CLARION: Sound and Clear Provenance Tracking for Microservice Deployments

Authors:

Xutong Chen, Northwestern University; Hassaan Irshad, SRI International; Yan Chen, Northwestern University; Ashish Gehani and Vinod Yegneswaran, SRI International

Abstract:

Linux container-based microservices have emerged as an attractive alternative to virtualization as they reduce application footprints and facilitate more efficient resource utilization. Their popularity has also led to increased scrutiny of the underlying security properties and attack surface of container technology. Provenance-based analysis techniques have been proposed as an effective means toward comprehensive and high-assurance security control as they provide fine-grained mechanisms to track data flows across the system and detect unwanted or unexpected changes to data objects. However, existing provenance tracking techniques are limited in their ability to build sound and clear provenance in container network environments due to complexities introduced by namespace virtualization.

We describe a namespace- and container-aware provenance tracking solution, called CLARION, that addresses the unique soundness and clarity challenges introduced by traditional provenance tracking solutions. Specifically, we first describe the fragmentation and ambiguities that each of the Linux namespaces introduces into provenance analysis tools and propose solutions to restore analysis soundness. Then we discuss the design of specialized semantics-summarization techniques that improve the clarity of provenance analysis. We have developed a prototype implementation of CLARION and evaluated its performance against a spectrum of container-specific attacks. The results demonstrate the utility of our system and show how it outperforms state-of-the-art provenance tracking systems by providing an accurate and concise view of data provenance in container environments.

BibTeX
@inproceedings {272190,
author = {Xutong Chen and Hassaan Irshad and Yan Chen and Ashish Gehani and Vinod Yegneswaran},
title = {{CLARION}: Sound and Clear Provenance Tracking for Microservice Deployments},
booktitle = {30th USENIX Security Symposium (USENIX Security 21)},
year = {2021},
isbn = {978-1-939133-24-3},
pages = {3989--4006},
url = {https://www.usenix.org/conference/usenixsecurity21/presentation/chen-xutong},
publisher = {USENIX Association},
month = aug
}