Valve: Securing Function Workflows on Serverless Computing Platforms
| Autor: | Prabuddha Kumar, Tristan Morris, Pubali Datta, Amir Rahmati, Michael Grace, Adam Bates |
|---|---|
| Rok vydání: | 2020 |
| Předmět: |
021110 strategic
defence & security studies business.industry Computer science Distributed computing media_common.quotation_subject 0211 other engineering and technologies 020207 software engineering Cloud computing 02 engineering and technology Reuse Task (computing) Workflow Software deployment Container (abstract data type) 0202 electrical engineering electronic engineering information engineering Overhead (computing) business Function (engineering) media_common |
| Zdroj: | WWW |
| DOI: | 10.1145/3366423.3380173 |
| Popis: | Serverless Computing has quickly emerged as a dominant cloud computing paradigm, allowing developers to rapidly prototype event-driven applications using a composition of small functions that each perform a single logical task. However, many such application workflows are based in part on publicly-available functions developed by third-parties, creating the potential for functions to behave in unexpected, or even malicious, ways. At present, developers are not in total control of where and how their data is flowing, creating significant security and privacy risks in growth markets that have embraced serverless (e.g., IoT). As a practical means of addressing this problem, we present Valve, a serverless platform that enables developers to exert complete fine-grained control of information flows in their applications. Valve enables workflow developers to reason about function behaviors, and specify restrictions, through auditing of network-layer information flows. By proxying network requests and propagating taint labels across network flows, Valve is able to restrict function behavior without code modification. We demonstrate that Valve is able defend against known serverless attack behaviors including container reuse-based persistence and data exfiltration over cloud platform APIs with less than 2.8% runtime overhead, 6.25% deployment overhead and 2.35% teardown overhead. |
| Databáze: | OpenAIRE |
| Externí odkaz: |
|