HELIOS: Hardware-assisted High-performance Security Extension for Cloud Networking
Pages 486 - 501
Abstract
With the increasing adoption of containerization in cloud services, container networking has become a critical concern, as it enables the agile deployment of microservices but also introduces new vulnerabilities susceptible to network attacks, posing a threat to container environments. While several security solutions have been introduced to address this concern, they unfortunately exhibit significant shortcomings, including security vulnerabilities and limited performance. We thus propose Helios, a novel hardware-based network security extension that addresses the security and performance limitations in existing solutions. Leveraging a smartNIC, Helios enhances both the security and performance facets of container networking through two key mechanisms: (i) the establishment of physically isolated container communication channels and (ii) the network security engines fully offloaded to the smartNIC. Our evaluation shows that Helios mitigates various network threats initiated from both container- and host-side while performing up to 3x faster than the existing solutions in container communication.
References
[1]
2008. PCI-SIG Single Root I/O Virtualization (SR-IOV) Support in Intel® Virtualization Technology for Connectivity. https://www.intel.com/content/www/us/en/pci-express/pci-sig-single-root-io-virtualization-support-in-virtualization-technology-for-connectivity-paper.html.
[2]
2013. Namespaces in Operation, Part 1: Namespaces Overview. https://lwn.net/Articles/531114/.
[3]
2014. wrk -- a HTTP Benchmarking Tool. https://github.com/wg/wrk.
[4]
2015. Kubernetes Performance Measurements and Roadmap. https://kubernetes.io/blog/2015/09/kubernetes-performance-measurements-and/.
[5]
2018. Flask Docker Container Image. https://hub.docker.com/r/jcdemo/flaskapp.
[6]
2019. CVE-2019-8341. https://nvd.nist.gov/vuln/detail/CVE-2019-8341/.
[7]
2020. CVE-2020-11100. https://nvd.nist.gov/vuln/detail/CVE-2020-11100/.
[8]
2021. State of Kubernetes Security Report. https://thechief.io/c/editorial/state-of-kubernetes-security-report.
[9]
2022. 7 Most Infamous Cloud Security Breaches. https://blog.storagecraft.com/7-infamous-cloud-security-breaches/.
[10]
2022. Amazon Web Services. https://aws.amazon.com/.
[11]
2023. AppArmor, Linux Kernel Security Module. https://apparmor.net/.
[12]
2023. bridge(8) --- Linux manual page. https://man7.org/linux/manpages/man8/bridge.8.html.
[13]
2023. Calio-felix. https://docs.projectcalico.org/reference/felix/.
[14]
2023. Cilim Envoy Extension. https://docs.cilium.io/en/v1.13/security/network/proxy/envoy/.
[15]
2023. Cilium. https://www.cilium.io/.
[16]
2023. Cilium-agent. https://docs.cilium.io/en/stable/cmdref/cilium-agent/.
[17]
2023. CNI: The container network interface. https://www.cni.dev/.
[18]
2023. Docker. https://www.docker.com.
[19]
2023. Docker host networking. https://docs.docker.com/network/host/.
[20]
2023. DockerHub: envoyproxy/envoy. https://hub.docker.com/r/envoyproxy/envoy.
[21]
2023. DockerHub: hashicorp/boundary. https://hub.docker.com/r/hashicorp/boundary.
[22]
2023. DockerHub: sysdig. https://hub.docker.com/r/sysdig/sysdig.
[23]
2023. eBPF Introduction, Tutorials. https://docs.cilium.io/en/stable/bpf/.
[24]
2023. Flannel-d. https://github.com/flannel-io/flannel.
[25]
2023. Google Cloud Platform (GCP). https://cloud.google.com/.
[26]
2023. HAProxy ingress controler. https://haproxy-ingress.github.io/.
[27]
2023. Hewlett Packard Enterprise. Netperf. https://hewlettpackard.github.io/netperf/.
[28]
2023. Host network driver. https://docs.docker.com/network/drivers/host/.
[29]
2023. iPerf. Network Bandwidth Measurement Tool. https://iperf.fr/iperf-download.php.
[30]
2023. Kubernetes. https://kubernetes.io.
[31]
2023. Kubernetes API Watcher Design. https://docs.openstack.org/kuryr/0.2.0/devref/k8s_api_watcher_design.html.
[32]
2023. Kubernetes: Considerations for large clusters. https://kubernetes.io/docs/setup/best-practices/cluster-large/.
[33]
2023. Kubernetes Privilege Escalation. https://i.blackhat.com/USA-22/Thursday/US-22-Avrahami-Kubernetes-Privilege-Escalation-Container-Escape-Cluster-Admin.pdf.
[34]
2023. Linux SYSSTAT. http://sebastien.godard.pagesperso-orange.fr/.
[35]
2023. Microsoft Azure. https://azure.microsoft.com/.
[36]
2023. Netronome Agilo CX smartNIC 2x40GbE. https://www.netronome.com/media/documents/PB_NFP-4000-7-20.pdf.
[37]
2023. Nginx Docker Container. https://hub.docker.com/_/nginx.
[38]
2023. OpenVPN Access Server. https://hub.docker.com/r/mace/openvpn-as.
[39]
2023. Project Calico. https://www.projectcalico.org/.
[40]
2023. Redis Docker Container. https://hub.docker.com/_/redis.
[41]
2023. Service | Kubernetes. https://kubernetes.io/docs/concepts/services-networking/service/.
[42]
2023. TCPdump manpage. https://www.tcpdump.org/manpages/.
[43]
2023. The Istio service mesh. https://istio.io/.
[44]
2023. The Linked servie mesh. https://linkerd.io/.
[45]
2023. veth -- Virtual Ethernet Device. https://man7.org/linux/manpages/man4/veth.4.html/.
[46]
Ali AlSabeh, Elie Kfoury, Jorge Crichigno, and Elias Bou-Harb. 2022. P4DDPI: Securing P4-Programmable Data Plane Networks via DNS Deep Packet Inspection. In Proceedings of the 2022 Network and Distributed System Security (NDSS) Symposium. 1ś7.
[47]
Kelly Brady, Seung Moon, Tuan Nguyen, and Joel Coffman. 2020. Docker Container Security in Cloud Computing. In In Proceedings of Annual Computing and Communication Workshop and Conference. 975--980.
[48]
Gerald Budigiri, Christoph Baumann, Jan Tobias Mühlberg, Eddy Truyen, and Wouter Joosen. 2021. Network Policies in Kubernetes: Performance Evaluation and Security Analysis. In In proceedings of Joint European Conference on Networks and Communications & 6G Summit. 407--412.
[49]
Pubali Datta, Prabuddha Kumar, Tristan Morris, Michael Grace, Amir Rahmati, and Adam Bates. 2020. Valve: Securing Function Workflows on Serverless Computing Platforms. In Proceedings of the Web Conference 2020. 939--950.
[50]
Ana Duarte and Nuno Antunes. 2018. An Empirical Study of Docker Vulnerabilities and of Static Code Analysis Applicability. In In Proceedings of Latin-American Symposium on Dependable Computing. 27--36.
[51]
William Findlay, David Barrera, and Anil Somayaji. 2021. BPFContain: Fixing the Soft Underbelly of Container Security. arXiv preprint arXiv:2102.06972 (2021).
[52]
Seyedhamed Ghavamnia, Tapti Palit, Azzedine Benameur, and Michalis Polychronakis. 2020. Confine: Automated System Call Policy Generation for Container Attack Surface Reduction. In Proceedings of International Symposium on Research in Attacks, Intrusions and Defenses. 443--458.
[53]
Joel Hypolite, John Sonchack, Shlomo Hershkop, Nathan Dautenhahn, André DeHon, and Jonathan M Smith. 2020. DeepMatch: practical deep packet inspection in the data plane using network processors. In Proceedings of the 16th International Conference on emerging Networking EXperiments and Technologies. 336--350.
[54]
Theo Jepsen, Daniel Alvarez, Nate Foster, Changhoon Kim, Jeongkeun Lee, Masoud Moshref, and Robert Soulé. 2019. Fast string searching on pisa. In Proceedings of ACM Symposium on SDN Research. 21--28.
[55]
Jakub Kicinski and Nicolaas Viljoen. 2016. eBPF Hardware Offload to SmartNICs: cls bpf and XDP. Proceedings of netdev 1 (2016).
[56]
Abhinav Kommula, Yen-Hung Frank Hu, Mary Ann Hoppa, and Samuel Olatunbosun. 2020. Machine Learning Techniques to Enhance Container Network Security. In In proceedings of International Conference on Computational Science and Computational Intelligence. 622--627.
[57]
Lingguang Lei, Jianhua Sun, Kun Sun, Chris Shenefiel, Rui Ma, Yuewu Wang, and Qi Li. 2017. SPEAKER: Split-phase execution of application containers. In Proceedings of International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment.
[58]
Wubin Li, Yves Lemieux, Jing Gao, Zhuofeng Zhao, and Yanbo Han. 2019. Service mesh: Challenges, state of the art, and future research opportunities. In Proceedings of IEEE International Conference on Service-Oriented System Engineering. 122--1225.
[59]
Xing Li, Xue Leng, and Yan Chen. 2021. Securing Serverless Computing: Challenges, Solutions, and Opportunities. arXiv preprint arXiv:2105.12581 (2021).
[60]
Xin Lin, Lingguang Lei, Yuewu Wang, Jiwu Jing, Kun Sun, and Quan Zhou. 2018. A measurement study on linux container security: Attacks and countermeasures. In Proceedings of Annual Computer Security Applications Conference. 418--429.
[61]
Coleman Link, Jesse Sarran, Garegin Grigoryan, Minseok Kwon, M Mustafa Rafique, and Warren R Carithers. 2019. Container Orchestration by Kubernetes for RDMA Networking. In Proceedings of IEEE International Conference on Network Protocols. 1--2.
[62]
Chang Liu, Longtao He, Gang Xiong, Zigang Cao, and Zhen Li. 2019. Fs-net: A flow sequence network for encrypted traffic classification. In IEEE INFOCOM 2019-IEEE Conference On Computer Communications. IEEE, 1171--1179.
[63]
Antony Martin, Simone Raponi, Théo Combe, and Roberto Di Pietro. 2018. Docker Ecosystem -- Vulnerability Analysis. Computer Communications 122 (2018), 30--43.
[64]
Jaehyun Nam, Seungsoo Lee, Phillip Porras, Vinod Yegneswaran, and Seungwon Shin. 2022. Secure Inter-Container Communications Using XDP/eBPF. IEEE/ACM Transactions on Networking 31, 2 (2022), 934--947.
[65]
Jaehyun Nam, Seungsoo Lee, Hyunmin Seo, Phil Porras, Vinod Yegneswaran, and Seungwon Shin. 2020. BASTION: A Security Enforcement Network Stack for Container Networks. In Proceedings of USENIX Annual Technical Conference. 81--95.
[66]
Salvatore Pontarelli, Roberto Bifulco, Marco Bonola, Carmelo Cascone, Marco Spaziani, Valerio Bruschi, Davide Sanvito, Giuseppe Siracusano, Antonio Capone, Michio Honda, et al. 2019. Flowblaze: Stateful packet processing in hardware. In Proceedings of the 16th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2019. USENIX ASSOC, 531--547.
[67]
Jamal Hadi Salim. 2015. Linux traffic control classifier-action subsystem architecture. Proceedings of Netdev 0.1 (2015).
[68]
Meng Shen, Jinpeng Zhang, Liehuang Zhu, Ke Xu, and Xiaojiang Du. 2021. Accurate decentralized application identification via encrypted traffic analysis using graph neural networks. IEEE Transactions on Information Forensics and Security 16 (2021), 2367--2380.
[69]
Sari Sultan, Imtiaz Ahmad, and Tassos Dimitriou. 2019. Container Security: Issues, Challenges, and the Road Ahead. IEEE Access 7 (2019), 52976--52996.
[70]
Yuqiong Sun, David Safford, Mimi Zohar, Dimitrios Pendarakis, Zhongshu Gu, and Trent Jaeger. 2018. Security Namespace: Making Linux Security Frameworks Available to Containers. In Proceedings of USENIX Security Symposium. 1423--1439.
[71]
Kun Suo, Yong Zhao, Wei Chen, and Jia Rao. 2018. An analysis and empirical study of container networks. In IEEE INFOCOM 2018-IEEE Conference on Computer Communications. IEEE, 189--197.
[72]
Linyih Teng, Chi-Hsiang Hung, and Charles H-P Wen. 2022. P4SF: A High-Performance Stateful Firewall on Commodity P4-Programmable Switch. In NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium. IEEE, 1--5.
[73]
Wei Wang, Ming Zhu, Jinlin Wang, Xuewen Zeng, and Zhongzhen Yang. 2017. End-to-end encrypted traffic classification with one-dimensional convolution neural networks. In 2017 IEEE international conference on intelligence and security informatics (ISI). IEEE, 43--48.
[74]
Jinli Yan, Lu Tang, Junnan Li, Xiangrui Yang, Wei Quan, Hongyi Chen, and Zhigang Sun. 2019. UniSec: a unified security framework with SmartNIC acceleration in public cloud. In Proceedings of the ACM Turing Celebration Conference-China. 1--6.
[75]
Zirak Zaheer, Hyunseok Chang, Sarit Mukherjee, and Jacobus Van der Merwe. 2019. Eztrust: Network-independent Zero-trust Perimeterization for Microservices. In Proceedings of the Symposium on SDN Research. 49--61.
Index Terms
- HELIOS: Hardware-assisted High-performance Security Extension for Cloud Networking
Recommendations
CNTC: A Container Aware Network Traffic Control Framework
Green, Pervasive, and Cloud ComputingAbstractAs a lightweight virtualization technology, containers are attracting much attention and widely deployed in the cloud data centers. To provide consistent and reliable performance, cloud providers should ensure resource isolation since each host ...
Janus: An Experimental Reconfigurable SmartNIC with P4 Programmability and SDN Isolation
FPGA '23: Proceedings of the 2023 ACM/SIGDA International Symposium on Field Programmable Gate ArraysDisparate deployment models of cloud computing pose varying requirements on cloud infrastructure components such as networking, storage, provisioning, and security. Infrastructure providers need to study these and often create custom infrastructure ...
SuperNIC: An FPGA-Based, Cloud-Oriented SmartNIC
FPGA '24: Proceedings of the 2024 ACM/SIGDA International Symposium on Field Programmable Gate ArraysWith CPU scaling slowing down in today's data centers, more functionalities are being offloaded from the CPU to auxiliary devices. One such device is the SmartNIC, which is being increasingly adopted in data centers. In today's cloud environment, VMs on ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
October 2023
624 pages
ISBN:9798400703874
DOI:10.1145/3620678
Copyright © 2023 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 31 October 2023
Check for updates
Author Tags
Qualifiers
- Research-article
- Research
- Refereed limited
Funding Sources
- ICT Challenge and Advanced Network of HRD support program, Ministry of Science and ICT, Korea
- Information Technology Research Center support program, Ministry of Science and ICT, Korea
Conference
Acceptance Rates
Overall Acceptance Rate 169 of 722 submissions, 23%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 206Total Downloads
- Downloads (Last 12 months)206
- Downloads (Last 6 weeks)15
Reflects downloads up to 28 Sep 2024
Other Metrics
Citations
Cited By
View allView Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in