Nir Ohfeld is a security researcher from Israel. Nir currently does cloud-related security research at Wiz. Nir specializes in the exploitation of web applications, in application security, and in finding vulnerabilities in complex high-level systems.
Cloud service providers (CSPs) offer immense and ever-growing functionality. While this greatly benefits organizations and their business, it also generates a much broader attack surface compared to traditional application security research.
In this session, we share the methodologies and internally developed strategy we used to successfully uncover multiple critical vulnerabilities and design issues in the core of major CSPs. Covering the whole research process - from choosing a target to exploiting a remote code execution vulnerability on a managed service, we will explain how we found issues that affected thousands of cloud customers and organizations.
We will dive into the bits and bytes of some of our major findings (ChaosDB, OMIGOD, AWS confused deputy vulnerabilities, ExtraReplica and more), explain our mindset and approach, and discuss common pitfalls to avoid when performing a security audit of a target. Attendees should expect to better understand the fundamentals behind real-world cloud security exploits and gain practical tools to enhance their own independent cloud security research.
In this session, we will unveil new research on the unseen risk of "cloud middleware" - the proprietary software that bridges customers' virtual machines and cloud service providers' integrations. We found that this software is commonly installed on customers' virtual machines without the customer’s awareness or explicit consent and can often introduce new potential attack surfaces to cloud environments.
When Microsoft patched vulnerabilities found in the secretly installed agent Open Management Infrastructure (OMI), it was initially the customers' responsibility to update all the vulnerable agents running across their environments - agents they were not aware existed! Even today, the maintenance of implicitly installed cloud agents does not perfectly fit the shared responsibility model. Are cloud service providers responsible for keeping the agents they are installing up to date, as most customers expect? In our session, we will present unique statistics regarding how long cloud middleware agents remain vulnerable after exploits are made public, and discuss details about the patching process.