Documente Academic
Documente Profesional
Documente Cultură
net/publication/327974062
CITATIONS READS
0 206
5 authors, including:
72 PUBLICATIONS 186 CITATIONS
Peking University
92 PUBLICATIONS 1,096 CITATIONS
SEE PROFILE
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Kennedy Torkura on 30 September 2018.
example. 2 https://spring.io/
vulnerabilites in closely related applications [4]. For example, 1) Risk Analysis Using CVSS: The CVSS [26] is a widely
an attacker might exploit an XSS vulnerability (e.g. CVE- adopted vulnerability metrics standard. It provides vulnerabil-
2018-11039 3 ) in the API Gateway, to gain control of the ity severity base scores which can extracted from vulnerability
microservice. Next, the attacker compromises the other 3 scan reports. In order to derive the SR, the base scores of all
microservices using a single vulnerability e.g. CVE-2016- detected vulnerabilities can be summed and averaged [25] as
7167 4 . Lateral movement within microservices is easier once expressed below:
one of the collaborating microservices has been compro-
TV
mised since there is an established trust relationship. Lateral X
movement within microservices networks is easy once one Si
i=1
microservice is compromised since microservices within an SR =
application trust themselves are inter-instance communications TV
are rarely include authentication/authorization. Furthermore, where Si is the CVSS base score of vulnerabilities i, and T V
the availability of most images on public image repositories is the total number of vulnerabilities detected in microservice
e.g. DockerHub provides Open Source Intelligence (OSINT) m. However, averaging vulnerabilities to obtain single metrics
and economies of scale [8] for attackers. These images can be for representing microservice security state is not optimal
analyzed for vulnerabilities and the knowledge gained used to because the derived values are not sufficiently representative of
orchestrate large scale attacks against MSA. other factors such as availability of exploits for vulnerabilities.
Therefore, we employ another scoring technique namely, the
IV. D ESIGN AND S YSTEM M ODEL
shrinkage estimator [27]. This approach has been popularly
In this Section, we illustrate the security implications of used for online rating systems such as Internet Movie Database
homogeneous MSA with a running example, and thereafter (IMDB), and is well suited to our case because it considers not
present our analysis of microservice attack surfaces and how just the average rating but also the number of vulnerabilities.
MTD can mitigate risks due to these attack surfaces. The last The shrinkage estimator is expressed as:
sub-section briefly highlights on microservice vulnerability
correlation matrix. SR = (T V )/(T V + M V )).R + (M V /(T V + M V )).C
A. Risk Analysis for Microservice Diversification where, M V is minimum number of vulnerabilities required to
In Section III, we provided justification for microservice di- be included in the assessment, and C is the mean vulnerability
versification i.e. to counter security issues due to homogeneous security score. Following, the Pearson’s correlation coefficient
microservices. To provide a structured procedure to support is derived to determine the dependence relationship between
security-biased diversification, we employ security metrics to the microservices.
design a cyber risk-based MTD mechanism. Security metrics 2) Risk Analysis Using OWASP Risk Rating Methodology:
are useful tools for risk assessments due to inherent encapsula- The risk assessment method described in the previous subsec-
tion of risk quantification variables [25]. We aim at computing tion is limited to vulnerabilites published in the Common Vul-
risks per microservice and thereafter employing vulnerabil- nerabilities and Exposures (CVE) dictionary. The CVE does
ity prioritization such that diversification is a function of not provide an exhaustive representation of web application
microservice risk analysis. This approach is consistent with vulnerabilities, thus we need to derive another risk assessment
compliance security measures as defined by several standards methodology for web vulnerabilities. We use the ORRM,
e.g. ISO/IEC 27001/27002. To characterize this requirement, which is specifically designed for web applications [28]. The
we introduce the notion of Diversification Index - D, as an ORRM expresses risks as a function of two parameters: the
expression of the depth of diversification to be implemented. likelihood of occurrence of a vulnerability and the potential
Given a microservice-based application M consisting a set of impact due to vulnerability exploitation. More formally this is
microservice instances {m1 , m2 , m3 , . . . , mn }, we express D expressed as:
as follows:
D = T M/n Risk = Likelihood ∗ Impact
where, T M is number of microservices to be diversified These parameters are assigned considering threat vectors,
and n is the total number of microservices instances in the possible attacks, and impacts of successful attacks.
application. Therefore, D provides a flexible guidance on the
number of microservices to be transformed. Due to specific B. Anatomy of Microservice Attack Surfaces
requirements, developers might not want to diversify some A core aspect of our methodology is manipulation of
microservices which can be excluded. A second metric is microservice attack surfaces against attackers through random
constructed, the Security Risk - SR, to provide a numeric architectural transformations. We adopt Howard et. al’s at-
expression of microservice’s security state. We employ two tack opportunities concept [29] for defining attack surfaces.
approaches for determining SR: The attack opportunities concept defines attack sufaces along
3 https://nvd.nist.gov/vuln/detail/CVE-2018-11039 three abstract dimensions: targets and enablers, channels and
4 https://security-tracker.debian.org/tracker/CVE-2016-7167 protocols, and access rights which are used for estimating
2) Vertical Vulnerability Correlation: The vertical correla-
tion technique is similar to the horizontal correlation, however
the interactions across application-image layers are analyzed.
In Figure 2, attack Path 1 illustrates the exploitation of a
vulnerability across the vertical attack surface. The attacker
initiates an attack against the PetClinic’s API Gateway, and
moves laterally through the application-image layer. From
there, another attack is launched through the Customers ser-
vice’s application-image layer and finally the database is com-
promised. The same attack can be repeated against the other
microservices hence the need to correlate casual relationships
between vulnerabilities.
V V2 ... Vn
1
Figure 2: Horizontal and Vertical Microservice Attack Sur- M1 1 1 ··· ...
faces of the PetClinic Application Exploited via Multi-Step M2 1
0 ··· ...
Attacks .. .. .. ..
. . . .
Mn 1 1 ··· ...
application attackability [30]. According to OWASP [31], at- Figure 3: Microservice Vulnerability Correlation Matrix
tack surfaces for web and REST applications include all entry
and exit points e.g. APIs, HTTP headers and cookies, user
interfaces e.t.c. Hence, to reduce microservices attackability, C. Microservices Vulnerability Correlation Matrix
attack surfaces are identified and altered, these attack surfaces
Correlated vulnerabilities can be represented with correla-
are further characterized as : horizontal and vertical attack
tion matrices, more specifically refered to as microservices
surfaces. Furthermore, vulnerability correlation methods are
vulnerability correlation matrix. Therefore, we are influenced
applied to establish the relationship between vulnerabilities.
by the definition in [18] to define microservices vulnera-
1) Horizontal Vulnerability Correlation: The objective of
bility correlation matrix as a mapping of vulnerabilities to
correlating vulnerabilities horizontally is analyze the relation-
microservice instances in a microservice-based application.
ship of vulnerabilities along the horizontal attack surface.
The microservices vulnerability correlation matrix presents
Figure 2 illustrates the multi-layered attack surface of Pet-
a view of vulnerabilities that concurrently affect multiple
Clinic. The application layer horizontal attack surface consists
microservices. An example of the microservice correlation
of interactions against the exit/entry points from the API
matrix is Figure 3, where M1 and M2 will have a correlated
gateway to the Vets,Visits and Customer services application
failures under an attack that exploits vulnerability V1 since
layers. Application requests and responses transversed along
they share the same vulnerability. However, an attack that
this layer, providing attack opportunities for attackers e.g
exploits V2 can only affect M1 , while M2 remains unaffected.
XSS vulnerabilities. We leverage vulnerability correlation to
understand the relationship between the vulnerabilities along V. I MPLEMENTATION
this plane. In this context, vulnerability correlation process
differs from the mathematical correlation, it is similar to Our MTD mechanism is implemented in software com-
security event correlation techniques [32], though rather than ponents which have been integrated into our previous work:
clustering similar attributes e.g. malicious IP addresses, we Cloud Aware Vulnerability Assessment System (CAVAS) [12,
focus on Common Weakness Enumeration (CWE) Ids. CWE 33]. In Figure 4, the new components are distinguished with
is a standard classification system for application weaknesses ash colors and bordered with dashed lines. For the purposes
5
. For example, CWE 89 categorizes all vulnerabilities related of this paper, we discuss only the components related to our
to Improper Neutralization of Special Elements used in an proposed solution. The components shown in the workflow
SQL Command (SQL Injection) 6 and can be mapped to several of our proposed approach (Figure 5) are explained in the
CVEs e.g. CVE-2016-6652 7 , an SQL injection vulnerability in following subsections.
Spring Data JPA. If this vulnerability exists in all PetClinic’s A. Security Gateway
microservices, an attacker could easily conduct a correlated
attacks (Attack Paths 2,4,5 and 6 of Figure 2) resulting to The Security Gateway leverages cloud design patterns for
correlated failures and eventual application failure. vulnerability assessment by modifying the behaviour of the
service discovery and registry server to suit security testing
5 https://cwe.mitre.org/index.html requirements. This approach enables integration of SEPs for
6 https://cwe.mitre.org/data/definitions/89.html security policy enforcement. Implementation details of the
7 https://nvd.nist.gov/vuln/detail/CVE-2016-6652 Security Gateway are described in [12].
Figure 4: CAVAS Architecture Showing New Components in Dashed Lines.