Alan Mills
Longitudinal risk-based security assessment of docker software container images
Mills, Alan; White, Jonathan; Legg, Phil
Authors
Jonathan White Jonathan6.White@uwe.ac.uk
Senior Lecturer in Cyber Security
Professor Phil Legg Phil.Legg@uwe.ac.uk
Professor in Cyber Security
Abstract
As the use of software containerisation has increased, so too has the need for security research on its usage, with various surveys and studies conducted to assess the overall security posture of software container images. To date, there has been very little work that has taken a longitudinal view of container security to observe whether vulnerabilities are being resolved over time, as well as understanding the real-world implications of reported vulnerabilities, to assess the evolving security posture. In this work, we study the evolution of 380 software container images across 3 analysis periods between July 2022 and January 2023 to analyse maintenance and vulnerability factors over time. We sample across the 3 DockerHub categories: Official, Verified and OSS (Sponsored) Open Source Software. We found that the number of vulnerabilities present increased over time despite many containers receiving regular updates from providers. We also found that the choice of container OS can dramatically impact the number of reported vulnerabilities present over time, with Debian-based images typically having many more vulnerabilities than other Linux distributions, and with some containers still reporting vulnerabilities that date back as far as 1999. However, when taking into account additional reported attributes such as the attack vector required and the existence of a public exploit rated higher than negligible, we found that for each analysis period, less than 1% of all vulnerabilities present what we would consider as high-risk real-world impact. Through our investigation, we aim to improve the understanding of the threat landscape posed by software containerisation, which is further complicated by the discrepancies between different vulnerability reporting tools.
Citation
Mills, A., White, J., & Legg, P. (2023). Longitudinal risk-based security assessment of docker software container images. Computers and Security, 135, Article 103478. https://doi.org/10.1016/j.cose.2023.103478
| Field | Value |
|---|---|
| Journal Article Type | Article |
| Acceptance Date | Sep 7, 2023 |
| Online Publication Date | Sep 14, 2023 |
| Publication Date | Dec 31, 2023 |
| Deposit Date | Sep 8, 2023 |
| Publicly Available Date | Nov 8, 2023 |
| Journal | Computers and Security |
| Print ISSN | 0167-4048 |
| Publisher | Elsevier |
| Peer Reviewed | Peer Reviewed |
| Volume | 135 |
| Article Number | 103478 |
| Series ISSN | 0167-4048 |
| DOI | https://doi.org/10.1016/j.cose.2023.103478 |
| Keywords | Container Security, Vulnerability Analysis, CVE |
| Public URL | https://uwe-repository.worktribe.com/output/11084139 |
Files
Longitudinal risk-based security assessment of docker software container images (PDF, 2.9 MB)
Licence
http://creativecommons.org/licenses/by/4.0/
Publisher Licence URL
http://creativecommons.org/licenses/by/4.0/