Hardware-Enforced Integrity and Provenance for Distributed Code Deployments
Marcela S. Melara, Mic Bowman

TL;DR
This paper introduces CDI, a security framework that ensures distributed microservice deployments meet diverse security and regulatory requirements by establishing trust through high-integrity provenance information, even amid code transformations.
Contribution
It proposes a novel trust model based on trusted tools to verify code integrity and provenance in distributed deployments, addressing gaps in current security enforcement methods.
Findings
Enables automatic enforcement of security policies during deployment
Preserves code security properties through transformations
Builds trust via high-integrity provenance information
Abstract
Deployed microservices must adhere to a multitude of application-level security requirements and regulatory constraints imposed by mutually distrusting application principals--software developers, cloud providers, and even data owners. Although these principals wish to enforce their individual security requirements, they do not currently have a common way of easily identifying, expressing and automatically enforcing these requirements at deployment time. CDI (Code Deployment Integrity) is a security policy framework that enables distributed application principals to establish trust in deployed code through high-integrity provenance information. We observe that principals expect the software supply chain to preserve certain code security properties throughout the creation of an executable bundle, even if the code is transformed or inspected through various tools (e.g., compilation…
Taxonomy
Topics: Cloud Data Security Solutions · Security and Verification in Computing · Scientific Computing and Data Management
