TY - JOUR
T1 - Full-stack vulnerability analysis of the cloud-native platform
AU - Zeng, Qingyang
AU - Kavousi, Mohammad
AU - Luo, Yinhong
AU - Jin, Ling
AU - Chen, Yan
N1 - Publisher Copyright:
© 2023
PY - 2023/6
Y1 - 2023/6
N2 - Cloud-native systems have recently emerged as one of the most popular platforms for application development, providing lightweight virtualization, simplified DevOps procedures, scaling, resource efficiency, monitoring, and more. A typical cloud-native system may include containers, container orchestrators, and service meshes. However, a number of attacks exploit vulnerabilities in these different components, allowing an attacker to gain control over the cloud-native system. In this paper, we collect, classify, exploit, and mitigate vulnerabilities in the different components. First, we choose Docker, Kubernetes, and Istio as the most popular cloud-native technologies and give an overview of each. Second, we give an in-depth analysis of their vulnerabilities. We collect cloud-native vulnerabilities reported over the past five years and propose two classifications of them: one based on the architecture of the affected component, and the other based on the attack it enables. We exploit selected vulnerabilities, which leads us to some insightful findings, and provide mitigation solutions. Third, we analyze 15 open-source security tools for the cloud-native environment. We argue that none of these security tools covers all the features that we discuss in this paper. We believe that our analysis of cloud-native security vulnerabilities and open-source security tools can benefit the security of the cloud-native ecosystem.
AB - Cloud-native systems have recently emerged as one of the most popular platforms for application development, providing lightweight virtualization, simplified DevOps procedures, scaling, resource efficiency, monitoring, and more. A typical cloud-native system may include containers, container orchestrators, and service meshes. However, a number of attacks exploit vulnerabilities in these different components, allowing an attacker to gain control over the cloud-native system. In this paper, we collect, classify, exploit, and mitigate vulnerabilities in the different components. First, we choose Docker, Kubernetes, and Istio as the most popular cloud-native technologies and give an overview of each. Second, we give an in-depth analysis of their vulnerabilities. We collect cloud-native vulnerabilities reported over the past five years and propose two classifications of them: one based on the architecture of the affected component, and the other based on the attack it enables. We exploit selected vulnerabilities, which leads us to some insightful findings, and provide mitigation solutions. Third, we analyze 15 open-source security tools for the cloud-native environment. We argue that none of these security tools covers all the features that we discuss in this paper. We believe that our analysis of cloud-native security vulnerabilities and open-source security tools can benefit the security of the cloud-native ecosystem.
KW - Cloud-native security
KW - CNI
KW - Container security
KW - Docker
KW - Istio
KW - Kubernetes
KW - Vulnerability
UR - http://www.scopus.com/inward/record.url?scp=85150434506&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85150434506&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2023.103173
DO - 10.1016/j.cose.2023.103173
M3 - Article
AN - SCOPUS:85150434506
SN - 0167-4048
VL - 129
JO - Computers and Security
JF - Computers and Security
M1 - 103173
ER -