
Analysis and Improvement of Heterogeneous Hardware Support in Docker Images

  • Conference paper
  • Distributed Applications and Interoperable Systems (DAIS 2021)

Abstract

Docker images are used to distribute and deploy cloud-native applications in containerised form. A container engine runs them with separated privileges according to namespaces. Recent studies have investigated security vulnerabilities and runtime characteristics of Docker images. In contrast, little is known about the extent of hardware-dependent features in them such as processor-specific trusted execution environments, graphics acceleration or extension boards. This problem can be generalised to missing knowledge about the extent of any hardware-bound instructions within the images that may require elevated privileges. We first conduct a systematic one-year evolution analysis of a sample of Docker images concerning their use of hardware-specific features. To improve the state of technology, we contribute novel tools to manage such images. Our heuristic hardware dependency detector and a hardware-aware Docker executor hdocker give early warnings upon missing dependencies instead of leading to silent or untimely failures. Our dataset and tools are released to the research community.


Notes

  1. Google just recently announced SEV-enabled instances [5], while AWS is introducing Nitro Enclaves, heavily inspired by Intel SGX [1].

  2. Docker Hub: https://hub.docker.com/.

  3. Red Hat Registry: http://quay.io, Tenable: http://tenable.io.

  4. 42nd rev https://lore.kernel.org/lkml/20201214114200.GD26358@zn.tnic/.

  5. MAO: https://mao-mao-research.github.io/.

References

  1. AWS Nitro Enclaves. https://aws.amazon.com/ec2/nitro/nitro-enclaves/

  2. Confidential computing on Azure. https://docs.microsoft.com/en-us/azure/confidential-computing/overview

  3. Graphene Secure Container Environment. https://github.com/oscarlab/graphene/tree/master/Tools

  4. Image Manifest Version 2, Schema 2. https://docs.docker.com/registry/spec/manifest-v2-2/

  5. Introducing Google Cloud Confidential Computing with Confidential VMs. https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms

  6. NVIDIA Docker: GPU Server Application Deployment Made Easy. https://developer.nvidia.com/blog/nvidia-docker-gpu-server-application-deployment-made-easy/

  7. SCONTAIN Homepage. https://scontain.com/

  8. Amacher, J., Schiavoni, V.: On the performance of ARM TrustZone. In: Pereira, J., Ricci, L. (eds.) DAIS 2019. LNCS, vol. 11534, pp. 133–151. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-22496-7_9

  9. Arnautov, S., et al.: SCONE: secure Linux containers with Intel SGX. In: 12th USENIX Conference on OSDI, pp. 689–703 (2016)

  10. Ayed, A.B., Subercaze, J., Laforest, F., Chaari, T., Louati, W., Kacem, A.H.: Docker2rdf: lifting the Docker registry hub into RDF. In: 2017 IEEE World Congress on Services (SERVICES), pp. 36–39. IEEE (2017)

  11. Binz, T., Breitenbücher, U., Kopp, O., Leymann, F.: TOSCA: portable automated deployment and management of cloud applications. In: Advanced Web Services, pp. 527–549. Springer (2014). https://doi.org/10.1007/978-0-8176-4540-3

  12. Felber, P., et al.: Secure end-to-end processing of smart metering data. J. Cloud Comput. 8(1), 19 (2019)

  13. Brogi, A., Neri, D., Soldani, J.: DockerFinder: multi-attribute search of Docker images. In: IEEE International Conference on Cloud Engineering (IC2E) (2017)

  14. Byrne, A., Nadgowda, S., Coskun, A.: ACE: just-in-time serverless software component discovery through approximate concrete execution. In: Proceedings of Middleware Workshops/Sixth International Workshop on Serverless Computing (WoSC6) (2020)

  15. Carrasco, J., Durán, F., Pimentel, E.: Live migration of trans-cloud applications. Comput. Stand. Interfaces 69, 103392 (2020)

  16. Cho, K., Lee, H., Bang, K., Kim, S.: Possibility of HPC application on cloud infrastructure by container cluster. In: IEEE International Conference on CSE and Computational Science and IEEE International Conference on EUC, pp. 266–271 (2019)

  17. Cito, J., Schermann, G., Wittern, J.E., Leitner, P., Zumberi, S., Gall, H.C.: An empirical analysis of the Docker container ecosystem on GitHub. In: IEEE/ACM 14th International Conference on Mining Software Repositories (MSR), pp. 323–333 (2017)

  18. Coppolino, L., D’Antonio, S., Mazzeo, G., Romano, L.: A comprehensive survey of hardware-assisted security: from the edge to the cloud. Internet Things 6, 100055 (2019)

  19. Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptol. ePrint Arch. 2016(86), 1–118 (2016)

  20. Di Martino, B.: Applications portability and services interoperability among multiple clouds. IEEE Cloud Comput. 1(1), 74–77 (2014)

  21. Florin, R., Ionut, R.: FPGA based architecture for securing IoT with blockchain. In: International Conference on Speech Technology and Human-Computer Dialogue, SpeD 2019, pp. 1–8. IEEE (2019)

  22. Herardian, R.: The soft underbelly of cloud security. IEEE Secur. Privacy 17(3), 90–93 (2019)

  23. Johnson, S., Rizzo, D., Ranganathan, P., McCune, J., Ho, R.: Titan: enabling a transparent silicon root of trust for cloud. In: Hot Chips: a Symposium on High Performance Chips (2018)

  24. Kaplan, D., Powell, J., Woller, T.: AMD memory encryption. White paper (2016)

  25. Mao, Y., Oak, J., Pompili, A., Beer, D., Han, T., Hu, P.: DRAPS: Dynamic and Resource-Aware Placement Scheme for Docker Containers in a Heterogeneous Cluster. CoRR abs/1805.08598 (2018). http://arxiv.org/abs/1805.08598

  26. Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., Rajarajan, M.: A survey of intrusion detection techniques in cloud. J. Netw. Comput. Appl. 36(1), 42–57 (2013)

  27. Petcu, D.: Portability and interoperability between clouds: challenges and case study. In: Abramowicz, W., Llorente, I.M., Surridge, M., Zisman, A., Vayssière, J. (eds.) ServiceWave 2011. LNCS, vol. 6994, pp. 62–74. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24755-2_6

  28. Pinto, S., Santos, N.: Demystifying ARM TrustZone: a comprehensive survey. ACM Comput. Surv. (CSUR) 51(6), 1–36 (2019)

  29. Portabales, A.R., Nores, M.L.: Dockemu: extension of a scalable network simulation framework based on Docker and NS3 to cover IoT scenarios. In: Proceedings 8th International Conference on Simulation and Modeling Methodologies, Technologies and Applications, SIMULTECH 2018, pp. 175–182. SciTePress (2018)

  30. Ren, J., Qi, Y., Dai, Y., Yu, X., Shi, Y.: Nosv: a lightweight nested-virtualization VMM for hosting high performance computing on cloud. J. Syst. Softw. 124, 137–152 (2017)

  31. Schinianakis, D., Trapero, R., Michalopoulos, D.S., Crespo, B.G.: Security considerations in 5G networks: a slice-aware trust zone approach. In: IEEE WCNC, pp. 1–8 (2019)

  32. Shepovalov, M., Akella, V.: FPGA and GPU-based acceleration of ML workloads on Amazon cloud - a case study using gradient boosted decision tree library. Integration 70, 1–9 (2020)

  33. Shu, R., Gu, X., Enck, W.: A study of security vulnerabilities on Docker Hub. In: Proceedings of 7th ACM CODASPY, pp. 269–280 (2017)

  34. Tarafdar, N., Eskandari, N., Lin, T., Chow, P.: Designing for FPGAs in the cloud. IEEE Des. Test 35(1), 23–29 (2018)

  35. Tian, C.X., Pan, A., Tay, Y.C.: ConHub: a metadata management system for Docker containers. In: Proceedings of 25th ACM International Conference on Information and Knowledge Management, CIKM 2016, pp. 2453–2455 (2016)

  36. Villari, M., Fazio, M., Dustdar, S., Rana, O., Jha, D.N., Ranjan, R.: Osmosis: the osmotic computing platform for microelements in the cloud, edge, and Internet of Things. IEEE Comput. 52(8), 14–26 (2019)

  37. Yeh, T., Chen, H., Chou, J.: KubeShare: a framework to manage GPUs as first-class and shared resources in container cloud. In: 29th International Symposium High-Performance Parallel and Distributed Computing, pp. 173–184. ACM (2020)

  38. Zhao, N., et al.: Large-scale analysis of the Docker Hub dataset. In: 2019 IEEE International Conference on Cluster Computing, Cluster, pp. 1–10 (2019)

Author information

Correspondence to Valerio Schiavoni .


Copyright information

© 2021 IFIP International Federation for Information Processing

About this paper


Cite this paper

Gkikopoulos, P., Schiavoni, V., Spillner, J. (2021). Analysis and Improvement of Heterogeneous Hardware Support in Docker Images. In: Matos, M., Greve, F. (eds) Distributed Applications and Interoperable Systems. DAIS 2021. Lecture Notes in Computer Science, vol 12718. Springer, Cham. https://doi.org/10.1007/978-3-030-78198-9_9

  • DOI: https://doi.org/10.1007/978-3-030-78198-9_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-78197-2

  • Online ISBN: 978-3-030-78198-9

  • eBook Packages: Computer Science (R0)
