Unikernel-based approach for software-defined security in cloud infrastructures

Abstract: The heterogeneity of cloud resources implies substantial overhead to deploy and configure adequate security mechanisms. In that context, we propose a software-defined security strategy based on unikernels to support the protection of cloud infrastructures. This approach permits to address management issues by uncoupling security policy from their enforcement through programmable security interfaces. It also takes benefits from unikernel virtualization properties to support this enforcement and provide resource… Show more

“…We showed in our previous work [3] an architecture for programmable security mechanisms in cloud infrastructures. It relies on the generation of specific resources based on unikernels, that integrate security mechanisms [4]. However, it should take advantage of orchestration languages, such as TOSCA, to drive the building and configuration of protected virtualized resources.…”

“…Applications are capable to run as independent virtual machines [15], contributing to a simplified management as discussed in [16]. We argue in favor of exploiting unikernels to minimize the attack surface and showed how such unikernel-based virtual machines can be generated in an on-the-fly manner in [4].…”

“…A minimal set of routines is required to be composed in order to generate such an instance. In phase with our approach developed in [4], we take benefits from the simplified system architecture of unikernels to compose and build resources. This description of unikernel resources enables the orchestrator to take charge of the building and parameterization of these resources.…”

“…• Generator of Unikernel Images. This component is in charge of building unikernel images based on the description of unikernel components [4]. This description includes the components required to build the service, but also the ones required to protect it (e.g.…”

“…The foundation of this layer relies on the SDSec logic to express and propagate security policies to the considered cloud resources, and on the autonomic paradigm to dynamically configure and adjust these mechanisms to distributed cloud constraints. We have also evaluated the benefits of using unikernel virtualization techniques to build and maintain specific cloud resources embedding security mechanisms in [4]. These lightweight virtual machines are built using a minimal set of libraries, enabling to reduce the attack surface.…”

A TOSCA-Oriented Software-Defined Security Approach for Unikernel-Based Protected Clouds

“…We showed in our previous work [3] an architecture for programmable security mechanisms in cloud infrastructures. It relies on the generation of specific resources based on unikernels, that integrate security mechanisms [4]. However, it should take advantage of orchestration languages, such as TOSCA, to drive the building and configuration of protected virtualized resources.…”

“…Applications are capable to run as independent virtual machines [15], contributing to a simplified management as discussed in [16]. We argue in favor of exploiting unikernels to minimize the attack surface and showed how such unikernel-based virtual machines can be generated in an on-the-fly manner in [4].…”

“…A minimal set of routines is required to be composed in order to generate such an instance. In phase with our approach developed in [4], we take benefits from the simplified system architecture of unikernels to compose and build resources. This description of unikernel resources enables the orchestrator to take charge of the building and parameterization of these resources.…”

“…• Generator of Unikernel Images. This component is in charge of building unikernel images based on the description of unikernel components [4]. This description includes the components required to build the service, but also the ones required to protect it (e.g.…”

“…The foundation of this layer relies on the SDSec logic to express and propagate security policies to the considered cloud resources, and on the autonomic paradigm to dynamically configure and adjust these mechanisms to distributed cloud constraints. We have also evaluated the benefits of using unikernel virtualization techniques to build and maintain specific cloud resources embedding security mechanisms in [4]. These lightweight virtual machines are built using a minimal set of libraries, enabling to reduce the attack surface.…”

A TOSCA-Oriented Software-Defined Security Approach for Unikernel-Based Protected Clouds

Software-Defined Multi-domain Tactical Networks: Foundations and Future Directions

Practical Autonomous Cyberhealth for resilient Micro, Small and Medium-sized Enterprises