Abstract

Container technology has become a popular way to conveniently accelerate building, running, and sharing applications. However, a container image that packages a collection of software often harbors various defects that threaten consumer safety, such as embedded malware, software vulnerabilities, and privacy leakage. Moreover, developers and users share container images through centralized, public, and massive repositories (e.g., Docker Hub), which can magnify the impact of these security defects by spreading them quickly. Unfortunately, existing detection methods cannot effectively or efficiently discover such hidden flaws among the numerous images. This paper proposes a novel method to effectively detect and measure container security flaws embedded in images. It builds on the crucial insight that container images are constructed hierarchically: each image depends on the layers of a preceding image and adds updated content in layers of its own. Our work mines a Global Relationship Tree (GRT) based on the dependencies among images that contain common layers. By traversing the GRT and leveraging content differential analysis, we can locate the changed content in an image that corresponds to defects. Therefore, when checking for flaws among numerous images, we perform layer-sensitive detection, reusing the detection results of common layers across iterations to speed up detection and to accurately measure the influence scope of defects. Finally, we summarize and develop a set of detection primitives that scale our approach to handle various flaws that may lead to multiple potential risks. Based on this method, we implemented SEAF, a Scalable, Efficient, and Application-independent Framework, and evaluated it on popular images of diverse applications in Docker Hub. The experimental results show that SEAF can discover different security flaws quickly. Compared to the state-of-the-art tool, Clair, SEAF is more efficient and can find significantly more types of defects.
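The layer-reuse idea in the abstract can be sketched as follows; this is an added illustration, not SEAF's code or its GRT algorithm. It assumes each image is an ordered list of layer digests, models shared layers as a prefix tree, and uses constructed digests and findings with a hypothetical `detect_layer` stand-in for a real detector; it also ignores that a later layer can delete a file added by an earlier one.

```python
from collections import defaultdict

# Constructed sample: image name -> ordered layer digests (base layer first).
IMAGES = {
    "base:1": ["sha256:aaa"],
    "web:1":  ["sha256:aaa", "sha256:bbb"],
    "web:2":  ["sha256:aaa", "sha256:bbb", "sha256:ccc"],
    "db:1":   ["sha256:aaa", "sha256:ddd"],
    "tool:1": ["sha256:eee"],
}
# Constructed per-layer findings, standing in for a real detector's output.
LAYER_FINDINGS = {"sha256:bbb": ["embedded-miner"], "sha256:ddd": ["hardcoded-key"]}

def detect_layer(digest):  # hypothetical detector: flaws introduced by one layer
    return list(LAYER_FINDINGS.get(digest, []))

class Node:
    def __init__(self, digest):
        self.digest = digest
        self.children = {}   # next-layer digest -> Node
        self.images = []     # images whose top layer is this node

def build_tree(images):
    root = Node(None)
    for name, layers in images.items():
        node = root
        for digest in layers:  # images with a common layer prefix share nodes
            node = node.children.setdefault(digest, Node(digest))
        node.images.append(name)
    return root

def scan(root, detect):
    """Walk the tree once; a shared layer is scanned a single time."""
    report, scope, calls = {}, defaultdict(set), 0
    stack = [(root, [])]
    while stack:
        node, inherited = stack.pop()
        found = inherited
        if node.digest is not None:
            calls += 1
            found = inherited + detect(node.digest)  # parent results are reused
        for img in node.images:
            report[img] = list(found)
            for flaw in found:
                scope[flaw].add(img)  # influence scope: images carrying the flaw
        stack.extend((child, found) for child in node.children.values())
    return report, {k: sorted(v) for k, v in scope.items()}, calls
```

On this sample the detector runs 5 times instead of the 9 runs a per-image scan of every layer would need, and the scope map shows which descendant images inherit each flaw.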
