An Identity Provisioning Mechanism for Microservices Based on the Integrity of the Execution Environment

  • Marcela Tassyany UFCG
  • Ramon Sarmento UFCG
  • Eduardo Falcão UFRN
  • Reinaldo Gomes UFCG
  • Andrey Brito UFCG

Abstract


This work proposes a new mechanism for microservice identity provisioning based on integrity evidence. The proposed solution relies on verifying the integrity of containers, building a chain of trust rooted in a TPM chip. We implemented the mechanism as an attestation plugin, following a standard framework for issuing identities. Evaluations were carried out to analyze the overhead imposed on the system. The results show the efficient performance of the solution, with an average identity provisioning time of 252 ms when 150 microservices are attested in parallel on the same node.

Published: 2021-08-16
TASSYANY, Marcela; SARMENTO, Ramon; FALCÃO, Eduardo; GOMES, Reinaldo; BRITO, Andrey. Um Mecanismo de aprovisionamento de Identidades para Microsserviços Baseado na Integridade do Ambiente de Execução. In: BRAZILIAN SYMPOSIUM ON COMPUTER NETWORKS AND DISTRIBUTED SYSTEMS (SBRC), 39., 2021, Uberlândia. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2021. p. 714-727. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2021.16758.
