Analysis and Improvement of Heterogeneous Hardware Support in Docker Images

Part of the Lecture Notes in Computer Science book series (LNCCN, volume 12718)


Docker images are used to distribute and deploy cloud-native applications in containerised form. A container engine runs them with separated privileges according to namespaces. Recent studies have investigated security vulnerabilities and runtime characteristics of Docker images. In contrast, little is known about the extent of hardware-dependent features in them such as processor-specific trusted execution environments, graphics acceleration or extension boards. This problem can be generalised to missing knowledge about the extent of any hardware-bound instructions within the images that may require elevated privileges. We first conduct a systematic one-year evolution analysis of a sample of Docker images concerning their use of hardware-specific features. To improve the state of technology, we contribute novel tools to manage such images. Our heuristic hardware dependency detector and a hardware-aware Docker executor hdocker give early warnings upon missing dependencies instead of leading to silent or untimely failures. Our dataset and tools are released to the research community.


  • Docker
  • Containers
  • Trusted execution
  • Hardware dependencies


  1. Google just recently announced SEV-enabled instances [5], while AWS is introducing Nitro Enclaves, heavily inspired by Intel SGX [1].

  2. Docker Hub:

  3. Red Hat Registry:, Tenable:

  4. 42nd rev

  5.


  1. AWS Nitro Enclaves.

  2. Confidential computing on Azure.

  3. Graphene Secure Container Environment.

  4. Image Manifest Version 2, Schema 2.

  5. Introducing Google Cloud Confidential Computing with Confidential VMs.

  6. NVIDIA Docker: GPU Server Application Deployment Made Easy.

  7. SCONTAIN Homepage.

  8. Amacher, J., Schiavoni, V.: On the performance of ARM TrustZone. In: Pereira, J., Ricci, L. (eds.) DAIS 2019. LNCS, vol. 11534, pp. 133–151. Springer, Cham (2019).

  9. Arnautov, S., et al.: SCONE: secure linux containers with intel SGX. In: 12th USENIX Conference on OSDI, pp. 689–703 (2016)

  10. Ayed, A.B., Subercaze, J., Laforest, F., Chaari, T., Louati, W., Kacem, A.H.: Docker2rdf: lifting the docker registry hub into RDF. In: 2017 IEEE World Congress on Services (SERVICES), pp. 36–39. IEEE (2017)

  11. Binz, T., Breitenbücher, U., Kopp, O., Leymann, F.: TOSCA: portable automated deployment and management of cloud applications. In: Advanced Web Services, pp. 527–549. Springer (2014).

  12. Felber, P., et al.: Secure end-to-end processing of smart metering data. J. Cloud Comput. 8(1), 19 (2019)

  13. Brogi, A., Neri, D., Soldani, J.: DockerFinder: multi-attribute search of docker images. In: IEEE International Conference on Cloud Engineering (IC2E) (2017)

  14. Byrne, A., Nadgowda, S., Coskun, A.: ACE: just-in-time serverless software component discovery through approximate concrete execution. In: Proceedings of Middleware Workshops/Sixth International Workshop on Serverless Computing (WoSC6) (2020)

  15. Carrasco, J., Durán, F., Pimentel, E.: Live migration of trans-cloud applications. Comput. Stand. Interfaces 69, 103392 (2020)

  16. Cho, K., Lee, H., Bang, K., Kim, S.: Possibility of HPC application on cloud infrastructure by container cluster. In: IEEE International Conference on CSE and Computational Science and IEEE International Conference on EUC, pp. 266–271 (2019)

  17. Cito, J., Schermann, G., Wittern, J.E., Leitner, P., Zumberi, S., Gall, H.C.: An empirical analysis of the docker container ecosystem on github. In: IEEE/ACM 14th International Conference on Mining Software Repositories (MSR), pp. 323–333 (2017)

  18. Coppolino, L., D’Antonio, S., Mazzeo, G., Romano, L.: A comprehensive survey of hardware-assisted security: from the edge to the cloud. Internet Things 6, 100055 (2019)

  19. Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptol. ePrint Arch. 2016(86), 1–118 (2016)

  20. Di Martino, B.: Applications portability and services interoperability among multiple clouds. IEEE Cloud Comput. 1(1), 74–77 (2014)

  21. Florin, R., Ionut, R.: FPGA based architecture for securing IoT with blockchain. In: International Conference on Speech Technology and Human-Computer Dialogue, SpeD 2019, pp. 1–8. IEEE (2019)

  22. Herardian, R.: The soft underbelly of cloud security. IEEE Secur. Privacy 17(3), 90–93 (2019)

  23. Johnson, S., Rizzo, D., Ranganathan, P., McCune, J., Ho, R.: Titan: enabling a transparent silicon root of trust for cloud. In: Hot Chips: a Symposium on High Performance Chips (2018)

  24. Kaplan, D., Powell, J., Woller, T.: AMD memory encryption. White paper (2016)

  25. Mao, Y., Oak, J., Pompili, A., Beer, D., Han, T., Hu, P.: DRAPS: Dynamic and Resource-Aware Placement Scheme for Docker Containers in a Heterogeneous Cluster. CoRR abs/1805.08598 (2018).

  26. Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., Rajarajan, M.: A survey of intrusion detection techniques in cloud. J. Netw. Comput. Appl. 36(1), 42–57 (2013)

  27. Petcu, D.: Portability and interoperability between clouds: challenges and case study. In: Abramowicz, W., Llorente, I.M., Surridge, M., Zisman, A., Vayssière, J. (eds.) ServiceWave 2011. LNCS, vol. 6994, pp. 62–74. Springer, Heidelberg (2011).

  28. Pinto, S., Santos, N.: Demystifying ARM TrustZone: a comprehensive survey. ACM Comput. Surv. (CSUR) 51(6), 1–36 (2019)

  29. Portabales, A.R., Nores, M.L.: Dockemu: extension of a scalable network simulation framework based on docker and NS3 to cover IoT Scenarios. In: Proceedings 8th International Conference on Simulation and Modeling Methodologies, Technologies and Applications, SIMULTECH 2018, pp. 175–182. SciTePress (2018)

  30. Ren, J., Qi, Y., Dai, Y., Yu, X., Shi, Y.: Nosv: a lightweight nested-virtualization VMM for hosting high performance computing on cloud. J. Syst. Softw. 124, 137–152 (2017)

  31. Schinianakis, D., Trapero, R., Michalopoulos, D.S., Crespo, B.G.: Security considerations in 5G networks: a slice-aware trust zone approach. In: IEEE WCNC, pp. 1–8 (2019)

  32. Shepovalov, M., Akella, V.: FPGA and GPU-based acceleration of ML workloads on Amazon cloud - a case study using gradient boosted decision tree library. Integration 70, 1–9 (2020)

  33. Shu, R., Gu, X., Enck, W.: A study of security vulnerabilities on docker hub. In: Proceedings of 7th ACM CODASPY, pp. 269–280 (2017)

  34. Tarafdar, N., Eskandari, N., Lin, T., Chow, P.: Designing for FPGAs in the cloud. IEEE Des. Test 35(1), 23–29 (2018)

  35. Tian, C.X., Pan, A., Tay, Y.C.: ConHub: a metadata management system for docker containers. In: Proceedings of 25th ACM International Conference on Information and Knowledge Management, CIKM 2016, pp. 2453–2455 (2016)

  36. Villari, M., Fazio, M., Dustdar, S., Rana, O., Jha, D.N., Ranjan, R.: Osmosis: the osmotic computing platform for microelements in the cloud, edge, and Internet of Things. IEEE Comput. 52(8), 14–26 (2019)

  37. Yeh, T., Chen, H., Chou, J.: KubeShare: a framework to manage GPUs as first-class and shared resources in container cloud. In: 29th International Symposium High-Performance Parallel and Distributed Computing, pp. 173–184. ACM (2020)

  38. Zhao, N., et al.: Large-scale analysis of the docker hub dataset. In: 2019 IEEE International Conference on Cluster Computing, Cluster, pp. 1–10 (2019)

Corresponding author

Correspondence to Valerio Schiavoni.

Copyright information

© 2021 IFIP International Federation for Information Processing

Cite this paper

Gkikopoulos, P., Schiavoni, V., Spillner, J. (2021). Analysis and Improvement of Heterogeneous Hardware Support in Docker Images. In: Matos, M., Greve, F. (eds) Distributed Applications and Interoperable Systems. DAIS 2021. Lecture Notes in Computer Science, vol 12718. Springer, Cham.

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-78197-2

  • Online ISBN: 978-3-030-78198-9

  • eBook Packages: Computer Science, Computer Science (R0)