Moving Target Defense for diversification of microservices on Kubernetes
Abstract
The ease of deployment of containerized web applications and the ease of management offered by orchestrator platforms such as Kubernetes have driven the design of systems based on microservices. Containers implementing microservices can be targets of security attacks, and because of programming language homogenization these attacks are more likely to succeed. This document presents a moving target defense (MTD) that makes use of the basic load balancing and high availability features of Kubernetes to instantiate versions of microservices implemented in different programming languages, with the aim of mitigating the exploitation of vulnerabilities in these specific languages. An attack model is simulated and an experiment is conducted to explore the scope of the defense in terms of attacks mitigated and impact on service interruption. The results show that the proposed defense reduces the effectiveness of attacks on microservices with a minimum cost per failure (downtime, service interruption perceived by user) of around 0.235% on average.
Keywords
Moving Target Defense, Kubernetes, Microservices, Diversification, Moving Target Defense (MTD), Computer software, Programming languages, Vulnerabilities, Attacks mitigated