DOI: 10.1145/3620678.3624786
research-article

HELIOS: Hardware-assisted High-performance Security Extension for Cloud Networking

Published: 31 October 2023

Abstract

With the increasing adoption of containerization in cloud services, container networking has become a critical concern: while it enables the agile deployment of microservices, it also introduces new vulnerabilities that expose container environments to network attacks. Several security solutions have been introduced to address this concern, but they exhibit significant shortcomings, including security vulnerabilities of their own and limited performance. We thus propose Helios, a novel hardware-based network security extension that addresses the security and performance limitations of existing solutions. Leveraging a smartNIC, Helios enhances both the security and the performance of container networking through two key mechanisms: (i) the establishment of physically isolated container communication channels and (ii) network security engines that are fully offloaded to the smartNIC. Our evaluation shows that Helios mitigates various network threats initiated from both the container side and the host side while performing up to 3x faster than the existing solutions in container communication.

Cited By

  • (2024) HardWhale: A Hardware-Isolated Network Security Enforcement System for Cloud Environments. 2024 IEEE 44th International Conference on Distributed Computing Systems (ICDCS), 496-507. DOI: 10.1109/ICDCS60910.2024.00053. Online publication date: 23 Jul 2024.

    Published In

    SoCC '23: Proceedings of the 2023 ACM Symposium on Cloud Computing
    October 2023
    624 pages
    ISBN:9798400703874
    DOI:10.1145/3620678
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Container Network
    2. Security Policy Enforcement
    3. SmartNIC

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Funding Sources

    • ICT Challenge and Advanced Network of HRD support program, Ministry of Science and ICT, Korea
    • Information Technology Research Center support program, Ministry of Science and ICT, Korea

    Conference

    SoCC '23: ACM Symposium on Cloud Computing
    October 30 - November 1, 2023
    Santa Cruz, CA, USA

    Acceptance Rates

    Overall Acceptance Rate 169 of 722 submissions, 23%

    Article Metrics

    • Downloads (Last 12 months)221
    • Downloads (Last 6 weeks)18
    Reflects downloads up to 09 Nov 2024
