Skip to main content
Springer Nature Link
Log in

Hardening Containers with Static and Dynamic Analysis

  • Conference paper
  • First Online:
Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media

Part of the book series: Springer Proceedings in Complexity ((SPCOM))

  • 626 Accesses

Abstract

Containers are a popular technology that helps build portable and scalable applications. They use lightweight virtualization that wraps an application with all its dependencies, binaries and libraries. They are also isolated, and therefore, useful in systems that host multiple applications. The security of these containers is an important, yet widely overlooked, aspect of container deployment and maintenance. Since the use of containers is extensive and only growing, a weak security framework can lead to vulnerable containers and in some cases, vulnerable hosts as well. Though guidelines such as the CIS benchmark exist, they are too broad as they harden the entire container without accounting for the compatibility of the security measures with the functionality of the application. It is often observed that on hardening the container, the functionality is hindered and the container, though now secure, is unable to perform the task it was created for. Thus, selecting which parts of the benchmark to apply and which to skip is a crucial part of developing a hardening policy. This paper deals with hardening containers, specifically those provided by a company that we shall not name. This is done by analyzing the image statically (before it is deployed) and then dynamically (while it is running). The results are then used and analyzed to create a hardening policy for the containers.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Jagelid, M.: Container vulnerability scanners: an analysis [Internet] [Dissertation]. (KTH ) (TRITA-EECS-EX) (2020). http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-279967

  2. Sultan, S., Ahmad, I., Dimitriou, T.: Container security: issues, challenges, and the road ahead. IEEE Access 7, 52976–52996 (2019). https://doi.org/10.1109/ACCESS.2019.2911732

    Article  Google Scholar 

  3. X. Wang, Q., Shen, W., Luo, P., Wu.: RSDS: Getting System Call Whitelist for Container Through Dynamic and Static Analysis. In: 2020 IEEE 13th International Conference on Cloud Computing (CLOUD), pp. 600–608, (2020) https://doi.org/10.1109/CLOUD49709.2020.00089

  4. Gantikow, Holger, Reich, Christoph, Knahl, Martin, Clarke, Nathan. Rule-based Security Monitoring of Containerized Workloads. 543–550. (2019) https://doi.org/10.5220/0007770005430550

  5. https://docs.docker.com/engine/security/seccomp/

  6. https://en.wikipedia.org/wiki/Linux_Security_Modules

  7. https://www.redhat.com/en/topics/linux/what-is-selinux

  8. https://apparmor.net/

  9. Loukidis-Andreou, F., Giannakopoulos, I., Doka K., Koziris, N.:Docker-Sec: A Fully Automated Container Security Enhancement Mechanism. In: 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS), pp. 1561–1564, (2018) https://doi.org/10.1109/ICDCS.2018.00169.

  10. Anchore: https://github.com/anchore/anchore-engine

  11. Aqua Security: https://github.com/aquasecurity/trivy

  12. Claire: https://www.redhat.com/en/topics/containers/what-is-clair

  13. https://sysdig.com/

  14. https://falco.org/

  15. Ghavamnia, Seyedhamed, Palit, Tapti, Benameur, Azzedine, Polychronakis, Michalis. Confine: Automated system call policy generation for container attack surface reduction (2020)

    Google Scholar 

  16. Docker Bench Security: https://github.com/docker/docker-bench- security

  17. CIS benchmarks: https://www.cisecurity.org/benchmark/docker/

  18. https://opensource.com/article/18/8/tools-container-security

  19. https://medium.com/karthi.net/8-best-docker-security-tools- de7f514aa94d

Download references

Author information

Authors and Affiliations

  1. PES University, Bengaluru, KA, 560085, India

    Sachet Rajat Kumar Patil, Neil John, Poorvi Sameep Kunja, Anushka Dwivedi, S. Suganthi & Prasad B. Honnnavali

Authors
  1. Sachet Rajat Kumar Patil
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Neil John
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Poorvi Sameep Kunja
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Anushka Dwivedi
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. S. Suganthi
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Prasad B. Honnnavali
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Sachet Rajat Kumar Patil .

Editor information

Editors and Affiliations

  1. Research Series Ltd, London, UK

    Cyril Onwubiko

  2. Dublin City University, Dublin, Ireland

    Pierangelo Rosati

  3. Temple University, Philadelphia, PA, USA

    Aunshul Rege

  4. University of Oxford, Oxford, UK

    Arnau Erola

  5. Lupovis, Glasgow, UK

    Xavier Bellekens

  6. Ain Shams University, Cairo, Egypt

    Hanan Hindy

  7. University of Stavanger, Stavanger, Norway

    Martin Gilje Jaatun

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Patil, S.R.K., John, N., Kunja, P.S., Dwivedi, A., Suganthi, S., Honnnavali, P.B. (2023). Hardening Containers with Static and Dynamic Analysis. In: Onwubiko, C., et al. Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media. Springer Proceedings in Complexity. Springer, Singapore. https://doi.org/10.1007/978-981-19-6414-5_12

Download citation

Publish with us

Policies and ethics