
Containers’ Privacy and Data Protection via Runtime Scanning Methods

  • Conference paper
  • First Online:
Broadband Communications, Networks, and Systems (BROADNETS 2021)

Abstract

Docker containers’ privacy and data protection is a critical issue. Unfortunately, existing works overlook runtime scanning methods. This paper proposes a novel lightweight and rapid scanning model under a framework that covers assertion techniques during the container’s runtime, defined as the vulnerability scanning framework (VSF). Our framework includes identifying vulnerabilities, scanning security exposures, conducting analysis, and delivering call-back notifications to the requestor asynchronously. In addition, the proposed scanning model is compared against other tools with similar and complementary objectives. The framework is modeled using the nmap scripting engine (NSE) for its active scanning building block. It applies network port scanning and security assertion techniques to rapidly discover security vulnerabilities in a running Docker container environment, serving as a security engine for a proactive testing approach. It also provides an active trust model developed for Docker containers that classifies containers as black-listed or grey-listed. It was developed over a framework for DevSecOps environments, with DevOps teams as the persona for its adoption. The empirical case studies demonstrate the capability of our scanning model in standalone, CI/CD pipeline, and containerized security environments. The case studies revealed no tangible difference in performance, but flexibility driven by the modeled architecture. The experiments presented a velocity of \( 1.15\ \frac{\text{scans}}{\text{sec}} \). However, the execution time is directly proportional to the complexity of the vulnerability in the Docker ecosystem and its related attack vector complexity. Its core capability resides in the artifacts developed as part of the Art per relevant CVE via nmap NSE scripts.
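As an added illustration (not the paper's code; the VSF implementation itself is not reproduced on this page), the following Python sketch shows the pipeline the abstract describes: service findings observed on running containers, a set of security assertions evaluated over them, a black-listed/grey-listed/trusted verdict per container, a scans-per-second velocity figure, and an asynchronous call-back to the requestor. The paper's assertions live in nmap NSE scripts; this sketch replaces them with plain Python predicates. The rule set, the advisory table (including its CVE placeholder), the container names and the expected-port inventory are all constructed for the example. The only real-world facts used are Docker's default daemon ports: 2375 for plain TCP and 2376 for TLS.

```python
"""Runtime container scan model: findings -> assertions -> trust verdict -> async callback.
Illustrative code written for this page; not the VSF implementation from the paper."""
import asyncio
import time
from dataclasses import dataclass
from typing import Awaitable, Callable


@dataclass(frozen=True)
class ServiceFinding:
    """One service observed on a running container, as a port/version probe would report it."""
    container: str
    port: int
    service: str
    version: str


@dataclass(frozen=True)
class Assertion:
    """A security assertion; it 'fails' for a finding when `matches` returns True."""
    name: str
    severity: str                            # "high" -> black-list, "low" -> grey-list
    matches: Callable[[ServiceFinding], bool]


# Constructed inventory of which ports each container is supposed to expose.
EXPECTED_PORTS = {"ci-jenkins": {8080}, "web": {80}, "db": {5432}}

# Constructed advisory table: (service, version) -> advisory id. Placeholder, not real CVE data.
ADVISORIES = {("jenkins", "2.60.3"): "CVE-PLACEHOLDER-JENKINS"}

# Constructed rule set standing in for the paper's per-CVE NSE scripts.
ASSERTIONS = [
    # Docker daemon reachable on its plain-TCP port (2375) rather than the TLS port (2376).
    Assertion("docker-daemon-plaintext-tcp", "high",
              lambda f: f.service == "docker" and f.port == 2375),
    Assertion("known-vulnerable-version", "high",
              lambda f: (f.service, f.version) in ADVISORIES),
    Assertion("unexpected-exposed-port", "low",
              lambda f: f.port not in EXPECTED_PORTS.get(f.container, set())),
]


def scan_container(container: str, findings: list[ServiceFinding]) -> dict:
    """Evaluate every assertion over one container's findings and derive its trust verdict."""
    failed = [(a.name, a.severity, f.port)
              for f in findings if f.container == container
              for a in ASSERTIONS if a.matches(f)]
    if any(sev == "high" for _, sev, _ in failed):
        verdict = "black-listed"       # at least one high-severity assertion failed
    elif failed:
        verdict = "grey-listed"        # only low-severity assertions failed
    else:
        verdict = "trusted"
    return {"container": container, "verdict": verdict, "failed": failed}


async def scan_and_notify(findings: list[ServiceFinding],
                          callback: Callable[[dict], Awaitable[None]]) -> dict:
    """Scan every container in the findings, then call the requestor back asynchronously."""
    containers = sorted({f.container for f in findings})
    start = time.perf_counter()
    reports = [scan_container(c, findings) for c in containers]
    elapsed = max(time.perf_counter() - start, 1e-9)   # guard against a zero-length interval
    summary = {"reports": reports, "scans_per_sec": len(reports) / elapsed}
    await asyncio.gather(*(callback(r) for r in reports))
    return summary


# Constructed sample findings, as a port/version scan of three running containers might yield.
SAMPLE_FINDINGS = [
    ServiceFinding("ci-jenkins", 8080, "jenkins", "2.60.3"),
    ServiceFinding("ci-jenkins", 2375, "docker", "unknown"),
    ServiceFinding("web", 80, "nginx", "1.21"),
    ServiceFinding("web", 9000, "unknown", ""),
    ServiceFinding("db", 5432, "postgresql", "13"),
]


def run_demo() -> tuple[dict, list[str]]:
    """Run the pipeline over the sample findings; return the summary and the callbacks received."""
    received: list[str] = []

    async def requestor_callback(report: dict) -> None:
        received.append(report["container"])   # the requestor's side of the async notification

    summary = asyncio.run(scan_and_notify(SAMPLE_FINDINGS, requestor_callback))
    return summary, received


if __name__ == "__main__":
    summary, received = run_demo()
    for report in summary["reports"]:
        print(report["container"], report["verdict"], report["failed"])
    print(f"velocity: {summary['scans_per_sec']:.2f} scans/sec; notified: {received}")
```

With the sample data, `ci-jenkins` is black-listed (plain-TCP daemon port plus a version listed in the placeholder advisory table), `web` is grey-listed (one unexpected port, low severity), and `db` is trusted. The velocity figure is whatever the host delivers and is not comparable to the paper's 1.15 scans/sec, since these predicates do no network I/O.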


Notes

  1. docker.io/jenkins:2.60.3.


Author information

Correspondence to Francisco Rojo.


Copyright information

© 2022 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering


Cite this paper

Rojo, F., Pan, L. (2022). Containers’ Privacy and Data Protection via Runtime Scanning Methods. In: Xiang, W., Han, F., Phan, T.K. (eds) Broadband Communications, Networks, and Systems. BROADNETS 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 413. Springer, Cham. https://doi.org/10.1007/978-3-030-93479-8_3


  • DOI: https://doi.org/10.1007/978-3-030-93479-8_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-93478-1

  • Online ISBN: 978-3-030-93479-8

  • eBook Packages: Computer Science (R0)
