2021 | OriginalPaper | Chapter

Analysis and Improvement of Heterogeneous Hardware Support in Docker Images

Authors : Panagiotis Gkikopoulos, Valerio Schiavoni, Josef Spillner

Published in: Distributed Applications and Interoperable Systems

Publisher: Springer International Publishing

Abstract

Docker images are used to distribute and deploy cloud-native applications in containerised form. A container engine runs them with separated privileges according to namespaces. Recent studies have investigated security vulnerabilities and runtime characteristics of Docker images. In contrast, little is known about the extent of hardware-dependent features in them such as processor-specific trusted execution environments, graphics acceleration or extension boards. This problem can be generalised to missing knowledge about the extent of any hardware-bound instructions within the images that may require elevated privileges. We first conduct a systematic one-year evolution analysis of a sample of Docker images concerning their use of hardware-specific features. To improve the state of technology, we contribute novel tools to manage such images. Our heuristic hardware dependency detector and a hardware-aware Docker executor hdocker give early warnings upon missing dependencies instead of leading to silent or untimely failures. Our dataset and tools are released to the research community.
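As an added illustration of the early-warning idea in the abstract (this is not the paper's detector or its hdocker executor), a minimal heuristic that scans a Dockerfile for hints of hardware-bound software and warns before launch when the host exposes no matching device node. The keyword table, device paths and sample Dockerfile are assumptions constructed for this example.

```python
import re

# Textual hints that a build step pulls in hardware-specific software.
# The keywords are assumptions chosen for this example, not the paper's heuristic.
FEATURE_HINTS = {
    "sgx": [r"\bsgx\b", r"libsgx", r"aesmd"],
    "gpu": [r"\bcuda\b", r"nvidia", r"\brocm\b"],
    "fpga": [r"\bfpga\b", r"\bopencl\b", r"xilinx"],
}

# Device nodes a host must expose per feature (assumed paths for the example).
HOST_DEVICES = {
    "sgx": ["/dev/sgx_enclave", "/dev/sgx/enclave", "/dev/isgx"],
    "gpu": ["/dev/nvidia0"],
    "fpga": ["/dev/xclmgmt0"],
}

def detect_features(dockerfile: str) -> dict:
    """Map each detected feature to the Dockerfile line numbers that hint at it."""
    found = {}
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no build dependency
        for feature, patterns in FEATURE_HINTS.items():
            if any(re.search(p, stripped, re.IGNORECASE) for p in patterns):
                found.setdefault(feature, []).append(lineno)
    return found

def preflight(dockerfile: str, present_devices: set) -> list:
    """Warn before launch about features the host cannot serve, instead of
    letting the container fail silently or late at runtime."""
    warnings = []
    for feature in sorted(detect_features(dockerfile)):
        if not any(dev in present_devices for dev in HOST_DEVICES[feature]):
            warnings.append(f"{feature}: no matching device node on host "
                            f"(expected one of {HOST_DEVICES[feature]})")
    return warnings

# Constructed sample Dockerfile: SGX runtime plus a CUDA toolkit install.
SAMPLE_DOCKERFILE = """FROM ubuntu:20.04
# build an SGX enclave application
RUN apt-get install -y libsgx-urts libsgx-enclave-common
RUN apt-get install -y nvidia-cuda-toolkit
"""

if __name__ == "__main__":
    for w in preflight(SAMPLE_DOCKERFILE, {"/dev/nvidia0"}):
        print("WARNING", w)
```

In practice `present_devices` would be populated from the host (for instance by listing `/dev`), which the example leaves to the caller so it runs offline.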


Footnotes
1
Google just recently announced SEV-enabled instances [5], while AWS is introducing Nitro Enclaves, heavily inspired by Intel SGX [1].

3
Red Hat Registry: http://quay.io, Tenable: http://tenable.io.
Literature
9. Arnautov, S., et al.: SCONE: secure Linux containers with Intel SGX. In: 12th USENIX Conference on OSDI, pp. 689–703 (2016)
10. Ayed, A.B., Subercaze, J., Laforest, F., Chaari, T., Louati, W., Kacem, A.H.: Docker2rdf: lifting the Docker registry hub into RDF. In: 2017 IEEE World Congress on Services (SERVICES), pp. 36–39. IEEE (2017)
12. Felber, P., et al.: Secure end-to-end processing of smart metering data. J. Cloud Comput. 8(1), 19 (2019)
13. Brogi, A., Neri, D., Soldani, J.: DockerFinder: multi-attribute search of Docker images. In: IEEE International Conference on Cloud Engineering (IC2E) (2017)
14. Byrne, A., Nadgowda, S., Coskun, A.: ACE: just-in-time serverless software component discovery through approximate concrete execution. In: Proceedings of Middleware Workshops/Sixth International Workshop on Serverless Computing (WoSC6) (2020)
15. Carrasco, J., Durán, F., Pimentel, E.: Live migration of trans-cloud applications. Comput. Stand. Interfaces 69, 103392 (2020)
16. Cho, K., Lee, H., Bang, K., Kim, S.: Possibility of HPC application on cloud infrastructure by container cluster. In: IEEE International Conference on CSE and Computational Science and IEEE International Conference on EUC, pp. 266–271 (2019)
17. Cito, J., Schermann, G., Wittern, J.E., Leitner, P., Zumberi, S., Gall, H.C.: An empirical analysis of the Docker container ecosystem on GitHub. In: IEEE/ACM 14th International Conference on Mining Software Repositories (MSR), pp. 323–333 (2017)
18. Coppolino, L., D'Antonio, S., Mazzeo, G., Romano, L.: A comprehensive survey of hardware-assisted security: from the edge to the cloud. Internet Things 6, 100055 (2019)
19. Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptol. ePrint Arch. 2016(86), 1–118 (2016)
20. Di Martino, B.: Applications portability and services interoperability among multiple clouds. IEEE Cloud Comput. 1(1), 74–77 (2014)
21. Florin, R., Ionut, R.: FPGA based architecture for securing IoT with blockchain. In: International Conference on Speech Technology and Human-Computer Dialogue, SpeD 2019, pp. 1–8. IEEE (2019)
22. Herardian, R.: The soft underbelly of cloud security. IEEE Secur. Privacy 17(3), 90–93 (2019)
23. Johnson, S., Rizzo, D., Ranganathan, P., McCune, J., Ho, R.: Titan: enabling a transparent silicon root of trust for cloud. In: Hot Chips: a Symposium on High Performance Chips (2018)
24. Kaplan, D., Powell, J., Woller, T.: AMD memory encryption. White paper (2016)
26. Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., Rajarajan, M.: A survey of intrusion detection techniques in cloud. J. Netw. Comput. Appl. 36(1), 42–57 (2013)
28. Pinto, S., Santos, N.: Demystifying ARM TrustZone: a comprehensive survey. ACM Comput. Surv. (CSUR) 51(6), 1–36 (2019)
29. Portabales, A.R., Nores, M.L.: Dockemu: extension of a scalable network simulation framework based on Docker and NS3 to cover IoT scenarios. In: Proceedings 8th International Conference on Simulation and Modeling Methodologies, Technologies and Applications, SIMULTECH 2018, pp. 175–182. SciTePress (2018)
30. Ren, J., Qi, Y., Dai, Y., Yu, X., Shi, Y.: Nosv: a lightweight nested-virtualization VMM for hosting high performance computing on cloud. J. Syst. Softw. 124, 137–152 (2017)
31. Schinianakis, D., Trapero, R., Michalopoulos, D.S., Crespo, B.G.: Security considerations in 5G networks: a slice-aware trust zone approach. In: IEEE WCNC, pp. 1–8 (2019)
32. Shepovalov, M., Akella, V.: FPGA and GPU-based acceleration of ML workloads on Amazon cloud - a case study using gradient boosted decision tree library. Integration 70, 1–9 (2020)
33. Shu, R., Gu, X., Enck, W.: A study of security vulnerabilities on Docker Hub. In: Proceedings of 7th ACM CODASPY, pp. 269–280 (2017)
34. Tarafdar, N., Eskandari, N., Lin, T., Chow, P.: Designing for FPGAs in the cloud. IEEE Des. Test 35(1), 23–29 (2018)
35. Tian, C.X., Pan, A., Tay, Y.C.: ConHub: a metadata management system for Docker containers. In: Proceedings of 25th ACM International Conference on Information and Knowledge Management, CIKM 2016, pp. 2453–2455 (2016)
36. Villari, M., Fazio, M., Dustdar, S., Rana, O., Jha, D.N., Ranjan, R.: Osmosis: the osmotic computing platform for microelements in the cloud, edge, and Internet of Things. IEEE Comput. 52(8), 14–26 (2019)
37. Yeh, T., Chen, H., Chou, J.: KubeShare: a framework to manage GPUs as first-class and shared resources in container cloud. In: 29th International Symposium High-Performance Parallel and Distributed Computing, pp. 173–184. ACM (2020)
38. Zhao, N., et al.: Large-scale analysis of the Docker Hub dataset. In: 2019 IEEE International Conference on Cluster Computing, Cluster, pp. 1–10 (2019)
Metadata
Title
Analysis and Improvement of Heterogeneous Hardware Support in Docker Images
Authors
Panagiotis Gkikopoulos
Valerio Schiavoni
Josef Spillner
Copyright Year
2021
DOI
https://doi.org/10.1007/978-3-030-78198-9_9
