SysFlow: Toward a Programmable Zero Trust Framework for System Security

IEEE Trans. Inf. Forensics Secur. (2023)

Abstract
Zero Trust, as an emerging trend in cybersecurity paradigms for modern infrastructure (e.g., enterprise, cloud, edge, IoT, and 5G), is moving security defenses away from static, perimeter-based control systems to focus on users and resources with no assumption of implicit trust. However, the current Zero Trust Architecture (ZTA) mainly focuses on network security and lacks in-depth consideration of system-level security policies and abstractions, which leaves the realization of the principle incomplete. To bridge this gap, we propose an innovative programmable system security framework called SysFlow to enable unified, dynamic, and fine-grained Zero Trust security control over system resources. SysFlow introduces a novel system flow abstraction to model system activities across the entire infrastructure, and provides a system-level separation and abstraction of data plane and control plane. The new logically centralized controller accommodates a unified programmable Policy Decision Point (PDP) that acquires a holistic view of system behaviors for controlling system resource accesses by translating programmable security policies into system flow rules. The SysFlow data plane, acting as the Policy Enforcement Point (PEP), enforces the translated system flow rules, which can be updated dynamically and support fine-grained responsive actions. Our extensive evaluations demonstrate the effectiveness and scalability of SysFlow, which addresses the security issues in various scenarios with minor performance overhead.
Keywords
Security, Zero Trust, Containers, Microservice architectures, Control systems, Programming, Monitoring, Zero trust (ZT), Cloud computing security