A survey on security issues in services communication of Microservices‐enabled fog applications

Fog computing is a popular extension of cloud computing for a variety of emerging applications. To accommodate the varied design choices and customized policies of the fog computing paradigm, Microservices has been proposed as a new software architecture; because of its defining features, i.e., fine granularity and loose coupling, it makes fog applications easy to modify and quick to deploy. Unfortunately, the Microservices architecture is vulnerable because its widely distributed interfaces are easy to attack, and the industry has not yet become fully aware of these security issues. In this paper, we present a survey of the security risks that threaten Microservices‐based fog applications. Because a fog application built on the Microservices architecture consists of numerous services that communicate frequently, we focus on the security issues arising in the communication among Microservices in four aspects: containers, data, permission, and network. Containers are often used as the deployment and operational environment for Microservices. Data is communicated among services and is vital for every enterprise. Permission is the guarantee of service security. Network security is the foundation of secure communication. Finally, we propose an ideal solution for the security issues in the communication among services of Microservices‐based fog applications.
