Call me Ishmael: Using Dynamic Analysis to Hunt Whales on the Internet
More Info
expand_more
Abstract
Docker has been one of the most widely used DevOps tools in the last decade, enabling fast development of personalized services. Indeed, the common practice is to reuse already available containers and customize them based on the developer's needs. DockerHub is the leading platform for uploading and downloading Docker containers. Unfortunately, reusing code and infrastructure exposes developers to security and privacy threats, as the original developer might have had malicious intent to collect sensitive data or create backdoors in a victim's system. The existing literature has raised concerns about this security and privacy threats, and performed a mass vulnerability scans of Docker images. However, currently existing studies are mostly based on static analysis, which has been proved to be insufficient for a complete security assessment.
In this thesis we present a novel framework for the en-masse identification of vulnerabilities in Docker Containers. Additionally, as part of the framework, we document and implement a component which sorts and downloads images based on their popularity, which improves on the current fuzzy-search based state-of-the-art. Using this framework we found vulnerabilities in 2.44% of the containers we scanned. The framework also succeeded in finding novel vulnerabilities, resulting in two new reserved CVE numbers in the social network software Friendica.