A TOSCA-Oriented Software-Defined Security Approach for Unikernel-Based Protected Clouds

Cloud infrastructures provide new facilities for building elaborate value-added services by composing and configuring a large variety of computing resources, from virtualized hardware devices to software products. At the same time, they are more exposed to security attacks than traditional environments. The complexity of security management tasks has been increased by the multi-tenancy, heterogeneity and geographical distribution of these resources, which raise critical issues for cloud service providers and their customers with respect to security programmability and adaptation to contextual changes. In this paper, we propose a software-defined security approach based on the TOSCA language to enable unikernel-based protected clouds. We first introduce extensions of this language to describe unikernels and to specify security constraints on their orchestration. We then describe an architecture that exploits this extended version of TOSCA to automatically generate, deploy and adjust cloud resources in the form of protected unikernels with a low attack surface. We finally detail a proof-of-concept prototype and evaluate the proposed solution through an extensive series of experiments.
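To make the idea of "extending TOSCA to describe unikernels and their security constraints" concrete, the following topology template is an added illustration written for this page; it is not the paper's own extension, and the custom type names (`hypothetical.nodes.Unikernel`, `hypothetical.policies.AttackSurface`), their properties and the image name are assumptions. It uses the standard TOSCA Simple Profile in YAML constructs (`node_types`, `policy_types`, `topology_template`, and the normative `tosca.nodes.SoftwareComponent` and `tosca.nodes.Compute` types) to show where a unikernel node type and a security policy that constrains its exposed surface would sit in an orchestration description.

```yaml
# Added example (hypothetical types); shows how a unikernel and a
# security constraint on it could be expressed in a TOSCA template.
tosca_definitions_version: tosca_simple_yaml_1_3

description: >
  Constructed topology: one unikernel service hosted on one compute node,
  with a policy limiting the ports it may expose.

node_types:
  # Hypothetical extension: a unikernel is modelled as a software
  # component that carries its own image and an explicit port allow-list.
  hypothetical.nodes.Unikernel:
    derived_from: tosca.nodes.SoftwareComponent
    properties:
      image:
        type: string
        description: Unikernel image to boot (constructed value below).
      allowed_ports:
        type: list
        entry_schema:
          type: integer
        description: Ports the orchestrator may open for this unikernel.

policy_types:
  # Hypothetical extension: a security constraint checked at deployment
  # and whenever the topology is adjusted.
  hypothetical.policies.AttackSurface:
    derived_from: tosca.policies.Root
    properties:
      max_exposed_ports:
        type: integer

topology_template:
  node_templates:
    compute_host:
      type: tosca.nodes.Compute
      capabilities:
        host:
          properties:
            num_cpus: 1
            mem_size: 256 MB

    web_unikernel:
      type: hypothetical.nodes.Unikernel
      properties:
        image: constructed-web-unikernel.img   # constructed sample value
        allowed_ports: [443]
      requirements:
        - host: compute_host

  policies:
    # The policy targets the unikernel node; an orchestrator honouring it
    # refuses (or re-plans) a deployment whose allowed_ports exceed the bound.
    - restrict_surface:
        type: hypothetical.policies.AttackSurface
        properties:
          max_exposed_ports: 1
        targets: [web_unikernel]
```

The point of the layout is that the security constraint lives in the same declarative document as the resource it protects, so an orchestrator can validate `allowed_ports` against `max_exposed_ports` before generating the image and re-validate it when the topology changes, rather than relying on a separate, out-of-band hardening step.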
