SEAF: A Scalable, Efficient, and Application-independent Framework for container security detection

Abstract

Container technology has become a popular development that can conveniently accelerate building, running, and sharing applications. However, a container image packaging a collection of software usually lurks various defects threatening consumer safety, such as embedded malware, software vulnerability, privacy leakage, etc. Moreover, developers and users share container images through a centralized, public, and massive repository (e.g., Docker Hub), which can magnify the impact of these security defects in a fast-spreading way. Unfortunately, existing detection methods cannot effectively or efficiently discover such hidden flaws among the numerous images.This paper proposes a novel method to effectively detect and measure container security flaws embedded in images. Based on the crucial insight that container images are constructed hierarchically, each image depends on layers of forwarding image and adds updated content in layers of itself. Our work mines a Global Relationship Tree (GRT) based on dependency among the images that contain common layers. Meanwhile, by traversing the GRT and leveraging content differential analysis, we can locate the changing content in an image corresponding to defects. Therefore, when checking flaws among numerous images, we make a layer-sensitive detection by reusing common layers’ detection results in iterative processes to boost detection and accurately measure the influence scope of defects. Finally, we summarize and develop a set of detection primitives for scaling our approach to handle various flaws that may lead to multiple risks in potential.Depending upon this method, we implemented SEAF, a Scalable, Efficient, and Application-independent Framework, and evaluated it on popular images of diverse applications in Docker Hub. The experiment result shows that SEAF can discover different security flaws fast. Compared to the state-of-the-art tool, Clair, SEAF is more efficient and can find significantly more types of defects.