research-article

HELIOS: Hardware-assisted High-performance Security Extension for Cloud Networking

Authors:
Myoungsung You

KAIST

KAIST

0000-0001-5822-5243
View Profile

,
Jaehyun Nam

Dankook University

Dankook University

0000-0001-8907-5495
View Profile

,
Minjae Seo

KAIST

KAIST

0000-0001-9240-5213
View Profile

,
Seungwon Shin

KAIST

KAIST

0000-0002-1077-5606
View Profile

SoCC '23: Proceedings of the 2023 ACM Symposium on Cloud ComputingOctober 2023Pages 486–501https://doi.org/10.1145/3620678.3624786

Published:31 October 2023Publication History

SoCC '23: Proceedings of the 2023 ACM Symposium on Cloud Computing

Pages 486–501

ABSTRACT

With the increasing adoption of containerization in cloud services, container networking has become a critical concern, as it enables the agile deployment of microservices but also introduces new vulnerabilities susceptible to network attacks, posing a threat to container environments. While several security solutions have been introduced to address this concern, they unfortunately exhibit significant shortcomings, including security vulnerabilities and limited performance. We thus propose Helios, a novel hardware-based network security extension that addresses the security and performance limitations in existing solutions. Leveraging a smartNIC, Helios enhances both the security and performance facets of container networking through two key mechanisms: (i) the establishment of physically isolated container communication channels and (ii) the network security engines fully offloaded to the smartNIC. Our evaluation shows that Helios mitigates various network threats initiated from both container- and host-side while performing up to 3x faster than the existing solutions in container communication.

References

2008. PCI-SIG Single Root I/O Virtualization (SR-IOV) Support in Intel® Virtualization Technology for Connectivity. https://www.intel.com/content/www/us/en/pci-express/pci-sig-single-root-io-virtualization-support-in-virtualization-technology-for-connectivity-paper.html.Google Scholar
2013. Namespaces in Operation, Part 1: Namespaces Overview. https://lwn.net/Articles/531114/.Google Scholar
2014. wrk -- a HTTP Benchmarking Tool. https://github.com/wg/wrk.Google Scholar
2015. Kubernetes Performance Measurements and Roadmap. https://kubernetes.io/blog/2015/09/kubernetes-performance-measurements-and/.Google Scholar
2018. Flask Docker Container Image. https://hub.docker.com/r/jcdemo/flaskapp.Google Scholar
2019. CVE-2019-8341. https://nvd.nist.gov/vuln/detail/CVE-2019-8341/.Google Scholar
2020. CVE-2020-11100. https://nvd.nist.gov/vuln/detail/CVE-2020-11100/.Google Scholar
2021. State of Kubernetes Security Report. https://thechief.io/c/editorial/state-of-kubernetes-security-report.Google Scholar
2022. 7 Most Infamous Cloud Security Breaches. https://blog.storagecraft.com/7-infamous-cloud-security-breaches/.Google Scholar
2022. Amazon Web Services. https://aws.amazon.com/.Google Scholar
2023. AppArmor, Linux Kernel Security Module. https://apparmor.net/.Google Scholar
2023. bridge(8) --- Linux manual page. https://man7.org/linux/manpages/man8/bridge.8.html.Google Scholar
2023. Calio-felix. https://docs.projectcalico.org/reference/felix/.Google Scholar
2023. Cilim Envoy Extension. https://docs.cilium.io/en/v1.13/security/network/proxy/envoy/.Google Scholar
2023. Cilium. https://www.cilium.io/.Google Scholar
2023. Cilium-agent. https://docs.cilium.io/en/stable/cmdref/cilium-agent/.Google Scholar
2023. CNI: The container network interface. https://www.cni.dev/.Google Scholar
2023. Docker. https://www.docker.com.Google Scholar
2023. Docker host networking. https://docs.docker.com/network/host/.Google Scholar
2023. DockerHub: envoyproxy/envoy. https://hub.docker.com/r/envoyproxy/envoy.Google Scholar
2023. DockerHub: hashicorp/boundary. https://hub.docker.com/r/hashicorp/boundary.Google Scholar
2023. DockerHub: sysdig. https://hub.docker.com/r/sysdig/sysdig.Google Scholar
2023. eBPF Introduction, Tutorials. https://docs.cilium.io/en/stable/bpf/.Google Scholar
2023. Flannel-d. https://github.com/flannel-io/flannel.Google Scholar
2023. Google Cloud Platform (GCP). https://cloud.google.com/.Google Scholar
2023. HAProxy ingress controler. https://haproxy-ingress.github.io/.Google Scholar
2023. Hewlett Packard Enterprise. Netperf. https://hewlettpackard.github.io/netperf/.Google Scholar
2023. Host network driver. https://docs.docker.com/network/drivers/host/.Google Scholar
2023. iPerf. Network Bandwidth Measurement Tool. https://iperf.fr/iperf-download.php.Google Scholar
2023. Kubernetes. https://kubernetes.io.Google Scholar
2023. Kubernetes API Watcher Design. https://docs.openstack.org/kuryr/0.2.0/devref/k8s_api_watcher_design.html.Google Scholar
2023. Kubernetes: Considerations for large clusters. https://kubernetes.io/docs/setup/best-practices/cluster-large/.Google Scholar
2023. Kubernetes Privilege Escalation. https://i.blackhat.com/USA-22/Thursday/US-22-Avrahami-Kubernetes-Privilege-Escalation-Container-Escape-Cluster-Admin.pdf.Google Scholar
2023. Linux SYSSTAT. http://sebastien.godard.pagesperso-orange.fr/.Google Scholar
2023. Microsoft Azure. https://azure.microsoft.com/.Google Scholar
2023. Netronome Agilo CX smartNIC 2x40GbE. https://www.netronome.com/media/documents/PB_NFP-4000-7-20.pdf.Google Scholar
2023. Nginx Docker Container. https://hub.docker.com/_/nginx.Google Scholar
2023. OpenVPN Access Server. https://hub.docker.com/r/mace/openvpn-as.Google Scholar
2023. Project Calico. https://www.projectcalico.org/.Google Scholar
2023. Redis Docker Container. https://hub.docker.com/_/redis.Google Scholar
2023. Service | Kubernetes. https://kubernetes.io/docs/concepts/services-networking/service/.Google Scholar
2023. TCPdump manpage. https://www.tcpdump.org/manpages/.Google Scholar
2023. The Istio service mesh. https://istio.io/.Google Scholar
2023. The Linked servie mesh. https://linkerd.io/.Google Scholar
2023. veth -- Virtual Ethernet Device. https://man7.org/linux/manpages/man4/veth.4.html/.Google Scholar
Ali AlSabeh, Elie Kfoury, Jorge Crichigno, and Elias Bou-Harb. 2022. P4DDPI: Securing P4-Programmable Data Plane Networks via DNS Deep Packet Inspection. In Proceedings of the 2022 Network and Distributed System Security (NDSS) Symposium. 1ś7.Google ScholarCross Ref
Kelly Brady, Seung Moon, Tuan Nguyen, and Joel Coffman. 2020. Docker Container Security in Cloud Computing. In In Proceedings of Annual Computing and Communication Workshop and Conference. 975--980.Google Scholar
Gerald Budigiri, Christoph Baumann, Jan Tobias Mühlberg, Eddy Truyen, and Wouter Joosen. 2021. Network Policies in Kubernetes: Performance Evaluation and Security Analysis. In In proceedings of Joint European Conference on Networks and Communications & 6G Summit. 407--412.Google Scholar
Pubali Datta, Prabuddha Kumar, Tristan Morris, Michael Grace, Amir Rahmati, and Adam Bates. 2020. Valve: Securing Function Workflows on Serverless Computing Platforms. In Proceedings of the Web Conference 2020. 939--950.Google ScholarDigital Library
Ana Duarte and Nuno Antunes. 2018. An Empirical Study of Docker Vulnerabilities and of Static Code Analysis Applicability. In In Proceedings of Latin-American Symposium on Dependable Computing. 27--36.Google Scholar
William Findlay, David Barrera, and Anil Somayaji. 2021. BPFContain: Fixing the Soft Underbelly of Container Security. arXiv preprint arXiv:2102.06972 (2021).Google Scholar
Seyedhamed Ghavamnia, Tapti Palit, Azzedine Benameur, and Michalis Polychronakis. 2020. Confine: Automated System Call Policy Generation for Container Attack Surface Reduction. In Proceedings of International Symposium on Research in Attacks, Intrusions and Defenses. 443--458.Google Scholar
Joel Hypolite, John Sonchack, Shlomo Hershkop, Nathan Dautenhahn, André DeHon, and Jonathan M Smith. 2020. DeepMatch: practical deep packet inspection in the data plane using network processors. In Proceedings of the 16th International Conference on emerging Networking EXperiments and Technologies. 336--350.Google ScholarDigital Library
Theo Jepsen, Daniel Alvarez, Nate Foster, Changhoon Kim, Jeongkeun Lee, Masoud Moshref, and Robert Soulé. 2019. Fast string searching on pisa. In Proceedings of ACM Symposium on SDN Research. 21--28.Google ScholarDigital Library
Jakub Kicinski and Nicolaas Viljoen. 2016. eBPF Hardware Offload to SmartNICs: cls bpf and XDP. Proceedings of netdev 1 (2016).Google Scholar
Abhinav Kommula, Yen-Hung Frank Hu, Mary Ann Hoppa, and Samuel Olatunbosun. 2020. Machine Learning Techniques to Enhance Container Network Security. In In proceedings of International Conference on Computational Science and Computational Intelligence. 622--627.Google ScholarCross Ref
Lingguang Lei, Jianhua Sun, Kun Sun, Chris Shenefiel, Rui Ma, Yuewu Wang, and Qi Li. 2017. SPEAKER: Split-phase execution of application containers. In Proceedings of International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment.Google ScholarCross Ref
Wubin Li, Yves Lemieux, Jing Gao, Zhuofeng Zhao, and Yanbo Han. 2019. Service mesh: Challenges, state of the art, and future research opportunities. In Proceedings of IEEE International Conference on Service-Oriented System Engineering. 122--1225.Google ScholarCross Ref
Xing Li, Xue Leng, and Yan Chen. 2021. Securing Serverless Computing: Challenges, Solutions, and Opportunities. arXiv preprint arXiv:2105.12581 (2021).Google Scholar
Xin Lin, Lingguang Lei, Yuewu Wang, Jiwu Jing, Kun Sun, and Quan Zhou. 2018. A measurement study on linux container security: Attacks and countermeasures. In Proceedings of Annual Computer Security Applications Conference. 418--429.Google ScholarDigital Library
Coleman Link, Jesse Sarran, Garegin Grigoryan, Minseok Kwon, M Mustafa Rafique, and Warren R Carithers. 2019. Container Orchestration by Kubernetes for RDMA Networking. In Proceedings of IEEE International Conference on Network Protocols. 1--2.Google ScholarCross Ref
Chang Liu, Longtao He, Gang Xiong, Zigang Cao, and Zhen Li. 2019. Fs-net: A flow sequence network for encrypted traffic classification. In IEEE INFOCOM 2019-IEEE Conference On Computer Communications. IEEE, 1171--1179.Google ScholarDigital Library
Antony Martin, Simone Raponi, Théo Combe, and Roberto Di Pietro. 2018. Docker Ecosystem -- Vulnerability Analysis. Computer Communications 122 (2018), 30--43.Google ScholarCross Ref
Jaehyun Nam, Seungsoo Lee, Phillip Porras, Vinod Yegneswaran, and Seungwon Shin. 2022. Secure Inter-Container Communications Using XDP/eBPF. IEEE/ACM Transactions on Networking 31, 2 (2022), 934--947.Google ScholarDigital Library
Jaehyun Nam, Seungsoo Lee, Hyunmin Seo, Phil Porras, Vinod Yegneswaran, and Seungwon Shin. 2020. BASTION: A Security Enforcement Network Stack for Container Networks. In Proceedings of USENIX Annual Technical Conference. 81--95.Google Scholar
Salvatore Pontarelli, Roberto Bifulco, Marco Bonola, Carmelo Cascone, Marco Spaziani, Valerio Bruschi, Davide Sanvito, Giuseppe Siracusano, Antonio Capone, Michio Honda, et al. 2019. Flowblaze: Stateful packet processing in hardware. In Proceedings of the 16th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2019. USENIX ASSOC, 531--547.Google Scholar
Jamal Hadi Salim. 2015. Linux traffic control classifier-action subsystem architecture. Proceedings of Netdev 0.1 (2015).Google Scholar
Meng Shen, Jinpeng Zhang, Liehuang Zhu, Ke Xu, and Xiaojiang Du. 2021. Accurate decentralized application identification via encrypted traffic analysis using graph neural networks. IEEE Transactions on Information Forensics and Security 16 (2021), 2367--2380.Google ScholarCross Ref
Sari Sultan, Imtiaz Ahmad, and Tassos Dimitriou. 2019. Container Security: Issues, Challenges, and the Road Ahead. IEEE Access 7 (2019), 52976--52996.Google ScholarCross Ref
Yuqiong Sun, David Safford, Mimi Zohar, Dimitrios Pendarakis, Zhongshu Gu, and Trent Jaeger. 2018. Security Namespace: Making Linux Security Frameworks Available to Containers. In Proceedings of USENIX Security Symposium. 1423--1439.Google Scholar
Kun Suo, Yong Zhao, Wei Chen, and Jia Rao. 2018. An analysis and empirical study of container networks. In IEEE INFOCOM 2018-IEEE Conference on Computer Communications. IEEE, 189--197.Google ScholarDigital Library
Linyih Teng, Chi-Hsiang Hung, and Charles H-P Wen. 2022. P4SF: A High-Performance Stateful Firewall on Commodity P4-Programmable Switch. In NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium. IEEE, 1--5.Google ScholarDigital Library
Wei Wang, Ming Zhu, Jinlin Wang, Xuewen Zeng, and Zhongzhen Yang. 2017. End-to-end encrypted traffic classification with one-dimensional convolution neural networks. In 2017 IEEE international conference on intelligence and security informatics (ISI). IEEE, 43--48.Google ScholarDigital Library
Jinli Yan, Lu Tang, Junnan Li, Xiangrui Yang, Wei Quan, Hongyi Chen, and Zhigang Sun. 2019. UniSec: a unified security framework with SmartNIC acceleration in public cloud. In Proceedings of the ACM Turing Celebration Conference-China. 1--6.Google ScholarDigital Library
Zirak Zaheer, Hyunseok Chang, Sarit Mukherjee, and Jacobus Van der Merwe. 2019. Eztrust: Network-independent Zero-trust Perimeterization for Microservices. In Proceedings of the Symposium on SDN Research. 49--61.Google ScholarDigital Library

Index Terms

HELIOS: Hardware-assisted High-performance Security Extension for Cloud Networking
1. Networks
  1. Network services
    1. Cloud computing

Recommendations

CNTC: A Container Aware Network Traffic Control Framework
Green, Pervasive, and Cloud Computing
Abstract
As a lightweight virtualization technology, containers are attracting much attention and widely deployed in the cloud data centers. To provide consistent and reliable performance, cloud providers should ensure resource isolation since each host ...
Read More
SuperNIC: An FPGA-Based, Cloud-Oriented SmartNIC
FPGA '24: Proceedings of the 2024 ACM/SIGDA International Symposium on Field Programmable Gate Arrays

With CPU scaling slowing down in today's data centers, more functionalities are being offloaded from the CPU to auxiliary devices. One such device is the SmartNIC, which is being increasingly adopted in data centers. In today's cloud environment, VMs on ...
Read More
Janus: An Experimental Reconfigurable SmartNIC with P4 Programmability and SDN Isolation
FPGA '23: Proceedings of the 2023 ACM/SIGDA International Symposium on Field Programmable Gate Arrays

Disparate deployment models of cloud computing pose varying requirements on cloud infrastructure components such as networking, storage, provisioning, and security. Infrastructure providers need to study these and often create custom infrastructure ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in

SoCC '23: Proceedings of the 2023 ACM Symposium on Cloud Computing
October 2023
624 pages
ISBN:9798400703874
DOI:10.1145/3620678

Copyright © 2023 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 31 October 2023
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Container Network
Security Policy Enforcement
SmartNIC
Qualifiers
- research-article
- Research
- Refereed limited
Conference

Acceptance Rates
Overall Acceptance Rate169of722submissions,23%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 0
  Total Citations
  View Citations
- 138
  Total Downloads
- Downloads (Last 12 months)138
- Downloads (Last 6 weeks)14
Other Metrics
View Author Metrics
Cited By
This publication has not been cited yet

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

HELIOS: Hardware-assisted High-performance Security Extension for Cloud Networking

SoCC '23: Proceedings of the 2023 ACM Symposium on Cloud Computing

ABSTRACT

References

Cited By

Index Terms

Recommendations

CNTC: A Container Aware Network Traffic Control Framework

SuperNIC: An FPGA-Based, Cloud-Oriented SmartNIC

Janus: An Experimental Reconfigurable SmartNIC with P4 Programmability and SDN Isolation

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

HELIOS: Hardware-assisted High-performance Security Extension for Cloud Networking

SoCC '23: Proceedings of the 2023 ACM Symposium on Cloud Computing

ABSTRACT

References

Cited By

Index Terms

Recommendations

CNTC: A Container Aware Network Traffic Control Framework

SuperNIC: An FPGA-Based, Cloud-Oriented SmartNIC

Janus: An Experimental Reconfigurable SmartNIC with P4 Programmability and SDN Isolation

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media