IT-SPIRE: Improving the Resilience of the SPIFFE/SPIRE Architecture with an Intrusion-Tolerant Server
Abstract
SPIRE is the reference implementation of SPIFFE, a framework for managing software identities in dynamic and heterogeneous environments. The SPIRE architecture contains some critical components that are fully trusted and can severely affect the security of a system if their availability or integrity is compromised. To improve the resilience of the SPIRE architecture, in this paper, we introduce IT-SPIRE, an intrusion-tolerant SPIRE Server based on Byzantine fault-tolerant state machine replication. Two important characteristics of IT-SPIRE are (i) its use of proxies that encapsulate the BFT machinery, which allows us to minimize changes to the SPIRE code, and (ii) allowing clients to use unmodified identity tokens/certificates (SVIDs). We implemented a prototype of IT-SPIRE to demonstrate its feasibility and gauge its performance impact. We observed that IT-SPIRE has a longer initialization time than SPIRE, with a comparable synchronization time. We conclude that IT-SPIRE has reasonable performance costs that are compatible with its enhanced security.
Keywords:
SPIFFE/SPIRE, Intrusion Tolerance, identity management
Published
26/11/2024
How to Cite
REICHERT, Beatriz M.; OBELHEIRO, Rafael R. IT-SPIRE: Improving the Resilience of the SPIFFE/SPIRE Architecture with an Intrusion-Tolerant Server. In: LATIN-AMERICAN SYMPOSIUM ON DEPENDABLE COMPUTING (LADC), 13., 2024, Recife/PE. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 252–261.
