Top

Published in:

2018 | OriginalPaper | Chapter

Integrity Protection Against Insiders in Microservice-Based Infrastructures: From Threats to a Security Framework

Authors : Mohsen Ahmadvand, Alexander Pretschner, Keith Ball, Daniel Eyring

Published in: Software Technologies: Applications and Foundations

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Building microservices involves continuous modifications at design, deployment, and run times. The DevOps notion together with the “you built it, you run it” paradigm often result in a much larger number of developers with direct access to the production pipeline than in the case of monolithic systems. Reproducible builds and continuous delivery entail practices that further worsen this situation as they grant insiders with indirect accesses (scripted processes) to production machines. Moreover, managing microservices is heavily aided by governance tools (such as Kubernetes) that are configured and controlled by insiders. In this setting, accounting for malicious insiders quickly becomes a major concern. In this paper, we identify representative integrity threats to microservice-based systems in the broader context of a development process by analyzing real-world microservice-based systems. We show that even end-to-end encryption may fall short without adequate integrity protections. From the identified threats, we then derive a set of security requirements for holistic protection. Finally, we propose a framework that serves as a blueprint for insider-resistant integrity protection in microservices.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Ambient Intelligence Users in the Loop: Towards a Model-Driven Approach

next chapter The Aspect of Resilience in Microservices-Based Software Design

Ahmadvand, M., Ibrahim, A.: Requirements reconciliation for scalable and secure microservice (de)composition. In: 2016 IEEE 3rd Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE). IEEE (2016)

Ahmadvand, M., Pretschner, A., Kelbert, F.: A taxonomy of software integrity protection techniques. In: Advances in Computers. Elsevier (2018)

Ahmadvand, M., Scemama, A., Ochoa, M., Pretschner, A.: Enhancing operation security using secret sharing. In: Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016), pp. 446–451. INSTICC/SciTePress (2016)

Arnautov, S., et al.: SCONE: secure linux containers with intel SGX. In: 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI), vol. 16, pp. 689–703. USENIX Association, Savannah, GA (2016)

Banescu, S., Pretschner, A., Battré, D., Cazzulani, S., Shield, R., Thompson, G.: Software-based protection against changeware. In Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, pp. 231–242. ACM (2015)

Baumann, A., Peinado, M., Hunt, G.: Shielding applications from an untrusted cloud with Haven. ACM Trans. Comput. Syst. (TOCS) 33(3), 8 (2015)CrossRef

Brenner, S., Hundt, T., Mazzeo, G., Kapitza, R.: Secure cloud micro services using Intel SGX. In: Chen, L.Y., Reiser, H.P. (eds.) DAIS 2017. LNCS, vol. 10320, pp. 177–191. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59665-5_13CrossRef

Callegati, F., Giallorenzo, S., Melis, A., Prandini, M.: Cloud-of-things meets mobility-as-a-service: an insider threat perspective. Comput. Secur. 74, 277–295 (2018)CrossRef

Collberg, C.S., Thomborson, C.: Watermarking, tamper-proofing, and obfuscation-tools for software protection. IEEE Trans. Softw. Eng. 28(8), 735–746 (2002)CrossRef

10.

Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptology ePrint Archive 2016:86 (2016)

11.

Dewan, P., Durham, D., Khosravi, H., Long, M., Nagabhushan, G.: A hypervisor-based system for protecting software runtime memory and persistent storage, pp. 828–835. Society for Computer Simulation International (2008)

12.

Dragoni, N., et al.: Microservices: yesterday, today, and tomorrow. Present and Ulterior Software Engineering, pp. 195–216. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-67425-4_12CrossRef

13.

Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: a virtual machine-based platform for trusted computing. In: ACM SIGOPS Operating Systems Review, vol. 37, pp. 193–206. ACM (2003)CrossRef

14.

Jakobsson, M., Johansson, K.-A.: Practical and secure software-based attestation. In: 2011 Workshop on Lightweight Security & Privacy: Devices, Protocols and Applications (LightSec), pp. 1–9. IEEE (2011)

15.

Jin, H., Lotspiech, J.: Forensic analysis for tamper resistant software. In: 14th International Symposium on Software Reliability Engineering, ISSRE 2003, pages 133–142. IEEE (2003)

16.

Kalske, M., Mäkitalo, N., Mikkonen, T.: Challenges when moving from monolith to microservice architecture. In: Garrigós, I., Wimmer, M. (eds.) ICWE 2017. LNCS, vol. 10544, pp. 32–47. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-74433-9_3CrossRef

17.

Kandias, M., Virvilis, N., Gritzalis, D.: The insider threat in cloud computing. In: Bologna, S., Hämmerli, B., Gritzalis, D., Wolthusen, S. (eds.) CRITIS 2011. LNCS, vol. 6983, pp. 93–103. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41476-3_8CrossRef

18.

Liang, X., Shetty, S., Zhang, L., Kamhoua, C., Kwiat, K.: Man in the cloud (MITC) defender: SGX-based user credential protection for synchronization applications in cloud computing platform. In: 2017 IEEE 10th International Conference on Cloud Computing (CLOUD), pp. 302–309, June 2017

19.

Lind, J., et al.: Glamdring: automatic application partitioning for Intel SGX. In: 2017 USENIX Annual Technical Conference (USENIX ATC 17), Santa Clara, CA, pp. 285–298. USENIX Association (2017)

20.

Martignoni, L., Paleari, R., Bruschi, D.: Conqueror: tamper-proof code execution on legacy systems. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 21–40. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14215-4_2CrossRef

21.

Neisse, R., Holling, D., Alexander, P.: Implementing trust in cloud infrastructures. In: Proceedings of the 2011 11th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, pp. 524–533. IEEE Computer Society (2011)

22.

Salem, M.B., Hershkop, S., Stolfo, S.J.: A survey of insider attack detection research. In: Stolfo, S.J., Bellovin, S.M., Keromytis, A.D., Hershkop, S., Smith, S.W., Sinclair, S. (eds.) Insider Attack and Cyber Security, vol. 39, pp. 69–90. Springer, US, Boston (2008). https://doi.org/10.1007/978-0-387-77322-3_5CrossRef

23.

Santos, N., Gummadi, K.P., Rodrigues, R.: Towards trusted cloud computing. In: Proceedings of the 2009 Conference on Hot Topics in Cloud Computing, Hot-Cloud 2009, Berkeley, CA, USA. USENIX Association (2009)

24.

Schneier, B., Kelsey, J.: Secure audit logs to support computer forensics. ACM Trans. Inf. Syst. Secur. 2(2), 159–176 (1999)CrossRef

25.

Seshadri, A., Luk, M., Shi, E., Perrig, A., van Doorn, L., Khosla, P.: Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems. ACM SIGOPS Oper. Syst. Rev. 39, 1–16 (2005)CrossRef

26.

De Sutter, B., et al.: A reference architecture for software protection, pp. 291–294, April 2016

27.

Zawoad, S., Dutta, A.K., Hasan, R.: SecLaaS: secure logging-as-a-service for cloud forensics. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013, pp. 219–230. ACM, New York (2013)

Title: Integrity Protection Against Insiders in Microservice-Based Infrastructures: From Threats to a Security Framework
Authors: Mohsen Ahmadvand
Alexander Pretschner
Keith Ball
Daniel Eyring
Publisher: Springer International Publishing
Book: Software Technologies: Applications and Foundations
Print ISBN: 978-3-030-04770-2

Electronic ISBN: 978-3-030-04771-9

Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-030-04771-9_43

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner