Analysis and Improvement of Heterogeneous Hardware Support in Docker Images
arXiv - CS - Cryptography and Security. Pub Date: 2021-05-06, DOI: arxiv-2105.02606. Panagiotis Gkikopoulos, Valerio Schiavoni, Josef Spillner
Docker images are used to distribute and deploy cloud-native applications in
containerised form. A container engine runs them with separated privileges
according to namespaces. Recent studies have investigated security
vulnerabilities and runtime characteristics of Docker images. In contrast,
little is known about the extent of hardware-dependent features in them such as
processor-specific trusted execution environments, graphics acceleration or
extension boards. This problem can be generalised to missing knowledge about
the extent of any hardware-bound instructions within the images that may
require elevated privileges. We first conduct a systematic one-year evolution
analysis of a sample of Docker images concerning their use of hardware-specific
features. To improve the state of technology, we contribute novel tools to
manage such images. Our heuristic hardware dependency detector and a
hardware-aware Docker executor give early warnings upon missing dependencies
instead of leading to silent or untimely failures. Our dataset and tools are
released to the research community.
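As an added illustration, not the paper's own detector, dataset or executor, the snippet below runs a small heuristic scan over a constructed Dockerfile, flags hardware-bound dependencies by category (GPU, TEE, raw device access, extension boards) and emits a warning up front when the host lacks that hardware, instead of letting the container fail silently at runtime. The indicator patterns, category names and the sample Dockerfile are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Illustrative indicator patterns (assumed for this example). A real detector
# would use a far richer, curated list and also inspect image layers.
HARDWARE_HINTS = {
    "gpu": [r"\bnvidia\b", r"\bcuda\b", r"/dev/nvidia", r"\brocm\b"],
    "tee": [r"sgx", r"/dev/isgx", r"\bsev\b", r"\btrustzone\b"],
    # Any /dev node other than the harmless pseudo-devices counts as device access.
    "device": [r"/dev/(?!null|zero|urandom|random|stdin|stdout|stderr)\w+"],
    "extension_board": [r"\bfpga\b", r"\bopencl\b", r"/dev/xilinx"],
}

@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    evidence: str

def scan_dockerfile(text: str) -> list[Finding]:
    """Return one Finding per (line, category) whose text matches a hint."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for category, patterns in HARDWARE_HINTS.items():
            for pat in patterns:
                m = re.search(pat, line, re.IGNORECASE)
                if m:
                    findings.append(Finding(no, category, m.group(0)))
                    break  # one finding per category per line is enough
    return findings

def early_warnings(findings: list[Finding], available: set[str]) -> list[str]:
    """Warn, before the container starts, for each needed category the host lacks."""
    needed = {f.category for f in findings}
    return sorted(f"missing hardware support: {c}" for c in needed - available)

# Constructed sample Dockerfile: a GPU base image that also pulls in SGX bits.
SAMPLE_DOCKERFILE = """\
FROM nvidia/cuda:11.2.0-base
RUN apt-get update && apt-get install -y libsgx-enclave-common
COPY app /app
CMD ["/app/run", "--device", "/dev/sgx_enclave"]
"""

if __name__ == "__main__":
    found = scan_dockerfile(SAMPLE_DOCKERFILE)
    for f in found:
        print(f"line {f.line_no}: {f.category} ({f.evidence})")
    for w in early_warnings(found, available={"gpu"}):  # host has a GPU only
        print("WARNING:", w)
```

Running it on a host that exposes only a GPU prints the TEE and device-access findings as warnings before any `docker run` is attempted.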
Updated: 2021-05-07
Docker映像用于以容器化形式分发和部署云原生应用程序。容器引擎根据名称空间以单独的特权运行它们。最近的研究调查了Docker映像的安全漏洞和运行时特征。相反,对于其中与硬件相关的功能(例如,特定于处理器的受信任执行环境,图形加速或扩展板)的程度知之甚少。可以将该问题归结为缺少有关映像中可能需要提升特权的任何硬件绑定指令的程度的知识。我们首先对Docker映像样本进行系统的为期一年的演变分析,涉及它们对硬件特定功能的使用。为了改善技术水平,我们提供了新颖的工具来管理此类图像。我们的启发式硬件依赖检测器和硬件感知的Docker执行器会在缺少依赖项时发出早期警告,而不是导致静默或不合时宜的故障。我们的数据集和工具已发布给研究社区。