Gone in 60 Milliseconds
This talk will be the first public anatomy of an attack on a server-less application deployed to AWS Lambda and AWS API Gateway. It'll be useful for any application developer looking to build a server-less application, and for any hacker who's come up against this interesting new class of application. First, we'll take a look at the current state of server-less architectures and show some common deployment patterns and how they're used in production, comparing the advantages and trade offs against traditional monolithic servers. Next, we'll explore the attack surface of a server-less application, showing that where Satan closes a door, he opens a window. Using exploitables in common server-less patterns, we'll use cloud event sources as a vector for delivering our obfuscated payload. Then, we'll use some undocumented features in AWS Lambda to persist our malware, explore the Lambda environment looking for secret keys and other buried treasures, and pillage a remote database. Finally, we'll use a few more tricks to sneak out of the VPC with our precious data in tow! And, of course, we'll tidy up after ourselves leaving the DevOps team none-the-wiser.