TY - GEN
T1 - Evaluating Container Debloaters
AU - Hassan, Muhammad
AU - Tahir, Talha
AU - Farrukh, Muhammad
AU - Naveed, Abdullah
AU - Naeem, Anas
AU - Zaffar, Fareed
AU - Shaon, Fahad
AU - Gehani, Ashish
AU - Rahaman, Sazzadur
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - DOCKER containers have been widely used by organizations because they are lightweight and a single piece of hardware can run multiple instances of a container. However, this ease of virtualization comes with weaker isolation compared to virtual machines. A compromised container can allow the attacker to escape to the host and gain privileged access. Several approaches have been developed to reduce the attack surface of containers, either through the reduction of system calls or through slimming container images. Unfortunately, measuring the performance of container debloaters is challenging, as there exists no platform for this purpose. This paper aims to address this gap by building a unified platform to benchmark them. Currently, our benchmark includes 7 workload applications and 3 container debloaters, i.e., SPEAKER and CONFINE (syscall reduction tools) and SLIMTOOLKIT (an image size reduction tool). We added several evaluation metrics to the framework, which include category-based system call reduction, CVEs mitigated, size reduction, and execution correctness. Our evaluation revealed interesting insights into the existing techniques. Both system call reduction tools were able to produce correct debloated containers, whereas SLIMTOOLKIT (the tool to reduce image size) also worked well, reducing the image size by almost 79 percent, but failed to produce correct results on 2 out of 7 applications.
KW - Benchmark
KW - Container Debloating
UR - http://www.scopus.com/inward/record.url?scp=85179181451&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85179181451&partnerID=8YFLogxK
U2 - 10.1109/SecDev56634.2023.00023
DO - 10.1109/SecDev56634.2023.00023
M3 - Conference contribution
AN - SCOPUS:85179181451
T3 - Proceedings - 2023 IEEE Secure Development Conference, SecDev 2023
SP - 88
EP - 98
BT - Proceedings - 2023 IEEE Secure Development Conference, SecDev 2023
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2023 IEEE Secure Development Conference, SecDev 2023
Y2 - 18 October 2023 through 20 October 2023
ER -