An Empirical Study of Docker Vulnerabilities and of Static Code Analysis Applicability

Resumo

Containers are a lighter solution to traditional virtualization, avoiding the overhead of starting and configuring the virtual machines. Docker is very popular due to its portability, ease of deployment and configuration. However, the security problems that it may have are still not completely understood. This paper aims at understanding Docker security vulnerabilities and what could have been done to avoid them. For this, we performed a detailed analysis of the security reports and respective vulnerabilities, systematizing them according to causes, effects, and consequences. Then, we analyzed the applicability of static code analyzers in Docker codebase, trying to understand, in hindsight, the usefulness of tools reports. For a deeper understanding, we analyzed concrete exploits for some vulnerabilities. The results show a prevalence of bypass and gain privileges, and that the used tools are rather ineffective, not helping to identify the analyzed vulnerabilities. We also observed that some vulnerabilities would be easy to find using robustness or penetration testing, while others would be really challenging.