Top

Published in:

2018 | OriginalPaper | Chapter

Security Analysis of Container Images Using Cloud Analytics Framework

Authors : Byungchul Tak, Hyekyung Kim, Sahil Suneja, Canturk Isci, Prabhakar Kudva

Published in: Web Services – ICWS 2018

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Container technology has become an integral part of today’s major IT services. Although it offers several benefits, it also introduces new challenges for operating and maintaining secure container environments. One such challenge is to retain the ability to detect and address the containers’ vulnerabilities and compliance violations. However, designing an effective solution to enable this capability must be based on the accurate understanding of characteristics observed from actual container images and instances. To contribute toward this objective, we have built a general data processing framework, applying the principles of the state-of-the-art. It is a system that decouples the data collection process from the analysis so as to allow user to focus more on building new analysis logics rather than on the tools for monitoring agents. We applied it to the analysis of container images from the Docker Hub image repository, to learn about their security posture. In this work we present various interesting findings and new insights from analyzing the public image corpus. We have learned that more than 92% of the images contain compliance violations and/or vulnerable packages.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Privacy-Preserving Homomorphic MACs with Efficient Verification

next chapter Detection of Damage and Failure Events of Road Infrastructure Using Social Media

We use the terms ‘scan’ and ‘crawl’ interchangeably.

Agentless System Crawler. https://github.com/cloudviz/agentless-system-crawler

Census Project. https://www.coreinfrastructure.org/programs/census-project

Don’t Substitute CVSS for Risk: Scoring System Inflates Importance of CVE-2017-3735. https://securingtomorrow.mcafee.com/mcafee-labs/dont-substitute-cvss-for-risk-scoring-system-inflates-importance-of-cve-2017-3735/

Record-Breaking Number of Vulnerabilities Disclosed (2017). https://www.securityweek.com/record-breaking-number-vulnerabilities-disclosed-2017-report

Vulnerability QuickView. https://pages.riskbasedsecurity.com/hubfs/Reports/2017/2017%20Year%20End%20Vulnerability%20QuickView%20Report.pdf

Amazon Inspector. https://aws.amazon.com/inspector/

Anchore. Open source tools for container security and compliance. http://anchore.com

Aqua. https://www.aquasec.com/

Bui, T.: Analysis of docker security. arXiv preprint arXiv:1501.02967 (2015)

10.

Cito, J., Schermann, G., Wittern, J.E., Leitner, P., Zumberi, S., Gall, H.C.: An empirical analysis of the docker container ecosystem on GitHub. In: Proceedings of the 14th International Conference on Mining Software Repositories, pp. 323–333. IEEE Press (2017)

11.

Clair. Automatic container vulnerability and security scanning for appc and docker. http://coreos.com/clair/

12.

Combe, T., Martin, A., Di Pietro, R.: To docker or not to docker: a security perspective. IEEE Cloud Comput. 3(5), 54–62 (2016)CrossRef

13.

Wheeler, D.A., Khakimov, S.: Open Source Software Projects Needing Security Investments. https://www.coreinfrastructure.org/sites/cii/files/pages/files/pub_ida_lf_cii_070915.pdf

14.

Docker-slim. https://github.com/docker-slim/docker-slim

15.

Dockerhub. https://hub.docker.com/

16.

Gschwind, K., Adam, C., Duri, S., Nadgowda, S., Vukovic, M.: Optimizing service delivery with minimal runtimes. In: Proceedings of the 15th International Conference on Service-Oriented Computing (2017)

17.

Gummaraju, J., Desikan, T., Turner, Y.: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities. https://www.banyanops.com/blog/analyzing-docker-hub/

18.

Doran, J.: Is your docker container secure? Ask vulnerability advisor!. https://www.ibm.com/blogs/bluemix/2015/07/vulnerability-advisor/

19.

Koller, R., Isci, C., Suneja, S., de Lara, E.: Unified monitoring and analytics in the cloud. In: 7th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 2015), Santa Clara, CA. USENIX Association (2015)

20.

Microcontainers Tiny, Portable Docker Containers. https://blog.iron.io/microcontainers-tiny-portable-containers/

21.

Oliveira, F., Suneja, S., Nadgowda, S., Nagpurkar, P., Isci, C.: Opvis: extensible, cross-platform operational visibility and analytics for cloud. In: Proceedings of the 18th ACM/IFIP/USENIX Middleware Conference: Industrial Track, pp. 43–49. ACM (2017)

22.

OpenSCAP oscap-docker. https://github.com/OpenSCAP/container-compliance

23.

Rastogi, V., Niddodi, C., Mohan, S., Jha, S.: New directions for container debloating. In: Proceedings of the 2017 Workshop on Forming an Ecosystem Around Software Transformation, pp. 51–56. ACM (2017)

24.

Reshetova, E., Karhunen, J., Nyman, T., Asokan, N.: Security of OS-level virtualization technologies. In: Bernsmed, K., Fischer-Hübner, S. (eds.) NordSec 2014. LNCS, vol. 8788, pp. 77–93. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11599-3_5CrossRef

25.

Shu, R., Gu, X., Enck, W.: A study of security vulnerabilities on docker hub. In: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, CODASPY 2017, pp. 269–280. ACM, New York (2017)

26.

Tak, B., Isci, C., Duri, S., Bila, N., Nadgowda, S., Doran, J.: Understanding security implications of using containers in the cloud. In: 2017 USENIX Annual Technical Conference (USENIX ATC 17), Santa Clara, CA, pp. 313–319. USENIX Association (2017)

27.

Tenable Network Security. Nessus vulnerability scanner. http://www.tenable.com

28.

Twistlock. https://www.twistlock.com/

29.

Xu, T., Marinov, D.: Mining container image repositories for software configuration and beyond. arXiv preprint arXiv:1802.03558 (2018)

Title: Security Analysis of Container Images Using Cloud Analytics Framework
Authors: Byungchul Tak
Hyekyung Kim
Sahil Suneja
Canturk Isci
Prabhakar Kudva
Publisher: Springer International Publishing
Book: Web Services – ICWS 2018
Print ISBN: 978-3-319-94288-9

Electronic ISBN: 978-3-319-94289-6

Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-319-94289-6_8

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner