Component-Based Refinement and Verification of Information-Flow Security Policies for Cyber-Physical Microservice Architectures

Gerking, Christopher; Schubert, David

doi:10.1109/icsa.2019.00015

Cited by 15 publications

(9 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Access control and network security policies for cloud deployment are well studied by providing either access control solutions [6], [7], [8], [9] or by supporting the automated policy generation from given specifications [10], [6], [11]. Recent works also provide mechanisms for formal verification of microservice deployments [12], or continuous assessment methodologies [13]. Yet, the automatic or even computeraided exploration and validation of configuration policies as available in practical deployments (e.g.…”

Section: Related Workmentioning

confidence: 99%

Towards a Security Stress-Test for Cloud Configurations

Minna¹,

Massacci²,

Tuma³

2022

Preprint

View full text Add to dashboard Cite

Securing cloud configurations is an elusive task, which is left up to system administrators who have to base their decisions on "trial and error" experimentations or by observing good practices (e.g., CIS Benchmarks). We propose a knowledge, AND/OR, graphs approach to model cloud deployment security objects and vulnerabilities. In this way, we can capture relationships between configurations, permissions (e.g., CAP SYS ADMIN), and security profiles (e.g., AppArmor and SecComp), as first-class citizens. Such an approach allows us to suggest alternative and safer configurations, support administrators in the study of what-if scenarios, and scale the analysis to large scale deployments. We present an initial validation and illustrate the approach with three real vulnerabilities from known sources.

show abstract

Section: Related Workmentioning

confidence: 99%

Towards a Security Stress-Test for Cloud Configurations

Minna¹,

Massacci²,

Tuma³

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…The findings include cryptographic protocols such as Diffie-Hellman and TLS; protocols for secure communication, such as gRPC and WS-Security; communication and message protocols such as RESTful, RabbitMQ, AMQP, ZeroMQ, Google Protobuf serializer, OPC Unified Architecture (OPC UA), Extendable Machine Connector (XSC), Pasty Protocol; and, Pastry or Scribe, as protocols for the discovery of services. In addition, we found six articles that discuss protocols and API construction patterns for the communication of systems, entities, and processes in a microservices architecture: [27], [31], [32], [33], [34] and [35].…”

Section: Safety Conceptmentioning

confidence: 99%

Confidentiality and Integrity Mechanisms for Microservices Communication

Leines-Vite¹,

Arriaga²,

Limón³

2021

Computer Science and Information Technology Trends

View full text Add to dashboard Cite

The microservices architecture tries to deal with the challenges posed by distributed systems, such as scalability, availability, and system deployment; by means of highly cohesive, heterogeneous, and independent microservices. However, this architecture also brings new security challenges related to communication, system design, development, and operation. The literature contains spread information regarding security related solutions for microservicesbased systems, but this spread makes difficult for practitioners to adopt novel security related solutions. In this study, we aim to present a catalogue of security solutions based on algorithms, protocols, standards, or implementations; supporting principles or characteristics of information security, also considering the three possible states of data, according to the McCumber Cube. Our research follows a Systematic Literature Review, synthesizing the results with a meta-aggregation process. We identified a total of 30 primary studies, yielding 71 security solutions for the communication of microservices.

show abstract

“…Then, it is possible to send requests to a concrete data vault by using their identifier when sending the request. There are several message broker applications available, such as Apache ActiveMQ 3 (the one currently in use by Vaultage), Kafka 4 , or Mosquitto [8].…”

Section: Network Architecturementioning

confidence: 99%

“…Related to communication aspects, there are several model-driven approaches that aim to ease the definition of network configurations. These approaches focus mostly on information flow and access control [1,4,13], which are general concerns of any kind of network infrastructure. However, less efforts have been put into the automatic generation of secure network communication capabilities provided by Vaultage.…”

Section: Related Workmentioning

confidence: 99%

Towards model-based development of decentralised peer-to-peer data vaults

Yohannis

Vega

Kahrobaei

et al. 2020

Proceedings of the 23rd ACM/IEEE International Conference on Model Driven Engineering Languages and Systems: Companion Proceedi

View full text Add to dashboard Cite

Using centralised data storage systems has been the standard practice followed by online service providers when managing the personal data of their users. This method requires users to trust these providers and, to some extent, users are not in full control over their data. The development of applications around decentralised data vaults, i.e., encrypted storage systems located in user-managed devices, can give this control back to the users as sole owners of the data. However, the development of such applications is not effortfree, and it requires developers to have specialised knowledge, such as how to deploy secure and peer-to-peer communication systems. We present Vaultage, a model-based framework that can simplify the development of data vault applications. We demonstrate its core features through a social network application case study and include some initial evaluation results, showing Vaultage's code generation capabilities and some profiling analysis of the generated network components. CCS CONCEPTS• Software and its engineering → Development frameworks and environments; Automatic programming; • Security and privacy → Software security engineering.

show abstract

Component-Based Refinement and Verification of Information-Flow Security Policies for Cyber-Physical Microservice Architectures

Cited by 15 publications

References 33 publications

Towards a Security Stress-Test for Cloud Configurations

Towards a Security Stress-Test for Cloud Configurations

Confidentiality and Integrity Mechanisms for Microservices Communication

Towards model-based development of decentralised peer-to-peer data vaults

Contact Info

Product

Resources

About