’t be created.
  130. LAMBDAS SECURITY - OUTDATED LAMBDA AMI: Found outdated software inside the lambda environment.
  131. LAMBDAS SECURITY - OUTDATED LAMBDA AMI: https://docs.aws.amazon.com/en_en/lambda/latest/dg/current-supported-versions.html
  133. LAMBDAS SECURITY - OUTDATED LAMBDA AMI: https://aws.amazon.com/amazon-linux-ami/
  135. LAMBDAS SECURITY - USED TO DO DOS ATTACK: It can’t be used to perform DoS attacks.
  136. LAMBDAS SECURITY - USED TO DO DOS ATTACK: Hypothesis: if we launch a lot of lambdas at the same time, we can open hundreds of parallel connections to the target.
  137. LAMBDAS SECURITY - USED TO DO DOS ATTACK: Research process
  141. LAMBDAS SECURITY - USED TO DO DOS ATTACK: Research process: external machine. ~1000 concurrent. 1 thread, 1 process.
  142. LAMBDAS SECURITY - USED TO DO DOS ATTACK: Empirical results: after a lot of tests, we couldn’t successfully perform a DoS attack. It appears that AWS limits the outgoing concurrent connections to the same target.
  143. LAMBDAS SECURITY - DOS WITH 1000 CONCURRENT CONNECTIONS: Services deployed as a lambda could be attacked by DoS.
  144. LAMBDAS SECURITY - DOS WITH 1000 CONCURRENT CONNECTIONS: ➤ By default, lambdas can “only” accept 1000 concurrent input connections. ➤ If you need more, they must be specifically reserved, and must be validated by AWS.
  148. LAMBDAS SECURITY - DOS WITH 1000 CONCURRENT CONNECTIONS: Countermeasures (only one ‘D’!): ➤ Configure your API Gateway well. ➤ To avoid connection DoS you must follow good practices and perform a small hardening. ➤ AWS limits work very well, preventing DoS attacks that use lambdas.
  149. 149. Cesar Gallego - http://bit.do/cesar-gallegoDaniel García - @ggdaniel // http://bit.do/cr0hn LAMBDAS SECURITY - ECONOMIC DOS We can exhaust the billing limits of an AWS account
  150. 150. Cesar Gallego - http://bit.do/cesar-gallegoDaniel García - @ggdaniel // http://bit.do/cr0hn LAMBDAS SECURITY - ECONOMIC DOS
  151. 151. Cesar Gallego - http://bit.do/cesar-gallegoDaniel García - @ggdaniel // http://bit.do/cr0hn LAMBDAS SECURITY - ECONOMIC DOS
  152. 152. Cesar Gallego - http://bit.do/cesar-gallegoDaniel García - @ggdaniel // http://bit.do/cr0hn LAMBDAS SECURITY - ECONOMIC DOS
  153. 153. Cesar Gallego - http://bit.do/cesar-gallegoDaniel García - @ggdaniel // http://bit.do/cr0hn LAMBDAS SECURITY - ECONOMIC DOS
  154. 154. Cesar Gallego - http://bit.do/cesar-gallegoDaniel García - @ggdaniel // http://bit.do/cr0hn LAMBDAS SECURITY - ECONOMIC DOS
  155. 155. Cesar Gallego - http://bit.do/cesar-gallegoDaniel García - @ggdaniel // http://bit.do/cr0hn LAMBDAS SECURITY - ECONOMIC DOS
156. LAMBDAS SECURITY - ECONOMIC DOS. Pricing example: ~ lambda with 512 MB RAM (Java), ~ 500 ms per execution, 1,000 executions per second (1,000 is also the default concurrency limit of an account). 500 $ buys roughly 100,000,000 lambda calls. Time needed to burn them: at 1,000 calls per second, 100,000,000 / 1,000 = 100,000 s ≈ 27.8 h (about 1.2 days); if all 1,000 concurrent slots are kept busy with 500 ms calls the rate is 1,000 / 0.5 s = 2,000 calls per second and it takes 100,000,000 / 2,000 = 50,000 s ≈ 13.9 h. Either way the budget is gone in well under two days.
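A worked version of the arithmetic above, as an added example (not code from the talk): it computes the bill for a given number of invocations, how long a flood needs to burn a budget at a given concurrency, and the reserved concurrency that keeps a worst-case 24 h flood under a daily budget. The prices are the public x86 Lambda list prices at the time of the talk ($0.20 per million requests, $0.0000166667 per GB-second) and are an assumption to check against the current price list; the free tier is ignored, which slightly overstates the cost.

```python
"""Economic DoS on AWS Lambda: how fast a budget burns, and the concurrency
cap that bounds it.  Added example, not from the talk.  Prices are the public
x86 Lambda list prices at the time of the talk (assumption: verify against the
current price list).  The monthly free tier is ignored."""
import math

PRICE_PER_REQUEST = 0.20 / 1_000_000   # USD per invocation
PRICE_PER_GB_SECOND = 0.0000166667     # USD per GB-second of execution


def cost_per_invocation(memory_mb: int, duration_ms: int) -> float:
    """USD billed for one invocation with this memory size and duration."""
    gb_seconds = (memory_mb / 1024) * (duration_ms / 1000)
    return PRICE_PER_REQUEST + gb_seconds * PRICE_PER_GB_SECOND


def lambda_cost(invocations: int, memory_mb: int, duration_ms: int) -> float:
    """Total USD for `invocations` calls (the talk's 100M calls at 512 MB / 500 ms)."""
    return invocations * cost_per_invocation(memory_mb, duration_ms)


def invocations_per_second(concurrency: int, duration_ms: int) -> float:
    """Sustained throughput when every one of `concurrency` slots is kept busy."""
    return concurrency / (duration_ms / 1000)


def hours_to_serve(invocations: int, duration_ms: int, concurrency: int) -> float:
    """Wall-clock hours a flood needs to push `invocations` calls through."""
    return invocations / invocations_per_second(concurrency, duration_ms) / 3600


def hours_to_exhaust(budget_usd: float, memory_mb: int, duration_ms: int,
                     concurrency: int) -> float:
    """Hours until `budget_usd` is spent when the attacker saturates the concurrency."""
    calls = budget_usd / cost_per_invocation(memory_mb, duration_ms)
    return hours_to_serve(calls, duration_ms, concurrency)


def reserved_concurrency_for_daily_budget(budget_usd_per_day: float, memory_mb: int,
                                          duration_ms: int) -> int:
    """Largest reserved concurrency such that even a 24 h flood cannot exceed the
    daily budget.  Reserved concurrency is the one hard cap AWS gives you; a
    billing alarm only notifies.  A result of 0 would disable the function."""
    per_call = cost_per_invocation(memory_mb, duration_ms)
    worst_case_calls_per_slot = 86_400 / (duration_ms / 1000)
    return math.floor(budget_usd_per_day / (worst_case_calls_per_slot * per_call))


if __name__ == "__main__":
    # The talk's scenario: 512 MB, 500 ms, default limit of 1000 concurrent executions.
    print(f"100M calls cost   : ${lambda_cost(100_000_000, 512, 500):,.2f}")
    print(f"time for 100M     : {hours_to_serve(100_000_000, 500, 1000):.1f} h")
    print(f"$500 gone after   : {hours_to_exhaust(500, 512, 500, 1000):.1f} h")
    print(f"cap for $50/day   : {reserved_concurrency_for_daily_budget(50, 512, 500)} concurrent")
```

The last function is the countermeasure the section is hinting at: pick the budget you can tolerate losing in a day and derive the reserved concurrency from it, rather than relying on an alarm that fires after the money is spent.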
161. LAMBDAS SECURITY - ECONOMIC DOS. It could be worse… if you don't have billing limits. Note that AWS has no hard spending cap: a billing alarm only notifies you, so the control that actually stops the bleeding is the reserved concurrency you set on the function.
163. LAMBDAS SECURITY - BURNING OUTPUT IP. Outgoing lambda IPs could be "burned". Diagram (slides 167-174): a public service that rate-limits by source IP, with a throttling quota of 1000 requests, and several lambda containers whose traffic all leaves through the same outgoing IP (drawn as 192.168.x.1). Throttling: 1000 → 1 request from 192.168.x.1: 999 → another request from 192.168.x.1: 998 → 998 more requests: 0 → one more request from 192.168.x.1 is refused and the counter stays at 0.
175. LAMBDAS SECURITY - BURNING OUTPUT IP. ➤ We can burn the outgoing IPs of the lambda machines. ➤ Other lambda users can't use those machines to reach the same public services. ➤ So… we can force each service to reach its throttling limit for everyone who shares that outgoing IP.
176. LAMBDAS SECURITY - GEOLOCATION AWS. Lambdas are executed under water (IP geolocation puts their outgoing IPs in the sea)
178. LAMBDAS SECURITY - GEOLOCATION AWS. Research process
183. LAMBDAS SECURITY - GEOLOCATION AWS. Dublin, San Jose (California), London, Ohio, Oregon, Singapore
189. LAMBDAS SECURITY - GEOLOCATION AWS. It was not possible to geolocate the outgoing IPs.
190. AWS LAMBDA - DATA ANALYSIS. Interesting hypotheses can be formulated from the data analysis
193. AWS LAMBDA - DATA ANALYSIS. Fact 1: any given hostname always uses the same outgoing IP. Hypothesis 1: the network configuration correlates hostname and outgoing IP
196. AWS LAMBDA - DATA ANALYSIS. Fact 2: over the whole capture the same hostname shows up with several IPs. Hypothesis 2: the hostname can be on several machines
198. AWS LAMBDA - DATA ANALYSIS. Hypothesis 1 + 2: the hostname is associated with a moving container
201. AWS LAMBDA - DATA ANALYSIS. Fact 3: the number of concurrent requests seems to appear in even numbers. Hypothesis 3: the scaling algorithm grows machines in pairs
206. AWS LAMBDA - DATA ANALYSIS. AWS' scaling algorithm can absorb very irregular traffic and stabilise it
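The checks behind Facts 1 to 3, plus the shared-egress-IP problem from the "burning output IP" section, as an added example that is not part of the talk. The observations are constructed (RFC 5737 TEST-NET-2 addresses, hostnames host-a to host-f); the real data set would come from a lambda that records its hostname and its egress IP on each invocation, which is not shown here.

```python
"""Analyse (time window, hostname, egress IP) samples collected from lambda
invocations.  Added example; the observations below are constructed with
RFC 5737 TEST-NET-2 addresses and do not come from AWS."""
from collections import defaultdict

# (window, hostname, egress_ip): constructed sample, not real measurements.
OBSERVATIONS = [
    (0, "host-a", "198.51.100.10"),
    (0, "host-b", "198.51.100.10"),
    (1, "host-a", "198.51.100.10"),
    (1, "host-b", "198.51.100.10"),
    (1, "host-c", "198.51.100.11"),
    (1, "host-d", "198.51.100.11"),
    (2, "host-a", "198.51.100.12"),   # same hostname, new egress IP: container moved
    (2, "host-b", "198.51.100.10"),
    (2, "host-c", "198.51.100.11"),
    (2, "host-d", "198.51.100.11"),
    (3, "host-a", "198.51.100.12"),
    (3, "host-b", "198.51.100.10"),
    (3, "host-c", "198.51.100.11"),
    (3, "host-d", "198.51.100.11"),
    (3, "host-e", "198.51.100.12"),
    (3, "host-f", "198.51.100.12"),
]


def ips_per_hostname(obs):
    """Facts 1 and 2: every egress IP each hostname was ever seen behind."""
    out = defaultdict(set)
    for _, host, ip in obs:
        out[host].add(ip)
    return dict(out)


def one_ip_per_hostname_per_window(obs):
    """Fact 1 read strictly: within a single window a hostname has one egress IP."""
    seen = defaultdict(set)
    for window, host, ip in obs:
        seen[(window, host)].add(ip)
    return all(len(ips) == 1 for ips in seen.values())


def moving_hostnames(obs):
    """Hypothesis 1 + 2: hostnames that appeared behind more than one egress IP."""
    return {host for host, ips in ips_per_hostname(obs).items() if len(ips) > 1}


def hostnames_per_ip(obs):
    """Burning output IP: everything behind one egress IP shares any per-IP quota."""
    out = defaultdict(set)
    for _, host, ip in obs:
        out[ip].add(host)
    return dict(out)


def quota_share(obs, per_ip_quota):
    """Per-IP quota of a third-party service split among the hosts sharing the IP
    (worst case, equal use).  One abusive tenant can take the whole quota."""
    return {ip: per_ip_quota // len(hosts) for ip, hosts in hostnames_per_ip(obs).items()}


def active_hosts_per_window(obs):
    """Fact 3 input: number of distinct hostnames seen in each window."""
    hosts = defaultdict(set)
    for window, host, _ in obs:
        hosts[window].add(host)
    return {w: len(h) for w, h in sorted(hosts.items())}


def grows_in_pairs(obs):
    """Hypothesis 3: every per-window host count is even."""
    return all(n % 2 == 0 for n in active_hosts_per_window(obs).values())


if __name__ == "__main__":
    print("IPs per hostname      :", ips_per_hostname(OBSERVATIONS))
    print("one IP per window     :", one_ip_per_hostname_per_window(OBSERVATIONS))
    print("moving hostnames      :", moving_hostnames(OBSERVATIONS))
    print("hosts per egress IP   :", hostnames_per_ip(OBSERVATIONS))
    print("share of a 1000 quota :", quota_share(OBSERVATIONS, 1000))
    print("active hosts / window :", active_hosts_per_window(OBSERVATIONS))
    print("grows in pairs        :", grows_in_pairs(OBSERVATIONS))
```

On real data the interesting cases are the ones this sample is built to show: a hostname that changes egress IP between windows (the moving container of Hypothesis 1 + 2) and an egress IP shared by several hostnames, which is exactly the situation in which one tenant can burn a per-IP quota for everyone else.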
207. DEMO TIME! YUHU! DEMO!
208. LAMBDAS SECURITY - REVERSE SHELL. First demo… old school (live demo, no slide content). Maybe we must do the demo like the ancient guys
219. LAMBDAS SECURITY - SUMMARY
1. Reverse shell
2. User listing
3. Host fingerprinting
4. Temporary directory wiping
5. Modification of system execution limits
6. Arbitrary download and execution of binaries
7. Raw socket creation disallowed
8. Outdated software inside the lambda
9. Using lambdas to perform DoS attacks
10. DoS against services deployed as lambdas
11. DoS against the account's economy
12. "Burning" lambda outgoing IPs
13. Conclusions of the analysis of data traffic and connections
220. CONCLUSIONS - Summary of reviews
221. CONCLUSIONS - WE LIKE LAMBDAS FOR… ➤ Internal AWS orchestration ➤ Small services with a single purpose ➤ Heavy processes with long idle time between runs ➤ Lambdas are cheaper if your service is not used very frequently
222. CONCLUSIONS - WE DON'T LIKE LAMBDAS FOR… ➤ Very critical services that need an instant response (the lambda needs to be warm) ➤ Consuming remote services ➤ Processes with unpredictable processing time ➤ Complex tasks
223. REFERENCES
➤ https://www.denialof.services/lambda/
➤ https://www.bbva.com/en/economics-of-serverless/
➤ https://www.youtube.com/watch?reload=9&v=aZlrv-0PE_c
224. Thanks!