search menu icon-carat-right cmu-wordmark

Microservice-Aware Reference Monitoring through Hybrid Program Analysis

September 2021 Video

In this talk, we present a microservice-aware reference monitor (MRM) for enforcing stateful security policies over lightweight system call traces produced by the SysFlow pipeline.

Publisher:

Software Engineering Institute

Watch

Abstract

 

In this talk, we present a microservice-aware reference monitor (MRM) for enforcing stateful security policies over lightweight system call traces produced by the SysFlow pipeline. Current state-of-the-art reference monitors (RMs), such as SELinux, AppArmor, and audit, can only enforce stateless policies. This limits a program to issuing specific system calls that act on a subset of system resources. Microservice architectures, in which distributed applications run within individual containers across large computing clusters, require new reference monitoring approaches that can track execution context. Our MRM design runs at the edge of a computing cloud alongside individual containers and enforces reference policies that encode permissible system call sequences. Manually defining security policies is a notoriously difficult task that requires deep domain expertise of targeted programs and policy specification language. While recent innovations such as the Common Intermediate Language (CIL) for SELinux simplify authoring declarative security policies, producing useful policies still remains a time-consuming task. For this reason, we propose a static analysis that automatically synthesizes stateful security policies from Docker images, which an MRM can use to enforce on SysFlow streams. We limit our analysis to Docker images containing binary programs as their entry point. This allows us to utilize the advanced analysis features found within the Binary Analysis Platform (BAP) to micro-execute a container's entry point. It automatically synthesizes security policies that capture the system behavior of a running program. Such reference policies denote security automatons, which can be embedded directly into an MRM. We evaluated our prototype implementation on binary programs from the DARPA Cyber Grand Challenge (CGC) dataset, a corpus of programs that utilize a simplified system call interface and have known security vulnerabilities. This provides the ground truth for evaluating the ability of our framework to automatically synthesize accurate security policies in a simplified computing environment and enforce such policies atop our MRM.