Threat Model Analysis for openfaas/faas

Threat: Unauthenticated Gateway Access

Description: Attacker bypasses authentication mechanisms (or lack thereof) on the OpenFaaS Gateway to directly access and invoke functions. This could be done by directly sending requests to the Gateway endpoint without providing valid credentials.
Impact: Unauthorized function execution, potentially leading to data breaches if functions access sensitive data, resource abuse by running functions for malicious purposes, and denial of service by overloading the system.
Affected Component: OpenFaaS Gateway
Risk Severity: Critical
Mitigation Strategies:
- Implement strong authentication on the Gateway using mechanisms like API keys, OAuth 2.0, or OpenID Connect.
- Enforce authorization policies to control which users or services can invoke specific functions.

Description: Attacker floods the OpenFaaS Gateway with a large volume of requests, exceeding its capacity to handle legitimate traffic. This can be achieved using botnets or simple scripting tools to send numerous requests to function invocation endpoints.
Impact: Denial of service, making functions unavailable to legitimate users. This can disrupt critical services and impact business operations.
Affected Component: OpenFaaS Gateway
Risk Severity: High
Mitigation Strategies:
- Implement rate limiting on the Gateway to restrict the number of requests from a single source within a given timeframe.
- Deploy Web Application Firewall (WAF) in front of the Gateway to filter malicious traffic and detect DoS attacks.

Description: Attacker exploits misconfigurations in the OpenFaaS Gateway setup, such as exposed management ports, weak TLS settings, or overly permissive access control lists. This could involve scanning for open ports or analyzing publicly accessible configuration files.
Impact: Unauthorized access to the Gateway management interface, potential data exposure if TLS is misconfigured, and ability to manipulate Gateway settings, potentially leading to platform compromise.
Affected Component: OpenFaaS Gateway Configuration
Risk Severity: High
Mitigation Strategies:
- Follow security best practices for Gateway configuration, including disabling unnecessary features and ports.
- Enforce strong TLS configuration with up-to-date certificates and secure cipher suites.
- Implement strict network access controls to limit access to management interfaces.

Description: Attacker injects malicious code into a function, often by exploiting vulnerabilities in how the function processes user input or external data. This could involve manipulating input parameters to execute arbitrary commands or perform SSRF attacks.
Impact: Unauthorized code execution within the function environment, potentially leading to data breaches, access to internal resources, and compromise of the underlying system.
Affected Component: Function Code
Risk Severity: Critical
Mitigation Strategies:
- Implement robust input validation and sanitization for all function inputs.
- Avoid dynamically generating code based on untrusted input.
- Follow secure coding practices to prevent common injection vulnerabilities.

Description: Attacker exploits known vulnerabilities in third-party libraries or dependencies used by functions. This can be done by identifying outdated or vulnerable packages used in the function's deployment.
Impact: Similar to code injection, potentially leading to unauthorized code execution, data breaches, and system compromise within the function environment.
Affected Component: Function Dependencies
Risk Severity: High
Mitigation Strategies:
- Regularly scan function dependencies for known vulnerabilities using vulnerability scanning tools.
- Keep function dependencies up-to-date with the latest security patches.

Description: Attacker gains access to sensitive secrets (API keys, passwords, database credentials) used by functions. This could happen if secrets are hardcoded in function code, logged insecurely, or stored in environment variables without proper protection.
Impact: Unauthorized access to external services or databases, data breaches, and potential compromise of linked systems.
Affected Component: Function Secrets Management
Risk Severity: Critical
Mitigation Strategies:
- Use secure secrets management solutions provided by OpenFaaS or the underlying orchestrator (e.g., Kubernetes Secrets).
- Avoid hardcoding secrets in function code or configuration files.
- Encrypt secrets at rest and in transit.

Description: Attacker gains unauthorized access to the function store or registry where function container images are stored. This could be due to weak access controls, misconfigurations, or vulnerabilities in the registry software.
Impact: Intellectual property theft by accessing function code, deployment of malicious functions by modifying or replacing existing images, and potential compromise of the OpenFaaS platform.
Affected Component: Function Store/Registry
Risk Severity: High
Mitigation Strategies:
- Implement strong authentication and authorization for access to the function store/registry.
- Use private registries and restrict access to authorized users and services.

Description: Attacker exploits weak or default credentials or vulnerabilities in authentication mechanisms for OpenFaaS management interfaces (e.g., faas-cli, UI). This could involve brute-force attacks, credential stuffing, or exploiting known authentication bypass vulnerabilities.
Impact: Unauthorized access to management interfaces, allowing attackers to deploy malicious functions, modify configurations, and potentially take control of the OpenFaaS platform.
Affected Component: OpenFaaS Management Interfaces (faas-cli, UI)
Risk Severity: High
Mitigation Strategies:
- Enforce strong password policies and multi-factor authentication for all management interfaces.
- Disable default accounts and change default passwords.
- Restrict access to management interfaces to authorized users and networks.