BPFast: An eBPF/XDP-Based High-Performance Packet Payload Inspection System for Cloud Environments
You, Myoung-sung (KAIST); Kim, Jin-woo (Kwangwoon University); Shin, Seung-won (KAIST); Park, Tae-june (Chonnam National University)
1 | Michael Kerrisk, "ip-netns - process network namespace management," https://man7.org/linux/man-pages/man8/ip-netns.8.html, Feb. 2022. |
2 | H. Kang, M. Le, and S. Tao, "Container and microservice driven design for cloud infrastructure devops," In Proceedings of 2016 IEEE International Conference on Cloud Engineering (IC2E), pp. 202-211, Apr. 2016. |
3 | Docker, "Docker: Empowering App Development for Developers." https://www.docker.com/, Mar. 2021. |
4 | OpenVz, "Open source container-based virtualization for Linux," https://openvz.org/, Feb. 2022. |
5 | Docker, "Use bridge networks | Docker Documentation," https://docs.docker.com/network/bridge/, Feb. 2022. |
6 | P. Bosshart, G. Gibb, H. Kim, G. Varghese, N. McKeown, M. Izzard, and M. Horowitz, "Forwarding metamorphosis: Fast programmable match-action processing in hardware for SDN," ACM SIGCOMM Computer Communication Review, vol. 43, no. 4, pp. 99-110, Aug. 2013. |
7 | DockerHub, "Httpd - Official Image | Docker Hub," https://hub.docker.com/_/httpd, Feb. 2022. |
8 | S. Sultan, I. Ahmad, and T. Dimitriou, "Container Security: Issues, Challenges, and the Road Ahead," IEEE Access, vol. 7, pp. 52976-52996, Apr. 2019. |
9 | Kubernetes, "Configure a Security Context for a Pod or Container," https://kubernetes.io/docs/tasks/configure-pod-container/security-context/, Feb. 2022. |
10 | A. Martin, S. Raponi, T. Combe, and R. Di Pietro, "Docker Ecosystem-Vulnerability Analysis," Computer Communications, vol. 122, pp. 30-43, Jun. 2018. |
11 | R. T. El-Maghraby, N. M. Abd Elazim and A. M. Bahaa-Eldin, "A survey on deep packet inspection," In Proceedings of 2017 12th International Conference on Computer Engineering and Systems (ICCES), pp. 188-197, Feb. 2017. |
12 | Z. Jian and L. Chen, "A defense method against docker escape attack," In Proceedings of the 2017 International Conference on Cryptography, Security and Privacy (ICCSP), pp. 142-146, Mar. 2017. |
13 | Kubernetes, "Production-Grade Container Orchestration," https://kubernetes.io/, Feb. 2022. |
14 | Kubernetes, "Kubernetes API Concepts," https://kubernetes.io/docs/reference/using-api/api-concepts/, Feb. 2022. |
15 | DockerHub, "Ubuntu - Official Image | Docker Hub," https://hub.docker.com/_/ubuntu, Feb. 2022. |
16 | Will Glozer, "WRK - a HTTP benchmarking tool," https://github.com/wg/wrk, Feb. 2022. |
17 | Istio, "Mutual TLS Migration," https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/, Feb. 2022. |
18 | Docker, "Seccomp security profiles for Docker container," https://docs.docker.com/engine/security/seccomp/, Feb. 2022. |
19 | Tigera, "Protect Calico - Tigera." https://www.tigera.io/project-calico/, Feb. 2022. |
20 | Linkerd, "The world's lightest, fastest service mesh," https://linkerd.io/, Feb. 2022. |
21 | Cilium, "How Cilium enhances Istio with socket-aware BPF programs," https://cilium.io/blog/2018/08/07/istio-10-cilium, Feb. 2022. |
22 | A. Randal, "The ideal versus the real: Revisiting the history of virtual machines and containers," ACM Computing Surveys (CSUR), vol. 53, no. 2, pp. 1-31, Feb. 2020. |
23 | G. Perrone and S. P. Romano, "The docker security playground: A hands-on approach to the study of network security," In Proceedings of Principles, Systems and Applications of IP Telecommunications (IPTComm), pp. 1-8, Sep. 2021. |
24 | Istio, "The Istio Service Mesh," https://istio.io/, Feb. 2022. |
25 | Cilium, "eBPF cGuide," https://docs.cilium.io/en/latest/bpf/, Feb. 2022. |
26 | L. Lei, J. Sun, K. Sun, C. Shenefiel, R. Ma, Y. Wang, and Q. Li, "Speaker: Split-phase execution of application containers," In Proceedings of International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 230-251, Jun. 2017. |
27 | S. Ghavamnia, T. Palit, A. Benameur, and M. Polychronakis, "Confine: Automated System Call Policy Generation for Container Attack Surface Reduction," In Proceedings of International Symposium on Research in Attacks, Intrusions and Defenses (RAID), pp. 443-458, Oct. 2020. |
28 | G. Budigiri, C. Baumann, J. T. Mühlberg, E. Truyen, and W. Joosen, "Network policies in kubernetes: Performance evaluation and security analysis," In Proceedings of Joint European Conference on Networks and Communications & 6G Summit, pp. 407-412, Jun. 2021. |
29 | X. Li, Y. Chen, Z. Lin, X. Wang, and J. H. Chen, "Automatic Policy Generation for Inter-Service Access Control of Microservices," In Proceedings of 30th USENIX Security Symposium, pp. 3971-3988, Aug. 2021. |
30 | Cilium, "IPsec Transparent Encryption," https://docs.cilium.io/en/v1.10/gettingstarted/encryption-ipsec/, Feb. 2022. |
31 | Cilium, "Envoy with Cilium filter," https://github.com/cilium/proxy, Feb. 2022. |
32 | J. Nam, S. Lee, H. Seo, P. Porras, V. Yegneswaran, and S. Shin, "BASTION: A Security Enforcement Network Stack for Container Networks," In Proceedings of the Annual Technical Conference. USENIX Association (ATC), pp. 81-95, Jul. 2020. |
33 | L. Li, T. Tang and W. Chou, "A REST Service Framework for Fine-Grained Resource Management in Container-Based Cloud," In Proceedings of 2015 IEEE 8th International Conference on Cloud Computing, pp. 645-652, Jun. 2015. |
34 | F. Minna, A. Blaise, F. Rebecchi, B. Chandrasekaran, and F. Massacci, "Understanding the security implications of kubernetes networking," IEEE Security & Privacy, vol. 19, pp. 46-56, May 2021. |
35 | Tripwire, "Tripwire State of Container Security Report," https://www.tripwire.com/solutions/devops/tripwire-dimensional-research-state-of-container-security-report-register, Jan. 2019. |
36 | Cilium, "Cilium: security-enhanced CNI," https://cilium.io/, Feb. 2022. |
37 | eBPF, "eBPF - Introduction, Tutorials & Community Resources," https://ebpf.io/, Mar. 2022. |