Evaluating Container Debloaters

Muhammad Hassan, Talha Tahir, Muhammad Farrukh, Abdullah Naveed, Anas Naeem, Fareed Zaffar, Fahad Shaon, Ashish Gehani, Sazzadur Rahaman

Research output: Chapter in Book/Report/Conference proceedingConference contribution

3 Scopus citations

Abstract

DOCKER containers have been widely used by organizations because they are lightweight and single hardware can run multiple instances of a container. However, this ease of virtualization comes with weaker isolation as compared to virtual machines. A compromised container can allow the attacker to escape to the host and gain privileged access. Several approaches have been developed to reduce the attack surface of containers either through the reduction of system calls or through slimming container images. Unfortunately, measuring the performance of container debloaters is challenging as there exists no platform for this purpose. This paper aims to address this gap, by building a unified platform to benchmark them.Currently, our benchmark includes 7 workload applications, and 3 container debloaters, i.e., SPEAKER, CONFINE (syscalls reduction tools), and SLIMTOOLKIT (image size reduction tool). We added several evaluation metrics in the framework, which include category-based system call reduction, CVEs mitigated, size reduction, and execution correctness.Our evaluation revealed interesting insights into the existing techniques. Both the system call reduction tools were able to produce correct debloated containers as compared to SLIMTOOLKIT (tool to reduce image size) which worked well too by reducing almost 79 percent of the size of the image but it failed to produce correct results on 2 out of 7 applications.

Original languageEnglish (US)
Title of host publicationProceedings - 2023 IEEE Secure Development Conference, SecDev 2023
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages88-98
Number of pages11
ISBN (Electronic)9798350331325
DOIs
StatePublished - 2023
Event2023 IEEE Secure Development Conference, SecDev 2023 - Atlanta, United States
Duration: Oct 18 2023Oct 20 2023

Publication series

NameProceedings - 2023 IEEE Secure Development Conference, SecDev 2023

Conference

Conference2023 IEEE Secure Development Conference, SecDev 2023
Country/TerritoryUnited States
CityAtlanta
Period10/18/2310/20/23

Keywords

  • Benchmark
  • Container Debloating

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications
  • Software

Fingerprint

Dive into the research topics of 'Evaluating Container Debloaters'. Together they form a unique fingerprint.

Cite this