Um Mecanismo de aprovisionamento de Identidades para Microsserviços Baseado na Integridade do Ambiente de Execução
Resumo
Este trabalho propõe um novo mecanismo para aprovisionamento de identidade para microsserviços baseado em evidências de integridade. A solução proposta se baseia em um mecanismo de verificação de integridade para contêineres, cuja cadeia de confiança é construída a partir de um chip TPM. Implementamos o modelo como um plugin em um framework de atestação, seguindo um padrão para emissão de identidades. Avaliações foram realizadas a fim de analisar a sobrecarga imposta ao sistema. Os resultados evidenciam o desempenho eficiente da solução, com o tempo médio de aprovisionamento de uma identidade em 252 ms, considerando 150 microsserviços sendo atestados paralelamente em um mesmo nó.
Referências
Arnautov, S., Trach, B., Gregor, F., Knauth, T., Martin, A., Priebe, C., Lind, J., Muthukumaran, D., O’Keeffe, D., Stillwell, M. L., Goltzsche, D., Eyers, D., Kapitza, R., Pietzuch, P., and Fetzer, C. (2016). SCONE: Secure linux containers with intel SGX. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 689–703, Savannah, GA. USENIX Association.
Arthur, W. and Challener, D. (2015). A practical guide to TPM 2.0: Using the new trusted platform module in the new age of security. Springer Nature.
Berger (2016). Virtual tpm proxy driver for linux containers. [link]. em 08/04/2021.
da Silva, M. S. L., de Oliveira Silva, F. F., and Brito, A. (2019). Squad: A secure, simple storage service for sgx-based microservices. In 2019 9th Latin-American Symposium on Dependable Computing (LADC), pages 1–9.
De Benedictis, M. and Lioy, A. (2019). Integrity verification of docker containers for a lightweight cloud environment. Future Generation Computer Systems, 97:236–246.
George, V. M. and Mahmoud, Q. H. (2017). Claimsware: A claims-based middleware for securing iot services. In 2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC), volume 1, pages 649–654. IEEE.
Hannousse, A. and Yahiouche, S. (2020). Securing microservices and microservice architectures: A systematic mapping study. arXiv preprint arXiv:2003.07262.
Hosseinzadeh, S., Laurén, S., and Leppänen, V. (2016). Security in container-based virtualization through vtpm. In Proceedings of the 9th International Conference on Utility and Cloud Computing, pages 214–219.
Lin, X., Lei, L., Wang, Y., Jing, J., Sun, K., and Zhou, Q. (2018). A measurement study on linux container security: Attacks and countermeasures. In Proceedings of the 34th Annual Computer Security Applications Conference, pages 418–429.
Luo, W., Shen, Q., Xia, Y., and Wu, Z. (2019). Container-ima: a privacy-preserving integrity measurement architecture for containers. In 22nd International Symposium on Research in Attacks, Intrusions and Defenses ({RAID} 2019), pages 487–500.
Nehme, A., Jesus, V., Mahbub, K., and Abdallah, A. (2019). Securing microservices. IT Professional, 21(1):42–49.
Nkomo, P. and Coetzee, M. (2019). Software development activities for secure microservices. In International Conference on Computational Science and Its Applications, pages 573–585. Springer.
Perez, R., Sailer, R., van Doorn, L., et al. (2006). vtpm: virtualizing the trusted platform module. In Proc. 15th Conf. on USENIX Security Symposium, pages 305–320.
Sabt, M., Achemlal, M., and Bouabdallah, A. (2015). Trusted execution environment: In 2015 IEEE Trustcom/BigDataSE/ISPA, volume 1, what it is, and what it is not. pages 57–64. IEEE.
Salibindla, J. (2018). Microservices api security. International Journal of Engineering Research & Technology, 7(1):277–281.
Sultan, S., Ahmad, I., and Dimitriou, T. (2019). Container security: Issues, challenges, and the road ahead. IEEE Access, 7:52976–52996.
Taibi, D., Lenarduzzi, V., and Pahl, C. (2020). Microservices anti-patterns: A taxonomy. In Microservices, pages 111–128. Springer.
Yarygina, T. and Bagge, A. H. (2018). Overcoming security challenges in microservice architectures. In 2018 IEEE Symposium on Service-Oriented System Engineering (SOSE), pages 11–20. IEEE.
Yarygina, T. and Otterstad, C. (2018). A game of microservices: Automated intrusion response. In IFIP International Conference on Distributed Applications and Interoperable Systems, pages 169–177. Springer.
Arthur, W. and Challener, D. (2015). A practical guide to TPM 2.0: Using the new trusted platform module in the new age of security. Springer Nature.
Berger (2016). Virtual tpm proxy driver for linux containers. [link]. em 08/04/2021.
da Silva, M. S. L., de Oliveira Silva, F. F., and Brito, A. (2019). Squad: A secure, simple storage service for sgx-based microservices. In 2019 9th Latin-American Symposium on Dependable Computing (LADC), pages 1–9.
De Benedictis, M. and Lioy, A. (2019). Integrity verification of docker containers for a lightweight cloud environment. Future Generation Computer Systems, 97:236–246.
George, V. M. and Mahmoud, Q. H. (2017). Claimsware: A claims-based middleware for securing iot services. In 2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC), volume 1, pages 649–654. IEEE.
Hannousse, A. and Yahiouche, S. (2020). Securing microservices and microservice architectures: A systematic mapping study. arXiv preprint arXiv:2003.07262.
Hosseinzadeh, S., Laurén, S., and Leppänen, V. (2016). Security in container-based virtualization through vtpm. In Proceedings of the 9th International Conference on Utility and Cloud Computing, pages 214–219.
Lin, X., Lei, L., Wang, Y., Jing, J., Sun, K., and Zhou, Q. (2018). A measurement study on linux container security: Attacks and countermeasures. In Proceedings of the 34th Annual Computer Security Applications Conference, pages 418–429.
Luo, W., Shen, Q., Xia, Y., and Wu, Z. (2019). Container-ima: a privacy-preserving integrity measurement architecture for containers. In 22nd International Symposium on Research in Attacks, Intrusions and Defenses ({RAID} 2019), pages 487–500.
Nehme, A., Jesus, V., Mahbub, K., and Abdallah, A. (2019). Securing microservices. IT Professional, 21(1):42–49.
Nkomo, P. and Coetzee, M. (2019). Software development activities for secure microservices. In International Conference on Computational Science and Its Applications, pages 573–585. Springer.
Perez, R., Sailer, R., van Doorn, L., et al. (2006). vtpm: virtualizing the trusted platform module. In Proc. 15th Conf. on USENIX Security Symposium, pages 305–320.
Sabt, M., Achemlal, M., and Bouabdallah, A. (2015). Trusted execution environment: In 2015 IEEE Trustcom/BigDataSE/ISPA, volume 1, what it is, and what it is not. pages 57–64. IEEE.
Salibindla, J. (2018). Microservices api security. International Journal of Engineering Research & Technology, 7(1):277–281.
Sultan, S., Ahmad, I., and Dimitriou, T. (2019). Container security: Issues, challenges, and the road ahead. IEEE Access, 7:52976–52996.
Taibi, D., Lenarduzzi, V., and Pahl, C. (2020). Microservices anti-patterns: A taxonomy. In Microservices, pages 111–128. Springer.
Yarygina, T. and Bagge, A. H. (2018). Overcoming security challenges in microservice architectures. In 2018 IEEE Symposium on Service-Oriented System Engineering (SOSE), pages 11–20. IEEE.
Yarygina, T. and Otterstad, C. (2018). A game of microservices: Automated intrusion response. In IFIP International Conference on Distributed Applications and Interoperable Systems, pages 169–177. Springer.
Publicado
16/08/2021
Como Citar
TASSYANY, Marcela; SARMENTO, Ramon; FALCÃO, Eduardo; GOMES, Reinaldo; BRITO, Andrey.
Um Mecanismo de aprovisionamento de Identidades para Microsserviços Baseado na Integridade do Ambiente de Execução. In: SIMPÓSIO BRASILEIRO DE REDES DE COMPUTADORES E SISTEMAS DISTRIBUÍDOS (SBRC), 39. , 2021, Uberlândia.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2021
.
p. 714-727.
ISSN 2177-9384.
DOI: https://doi.org/10.5753/sbrc.2021.16758.
