ABSTRACT
Microservice architectures decompose web applications into loosely coupled, distributed components that interact with each other to provide an overall service. While this popular software architecture paradigm has many advantages in development and deployment, it also introduces a wider attack surface that is vulnerable to both internal and external attackers. Potentially malicious third-party services or software packages, as well as the increased number of communication endpoints, introduce a wide array of security concerns. To improve the resiliency of microservice-based applications, many of which store sensitive data, we propose a novel, path-based anomaly detection and access control infrastructure that requires no modifications to existing software. We propose leveraging trusted proxies deployed alongside each service for request inspection, anomaly detection and signed token propagation for end-user path validation. Our approach moves the trusted computing base away from the microservices to a smaller set of components, requiring less trust and presenting a smaller attack surface.
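To make the "signed token propagation for end-user path validation" idea concrete, the following is an added illustration, not code from the paper or its authors. It assumes a simplified scheme: each sidecar proxy holds a key (here a constructed per-service HMAC key; a real deployment would more likely use asymmetric signatures provisioned by the mesh control plane) and appends a signed hop to a token as a request passes through it, chaining each tag over the previous one. A verifying sidecar recomputes the chain and then checks the observed call path against an allow-list policy, so that a skipped, reordered or forged hop is rejected before the request reaches the service. Service names, keys and the policy are all hypothetical sample values.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample keys, one per sidecar (hypothetical; not from the paper).
# Using shared HMAC keys means every verifier must know every key, which is a
# simplification; per-sidecar signing keys with public verification avoid that.
SIDECAR_KEYS: Dict[str, bytes] = {
    "gateway": b"constructed-key-gateway",
    "orders": b"constructed-key-orders",
    "payments": b"constructed-key-payments",
}

# Allow-list of end-to-end call paths, as tuples of service names (constructed policy).
ALLOWED_PATHS = {
    ("gateway", "orders"),
    ("gateway", "orders", "payments"),
}


def _tag(key: bytes, user: str, prev_tag: str, service: str) -> str:
    """HMAC over (user, previous hop tag, this service); chaining binds hop order."""
    msg = json.dumps([user, prev_tag, service]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def new_token(user: str) -> dict:
    """Issued at the edge once the end user is authenticated; no hops yet."""
    return {"user": user, "hops": []}


def append_hop(token: dict, service: str) -> dict:
    """The sidecar of `service` records and signs its own hop."""
    prev_tag = token["hops"][-1]["tag"] if token["hops"] else ""
    tag = _tag(SIDECAR_KEYS[service], token["user"], prev_tag, service)
    token["hops"].append({"service": service, "tag": tag})
    return token


def verify_token(token: dict) -> Tuple[bool, str]:
    """Recompute the hop chain, then check the path against policy."""
    prev_tag = ""
    for hop in token["hops"]:
        svc = hop["service"]
        if svc not in SIDECAR_KEYS:
            return False, f"unknown service {svc}"
        expected = _tag(SIDECAR_KEYS[svc], token["user"], prev_tag, svc)
        if not hmac.compare_digest(expected, hop["tag"]):
            return False, f"bad signature at {svc}"
        prev_tag = hop["tag"]
    path = tuple(hop["service"] for hop in token["hops"])
    if path not in ALLOWED_PATHS:
        return False, f"path {path} not permitted"
    return True, "ok"


def walk(user: str, services: List[str]) -> dict:
    """Simulate a request traversing the given sidecars in order."""
    token = new_token(user)
    for svc in services:
        append_hop(token, svc)
    return token


def demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the happy path and three failure modes a verifier should catch."""
    good = walk("alice", ["gateway", "orders", "payments"])

    # An attacker-controlled service rewrites the subject after the hops were signed.
    swapped_user = walk("alice", ["gateway", "orders", "payments"])
    swapped_user["user"] = "mallory"

    # A middle hop is stripped, e.g. to hide that the request did not go via orders.
    skipped_hop = walk("alice", ["gateway", "orders", "payments"])
    del skipped_hop["hops"][1]

    # Every signature is valid, but the path itself is not one the policy allows.
    direct = walk("alice", ["gateway", "payments"])

    return {
        "valid": verify_token(good),
        "swapped_user": verify_token(swapped_user),
        "skipped_hop": verify_token(skipped_hop),
        "disallowed_path": verify_token(direct),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16s} -> {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The chained tag is what makes hop removal detectable: the `payments` tag was computed over the `orders` tag, so once `orders` is deleted the recomputation at `payments` no longer matches. Path policy is checked only after every signature verifies, so an unsigned or forged hop cannot be used to satisfy the allow-list.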
Index Terms
- Sidecar-based Path-aware Security for Microservices