Analysis and Improvement of Heterogeneous Hardware Support in Docker Images
arXiv - CS - Cryptography and Security Pub Date : 2021-05-06 , DOI: arxiv-2105.02606
Panagiotis Gkikopoulos, Valerio Schiavoni, Josef Spillner

Docker images are used to distribute and deploy cloud-native applications in containerised form. A container engine runs them with privileges separated by namespaces. Recent studies have investigated security vulnerabilities and runtime characteristics of Docker images. In contrast, little is known about the extent of hardware-dependent features in them, such as processor-specific trusted execution environments, graphics acceleration or extension boards. This problem can be generalised to missing knowledge about the extent of any hardware-bound instructions within the images that may require elevated privileges. We first conduct a systematic one-year evolution analysis of a sample of Docker images concerning their use of hardware-specific features. To improve the state of technology, we contribute novel tools to manage such images. Our heuristic hardware dependency detector and a hardware-aware Docker executor give early warnings upon missing dependencies instead of leading to silent or untimely failures. Our dataset and tools are released to the research community.
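The abstract describes a heuristic detector that flags hardware dependencies in an image and warns before the container runs rather than letting it fail at runtime. The following is an added example of that idea, written for this page; it is not the detector or executor released by the authors. It scans a Dockerfile for hints of GPU, TEE (SGX) and extension-board dependencies using a small, assumed rule set, compares them against the device nodes the host exposes under /dev, and emits a warning per unsatisfied category. The sample Dockerfile and the host device sets are constructed for illustration.

```python
"""Heuristic hardware-dependency detector for Dockerfiles (added example).

Not the tool from the paper. It looks for hardware hints in Dockerfile
instructions (base image, packages, env vars, device paths), then checks
whether the host exposes a matching device node, so a missing GPU, SGX
driver or serial/I2C board is reported before `docker run` instead of
surfacing as a silent or late failure inside the container.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    category: str   # "gpu", "tee" or "board"
    line_no: int    # 1-based line of the Dockerfile instruction
    evidence: str   # fragment that matched the heuristic


# Assumed, illustrative rule set: category -> (pattern over one instruction,
# host device-path prefixes that would satisfy the dependency).
RULES: Dict[str, Tuple[re.Pattern, Tuple[str, ...]]] = {
    "gpu": (re.compile(r"nvidia/cuda|nvidia-|libcuda|cudnn|NVIDIA_VISIBLE_DEVICES|/dev/nvidia|rocm|/dev/kfd", re.I),
            ("/dev/nvidia", "/dev/kfd", "/dev/dri/renderD")),
    "tee": (re.compile(r"\bsgx\b|libsgx|/dev/isgx|/dev/sgx", re.I),
            ("/dev/sgx", "/dev/isgx")),
    "board": (re.compile(r"/dev/ttyUSB|/dev/ttyACM|/dev/i2c|/dev/spidev|wiringpi|RPi\.GPIO|libusb", re.I),
              ("/dev/ttyUSB", "/dev/ttyACM", "/dev/i2c-", "/dev/spidev")),
}


def parse_instructions(dockerfile: str) -> List[Tuple[int, str]]:
    """Return (first_line_no, text) per instruction, joining backslash continuations, skipping comments."""
    instructions: List[Tuple[int, str]] = []
    current: List[str] = []
    start = None
    for idx, raw in enumerate(dockerfile.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = idx
        if line.endswith("\\"):
            current.append(line[:-1].strip())
            continue
        current.append(line)
        instructions.append((start, " ".join(current)))
        current, start = [], None
    if current:  # unterminated continuation at end of file
        instructions.append((start, " ".join(current)))
    return instructions


def detect_hardware_hints(dockerfile: str) -> List[Finding]:
    """One Finding per (instruction, category) whose heuristic pattern matches."""
    findings = []
    for line_no, text in parse_instructions(dockerfile):
        for category, (pattern, _) in RULES.items():
            match = pattern.search(text)
            if match:
                findings.append(Finding(category, line_no, match.group(0)))
    return findings


def list_host_devices(root: str = "/dev") -> Set[str]:
    """Enumerate device nodes on the running host by walking /dev (no privileges needed to list)."""
    found = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            found.add(os.path.join(dirpath, name))
    return found


def check_host(findings: List[Finding], host_devices: Set[str]) -> List[str]:
    """Return one warning per hardware category the image expects but the host does not expose."""
    warnings = []
    for category in sorted({f.category for f in findings}):
        prefixes = RULES[category][1]
        if not any(dev.startswith(p) for dev in host_devices for p in prefixes):
            lines = sorted({f.line_no for f in findings if f.category == category})
            warnings.append(f"WARNING: image expects {category} hardware (Dockerfile line(s) {lines}) "
                            f"but no host device matching {prefixes} exists; the container would fail at runtime")
    return warnings


# Constructed sample, not from the paper's dataset: a CUDA base image that also pulls in the SGX runtime.
SAMPLE_DOCKERFILE = """\
# constructed example image
FROM nvidia/cuda:11.2.2-runtime-ubuntu20.04
RUN apt-get update && apt-get install -y \\
    libsgx-urts libsgx-enclave-common \\
    python3-pip
ENV NVIDIA_VISIBLE_DEVICES=all
COPY app /app
CMD ["python3", "/app/main.py"]
"""

if __name__ == "__main__":
    hints = detect_hardware_hints(SAMPLE_DOCKERFILE)
    for h in hints:
        print(f"line {h.line_no}: {h.category} hint '{h.evidence}'")
    for w in check_host(hints, list_host_devices()):
        print(w)
```

Run against a real Dockerfile by replacing SAMPLE_DOCKERFILE with its contents; on a host without an SGX driver the sample reports the missing TEE dependency up front, which is exactly the early warning the paper argues for. The prefix-based host check is deliberately coarse: presence of /dev/nvidia0 says nothing about driver version compatibility, so treat a clean result as "nothing obviously missing", not as a guarantee.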

Updated: 2021-05-07