Gone in 60 Milliseconds: Intrusion and Exfiltration in Server-less Architectures

Presented at 33C3 (2016), Dec. 28, 2016, 1:45 p.m. (30 minutes)

More and more businesses are moving away from monolithic servers and turning to event-driven microservices powered by cloud function providers like AWS Lambda. So, how do we hack into a server that only exists for 60 milliseconds?

This talk will show novel attack vectors using cloud event sources, exploitable weaknesses in common server-less patterns and frameworks, abuse of undocumented features in AWS Lambda for persistent malware injection, identifying valuable targets for pilfering, and, of course, how to exfiltrate juicy data out of a secure Virtual Private Cloud.

This talk will be the first public anatomy of an attack on a server-less application deployed to AWS Lambda and AWS API Gateway. It'll be useful for any application developer looking to build a server-less application, and for any hacker who's come up against this interesting new class of application.

First, we'll take a look at the current state of server-less architectures and show some common deployment patterns and how they're used in production, comparing the advantages and trade-offs against traditional monolithic servers.

Next, we'll explore the attack surface of a server-less application, showing that where Satan closes a door, he opens a window. Using exploitable weaknesses in common server-less patterns, we'll use cloud event sources as a vector for delivering our obfuscated payload.

Then, we'll use some undocumented features in AWS Lambda to persist our malware, explore the Lambda environment looking for secret keys and other buried treasures, and pillage a remote database.

Finally, we'll use a few more tricks to sneak out of the VPC with our precious data in tow! And, of course, we'll tidy up after ourselves, leaving the DevOps team none the wiser.

Presenters:

  • Rich Jones
    Rich Jones develops security, privacy and peer-to-peer file sharing tools. Lately, his work has been on Zappa, the server-less Python framework. Champagne, python, explosions, trap music. Rich Jones is a Bay Area technologist, entrepreneur and journalist. He has been developing free software since 2004 and is extremely passionate about building empowering media tools. As a mobile developer, he has developed applications used by millions of people all around the world, including the first Android BitTorrent client, and OpenWatch, a global police monitoring tool, as well as applications for the American Civil Liberties Union. As a web and backend server developer, he developed Gun.io, a job network for freelance hackers which has handled tens of millions of dollars in payment transfers, and was most recently a founder and backend developer for Kickflip.io, a mobile live video streaming SDK and CDN. He has also worked on numerous peer-to-peer content delivery systems including the Anomos anonymity system and the DirtyShare filesharing system. He has also worked as a researcher and malware analyst at Harvard Law School's Berkman Center for Internet and Society and is a graduate of Boston University, where he studied Cognitive and Neural Systems. His work has been profiled in Forbes, Wired, on the BBC, as well as in the book This Machine Kills Secrets: How Wikileaks, Cypherpunks, and Hacktivists Aim to Free the World's Information, and he recently appeared as a "Deep Web" security expert on the Al-Jazeera America program, America Tonight. He is an American-sounding British national who has visited and worked in many countries around the world, including China, Morocco, Mexico and North Korea. He lives on GitHub: https://github.com/Miserlou/
