xorl %eax, %eax

BSides Cyprus: Cloud… Just somebody else’s computer


Just noticed that I haven’t published much for the last few talks I’ve been giving and this is one of them…

That was my 8th, and last, talk for 2021. It was research more on the cloud security architecture/engineering side. That was my second time participating in BSides Cyprus, and as always, it was an amazing event with amazing people. The organizers of BSides Cyprus did a remarkable job. From the setup of the remote event, to the CTF, the prizes for the CTF participants, and the overall atmosphere, it was an excellent event.

Now specifically on my talk, that was a subject I had been preparing for around a year and I’m glad I got to talk about it at BSides Cyprus. For various reasons, public cloud providers intentionally abstract away a lot of the plumbing of how everything is put together, and this has consequences for security.

So, in this talk I picked a few services from AWS, GCP, and Azure and dissected them to demonstrate two points:

  • It’s just computers and software under the hood
  • Having this “inner” architectural understanding helps you uncover vulnerabilities (using some publicly available ones in the examples, no 0days or embargoed issues revealed)

My goal with this talk wasn’t to uncover some significant design flaw or claim that public cloud is bad. Just to raise awareness and change the mindset of security engineers when working with public cloud to think beyond what the vendor’s documentation says. If you’d like to have a look, you can find my slides here.

Written by xorl

December 22, 2022 at 13:32
