{"id":22799178,"url":"https://github.com/dhammon/lambda-rasp","last_synced_at":"2025-03-30T19:15:10.785Z","repository":{"id":240478708,"uuid":"744308509","full_name":"dhammon/lambda-rasp","owner":"dhammon","description":"AWS Lambda runtime application self-protection (RASP).  Free and opensource.","archived":false,"fork":false,"pushed_at":"2024-05-19T05:17:29.000Z","size":717,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-05T21:43:06.313Z","etag":null,"topics":["aws-security","cloud-security","lambda","rasp","serverless-security"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dhammon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-17T03:00:23.000Z","updated_at":"2024-05-19T17:07:18.000Z","dependencies_parsed_at":null,"dependency_job_id":"c8590275-4969-4b3e-8331-2ede52b4cddf","html_url":"https://github.com/dhammon/lambda-rasp","commit_stats":null,"previous_names":["dhammon/lambda-rasp"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhammon%2Flambda-rasp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhammon%2Flambda-rasp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhammon%2Flambda-rasp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhammon%2Flambda-rasp/manifests","owner_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/owners/dhammon","download_url":"https://codeload.github.com/dhammon/lambda-rasp/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246365650,"owners_count":20765549,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-security","cloud-security","lambda","rasp","serverless-security"],"created_at":"2024-12-12T07:08:14.160Z","updated_at":"2025-03-30T19:15:10.770Z","avatar_url":"https://github.com/dhammon.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Lambda RASP\nThis runtime application self-protection (RASP) solution is designed for AWS Lambda functions.  Lambda-rasp is added to existing functions as a layer/extension and runs within the targeted function.  When the function is initialized, the lambda-rasp layer modifies the container's memory replacing AWS's native runtime API with a new socket value pointing to a local web server.  Events passed to the function then go directly to lambda-rasp *before* reaching the function's application handler.  This positions lambda-rasp as an inspection point where many OWASP ModSecurity regex rules have been hardcoded to check incoming events for malicious strings.  
If a malicious string is detected, lambda-rasp prints the violated rules to standard output and kills further processing *before* the event would be passed to the function's application.\n\n\n# Configuration\n\u003e See the Performance section for guidance on these settings\nThe following constants are set in `src/main.rs` and are used to tune and troubleshoot lambda-rasp deployments based on your needs:\n- `VERBOSE`: display debug messages\n- `FAIL_OPEN`: run the lambda if the layer fails\n- `BLOCKING_MODE`: kill the lambda if a rule is violated\n- `RULE_MODE`: performance vs. security tuning: 0=performance, rule run durations 0-10ms; 1=balanced, rule run durations 11-99ms; 2=paranoid, rule run durations 100+ms\n- `RULE_CLASS`: set the classes of rules to apply. Limited by `RULE_MODE`. For example, if the RFI `RULE_CLASS` is selected with `RULE_MODE` 0, only the RFI rules in mode 0 will be used.\n\n**Class counts by mode**\n| Class | Mode 0 | Mode 1 | Mode 2 |\n| --- | --- | --- | --- |\n| LFI      | 0 | 1 | 0 |\n| RFI      | 1 | 3 | 0 |\n| RCE      | 14 | 13 | 5 |\n| DESERIAL | 5 | 0 | 0 |\n| PP       | 1 | 0 | 0 |\n| DOS      | 0 | 1 | 0 |\n| SSRF     | 0 | 1 | 0 |\n| XSS      | 10 | 4 | 1 |\n| TEMPLATE | 1 | 0 | 0 |\n| SQLI     | 22 | 23 | 1 |\n| NOSQLI   | 1 | 0 | 0 |\n| FIXATION | 0 | 2 | 0 |\n| UPLOAD   | 1 | 0 | 0 |\n\n\n# Performance\nThe following table offers example time costs of running lambda-rasp with various settings.\n| Mode | Classes | Duration |\n| --- | --- | --- |\n| 0 | null | ~8ms |\n| 0 | RCE | ~148ms |\n| 0 | RCE, SQLI | ~310ms |\n| 1 | RCE, SQLI | ~1100ms |\n| 1 | all | ~1579ms |\n| 2 | all | ~2419ms |\n\n\n# Deploy\n1. Create the function that you want to protect\n2. Create a layer with the x86_64 architecture (ARM is not supported)\n3. Update the deploy-test.sh function variable with the name of the function from step 1.\n4. Update the deploy-test.sh layer variable with the ARN of the layer created in step 2.\n5. Update the deploy-test.sh runtimes variable as needed\n6. 
Configure AWS credentials (e.g. profile, environment variables, etc.)\n7. Run deploy-test.sh\n\n\n# Example\nRunning the benign payload scenario. The deployed function (top pane) and the function events (bottom pane) display \"lambda hit!\", which comes from a Python print statement used as a placeholder for the function's app.\n![](images/deploy.png)\n\nRunning the malicious payload scenario. Same deployment as above, but this time invoking the function with a SQL injection payload.\n![](images/block.png)\n\n\n# Local Test Environment\nUsing [Cargo Lambda](https://www.cargo-lambda.info/commands/watch.html#working-with-extensions) to build a lambda extension.\n\nInstall Cargo Lambda:\n```\nbrew tap cargo-lambda/cargo-lambda\nbrew install cargo-lambda\n```\n\nSet up the test function:\n```\ncargo lambda new --no-interactive test-function\ncargo lambda watch -v\n```\n\nAttach the extension:\n```\n# from within the extension directory\nexport AWS_LAMBDA_RUNTIME_API=http://[::]:9000/.rt\ncargo run\n# observe the running test function's log\n```\n\nTest the running function + extension:\n```\ncargo lambda invoke --data-ascii '{\"command\": \"hi\"}'\n```\n\nDeploy the extension:\n```\ncargo lambda build --extension --release\ncargo lambda deploy --extension --compatible-runtimes python3.8 --layer-arn arn:aws:lambda:us-east-1:134672723840:function:deleteme\n```\n\n## Local Test Notes\nRun tests as root :(\nRun tests with RULE_MODE=2 (paranoid)\n`cargo check`\n`cargo test -- --nocapture`\n`cargo test rule_xss --`\n1. Update the PID 1 heap start address (decimal) in memory.rs:\n    `printf \"%d\\n\" 0x$(sudo cat /proc/1/maps | grep heap | awk -F\"-\" '{print $1}')`\n2. Start a Python web server on port 9001\n\n\n## Remote Test Notes\nRequires a Lambda function in the account\nRequires the AWS CLI and a default profile\n1. Build the extension: `cargo lambda build --extension --release`\n2. Run `aws logs tail /aws/lambda/deleteme --follow`\n3. 
Run ./deploy-test.sh\nManual remote test:\n`aws lambda invoke --function-name deleteme --cli-binary-format raw-in-base64-out --payload '{\"key1\":\"value1\"}' /tmp/lambda_invoke.log`\n\n# Credits\n- AWS [Lambda runtime API](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html): great docs on how the Lambda runtime operates.\n- Clearvector's [lambda-spy](https://github.com/clearvector/lambda-spy) repository. Inspired the memory/webserver design that underpins lambda-rasp. Great research!\n- OWASP's [ModSecurity](https://github.com/owasp-modsecurity/ModSecurity) repository, where the rules were pulled from. Love ModSecurity WAF.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdhammon%2Flambda-rasp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdhammon%2Flambda-rasp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdhammon%2Flambda-rasp/lists"}