DOI: 10.1145/3508398.3511515 (ACM CODASPY conference proceedings, research article)

ProSPEC: Proactive Security Policy Enforcement for Containers

Published: 15 April 2022

Abstract

By providing lightweight and portable support for cloud native applications, container environments have gained significant momentum lately. A container orchestrator such as Kubernetes can enable the automatic deployment and maintenance of a large number of containerized applications. However, due to its critical role, a container orchestrator also attracts a wide range of security threats exploiting misconfigurations or implementation flaws. Moreover, enforcing security policies at runtime against such security threats becomes far more challenging, as the large scale of container environments implies high complexity, while the high dynamicity demands a short response time. In this paper, we tackle this key security challenge to container environments through a proactive approach, namely, ProSPEC. Our approach leverages learning-based prediction to conduct the computationally intensive steps (e.g., security verification) in advance, while keeping the runtime steps (e.g., policy enforcement) lightweight. Consequently, ProSPEC can ensure a practical response time (e.g., less than 10 ms in contrast to 600 ms with one of the most popular existing approaches) for large container environments (up to 800 Pods).

Supplementary Material

MP4 File (ProSPEC.mp4)
Presentation video of ProSPEC: Proactive Security Policy Enforcement for Containers at ACM CODASPY 2022.

    Published In

CODASPY '22: Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy, April 2022, 392 pages. ISBN: 9781450392204. DOI: 10.1145/3508398.
Publisher

Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. container security
    2. policy enforcement
    3. proactive security

    Qualifiers

    • Research-article

    Funding Sources

    • Natural Sciences and Engineering Research Council of Canada and Ericsson Canada

Conference

CODASPY '22

    Acceptance Rates

    Overall Acceptance Rate 149 of 789 submissions, 19%
