Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine

Hui Zhu; Christian Gehrmann

doi:10.1109/COMSNETS53615.2022.9668504

Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine

Forskningsoutput: Kapitel i bok/rapport/Conference proceeding › Konferenspaper i proceeding › Peer review

Sammanfattning

Kubernetes (K8s) is one of the best options available to deploy applications in large-scale infrastructures. Security has been a big concern for all practitioners in the K8s eco-system. Almost all cloud vendors have their security solution for K8s cluster, pods, workloads, etc. In recent years, a large number of open-source tools and projects related to K8s security have emerged to meet the increased demand for enhanced security in these systems. Following this general need and trend, we propose a new design for automatic K8s cluster AppArmor profile generation. Our design is based on a most recent work of automatic AppArmor policy generator for Docker containers called Lic-Sec. The system collects the behavioral data of application containers in all worker nodes distributively, then centrally transforms the data to AppArmor policies for each application container, and enforces the policies without interrupting the service. We present a prototype of the system using Google K8s environment and with an AppArmor profile for a WordPress personal blog. We show that the security policies generated by the system can defend one typical kind of attack which targets all WordPress's XML-RPC interface.

Originalspråk	engelska
Titel på värdpublikation	2022 14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022
Förlag	IEEE - Institute of Electrical and Electronics Engineers Inc.
Sidor	129-137
Antal sidor	9
ISBN (elektroniskt)	9781665421041
DOI	https://doi.org/10.1109/COMSNETS53615.2022.9668504
Status	Published - 2022
Evenemang	14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022 - Bangalore, Indien Varaktighet: 2022 jan. 4 → 2022 jan. 8

Publikationsserier

Namn	International Conference on Communication Systems and Networks
ISSN (tryckt)	2155-2487
ISSN (elektroniskt)	2155-2509

Konferens

Konferens	14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022
Land/Territorium	Indien
Ort	Bangalore
Period	2022/01/04 → 2022/01/08

Ämnesklassifikation (UKÄ)

Datavetenskap (datalogi)

Tillgång till dokument

10.1109/COMSNETS53615.2022.9668504

Sec4Factory: Cybersäkerhet för nästa generations fabrik (SEC4FACTORY)
Gehrmann, C., Kihl, M., Hell, M., Fitzgerald, E., Toorani, M., Fitzgerald, E., Tärneberg, W. & Akbarian, F.
Stiftelsen för Strategisk Forskning, SSF
2018/04/01 → 2024/12/31
Projekt: Forskning

Citera det här

Zhu, H., & Gehrmann, C. (2022). Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine. I 2022 14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022 (s. 129-137). [21458101] (International Conference on Communication Systems and Networks). IEEE - Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/COMSNETS53615.2022.9668504

@inproceedings{911454bfe9fb4ed99bc8bf5b18344a85,

title = "Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine",

abstract = "Kubernetes (K8s) is one of the best options available to deploy applications in large-scale infrastructures. Security has been a big concern for all practitioners in the K8s eco-system. Almost all cloud vendors have their security solution for K8s cluster, pods, workloads, etc. In recent years, a large number of open-source tools and projects related to K8s security have emerged to meet the increased demand for enhanced security in these systems. Following this general need and trend, we propose a new design for automatic K8s cluster AppArmor profile generation. Our design is based on a most recent work of automatic AppArmor policy generator for Docker containers called Lic-Sec. The system collects the behavioral data of application containers in all worker nodes distributively, then centrally transforms the data to AppArmor policies for each application container, and enforces the policies without interrupting the service. We present a prototype of the system using Google K8s environment and with an AppArmor profile for a WordPress personal blog. We show that the security policies generated by the system can defend one typical kind of attack which targets all WordPress's XML-RPC interface. ",

keywords = "AppArmor, cloud, Kubernetes, security",

author = "Hui Zhu and Christian Gehrmann",

year = "2022",

doi = "10.1109/COMSNETS53615.2022.9668504",

language = "English",

series = "International Conference on Communication Systems and Networks",

publisher = "IEEE - Institute of Electrical and Electronics Engineers Inc.",

pages = "129--137",

booktitle = "2022 14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022",

address = "United States",

note = "14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022 ; Conference date: 04-01-2022 Through 08-01-2022",

}

Zhu, H & Gehrmann, C 2022, Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine. i 2022 14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022., 21458101, International Conference on Communication Systems and Networks, IEEE - Institute of Electrical and Electronics Engineers Inc., s. 129-137, 14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022, Bangalore, Indien, 2022/01/04. https://doi.org/10.1109/COMSNETS53615.2022.9668504

Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine. / Zhu, Hui; Gehrmann, Christian.

2022 14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022. IEEE - Institute of Electrical and Electronics Engineers Inc., 2022. s. 129-137 21458101 (International Conference on Communication Systems and Networks).

Forskningsoutput: Kapitel i bok/rapport/Conference proceeding › Konferenspaper i proceeding › Peer review

TY - GEN

T1 - Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine

AU - Zhu, Hui

AU - Gehrmann, Christian

PY - 2022

Y1 - 2022

N2 - Kubernetes (K8s) is one of the best options available to deploy applications in large-scale infrastructures. Security has been a big concern for all practitioners in the K8s eco-system. Almost all cloud vendors have their security solution for K8s cluster, pods, workloads, etc. In recent years, a large number of open-source tools and projects related to K8s security have emerged to meet the increased demand for enhanced security in these systems. Following this general need and trend, we propose a new design for automatic K8s cluster AppArmor profile generation. Our design is based on a most recent work of automatic AppArmor policy generator for Docker containers called Lic-Sec. The system collects the behavioral data of application containers in all worker nodes distributively, then centrally transforms the data to AppArmor policies for each application container, and enforces the policies without interrupting the service. We present a prototype of the system using Google K8s environment and with an AppArmor profile for a WordPress personal blog. We show that the security policies generated by the system can defend one typical kind of attack which targets all WordPress's XML-RPC interface.

AB - Kubernetes (K8s) is one of the best options available to deploy applications in large-scale infrastructures. Security has been a big concern for all practitioners in the K8s eco-system. Almost all cloud vendors have their security solution for K8s cluster, pods, workloads, etc. In recent years, a large number of open-source tools and projects related to K8s security have emerged to meet the increased demand for enhanced security in these systems. Following this general need and trend, we propose a new design for automatic K8s cluster AppArmor profile generation. Our design is based on a most recent work of automatic AppArmor policy generator for Docker containers called Lic-Sec. The system collects the behavioral data of application containers in all worker nodes distributively, then centrally transforms the data to AppArmor policies for each application container, and enforces the policies without interrupting the service. We present a prototype of the system using Google K8s environment and with an AppArmor profile for a WordPress personal blog. We show that the security policies generated by the system can defend one typical kind of attack which targets all WordPress's XML-RPC interface.

KW - AppArmor

KW - cloud

KW - Kubernetes

KW - security

U2 - 10.1109/COMSNETS53615.2022.9668504

DO - 10.1109/COMSNETS53615.2022.9668504

M3 - Paper in conference proceeding

AN - SCOPUS:85125188840

T3 - International Conference on Communication Systems and Networks

SP - 129

EP - 137

BT - 2022 14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022

PB - IEEE - Institute of Electrical and Electronics Engineers Inc.

T2 - 14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022

Y2 - 4 January 2022 through 8 January 2022

ER -

Zhu H, Gehrmann C. Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine. I 2022 14th International Conference on COMmunication Systems and NETworkS, COMSNETS 2022. IEEE - Institute of Electrical and Electronics Engineers Inc. 2022. s. 129-137. 21458101. (International Conference on Communication Systems and Networks). doi: 10.1109/COMSNETS53615.2022.9668504

Kub-Sec, an automatic Kubernetes cluster AppArmor profile generation engine

Sammanfattning

Publikationsserier

Konferens

Ämnesklassifikation (UKÄ)

Tillgång till dokument

Fingeravtryck

Projekt

Sec4Factory: Cybersäkerhet för nästa generations fabrik (SEC4FACTORY)

Citera det här