
Gone in 60 Milliseconds

Intrusion and Exfiltration in Server-less Architectures


Video duration
00:33:01
Language
English
Abstract
<p>More and more businesses are moving away from monolithic servers and turning to event-driven microservices powered by cloud function providers like AWS Lambda. So, how do we hack into a server that only exists for 60 milliseconds?</p>

<p>This talk will show novel attack vectors using cloud event sources, exploitabilities in common server-less patterns and frameworks, abuse of undocumented features in AWS Lambda for persistent malware injection, identifying valuable targets for pilfering, and, of course, how to exfiltrate juicy data out of a secure Virtual Private Cloud. </p>

<p>This talk will be the first public anatomy of an attack on a server-less application deployed to AWS Lambda and AWS API Gateway. It'll be useful for any application developer looking to build a server-less application, and for any hacker who's come up against this interesting new class of application.</p>

<p>First, we'll take a look at the current state of server-less architectures and show some common deployment patterns and how they're used in production, comparing the advantages and trade-offs against traditional monolithic servers.</p>

<p>Next, we'll explore the attack surface of a server-less application, showing that where Satan closes a door, he opens a window. Using exploitables in common server-less patterns, we'll use cloud event sources as a vector for delivering our obfuscated payload.</p>

<p>Then, we'll use some undocumented features in AWS Lambda to persist our malware, explore the Lambda environment looking for secret keys and other buried treasures, and pillage a remote database.</p>

<p>Finally, we'll use a few more tricks to sneak out of the VPC with our precious data in tow! And, of course, we'll tidy up after ourselves, leaving the DevOps team none the wiser.</p>
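The abstract's two middle steps, pilfering "secret keys" from the Lambda environment and persisting in the execution environment, rest on two properties of AWS Lambda: the function's IAM role credentials are handed to the code as the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, and the writable /tmp directory survives between invocations that land on the same warm container. The following Python is an added illustration written for this page, not code from the talk or from Rich Jones; the sample environment is constructed with fake values, and the secret-name pattern and the marker file name are this example's own assumptions, not anything the talk describes.

```python
import os
import re
import tempfile
from pathlib import Path

# Variable names under which the Lambda runtime exposes the function's
# IAM role credentials to the code it runs (AWS's own documented names).
AWS_CREDENTIAL_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Assumed heuristic for application secrets injected via function configuration.
# Tune it to your own naming conventions; it is an assumption of this example.
SECRET_NAME_RE = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|DATABASE_URL|DSN)", re.IGNORECASE
)

# Constructed sample of what a Lambda process sees in os.environ (all values fake).
SAMPLE_ENV = {
    "AWS_LAMBDA_FUNCTION_NAME": "orders-api",
    "AWS_REGION": "us-east-1",
    "LAMBDA_TASK_ROOT": "/var/task",
    "AWS_ACCESS_KEY_ID": "ASIAEXAMPLEEXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/EXAMPLEKEY",
    "AWS_SESSION_TOKEN": "FwoGZXIvYXdzEEXAMPLESESSIONTOKEN",
    "DATABASE_URL": "postgres://app:hunter2@db.internal:5432/orders",
}


def find_credentials(env):
    """Return {name: value} for every variable that code running inside the
    function could read to obtain credentials: the role's temporary keys plus
    anything whose name looks like an application secret."""
    return {
        name: value
        for name, value in env.items()
        if name in AWS_CREDENTIAL_VARS or SECRET_NAME_RE.search(name)
    }


def redact(found):
    """Defender-side view of the same data: names kept, values truncated so the
    inventory can be logged without leaking the secrets themselves."""
    return {k: (v[:4] + "..." if len(v) > 4 else "...") for k, v in found.items()}


def fresh_tmp_dir():
    """Stand-in for a cold container's /tmp (a real function would use '/tmp')."""
    return tempfile.mkdtemp()


def mark_container(tmp_dir, marker_name=".seen"):
    """Count invocations handled by this container via a marker file in /tmp.
    Returns 1 on a cold start and n on the n-th reuse of the same warm container,
    which is the property that lets a dropped file outlive a single request."""
    marker = Path(tmp_dir) / marker_name
    count = int(marker.read_text()) + 1 if marker.exists() else 1
    marker.write_text(str(count))
    return count


def main():
    found = find_credentials(os.environ if "AWS_LAMBDA_FUNCTION_NAME" in os.environ else SAMPLE_ENV)
    print("credential-bearing variables:", redact(found))
    d = fresh_tmp_dir()
    print("invocation counts on one container:", mark_container(d), mark_container(d))


if __name__ == "__main__":
    main()
```

Run stand-alone it inventories the constructed environment and shows the marker count climbing across two calls on the same directory; inside a real function it would read the live environment instead. The defensive takeaway is the one the abstract implies: any code execution inside the function, however brief the container lives, yields the role credentials, so the role's policy, not the container's lifetime, is what bounds the damage.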

Talk ID
7865
Event:
33c3
Day
2
Room
Saal 1
Start
1:45 p.m.
Duration
00:30:00
Track
Security
Type of
lecture
Speaker
Rich Jones
Talk Slug & media link
33c3-7865-gone_in_60_milliseconds

