Litcius/Paper detail

ProSPEC: Proactive Security Policy Enforcement for Containers

Hugo Kermabon-Bobinnec, Mahmood GholipourChoubeh, Sima Bagheri, Suryadipta Majumdar, Yosr Jarraya, Makan Pourzandi, Lingyu Wang

202219 citationsDOI

Abstract

By providing lightweight and portable support for cloud native applications, container environments have gained significant momentum lately. A container orchestrator such as Kubernetes can enable the automatic deployment and maintenance of a large number of containerized applications. However, due to its critical role, a container orchestrator also attracts a wide range of security threats exploiting misconfigurations or implementation flaws. Moreover, enforcing security policies at runtime against such security threats becomes far more challenging, as the large scale of container environments implies high complexity, while the high dynamicity demands a short response time. In this paper, we tackle this key security challenge to container environments through a proactive approach, namely, ProSPEC. Our approach leverages learning-based prediction to conduct the computationally intensive steps (e.g., security verification) in advance, while keeping the runtime steps (e.g., policy enforcement) lightweight. Consequently, ProSPEC can ensure a practical response time (e.g., less than 10 ms in contrast to 600 ms with one of the most popular existing approaches) for large container environments (up to 800 Pods).

Topics & Concepts

Container (type theory)Computer scienceSoftware deploymentComputer securityCloud computingEnforcementKey (lock)Security policyOperating systemEngineeringPolitical scienceMechanical engineeringLawSecurity and Verification in ComputingSoftware System Performance and ReliabilityCloud Data Security Solutions