DOI: 10.1145/3702637.3702958
research-article

Multi-Stakeholder Policy Enforcement for Distributed Systems

Published: 02 December 2024

Abstract

Cloud environments, comprising both virtual and physical servers, are complex distributed systems that require clear and expressive configuration descriptions. Human-readable configuration formats like Kubernetes YAML are state of the art, but they lack the granularity needed for fine-grained control and advanced policy enforcement. To address these limitations, we propose an abstract system description approach that incorporates additional application properties, enabling more sophisticated policy decision-making rather than relying on resource constraints and port-based network restrictions. Our framework introduces two modes of policy enforcement: one allows system designers to automatically verify and manipulate system descriptions before translating them into concrete configurations, while the other enables communication partners to review the descriptions for assessing trustworthiness. We introduce a user-friendly description language paired with an extensible policy enforcement engine, providing stakeholders with the ability to define deployment scenarios intuitively and securely. We demonstrate the suitability of the approach for three different platforms, ranging from an embedded system to state-of-the-art container runtimes, namely Kubernetes and Docker Compose.

Published In

WoC '24: Proceedings of the 10th International Workshop on Container Technologies and Container Clouds
December 2024
16 pages
ISBN: 9798400713392
DOI: 10.1145/3702637
This work is licensed under a Creative Commons Attribution International 4.0 License.

Sponsors

In-Cooperation

  • IFIP

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. application deployment
  2. policy enforcement
  3. scenario language

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

MIDDLEWARE '24: 25th International Middleware Conference
December 2 - 6, 2024
Hong Kong, Hong Kong
