Trusting the Cloud-Native Edge: Remotely Attested Kubernetes Workers

• URL: http://arxiv.org/abs/2405.10131v1
• Date: Thu, 16 May 2024 14:29:28 GMT
• Title: Trusting the Cloud-Native Edge: Remotely Attested Kubernetes Workers
• Authors: Jordi Thijsman, Merlijn Sebrechts, Filip De Turck, Bruno Volckaert,
• Abstract summary: This paper presents an architecture that enrolls edge devices as trusted worker nodes. A new custom controller directs a modified version of Keylime to cross the cloud-edge gap. We provide both a qualitative and a quantitative evaluation of the architecture.
• Score: 3.423623217014682
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: A Kubernetes cluster typically consists of trusted nodes, running within the confines of a physically secure datacenter. With recent advances in edge orchestration, this is no longer the case. This poses a new challenge: how can we trust a device that an attacker has physical access to? This paper presents an architecture and open-source implementation that securely enrolls edge devices as trusted Kubernetes worker nodes. By providing boot attestation rooted in a hardware Trusted Platform Module, a strong base of trust is provided. A new custom controller directs a modified version of Keylime to cross the cloud-edge gap and securely deliver unique cluster credentials required to enroll an edge worker. The controller dynamically grants and revokes these credentials based on attestation events, preventing a possibly compromised node from accessing sensitive cluster resources. We provide both a qualitative and a quantitative evaluation of the architecture. The qualitative scenarios prove its ability to attest and enroll an edge device with role-based access control (RBAC) permissions that dynamically adjust to attestation events. The quantitative evaluation reflects an average of 10.28 seconds delay incurred on the startup time of the edge node due to attestation for a total average enrollment time of 20.91 seconds. The presented architecture thus provides a strong base of trust, securing a physically exposed edge device and paving the way for a robust and resilient edge computing ecosystem.

Related papers

• Authentication and identity management based on zero trust security model in micro-cloud environment [0.0]
  The Zero Trust framework can better track and block external attackers while limiting security breaches resulting from insider attacks in the cloud paradigm. This paper focuses on authentication mechanisms, calculation of trust score, and generation of policies in order to establish required access control to resources.
  arXiv  Detail & Related papers  (2024-10-29T09:06:13Z)
• HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
  Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs) TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks. We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
  arXiv  Detail & Related papers  (2024-01-17T00:56:23Z)
• ZTCloudGuard: Zero Trust Context-Aware Access Management Framework to Avoid Misuse Cases in the Era of Generative AI and Cloud-based Health Information Ecosystem [0.5530212768657544]
  This article proposes a zero-trust-based context-aware framework for managing access to the cloud ecosystem. The framework has two main scoring schemas to maintain the chain of trust. The analysis is based on a pre-trained machine learning model to generate the semantic and syntactic scores.
  arXiv  Detail & Related papers  (2023-11-28T22:12:07Z)
• Blockchain-based Zero Trust on the Edge [5.323279718522213]
  This paper proposes a novel approach based on Zero Trust Architecture (ZTA) extended with blockchain to further enhance security. The blockchain component serves as an immutable database for storing users' requests and is used to verify trustworthiness by analyzing and identifying potentially malicious user activities. We discuss the framework, processes of the approach, and the experiments carried out on a testbed to validate its feasibility and applicability in the smart city context.
  arXiv  Detail & Related papers  (2023-11-28T12:43:21Z)
• SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices [67.65883495888258]
  We present SyzTrust, the first state-aware fuzzing framework for vetting the security of resource-limited Trusted OSes. SyzTrust adopts a hardware-assisted framework to enable fuzzing Trusted OSes directly on IoT devices. We evaluate SyzTrust on Trusted OSes from three major vendors: Samsung, Tsinglink Cloud, and Ali Cloud.
  arXiv  Detail & Related papers  (2023-09-26T08:11:38Z)
• TrustGuard: GNN-based Robust and Explainable Trust Evaluation with Dynamicity Support [59.41529066449414]
  We propose TrustGuard, a GNN-based accurate trust evaluation model that supports trust dynamicity. TrustGuard is designed with a layered architecture that contains a snapshot input layer, a spatial aggregation layer, a temporal aggregation layer, and a prediction layer. Experiments show that TrustGuard outperforms state-of-the-art GNN-based trust evaluation models with respect to trust prediction across single-timeslot and multi-timeslot.
  arXiv  Detail & Related papers  (2023-06-23T07:39:12Z)
• Collective Robustness Certificates: Exploiting Interdependence in Graph Neural Networks [71.78900818931847]
  In tasks like node classification, image segmentation, and named-entity recognition we have a classifier that simultaneously outputs multiple predictions. Existing adversarial robustness certificates consider each prediction independently and are thus overly pessimistic for such tasks. We propose the first collective robustness certificate which computes the number of predictions that are simultaneously guaranteed to remain stable under perturbation.
  arXiv  Detail & Related papers  (2023-02-06T14:46:51Z)
• Randomized Message-Interception Smoothing: Gray-box Certificates for Graph Neural Networks [68.4543263023324]
  We propose novel gray-box certificates for Graph Neural Networks (GNNs) We randomly intercept messages and analyze the probability that messages from adversarially controlled nodes reach their target nodes. Our certificates provide stronger guarantees for attacks at larger distances.
  arXiv  Detail & Related papers  (2023-01-05T12:21:48Z)
• RobustBench: a standardized adversarial robustness benchmark [84.50044645539305]
  Key challenge in benchmarking robustness is that its evaluation is often error-prone leading to robustness overestimation. We evaluate adversarial robustness with AutoAttack, an ensemble of white- and black-box attacks. We analyze the impact of robustness on the performance on distribution shifts, calibration, out-of-distribution detection, fairness, privacy leakage, smoothness, and transferability.
  arXiv  Detail & Related papers  (2020-10-19T17:06:18Z)
• COVID-19 Antibody Test / Vaccination Certification: There's an app for that [1.1744028458220426]
  A COVID-19 'Immunity Passport' has been mooted as a way to enable individuals to return back to work. We develop a prototype mobile phone app and requisite decentralized server architecture that facilitates instant verification of tamper-proof test results.
  arXiv  Detail & Related papers  (2020-04-15T22:42:48Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.