Security in Docker images: a study of static analysis tools

  • Yuri R. Fialho (UnB)
  • Jacir L. Bordim (UnB)

Abstract

Container technology has seen massive adoption in recent years, with Docker being one of the most widely used. Docker uses the concept of images, which it stores hierarchically to improve reuse. Despite their benefits, images can contain security vulnerabilities, and when these are left untreated the applications built on them carry potential risk. Although several static analysis tools exist to identify vulnerabilities in images, their advantages and shortcomings are not clear, which makes selecting a suitable tool quite challenging. This work evaluates the performance of four solutions popular in the literature: Anchore Grype, Clair, Dagda and Snyk. The evaluation considers their ability to identify vulnerabilities and their usability. Using a set of known vulnerabilities present in the images as a baseline (control), the tools are compared against each other. The results show that Anchore Grype obtained the best result among the evaluated tools, with an identification rate (TIV) of 23% of the vulnerabilities in the control set. Among the tools, Anchore Grype found twice as many vulnerabilities as the second-best alternative.
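As an added example (not code from the paper), a small Python harness that computes the identification rate (TIV) the abstract describes: the fraction of a control set of known vulnerabilities that each scanner reports, plus which control entries every scanner missed. The control set, the tool names and the scanner reports are constructed placeholder data, not the paper's results.

```python
"""Constructed harness for comparing image scanners against a control set."""
from typing import Dict, List, Set

# Constructed control set: CVE ids assumed to be present in the test image.
# Placeholder identifiers for illustration only, not findings from the paper.
CONTROL: Set[str] = {f"CVE-2020-{n:04d}" for n in range(1, 11)}  # 10 ids

# Constructed scanner reports: each (hypothetical) tool -> set of CVE ids it flagged.
REPORTS: Dict[str, Set[str]] = {
    "tool_a": {"CVE-2020-0001", "CVE-2020-0002", "CVE-2020-0003",
               "CVE-2020-0004", "CVE-2019-9999"},
    "tool_b": {"CVE-2020-0001", "CVE-2020-0002"},
    "tool_c": {"CVE-2020-0001", "CVE-2018-0001"},
    "tool_d": set(),  # a scanner that found nothing in the image
}


def tiv(found: Set[str], control: Set[str]) -> float:
    """Identification rate: fraction of the control set that the tool reported."""
    if not control:
        raise ValueError("control set must not be empty")
    return len(found & control) / len(control)


def evaluate(reports: Dict[str, Set[str]], control: Set[str]) -> Dict[str, dict]:
    """Per-tool TIV, hits, misses and extras.

    'extra' entries are flagged ids outside the control set. Because the control
    set is only a baseline of *known* vulnerabilities, extras are not necessarily
    false positives; they need manual review before being counted either way.
    """
    return {
        tool: {
            "tiv": tiv(found, control),
            "hits": sorted(found & control),
            "missed": sorted(control - found),
            "extra": sorted(found - control),
        }
        for tool, found in reports.items()
    }


def rank(results: Dict[str, dict]) -> List[str]:
    """Tool names ordered from highest to lowest TIV."""
    return sorted(results, key=lambda t: results[t]["tiv"], reverse=True)


def missed_by_all(reports: Dict[str, Set[str]], control: Set[str]) -> List[str]:
    """Control vulnerabilities that no scanner reported (gaps in all feeds)."""
    return sorted(control - set().union(*reports.values()))


if __name__ == "__main__":
    res = evaluate(REPORTS, CONTROL)
    for tool in rank(res):
        print(f"{tool}: TIV={res[tool]['tiv']:.0%} extra={res[tool]['extra']}")
    print("missed by every tool:", missed_by_all(REPORTS, CONTROL))
```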

Published
16/08/2021
FIALHO, Yuri R.; BORDIM, Jacir L. Segurança em imagens Docker: um estudo de ferramentas de análise estática. In: WORKSHOP DE GERÊNCIA E OPERAÇÃO DE REDES E SERVIÇOS (WGRS), 26., 2021, Uberlândia. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2021. p. 138-151. ISSN 2595-2722. DOI: https://doi.org/10.5753/wgrs.2021.17191.