Robert Walther
TU Dresden
Carsten Weinhold
Barkhausen Institut
Peter Amthor
TU Ilmenau
Michael Roitzsch
Barkhausen Institut

Multi-Stakeholder Policy Enforcement for Distributed Systems (WoC’24)

Cloud environments, comprising both virtual and physical servers, are complex distributed systems that require clear and expressive configuration descriptions. Human-readable configuration formats like Kubernetes YAML are state of the art, but they lack the granularity needed for fine-grained control and advanced policy enforcement. To address these limitations, we propose an abstract system description approach that incorporates additional application properties, enabling more sophisticated policy decision-making rather than relying on resource constraints and port-based network restrictions. Our framework introduces two modes of policy enforcement: one allows system designers to automatically verify and manipulate system descriptions before translating them into concrete configurations, while the other enables communication partners to review the descriptions for assessing trustworthiness. We introduce a user-friendly description language paired with an extensible policy enforcement engine, providing stakeholders with the ability to define deployment scenarios intuitively and securely. We demonstrate the suitability of the approach for three different platforms, ranging from an embedded system to state-of-the-art container runtimes, namely Kubernetes and Docker Compose.