puresec / functionshield Goto Github PK
View Code? Open in Web Editor NEWA Serverless Security Library for Developers. Regain Control Over Your AWS Lambda & Google Cloud Functions Runtimes.
License: Other
functionshield's People
Contributors
Stargazers
Watchers
Forkers
naripok deepikan2000 arunslb123 yahyaberkdar fasere75 rjweyers-luma savobit hecg119 kyle9021 mdclarkson roetherbfunctionshield's Issues
Will there be any issues with the new lambda upgrades?
AWS just announced that they will be making changes to their lambda: https://aws.amazon.com/blogs/compute/upcoming-updates-to-the-aws-lambda-execution-environment/ . Do you foresee there being any potential issues?
What prevents Malicious code from disabling Function Shield?
As it seems you're allowed to call FunctionShield.configure multiple times, what prevents Malicious code from re-allowing accesses before trying to make outbound network calls?
Buffer overflow
Hey guys,
Seems like something bad happened....
I got a buffer overflow on a lambda that just calls an api and returns, while using your product.
May you guys take a look? It seems to be related with your service.
Here is the cloudWatch dump:
START RequestId: eb57821e-dfbb-44b8-8876-bbe23af6f72e Version: $LATEST
*** buffer overflow detected ***: /var/lang/bin/python3.7 terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f82580fda57]
/lib64/libc.so.6(+0x115bd2)[0x7f82580fbbd2]
/lib64/libc.so.6(+0x114b9b)[0x7f82580fab9b]
/var/task/function_shield/lib/libfunctionshieldcore.so(functionshieldcore_configure+0xc9)[0x7f824b44f9f9]
/usr/lib64/libffi.so.6(ffi_call_unix64+0x4c)[0x7f824b676cec]
/usr/lib64/libffi.so.6(ffi_call+0x1f5)[0x7f824b676615]
/var/lang/lib/python3.7/lib-dynload/_ctypes.cpython-37m-x86_64-linux-gnu.so(_ctypes_callproc+0x283)[0x7f824b88a973]
/var/lang/lib/python3.7/lib-dynload/_ctypes.cpython-37m-x86_64-linux-gnu.so(+0x8dcf)[0x7f824b881dcf]
/var/lang/lib/libpython3.7m.so.1.0(_PyObject_FastCallKeywords+0x114)[0x7f8258d6fd54]
/var/lang/lib/libpython3.7m.so.1.0(_PyEval_EvalFrameDefault+0x6a52)[0x7f8258d48852]
/var/lang/lib/libpython3.7m.so.1.0(+0x68c50)[0x7f8258d40c50]
/var/lang/lib/libpython3.7m.so.1.0(_PyEval_EvalFrameDefault+0x8f90)[0x7f8258d4ad90]
/var/lang/lib/libpython3.7m.so.1.0(+0x68c50)[0x7f8258d40c50]
/var/lang/lib/libpython3.7m.so.1.0(_PyEval_EvalFrameDefault+0x85c2)[0x7f8258d4a3c2]
/var/lang/lib/libpython3.7m.so.1.0(+0x68c50)[0x7f8258d40c50]
/var/lang/lib/libpython3.7m.so.1.0(_PyEval_EvalFrameDefault+0x85c2)[0x7f8258d4a3c2]
/var/lang/lib/libpython3.7m.so.1.0(+0x68c50)[0x7f8258d40c50]
/var/lang/lib/libpython3.7m.so.1.0(_PyEval_EvalFrameDefault+0x85c2)[0x7f8258d4a3c2]
/var/lang/lib/libpython3.7m.so.1.0(+0x68c50)[0x7f8258d40c50]
/var/lang/lib/libpython3.7m.so.1.0(_PyEval_EvalFrameDefault+0x85c2)[0x7f8258d4a3c2]
/var/lang/lib/libpython3.7m.so.1.0(_PyEval_EvalCodeWithName+0xa18)[0x7f8258e56b78]
/var/lang/lib/libpython3.7m.so.1.0(PyEval_EvalCodeEx+0x6d)[0x7f8258e56ccd]
/var/lang/lib/libpython3.7m.so.1.0(PyEval_EvalCode+0x3b)[0x7f8258e56d1b]
/var/lang/lib/libpython3.7m.so.1.0(PyRun_FileExFlags+0xb2)[0x7f8258e91e02]
/var/lang/lib/libpython3.7m.so.1.0(PyRun_SimpleFileExFlags+0xe7)[0x7f8258e91f67]
/var/lang/lib/libpython3.7m.so.1.0(+0x1dccc3)[0x7f8258eb4cc3]
/var/lang/lib/libpython3.7m.so.1.0(_Py_UnixMain+0x2d)[0x7f8258eb4fad]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f8258008445]
/var/lang/bin/python3.7[0x400701]
======= Memory map: ========
00400000-00401000 r-xp 00000000 ca:01 156464 /var/lang/bin/python3.7
00600000-00601000 rw-p 00000000 ca:01 156464 /var/lang/bin/python3.7
00b8e000-01205000 rw-p 00000000 00:00 0 [heap]
7f824a975000-7f824a98a000 r-xp 00000000 ca:01 405286 /lib64/libgcc_s-4.8.3-20140911.so.1
7f824a98a000-7f824ab8a000 ---p 00015000 ca:01 405286 /lib64/libgcc_s-4.8.3-20140911.so.1
7f824ab8a000-7f824ab8b000 rw-p 00015000 ca:01 405286 /lib64/libgcc_s-4.8.3-20140911.so.1
7f824ab8b000-7f824abcb000 rw-p 00000000 00:00 0
7f824ac2c000-7f824acac000 rw-p 00000000 00:00 0
7f824ad2c000-7f824b0ac000 rw-p 00000000 00:00 0
7f824b0c2000-7f824b242000 rw-p 00000000 00:00 0
7f824b242000-7f824b247000 r-xp 00000000 ca:01 405063 /lib64/libnss_dns-2.17.so
7f824b247000-7f824b447000 ---p 00005000 ca:01 405063 /lib64/libnss_dns-2.17.so
7f824b447000-7f824b448000 r--p 00005000 ca:01 405063 /lib64/libnss_dns-2.17.so
7f824b448000-7f824b449000 rw-p 00006000 ca:01 405063 /lib64/libnss_dns-2.17.so
7f824b449000-7f824b468000 r-xp 00000000 07:07 2402 /var/task/function_shield/lib/libfunctionshieldcore.so
7f824b468000-7f824b667000 ---p 0001f000 07:07 2402 /var/task/function_shield/lib/libfunctionshieldcore.so
7f824b667000-7f824b668000 r--p 0001e000 07:07 2402 /var/task/function_shield/lib/libfunctionshieldcore.so
7f824b668000-7f824b66f000 rw-p 0001f000 07:07 2402 /var/task/function_shield/lib/libfunctionshieldcore.so
7f824b66f000-7f824b671000 rw-p 00000000 00:00 0
7f824b671000-7f824b678000 r-xp 00000000 ca:01 281189 /usr/lib64/libffi.so.6.0.1
7f824b678000-7f824b878000 ---p 00007000 ca:01 281189 /usr/lib64/libffi.so.6.0.1
7f824b878000-7f824b879000 rw-p 00007000 ca:01 281189 /usr/lib64/libffi.so.6.0.1
7f824b879000-7f824b894000 r-xp 00000000 ca:01 15728 /var/lang/lib/python3.7/lib-dynload/_ctypes.cpython-37m-x86_64-linux-gnu.so
7f824b894000-7f824ba94000 ---p 0001b000 ca:01 15728 /var/lang/lib/python3.7/lib-dynload/_ctypes.cpython-37m-x86_64-linux-gnu.so
7f824ba94000-7f824ba98000 rw-p 0001b000 ca:01 15728 /var/lang/lib/python3.7/lib-dynload/_ctypes.cpython-37m-x86_64-linux-gnu.so
7f824ba98000-7f824bc18000 rw-p 00000000 00:00 0
7f824bc18000-7f824bc58000 rw-p 00000000 00:00 0
7f824bc58000-7f824bc5c000 r-xp 00000000 ca:01 15771 /var/lang/lib/python3.7/lib-dynload/termios.cpython-37m-x86_64-linux-gnu.so
7f824bc5c000-7f824be5c000 ---p 00004000 ca:01 15771 /var/lang/lib/python3.7/lib-dynload/termios.cpython-37m-x86_64-linux-gnu.so
7f824be5c000-7f824be5e000 rw-p 00004000 ca:01 15771 /var/lang/lib/python3.7/lib-dynload/termios.cpython-37m-x86_64-linux-gnu.so
7f824be5e000-7f824be99000 r-xp 00000000 ca:01 15749 /var/lang/lib/python3.7/lib-dynload/pyexpat.cpython-37m-x86_64-linux-gnu.so
7f824be99000-7f824c098000 ---p 0003b000 ca:01 15749 /var/lang/lib/python3.7/lib-dynload/pyexpat.cpython-37m-x86_64-linux-gnu.so
7f824c098000-7f824c09c000 rw-p 0003a000 ca:01 15749 /var/lang/lib/python3.7/lib-dynload/pyexpat.cpython-37m-x86_64-linux-gnu.so
7f824c09c000-7f824c0aa000 r-xp 00000000 ca:01 15737 /var/lang/lib/python3.7/lib-dynload/_elementtree.cpython-37m-x86_64-linux-gnu.so
7f824c0aa000-7f824c2aa000 ---p 0000e000 ca:01 15737 /var/lang/lib/python3.7/lib-dynload/_elementtree.cpython-37m-x86_64-linux-gnu.so
7f824c2aa000-7f824c2ac000 rw-p 0000e000 ca:01 15737 /var/lang/lib/python3.7/lib-dynload/_elementtree.cpython-37m-x86_64-linux-gnu.so
7f824c2ac000-7f824c4ac000 rw-p 00000000 00:00 0
7f824c4ac000-7f824c4ae000 r-xp 00000000 ca:01 15731 /var/lang/lib/python3.7/lib-dynload/grp.cpython-37m-x86_64-linux-gnu.so
7f824c4ae000-7f824c6ae000 ---p 00002000 ca:01 15731 /var/lang/lib/python3.7/lib-dynload/grp.cpython-37m-x86_64-linux-gnu.so
7f824c6ae000-7f824c6af000 rw-p 00002000 ca:01 15731 /var/lang/lib/python3.7/lib-dynload/grp.cpython-37m-x86_64-linux-gnu.so
7f824c6af000-7f824c6d2000 r-xp 00000000 ca:01 281761 /usr/lib64/liblzma.so.5.0.99
7f824c6d2000-7f824c8d2000 ---p 00023000 ca:01 281761 /usr/lib64/liblzma.so.5.0.99
7f824c8d2000-7f824c8d3000 rw-p 00023000 ca:01 281761 /usr/lib64/liblzma.so.5.0.99
7f824c8d3000-7f824c8da000 r-xp 00000000 ca:01 15723 /var/lang/lib/python3.7/lib-dynload/_lzma.cpython-37m-x86_64-linux-gnu.so
7f824c8da000-7f824cada000 ---p 00007000 ca:01 15723 /var/lang/lib/python3.7/lib-dynload/_lzma.cpython-37m-x86_64-linux-gnu.so
7f824cada000-7f824cadc000 rw-p 00007000 ca:01 15723 /var/lang/lib/python3.7/lib-dynload/_lzma.cpython-37m-x86_64-linux-gnu.so
7f824cadc000-7f824caec000 r-xp 00000000 ca:01 405067 /lib64/libbz2.so.1.0.6
7f824caec000-7f824cceb000 ---p 00010000 ca:01 405067 /lib64/libbz2.so.1.0.6
7f824cceb000-7f824cced000 rw-p 0000f000 ca:01 405067 /lib64/libbz2.so.1.0.6
7f824cced000-7f824ccf1000 r-xp 00000000 ca:01 15742 /var/lang/lib/python3.7/lib-dynload/_bz2.cpython-37m-x86_64-linux-gnu.so
7f824ccf1000-7f824cef0000 ---p 00004000 ca:01 15742 /var/lang/lib/python3.7/lib-dynload/_bz2.cpython-37m-x86_64-linux-gnu.so
7f824cef0000-7f824cef2000 rw-p 00003000 ca:01 15742 /var/lang/lib/python3.7/lib-dynload/_bz2.cpython-37m-x86_64-linux-gnu.so
7f824cef2000-7f824d003000 rw-p 00000000 00:00 0
7f824d003000-7f824d009000 r-xp 00000000 ca:01 15711 /var/lang/lib/python3.7/lib-dynload/zlib.cpython-37m-x86_64-linux-gnu.so
7f824d009000-7f824d209000 ---p 00006000 ca:01 15711 /var/lang/lib/python3.7/lib-dynload/zlib.cpython-37m-x86_64-linux-gnu.so
7f824d209000-7f824d20b000 rw-p 00006000 ca:01 15711 /var/lang/lib/python3.7/lib-dynload/zlib.cpython-37m-x86_64-linux-gnu.so
7f824d20b000-7f824d24b000 rw-p 00000000 00:00 0
7f824d24b000-7f824d24d000 r-xp 00000000 ca:01 15748 /var/lang/lib/python3.7/lib-dynload/_queue.cpython-37m-x86_64-linux-gnu.so
7f824d24d000-7f824d44d000 ---p 00002000 ca:01 15748 /var/lang/lib/python3.7/lib-dynload/_queue.cpython-37m-x86_64-linux-gnu.so
7f824d44d000-7f824d44e000 rw-p 00002000 ca:01 15748 /var/lang/lib/python3.7/lib-dynload/_queue.cpython-37m-x86_64-linux-gnu.so
7f824d44e000-7f824d48e000 rw-p 00000000 00:00 0
7f824d48e000-7f824d48f000 r-xp 00000000 ca:01 15773 /var/lang/lib/python3.7/lib-dynload/_opcode.cpython-37m-x86_64-linux-gnu.so
7f824d48f000-7f824d68f000 ---p 00001000 ca:01 15773 /var/lang/lib/python3.7/lib-dynload/_opcode.cpython-37m-x86_64-linux-gnu.so
7f824d68f000-7f824d690000 rw-p 00001000 ca:01 15773 /var/lang/lib/python3.7/lib-dynload/_opcode.cpython-37m-x86_64-linux-gnu.so
7f824d690000-7f824d6d0000 rw-p 00000000 00:00 0
7f824d6d0000-7f824d6d3000 r-xp 00000000 ca:01 15719 /var/lang/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
7f824d6d3000-7f824d8d3000 ---p 00003000 ca:01 15719 /var/lang/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
7f824d8d3000-7f824d8d4000 rw-p 00003000 ca:01 15719 /var/lang/lib/python3.7/lib-dynload/_posixsubprocess.cpython-37m-x86_64-linux-gnu.so
7f824d8d4000-7f824d914000 rw-p 00000000 00:00 0
7f824d914000-7f824d9f9000 r-xp 00000000 ca:01 15721 /var/lang/lib/python3.7/lib-dynload/unicodedata.cpython-37m-x86_64-linux-gnu.so
7f824d9f9000-7f824dbf9000 ---p 000e5000 ca:01 15721 /var/lang/lib/python3.7/lib-dynload/unicodedata.cpython-37m-x86_64-linux-gnu.so
7f824dbf9000-7f824dc17000 rw-p 000e5000 ca:01 15721 /var/lang/lib/python3.7/lib-dynload/unicodedata.cpython-37m-x86_64-linux-gnu.so
7f824dc17000-7f824dc57000 rw-p 00000000 00:00 0
7f824dc57000-7f824dca4000 r-xp 00000000 ca:01 15712 /var/lang/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so
7f824dca4000-7f824dea3000 ---p 0004d000 ca:01 15712 /var/lang/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so
7f824dea3000-7f824deac000 rw-p 0004c000 ca:01 15712 /var/lang/lib/python3.7/lib-dynload/_decimal.cpython-37m-x86_64-linux-gnu.so
7f824deac000-7f824deec000 rw-p 00000000 00:00 0
7f824deec000-7f824df05000 r-xp 00000000 ca:01 15765 /var/lang/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so
7f824df05000-7f824e104000 ---p 00019000 ca:01 15765 /var/lang/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so
7f824e104000-7f824e10a000 rw-p 00018000 ca:01 15765 /var/lang/lib/python3.7/lib-dynload/_ssl.cpython-37m-x86_64-linux-gnu.so
7f824e10a000-7f824e18a000 rw-p 00000000 00:00 0
7f824e18a000-7f824e1a2000 r-xp 00000000 ca:01 15759 /var/lang/lib/python3.7/lib-dynload/_datetime.cpython-37m-x86_64-linux-gnu.so
7f824e1a2000-7f824e3a1000 ---p 00018000 ca:01 15759 /var/lang/lib/python3.7/lib-dynload/_datetime.cpython-37m-x86_64-linux-gnu.so
7f824e3a1000-7f824e3a4000 rw-p 00017000 ca:01 15759 /var/lang/lib/python3.7/lib-dynload/_datetime.cpython-37m-x86_64-linux-gnu.so
7f824e3a4000-7f824e3e4000 rw-p 00000000 00:00 0
7f824e3e4000-7f824e3e9000 r-xp 00000000 ca:01 15717 /var/lang/lib/python3.7/lib-dynload/select.cpython-37m-x86_64-linux-gnu.so
7f824e3e9000-7f824e5e8000 ---p 00005000 ca:01 15717 /var/lang/lib/python3.7/lib-dynload/select.cpython-37m-x86_64-linux-gnu.so
7f824e5e8000-7f824e5ea000 rw-p 00004000 ca:01 15717 /var/lang/lib/python3.7/lib-dynload/select.cpython-37m-x86_64-linux-gnu.so
7f824e5ea000-7f824e5ff000 r-xp 00000000 ca:01 15762 /var/lang/lib/python3.7/lib-dynload/_socket.cpython-37m-x86_64-linux-gnu.so
7f824e5ff000-7f824e7fe000 ---p 00015000 ca:01 15762 /var/lang/lib/python3.7/lib-dynload/_socket.cpython-37m-x86_64-linux-gnu.so
7f824e7fe000-7f824e804000 rw-p 00014000 ca:01 15762 /var/lang/lib/python3.7/lib-dynload/_socket.cpython-37m-x86_64-linux-gnu.so
7f824e804000-7f824e807000 r-xp 00000000 ca:01 15757 /var/lang/lib/python3.7/lib-dynload/_random.cpython-37m-x86_64-linux-gnu.so
7f824e807000-7f824ea06000 ---p 00003000 ca:01 15757 /var/lang/lib/python3.7/lib-dynload/_random.cpython-37m-x86_64-linux-gnu.so
7f824ea06000-7f824ea07000 rw-p 00002000 ca:01 15757 /var/lang/lib/python3.7/lib-dynload/_random.cpython-37m-x86_64-linux-gnu.so
7f824ea07000-7f824ea09000 r-xp 00000000 ca:01 15764 /var/lang/lib/python3.7/lib-dynload/_bisect.cpython-37m-x86_64-linux-gnu.so
7f824ea09000-7f824ec09000 ---p 00002000 ca:01 15764 /var/lang/lib/python3.7/lib-dynload/_bisect.cpython-37m-x86_64-linux-gnu.so
7f824ec09000-7f824ec0a000 rw-p 00002000 ca:01 15764 /var/lang/lib/python3.7/lib-dynload/_bisect.cpython-37m-x86_64-linux-gnu.so
7f824ec0a000-7f824ec1c000 r-xp 00000000 ca:01 15766 /var/lang/lib/python3.7/lib-dynload/_sha3.cpython-37m-x86_64-linux-gnu.so
7f824ec1c000-7f824ee1b000 ---p 00012000 ca:01 15766 /var/lang/lib/python3.7/lib-dynload/_sha3.cpython-37m-x86_64-linux-gnu.so
7f824ee1b000-7f824ee1d000 rw-p 00011000 ca:01 15766 /var/lang/lib/python3.7/lib-dynload/_sha3.cpython-37m-x86_64-linux-gnu.so
7f824ee1d000-7f824ee26000 r-xp 00000000 ca:01 15738 /var/lang/lib/python3.7/lib-dynload/_blake2.cpython-37m-x86_64-linux-gnu.so
7f824ee26000-7f824f026000 ---p 00009000 ca:01 15738 /var/lang/lib/python3.7/lib-dynload/_blake2.cpython-37m-x86_64-linux-gnu.so
7f824f026000-7f824f028000 rw-p 00009000 ca:01 15738 /var/lang/lib/python3.7/lib-dynload/_blake2.cpython-37m-x86_64-linux-gnu.so
7f824f028000-7f824f046000 r-xp 00000000 ca:01 279273 /usr/lib64/libselinux.so.1
7f824f046000-7f824f245000 ---p 0001e000 ca:01 279273 /usr/lib64/libselinux.so.1
7f824f245000-7f824f246000 r--p 0001d000 ca:01 279273 /usr/lib64/libselinux.so.1
7f824f246000-7f824f247000 rw-p 0001e000 ca:01 279273 /usr/lib64/libselinux.so.1
7f824f247000-7f824f249000 rw-p 00000000 00:00 0
7f824f249000-7f824f25f000 r-xp 00000000 ca:01 405271 /lib64/libresolv-2.17.so
7f824f25f000-7f824f45e000 ---p 00016000 ca:01 405271 /lib64/libresolv-2.17.so
7f824f45e000-7f824f45f000 r--p 00015000 ca:01 405271 /lib64/libresolv-2.17.so
7f824f45f000-7f824f460000 rw-p 00016000 ca:01 405271 /lib64/libresolv-2.17.so
7f824f460000-7f824f462000 rw-p 00000000 00:00 0
7f824f462000-7f824f465000 r-xp 00000000 ca:01 405199 /lib64/libkeyutils.so.1.5
7f824f465000-7f824f664000 ---p 00003000 ca:01 405199 /lib64/libkeyutils.so.1.5
7f824f664000-7f824f665000 rw-p 00002000 ca:01 405199 /lib64/libkeyutils.so.1.5
7f824f665000-7f824f672000 r-xp 00000000 ca:01 281257 /usr/lib64/libkrb5support.so.0.1
7f824f672000-7f824f872000 ---p 0000d000 ca:01 281257 /usr/lib64/libkrb5support.so.0.1
7f824f872000-7f824f873000 r--p 0000d000 ca:01 281257 /usr/lib64/libkrb5support.so.0.1
7f824f873000-7f824f874000 rw-p 0000e000 ca:01 281257 /usr/lib64/libkrb5support.so.0.1
7f824f874000-7f824f88d000 r-xp 00000000 ca:01 281634 /usr/lib64/libk5crypto.so.3.1
7f824f88d000-7f824fa8c000 ---p 00019000 ca:01 281634 /usr/lib64/libk5crypto.so.3.1
7f824fa8c000-7f824fa8e000 r--p 00018000 ca:01 281634 /usr/lib64/libk5crypto.so.3.1
7f824fa8e000-7f824fa8f000 rw-p 0001a000 ca:01 281634 /usr/lib64/libk5crypto.so.3.1
7f824fa8f000-7f824fa92000 r-xp 00000000 ca:01 280809 /usr/lib64/libcom_err.so.2.1
7f824fa92000-7f824fc91000 ---p 00003000 ca:01 280809 /usr/lib64/libcom_err.so.2.1
7f824fc91000-7f824fc92000 rw-p 00002000 ca:01 280809 /usr/lib64/libcom_err.so.2.1
7f824fc92000-7f824fd6b000 r-xp 00000000 ca:01 281226 /usr/lib64/libkrb5.so.3.3
7f824fd6b000-7f824ff6a000 ---p 000d9000 ca:01 281226 /usr/lib64/libkrb5.so.3.3
7f824ff6a000-7f824ff78000 r--p 000d8000 ca:01 281226 /usr/lib64/libkrb5.so.3.3
7f824ff78000-7f824ff7b000 rw-p 000e6000 ca:01 281226 /usr/lib64/libkrb5.so.3.3
7f824ff7b000-7f824ffc5000 r-xp 00000000 ca:01 280810 /usr/lib64/libgssapi_krb5.so.2.2
7f824ffc5000-7f82501c5000 ---p 0004a000 ca:01 280810 /usr/lib64/libgssapi_krb5.so.2.2
7f82501c5000-7f82501c6000 r--p 0004a000 ca:01 280810 /usr/lib64/libgssapi_krb5.so.2.2
7f82501c6000-7f82501c8000 rw-p 0004b000 ca:01 280810 /usr/lib64/libgssapi_krb5.so.2.2
7f82501c8000-7f82503f9000 r-xp 00000000 ca:01 156483 /var/lang/lib/libcrypto.so.10
7f82503f9000-7f82505f9000 ---p 00231000 ca:01 156483 /var/lang/lib/libcrypto.so.10
7f82505f9000-7f8250615000 r--p 00231000 ca:01 156483 /var/lang/lib/libcrypto.so.10
7f8250615000-7f8250622000 rw-p 0024d000 ca:01 156483 /var/lang/lib/libcrypto.so.10
7f8250622000-7f8250626000 rw-p 00000000 00:00 0
7f8250626000-7f825068c000 r-xp 00000000 ca:01 156481 /var/lang/lib/libssl.so.10
7f825068c000-7f825088c000 ---p 00066000 ca:01 156481 /var/lang/lib/libssl.so.10
7f825088c000-7f8250890000 r--p 00066000 ca:01 156481 /var/lang/lib/libssl.so.10
7f8250890000-7f8250897000 rw-p 0006a000 ca:01 156481 /var/lang/lib/libssl.so.10
7f8250897000-7f825089d000 r-xp 00000000 ca:01 15752 /var/lang/lib/python3.7/lib-dynload/_hashlib.cpython-37m-x86_64-linux-gnu.so
7f825089d000-7f8250a9d000 ---p 00006000 ca:01 15752 /var/lang/lib/python3.7/lib-dynload/_hashlib.cpython-37m-x86_64-linux-gnu.so
7f8250a9d000-7f8250a9e000 rw-p 00006000 ca:01 15752 /var/lang/lib/python3.7/lib-dynload/_hashlib.cpython-37m-x86_64-linux-gnu.so
7f8250a9e000-7f8250aa9000 r-xp 00000000 ca:01 15736 /var/lang/lib/python3.7/lib-dynload/math.cpython-37m-x86_64-linux-gnu.so
7f8250aa9000-7f8250ca8000 ---p 0000b000 ca:01 15736 /var/lang/lib/python3.7/lib-dynload/math.cpython-37m-x86_64-linux-gnu.so
7f8250ca8000-7f8250cab000 rw-p 0000a000 ca:01 15736 /var/lang/lib/python3.7/lib-dynload/math.cpython-37m-x86_64-linux-gnu.so
7f8250cb4000-7f8250d34000 rw-p 00000000 00:00 0
7f8250d34000-7f8250d3d000 r-xp 00000000 ca:01 15716 /var/lang/lib/python3.7/lib-dynload/_struct.cpython-37m-x86_64-linux-gnu.so
7f8250d3d000-7f8250f3c000 ---p 00009000 ca:01 15716 /var/lang/lib/python3.7/lib-dynload/_struct.cpython-37m-x86_64-linux-gnu.so
7f8250f3c000-7f8250f3f000 rw-p 00008000 ca:01 15716 /var/lang/lib/python3.7/lib-dynload/_struct.cpython-37m-x86_64-linux-gnu.so
7f8250f3f000-7f8250f54000 r-xp 00000000 ca:01 405306 /lib64/libz.so.1.2.8
7f8250f54000-7f8251153000 ---p 00015000 ca:01 405306 /lib64/libz.so.1.2.8
7f8251153000-7f8251154000 r--p 00014000 ca:01 405306 /lib64/libz.so.1.2.8
7f8251154000-7f8251155000 rw-p 00015000 ca:01 405306 /lib64/libz.so.1.2.8
7f8251155000-7f825115a000 r-xp 00000000 ca:01 15769 /var/lang/lib/python3.7/lib-dynload/binascii.cpython-37m-x86_64-linux-gnu.so
7f825115a000-7f825135a000 ---p 00005000 ca:01 15769 /var/lang/lib/python3.7/lib-dynload/binascii.cpython-37m-x86_64-linux-gnu.so
7f825135a000-7f825135b000 rw-p 00005000 ca:01 15769 /var/lang/lib/python3.7/lib-dynload/binascii.cpython-37m-x86_64-linux-gnu.so
7f825135b000-7f825141b000 rw-p 00000000 00:00 0
7f825141b000-7f8251424000 r-xp 00000000 ca:01 15722 /var/lang/lib/python3.7/lib-dynload/_json.cpython-37m-x86_64-linux-gnu.so
7f8251424000-7f8251624000 ---p 00009000 ca:01 15722 /var/lang/lib/python3.7/lib-dynload/_json.cpython-37m-x86_64-linux-gnu.so
7f8251624000-7f8251625000 rw-p 00009000 ca:01 15722 /var/lang/lib/python3.7/lib-dynload/_json.cpython-37m-x86_64-linux-gnu.so
7f8251625000-7f8251665000 rw-p 00000000 00:00 0
7f8251665000-7f8251667000 r-xp 00000000 ca:01 15747 /var/lang/lib/python3.7/lib-dynload/_heapq.cpython-37m-x86_64-linux-gnu.so
7f8251667000-7f8251867000 ---p 00002000 ca:01 15747 /var/lang/lib/python3.7/lib-dynload/_heapq.cpython-37m-x86_64-linux-gnu.so
7f8251867000-7f8251869000 rw-p 00002000 ca:01 15747 /var/lang/lib/python3.7/lib-dynload/_heapq.cpython-37m-x86_64-linux-gnu.so
7f8251869000-7f82518a9000 rw-p 00000000 00:00 0
7f82518a9000-7f82518b5000 r-xp 00000000 ca:01 405341 /lib64/libnss_files-2.17.so
7f82518b5000-7f8251ab4000 ---p 0000c000 ca:01 405341 /lib64/libnss_files-2.17.so
7f8251ab4000-7f8251ab5000 r--p 0000b000 ca:01 405341 /lib64/libnss_files-2.17.so
7f8251ab5000-7f8251ab6000 rw-p 0000c000 ca:01 405341 /lib64/libnss_files-2.17.so
7f8251ab6000-7f8251abc000 rw-p 00000000 00:00 0
7f8251abc000-7f8257fe6000 r--p 00000000 ca:01 279226 /usr/lib/locale/locale-archive
7f8257fe6000-7f8258054000 r-xp 00000000 ca:01 405297 /lib64/libc-2.17.so
7f8258054000-7f8258055000 r-xp 0006e000 ca:01 405297 /lib64/libc-2.17.so
7f8258055000-7f82580ab000 r-xp 0006f000 ca:01 405297 /lib64/libc-2.17.so
7f82580ab000-7f82580ac000 r-xp 000c5000 ca:01 405297 /lib64/libc-2.17.so
7f82580ac000-7f82580cc000 r-xp 000c6000 ca:01 405297 /lib64/libc-2.17.so
7f82580cc000-7f82580cd000 r-xp 000e6000 ca:01 405297 /lib64/libc-2.17.so
7f82580cd000-7f82581a8000 r-xp 000e7000 ca:01 405297 /lib64/libc-2.17.so
7f82581a8000-7f82583a8000 ---p 001c2000 ca:01 405297 /lib64/libc-2.17.so
7f82583a8000-7f82583ac000 r--p 001c2000 ca:01 405297 /lib64/libc-2.17.so
7f82583ac000-7f82583ae000 rw-p 001c6000 ca:01 405297 /lib64/libc-2.17.so
7f82583ae000-7f82583b3000 rw-p 00000000 00:00 0
7f82583b3000-7f82584b4000 r-xp 00000000 ca:01 405328 /lib64/libm-2.17.so
7f82584b4000-7f82586b3000 ---p 00101000 ca:01 405328 /lib64/libm-2.17.so
7f82586b3000-7f82586b4000 r--p 00100000 ca:01 405328 /lib64/libm-2.17.so
7f82586b4000-7f82586b5000 rw-p 00101000 ca:01 405328 /lib64/libm-2.17.so
7f82586b5000-7f82586b7000 r-xp 00000000 ca:01 405089 /lib64/libutil-2.17.so
7f82586b7000-7f82588b6000 ---p 00002000 ca:01 405089 /lib64/libutil-2.17.so
7f82588b6000-7f82588b7000 r--p 00001000 ca:01 405089 /lib64/libutil-2.17.so
7f82588b7000-7f82588b8000 rw-p 00002000 ca:01 405089 /lib64/libutil-2.17.so
7f82588b8000-7f82588ba000 r-xp 00000000 ca:01 405086 /lib64/libdl-2.17.so
7f82588ba000-7f8258aba000 ---p 00002000 ca:01 405086 /lib64/libdl-2.17.so
7f8258aba000-7f8258abb000 r--p 00002000 ca:01 405086 /lib64/libdl-2.17.so
7f8258abb000-7f8258abc000 rw-p 00003000 ca:01 405086 /lib64/libdl-2.17.so
7f8258abc000-7f8258aca000 r-xp 00000000 ca:01 405081 /lib64/libpthread-2.17.so
7f8258aca000-7f8258acb000 r-xp 0000e000 ca:01 405081 /lib64/libpthread-2.17.so
7f8258acb000-7f8258ad3000 r-xp 0000f000 ca:01 405081 /lib64/libpthread-2.17.so
7f8258ad3000-7f8258cd2000 ---p 00017000 ca:01 405081 /lib64/libpthread-2.17.so
7f8258cd2000-7f8258cd3000 r--p 00016000 ca:01 405081 /lib64/libpthread-2.17.so
7f8258cd3000-7f8258cd4000 rw-p 00017000 ca:01 405081 /lib64/libpthread-2.17.so
7f8258cd4000-7f8258cd8000 rw-p 00000000 00:00 0
7f8258cd8000-7f8258fab000 r-xp 00000000 ca:01 156479 /var/lang/lib/libpython3.7m.so.1.0
7f8258fab000-7f82591aa000 ---p 002d3000 ca:01 156479 /var/lang/lib/libpython3.7m.so.1.0
7f82591aa000-7f8259219000 rw-p 002d2000 ca:01 156479 /var/lang/lib/libpython3.7m.so.1.0
7f8259219000-7f825923b000 rw-p 00000000 00:00 0
7f825923b000-7f825925d000 r-xp 00000000 ca:01 405334 /lib64/ld-2.17.so
7f825925d000-7f825925e000 r-xp 00000000 00:00 0
7f825926a000-7f82592ea000 rw-p 00000000 00:00 0
7f8259309000-7f825930c000 rw-p 00000000 00:00 0
7f825930c000-7f825930e000 rw-s 00000000 07:06 11 /tmp/function_shield_state_zRNBpd
7f825930e000-7f825930f000 rwxp 00000000 00:00 0
7f825930f000-7f825944f000 rw-p 00000000 00:00 0
7f825944f000-7f8259456000 r--s 00000000 ca:01 280886 /usr/lib64/gconv/gconv-modules.cache
7f8259456000-7f825945c000 rw-p 00000000 00:00 0
7f825945c000-7f825945d000 r--p 00021000 ca:01 405334 /lib64/ld-2.17.so
7f825945d000-7f825945e000 rw-p 00022000 ca:01 405334 /lib64/ld-2.17.so
7f825945e000-7f825945f000 rw-p 00000000 00:00 0
7ffcc3092000-7ffcc30b6000 rwxp 00000000 00:00 0 [stack]
7ffcc30b6000-7ffcc30b9000 r--p 00000000 00:00 0 [vvar]
7ffcc30b9000-7ffcc30bb000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Unsupported environment: can detect handler path
cannot detect handler path. read_handler protection disabled
Unsupported environment: can detect handler path
cannot detect handler path. read_handler protection disabled
Unsupported environment: can detect handler path
cannot detect handler path. read_handler protection disabled
Unsupported environment: can detect handler path
cannot detect handler path. read_handler protection disabled
END RequestId: eb57821e-dfbb-44b8-8876-bbe23af6f72e
Thanks in advance.
I'm available for any questions or help you guys need.
Cheers!
Problem running command in combination with FunctionShield
Problem
We created a lambda layer containing the following program because we use in multiple lambda's https://www.princexml.com/
We also have FunctionShield running in the same lambda to log all outgoing requests and this worked fine running on node 8 (More details below). When we tried upgrading Functionshield from v1 to v2 we ran into the following error.
ERROR { Error: Command failed: /opt/prince/bin/prince --javascript --verbose --structured-log=normal /tmp/tmp.html -o /tmp/tmp-1.pdf
at ChildProcess.exithandler (child_process.js:294:12)
at ChildProcess.emit (events.js:198:13)
at ChildProcess.EventEmitter.emit (domain.js:448:20)
at maybeClose (internal/child_process.js:982:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:259:5)
at Process.eval [as onexit] (webpack:////Users/kvgeert/workspace/inventive-designers/designer/node_modules/async-listener/glue.js?:188:31)
killed: false,
code: 1,
signal: null,
cmd:
'/opt/prince/bin/prince --javascript --verbose --structured-log=normal /tmp/tmp.html -o /tmp/tmp-1.pdf',
stdout: 'Unsupported execution environment\n',
stderr: '' }
We tried upgrading to node 10 and playing around with multiple settings but no luck. Disabling Function shield does the trick but we don't want to do that. Does this error originate from FunctionShield? Which steps can we take to debug this issue further?
Details:
Before:
Lambda version: 8
Version Prince: 12.3
Version FunctionShield: 1.2.6
After:
Lambda version: 10.x or 8
Version Prince: 12.3
Version FunctionShield: 2.0.6
Couldn't switch the policy back to 'alert' mode
I have added the function shield using Java in the static block of the handler. Configured the policy initially with 'block' mode and then changed it to 'alert' in a specific portion of code. But, it was not reflected. Still, seeing the 'block' mode error. Any idea about this issue?
Allow whitelist hosts for outbound connection
Is that possible to configure whitelist hosts that allow outbound connection without update policy? Sometimes we need to send an outbound request to a well-known host (trusted host), so it would explicitly allowed
How do I know FunctionShield does what it says?
Hi,
This looks very promising for our needs. However it's a lot to ask users to trust a closed source library like this. Can you please look into making the source code for libfunctionshieldcore.so available?
Guidance with an Express app running on AWS Lambda
Hello,
I just tried the function shield with a simple function. And it worked. To test I'd added it correctly, I tried writing to /tmp. Sure enough, when I do that right after adding this block ...
const FunctionShield = require('@puresec/function-shield'); FunctionShield.configure({ policy: { // 'block' mode => active blocking // 'alert' mode => log only // 'allow' mode => allowed, implicitly occurs if key does not exist outbound_connectivity: "alert", read_write_tmp: "block", create_child_process: "block", read_handler: "alert" }, token: 'tokenhere' });
... it works. The write to /tmp is blocked. Nice.
But then I want to protect all routes and files as Express uses multiple ones. Not just one file with a function in. So I tried a write to /tmp in the app's routes file (it uses serverless-http to run it). And that write to /tmp wasn't blocked. So ... does that mean that block of code above needs including in every file? I'd assumed it kind of "wrapped" the function by putting it in the index file that serverless-http uses. But sounds like that's not the case. I just wondered if you had experience with running Express on Lambda and any thoughts about the best approach?
(I'm not particularly concerned about /tmp, that was just a test of the process. Since if it stops that, it must be working.)
Thanks!
nevermind
Internal AWS requests blocked in china region
I'm trying to run FunctionShield in a AWS Lambda in the china region and calls to internal aws resources are getting blocked as outbound connections. I know aws in china is a very special case but is there any recommended workarounds/fixes for this?
{
"details": {
"host": "dynamodb.cn-northwest-1.amazonaws.com.cn",
"ip": "52.82.187.2"
},
"function_shield": true,
"timestamp": "2020-01-17T09:12:28.573156Z",
"policy": "outbound_connectivity",
"mode": "block"
}Support for Node 10.x
Getting this build error on node 10.x:
No native build was found for platform=darwin arch=x64 runtime=node abi=64 uv=1 libc=glibc
Are there plans to support 10.x in the near future with the aws lambda node8 runtime EOL approaching?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.