Full-stack vulnerability analysis of the cloud-native platform

Qingyang Zeng, Mohammad Kavousi, Yinhong Luo, Ling Jin, Yan Chen*

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

8 Scopus citations

Abstract

Cloud-native systems have recently emerged as one of the most popular platforms for application development, providing lightweight virtualization, simplified DevOps procedures, scaling, resource efficiency, monitoring, and more. A typical cloud-native system may include containers, container orchestrators, and service meshes. However, a number of attacks exploit vulnerabilities in these different components, allowing an attacker to gain control over the cloud-native system. In this paper, we collect, classify, exploit, and mitigate vulnerabilities across these components. First, we choose Docker, Kubernetes, and Istio as the most popular cloud-native technologies and give an overview of each. Second, we give an in-depth analysis of the vulnerabilities: we collect cloud-native vulnerabilities from the past five years and propose two classifications of them, one based on the architecture of the affected component and the other based on the attack it enables. We exploit selected vulnerabilities, which leads us to several insightful findings, and we provide mitigation solutions. Third, we analyze 15 open-source security tools provided for the cloud-native environment. We argue that none of these tools covers all of the features we discuss in this paper. We believe that our analysis of cloud-native security vulnerabilities and open-source security tools can benefit the security of the cloud-native ecosystem.

Original language: English (US)
Article number: 103173
Journal: Computers and Security
Volume: 129
DOIs:
State: Published - Jun 2023

Keywords

  • Cloud-native security
  • CNI
  • Container security
  • Docker
  • Istio
  • Kubernetes
  • Vulnerability

ASJC Scopus subject areas

  • General Computer Science
  • Law
