Moving target defense for microservice diversification in Kubernetes
Date
2023
Type
Master's thesis
Authors
González Pineda, Kenneth Ronaldo
Abstract
The ease of deploying containerized web applications and the ease of management offered by orchestration platforms such as Kubernetes have driven the adoption of microservice-based system design. The containers that implement microservices can be targets of security attacks, and because the programming language is homogeneous across services, such attacks are more likely to succeed. This document presents a moving target defense (MTD) that uses the basic load balancing and high availability features of Kubernetes to instantiate versions of the same microservices implemented in different programming languages, with the aim of mitigating the exploitation of vulnerabilities specific to a given language. An attack model is simulated and an experiment is conducted to explore the scope of the defense in terms of attacks mitigated and impact on service interruption. The results show that the proposed defense reduces the effectiveness of attacks on microservices with a minimum cost per failure (downtime, i.e. service interruption perceived by the user) of around 0.235 % on average.
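The mechanism the abstract describes (one Kubernetes Service balancing requests across replicas of the same microservice built in different languages) can be expressed with ordinary Deployment and Service objects. The manifest below is an added illustration, not the thesis's own configuration: the service name `catalog`, the `impl` label, the image names, the `/healthz` path and the port numbers are all assumptions, and the two images are placeholders.

```yaml
# Added illustration (not the thesis's manifests). Two Deployments run the
# same microservice API, one implemented in Go and one in Python; a single
# Service selects both, so each request lands on a variant chosen by the
# Service's load balancing rather than by the client.
# Names, labels, images, ports and probe path are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: catalog-go                 # assumed name: Go implementation
spec:
  replicas: 2
  selector:
    matchLabels:
      app: catalog
      impl: go
  template:
    metadata:
      labels:
        app: catalog               # shared label: the Service selects on this
        impl: go                   # variant label: not part of the Service selector
    spec:
      containers:
      - name: catalog
        image: registry.invalid/catalog-go:1.0      # placeholder image
        ports:
        - containerPort: 8080
        readinessProbe:            # a crashed or hung variant is removed from the endpoints
          httpGet:
            path: /healthz
            port: 8080
          periodSeconds: 5
          failureThreshold: 2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: catalog-python             # assumed name: Python implementation
spec:
  replicas: 2
  selector:
    matchLabels:
      app: catalog
      impl: python
  template:
    metadata:
      labels:
        app: catalog
        impl: python
    spec:
      containers:
      - name: catalog
        image: registry.invalid/catalog-python:1.0  # placeholder image
        ports:
        - containerPort: 8080
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
          periodSeconds: 5
          failureThreshold: 2
---
apiVersion: v1
kind: Service
metadata:
  name: catalog
spec:
  selector:
    app: catalog                   # matches pods of both implementations
  sessionAffinity: None            # default; ClientIP affinity would pin a client to one variant
  ports:
  - port: 80
    targetPort: 8080
```

After `kubectl apply -f`, `kubectl get endpoints catalog` lists pod IPs from both Deployments, and the Service spreads requests across them. A payload that relies on a defect in one language runtime only affects the requests routed to that variant, which is the mitigation the abstract measures; the readiness probe and the ReplicaSet restarting a failed pod are where the downtime cost it reports (around 0.235 % on average) comes from. Two points a practitioner should check before relying on this pattern: both implementations must expose the same API contract so that clients cannot tell them apart, and `sessionAffinity` must stay `None`, since pinning clients to a single variant removes the per-request diversity.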
Keywords
DIVERSIFICATION, MICROSERVICE, COMPUTING