Understanding Security Implications of Using Containers in the Cloud

Authors: 

Byungchul Tak, Kyungpook National University; Canturk Isci, Sastry Duri, Nilton Bila, Shripad Nadgowda, and James Doran, IBM TJ Watson Research Center

Abstract: 

Container technology is being adopted as a mainstream platform for IT solutions because of high degree of agility, reusability and portability it offers. However, there are challenges to be addressed for successful adoption. First, it is difficult to establish the full pedigree of images downloaded from public registries. Some might have vulnerabilities introduced unintentionally through rounds of updates by different users. Second, non-conformance to the immutable software deployment policies, such as those promoted by the DevOps principles, introduces vulnerabilities and the loss of control over deployed software. In this study, we investigate containers deployed in a production cloud to derive a set of recommended approaches to address these challenges. Our analysis reveals evidences that (i), images of unresolved pedigree have introduced vulnerabilities to containers belonging to third parties; (ii), updates to live public containers are common, defying the tenet that deployed software is immutable; and (iii), scanning containers or images alone is insufficient to eradicate vulnerabilities from public containers. We advocate for better systems support for tracking image provenance and resolving disruptive changes to containers, and propose practices that container users should adopt to limit the vulnerability of their containers.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {203251,
author = {Byungchul Tak and Canturk Isci and Sastry Duri and Nilton Bila and Shripad Nadgowda and James Doran},
title = {Understanding Security Implications of Using Containers in the Cloud},
booktitle = {2017 {USENIX} Annual Technical Conference ({USENIX} {ATC} 17)},
year = {2017},
isbn = {978-1-931971-38-6},
address = {Santa Clara, CA},
pages = {313--319},
url = {https://www.usenix.org/conference/atc17/technical-sessions/presentation/tak},
publisher = {{USENIX} Association},
month = jul,
}

Presentation Audio