Security challenges of microservices
Abstract. Security issues regarding microservices are well researched; however, the different security issues and solutions have not yet been brought together. This study searched academic databases to find out which security issues and which proposed solutions or mitigation methods appear in the existing literature. It found several security issues and methods. Most of the security issues raised concern microservices that are externally facing or that operate in an open environment. The majority of sources addressed security monitoring and authentication and authorization issues; fewer studies covered implementation and bug-related issues, such as container implementation and container bugs, and some addressed networking-related issues. This study also found a degree of disconnect in the literature between the security issues identified and the solutions and mitigation methods proposed for them. The study offers a more detailed account of existing microservice security issues and solutions.
Lic-Sec: an enhanced AppArmor Docker security profile generator
Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control, and they protect the container without manual configuration. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database of 42 exploits effective on Docker containers, selected from the latest 400 exploits on Exploit-DB. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that, for demanding images, Lic-Sec protects against all privilege escalation attacks for which Docker-sec failed to give protection.
Monintainer : a monitoring approach for container-based services
Master's thesis, Informatics, 2023, Universidade de Lisboa, Faculdade de Ciências

Containerization has recently gained popularity due to its low overhead in terms of resources, which results in higher efficiency and performance compared to virtual machines. The rise of this technology can be attributed to the advancement of cloud computing and the adoption of microservices architecture. Both can be leveraged through containerization to offer a more efficient and fine-grained system design through the benefits of properties such as isolation, portability, and performance. However, container-based systems have created new monitoring challenges due to their distributed approaches, automated flexibility, ephemerality, and the increasing number of components in the systems. As a result of these growing challenges, there is a practical need for effective monitoring and performance management tools for containerized systems. This work reviews the containerization ecosystem and several widely used tools to monitor and collect data from this kind of system, discussing their potentialities and limitations, and presents Monintainer [75], an extensible and scalable solution designed to monitor entire container-based systems, from applications to their underlying infrastructure, addressing configuration and scalability limitations identified in similar tools. Monintainer allows a better understanding of systems' behavior at runtime, and can be used by multiple interested parties, such as design and accountability teams and system orchestrators, to aid in the design, implementation, and optimization of container-based systems through the correlation, visualization, and evaluation of the collected data.
Proactive Security Policy Enforcement for Containers
By providing lightweight and portable support for cloud native applications, container environments have recently gained significant momentum. A container orchestrator, such as Kubernetes, can enable the automatic deployment and maintenance of a large number of containerized applications. However, due to its critical role, a container orchestrator also attracts a wide range of security threats exploiting misconfigurations or implementation flaws. Moreover, enforcing security policies at runtime against such security threats becomes far more challenging, as the large scale of container environments implies high complexity, while their high dynamicity demands a short response time. In this thesis, we tackle this key security challenge to container environments through a novel proactive approach. Our proposed approach leverages learning-based prediction to conduct the computationally intensive steps (e.g., security verification) in advance, while keeping the runtime steps (e.g., policy enforcement) lightweight. Consequently, this approach can ensure a practical response time (e.g., less than 10 ms, in contrast to 600 ms with one of the most popular existing approaches) for large container environments (e.g., up to 800 Pods). We demonstrate its deployability by integrating our solution with Kubernetes, one of the most popular container orchestrators.