Abstract
Docker images are used to distribute and deploy cloud-native applications in containerised form. A container engine runs them with separated privileges according to namespaces. Recent studies have investigated security vulnerabilities and runtime characteristics of Docker images. In contrast, little is known about the extent of hardware-dependent features in them such as processor-specific trusted execution environments, graphics acceleration or extension boards. This problem can be generalised to missing knowledge about the extent of any hardware-bound instructions within the images that may require elevated privileges. We first conduct a systematic one-year evolution analysis of a sample of Docker images concerning their use of hardware-specific features. To improve the state of technology, we contribute novel tools to manage such images. Our heuristic hardware dependency detector and a hardware-aware Docker executor hdocker give early warnings upon missing dependencies instead of leading to silent or untimely failures. Our dataset and tools are released to the research community.
Notes
- 2. Docker Hub: https://hub.docker.com/.
- 3. Red Hat Registry: http://quay.io, Tenable: http://tenable.io.
Copyright information
© 2021 IFIP International Federation for Information Processing
Cite this paper
Gkikopoulos, P., Schiavoni, V., Spillner, J. (2021). Analysis and Improvement of Heterogeneous Hardware Support in Docker Images. In: Matos, M., Greve, F. (eds) Distributed Applications and Interoperable Systems. DAIS 2021. Lecture Notes in Computer Science(), vol 12718. Springer, Cham. https://doi.org/10.1007/978-3-030-78198-9_9
DOI: https://doi.org/10.1007/978-3-030-78198-9_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78197-2
Online ISBN: 978-3-030-78198-9
eBook Packages: Computer Science (R0)