1 / 15

Image Nascent Notions on Server less Computing

The most fascinating thing about technology is that, it never stops growing. It stuns people each and every time with its new inventions. One such feat of technology is Server less computing. Itu2019s an emerging trend in the town and has been attaining a mass attention over a past couple of years.

briskinfosec
Download Presentation

Image Nascent Notions on Server less Computing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. N A S C E N T N O T I O N S O N S E R V E R L E S S C O M P U T I N G W H I T E P A P E R PREPARED BY PRESENTED BY Mr. AlexXavier SecurityEngineer @briskinfosecBintlab www.briskinfosec.com. NCDRC (NationalCyberDefence ResearchCentre) incollabrationwith BINTLab www.ncdrc.res.in.

  2. Nascent Notions On Serverless Computing CONTENTS Introduction 1 2 Serverless Computing Server Based Model vs Serverless Model 3 4 Why to use Serverless? Leading Serverless providers 5 6 The Serverless Application Function Serverless Frameworks 7 8 What can be done with Serverless? 9 Pros of Serverless Cons of Serverless 10 Possible attack vectors in Serverless 11 Top 10 Critical Risks in Serverless Architecture 12 Conclusion 13 WWW.BRISKINFOSEC.COM

  3. Nascent Notions On Serverless Computing 1. INTRODUCTION Themostfascinatingthingabouttechnologyisthat, itneverstops growing. Itstunspeopleeachandeverytimewithitsnewinventions. OnesuchfeatoftechnologyisServerlesscomputing. It’sanemerging trendinthetownandhasbeenattainingamassattentionoverapast coupleofyears. Both, thefresherandveteranenterprisesintech industryareadoptingtheServerlesscomputingfeaturewithcloud service. Itisn’tjustahypebutpromisestheorganizationwithhigh productivityonalow-costbudget. 2. SERVERLESS COMPUTING Thereisacommonmisconceptionaboutserverless, presumingas “No server”, butitisn’t. Well, serversareinvolved, butlessused. ServerlessisaFunctionasaService (FaaS) softwaredesignpattern whereapplicationsarehostedbyathird-partyservice, eliminatingthe needforserversoftwareandhardwaremanagementbythedeveloper. Applicationsarebrokenupintoindividualfunctionsthatcanbe invokedandscaledindividually. 3. SERVER BASED MODEL VS SERVERLESS MODEL Foratraditionalapplication, itmustfirstbedevelopedandthen deployedontheserverwithvariousneedslikespecificcapacity planning, installingofserversoftwareandhardware, andalsothe constantmonitoringofit. Thismightconsumefewweekstomonths, andalsoinvolvesalotofCapitalandOperationalexpenses. Whereas, Serverlessapplicationallowsyoutobuildandrun applicationsandservicesbyremovingawaytheinfrastructure requirementsandrelievingthedeveloperfromtheoperational complexitiesofrunningtheapplication. Inserverless, youhaveto provideonlythecodeandfunctionallogicforyourapplicationand thenpublishittothecloud. WWW.BRISKINFOSEC.COM

  4. Nascent Notions On Serverless Computing Therestisautomatically takencareofbythecloud vendor. Theywilllookafter provisioningtheserverand deploythefunctiononit. As thedemandforthefunction goesup, thecloudvendor willsupportwithmore serversandinactivatethe servicewhenthedemand goesdown. Allofthiswill betransparenttotheend user. 4. WHY TO USE SERVERLESS? Serverlessfacilitatesthedeveloperstofocusmoreontheirapplication’s corelogicandresourceutilizationoptimallyfortheapplicationaswell, buildingitwithhighavailability, virtuallyatanyscalewithoutworrying aboutanyservers. Serverlessonlyfeesfortheactualamountofresource consumedbyanapplicationratherthanonpre-purchasedunitof capacity. 5. LEADING SERVERLESS PROVIDERS Manycloudprovidershaveheavilyinvestedinserverless. Someofthem areasfollows: WWW.BRISKINFOSEC.COM

  5. Nascent Notions On Serverless Computing 6. THE SERVERLESS APPLICATION FUNCTION AServerlesssolutionconsistsofawebserver, Lambdafunctions (FaaS), SecurityTokenService (STS), userauthenticationanddatabase. ClientApplication — Server-clientapplicationistheUIofyour applicationthatisrenderedclientsideinModernfront-end JavaScriptApp. Thisenablesustouseasimplestaticwebserver. WebServer— Server-clientwebserveristhesimplewebserverthat isofferedbytheserviceprovider (E.g. AmazonS3). Allthestatic contentsoftheapplicationareservedfromhere (S3) (E.g. contents likeHTML, CSS, JSfiles). Lambdafunctions (FaaS) — ActsastheFaaSandisalso, thekey enablersinserverlessarchitecture (E.g. AWSLambda, Microsoft AzureFunction, GoogleCloudFunction). TheLoginandData accessingoftheapplicationserviceswillbebuiltintheFaaS (Lambdafunctions). ThisfunctionwillREADandWRITEfromthe databaseaswell, providetheJSONresponsesinreply. SecurityTokenService (STS) — STSwillgeneratethetemporary Credentials - APIkeyandasecretkey (E.g. AWSCredentialsforthe usersoftheapplication. Theclientapplicationusesthese temporarycredentialstoinvokeAWSAPI). WWW.BRISKINFOSEC.COM

  6. Nascent Notions On Serverless Computing UserAuthentication— UserAuthenticationprovidestheIdentity ManagementSystemoftheapplication. Itenablestheuserstosign- upandsign-intotheapplicationviamobileandwebapplications. (E.g. HereAWSCognitoidentityserviceisintegratedwithAWS Lambdatoauthenticateusersintotheapplication. Bydoingso, it providesoptionsfortheusertosign-inandsign-upviasocial identityproviderslikeFacebook, Twitter, orAmazon. Database— AWSDynamoDBprovidesafullymanagedNoSQL database. DynamoDBisnotessentialforaserverlessapplicationbut isusedasanexamplehere. 7. SERVERLESS FRAMEWORKS Serverlessplatformsneedabasetogetexecuted. Theyalsoneedawayto defineanddeployServerlesscodesonvariouscloudplatformsor commercialservices. SomeoftheServerlessframeworksarecitedbelow: ServerlessFramework (Javascript, Python, Golang) Apex (Javascript) ClaudiaJS (Javascript) Sparta (Golang) Gordon (Javascript) Zappa (Python) Up (Javascript, Python, Golang, Crystal) 8. WHAT CAN BE DONE WITH SERVERLESS? Staticwebsites E-commerceplatforms Imagerichapplications Chatbots IoTservices BigDataapplications Event-Drivensystems WWW.BRISKINFOSEC.COM

  7. Nascent Notions On Serverless Computing 9. PROS OF SERVERLESS Simplifiesthepackaginganddeployment. Requiresnonecessityto maintainserversandoperatingsystemadministration. Easyandefficientauto-scaling. Highavailabilityandfaulttolerance. Noidlecapacity (payonlyforwhatyouuse). Fastertimetomarketandquickersoftwarerelease. Lowerstheoperationalanddevelopmentcosts. Utilizationofresourceandtimetodevelopandimprovecustomer- facingfeatures. Reducesthecomplexityofthesoftware. 10. CONS OF SERVERLESS VendorLock-incomplexity. Managingstateisrelativelycomplex. Highlatency. Testinglocallyisariskyone. Unsuitableforlong-termtasks. Fearofsecuritybreachifitsupportsmulti-tenancyarchitecture. Costisunpredictablebecausethecountofyourcodeexecutionisnot predefined. 11. POSSIBLE ATTACK VECTORS IN SERVERLESS ServerlessComputingreplacesanumberoflegacyapplications. However, thesecurityconcernsandresponsibilitiesgettransferredto thecloudprovider. Atthesametime, usersarestillresponsiblefor runningtheircodestothesecloudplatforms. Theyarelistedbelow: IncreasedAttackSurface: Asserverlessfunctionsconsumedatafrom multipleeventsourceslikeHTTPAPI’s, messagequeues, cloudstorage, andIoTdevicecommunications, theattackvectorswilltriggerprotocols andcomplexmessagestructuresthatareverydifficulttobeexamined byaconventionalWebApplicationFirewall (WAF). MaliciousInjectionVulnerabilities: Aninjectionattackmayoccurfrom aneventthattheserverlessfunctioncallstoexecute. Ausersupplied datashouldbenevertrustedblindly. Animproperinputvalidationmay resultintheexecutionofmaliciouscodesthatmaycrashthe applicationfunctionality. WWW.BRISKINFOSEC.COM

  8. Nascent Notions On Serverless Computing DenialofServiceAttack: Ifanattackerfindsawaytoexecuteavast numberofserverlessevents, theymaydenyordisrupttheservice requestofalegitimateuser. Also, theymayinfluenceandconsume thecloudcomputingresourcesandmaymisuseit. SecurityMisconfiguration:Developersmayfailtosecurethe sensitivedatacredentialssuchastokens, passwords, useridsby callingorinvokingthemdirectlyintothefunctionwithout protectingitandifso, thentheprobabilityofmisconfigurationis veryhigh. IncorrectPermissions:Generally, serverlessfunctionsarepermitted thesamepermissionasaservermightget. Leastprivilege permissionisenoughforaserverlessfunctiontowork, asgrantinga fullpermissiontoanapplicationcouldcausepotentialrisks. WeakEncryption: Anincorrectorweakencryptionmayrevealthe sensitivedataofanapplication. Serverlessfunctionsoftencallthe databaseandtherequestedresource, viaAPI’sandetc. Ifthe connectionisn’tencrypted, itwillopenupthefunctiontoa potentialrisk. ComponentVulnerabilities:Inaserverlessapplication, every functionisbuiltonlibraries, andcomponentsareprovidedbya third-partyvendor. Ifthere’sanyknownorunknownvulnerabilities inoneofthecomponents, theserverlessfunctioncouldbe exploited. Lackofpropersecuritytesting: Auditingthesecurityaspectsof serverlessapplicationsarefarmorecomplexthanthetraditional applications. Evenscannersaren’tadaptedtoscanserverless applicationsyet. WWW.BRISKINFOSEC.COM

  9. Nascent Notions On Serverless Computing 12. TOP 10 CRITICAL RISKS IN SERVERLESS ARCHITECTURE: (SAS-1) — FunctionEventDataInjection (SAS-2) — BrokenAuthentication (SAS-3) — InsecureServerlessDeploymentConfiguration (SAS-4) — Over-PrivilegedFunctionPermissionsandRoles (SAS-5) — InadequateFunctionMonitoringandLogging (SAS-6) — Insecure3rdPartyDependencies (SAS-7) — InsecureApplicationSecretsStorage (SAS-8) — DenialofServiceandFinancialResourceExhaustion (SAS-9) — ServerlessFunctionExecutionFlowManipulation (SAS-10) — ImproperExceptionHandlingandVerboseErrorMessages 12.1 (SAS-1) — FUNCTION EVENT-DATA INJECTION InjectionflawsarealwaystoppingtheOWASPTOP10list. Mainreasonfor injectionflawtooccuris, whenanuntrustedusersuppliedinputispassed directlytoaninterpreterandgetsexecutedorevaluated. Mostserverlessarchitecturesprovidesamultitudeofeventsources, which caninducetheserverlessfunctionexecution. Thissetofeventsources increasesthepotentialattacksurfaceandintroducescomplexitieswhen tryingtosafeguardtheserverlessfunctionfrominjectionflaws. Theyare noteasyastraditionalwebenvironmentswheredevelopersknowwhich areaisvulnerabletoinjectionattacks. (E.g. GET/POSTparameters, HTTP Headersetc.) ThetoolwasusedtosendacontinuousstreamofTCPorUDPpacketstoa singleserverorwebsite. Therecipient, uponhavingreceivedeachpacket, willneedtoprocessandrespondaccordinglyandeventually, stoppingto respondforlegitimaterequests. WWW.BRISKINFOSEC.COM

  10. Nascent Notions On Serverless Computing SOME EXAMPLES INCLUDE Cloudstorageevents (e.g. AWSS3, AzureBlobStorage, GoogleCloud Storage) NoSQLdatabaseevents (e.g. AWSDynamoDB, AzurecosmosDB) SQLdatabaseevents Streamprocessingevents (e.g. AWSKinesis) Codechangesandnewrepositorycodecommits HTTPAPIcalls IoTdevicetelemetrysignals Messagequeueevents SMSmessagenotifications, PUSHnotifications, emails, etc. TYPES OF INJECTION FLAWS IN SERVERLESS ARCHITECTURE OperatingSystem (OS) commandinjection Functionruntimecodeinjection (e.g. Node.js/JavaScript, Python, Java, C#, Golang) SQLinjection NoSQLinjection Pub/SubMessageDataTampering (e.g. MQTTdatainjection) Objectdeserializationattacks XMLExternalEntity (XXE) Server-SideRequestForgery (SSRF) 12.2 (SAS-2) — BROKEN AUTHENTICATION InaDistributedDenial-of-Service (DDoS) attack, thevictimreceivesa continuousstreamofunsolicitedmessagesfrommultiplesources. This typeofattackissimilartotheamplifiedattack. On1st March2018, the HackerNews (www.thehackernews.com) reportedoneofthebiggestDDoS attackstoevertakeplace. Thiswas1.35TBhumongous, whichhitthe famousGitHubwebsite (www.github.com). Serverlessapplicationswerebuiltlikemicroserviceskindofsystemdesign, containinghundredsofdistinctserverlessfunctionswithitsownpurpose. Duetothis, somemayleakpublicwebAPIs, whileothersmayserveasa proxytodifferentfunctions. Itisnecessarytoenforcestrictauthenticationmechanismsthatwill provideproperaccesscontrolandprotectiontoeveryrelevantfunction andeventtype. Exampleforsuchanattackwouldbe "Exposing unauthenticatedentrypointviaS3bucketwithpublicaccess." WWW.BRISKINFOSEC.COM

  11. Nascent Notions On Serverless Computing 12.3 (SAS-3) — INSECURE SERVERLESS DEPLOYMENT CONFIGURATION Theprobabilityofmisconfigurationandcriticalconfigurationsetting inserverlessfunctionsarequitehighanditmaycausetragicdata losses, astheserverlessarchitecturesupportsandoffersmanynew customer-demandingfeatures, customizationandconfiguration settingforspecificneeds, tasks, andenvironment. Itisnecessarytosafeguardthesensitivedataofafunctiontoany unauthorizedpersonnel. Hence, it’sbettertoimplementaStrict AccessControlList (ACL) andCloudhardeningmechanismstoavoid servermisconfigurationissues. 12.4 (SAS-4) — OVER PRIVILEGED FUNCTION PERMISSIONS AND ROLES Itisalwayswisetofollowtheprincipleof “LeastPrivilege”. Technically, thismeanslimitingthepermissionorprivilegeforan individual. Grantingoverprivilegetoaserverlessfunctionpavesway tocarryoutunintendeddestructiveactions. (E.g. ExecutingSystem Functions) 12.5 (SAS-5) — INADEQUATE FUNCTION MONITORING AND LOGGING Itisimportantforanorganizationtologandmonitorthesecurity eventsinreal-time, in-ordertodetecttheintrusionandsecurity breachoccurrenceeffectively. Oneofthemainaspectsofserverless architectureisthattheLoggingandMonitoringresidesinthecloud environment, outsideoftheorganizationaldatacenterperimeter. Serverlessserviceprovidersprovideefficientloggingandmonitoring facilities. Theselogsareinout-of-the-boxconfigurationandaren’t suitableforcompletesecurityassessment. Forthisserverlessapplication, DevelopersandtheirDevOpsteamare requiredtoworktogetheraccordingtotheirorganizational requirements (E.g. collectingthereal-timelogsfromvariousevents, submittingtheselogstoaneffectiveremotesecurityinformationand eventmanagementsystem (SIEM)). Thiswilloften, attimes, require youtostorethelogsinanintermediarycloudstorageservice. TheSANSsixcategoriesofcriticalloginformationpaperrecommend thatthefollowinglogreportsshouldbecollected: WWW.BRISKINFOSEC.COM

  12. Nascent Notions On Serverless Computing AuthenticationandAuthorizationreports Changereports Networkactivityreports Resourceaccessreports Malwareactivityreports Criticalerrorsandfailuresreports 12.6 (SAS-6) — INSECURE 3RD PARTY DEPENDENCIES Aserverlessfunctionisasmallpieceofcodethatperformsasingle discretetask. In-ordertoperformthistask, theserverlessfunction reliesuponthethird-partysoftwarepackages, open-sourcelibraries, 3rdpartyAPIcalls, etc. Itisrecommendedtoverifythethird-party dependenciesbeforeimportingtheircode. Ifthereisanyknownor unknownvulnerabilityinoneofthesecomponents, thenthe serverlessfunctioncouldbeexploited. 12.7 (SAS-7) — INSECURE APPLICATION SECRETS STORAGE AstheServerlessapplicationsareexpandingatalargescale, theneed forstoringandmaintainingtheapplicationsecretsarecritical. (E.g. Username, Passwords, APIkeys, Databasecredentials, Encryptionkeys, Configurationfiles, etc.) Themostcommonmistakeisstoringthe application’svitalinformationinplaintextwithintheconfiguration filesorinthedatabase. Ifapplication’ssensitivedataweren’tencrypted, itwillbevisiblefor anyoneandanattackercanattempttogainaccesstotheapplication andcausedestruction. (E.g. Anyuserwith "Read" permissionscan gainaccesstothesesecrets). Itisalwaysrecommendedtoencryptthe sensitivedataandnottostoreinplaintext. 12.8 (SAS-8) — DENIAL OF SERVICE AND FINANCIAL RESOURCE EXHAUSTION DenialofServiceattackisacommonthreatvectorforbothserver- basedandserverlessarchitecture. DOSattackonserverless applicationcancausefinancialandresourceunavailabilityissues. Itisnecessaryforthedeveloperstostrictlydefinetheexecutionlimits whendeployingtheserverlessapplicationinthecloud. (E.g. per executionmemoryallocation, maximumexecutiondurationper function). WWW.BRISKINFOSEC.COM

  13. Nascent Notions On Serverless Computing 12.9 (SAS-9) — FUNCTIONS EXECUTION FLOW MANIPULATION Applicationflowmanipulationiscommontoserverlessarchitecture. Themainreasonforthisvulnerabilityisthatserverlesssupports multipletypesofsoftware. Theyaremicroservicedesignmodel containingaclusterofdiscretefunctions, coupledandcombined togetherinaspecificorder, representingtheoverallapplication’s logic.Asfunctionsarechained, invokingaspecificfunctionmay invokeanotherfunction. Theorderofinvocationiscriticalfor achievingthedesiredlogic. Breakingtheapplicationflowwillhelpanattackertodestroythe application’scorelogicbybypassingaccesscontrols, escalatingthe userprivileges, andevenit’spossibletocauseaDenialofService (DOS) attack. 12.10(SAS-10) — IMPROPER EXCEPTION HANDLING AND VERBOSE ERROR MESSAGES Serverlessapplicationsarenotaseasyastraditionalapplications. Theyinvolveline-by-linedebuggingandalsoarecomplicatedand limited. However, theabovefactorforcesthedeveloperstoadoptthe useofverboseerrormessagesandinenablingdebugging environmentvariables. Theymightevenforgettoremoveorhidethe codewhilemovingittotheproductionenvironment, whichisan obviousflaw. Theseerrormessagesmayrevealsomeinternalcodes, logicand technologydetailsabouttheapplicationbeingopentoeveryone. (E.g. verboseerrormessage, stacktraces, syntaxerror.) 13. CONCLUSION Serverlesscomputingremainsasanexcitingnewtechnology. Itoffers hugebusinessbenefitsandservicetotheorganizations. Therewillbe manyadvancesinthefieldoverupcomingyears. Inthefollowing years, itispredictedthatserverlesscomputingwillbedeployedand usedbymanyorganizationsworldwide. Justlikedigitaltookover analog, itisbelievedthatserver-basedcomputingwillbedominated byserverlesscomputing. WWW.BRISKINFOSEC.COM

  14. YOUMAYBEINTERESTEDONOURPREVIOUSWHITEPAPER YOUMAYBEINTERESTEDONOURPREVIOUSWORKS REFERENCESABOUTBRISKINFOSEC BLOGS RESEARCH COMPLIANCES SERVICES CASESTUDIES SOLUTIONS

  15. This White Paper is proudly presented by BRISKINFOSEC TECHNOLOGY AND CONSULTING PVT LTD Feel free to reach us for all your cybersecurity needs contact@briskinfosec.com | www.briskinfosec.com |USA|INDIA|UK

More Related