
A Study on Security Requirements for Kubernetes in Cloud Computing Based on STRIDE Threat Modeling

  • Lee, Seungwook (Department of Convergence Security, Chung-Ang University)
  • Lee, Jaewoo (Department of Industrial Security, Chung-Ang University)
  • Received: 2022.04.26
  • Reviewed: 2022.05.27
  • Published: 2022.07.31

Abstract

With the development of cloud computing technology, container technology, which delivers services on top of a virtualized environment, is developing as well. Container orchestration is a key element of cloud services and has become the core technology for building, deploying and testing large numbers of containers in an automated way. Kubernetes, originally designed by Google and now maintained under the Cloud Native Computing Foundation (a Linux Foundation project), is one of several container orchestration systems and has become the de facto standard. However, although the use of Kubernetes for container orchestration keeps growing, the number of incidents caused by security vulnerabilities is growing too. In this paper we therefore study the vulnerabilities of Kubernetes and, through threat analysis, propose security policies that allow security to be considered from the initial development or design stage. In particular, we classify the security threats using STRIDE threat modeling (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) in order to present a concrete security guide.
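As an illustration of what a STRIDE-classified security guide for Kubernetes looks like in practice, the script below checks a Pod manifest against common Pod hardening settings and tags each finding with the STRIDE category it maps to, so that findings can be grouped the way the paper classifies threats. This is an added example written for this page; it is not code from the paper or from the Kubernetes project. The set of checks, the two manifests and the all-zero image digest are constructed for the example, and Repudiation is deliberately not covered because it depends on cluster-level settings (API server audit policy) rather than on the manifest.

```python
"""STRIDE-tagged hardening checks for a Kubernetes Pod manifest (added example).

Categories: S Spoofing, T Tampering, R Repudiation, I Information disclosure,
D Denial of service, E Elevation of privilege. R is not checked here: it is a
cluster setting (audit logging), not a property of the Pod manifest.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # one STRIDE letter
    path: str      # location in the manifest
    message: str


def check_pod(pod: dict) -> list[Finding]:
    """Return STRIDE-tagged findings for a Pod given as a parsed dict."""
    findings: list[Finding] = []
    spec = pod.get("spec", {})

    # Sharing a host namespace exposes node processes, sockets or IPC.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(Finding("I", f"spec.{flag}", f"{flag} shares a host namespace"))
    # The auto-mounted token lets a compromised container act as the Pod's identity.
    if spec.get("automountServiceAccountToken", True):
        findings.append(Finding("S", "spec.automountServiceAccountToken",
                                "service account token is auto-mounted (default true)"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(Finding("T", f"spec.volumes[{vol.get('name')}].hostPath",
                                    "hostPath volume can read or modify the node filesystem"))

    for c in spec.get("containers", []):
        base = f"spec.containers[{c.get('name')}]"
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        # A tag can be re-pointed at other content; a digest pins the exact image.
        if "@sha256:" not in image:
            findings.append(Finding("T", f"{base}.image", f"image {image!r} is not pinned by digest"))
        if sc.get("privileged"):
            findings.append(Finding("E", f"{base}.securityContext.privileged",
                                    "privileged container has all capabilities and device access"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(Finding("E", f"{base}.securityContext.allowPrivilegeEscalation",
                                    "setuid/file-capability escalation allowed (default true)"))
        if not sc.get("runAsNonRoot"):
            findings.append(Finding("E", f"{base}.securityContext.runAsNonRoot",
                                    "container may run as UID 0"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(Finding("T", f"{base}.securityContext.readOnlyRootFilesystem",
                                    "writable root filesystem lets an attacker persist tooling"))
        # Without limits one Pod can starve every other workload on the node.
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(Finding("D", f"{base}.resources.limits.{res}",
                                        f"no {res} limit; Pod can exhaust node {res}"))
    return findings


def stride_summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per STRIDE letter, e.g. {'E': 3, 'T': 3, ...}."""
    return dict(Counter(f.category for f in findings))


# Constructed manifests for the example (not taken from any real deployment).
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-weak"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "web", "image": "nginx:latest",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-hardened"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "web",
            "image": "nginx@sha256:" + "0" * 64,  # placeholder digest, constructed
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                "runAsNonRoot": True, "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        found = check_pod(pod)
        print(pod["metadata"]["name"], stride_summary(found))
        for f in found:
            print(f"  [{f.category}] {f.path}: {f.message}")
```

Run as a script it prints ten findings for the weak Pod (three E, three T, two D, one S, one I) and none for the hardened one. To use it on real manifests, load the YAML into a dict first (for example with PyYAML's `yaml.safe_load`) and pass each document to `check_pod`; grouping the output by category is what turns a flat list of misconfigurations into a STRIDE-structured guide for the design stage.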

Keywords

References

  1. Sysdig, Sysdig 2019 Container Usage Report: New Kubernetes and security insights [Internet]. Available: https://sysdig.com/blog/sysdig-2019-container-usage-report/.
  2. M. Aoyama, Kubernetes Perfect Guide, 1st ed. Gilbut, Seoul, Korea, 2021.
  3. Cloudstore Ceart, "Main Cloud Computing Trends in 2020," Ceart Issue Report, vol. 2, p. 12, Jan. 2020.
  4. Kubernetes [Internet]. Available: https://en.wikipedia.org/wiki/Kubernetes.
  5. K. Kim, G. Lee, T. Kim, J. Choi, S. Ha, Y. Jeong, and S. Jin, "Kubernetes Architecture for Cloud Services," Information & Communications Magazine, vol. 35, no. 11, pp. 11-19, Oct. 2018.
  6. Kubernetes, Cloud native security overview [Internet]. Available:https://Kubernetes.io/ko/docs/concepts/security/overview/.
  7. H. Kang, S. Park, H. Yoon, and E. Lee, "A Study on Web Server Security Policy in Docker Kubernetes Environment," in Korea Society of IT Services 2020 Fall Conference, Seoul, Korea, pp. 632-637, 2020.
  8. M. Panagiotis, "Attack Methods and Defenses on Kubernetes," Bachelor's dissertation, University of Piraeus, Piraeus, Greece, 2020.
  9. N. Habbal, "Enhancing Availability of Microservice Architecture: A Case Study on Kubernetes Security Configurations," Bachelor's dissertation, Luleå University of Technology, Luleå, Sweden, 2020.
  10. T. Autio, "Securing a Kubernetes Cluster on Google Cloud Platform," Bachelor's dissertation, Metropolia University of Applied Sciences, Vantaa, Finland, 2021.
  11. T. Fowley, "Security of Virtual Infrastructures : Assessing Kubernetes Attack Automation," M. S. dissertation, Trinity College Dublin, Dublin, Ireland, 2021.
  12. H. Kim, "Cloud Security Guide (Container Security) - Docker, Kubernetes", SK infosec, Technical Report, Korea, Jun. 2019.
  13. Kubernetes, The 4Cs of Cloud Native Security [Internet]. Available: https://Kubernetes.io/ko/docs/concepts/security/overview/.
  14. NSA/CISA, "Kubernetes Hardening Guidance," NSA/CISA, Washington, DC, USA, Technical Report PP-21-1104, Ver. 1.0, Aug. 2021.
  15. The MITRE Corp., CVE-2022-27211 [Internet]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27211.
  16. The MITRE Corp., CVE-2022-27210 [Internet]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27210.
  17. The MITRE Corp., CVE-2022-27209 [Internet]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27209.
  18. The MITRE Corp., CVE-2022-27208 [Internet]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27208.
  19. The MITRE Corp., CVE-2022-26311 [Internet]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26311.
  20. The MITRE Corp., CVE-2022-24768 [Internet]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24768.
  21. The MITRE Corp., CVE-2022-24731, CVE-2022-24730 [Internet]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24731, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24730.
  22. The MITRE Corp., CVE-2022-23652 [Internet]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23652.
  23. The MITRE Corp., CVE-2022-23648 [Internet]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23648.
  24. The MITRE Corp., CVE-2022-21701 [Internet]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21701.
  25. The MITRE Corp., CVE-2022-0811 [Internet]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0811.
  26. The MITRE Corp., CVE-2022-0270 [Internet]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0270.
  27. Wikipedia, Attack Tree [Internet]. Available: https://en.wikipedia.org/wiki/Attack_tree.
  28. LINDDUN, Privacy Threat Modeling (LINDDUN) [Internet]. Available: https://www.linddun.org/.