Introducing ARVOS: Vulnerability Management Done Right

“We have tons of vulnerability scanning tools, but nobody cares about their output”. With 53 vulnerabilities being published daily, vulnerability management may feel like “crying wolf”. Eventually, you miss that one vulnerability that lets attackers gain access to your cloud application.

Today, Elastisys and Debricked announced the joint project ARVOS. It uses two exciting technologies, AI and eBPF, to turn 53 vulnerabilities into 2 action points.

Vulnerability management today

To keep your Kubernetes cluster and the application on top of it secure, you need effective vulnerability management. Failure may lead to disastrous consequences and crippling fines. False alarms are the #1 challenge with vulnerability management, and they eventually turn it into “security theatre”.

Various approaches exist to reduce false alarms. Each CVE is published with a “score”, also called CVSS, from 0 to 10, which tries to assess the seriousness of the vulnerability. The higher the score, the more its patching should be prioritized. Various vendors augment the CVSS with information such as exploitability. A vulnerability exploitable through the network will get its score bumped. Similarly, a vulnerability for which an exploit is known to exist will have its score bumped.

And while such approaches greatly reduce false alarms, I have yet to hear anyone saying “our vulnerability management is great”.

Some vulnerabilities cannot be exploited, because of a disabled plugin or configuration that makes said vulnerability unexploitable. Other vulnerabilities are isolated inside a container that is highly restricted, e.g., having no network access. In the end, time is wasted on vulnerabilities that don’t deserve any attention.

Wouldn’t it be great to get vulnerabilities based on the code-paths and risks of your software?

Vulnerability Management tomorrow

The ARVOS (AI and Risk Based Vulnerability Management for Trustworthy Open source Adoption) project aims to achieve just that. The high-level architecture is illustrated above. Information sources, such as GitHub source code commits and CVEs, are regularly retrieved and fed into a vulnerability analyzer. This vulnerability analyzer uses AI to match vulnerabilities with the source code commits that patch them. Given the small size of such commits, it is often possible to extract a single function or method name (we call these “symbols”) whose execution is necessary for a vulnerability to be a problem. In other words, if said symbol is never executed, then the vulnerability is unlikely to be exploitable in your software. The output of the vulnerability analyzer is a vulnerability symbols database. Each entry contains the CVE, the name of the vulnerable symbol, and the git commit fixing the vulnerability.

This database is put into context by an eBPF-based symbol usage monitor. eBPF is an exciting new technology available on Linux that allows probes to be set safely, both in kernel space and user space, and small code snippets to be executed when those probes are triggered. For example, a uprobe can be added to count how many times a symbol is executed. Combined with information on the isolation of the container (e.g., NetworkPolicies, mounted volumes, service account), a vulnerability can be prioritized based on risk, in other words, how likely it is to affect your software system given the protections you have in place.

Imagine the Following

A vulnerability with CVSS 7.8 was published affecting nginx. As nginx is the front door of your Kubernetes installation, this is alarming news. Fortunately, ARVOS can detect that HTTP/2 is disabled in your system (symbols related to the fix are not executed), hence dealing with this vulnerability is not a priority. No need to skip lunch break over this.

The next day, a vulnerability with CVSS 2.1 was published affecting Kubernetes. ARVOS detects that the CreateImage symbol is executed, hence this vulnerability affects your system. This vulnerability should be immediately evaluated. Good thing this was brought to our attention.
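
The join described above, between the vulnerability symbols database, the observed symbol execution counts and the container isolation context, can be expressed as follows. This is an added example, not ARVOS code: the CVE ids and commits are placeholders, and the symbol name `http2_handler`, the `batch-job` entry, the monitor line format, the tier names and the ranking rule are assumptions made for illustration.

```python
# Constructed vulnerability-symbols records (CVE, vulnerable symbol, fixing commit).
# The CVE ids and commits are placeholders; "http2_handler" is a hypothetical symbol name.
SYMBOL_DB = [
    {"cve": "CVE-PLACEHOLDER-A", "component": "nginx", "cvss": 7.8,
     "symbol": "http2_handler", "fix_commit": "<commit-a>"},
    {"cve": "CVE-PLACEHOLDER-B", "component": "kubernetes", "cvss": 2.1,
     "symbol": "CreateImage", "fix_commit": "<commit-b>"},
    {"cve": "CVE-PLACEHOLDER-C", "component": "batch-job", "cvss": 9.1,
     "symbol": "parse_archive", "fix_commit": "<commit-c>"},
]
# Constructed monitor output: "component symbol call_count", standing in for uprobe counters.
MONITOR_OUTPUT = """\
nginx http_handler 18234
kubernetes CreateImage 57
garbled line without a count
"""
# Constructed isolation context, e.g. derived from NetworkPolicies.
ISOLATION = {"nginx": {"network": True}, "kubernetes": {"network": True},
             "batch-job": {"network": False}}
# Assumed ranking: executed and exposed first, unobserved components before unexecuted ones.
TIERS = ["evaluate-now", "scheduled", "no-data", "deprioritize"]

def parse_counts(text):
    """Return {(component, symbol): calls}, skipping malformed lines."""
    counts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            key = (parts[0], parts[1])
            counts[key] = counts.get(key, 0) + int(parts[2])
    return counts

def prioritize(db, counts, isolation):
    monitored = {component for component, _ in counts}
    findings = []
    for rec in db:
        calls = counts.get((rec["component"], rec["symbol"]), 0)
        # Unknown isolation is treated as network-reachable (the cautious default).
        exposed = isolation.get(rec["component"], {}).get("network", True)
        if rec["component"] not in monitored:
            tier = "no-data"        # never observed: absence of calls proves nothing
        elif calls == 0:
            tier = "deprioritize"   # symbol not executed during the observation window
        else:
            tier = "evaluate-now" if exposed else "scheduled"
        findings.append({**rec, "calls": calls, "tier": tier})
    return sorted(findings, key=lambda f: (TIERS.index(f["tier"]), -f["cvss"]))

def report():
    ranked = prioritize(SYMBOL_DB, parse_counts(MONITOR_OUTPUT), ISOLATION)
    return [(f["cve"], f["tier"]) for f in ranked]
```

With this constructed input, the CVSS 2.1 finding ranks first because its symbol is executed, while the CVSS 7.8 finding drops to the bottom; the unmonitored component is kept apart from both rather than being silently deprioritized.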

Integrated with Compliant Kubernetes

While good vulnerability management can definitely help improve your security posture, it is not a silver bullet. Therefore, ARVOS will be integrated in Compliant Kubernetes, augmenting the current vulnerability dashboard. It will become one of the many controls included in Compliant Kubernetes — alongside network security, access control and intrusion detection — to offer you a comprehensive picture of your security and compliance posture.

Cristian Klein

Cristian is a cloud native architect at Elastisys and a teacher at Umeå University, Sweden. He received a PhD in 2012 from INRIA, France. He gathered over 9 years of experience in the area of cloud computing, acting variously as a practitioner, a teacher, as well as a researcher. He was overall responsible for a cloud computing course, chief cloud architect and executive in a start-up, but also worked hands-on in customer projects, teaching them how to reap the benefits of cloud native technologies. When coming out of the clouds, Cristian works out by playing with his two daughters.