Introduction
What is SEDIMENT? SEDIMENT (SEcure DIstributed IoT ManagemENT) combines a software root of trust, remote attestation, and resource-efficient cryptography to build a system that scales across heterogeneous computing platforms. The aim is to provide a secure remote attestation framework that can be leveraged for lightweight devices.
What is KubeArmor? KubeArmor is a runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operations) of pods, containers, and nodes (VMs) at the system level. KubeArmor leverages Linux security modules (LSMs) such as AppArmor, SELinux, or BPF-LSM to enforce user-specified policies. KubeArmor generates rich alerts/telemetry events with container/pod/namespace identities by leveraging eBPF.
Our objective is to demonstrate the 5G SBP Use Case - Remote Attestation Use Case 1 - IoT Device Security and Authentication, where the SEDIMENT RA Verifier and an example Relying Party application are containerized and deployed with KubeArmor providing visibility and protection policies. Initially, the result of attestation is used to control access to the example application. In the future this may be a third-party application, or the result may be used to control network access through integration with the 5G ONAP AMF. The onboarding of the device to be attested is outside the purview of this use case; a separate use case will address that concern.
Architecture Topology
** XXX: integrate both diagrams into a single view **
Note: In Phase 1, we will target only the Gateway security and not work on the device side of things.
Systems Requirements
** XXX: state this for verifier, app server, and device separately **
OS Distribution: Ubuntu >= 18.04
Arch: x86_64
CPU: 4 vcpus
Memory: 8 GB
Network: The following TCP ports need to be open for the corresponding containers: Relying Party: 8000 and 8101; Verifier: 8100; Application Server: 8001. Browser-based GUIs for the Application Server and Verifier are hosted elsewhere on the container host or on other PC(s).
** XXX: use open-source tools such as drawio and include sources if possible **
External Access: SSH access to the node is required
SEDIMENT System Requirements
- Ubuntu 20.04 Docker containers for the relying party, verifier and app server
- Memory: 8 GB
- CPU: 4 cores
KubeArmor System Requirements
Deployment Mode
SEDIMENT Deployment Mode
** XXX: discuss each of the three parties **
- Containerized app deployed as a Docker container
KubeArmor Deployment Mode
- Deployed in systemd mode
Security use-cases to target with KubeArmor
- Visibility into SEDIMENT application behavior
  - Identify the process forking behavior of the application
  - Identify sensitive asset access of SEDIMENT
  - Identify network access required by SEDIMENT
- Protection policies for the Gateway deploying the SEDIMENT Verifier
  - Process Whitelisting: Do not allow processes to execute within the SEDIMENT container outside of the given spec.
  - Network Access: Only allow SEDIMENT binaries to use the network primitives
  - Check SEDIMENT configuration files and create a security net around SEDIMENT's sensitive assets.
  - Use host hardening policies to protect the host.
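An added example of how the process whitelisting, network access and configuration-file protections listed above, plus a host hardening rule, could be expressed as KubeArmor policies for the containerized verifier; this is not SEDIMENT or KubeArmor project code. The container name, binary path, configuration directory and gateway hostname are placeholders, and the Allow rules act as a whitelist only when the container's default posture in KubeArmor is set to block.

```yaml
# Added example policies (not SEDIMENT or KubeArmor project code).
# Placeholders: container "sediment-verifier", binary /opt/sediment/bin/verifier,
# config dir /opt/sediment/config/, gateway hostname "sediment-gateway".
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: sediment-verifier-whitelist
spec:
  selector:
    matchLabels:
      kubearmor.io/container.name: sediment-verifier  # label KubeArmor sets for Docker containers
  process:
    # Process whitelisting: only the verifier binary may execute in the container
    matchPaths:
    - path: /opt/sediment/bin/verifier
  file:
    # Sensitive assets: config readable only by the verifier, and read-only for it
    matchDirectories:
    - dir: /opt/sediment/config/
      recursive: true
      readOnly: true
      fromSource:
      - path: /opt/sediment/bin/verifier
  network:
    # Network access: only the verifier binary may use TCP sockets
    matchProtocols:
    - protocol: tcp
      fromSource:
      - path: /opt/sediment/bin/verifier
  action:
    Allow
---
# Host hardening: container runtime config on the gateway becomes read-only
# (writes are blocked and logged as alerts; reads are unaffected).
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: gateway-protect-docker-config
spec:
  nodeSelector:
    matchLabels:
      kubearmor.io/hostname: sediment-gateway
  file:
    matchDirectories:
    - dir: /etc/docker/
      recursive: true
      readOnly: true
  action:
    Block
```

In systemd (unorchestrated) mode the karmor CLI applies such a file with `karmor vm policy add`, and the resulting enforcement alerts can be watched with `karmor logs` to confirm the whitelist matches the behavior observed in the visibility phase.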
Tasks/Action Items
Task | Description | Status | ETA | Owner
Document | For arch, sys requirements, deployment model etc | WIP | 20th April 2023 | AccuKnox to create, and Peraton to update as necessary
SEDIMENT app containerization | | WIP | 28th April 2023 | Peraton Labs
Provision a common VM that can be used for tests | ssh sbp@172.173.219.229 … credentials will be provided to relevant folks | Done | 20th April 2023 | AccuKnox
Deploy SEDIMENT on a sample Linux VM | | TODO | | Peraton
Identify prover device and camera | | TODO | | Peraton
Deploy KubeArmor on same VM as SEDIMENT | | TODO | | AccuKnox
Get KubeArmor visibility for SEDIMENT app | | TODO | | AccuKnox
Apply protection policies for securing SEDIMENT | | TODO | | AccuKnox
Identify lab requirements | Based on the VM used above, identify lab requirements | TODO | | Peraton + AccuKnox
Joint Demo to 5G-SBP | | TODO | | Peraton + AccuKnox