Análise de segurança dos orquestradores Kubernetes, Docker Swarm e Apache Mesos baseada no CVE / MITRE
Resumo
O uso de contêineres está crescendo expressivamente nosúltimos anos. Aplicações conteinerizadas consistem em uma quantidade expressiva de contêineres que necessita ser gerenciada. Neste contexto, a orquestração de contêineres é essencial para que aplicações possam ter seus contêineres administrados eficientemente. Entretanto, os orquestradores trazem novos elementos que podem introduzir novas vulnerabilidades. Assim, uma análise de aspectos de segurança dos orquestradores é essencial. Este artigo faz uma análise de segurança nos três principais orquestradores: Docker Swarm, Kubernetes e Apache Mesos. A análise é baseada em dados dos repositório das CVEs que são correlacionadas com as principais ameaças relacionadas pelo MITRE. Como resultado é apresentada uma matriz que correlaciona as CVEs com as ameaças MITRE, indicando os principais impactos que devem ser considerados na mitigação dos riscos.
Palavras-chave:
Kubernetes, Vunerabilidades, CVE, Segurança
Referências
Belagatti, P. (2019). ”Docker Swarm or Kubernetes?”: Is It the Right Question to Ask? https://dzone.com/articles/quotdocker-swarm-or-kubernetesquot-is-it-the-right.
Docker (2021a). Deploy to swarm. https://docs.docker.com/get-started/swarm-deploy/.
Docker (2021b). Engine api v1.24. https://docs.docker.com/engine/api/v1.24/.
Docker (2021c). Swarm mode key concepts. https://docs.docker.com/engine/swarm/key-concepts/.
Google Zero Project (2021). News and updates from the project zero team at google. https://googleprojectzero.blogspot.com/.
Hindman, B., Konwinski, A., Zaharia, M., Ghodsi, A., Joseph, A. D., Katz, R., Shenker, S., and Stoica, I. (2011). Mesos: A platform for ne-grained resource sharing in the data center. In 8th USENIX Symposium on Networked Systems Design and Implementation (NSDI 11), Boston, MA. USENIX Association.
Humayun, M., Niazi, M., Jhanjhi, N., Alshayeb, M., and Mahmood, S. (2020). Cyber security threats and vulnerabilities: A systematic mapping study. Arabian Journal for Science and Engineering, 45(4):3171–3189.
ISO (2009). Information technology – Security techniques – Information security management systems – Overview and vocabulary. Standard, International Organization for Standardization, Geneva, CH.
Kadivar, M. (2014). Cyber-attack attributes. Technology Innovation Management Review, 4:22–27.
Kronser, A. (2020). Common vulnerabilities and exposures : Analyzing the development of computer security threats. Master’s thesis, Helsingin yliopisto.
Kubernetes (2021). Kubernetes documentation. https://kubernetes.io/docs.
Malladi, S. S. and Subramanian, H. C. (2020). Bug bounty programs for cybersecurity: Practices, issues, and recommendations. IEEE Software, 37(1):31–39.
Manadhata, P. K. and Wing, J. M. (2011). An attack surface metric. IEEE Transactions on Software Engineering, 37(3):371–386.
Marathe, N., Gandhi, A., and Shah, J. M. (2019). Docker swarm and kubernetes in In 2019 3rd International Conference on Trends in cloud computing environment. Electronics and Informatics (ICOEI), pages 179–184.
McQueen, M., Wright, J. L., and Wellman, L. (2011). Are vulnerability disclosure deadlines justied? In 2011 Third International Workshop on Security Measurements and Metrics, pages 96–101.
Meyerson, J. (2016). Ben hindman on apache mesos. IEEE Software, 33(1):117–120.
MITRE (CVE) (2021). Cve details. https://www.cvedetails.com/.
MITRE (CVE Terminology) (2021). Cve terminology. https://cve.mitre.org/about/terminology.html.
MITRE (CWE) (2021). Common weakness enumeration (cwe). https://cwe.mitre.org/.
MITRE (CWSS) (2021). Common weakness scoring system (cwss). https://cwe.mitre.org/cwss/cwss_v1.0.1.html.
Mytilinakis, P. (2020). Attack methods and defenses on kubernetes. Master’s thesis, Departamento de sistemas digitais.
National Vulnerability Database (2021). The common vulnerability scoring system (cvss). https://nvd.nist.gov/vuln-metrics/cvss.
Ramel, D. (2020). Hackers turn kubernetes machine learning to crypto mining in azure cloud. https://virtualizationreview.com/articles/2020/06/24/azure-cloud-exploit.aspx.
Research, . (2020). The state of container and kubernetes security.
Theisen, C., Munaiah, N., Al-Zyoud, M., Carver, J. C., Meneely, A., and Williams, L. (2018). Attack surface denitions: A systematic literature review. Information and Software Technology, 104:94–103.
Trend Micro (2021). A empresa. https://www.trendmicro.com/.
Weizman, Y. (2021). Secure containerized environments with updated threat matrix for kubernetes.
Woody, C. and Ellison, R. J. (2020). Attack surface analysis reduce system and organizational risk. Technical report, Software Engineering Institute, Carnegie Mellon University.
Docker (2021a). Deploy to swarm. https://docs.docker.com/get-started/swarm-deploy/.
Docker (2021b). Engine api v1.24. https://docs.docker.com/engine/api/v1.24/.
Docker (2021c). Swarm mode key concepts. https://docs.docker.com/engine/swarm/key-concepts/.
Google Zero Project (2021). News and updates from the project zero team at google. https://googleprojectzero.blogspot.com/.
Hindman, B., Konwinski, A., Zaharia, M., Ghodsi, A., Joseph, A. D., Katz, R., Shenker, S., and Stoica, I. (2011). Mesos: A platform for ne-grained resource sharing in the data center. In 8th USENIX Symposium on Networked Systems Design and Implementation (NSDI 11), Boston, MA. USENIX Association.
Humayun, M., Niazi, M., Jhanjhi, N., Alshayeb, M., and Mahmood, S. (2020). Cyber security threats and vulnerabilities: A systematic mapping study. Arabian Journal for Science and Engineering, 45(4):3171–3189.
ISO (2009). Information technology – Security techniques – Information security management systems – Overview and vocabulary. Standard, International Organization for Standardization, Geneva, CH.
Kadivar, M. (2014). Cyber-attack attributes. Technology Innovation Management Review, 4:22–27.
Kronser, A. (2020). Common vulnerabilities and exposures : Analyzing the development of computer security threats. Master’s thesis, Helsingin yliopisto.
Kubernetes (2021). Kubernetes documentation. https://kubernetes.io/docs.
Malladi, S. S. and Subramanian, H. C. (2020). Bug bounty programs for cybersecurity: Practices, issues, and recommendations. IEEE Software, 37(1):31–39.
Manadhata, P. K. and Wing, J. M. (2011). An attack surface metric. IEEE Transactions on Software Engineering, 37(3):371–386.
Marathe, N., Gandhi, A., and Shah, J. M. (2019). Docker swarm and kubernetes in In 2019 3rd International Conference on Trends in cloud computing environment. Electronics and Informatics (ICOEI), pages 179–184.
McQueen, M., Wright, J. L., and Wellman, L. (2011). Are vulnerability disclosure deadlines justied? In 2011 Third International Workshop on Security Measurements and Metrics, pages 96–101.
Meyerson, J. (2016). Ben hindman on apache mesos. IEEE Software, 33(1):117–120.
MITRE (CVE) (2021). Cve details. https://www.cvedetails.com/.
MITRE (CVE Terminology) (2021). Cve terminology. https://cve.mitre.org/about/terminology.html.
MITRE (CWE) (2021). Common weakness enumeration (cwe). https://cwe.mitre.org/.
MITRE (CWSS) (2021). Common weakness scoring system (cwss). https://cwe.mitre.org/cwss/cwss_v1.0.1.html.
Mytilinakis, P. (2020). Attack methods and defenses on kubernetes. Master’s thesis, Departamento de sistemas digitais.
National Vulnerability Database (2021). The common vulnerability scoring system (cvss). https://nvd.nist.gov/vuln-metrics/cvss.
Ramel, D. (2020). Hackers turn kubernetes machine learning to crypto mining in azure cloud. https://virtualizationreview.com/articles/2020/06/24/azure-cloud-exploit.aspx.
Research, . (2020). The state of container and kubernetes security.
Theisen, C., Munaiah, N., Al-Zyoud, M., Carver, J. C., Meneely, A., and Williams, L. (2018). Attack surface denitions: A systematic literature review. Information and Software Technology, 104:94–103.
Trend Micro (2021). A empresa. https://www.trendmicro.com/.
Weizman, Y. (2021). Secure containerized environments with updated threat matrix for kubernetes.
Woody, C. and Ellison, R. J. (2020). Attack surface analysis reduce system and organizational risk. Technical report, Software Engineering Institute, Carnegie Mellon University.
Publicado
04/10/2021
Como Citar
JENSEN, Nikolas; MIERS, Charles Christian.
Análise de segurança dos orquestradores Kubernetes, Docker Swarm e Apache Mesos baseada no CVE / MITRE. In: WORKSHOP DE TRABALHOS DE INICIAÇÃO CIENTÍFICA E DE GRADUAÇÃO - SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 21. , 2021, Evento Online.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2021
.
p. 151-163.
DOI: https://doi.org/10.5753/sbseg_estendido.2021.17349.
