Application Integrity Protection on Kubernetes cluster based on Manifest Signature Verification
https://ipsj.ixsq.nii.ac.jp/records/220196
| Name / File | License | Action |
|---|---|---|
| (full text file) | Copyright (c) 2022 by the Information Processing Society of Japan | Open access |
| Field | Value |
|---|---|
| Item type | Journal(1) |
| Publication date | 2022-09-15 |
| Title | Application Integrity Protection on Kubernetes cluster based on Manifest Signature Verification |
| Language | en |
| Keywords (subject scheme: Other) | [Special Issue: Computer Security Technologies Looking Ahead to the Quantum Era] Manifest integrity, Kubernetes, Signature |
| Resource type | journal article (http://purl.org/coar/resource_type/c_6501) |
| Authors | Ruriko Kudo, Hirokuni Kitahara, Kugamoorthy Gajananan, Yuji Watanabe |
| Author affiliation | IBM Research - Tokyo (all four authors) |
| Abstract (description type: Other) | The integrity of the cloud is the most important requirement for mission-critical enterprise workloads. NIST SP 800-53 states that information systems must prevent the installation of any components that have not been verified digitally. On a Kubernetes cluster, the admission controller can control requests for application installations, and it would be a powerful protection tool if it could control requests for Kubernetes resources on the basis of signature verification. However, there are various technical challenges when it comes to verifying the signature for a Kubernetes resource at the admission controller because a signed resource is rewritten automatically by internal cluster work and many requests that include an internal mutation without a signature are generated. In this work, we propose an approach to protect the integrity of a Kubernetes resource with signature verification at the admission controller. Our approach addresses the issue that the differences between the signed resource in the admission request and the signature message occur automatically in Kubernetes and conducts signature verification properly by using DryRun. We also propose a profile framework to address the internal mutation request that cannot be attached to the signature. Our experimental results demonstrate that standard applications can be protected by our approach. |
| Preprint note | This is a preprint of an article intended for publication in the Journal of Information Processing (JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.30 (2022) (online), DOI http://dx.doi.org/10.2197/ipsjjip.30.626 |
| Bibliographic record ID (NCID) | AN00116647 |
| Bibliographic information | Transactions of Information Processing Society of Japan (IPSJ Journal), Vol. 63, No. 9, published 2022-09-15 |
| ISSN | 1882-7764 |
| Publisher | Information Processing Society of Japan (record language: ja) |