STATE OF IDENTITY SECURITY Permiso has released the 2024 Survey Report

[GET THE REPORT]
Illustration Cloud

Introducing SkyScalpel: An Open-Source Tool to Combat Policy Obfuscation in Cloud Environments

At Permiso Security, we're committed to building and providing tools that empower teams to maintain high standards of cloud and identity security. Often inspired by a small mixture of in-the-wild observations and always driven by a heaping dose of curiosity, our team performs research to solve today’s challenges for our customers while enumerating the problem spaces of tomorrow.

In this spirit, today we are excited to announce the release of SkyScalpel - an open-source tool that obfuscates, deobfuscates and detects obfuscated JSON documents with an additional focus on IAM policies used to control permissions in AWS cloud environments.

SkyScalpel1

SkyScalpel Intro

JSON-based IAM policies in cloud environments, particularly in AWS, dictate what resources users and systems can access and the actions they can perform. However, these policies can be susceptible to obfuscation—a technique where bad actors manipulate the policy’s syntax and semantics to hide their true intentions. This makes it difficult for security teams to detect and prevent unauthorized access effectively.

SkyScalpel addresses this issue by providing a robust solution for parsing, normalizing and deobfuscating policies. It ensures that security teams can quickly identify and rectify policies that may compromise the security of their cloud environments.

Its foundation is a 100% custom-built C# JSON parser that handles tokenization and syntax tree parsing. This custom parser is what enables surgical precision when dissecting any JSON document, policy-specific wildcard evaluation and nested JSON path traversal that slices through JSON-level syntactical obfuscation. The rest of the project is a PowerShell wrapper designed for maximum flexibility, randomization and pipeline capabilities for seamlessly connecting all desired functions in a single command.

Given a simple policy containing some light obfuscation, the custom tokenizer parses and decodes the syntactical obfuscation techniques - enabling access to the underlying values while still preserving the original values for comparison (or reassembly of the original input policy).

SkyScalpel2

SkyScalpel3

Understanding the Need for SkyScalpel in Combatting IAM Policy Obfuscation

Attackers attempting to evade policy-focused detections can apply evasive techniques at the syntactical JSON level, syntactical IAM policy level and logic policy level. Several of the tricks we outline in this research are also heavily influenced by the context and tooling used to create or query the policies or runtime events related to policy updates.

Besides generic JSON obfuscation tricks like Unicode encoding and whitespace output tricks that certain rendering engines are susceptible to based on the JSON RFC’s liberal definition of “insignificant whitespace” (which turns out to be rather significant after all), policy-specific logic evasions are also possible.

Here are some more notable obfuscation techniques that SkyScalpel can introduce, identify and/or resolve:

  1. Single-Element Action Array
    • Some policy properties that support a list of values can have the list syntax removed (or added) if only a single value is present.
  2. Reorder Properties
    • JSON supports reordering of properties, so multi-properties string-based detections can potentially be fooled by this property-tumbling approach.
  3. Reorder Action Array Elements
    • While not officially supported by JSON, IAM policies support reordering values in the Action/NotAction, Principal/NotPrincipal and Resource/NotResource properties (as long as the final value is not proceeded by a comma).
  4. Action Wildcards ( * and ? )
    • The use of wildcards can unseemingly expand permissions, potentially enabling unintended access. This syntax is semi-commonly used in some cloud environments, though is often not employed to any notably sophisticated and evasive degree. For example, there is a big difference (even visually) between a policy containing the Action value iam:Create* and iam:Cr?a*P*y.
  5. Random Casing
    • Varying the capitalization of eligible properties and/or property values within policy documents can bypass tools designed to detect specific case-sensitive strings, allowing risky policies to go unnoticed.
  6. Unicode Encoding
    • Incorporating Unicode characters in policy elements can be used to evade detection mechanisms that fail to properly decode or interpret Unicode, masking potential threats. The defender’s familiarity with the employed toolset is of utmost importance for countering this technique’s evasive qualities since there are subtle differences in automatic normalization between AWS’ official CLI and SDKs. Differences also exist when comparing the static data of a policy queried via the appropriate API and the policy contents present in the runtime event of the policy creation or modification.
  7. Insignificant Whitespace
    • Misleading use of whitespace can make policies difficult to read and interpret accurately, sometimes hiding portions of the policy from being displayed when the carriage return character is used (one of the less-known valid “insignificant whitespace” characters supported by JSON).

Below is an example of the same small policy with each of the above obfuscation techniques applied:

SkyScalpel4

Detecting Obfuscated IAM Policies Using SkyScalpel

While a significant portion of SkyScalpel is dedicated to the randomized obfuscation and deobfuscation of JSON documents and IAM policies using the aforementioned techniques, detection is the ultimate goal of this research.

Simple detection building blocks can benefit from targeted expansion of Action/NotAction values containing wildcard characters (* and ?) as shown below:

SkyScalpel5

We also codified identification of the above concepts and more syntactical obfuscation techniques in the detection ruleset we released with this research, neatly encapsulated in a single Find-Evil function shown below (complete with scoring, priority and color-coded summaries):

SkyScalpel6

In a future blog post we will go into more detailed examples of unique ways SkyScalpel can help us solve old and new problems. But for those who cannot wait and want to try it out for themselves, then check out the technical examples in the project’s README.

Conclusion

Permiso Security invests significant research efforts into identifying and exploring the biggest pain points of cloud and identity security. We leverage our incident response and threat hunting backgrounds when designing and developing the Permiso platform to solve our customers’ biggest challenges, and when possible we share this research and corresponding open-source tooling for the benefit of the entire community.

We hope SkyScalpel helps many organizations to extend their red team evasion capabilities and to more thoroughly test current detection capabilities for policy obfuscation or any JSON-document-based evasion technique.

You can access SkyScalpel on GitHub: https://github.com/Permiso-io-tools/SkyScalpel

Illustration Cloud

Related Articles

How Adversaries Abuse Serverless Services to Harvest Sensitive Data from Environment Variables

Introduction In cloud computing, the evolution of serverless technology has significantly transformed how developers build and run applications. Over the years, the adoption of serverless computing has grown rapidly, with developers and

INTRODUCING CAPICHE DETECTION FRAMEWORK: AN OPEN-SOURCE TOOL TO SIMPLIFY CLOUD API-BASED HUNTING

Intro Attacks on cloud infrastructure have been steadily increasing in quantity, sophistication and scope. Common cryptomining attacks still exists, but the proliferation of BEC (Business Email Compromise) and SMS spamming along with full-bore

BucketShield: Track Log Flow, Secure Buckets, Simulate Threats – All in One Open-Source Tool

Introduction In today’s cloud-powered world, keeping your logs secure and intact is more important than ever. AWS CloudTrail serves as the backbone for tracking all activities across your cloud environment, but simply enabling it isn't enough.

View more posts