fwd:cloudsec 2023

Liv Matan

Liv Matan is a cloud security researcher at Ermetic, where he specializes in application and web security. He previously served in the 8200 Intelligence Corps unit as a software developer. As a bug bounty hunter, Liv has found several vulnerabilities in popular software platforms, such as Azure web services, Facebook and GitLab.
In his free time, Liv boxes, lifts and plays Capture the Flag (CTF).
Liv studied computer science at the Weizmann Institute of Science in Israel.


Session

06-12
09:50
20min
IMDS: The Gatekeeper to Your Cloud Castles (And How to Keep the Dragons Out)
Liv Matan, Lior Zatlavi

Most of us know IMDS as a tool for seamlessly maintaining and supplying credentials for applications running on instances to access resources in cloud environments. However, a deep understanding of IMDS implementations across cloud providers is what separates the security novices from the advanced practitioners - and can be crucial for the security of your cloud environment.

During this talk we’ll take a deep dive into the protections offered by different cloud service providers for the IMDS used by computing instances, and how they have evolved over time. We’ll demonstrate how these mechanisms could mean the difference between a critical and non-critical vulnerability, through the story of a real-life vulnerability we found in a leading cloud provider. We’ll talk about the customer’s part of the shared responsibility model in this context - and how that must evolve as well.

We’ll demonstrate how vulnerable software may be leveraged by an attacker to gain access to credentials and talk about the kind of compensating controls which may be used to mitigate this risk.

Inside & Outside
Salon C