Security in Docker images: a study of static analysis tools
Abstract
Container technology has seen massive adoption over the past years, with Docker being one of the most widely used platforms. Docker builds on the concept of images, which are stored in a layered hierarchy to improve reuse. Despite its benefits, images may contain security vulnerabilities; when these are not addressed, the applications running on them become a potential threat. Although several static analysis tools exist to identify vulnerabilities in images, their advantages and shortcomings are not clear, which makes selecting an appropriate tool difficult. This work evaluates the performance of four popular solutions from the literature: Anchore Grype, Clair, Dagda and Snyk. The evaluation considers both their ability to identify vulnerabilities and their usability. Using a set of known vulnerabilities in the images as a baseline (control), the tools are compared against each other. The results show that Anchore Grype obtained the best result among the evaluated tools, with an identification rate (TIV) of 23% of the vulnerabilities in the control set. Among the tools, Anchore Grype reported over two times more vulnerabilities than the second-best alternative.
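The evaluation method described in the abstract (a control set of known vulnerabilities per image, each scanner's findings matched against it, and an identification rate TIV per tool) can be expressed as a small comparison script. The code below is an added illustration and is not part of the paper or of any of the scanners it evaluates; the CVE identifiers, the line-oriented report format and the `CONTROL`/`REPORTS` data are constructed for the example, and the 23% figure from the study is not reproduced here.

```python
import re
from dataclasses import dataclass, field

# Canonical CVE identifier pattern; scanners differ in case and surrounding text,
# so findings are normalised to upper-case IDs before comparison.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed control set: the known vulnerabilities of one image (placeholder IDs).
CONTROL = [
    "CVE-2021-10001 libfoo 1.2",
    "CVE-2020-20002 libbar 3.0",
    "CVE-2019-30003 libqux 2.0",
    "CVE-2018-40004 libbaz 0.9",
]

# Constructed per-tool reports in a simplified "ID package version severity" line format.
# Note the lower-case ID, a finding outside the control set, and a non-CVE advisory.
REPORTS = {
    "tool_a": [
        "cve-2021-10001 libfoo 1.2 HIGH",
        "CVE-2018-40004 libbaz 0.9 MEDIUM",
        "CVE-2017-50005 libold 0.1 LOW",
        "GHSA-xxxx-yyyy-zzzz libfoo 1.2 HIGH",
    ],
    "tool_b": [
        "CVE-2019-30003 libqux 2.0 HIGH",
    ],
}


@dataclass
class ToolResult:
    tool: str
    identified: set = field(default_factory=set)  # control CVEs the tool reported
    missed: set = field(default_factory=set)      # control CVEs the tool did not report
    extra: set = field(default_factory=set)       # reported CVEs outside the control set
    tiv: float = 0.0                              # identification rate: |identified| / |control|


def normalise_ids(findings):
    """Extract canonical CVE IDs from raw finding lines, dropping non-CVE entries."""
    ids = set()
    for line in findings:
        match = CVE_RE.search(line)
        if match:
            ids.add(match.group(0).upper())
    return ids


def evaluate(control, reports):
    """Compare each tool's findings with the control set and compute its TIV."""
    control_ids = normalise_ids(control)
    results = {}
    for tool, raw in reports.items():
        found = normalise_ids(raw)
        identified = found & control_ids
        tiv = len(identified) / len(control_ids) if control_ids else 0.0
        results[tool] = ToolResult(
            tool=tool,
            identified=identified,
            missed=control_ids - found,
            extra=found - control_ids,
            tiv=tiv,
        )
    return results


def rank(results):
    """Order tool names by TIV, highest first (ties broken by name for determinism)."""
    return [r.tool for r in sorted(results.values(), key=lambda r: (-r.tiv, r.tool))]


if __name__ == "__main__":
    res = evaluate(CONTROL, REPORTS)
    for name in rank(res):
        r = res[name]
        print(f"{name}: TIV={r.tiv:.0%} identified={sorted(r.identified)} "
              f"missed={sorted(r.missed)} extra={sorted(r.extra)}")
```

Keeping the `extra` set separate from TIV matters: a scanner that reports many findings is not necessarily better at covering the known baseline, which is why the abstract reports both the identification rate and the total number of vulnerabilities each tool raised.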
