Abstract
Service meshes have emerged as an attractive DevOps solution for collecting, managing, and coordinating microservice deployments. However, current service meshes leave fundamental security mechanisms missing or incomplete. This security burden means that a service mesh may impose more administrative workload and overhead than a traditional monolithic system. By assessing the effectiveness and practicality of service mesh tools, this work provides necessary insight into the security that service meshes actually deliver. We evaluate service meshes both under skilled administrators, who deploy optimal configurations of the available security mechanisms, and under default configurations. We consider a comprehensive set of adversarial scenarios, uncover design flaws that contradict the systems' stated goals, and present the limitations and challenges encountered when employing service mesh tools in operational environments.
Acknowledgments
The authors would like to acknowledge Seena Saiedian for contributions in proofreading and revising this work.
Copyright information
© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Hahn, D.A., Davidson, D., Bardas, A.G. (2020). MisMesh: Security Issues and Challenges in Service Meshes. In: Park, N., Sun, K., Foresti, S., Butler, K., Saxena, N. (eds) Security and Privacy in Communication Networks. SecureComm 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 335. Springer, Cham. https://doi.org/10.1007/978-3-030-63086-7_9
DOI: https://doi.org/10.1007/978-3-030-63086-7_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-63085-0
Online ISBN: 978-3-030-63086-7