
2021 | Original Paper | Book chapter

Analysis and Improvement of Heterogeneous Hardware Support in Docker Images

Authors: Panagiotis Gkikopoulos, Valerio Schiavoni, Josef Spillner

Published in: Distributed Applications and Interoperable Systems

Publisher: Springer International Publishing


Abstract

Docker images are used to distribute and deploy cloud-native applications in containerised form. A container engine runs them with separated privileges according to namespaces. Recent studies have investigated security vulnerabilities and runtime characteristics of Docker images. In contrast, little is known about the extent of hardware-dependent features in them such as processor-specific trusted execution environments, graphics acceleration or extension boards. This problem can be generalised to missing knowledge about the extent of any hardware-bound instructions within the images that may require elevated privileges. We first conduct a systematic one-year evolution analysis of a sample of Docker images concerning their use of hardware-specific features. To improve the state of technology, we contribute novel tools to manage such images. Our heuristic hardware dependency detector and a hardware-aware Docker executor hdocker give early warnings upon missing dependencies instead of leading to silent or untimely failures. Our dataset and tools are released to the research community.
Footnotes

1. Google just recently announced SEV-enabled instances [5], while AWS is introducing Nitro Enclaves, heavily inspired by Intel SGX [1].

3. Red Hat Registry: http://quay.io, Tenable: http://tenable.io.
References

9. Arnautov, S., et al.: SCONE: secure Linux containers with Intel SGX. In: 12th USENIX Conference on OSDI, pp. 689–703 (2016)

10. Ayed, A.B., Subercaze, J., Laforest, F., Chaari, T., Louati, W., Kacem, A.H.: Docker2RDF: lifting the Docker registry hub into RDF. In: 2017 IEEE World Congress on Services (SERVICES), pp. 36–39. IEEE (2017)

12. Felber, P., et al.: Secure end-to-end processing of smart metering data. J. Cloud Comput. 8(1), 19 (2019)

13. Brogi, A., Neri, D., Soldani, J.: DockerFinder: multi-attribute search of Docker images. In: IEEE International Conference on Cloud Engineering (IC2E) (2017)

14. Byrne, A., Nadgowda, S., Coskun, A.: ACE: just-in-time serverless software component discovery through approximate concrete execution. In: Proceedings of Middleware Workshops/Sixth International Workshop on Serverless Computing (WoSC6) (2020)

15. Carrasco, J., Durán, F., Pimentel, E.: Live migration of trans-cloud applications. Comput. Stand. Interfaces 69, 103392 (2020)

16. Cho, K., Lee, H., Bang, K., Kim, S.: Possibility of HPC application on cloud infrastructure by container cluster. In: IEEE International Conference on CSE and Computational Science and IEEE International Conference on EUC, pp. 266–271 (2019)

17. Cito, J., Schermann, G., Wittern, J.E., Leitner, P., Zumberi, S., Gall, H.C.: An empirical analysis of the Docker container ecosystem on GitHub. In: IEEE/ACM 14th International Conference on Mining Software Repositories (MSR), pp. 323–333 (2017)

18. Coppolino, L., D'Antonio, S., Mazzeo, G., Romano, L.: A comprehensive survey of hardware-assisted security: from the edge to the cloud. Internet Things 6, 100055 (2019)

19. Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptol. ePrint Arch. 2016(86), 1–118 (2016)

20. Di Martino, B.: Applications portability and services interoperability among multiple clouds. IEEE Cloud Comput. 1(1), 74–77 (2014)

21. Florin, R., Ionut, R.: FPGA based architecture for securing IoT with blockchain. In: International Conference on Speech Technology and Human-Computer Dialogue, SpeD 2019, pp. 1–8. IEEE (2019)

22. Herardian, R.: The soft underbelly of cloud security. IEEE Secur. Privacy 17(3), 90–93 (2019)

23. Johnson, S., Rizzo, D., Ranganathan, P., McCune, J., Ho, R.: Titan: enabling a transparent silicon root of trust for cloud. In: Hot Chips: a Symposium on High Performance Chips (2018)

24. Kaplan, D., Powell, J., Woller, T.: AMD memory encryption. White paper (2016)

26. Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., Rajarajan, M.: A survey of intrusion detection techniques in cloud. J. Netw. Comput. Appl. 36(1), 42–57 (2013)

28. Pinto, S., Santos, N.: Demystifying ARM TrustZone: a comprehensive survey. ACM Comput. Surv. (CSUR) 51(6), 1–36 (2019)

29. Portabales, A.R., Nores, M.L.: Dockemu: extension of a scalable network simulation framework based on Docker and NS3 to cover IoT scenarios. In: Proceedings 8th International Conference on Simulation and Modeling Methodologies, Technologies and Applications, SIMULTECH 2018, pp. 175–182. SciTePress (2018)

30. Ren, J., Qi, Y., Dai, Y., Yu, X., Shi, Y.: Nosv: a lightweight nested-virtualization VMM for hosting high performance computing on cloud. J. Syst. Softw. 124, 137–152 (2017)

31. Schinianakis, D., Trapero, R., Michalopoulos, D.S., Crespo, B.G.: Security considerations in 5G networks: a slice-aware trust zone approach. In: IEEE WCNC, pp. 1–8 (2019)

32. Shepovalov, M., Akella, V.: FPGA and GPU-based acceleration of ML workloads on Amazon cloud - a case study using gradient boosted decision tree library. Integration 70, 1–9 (2020)

33. Shu, R., Gu, X., Enck, W.: A study of security vulnerabilities on Docker Hub. In: Proceedings of 7th ACM CODASPY, pp. 269–280 (2017)

34. Tarafdar, N., Eskandari, N., Lin, T., Chow, P.: Designing for FPGAs in the cloud. IEEE Des. Test 35(1), 23–29 (2018)

35. Tian, C.X., Pan, A., Tay, Y.C.: ConHub: a metadata management system for Docker containers. In: Proceedings of 25th ACM International Conference on Information and Knowledge Management, CIKM 2016, pp. 2453–2455 (2016)

36. Villari, M., Fazio, M., Dustdar, S., Rana, O., Jha, D.N., Ranjan, R.: Osmosis: the osmotic computing platform for microelements in the cloud, edge, and Internet of Things. IEEE Comput. 52(8), 14–26 (2019)

37. Yeh, T., Chen, H., Chou, J.: KubeShare: a framework to manage GPUs as first-class and shared resources in container cloud. In: 29th International Symposium on High-Performance Parallel and Distributed Computing, pp. 173–184. ACM (2020)

38. Zhao, N., et al.: Large-scale analysis of the Docker Hub dataset. In: 2019 IEEE International Conference on Cluster Computing (CLUSTER), pp. 1–10 (2019)
Metadata

Title: Analysis and Improvement of Heterogeneous Hardware Support in Docker Images

Authors: Panagiotis Gkikopoulos, Valerio Schiavoni, Josef Spillner

Copyright year: 2021

DOI: https://doi.org/10.1007/978-3-030-78198-9_9
