MisMesh: Security Issues and Challenges in Service Meshes

Conference paper in: Security and Privacy in Communication Networks (SecureComm 2020)

Abstract

Service meshes have emerged as an attractive DevOps solution for collecting, managing, and coordinating microservice deployments. However, current service meshes leave fundamental security mechanisms missing or incomplete. This security burden means that service meshes may actually cause additional workload and overhead for administrators compared to traditional monolithic systems. By assessing the effectiveness and practicality of service mesh tools, this work provides necessary insights into the security that service meshes actually offer. We evaluate service meshes under both skilled administrators (who deploy optimal configurations of the available security mechanisms) and default configurations. We consider a comprehensive set of adversarial scenarios, uncover design flaws that contradict system goals, and present the limitations and challenges encountered in employing service mesh tools in operational environments.



Acknowledgments

The authors would like to acknowledge Seena Saiedian for their contributions in proofreading and revising this work.

Author information

Correspondence to Dalton A. Hahn.


Copyright information

© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Hahn, D.A., Davidson, D., Bardas, A.G. (2020). MisMesh: Security Issues and Challenges in Service Meshes. In: Park, N., Sun, K., Foresti, S., Butler, K., Saxena, N. (eds) Security and Privacy in Communication Networks. SecureComm 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 335. Springer, Cham. https://doi.org/10.1007/978-3-030-63086-7_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-63086-7_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-63085-0

  • Online ISBN: 978-3-030-63086-7

  • eBook Packages: Computer Science (R0)
