Introduction
What is SEDIMENT? SEDIMENT (SEcure DIstributed IoT ManagemENT) uses a combination of software root of trust, remote attestation, and resource-efficient cryptography, to build a system that scales across heterogeneous computing platforms. The aim is to provide secure remote attestation framework that can be leveraged for lightweight devices.
What is KubeArmor? KubeArmor is a runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operations) of pods, containers, and nodes (VMs) at the system level. KubeArmor leverages Linux security modules (LSMs) such as AppArmor, SELinux, or BPF-LSM to enforce user-specified policies. KubeArmor generates rich alerts/telemetry events with container/pod/namespace identities by leveraging eBPF.
The intention is to use SEDIMENT as a containerized application for which KubeArmor will provide visibility and protection policies.
Architecture Topology
Note: In Phase 1, we will target only the Gateway security and not work on the device side of things.
Systems Requirements
OS Distribution: Ubuntu >= 18.04
Arch: x86_64
CPU: 2 vcpus
Memory: 8 GB
Network: Relying Party TCP port 8000, Verifier TCP port 8100, Application Server TCP port 8001
External Access: ssh access to the node would be required
SEDIMENT System Requirements
- Memory: 8 GB
- CPU: 4 Cores
- Other hardware requirements? <TODO
KubeArmor System Requirements
Deployment Mode
SEDIMENT Deployment Mode
- Containerized app deployed using docker container
KubeArmor Deployment Mode
- Deployed in systemd mode
Security use-cases to target with KubeArmor
- Visibility into SEDIMENT application behavior
- Identify the process forking behavior of the application
- Identify sensitive asset access of SEDIMENT
- Identify network access required by SEDIMENT
- Protection policies for Gateway deploying SEDIMENT Verifier.
- Process Whitelisting: Do not allow processes to execute within SEDIMENT container outside of the given spec.
- Network Access: Only allow SEDIMENT binaries to use the network primitives
- Check SEDIMENT configuration files and create a security net around SEDIMENT’s sensitive assets.
- Use host hardening policies to protect host.
Tasks/Action Items
Task | Description | Status | ETA | Owner |
Document | For arch, sys requirements, deployment model etc | WIP | 20th April 2023 | AccuKnox to create, and Peraton to update as necessary |
SEDIMENT app containerization | WIP | <TODO> | Peraton Labs | |
Provision a common VM that can be used for tests | ssh sbp@ 172.173.219.229 … credentials will be provided to relevant folks | Done | 20th April 2023 | AccuKnox |
Deploy SEDIMENT on a sample Linux VM | TODO | Peraton | ||
Deploy KubeArmor on same VM as SEDIMENT | TODO | AccuKnox | ||
Get KubeArmor visibility for SEDIMENT app | TODO | AccuKnox | ||
Apply protection policies for securing SEDIMENT | TODO | AccuKnox | ||
Identify lab requirements | Based on the VM used above, identify lab requirement | TODO | Peraton + AccuKnox | |
Joint Demo to 5G-SBP | TODO | Peraton + AccuKnox |