Rui Shu
William Enck
ABSTRACT
Docker containers have recently become a popular approach to provision multiple applications over shared physical hosts in a more lightweight fashion than traditional virtual machines. This popularity has led to the creation of the Docker Hub registry, which distributes a large number of official and community images. In this paper, we study the state of security vulnerabilities in Docker Hub images. We create a scalable Docker image vulnerability analysis (DIVA) framework that automatically discovers, downloads, and analyzes both official and community images on Docker Hub. Using our framework, we have studied 356,218 images and made the following findings: (1) both official and community images contain more than 180 vulnerabilities on average when considering all versions; (2) many images have not been updated for hundreds of days; and (3) vulnerabilities commonly propagate from parent images to child images. These findings demonstrate a strong need for more automated and systematic methods of applying security updates to Docker images and our current Docker image analysis framework provides a good foundation for such automatic security update.
- Browse vulnerabilities by date from CVE Details. http://www.cvedetails.com/browse-by-date.php/.Google Scholar
- CVE-2015--1781. http://www.cvedetails.com/cve/CVE-2015--1781/.Google Scholar
- CVE-2015--4000. http://www.cvedetails.com/cve/CVE-2015--4000/.Google Scholar
- CVE: Common Vulnerabilities and Exposures. https://cve.mitre.org/.Google Scholar
- Docker Bench for Security. https://github.com/docker/docker-bench-security.Google Scholar
- National Vulnerability Database. https://nvd.nist.gov/home.cfm.Google Scholar
- NCSU Virtual Computing Lab. https://vcl.ncsu.edu/.Google Scholar
- NVD Common Vulnerability Scoring System. https://nvd.nist.gov/cvss.cfm.Google Scholar
- Repositories on Docker Hub. https://docs.docker.com/docker-hub/repos/.Google Scholar
- RHSA to CVE and CPE mapping. https://www.redhat.com/security/data/metrics/rhsamapcpe.txt.Google Scholar
- M. Almorsy, J. Grundy, I. Müller, et al. An analysis of the cloud computing security problem. In Proceedings of APSEC 2010 Cloud Workshop, Sydney, Australia, 30th Nov, 2010.Google Scholar
- Banyan Collector. https://github.com/banyanops/collector.Google Scholar
- S. Bellon, R. Koschke, G. Antoniol, J. Krinke, and E. Merlo. Comparison and evaluation of clone detection tools. IEEE Transactions on Software Engineering, 33(9):577--591, 2007. Google ScholarDigital Library
- A. Bettini. Vulnerability exploitation in Docker container environments. https://www.blackhat.com/docs/eu-15/materials/eu-15-Bettini-Vulnerability-Exploitation-In-Docker-Container-Environments-wp.pdf, 2015.Google Scholar
- S. Bugiel, S. Nürnberger, T. Pöppelmann, A.-R. Sadeghi, and T. Schneider. AmazonIA: When elasticity snaps back. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS '11, pages 389--400, New York, NY, USA, 2011. ACM. Google ScholarDigital Library
- CoreOS Clair. https://github.com/coreos/clair.Google Scholar
- Y. Dang, D. Zhang, S. Ge, C. Chu, Y. Qiu, and T. Xie. Xiao: tuning code clones at hands of engineers in practice. In Proceedings of the 28th Annual Computer Security Applications Conference, pages 369--378. ACM, 2012. Google ScholarDigital Library
- Debian Security Bug Tracker. https://security-tracker.debian.org/tracker.Google Scholar
- B. DeHamer. Docker Hub Top 10. https://www.ctl.io/developers/blog/post/docker-hub-top-10/, August 2015.Google Scholar
- Docker Security Scanning. https://docs.docker.com/docker-cloud/builds/image-scan/.Google Scholar
- D. A. Fernandes, L. F. Soares, J. V. Gomes, M. M. Freire, and P. R. Inácio. Security issues in cloud environments: a survey. International Journal of Information Security, 13(2):113--170, 2014. Google ScholarDigital Library
- M. Gabel, J. Yang, Y. Yu, M. Goldszmidt, and Z. Su. Scalable and systematic detection of buggy inconsistencies in source code. In ACM Sigplan Notices, volume 45, pages 175--190. ACM, 2010. Google ScholarDigital Library
- B. Grobauer, T. Walloschek, and E. Stocker. Understanding cloud computing vulnerabilities. IEEE Security & Privacy, 9(2):50--57, 2011. Google ScholarDigital Library
- J. Gummaraju, T. Desikan, and Y. Turner. Over 30% of official images in docker hub contain high priority security vulnerabilities. Technical report, BanyanOps, 2015.Google Scholar
- K. Hashizume, D. G. Rosado, E. Fernández-Medina, and E. B. Fernandez. An analysis of security issues for cloud computing. Journal of Internet Services and Applications, 4(1):1, 2013.Google ScholarCross Ref
- K. Hashizume, N. Yoshioka, and E. B. Fernandez. Three misuse patterns for cloud computing. Security engineering for Cloud Computing: approaches and Tools, pages 36--53, 2012.Google Scholar
- IBM's Vulnerability Advisor. http://www-03.ibm.com/press/us/en/pressrelease/47165.wss.Google Scholar
- Is FROM scratch the root of all Docker Images? https://www.ctl.io/developers/blog/post/is-from-scratch-the-root-of-all-docker-images/.Google Scholar
- J. Jang, A. Agrawal, and D. Brumley. Redebug: finding unpatched code clones in entire os distributions. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 48--62. IEEE, 2012. Google ScholarDigital Library
- L. Jiang, G. Misherghi, Z. Su, and S. Glondu. Deckard: Scalable and accurate tree-based detection of code clones. In Proceedings of the 29th international conference on Software Engineering, pages 96--105. IEEE Computer Society, 2007. Google ScholarDigital Library
- T. Kamiya, S. Kusumoto, and K. Inoue. Ccfinder: a multilinguistic token-based code clone detection system for large scale source code. IEEE Transactions on Software Engineering, 28(7):654--670, 2002. Google ScholarDigital Library
- Library of official images. https://github.com/docker-library/official-images/tree/master/library/.Google Scholar
- OpenSCAP Container Compliance. https://github.com/OpenSCAP/container-compliance.Google Scholar
- Red Hat Security Data. https://www.redhat.com/security/data/metrics/.Google Scholar
- D. Reimer, A. Thomas, G. Ammons, T. Mummert, B. Alpern, and V. Bala. Opening black boxes: using semantic information to combat virtual machine image sprawl. In Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, pages 111--120. ACM, 2008. Google ScholarDigital Library
- Twistlock. https://www.twistlock.com/product/vulnerabilitymanagement/.Google Scholar
- Ubuntu CVE Tracker. https://launchpad.net/ubuntu-cve-tracker.Google Scholar
- N. Viennot, E. Garcia, and J. Nieh. A measurement study of google play. In The 2014 ACM International Conference on Measurement and Modeling of Computer Systems, SIGMETRICS '14, pages 221--233, New York, NY, USA, 2014. ACM. Google ScholarDigital Library
- J. Wei, X. Zhang, G. Ammons, V. Bala, and P. Ning. Managing security of virtual machine images in a cloud environment. In Proceedings of the 2009 ACM workshop on Cloud computing security, pages 91--96. ACM, 2009. Google ScholarDigital Library
- S. Zhang, X. Zhang, and X. Ou. After we knew it: Empirical study and modeling of cost-effectiveness of exploiting prevalent known vulnerabilities across iaas cloud. In Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, ASIA CCS '14, pages 317--328, New York, NY, USA, 2014. ACM. Google ScholarDigital Library
- W. Zhou, P. Ning, X. Zhang, G. Ammons, R. Wang, and V. Bala. Always up-to-date: scalable offline patching of vm images in a compute cloud. In Proceedings of the 26th Annual Computer Security Applications Conference, pages 377--386. ACM, 2010. Google ScholarDigital Library
Index Terms
- A Study of Security Vulnerabilities on Docker Hub
Recommendations
Security Enhancement using Image verification method to Secure Docker Containers
ICIMMI '22: Proceedings of the 4th International Conference on Information Management & Machine IntelligenceNow with the dawn of the internet, cloud computing has been reformed by opening new horizons at an inclusive level with auspicious opportunities. With the rise of opportunities, popularity, and public connectivity by the internet, it is the next ...
Understanding the Security Risks of Docker Hub
Computer Security – ESORICS 2020AbstractDocker has become increasingly popular because it provides efficient containers that are directly run by the host kernel. Docker Hub is one of the most popular Docker image repositories. Millions of images have been downloaded from Docker Hub ...
Helping Your Docker Images to Spread Based on Explainable Models
Machine Learning and Knowledge Discovery in DatabasesAbstractDocker is on the rise in today’s enterprise IT. It permits shipping applications inside portable containers, which run from so-called Docker images. Docker images are distributed in public registries, which also monitor their popularity. The ...
Comments