Expressive Policies For Microservice Networks
Pages 280 - 286
Abstract
Microservice-based application deployments need to administer safety properties while serving requests. However, today such properties can be specified only in limited ways that can lead to overly permissive policies and the potential for illegitimate flow of information across microservices, or ad hoc policy implementations.
We argue that a range of use cases require safety properties for the flow of requests across the whole microservice network, rather than only between adjacent hops. To begin specifying such expressive policies, we propose a system for declaring and deploying service tree policies. These policies are compiled down into declarative filters that are inserted into microservice deployment manifests. We use a light-weight dynamic monitor based enforcement mechanism, using ideas from automata theory. Experiments with our preliminary prototype show that we can capture a wide class of policies that we describe as case studies.
References
[1]
Kalev Alpernas, Cormac Flanagan, Sadjad Fouladi, Leonid Ryzhyk, Mooly Sagiv, Thomas Schmitz, and Keith Winstein. 2018. Secure Serverless Computing Using Dynamic Information Flow Control. Proceedings of the ACM on Programming Languages 2, OOPSLA, Article 118, 26 pages. https://doi.org/10.1145/3276488
[2]
Sachin Ashok, P. Brighten Godfrey, and Radhika Mittal. 2021. Leveraging Service Meshes as a New Network Layer. In Proceedings of the Twentieth ACM Workshop on Hot Topics in Networks (HotNets'21). Association for Computing Machinery, New York, NY, USA, 229--236. https://doi.org/10.1145/3484266.3487379
[3]
Ryan Beckett, Xuan Kelvin Zou, Shuyuan Zhang, Sharad Malik, Jennifer Rexford, and David Walker. 2014. An Assertion Language for Debugging SDN Applications. In Proceedings of the Third Workshop on Hot Topics in Software Defined Networking (HotSDN '14). Association for Computing Machinery, New York, NY, USA, 91--96. https://doi.org/10.1145/2620728.2620743
[4]
Cilium. 2023. Cilium. https://cilium.io/. (June 2023). Accessed: 2023-06-30.
[5]
Envoy. 2023. Envoy Proxy. https://docs.cilium.io/en/stable/security/network/proxy/envoy/. (June 2023). Accessed: 2023-06-30.
[6]
Istio. 2023. Service Mesh. https://istio.io/. (June 2023). Accessed: 2023-06-30.
[7]
Jaeger. 2023. Jaeger Tracing. https://www.jaegertracing.io/. (June 2023). Accessed: 2023-06-30.
[8]
Kubernetes. 2023. Service Traffic Policy. https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/. (June 2023). Accessed: 2023-06-30.
[9]
Jed Liu, Owen Arden, Michael D. George, Andrew C. Myers, Toby Murray, Andrei Sabelfeld, and Lujo Bauer. 2017. Fabric: Building Open Distributed Systems Securely by Construction. Journal of Computer Security 25, 4--5 (Jan 2017), 367--426. https://doi.org/10.3233/JCS-15805
[10]
Mark Reitblatt, Marco Canini, Arjun Guha, and Nate Foster. 2013. FatTire: Declarative Fault Tolerance for Software-Defined Networks. In Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN '13). Association for Computing Machinery, New York, NY, USA, 109--114. https://doi.org/10.1145/2491185.2491187
[11]
Michael Sipser. 1997. Introduction to the theory of computation. PWS Publishing Company.
[12]
Robert Soulé, Shrutarshi Basu, Parisa Jalili Marandi, Fernando Pedone, Robert Kleinberg, Emin Gun Sirer, and Nate Foster. 2014. Merlin: A Language for Provisioning Network Resources. In Proceedings of the 10th ACM International on Conference on Emerging Networking Experiments and Technologies (CoNEXT '14). Association for Computing Machinery, New York, NY, USA, 213--226. https://doi.org/10.1145/2674005.2674989
[13]
Tigera. 2023. Project Calico. https://www.tigera.io/project-calico/. (Oct. 2023). Accessed: 2023-10-22.
[14]
Yifei Yuan, Dong Lin, Ankit Mishra, Sajal Marwaha, Rajeev Alur, and Boon Thau Loo. 2017. Quantitative Network Monitoring with NetQRE. In Proceedings of the Conference of the ACM Special Interest Group on Data Communication (SIGCOMM '17). Association for Computing Machinery, New York, NY, USA, 99--112. https://doi.org/10.1145/3098822.3098830
[15]
Zipkin. 2023. Zipkin. https://zipkin.io/. (June 2023). Accessed: 2023-06-30.
Index Terms
- Expressive Policies For Microservice Networks
Recommendations
Run-Time Enforcement of Nonsafety Policies
A common mechanism for ensuring that software behaves securely is to monitor programs at run time and check that they dynamically adhere to constraints specified by a security policy. Whenever a program monitor detects that untrusted software is ...
Enforceable security policies
A precise characterization is given for the class of security policies enforceable with mechanisms that work by monitoring system execution, and automata are introduced for specifying exactly that class of security policies. Techniques to enforce ...
Composing security policies with polymer
PLDI '05: Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementationWe introduce a language and system that supports definition and composition of complex run-time security policies for Java applications. Our policies are comprised of two sorts of methods. The first is query methods that are called whenever an untrusted ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
November 2023
306 pages
ISBN:9798400704154
DOI:10.1145/3626111
Copyright © 2023 Owner/Author.
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 28 November 2023
Check for updates
Author Tags
Qualifiers
- Research-article
- Research
- Refereed limited
Funding Sources
Conference
HotNets '23
Sponsor:
HotNets '23: The 22nd ACM Workshop on Hot Topics in Networks
November 28 - 29, 2023
MA, Cambridge, USA
Acceptance Rates
Overall Acceptance Rate 110 of 460 submissions, 24%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 72Total Downloads
- Downloads (Last 12 months)72
- Downloads (Last 6 weeks)4
Reflects downloads up to 20 Nov 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in