
    Security challenges of microservices

    Abstract. Security issues regarding microservices are well researched; however, the various security issues and solutions have not yet been brought together. This study searched academic databases to find out what security issues and proposed solutions or mitigation methods can be found in the existing literature. It found several security issues and methods. Most security issues are raised regarding microservices that are externally facing or deployed in open environments. The majority of sources address security monitoring and authentication and authorization issues; fewer studies address implementation and bug-related issues, such as container implementation and bugs, and some address networking-related issues. This study also found some disconnect in the literature between the security issues raised and their solutions and mitigation methods. The study offers a more detailed account of existing microservice security issues and solutions.

    Lic-Sec: an enhanced AppArmor Docker security profile generator

    Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allow protection of the container without manual configuration. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 42 exploits effective on Docker containers, selected from the latest 400 exploits on Exploit-db. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection against all privilege escalation attacks for which Docker-sec failed to give protection.

    Monintainer : a monitoring approach for container-based services

    Master's Thesis, Informatics, 2023, Universidade de Lisboa, Faculdade de Ciências
    Containerization has recently gained popularity due to its low overhead in terms of resources, which results in higher efficiency and performance compared to virtual machines. The rise of this technology can be attributed to the advancement of cloud computing and the adoption of microservices architecture. Both can be leveraged through containerization to offer a more efficient and fine-grained system design through the benefits of properties such as isolation, portability, and performance. However, container-based systems have created new challenges in the monitoring scope due to their distributed approaches, automated flexibility, ephemerality, and the increasing number of components in the systems. As a result of these growing challenges, there is a practical need for effective monitoring and performance management tools for containerized systems. This work reviews the containerization ecosystem and several widely used tools to monitor and collect data from this kind of system, discussing their potentialities and limitations, and presents Monintainer [75], an extensible and scalable solution designed to monitor entire container-based systems, from applications to their underlying infrastructure, addressing configuration and scalability limitations identified in similar tools. Monintainer allows a better understanding of systems' behavior at runtime, and can be used by multiple interested parties, such as design and accountability teams and system orchestrators, to aid in the design, implementation, and optimization of container-based systems through the correlation, visualization, and evaluation of the collected data.

    Proactive Security Policy Enforcement for Containers

    By providing lightweight and portable support for cloud native applications, container environments have recently gained significant momentum. A container orchestrator, such as Kubernetes, can enable the automatic deployment and maintenance of a large number of containerized applications. However, due to its critical role, a container orchestrator also attracts a wide range of security threats exploiting misconfigurations or implementation flaws. Moreover, enforcing security policies at runtime against such security threats becomes far more challenging, as the large scale of container environments implies high complexity, while the high dynamicity demands a short response time. In this thesis, we tackle this key security challenge to container environments through a novel proactive approach. Our proposed approach leverages learning-based prediction to conduct the computationally intensive steps (e.g., security verification) in advance, while keeping the runtime steps (e.g., policy enforcement) lightweight. Consequently, this approach can ensure a practical response time (e.g., less than 10 ms in contrast to 600 ms with one of the most popular existing approaches) for large container environments (e.g., up to 800 Pods). We demonstrate its deployability by integrating our solution with Kubernetes, one of the most popular container orchestrators.