AppSec Europe 2018 has ended
Friday, July 6 • 3:30pm - 4:15pm
Serverless Infections - Malware Just Found a New Home


With Lambda by Amazon, Cloud Functions by Google, and Azure Functions by Microsoft, we are seeing more and more organizations leveraging the advantages introduced by serverless computing. But what does serverless computing entail when it comes to security? With no dedicated server, is the security risk higher or lower? Can malware live inside the code? These are critical questions every organization shifting to a serverless environment should be asking.
We challenged our Checkmarx Research Team to implement the first-ever RCE (Remote Code Execution) attack in a serverless environment that is both stored and viral. Using Amazon’s Lambda as our first test subject, we were able to build a PoC where we showed how information extraction and exfiltration are done. We also demonstrated how the payload persists and can be injected into other non-vulnerable functions. We then went ahead and tested to see if the same would work on Azure and Google Cloud. Curious to know the outcome?
In this talk, we will present our findings along with some best practices and tips for ensuring security prevails in a serverless environment. The presentation will start by explaining serverless computing and its advantages. We will then dig into the details of serverless computing and how the architecture is built by the different vendors.
Our next step will be to discuss how serverless computing impacts security and how functions can be leveraged to expose the platform to infections and data exfiltration.
The presentation details the research we conducted and shows a step-by-step process of a completely new attack vector allowing attackers to exploit command injection to:
· Gather sensitive information from the ephemeral machine
· Persist a payload in a non-persistent environment (by leveraging S3 write permissions)
· Infect co-located functions to create a viral effect that makes remediation an all-or-nothing effort
We will demonstrate the attack steps on one or more platforms using a live web application.
Attendees of this talk will:
· Understand the architecture and advantages of a serverless computing environment
· Learn the security challenges entailed in working in a serverless environment
· View a live demo on how data is infiltrated, infected, and exfiltrated in a serverless environment
· See how we built self-duplicating attacks that survive persistently within the code
· Watch as the attack is executed on platforms running on serverless environments

Amit Ashbel

Cyber Security Evangelist
Amit has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and...
Shimi Eshkenazi

Research Team, Checkmarx

Friday July 6, 2018 3:30pm - 4:15pm BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE