Docker has become increasingly popular because it provides efficient containers that are run directly by the host kernel. Docker Hub is one of the most popular Docker image repositories: millions of images have been downloaded from it billions of times. However, in the past several years a number of high-profile attacks that exploit this key channel of image distribution have been reported, and it is still unclear what security risks the new ecosystem brings. In this paper, we reveal, characterize, and understand the security issues with Docker Hub by performing the first large-scale analysis. First, we uncover multiple security-critical aspects of Docker images with an empirical but comprehensive analysis, covering sensitive parameters in run-commands, the programs executed in Docker images, and vulnerabilities in the contained software. Second, we conduct a large-scale and in-depth security analysis of Docker images. We collect 2,227,244 Docker images and the associated meta-information from Docker Hub. This dataset enables us to discover many insightful findings. (1) Run-commands with sensitive parameters can expose users and the host to disastrous harm, such as the leakage of host files and display, and denial-of-service attacks against the host. (2) We uncover 42 malicious images that can cause attacks such as remote code execution and malicious cryptomining. (3) Vulnerability patching of software in Docker images is significantly delayed or even ignored. We believe that our measurement and analysis serve as an important first-step study on the security issues with Docker Hub, which calls for future efforts on the protection of the new Docker ecosystem.
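As an added illustration of the abstract's first finding (example code written for this page, not code from the paper or its dataset), the checker below parses a `docker run` line and groups its sensitive parameters by the kind of host-side harm the abstract names: host file exposure, display exposure, and denial of service against the host. The set of flags it inspects, the category assignment, and the sample commands are this example's own assumptions.

```python
import shlex
from typing import Dict, Iterator, List, Optional, Tuple

# Flags that consume the following token when not written as --flag=value.
# This set is the example's own assumption and covers only common cases.
VALUE_FLAGS = {"-v", "--volume", "--mount", "--device", "-e", "--env", "-p", "--publish",
               "--pid", "--ipc", "--network", "--net", "--name", "-u", "--user",
               "-m", "--memory", "--cpus", "--cap-add", "--security-opt"}

def iter_flags(cmd: str) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (flag, value) pairs from a `docker run ...` line, stopping at the
    image name; boolean flags such as -d or -it yield a value of None."""
    argv = shlex.split(cmd)
    i = 2 if argv[:2] == ["docker", "run"] else 0
    while i < len(argv) and argv[i].startswith("-"):
        tok = argv[i]
        if tok.startswith("--") and "=" in tok:
            flag, val = tok.split("=", 1)
        elif tok in VALUE_FLAGS and i + 1 < len(argv):
            flag, val, i = tok, argv[i + 1], i + 1
        else:
            flag, val = tok, None
        yield flag, val
        i += 1

def classify_run_command(cmd: str) -> Dict[str, List[str]]:
    """Group the sensitive parameters of one run-command by the host-side harm
    they enable: host file exposure, display exposure, or host denial of service."""
    found: Dict[str, List[str]] = {"host_files": [], "display": [], "host_dos": []}
    for flag, val in iter_flags(cmd):
        shown = flag if val is None else f"{flag} {val}"
        if flag in ("-v", "--volume") and val and val.startswith("/"):
            # An absolute source is a host bind mount; the X11 socket exposes the display.
            key = "display" if val.startswith("/tmp/.X11-unix") else "host_files"
            found[key].append(shown)
        elif flag == "--mount" and val and ("source=/" in val or "src=/" in val):
            found["host_files"].append(shown)      # bind mount of a host path
        elif flag == "--device":
            found["host_files"].append(shown)      # raw host device, e.g. a disk
        elif flag == "--privileged":
            found["host_files"].append(shown)      # every host device becomes reachable
            found["host_dos"].append(shown)        # and the kernel is fully exposed
        elif flag == "--pid" and val == "host":
            found["host_dos"].append(shown)        # container can see and signal host processes
    return found

def is_sensitive(cmd: str) -> bool:
    """True when any category of sensitive parameter was found."""
    return any(classify_run_command(cmd).values())
```

Run over the run-commands scraped from an image's Docker Hub description, `is_sensitive` gives a first triage signal and `classify_run_command` explains which of the three harms the page describes the image's instructions would invite.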
| Field | Value |
|---|---|
| Original language | English (US) |
| Title of host publication | Computer Security – ESORICS 2020 - 25th European Symposium on Research in Computer Security, Proceedings |
| Editors | Liqun Chen, Steve Schneider, Ninghui Li, Kaitai Liang |
| Publisher | Springer Science and Business Media Deutschland GmbH |
| Number of pages | 20 |
| State | Published - 2020 |
| Event | 25th European Symposium on Research in Computer Security, ESORICS 2020 - Guildford, United Kingdom; Duration: Sep 14 2020 → Sep 18 2020 |
| Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
| Conference | 25th European Symposium on Research in Computer Security, ESORICS 2020 |
| Period | 9/14/20 → 9/18/20 |
Bibliographical note

Funding Information: Acknowledgements. This work was partly supported by the Zhejiang Provincial Natural Science Foundation for Distinguished Young Scholars under No. LR19F020003, the National Key Research and Development Program of China under No. 2018YFB0804102, NSFC under No. 61772466, U1936215, and U1836202, the Zhejiang Provincial Key R&D Program under No. 2019C01055, and the Ant Financial Research Funding.