research-article

ProSPEC: Proactive Security Policy Enforcement for Containers

Authors:

Hugo Kermabon-Bobinnec,

Mahmood Gholipourchoubeh,

Suryadipta Majumdar,

Makan Pourzandi,

Lingyu WangAuthors Info & Claims

CODASPY '22: Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy

Pages 155 - 166

https://doi.org/10.1145/3508398.3511515

Published: 15 April 2022 Publication History

Abstract

By providing lightweight and portable support for cloud native applications, container environments have gained significant momentum lately. A container orchestrator such as Kubernetes can enable the automatic deployment and maintenance of a large number of containerized applications. However, due to its critical role, a container orchestrator also attracts a wide range of security threats exploiting misconfigurations or implementation flaws. Moreover, enforcing security policies at runtime against such security threats becomes far more challenging, as the large scale of container environments implies high complexity, while the high dynamicity demands a short response time. In this paper, we tackle this key security challenge to container environments through a proactive approach, namely, ProSPEC. Our approach leverages learning-based prediction to conduct the computationally intensive steps (e.g., security verification) in advance, while keeping the runtime steps (e.g., policy enforcement) lightweight. Consequently, ProSPEC can ensure a practical response time (e.g., less than 10 ms in contrast to 600 ms with one of the most popular existing approaches) for large container environments (up to 800 Pods).

Supplementary Material

MP4 File (ProSPEC.mp4)

Presentation video of ProSPEC: Proactive Security Policy Enforcement for Containers at ACM CODASPY 2022.

Download
70.98 MB

References

[1]

2015. OpenStack Congress. https://wiki.openstack.org/wiki/Congress/ Retrieved July 09, 2021 from

[2]

2018. Falco. https://falco.org/ Retrieved June 15, 2021 from

[3]

2018. Sysdig. https://sysdig.com/ Retrieved June 15, 2021 from

[4]

2019. Benchmark results of Kubernetes CNI over 10Gbit/s network. https://itnext.io/benchmark-results-of-kubernetes-network-plugins-cni-over-10gbit-s-network-updated-august-2020--6e1b757b9e49 Retrieved July, 2021 from

[5]

2019. Open Policy Agent/Gatekeeper. https://open-policy-agent.github.io/gatekeeper/ Retrieved July, 2021 from

[6]

2019. Report on the Enhancements of the NFV architecture towards"Cloud-native" and "PaaS", ETSI GR NFV-IFA 029 . Technical Report. ETSI.

[7]

2020. Calico: Open source networking solution for Kubernetes. https://docs.projectcalico.org/ Retrieved August 09, 2021 from

[8]

2020. Cloud Native Computing Foundation 2020 Survey Report. www.cncf.io/wp-content/uploads/2020/11/CNCF_Survey_Report_2020.pdf Retrieved September, 2021 from

[9]

2020. CVE-2020--8554: Man in the middle in Kubernetes. https://blog.champtar.fr/K8S_MITM_LoadBalancer_ExternalIPs/ Retrieved July 10, 2021 from

[10]

2020. Torin Sandall, OPA: Top 5 Kubernetes Admission Control Policies. https://thenewstack.io/open-policy-agent-the-top-5-kubernetes-admission-control-policies/ Retrieved July 20, 2021 from

[11]

2021. 'Azurescape' Kubernetes Attack Allows Cross-Container Cloud Compromise. https://threatpost.com/azurescape-kubernetes-attack-container-cloud-compromise/169319/ Retrieved October, 2021 from

[12]

2021. Container Runtimes. https://kubernetes.io/docs/setup/production-environment/container-runtimes/#cgroup-drivers Retrieved June, 2021 from

[13]

2021. CVE-2021--43979. https://nvd.nist.gov/vuln/detail/CVE-2021--43979 Retrieved January, 2022 from

[14]

2021. Docker authorization with OPA. www.openpolicyagent.org/docs/latest/docker-authorization/ Retrieved August 19, 2021 from

[15]

2021. Docker Swarm. https://docs.docker.com/engine/swarm/ Retrieved September 15, 2021 from

[16]

2021. Dynamic Admission Control. https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/ Retrieved September 30, 2021 from

[17]

2021. Installing kubeadm. https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/ Retrieved June, 2021 from

[18]

2021 a. Kubernetes. https://kubernetes.io Retrieved September 15, 2021 from

[19]

2021 b. Kubernetes API Reference. https://v1--18.docs.kubernetes.io/docs/reference/ Retrieved September 20, 2021 from

[20]

2021 c. Kubernetes Audit Logs. https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ Retrieved September 09, 2021 from

[21]

2021. Logstash CVE-2020--8554. www.elastic.co/logstash/ Retrieved June 13, 2021 from

[22]

2021. OpenShift. https://docs.openshift.com/ Retrieved September 15, 2021 from

[23]

Waheeda Syed Shameem Ahamed, Pavol Zavarsky, and Bobby Swar. 2021. Security Audit of Docker Container Images in Cloud Architecture. In ICSCCC. IEEE.

[24]

Ankur Ankan and Abinash Panda. 2015. pgmpy: Probabilistic graphical models using python. In SCIPY. Citeseer.

[25]

Mihir Bellare and Bennet Yee. 1997. Forward integrity for secure audit logs . Technical Report. Citeseer.

[26]

Sören Bleikertz, Carsten Vogel, Thomas Groß, and Sebastian Mödersheim. 2015. Proactive security analysis of changes in virtualized infrastructures. In ACSAC .

[27]

Thomas H Cormen, Charles E Leiserson, Ronald L Rivest, and Clifford Stein. 2009. Introduction to algorithms .MIT press. 594--602 pages.

[28]

Marco De Benedictis and Antonio Lioy. 2019. Integrity verification of Docker containers for a lightweight cloud environment. Future Generation Computer Systems, Vol. 97 (2019), 236--246.

Digital Library

[29]

Miguel Grinberg. 2018. Flask web development: developing web applications with python ." O'Reilly Media, Inc.".

[30]

Richard D Hipp. 2020. SQLite . https://www.sqlite.org/index.html

[31]

Min Li, Wanyu Zang, Kun Bai, Meng Yu, and Peng Liu. 2013. MyCloud: supporting user-configured privacy protection in cloud computing. In ACSAC .

[32]

Wu Luo, Qingni Shen, Yutang Xia, and Zhonghai Wu. 2019. Container-IMA: a privacy-preserving integrity measurement architecture for containers. In RAID .

[33]

Suryadipta Majumdar, Yosr Jarraya, Taous Madi, Amir Alimohammadifar, Makan Pourzandi, Lingyu Wang, and Mourad Debbabi. 2016. Proactive verification of security compliance for clouds through pre-computation: Application to OpenStack. In ESORICS. Springer.

[34]

Suryadipta Majumdar, Yosr Jarraya, Momen Oqaily, Amir Alimohammadifar, Makan Pourzandi, Lingyu Wang, and Mourad Debbabi. 2017. LeaPS: Learning-based proactive security auditing for clouds. In ESORICS. Springer.

[35]

Suryadipta Majumdar, Azadeh Tabiban, Meisam Mohammady, Alaa Oqaily, Yosr Jarraya, Makan Pourzandi, Lingyu Wang, and Mourad Debbabi. 2019. Proactivizer: Transforming existing verification tools into efficient solutions for runtime security enforcement. In ESORICS. Springer.

[36]

Richard E Neapolitan et almbox. 2004. Learning bayesian networks . Vol. 38. Pearson Prentice Hall Upper Saddle River, NJ. 550 pages.

[37]

d Shazibul Islam Shamim, Farzana Ahamed Bhuiyan, and Akond Rahman. 2020. XI Commandments of Kubernetes Security: A Systematization of Knowledge Related to Kubernetes Security Practices. In SecDev. IEEE.

[38]

Chin-Wei Tien, Tse-Yung Huang, Chia-Wei Tien, Ting-Chun Huang, and Sy-Yen Kuo. 2019. KubAnomaly: Anomaly detection for the Docker orchestration platform with neural network approaches. Engineering Reports, Vol. 1, 5 (2019), e12080.

[39]

Ioannis Tsamardinos, Laura E Brown, and Constantin F Aliferis. 2006. The max-min hill-climbing Bayesian network structure learning algorithm. Machine learning, Vol. 65, 1 (2006), 31--78.

[40]

Wes McKinney. 2010. Data Structures for Statistical Computing in Python. In SCIPY, Stéfan van der Walt and Jarrod Millman (Eds.).

[41]

Stephen S Yau, Arun Balaji Buduru, and Vinjith Nagaraja. 2015. Protecting critical cloud infrastructures with predictive capability. In CLOUD. IEEE.

Cited By

GholipourChoubeh MKermabon-Bobinnec HMajumdar SJarraya YWang LNour BPourzandi MVilela JSchulmann HLi N(2024)CCSM: Building Cross-Cluster Security Models for Edge-Core Environments Involving Multiple Kubernetes ClustersProceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy10.1145/3626232.3653253(79-90)Online publication date: 19-Jun-2024
https://dl.acm.org/doi/10.1145/3626232.3653253
Bagheri SKermabon-Bobinnec HKabir MMajumdar SWang LJarraya YNour BPourzandi M(2024)ACE-WARP: A Cost-Effective Approach to Proactive and Non-Disruptive Incident Response in Kubernetes ClustersIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.344903819(8204-8219)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3449038
Ugale SPotgantwar A(2023)Container Security in Cloud Environments: A Comprehensive Analysis and Future Directions for DevSecOpsRAiSE-202310.3390/engproc2023059057(57)Online publication date: 18-Dec-2023
https://doi.org/10.3390/engproc2023059057
Show More Cited By

Index Terms

ProSPEC: Proactive Security Policy Enforcement for Containers
1. Security and privacy

Recommendations

Security policy enforcement for networked smart objects

In the Internet of Things (IoT) heterogeneous technologies concur to the provisioning of customized services able to bridge the gap between the physical and digital realms. Security, privacy and data quality are acknowledged to represent key issues to ...
A review of security risks and countermeasures in containers

Containers are environments that allow software developers to package applications, along with their libraries, dependencies, and all the resources necessary for their operation. Due to the advantages of containers, compared to virtual machines, their use ...
Cross-application data provenance and policy enforcement

We present a new technique that can trace data provenance and enforce data access policies across multiple applications and machines. We have developed Garm, a tool that uses binary rewriting to implement this technique on arbitrary binaries. Users can ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CODASPY '22: Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy

April 2022

392 pages

ISBN:9781450392204

DOI:10.1145/3508398

General Chair:
Anupam Joshi
University of Maryland, Baltimore County, USA
,
Program Chairs:
Maribel Fernandez
King's College London, UK
,
Rakesh M. Verma
University of Houston, USA

Copyright © 2022 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 April 2022

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Natural Sciences and Engineering Research Council of Canada and Ericsson Canada

Conference

CODASPY '22

Sponsor:

SIGSAC

CODASPY '22: Twelveth ACM Conference on Data and Application Security and Privacy

April 24 - 27, 2022

MD, Baltimore, USA

Acceptance Rates

Overall Acceptance Rate 149 of 789 submissions, 19%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

6
Total Citations
View Citations
276
Total Downloads

Downloads (Last 12 months)72
Downloads (Last 6 weeks)5

Reflects downloads up to 16 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

GholipourChoubeh MKermabon-Bobinnec HMajumdar SJarraya YWang LNour BPourzandi MVilela JSchulmann HLi N(2024)CCSM: Building Cross-Cluster Security Models for Edge-Core Environments Involving Multiple Kubernetes ClustersProceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy10.1145/3626232.3653253(79-90)Online publication date: 19-Jun-2024
https://dl.acm.org/doi/10.1145/3626232.3653253
Bagheri SKermabon-Bobinnec HKabir MMajumdar SWang LJarraya YNour BPourzandi M(2024)ACE-WARP: A Cost-Effective Approach to Proactive and Non-Disruptive Incident Response in Kubernetes ClustersIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.344903819(8204-8219)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3449038
Ugale SPotgantwar A(2023)Container Security in Cloud Environments: A Comprehensive Analysis and Future Directions for DevSecOpsRAiSE-202310.3390/engproc2023059057(57)Online publication date: 18-Dec-2023
https://doi.org/10.3390/engproc2023059057
Bagheri SKermabon-Bobinnec HMajumdar SJarraya YWang LPourzandi M(2023)Warping the Defence Timeline: Non-Disruptive Proactive Attack Mitigation for Kubernetes ClustersICC 2023 - IEEE International Conference on Communications10.1109/ICC45041.2023.10278632(777-782)Online publication date: 28-May-2023
https://doi.org/10.1109/ICC45041.2023.10278632
Nour BPourzandi MDebbabi M(2023)A Survey on Threat Hunting in Enterprise NetworksIEEE Communications Surveys & Tutorials10.1109/COMST.2023.329951925:4(2299-2324)Online publication date: 14-Aug-2023
https://dl.acm.org/doi/10.1109/COMST.2023.3299519
Lee SNam J(2023)Kunerva: Automated Network Policy Discovery Framework for ContainersIEEE Access10.1109/ACCESS.2023.331028111(95616-95631)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3310281
Samir AAl-Wosabi AKhan MDagenborg H(2023)A Multi-pronged Self-adaptive Controller for Analyzing Misconfigurations for Kubernetes Clusters and IoT Edge DevicesService-Oriented and Cloud Computing10.1007/978-3-031-46235-1_10(153-169)Online publication date: 24-Oct-2023
https://dl.acm.org/doi/10.1007/978-3-031-46235-1_10

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents