Automatic Policy Generation for Inter-Service Access Control of Microservices

Cloud applications today are often composed of many microservices. To prevent a microservice from being abused by other (possibly compromised) microservices, inter-service access control is applied. However, the complexity of fine-grained access control policies, together with the large scale and dynamic nature of microservice deployments, makes the current manual, configuration-based approach to access control unsuitable. This paper presents AUTOARMOR, the first attempt to automate inter-service access control policy generation for microservices, built on two fundamental techniques: (1) a static analysis-based request extraction mechanism that automatically obtains the invocation logic among microservices, and (2) a graph-based policy management mechanism that generates the corresponding access control policies and updates them on demand. Our evaluation on popular microservice applications shows that AUTOARMOR generates fine-grained inter-service access control policies and updates them promptly as the application changes, with only minor runtime overhead. Because it integrates with the lifecycle of microservices, it requires no changes to existing code or infrastructure.
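The second technique above, graph-based policy management, is easiest to see on a concrete invocation graph. The following is an added example, not AUTOARMOR's own code: it assumes that a static analysis pass has already produced the list of outbound requests each microservice makes (the sample requests for a small shop application are constructed here), builds the callee-keyed invocation graph, derives one deny-by-default allow-list per callee, computes the rule delta when a new application version changes the graph, and renders a policy in the shape of an Istio AuthorizationPolicy. The Istio target and the service-account principal naming are assumptions; the page does not name a policy language.

```python
"""Graph-based generation of inter-service allow-lists from extracted requests.

Added illustration, not AUTOARMOR's own code. It assumes a static analysis
pass has already produced the list of outbound requests each microservice
makes; the sample requests below are constructed for this example, and the
rendered policy shape is modelled on an Istio AuthorizationPolicy, which is an
assumption about the target (the page does not name a policy language).
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (caller, callee, method, path): what request extraction would hand over.
Request = Tuple[str, str, str, str]
Rule = Tuple[str, str, str]            # (caller, method, path) allowed at a callee

# Constructed sample for a small shop application (version 1).
EXTRACTED_V1: List[Request] = [
    ("frontend", "catalog", "GET", "/products"),
    ("frontend", "cart", "GET", "/cart"),
    ("frontend", "cart", "POST", "/cart/items"),
    ("cart", "catalog", "GET", "/products/price"),
    ("frontend", "checkout", "POST", "/checkout"),
    ("checkout", "cart", "GET", "/cart"),
    ("checkout", "payment", "POST", "/charge"),
]

# Version 2 adds one call: checkout now queries catalog for stock levels.
EXTRACTED_V2: List[Request] = EXTRACTED_V1 + [("checkout", "catalog", "GET", "/products/stock")]


def build_graph(requests: List[Request]) -> Dict[str, set]:
    """Invocation graph keyed by callee: callee -> {(caller, method, path)}."""
    graph: Dict[str, set] = defaultdict(set)
    for caller, callee, method, path in requests:
        graph[callee].add((caller, method, path))
    return graph


def generate_policies(requests: List[Request]) -> Dict[str, List[Rule]]:
    """One allow-list per callee, containing exactly the inbound edges seen.

    Anything not listed is denied, so a compromised service cannot reach
    endpoints its code never calls.
    """
    graph = build_graph(requests)
    return {callee: sorted(edges) for callee, edges in graph.items()}


def is_allowed(policies: Dict[str, List[Rule]], caller: str, callee: str,
               method: str, path: str) -> bool:
    """Enforcement check: allowed only if an explicit rule matches (default deny)."""
    return (caller, method, path) in policies.get(callee, [])


def diff_policies(old: Dict[str, List[Rule]], new: Dict[str, List[Rule]]) -> Dict[str, dict]:
    """On-demand update: per callee, which rules to add and which to remove."""
    changes = {}
    for callee in sorted(set(old) | set(new)):
        added = sorted(set(new.get(callee, [])) - set(old.get(callee, [])))
        removed = sorted(set(old.get(callee, [])) - set(new.get(callee, [])))
        if added or removed:
            changes[callee] = {"add": added, "remove": removed}
    return changes


def render_istio_like(callee: str, rules: List[Rule], namespace: str = "default") -> dict:
    """Render a callee's allow-list as an Istio-style AuthorizationPolicy dict.

    Callers are identified by their service-account principal (assumed naming).
    """
    return {
        "apiVersion": "security.istio.io/v1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": f"{callee}-allow", "namespace": namespace},
        "spec": {
            "selector": {"matchLabels": {"app": callee}},
            "action": "ALLOW",
            "rules": [
                {
                    "from": [{"source": {"principals": [f"cluster.local/ns/{namespace}/sa/{caller}"]}}],
                    "to": [{"operation": {"methods": [method], "paths": [path]}}],
                }
                for caller, method, path in rules
            ],
        },
    }


if __name__ == "__main__":
    v1 = generate_policies(EXTRACTED_V1)
    print(render_istio_like("payment", v1["payment"]))
    # A compromised frontend trying to charge cards directly is denied.
    print(is_allowed(v1, "frontend", "payment", "POST", "/charge"))
    print(diff_policies(v1, generate_policies(EXTRACTED_V2)))
```

The point the example makes is that the allow-list for each callee is derived entirely from edges present in the graph, so a request such as `frontend -> payment POST /charge`, which no service's code issues, is rejected without anyone having written a deny rule; and when a new version of `checkout` adds a call, `diff_policies` yields exactly the one rule the `catalog` policy must gain, which is the change an on-demand updater would push rather than regenerating every policy.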
