AppSec Europe 2018

With Lambda by Amazon, Cloud function by Google, and Azure functions by Microsoft, we are seeing more and more organizations leveraging the advantages introduced by serverless computing. But what does serverless computing entail when it comes to security? With no dedicated server, is the security risk higher or lower? Can malware live inside the code? These are critical questions every organization shifting to a serverless environment should be asking.
We challenged our Checkmarx Research Team to implement the first-ever RCE (Remote Code Execution) attack in a serverless environment that is both stored and viral. Using Amazon’s Lambda as our first test subject, we were able to build a PoC where we showed how information extraction and exfiltration is done. We also demonstrated how the payload persists and can be injected into other non-vulnerable functions. We then went ahead and tested to see if the same would work on Azure and Google Cloud. Curious to know the outcome?
In this talk, we will present our findings along with some best practices and tips to ensuring security prevails in a serverless environment. The presentation will start by explaining serverless computing and its advantages. We will then start digging into the details of serverless computing and how the architecture is built by the different vendors.
Our next step will be to discuss how serverless computing impacts security and how functions can be leveraged to expose the platform to infections and data exfiltrations.
The presentation details the research we conducted and shows a step-by-step process of a completely new attack vector allowing attackers to exploit command injection to:
·         Gather sensitive information from the ephemeral machine
·         Persist a payload in a non-persistent environment (by leveraging S3 write permissions)
·         Infect co-located functions to get a viral effect of all-or-nothing in remediation efforts
We will demonstrate the attack steps on one or more platforms using a live web application.
People who will join this talk will:
·     Understand the architecture and advantages of a serverless computing environment
·     Learn the security challenges entailed in working in a serverless environment
·     View a live demo on how data is infiltrated, infected, and exfiltrated in a serverless environment
·     See how we built self-duplicating attacks that survive persistently within the code
·     Watch as the attack is executed on platforms running on serverless environments