=Paper=
{{Paper
|id=Vol-2878/paper2
|storemode=property
|title=PIACERE: Programming Trustworthy Infrastructure As Code in a Secure Framework
|pdfUrl=https://ceur-ws.org/Vol-2878/paper2.pdf
|volume=Vol-2878
|authors=Juncal Alonso,Christophe Joubert,Leire Orue-Echevarria,Matteo Pradella,Daniel Vladusic
}}
==PIACERE: Programming Trustworthy Infrastructure As Code in a Secure Framework==
https://ceur-ws.org/Vol-2878/paper2.pdf
PIACERE: Programming trustworthy Infrastructure
As Code in a Secure Framework
Juncal Alonso1 , Christophe Joubert2 , Leire Orue-Echevarria3 , Matteo Pradella4 and
Daniel Vladušič5
1
TECNALIA, Basque Research and Technology Alliance (BRTA), Parque Científico y Tecnológico de Bizkaia, Astondo
bidea,700, E-48160 Derio, Spain
2
PRODEVELOP S.L., Paseo Ciutadella, 13 - entresuelos 2,3 y 4, 46003 Valencia, Spain
3
TECNALIA, Basque Research and Technology Alliance (BRTA), Parque Científico y Tecnológico de Bizkaia, Astondo
bidea,700, E-48160 Derio, Spain
4
Dipartimento di Elettronica, Informazione e Bioingegneria (DEIB), Politecnico di Milano, Piazza Leonardo Da Vinci 32,
20133 Milano, Italy
5
XLAB d.o.o., Pot za Brdom 100, 1000 Ljubljana, Slovenia
Abstract
Infrastructure-as-Code (IaC), enables the automation of several deployment, configuration and manage-
ment tasks. IaC has a lot of potential in cloud computing as it results in a significant saving of time when
an application needs to be redeployed on a different set of resources, even running on different infrastruc-
tures. Unfortunately, IaC still suffers from some important issues, such as the large variety of competing
tools or the strong orientation toward the cloud, leaving aside e.g. the edge. Also, trustworthiness and
security aspects of are often left for the end of the cycle, where errors and vulnerabilities are often too
late or too expensive to correct. We present here the PIACERE project, which provides tools, methods
and techniques for the Infrastructure-as-Code approach. The project will make the creation of IaC more
accessible to designers, developers and operators, increasing the quality, security, trustworthiness and
evolvability of infrastructural code while ensuring its business continuity by providing self-healing
mechanisms anticipation of failures and violations.
Keywords
Secure software engineering, DevOps, Infrastructure as Code, DevOps Modelling Language, self-learning
and self-healing mechanisms, optimization algorithms, security analysis
1. Introduction
The virtualization revolution that has taken place in the last years along with the advent of the
cloud computing continuum (combination of cloud and edge), has allowed for an increase in
the use of software to build, control and configure entire virtual data centers and the entire
infrastructure layer. The use of such tools and APIs has only stressed the importance of software
in the infrastructure arena. Moreover, the significance of software has recently grown to the
First workshop on trustworthy software and open source, March 23-25, 2021, Virtual Conference
Envelope-Open juncal.alonso@tecnalia.com (J. Alonso); cjoubert@prodevelop.es (C. Joubert);
leire.orue-echevarria@tecnalia.com (L. Orue-Echevarria); matteo.pradella@polimi.it (M. Pradella);
daniel.vladusic@xlab.si (D. Vladušič)
Orcid 0000-0002-9244-2652 (J. Alonso); 0000-0002-0648-4689 (L. Orue-Echevarria); 0000-0003-3039-1084 (M. Pradella)
© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR
Workshop
Proceedings
http://ceur-ws.org
ISSN 1613-0073
CEUR Workshop Proceedings (CEUR-WS.org)
�point of merging the role of software developers with that of infrastructure operators, whose
main focus is the automation of infrastructure-related activities through the use of software,
giving birth to the Infrastructure as Code trend, the engine of the DevSecOps [1, 2, 2] movement,
which is an organizational change that consists of using software engineering tactics that reduce
the technical and organizational distance between development and operation, leading to the
creation of a single, well-coordinated team of people.
Infrastructure-as-Code (IaC) [3], enables the automation of several deployment, configuration
and management tasks that otherwise would have to be performed manually. IaC has a lot
of potential in a cloud computing context as it results in a significant saving of time when an
application needs to be redeployed on a different set of resources or needs to be extended with
new components, even possibly running on different cloud infrastructures. In these cases, the
infrastructural code can be reused, adapted, if needed, and then run for recreating very quickly
the new or extended software instance. As such, IaC has represented a very important progress
that has dramatically changed the work organization of many IT-intensive organizations (e.g.
Netflix1 ).
Unfortunately, IaC still suffers from these five main issues:
1. a large variety of competing tools requiring the adoption of different programming
languages for writing infrastructural code,
2. the fact that all these tools and languages are focusing on a single or a small set of
automation steps and of types of resources (e.g. VMs),
3. they mostly focus on cloud computing leaving aside other computational resources such
as the edge;
4. they focus on certain phases of the lifecycle of the IaC such as provisioning, configuration
or deployment but there is not really an end-to-end solution covering the Devs and the
Ops;
5. trustworthiness and security aspects of the IaC are often left for the end of the cycle,
for once the code is already in operation, when it is already too late, the errors and
vulnerabilities are expensive to correct and can affect the business continuity of the
application.
As an example of the problems just mentioned, software configuration can be performed by
writing Chef recipes or Puppet code, just to name two well-known languages, while deployment
orchestration can be defined by relying on TOSCA [4], Terraform [5], Brooklyn [6] or many
other less known approaches. Moreover, Software-Defined Networking (SDN) exploits specific
protocols, such as OpenFlow or NETCONF, each with its own data modeling language, storage
mechanisms, and based on a large number of proprietary protocols and configuration languages.
The same occurs if the monitoring stack, the load balancer or the auto-scaling mechanism are
to be configured using proprietary languages and associated tools. Such a diversity implies
that adopting the IaC approach today requires a variety of specialized skills and DevSecOps
environments that, in many cases, companies do not have, and struggle to find.
The main objective of the PIACERE project is thus to provide means (tools, methods and
techniques) to enable most organizations to fully embrace the Infrastructure-as-Code approach,
1
https://medium.com/netflix-techblog/how-we-build-code-at-netflix-c5d9bd727f15
� • Enable the definition of semantic machine-readable
abstractions of infrastructural artifacts from some of the
major existing IaC languages
• Support for Infrastructural requirements specification,
including NFRs
• Automatic infrastructural code • Modelling libraries of common patterns and typical
generation supported by language requirements to support context specific instantiation
transformations and different domains (Public Sector, critical
• Support for the most prominent infrastructures, 5G).
target environments and • Support for evolution and extension of the
languages infrastructural artifacts
• IaC execution to orchestrate
the deployment.
• (Optimized) Execution
environment
• Model level verification to check that the
model of the execution environment can
be transformed into executable code.
• Code level verification to assess the • Runtime security monitoring
correctness of the generated IaC • Monitoring tools and metrics
• IaC code security inspection to check the time - series collection
IaC code against cybersecurity issues
• Component security inspection checking
for known security vulnerabilities in
imported software components • Support for IaC self-healing decisions based on
the anomalous events identified or predicted.
• Self learning algorithms to detect non-
compliance or anomalies of a NFR of the
• Isolated testing of IaC behaviour (Canary
deployed IaC
Environment)
• Support for IaC improvements identification
• Catalogue of services, resources and
based on the monitored metrics
infrastructural elements
• Optimized deployment configuration
Figure 1. Relationship between PIACERE results and the DevOps cycle
Figure 1: Relationship between PIACERE and the DevOps cycle
through the DevSecOps philosophy, by making the creation of such infrastructural code more
accessible to designers, developers and operators (DevSecOps teams), increasing the quality,
security, trustworthiness and evolvability of infrastructural code while ensuring its business
continuity by providing self-healing mechanisms anticipation of failures and violations, allowing
it to self-learn from the conditions that triggered such re-adaptations.
To achieve the IaC DevSecOps concept, PIACERE will provide an integrated DevSecOps
framework to develop, verify, release, configure, provision, and monitor infrastructure as
code. The extensible architecture and modular approach of PIACERE will support the different
DevSecOps activities. Using a single integrated environment (IDE) to develop infrastructural
code will unify the automation of the main DevSecOps activities and will shorten the learning
curve for new DevSecOps teams. PIACERE will allow DevSecOps teams to model different
infrastructure environments, by means of abstractions, through a novel DevOps Modeling
Language (DOML), thus hiding the specificities and technicalities of current solutions. Moreover,
PIACERE will provide an extensible Infrastructural Code Generator (ICG), translating DOML into
source files for different existing IaC tools, to reduce the time needed for creating infrastructural
code for complex applications. The provided extensibility mechanisms (DOML-E) shall ensure
the sustainability and longevity of the PIACERE approach and tool-suite (new languages and
protocols that can appear in the near future). There are several projects whose research areas are
of interest for PIACERE and which already provide assets and methods dealing with IaC design,
�development, creation and maintenance.Therefore, PIACERE will actively monitor, survey and
consider the results from relevant projects and analyse potential adoption of aligned assets into
PIACERE solution. In the following list some of the already identified projects are presented:
• DevOps and IaC:
– DICE [7] offers a novel UML profile and tools for data – aware quality – driven
development
– DECIDE [8] provides a DevOps framework for multi-cloud applications, includ-
ing the optimization of their deployment and the monitoring and automatic re-
reployment of the applications (including the creation of the new infrastructure).
– MELODIC [9] enables data-intensive applications to run within defined security,
cost, and performance boundaries seamlessly on geographically distributed and
federated cloud infrastructures.
– SODALITE [10] provides a toolsuite for developers and infrastructure operators by
providing (1) a pattern-based abstraction library, including application and infrastruc-
ture (2) design and programming model for full-stack application and infrastructure
descriptions (3) deployment framework, enabling static optimisation (4) automated
run-time optimisation
• Modelling languages and extensions:
– SmartCLIDE [11] project provides high levels of abstraction at all stages (develop-
ment, testing, deployment and run-time) as well as self-discovery of IaaS and SaaS
Services
• Infrastructure/Code verification:
– RADON [12] aims at creating a DevOps framework to create and manage microservices-
based applications that can optimally exploit serverless computing technologies.
It provides a Defect Prediction tool which aims at analyzing IaC correctness, code
smells detection and refactoring of IaC blueprints
• Security in IaC:
– UNICORN [13] project simplifies the design, deployment and management of se-
cure and elastic – by design – multi-cloud services. It provides a component that
enables the continuous orchestration and automatic optimization of portable and
dynamic cloud services running on virtual instances or micro-execution containers
for increased security, data protection privacy and vast resource (de)-allocation.
• IaC monitoring:
– DECIDE [8] project provides as part of its solution a monitoring stack for heteroge-
neous cloud resources supporting different metrics that are configurable.
• Self-healing and self-learning IaC:
– DECIDE project’s ADAPT tool provides means for automatic re-deployment of a
microservices based application should a violation of the NFRs occur
– ACCORDION [14]orchestrates the compute and network continuum formed be-
tween edge and public clouds, using the latter as a capacitor
�Figure 2: The PIACERE workflow.
– MORPHEMIC [15] project proposes a way of adapting and optimizing Cloud com-
puting applications by introducing the novel concepts of poly-morph architecture
and proactive adaptation. Depending on the application’s requirements and its
current workload, its components could be deployed in various forms in differ-
ent environments to maximize the utility of the application deployment and the
satisfaction of the user
2. The PIACERE Approach
The PIACERE workflow (Figure 2) starts from the specification of qualitative requirements
such as infrastructure, security, networking and software characteristics. These trigger the
development of both the application and infrastructural software. Among the others, they
identify those non-functional requirements for application software that become functional
ones (need for provisioning certain services, for configuring certain network functions and the
like, security requirements, etc.) for the infrastructural code. Based on these requirements, the
DevSecOps team will focus on the development of the infrastructural code. Through DOML,
the DevSecOps Modeling Language, the topology and the properties of the infrastructure
to be created such as computation, memory, networking, software and services resources,
security requirements and rules, will be defined. This will allow the DevSecOps team to
model an infrastructure with its configuration abstracting the peculiarities of the provisioning
and configuration of complex execution environments, without being limited by the lack of
knowledge on the large variety of needed IaC languages and protocols.
After the modeling stage, the DevSecOps team will check if the resulting model can be turned
into executable code (verification at model level), using the Verification Tool (VT), a composition
of tools that works both at the level of models and infrastructural code.
Once the infrastructure, network, and execution environment models are ready and verified,
the DevSecOps team will generate the infrastructural code from them through the PIACERE
Infrastructure Code Generator (ICG). The currently most prominent target IaC environments and
�languages (e.g. Terraform, Ansible, TOSCA) will be supported by ICG, in terms of provisioning
and deployment orchestrators, configuration management environments, monitoring platforms,
and network APIs. The adequacy of the generated infrastructural code will be checked, ranging
from syntactic correctness to consistency and ability to fulfill specific non-functional properties
such as performance of applications after their deployment. Special focus on security will be
included. The VT will contain an IaC code Security Inspector that will check the IaC code
against the known cybersecurity issues offering a Static Analysis Security Testing. Additionally,
the VT will support the testing of the specific security libraries and middleware to be used
within the framework to build the security inclusion policy. This whitebox fuzzing testing
will be executed by the Security Components Inspector. All these components (from DOML
to VT) supporting the IaC DevSec process will be integrated in an IDE which will offer the
IaC developers an integrated framework to support the design, development, generation and
verification of the infrastructural code.
Once the code is verified, PIACERE will support the simulation of the conditions of the
production environment through the Canary Sandbox Environment, enabling isolated execution
and testing of the IaC behavior (reliability and behavior testing and cybersecurity threats) while
identifying potential vulnerabilities and bottlenecks before the code is deployed. As part of this
pre-deployment phase, PIACERE will offer the IaC optimized execution platform (IOP), which
will include both a catalog describing the available services (e.g. IaaS, XaaS) and infrastructural
elements (e.g. computation, networks) to deploy the IaC, and an Optimizer that will provide the
best combination of those services with such resources, based on a set of constraints (e.g., types
of infrastructural elements, NFRs, and so on).
The following step is the execution at runtime of the created IaC through the IaC execution
platform (IEP). The main task of the execution platform is to create a deployment plan by
splitting the work into separate tasks, ordering them according to their interdependencies,
and distributing them to the specialized subsystems that perform the actual provisioning (e.g.
creating virtual machines using proper IaaS connector, installing software packages or adjusting
application configuration using Ansible). Tracking dependencies also encompasses information
transfer between interdependent tasks, which is vital for producing functioning end-results.
The PIACERE Monitoring platform will log the whole IaC execution run, making metadata and
metrics about the creation of resources available to the rest of the PIACERE components. This
will enable insight into the effects of the specific IaC code, enabling feedback not only on the
application’s own runtime, but also on its provisioning, deployment. In such a complex system,
PIACERE will also verify any security violation at runtime through Runtime security monitoring.
This data (security-, performance-, uptime-related) will feed the PIACERE Self-learning and
self-healing mechanisms to ensure that the conditions of the QoS are met at all times and that
a failure or non-compliance of NFRs is not likely to occur. If any of these occurs an alert to
the DevSecOps teams will be sent and the most appropriate IaC deployment configuration
will be sought and selected by the optimizer again. PIACERE will support the automatic re-
deployment of the selected IaC to ensure that their infrastructural code is always conforming to
the SLAs committed with the end-user even if the environmental situation changes. PIACERE
baseline technologies will be open-source solutions and background technology and expertise
provided by each partner. Existing results form research projects, especially those where the
PIACERE partners participate will be incorporated, mainly form DECIDE, SODALITE, DICE
�and MELODIC.
2.1. PIACERE pilots
PIACERE outcomes will be validated in three specific use case validation activities focused on
three different application domains, namely 1) Public Administrations, 2) Critical Infrastructure
and 3) 5G (Public Safety in IoT using 5G) shortly described in the following subsections.
• Use Case 1 Public Administrations In public administrations, namely the Slovenian Min-
istry of Public Administration (SI-MPA) partner of the PIACERE project, the resource
provisioning, infrastructure configuration and deployment of new systems in centralized
infrastructure are the main challenges from an operational and security perspective.
Public administrations in general and SI-MPA in particular is using Infrastructure as
Code in segments of virtualization and network. In both cases dedicated tools are used
enabling automation just for a limited scope, out of the whole infrastructure creation
and maintenance life-cycle. PIACERE outcomes will enable to embrace the IaC approach
throughout the whole life-cycle, reducing the costs of deploying IT solutions which are
compliant with the requirements from the IT management standards while improving
the level of information security through the DevSecOps approach.
• Use Case 2 Critical Maritime Infrastructures In Industrial IoT platforms specially in those
of critical systems (such as maritime infrastructure) performance and trustworthiness
of the infrastructure to be created through the IaC is crucial. Therefore, performance
is usually guaranteed by over allocating resources for critical systems that most of the
time will be significantly infra-utilised. Thanks to the PIACERE outcomes developers and
operators will gain better knowledge (more frequent, more accurate, pervasive) of the use
of resources of the whole systems and the capability of dynamically assign computation
tasks to all nodes (cloud and edge). The inclusion of automatic verification both at model
and code level will guarantee the needed quality of the IaC to generate trustworthy
infrastructural ecosystem where to deploy the required software.
• Use Case 3 Public Safety on IoT in 5G Mobile networks (5G) are well suited for this kind
of public safety applications because of their ability to handle traffic from large numbers
of low-energy devices that are transmitting small volumes of data. In this case, the
definition of security requirements of the infrastructure needed is a key need. All the
policies to be configured can be described at model and code level and applied regardless
the concrete technology used for the infrastructural layer. PIACERE platform will ensure
the full adoption of DevSecOps approach improving the quality, security and evolvability
of infrastructural code. Furthermore, the possibility of performing static analysis security
testing by checking the code against known cyber-security issues and vulnerabilities
will provide feedback in exploring the security by design approach in the context of IoT
distributed architectures and relevant technologies.
�3. Conclusion
The main aim we envision for the PIACERE project is to enable organizations to embrace
the Infrastructure-as-Code (IaC) approach, through the DevSecOps philosophy, by making the
creation of such code more accessible to designers, developers and operators (DevSecOps teams),
increasing the quality, security, trustworthiness and evolvability of infrastructural code while
ensuring its business continuity by providing self-healing mechanisms anticipating to failures
and violations, and self-learning from the conditions that triggered such re-adaptations.
The envisioned PIACERE benefits will be assessed and demonstrated on its Use Cases (5G,
Public Administrations, Critical Infrastructures), with the focus on the utility and suitability
of the PIACERE approach and toolset in real cases from relevant application domains and
industrial sectors (telco, IoT, services).
Acknowledgments
This project has received funding from the European Union’s Horizon 2020 research and
innovation programme under grant agreement No 101000162.
References
[1] L. J. Bass, I. M. Weber, L. Zhu, DevOps - A Software Architect’s Perspective, SEI series in
software engineering, Addison-Wesley, 2015.
[2] V. Mohan, L. B. Othmane, Secdevops: Is it a marketing buzzword? - mapping research on
security in devops, in: 2016 11th International Conference on Availability, Reliability and
Security (ARES), 2016, pp. 542–547. doi:1 0 . 1 1 0 9 / A R E S . 2 0 1 6 . 9 2 .
[3] K. Morris, Infrastructure as Code: Managing Servers in the Cloud, 1st ed., O’Reilly Media,
Inc., 2016.
[4] OASIS, Topology and Orchestration Specification for Cloud Applications, 2016. URL:
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=tosca.
[5] HashiCorp, Terraform, Online; accessed 07-April-2021. URL: https://www.terraform.io/.
[6] Apache, Brooklyn, Online; accessed 07-April-2021. URL: https://brooklyn.apache.org/.
[7] DICE, Dice project, NA. URL: https://cordis.europa.eu/project/id/644869.
[8] DECIDE, Decide project, NA. URL: https://www.decide-h2020.eu/.
[9] MELODIC, Melodic project, NA. URL: https://h2020.melodic.cloud/.
[10] SODALITE, Sodalite project, NA. URL: https://www.sodalite.eu/.
[11] SmartCLIDE, Smartclide project, NA. URL: https://smartclide.eu/.
[12] RADON, Radon project, NA. URL: https://radon-h2020.eu/.
[13] UNICORN, Unicorn project, NA. URL: https://cordis.europa.eu/project/id/731846.
[14] ACCORDION, Accordion project, NA. URL: https://www.accordion-project.eu/.
[15] MORPHEMIC, Morphemic project, NA. URL: https://www.morphemic.cloud/.
�