Abstract
With the advancements in multi-core CPU architectures, a server operating system (OS) such as Linux can now handle a large number of concurrent application services on a single server instance. The individual service components of such services may run in different isolated environments, such as chrooted jails or application containers, and may need controlled access to system resources as well as the ability to collaborate and coordinate with each other in a regulated and secure manner. In an earlier work, we motivated the need for an access control framework, based on the principle of least privilege, for the formulation, management, and enforcement of policies that allow controlled access to system resources and also permit controlled collaboration and coordination among service components deployed in disjoint containerized environments under a single OS instance. The current work provides a more in-depth treatment of secure inter-component communication in such environments. We show the policies needed for such communication and demonstrate how they can be enforced through a Linux Policy Machine that acts as the centralized reference monitor. Inter-component interaction occurs through the persistent layer using a tuple space abstraction. We implemented a tuple space library that provides operations on the tuple space, and we present preliminary experimental results for the implementation covering its resource usage and performance.
This work was supported by grants from NIST under award nos. 70NANB15H264, 60NANB16D249 and 60NANB16D250.
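As an added illustration of the idea in the abstract (this is not the authors' tuple space library or LPM code), the sketch below implements Linda-style out/rd/in operations on a shared tuple space where every operation first passes a centralized reference monitor; the policy format, a mapping from component name to permitted (operation, tuple tag) pairs, is an assumption made here for the example.

```python
ANY = None  # wildcard field in a template

class PolicyDenied(PermissionError): pass

def matches(template, tup):
    """Linda-style match: same arity and every field equal or wildcard."""
    return len(template) == len(tup) and all(
        t is ANY or t == v for t, v in zip(template, tup))

class ReferenceMonitor:
    """Hypothetical policy store: component -> set of (operation, tag)."""
    def __init__(self, rules):
        self.rules = rules
    def check(self, component, op, tag):
        # Tag is the first tuple field; a wildcard tag would bypass scoping, so refuse it.
        if tag is ANY or (op, tag) not in self.rules.get(component, set()):
            raise PolicyDenied(f"{component} may not {op} '{tag}' tuples")

class TupleSpace:
    """Shared persistent layer; every operation is mediated by the monitor."""
    def __init__(self, monitor):
        self.monitor, self.tuples = monitor, []
    def out(self, component, tup):          # publish a tuple
        self.monitor.check(component, "out", tup[0])
        self.tuples.append(tuple(tup))
    def rd(self, component, template):      # non-destructive read
        self.monitor.check(component, "rd", template[0])
        return next((t for t in self.tuples if matches(template, t)), None)
    def in_(self, component, template):     # destructive read
        self.monitor.check(component, "in", template[0])
        for i, t in enumerate(self.tuples):
            if matches(template, t):
                return self.tuples.pop(i)
        return None

def demo():
    # Constructed policy: "web" hands jobs to "worker" and collects results; nothing else.
    policy = {"web": {("out", "job"), ("in", "result")},
              "worker": {("in", "job"), ("out", "result")}}
    ts = TupleSpace(ReferenceMonitor(policy))
    ts.out("web", ("job", 42, "resize"))
    job = ts.in_("worker", ("job", ANY, ANY))
    ts.out("worker", ("result", job[1], "ok"))
    result = ts.in_("web", ("result", 42, ANY))
    try:
        ts.rd("worker", ("result", ANY, ANY))   # not in worker's policy
        leaked = True
    except PolicyDenied:
        leaked = False
    return job, result, leaked
```

The monitor decides on the tuple's tag before any matching happens, so a component cannot learn whether tuples outside its policy exist by probing with templates.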
© 2016 Springer International Publishing AG
Belyaev, K., Ray, I. (2016). Component-Oriented Access Control for Deployment of Application Services in Containerized Environments. In: Foresti, S., Persiano, G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science(), vol 10052. Springer, Cham. https://doi.org/10.1007/978-3-319-48965-0_23
DOI: https://doi.org/10.1007/978-3-319-48965-0_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-48964-3
Online ISBN: 978-3-319-48965-0
eBook Packages: Computer Science (R0)