Paper notes: Integrating Continuous Security Assessments into Microservices and Cloud Native Applications

Integrating Continuous Security Assessments in Microservices and Cloud Native Applications

Venue

  • Conference: 10th IEEE/ACM International Conference on Utility and Cloud Computing

  • About the conference

    • UCC is the premier IEEE/ACM conference covering all areas related to utility computing, cloud and edge computing services, and other forms of advanced distributed computing.
    • This will be the 14th UCC in a successful conference series of community-driven events. Previous events were held in Shanghai, China (Cloud 2009), Melbourne, Australia (Cloud 2010 & UCC 2011), Chennai, India (UCC 2010), Chicago, USA (UCC 2012), Dresden, Germany (UCC 2013), London, UK (UCC 2014), Limassol, Cyprus (UCC 2015), Shanghai, China (UCC 2016), Austin, Texas, USA (UCC 2017), Zurich, Switzerland (UCC 2018), and Auckland, New Zealand (UCC 2019), and the 2020 edition was held online.
  • Year: 2017

  • Location: Austin, Texas, USA

  • Conference ranking
    [ranking screenshots not reproduced here]

  • Authors

    • All three authors are from the same institution
    • Hasso Plattner Institute (Potsdam, Germany)


0. Abstract

Cloud Native Applications (CNA)
Cloud native applications are highly scalable and resilient.
Each microservice can be built with a different technology; this technology diversity increases the vulnerabilities in microservices.
Rapid development cycles can lead to insufficient security testing.
Because microservices are ephemeral, vulnerability discovery becomes a challenge.

The paper addresses these problems through an original security control concept, the Security Gateway. To support this concept it also proposes the dynamic document store and the security health endpoint.

1. Introduction

One way to reduce the attack surface of CNA is to adopt continuous security assessment [12]. Continuous security assessment is used to detect vulnerabilities in applications and networks; detected vulnerabilities are then patched, which essentially reduces the opportunity for attacks. Traditionally, security assessments are configured for statically deployed applications and network hosts. In CNA deployments, however, microservices are dynamically orchestrated, driven by scaling demands and by the failures that the complexity of cloud systems causes [22]. Traditional security assessment techniques are therefore challenged by discoverability problems, i.e. the ability to continuously locate deployed microservices. In addition, traditional security assessment techniques fail to explore REST web services, which are at the core of microservice implementations [26]. Yet the exploration phase is a prerequisite for vulnerability detection in web services and web applications. This exploration difficulty arises because web services are not implemented through well-defined interfaces the way web applications are.

Contributions

In this paper, we introduce a methodology for integrating continuous security assessment in microservices and CNA. Our methodology is realized by an innovative concept, the notion of a Security Gateway.
The security gateway serves as a security control for enforcing security policies.
In order to support the security gateway concept, we propose two additional concepts: dynamic document store and security health endpoints.

  • dynamic document store
    • The dynamic document stores overcome this challenge by generating and retaining OpenAPI (formerly Swagger) documents for every microservice.
  • security health endpoint
    • The security health endpoint effectively affords security observability by easily providing security health information for every deployed microservice instance.

2.2 Related Work

Unlike previous work on CNA, this paper focuses on the deployment security of microservices. Most existing work focuses on security mechanisms such as encryption, authentication and authorization. Although useful, that work leaves vulnerability detection and security assessment unaddressed.

Christian Esposito, Aniello Castiglione, and Kim-Kwang Raymond Choo. 2016. Challenges in Delivering Software in the Cloud as Microservices. IEEE Cloud Computing 3, 5 (2016), 10–14.
In [7] the challenges of deploying microservices to cloud platforms were highlighted, including the security issues; however, the authors offered no practical solutions to the raised issues.
Lists deployment security among the security challenges but proposes no practical solution.

Tran Quang Thanh, Stefan Covaci, Thomas Magedanz, Panagiotis Gouvas, and Anastasios Zafeiropoulos. 2016. Embedding security and privacy into the development and operation of cloud applications and services. In Telecommunications Network Strategy and Planning Symposium (Networks), 2016 17th International. IEEE, 31–36.
Thanh et al. [25] introduced an approach that allows developers and CSPs to integrate security and privacy requirements across application lifecycles. Their focus was on security practices in development pipelines; we are more concerned with security measures for CNA deployed to production environments. However, their proposals could be combined with ours to enable a holistic security approach in CNA, i.e. vulnerability detection coordination through application lifecycles.
Focuses on development rather than deployment.

Dmitry I Savchenko, Gleb I Radchenko, and Ossi Taipale. 2015. Microservices validation: Mjolnirr platform case study. In Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2015 38th International Convention on. IEEE, 235–240.
[20] introduced a methodology for validating microservice cloud applications. There are two shortcomings in this work: first, it is not clear if the proposed framework is evaluated and tested; secondly, the work is limited to development environments and focuses on non-security tests, e.g. unit tests and integration tests.
The proposed framework is not evaluated or tested; the work is limited to development environments and focuses on non-security tests (unit and integration tests).

3. Background and Problem

We use Spring PetClinic as an example to illustrate our points.

Spring PetClinic is an open-source Java application commonly used for research and demonstration purposes.

Several versions have been developed to demonstrate different design patterns or concepts, here we use the microservices version aimed at demonstrating microservices and CNA.

3.1 Overview of Cloud Native Applications

CNA combine two major application design concepts: microservices and cloud application design.

Microservices concepts decompose monolithic applications into smaller

Cloud Application Architectures (CAA) describe the general structure of cloud applications.

Applications developed using CAA and Microservice Architectures (MSA) become cloud native.

3.2 Security challenges in Cloud-Native Applications

This paper mainly addresses the challenges in continuous security assessment and vulnerability management.

Each microservice can be built with a different technology; this technology diversity increases the vulnerabilities in microservices.
Rapid development cycles can lead to insufficient security testing.
Because microservices are ephemeral, vulnerability discovery becomes a challenge.

Novel security assessment techniques specifically adapted and integrated to cloud native environments are therefore required to tackle these security challenges.

New security assessment techniques need to be integrated into cloud native environments.

Limitations of previous research
Previous research is limited to security mechanisms. This paper mainly addresses the challenges in continuous security assessment and vulnerability management.

4 Design and System Model

4.1 Security Assessment Requirements for CNA

  • First, the security assessment solution must be able to discover all registered microservice instances.
  • Second, a wide range of security policies should be supported.
  • Third, the solution must be tamper-resistant, i.e. isolated from possible attacks. Apart from the core services, it should not be discoverable by other microservices.
    • The security VMs are isolated from the application VMs via SDN.
  • Fourth, it must handle different technologies such as different programming languages: automatically identify the development technology and test it accordingly.

The paper is not rigorous here: it says five requirements but actually lists four.

4.2 Security Gateway


Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.

Arachni - Web Application Security Scanner Framework

OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated and authenticated testing, various high-level and low-level internet and industrial protocols, performance tuning for large-scale scans, and a powerful internal programming language for implementing any type of vulnerability test.

Security Enforcement Points (SEP) are commonly used to enforce security policies at run-time.

For example, in [2] Almorsy et al. leveraged SEP to enforce security policies by intercepting and validating requests sent against critical components.

This paper takes a different approach to implementation.

The security gateway, though similar to the microservices gateway pattern, differs operationally.
It also differs from firewalls and routers: the security gateway concept in this paper is mainly used for security assessment.

Strict mode: microservice instances that do not comply with the policy are not allowed to register.
Lenient mode:

4.3 Supported Security Policies

Classified by target:

  • global
  • specific (per service)
  • VM and container policies

4.4 Dynamic Documentation for Security Assessments

The challenge posed by RESTful resources can be solved with web service description documents. Such a document contains information about the web service and is widely used in SOA.
Security tools such as security scanners can use these documents to extract the information needed for security testing.
These documents generally use JSON rather than XML, since the latter is more complex.
Each microservice is designed to generate the required document automatically.
The documents are then stored following the externalized configuration cloud native design pattern.

They are kept together with the documents in the configuration server.

Policy documents can also be stored there.

The store can be protected with a token-based authentication mechanism.
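The reason the document store matters is the exploration problem from the introduction: a scanner can crawl a web application by following links, but a REST service exposes nothing to follow, so the endpoints, methods and parameters have to come from the service description. The following is an added example (not the paper's or Spring PetClinic's code) that turns a constructed OpenAPI 2 document into concrete scan targets; the service paths and parameters are assumptions chosen to resemble a visits service.

```python
"""Derive scan targets from an OpenAPI 2 (Swagger) document.

Added example, not code from the paper or the Spring PetClinic project.
A scanner cannot crawl a REST service, so the endpoints, methods and
parameters are taken from the description document instead.
"""
import json
from urllib.parse import urlencode

# Constructed OpenAPI 2 fragment in the spirit of a PetClinic "visits" service
# (paths and parameters are assumptions for this example, not the real API).
SWAGGER_DOC = json.dumps({
    "swagger": "2.0",
    "host": "localhost:8090",
    "basePath": "/",
    "schemes": ["http"],
    "paths": {
        "/owners/{ownerId}/pets/{petId}/visits": {
            "get": {"parameters": [
                {"name": "ownerId", "in": "path", "type": "integer", "required": True},
                {"name": "petId", "in": "path", "type": "integer", "required": True},
            ]},
            "post": {"parameters": [
                {"name": "ownerId", "in": "path", "type": "integer", "required": True},
                {"name": "petId", "in": "path", "type": "integer", "required": True},
                {"name": "body", "in": "body", "required": True,
                 "schema": {"type": "object", "properties": {
                     "description": {"type": "string"},
                     "date": {"type": "string"}}}},
            ]},
        },
        "/pets/visits": {
            "get": {"parameters": [
                {"name": "petId", "in": "query", "type": "array",
                 "items": {"type": "integer"}},
            ]},
        },
    },
})

# Benign placeholder values per declared type; a scanner later substitutes its
# own test inputs for each parameter listed as injectable.
SAMPLE_VALUES = {"integer": "1", "number": "1.0", "boolean": "true", "string": "test"}


def sample_for(param):
    """Pick a placeholder value for a parameter (arrays use their item type)."""
    ptype = param.get("type", "string")
    if ptype == "array":
        return SAMPLE_VALUES.get(param.get("items", {}).get("type", "string"), "test")
    return SAMPLE_VALUES.get(ptype, "test")


def sample_body(schema):
    """Build a minimal JSON body from a flat object schema."""
    return {name: sample_for(prop) for name, prop in schema.get("properties", {}).items()}


def scan_targets(doc_text):
    """Return one target per (method, path) in the document.

    Each target carries a concrete URL with path parameters filled in, the
    JSON body (if any) and the names of the parameters a scanner can vary.
    Path-level "parameters" entries are not handled in this example.
    """
    doc = json.loads(doc_text)
    base = f"{doc['schemes'][0]}://{doc['host']}{doc.get('basePath', '/').rstrip('/')}"
    targets = []
    for path, ops in doc["paths"].items():
        for method, op in ops.items():
            url_path, query, body, injectable = path, {}, None, []
            for p in op.get("parameters", []):
                injectable.append(p["name"])
                if p["in"] == "path":
                    url_path = url_path.replace("{" + p["name"] + "}", sample_for(p))
                elif p["in"] == "query":
                    query[p["name"]] = sample_for(p)
                elif p["in"] == "body":
                    body = sample_body(p.get("schema", {}))
            url = base + url_path + ("?" + urlencode(query) if query else "")
            targets.append({"method": method.upper(), "url": url,
                            "body": body, "injectable": injectable})
    return targets


if __name__ == "__main__":
    for t in scan_targets(SWAGGER_DOC):
        print(t["method"], t["url"], t["body"], t["injectable"])
```

The target list is what a gateway would hand to ZAP or Arachni; without the document, the two visits endpoints above would never be reached by a crawler, which is exactly the gap the dynamic document store closes.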

4.5 Security Health Endpoint

The health endpoint monitoring pattern provides periodic health checks against an application through heartbeat checks. These heartbeat checks are necessary for quickly identifying failures, e.g. performance-related failures. This situation-aware approach follows the observability principle of microservices. However, the approach does not include information about the security state of microservice instances, which is also important for efficient, real-time security monitoring. The distributed nature of microservices makes security monitoring more complex, so an easy way to obtain the security state of microservice instances is beneficial.
At present, however, there is no way to conveniently access the security health of a microservice instance other than log aggregation, and log aggregation requires parsing and analysis to yield actionable intelligence. Therefore, in this work the authors introduce the concept of the security health endpoint. In addition to the initial pre-registration assessment, security scans are scheduled automatically to detect vulnerabilities continuously. Authenticated administrators can conveniently access the results of these scans at a designated endpoint, similar to accessing health checks. For example, the security health metrics of the Visits service can be accessed at http://localhost:8090/security-health (Figure 2), while the health check is accessed at http://localhost:8090/health. The security health information shows the latest security assessment result, including the most important aspects such as vulnerability names, solutions and vulnerability metrics (e.g. CVEs and CCEs). This information can be used directly by other deployed security applications for security tasks such as automatically configuring Firewall-as-a-Service (FWaaS) rules, and integrating vulnerability information into intrusion detection systems (IDS) and security information and event management (SIEM) systems [19].

4.6 External Service Assessment

5. Implementation

The cloud environment uses OpenStack Newton.

5.1 Implementation of the Security Gateway

The core of the implementation is a pluggable security gateway (see Figure 4) that interacts directly with the service registry and discovery service (Eureka server) to implement policy enforcement and vulnerability assessment. The default service instance registration behaviour of the Eureka server had to be changed.

We adapt Spring Cloud’s implementation of Netflix Eureka server to route every initial registration request to the Security Gateway.

Initial registration requests are routed to the security gateway.
The asynchronous heartbeat interval between the Eureka server and its clients is increased from 30 s to 90 s.

Requesting microservice instances are initially added to a probation list pending the completion of the pre-registration security assessment.
The pre-registration assessment takes three parameters: the OpenAPI document location, the application name, and the application homepage URL. All three are obtained directly from the registration request.

Access to the production environment is granted to the requesting instance based on the result of the pre-registration assessment and the operation mode of the security gateway (discussed earlier in Section 4.2).

5.2 Pre-registration Security Assessment

The assessment process is shown in a figure in the paper (not reproduced here).

Service instances might only be registered if the security policy is fulfilled. Security policies could be useful in checking for specific vulnerabilities.

The scan policy manager (Figure 4) translates the policy to the specific format for the configured vulnerability scanners.

For example, Listing 1 (not reproduced here) is a baseline security policy for testing service instances for SQL Injection, XSS and CSRF vulnerabilities.
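The registration flow of Sections 4.2, 5.1 and 5.2 (probation list, pre-registration assessment against a policy, decision by gateway mode) can be modelled in a few lines. The following is an added example, not the paper's prototype: the scanner is replaced by a constructed result table, the policy fields and the "max risk allowed" threshold are assumptions in the spirit of Listing 1, and since the notes do not describe lenient mode it is assumed here to register the instance while still recording the report.

```python
"""Security gateway registration decision: probation list, policy check, mode.

Added example, not the paper's prototype. The scanner run is replaced by a
constructed result table; policy fields and the lenient-mode behaviour are
assumptions.
"""
from dataclasses import dataclass, field

RISK_ORDER = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Baseline policy in the spirit of the paper's Listing 1 (field names assumed):
# test for these classes; findings rated above "medium" (i.e. high or critical)
# block registration in strict mode, matching "risk ratings up to high are not registered".
BASELINE_POLICY = {
    "name": "baseline",
    "tests": ["sql_injection", "xss", "csrf"],
    "max_risk_allowed": "medium",
}

# Constructed scanner output keyed by application name (stand-in for ZAP/Arachni runs).
FAKE_SCAN_RESULTS = {
    "visits": [{"type": "csrf", "risk": "medium"}],
    "petsfans": [{"type": "xss", "risk": "high"}] * 5
                + [{"type": "sql_injection", "risk": "low"}],
}


@dataclass
class RegistrationRequest:
    """The three values the gateway reads from a registration request."""
    app_name: str
    openapi_url: str
    homepage_url: str


@dataclass
class SecurityGateway:
    policy: dict
    mode: str = "strict"                              # "strict" or "lenient" (assumed)
    probation: set = field(default_factory=set)       # instances awaiting assessment
    registry: dict = field(default_factory=dict)      # app name -> latest report

    def assess(self, request):
        """Pre-registration assessment: only findings covered by the policy count."""
        findings = FAKE_SCAN_RESULTS.get(request.app_name, [])  # assumption: scanner stub
        relevant = [f for f in findings if f["type"] in self.policy["tests"]]
        limit = RISK_ORDER[self.policy["max_risk_allowed"]]
        violations = [f for f in relevant if RISK_ORDER[f["risk"]] > limit]
        return {"app": request.app_name, "openapi": request.openapi_url,
                "findings": relevant, "violations": violations,
                "compliant": not violations}

    def register(self, request):
        """Return (registered, report).

        Strict mode refuses non-compliant instances; lenient mode (assumed
        behaviour) registers them but keeps the report for follow-up.
        """
        self.probation.add(request.app_name)
        report = self.assess(request)
        self.probation.discard(request.app_name)
        if report["compliant"] or self.mode == "lenient":
            self.registry[request.app_name] = report
            return True, report
        return False, report


if __name__ == "__main__":
    gw = SecurityGateway(BASELINE_POLICY, mode="strict")
    for name in ("visits", "petsfans"):
        req = RegistrationRequest(name, f"http://{name}.example/openapi.json",
                                  f"http://{name}.example/")
        ok, rep = gw.register(req)
        print(name, "registered" if ok else "refused", len(rep["violations"]), "violations")
```

Seen through this model, the case study in Section 6.3 is the "petsfans" row: five high-rated XSS findings exceed the policy threshold, so in strict mode the instance never leaves probation for the registry.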

5.3 Security Health Endpoints

Each service instance exposes health metrics at specific paths such as GET localhost:9966/health.

We implement security health endpoint resources in each Spring PetClinic microservice. These resources are capable of retrieving the current security assessment result from the security gateway by sending GET requests.

For example, on receipt of a GET request against the Visits service (GET localhost:9966/security-health), the Visits service sends a request to the Security Gateway to retrieve the most recent security testing report, which is subsequently returned to the requester in JSON format (Listing 2, not reproduced here).
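Sections 4.5 and 5.3 describe a /security-health resource served beside the usual /health check, restricted to authenticated administrators and carrying vulnerability names, solutions and metrics from the latest assessment. The following is an added example, not the paper's Spring implementation: a standard-library WSGI app with both endpoints. The report is a constructed stand-in for what the gateway would return (field names, the bearer-token check and the UP/DOWN rule are assumptions), so the fetch from the gateway is not shown.

```python
"""A /security-health endpoint beside /health, served with the standard library.

Added example, not the paper's implementation. LATEST_REPORT stands in for
the latest gateway assessment result; the field names, the bearer token
and the UP/DOWN rule are assumptions.
"""
import json
from wsgiref.simple_server import make_server

# Constructed report; identifiers are placeholders, not real CVE/CCE values.
LATEST_REPORT = {
    "scanned_at": "2017-01-01T00:00:00Z",
    "alerts": [
        {"name": "Cross Site Scripting (Reflected)", "risk": "High",
         "solution": "Encode output and validate input.", "cve": None, "cce": None},
        {"name": "Absence of Anti-CSRF Tokens", "risk": "Low",
         "solution": "Use anti-CSRF tokens on state-changing forms.", "cve": None, "cce": None},
    ],
}
ADMIN_TOKEN = "placeholder-admin-token"  # assumption: replace with the platform's real auth


def security_health(report):
    """Summarise the latest assessment in a health-check-like shape."""
    counts = {}
    for alert in report["alerts"]:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    # Assumed rule: any High/Critical finding marks the instance security-DOWN.
    status = "DOWN" if counts.get("High", 0) or counts.get("Critical", 0) else "UP"
    return {"status": status, "scannedAt": report["scanned_at"],
            "alertsByRisk": counts, "alerts": report["alerts"]}


def app(environ, start_response):
    """WSGI app: /health is open, /security-health needs the admin token."""
    path = environ.get("PATH_INFO", "")
    if path == "/health":
        body, code = {"status": "UP"}, "200 OK"
    elif path == "/security-health":
        if environ.get("HTTP_AUTHORIZATION", "") != f"Bearer {ADMIN_TOKEN}":
            body, code = {"error": "unauthorized"}, "401 Unauthorized"
        else:
            body, code = security_health(LATEST_REPORT), "200 OK"
    else:
        body, code = {"error": "not found"}, "404 Not Found"
    payload = json.dumps(body).encode()
    start_response(code, [("Content-Type", "application/json"),
                          ("Content-Length", str(len(payload)))])
    return [payload]


def call(path, token=None):
    """Invoke the app in-process (no network) and return (status, parsed body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if token:
        environ["HTTP_AUTHORIZATION"] = f"Bearer {token}"
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    chunks = app(environ, start_response)
    return captured["status"], json.loads(b"".join(chunks))


if __name__ == "__main__":
    # Serves GET /health and GET /security-health on localhost:8090.
    make_server("localhost", 8090, app).serve_forever()
```

The summary shape is what makes the endpoint useful to other security tooling: a SIEM or FWaaS integration can poll it the same way a load balancer polls /health, instead of parsing aggregated logs.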

5.4 Microservice Vulnerability Tracking

Though these metrics are available at instance endpoints, they do not provide the detailed security history necessary for vulnerability tracking, e.g. the security test results of past service instances.

DefectDojo is an open-source OWASP project for vulnerability management; it offers features available on commercial systems such as application vulnerability tracking, unified custom report generation and vulnerability metrics aggregation.

DefectDojo provides an API through which the security testing results for every microservice are sent. These results can subsequently be visualized and organised for security analysis.

6 Evaluation

  • Three aspects are evaluated:
    1. Measuring the overhead incurred by the discovery and service registry service (Eureka Server) in handling registration requests due to the Security Gateway.
    2. Evaluating the performance of security tests using dynamic document stores vis-a-vis traditional security assessment methods.
    3. Demonstrating with a case study the effectiveness of the prototype in enforcing security policies.

6.1 Security Gateway Time Overhead

Two versions of the Eureka server are used: Version A, the default Eureka Server, and Version B, the Security Gateway enabled Eureka Server.

The security gateway is deployed first, then the other service instances are launched one after the other while measuring the time taken from start to registration.

The customers service has the most code and therefore the largest attack surface, so its security test takes longer.

The time spent on security testing is not large, and if security testing is integrated into the development process, the time spent on testing at registration would disappear entirely.

6.2 Vulnerability Detection with Dynamic Document Store

The first test used the dynamic document store, while the second test ran without it.

6.3 Enforcement of Security Policies

In order to demonstrate the efficiency of the security gateway, another microservice called the PetsFans microservice is pushed to production.

The baseline security policy in Listing 1 is used to ensure that new service instances with vulnerability risk ratings up to high are not registered.

The PetsFan microservice is then launched, and the security gateway is called by the Eureka server to test the PetsFan microservice using the new security policy.

The test reveals that the microservice has 69 vulnerabilities, including 5 XSS vulnerabilities with a high risk ranking; Figure 7 (not reproduced here) shows an example of a discovered high risk vulnerability.

Future Work

Integrate the security gateway into the development process.
Integrate vulnerability correlation.
Integrate state-aware security testing techniques.
