Evaluating Container Debloaters
Docker containers are widely used because they are lightweight and can run multiple instances on a single hardware. However, they are less isolated than virtual machines, which makes them more vulnerable to attacks. Several approaches have been developed to reduce the attack surface of containers, but measuring the performance of these debloaters is challenging. This paper presents a unified platform, DebloatBenchC, to benchmark container debloaters. The platform currently includes 7 workload applications and 3 container debloaters: Speaker, Confine (syscall reduction tools), and Slimtoolkit (image size reduction tool).
Abstract
Docker containers have been widely used by organizations because they are lightweight and single hardware can run multiple instances of a container. However, this ease of virtualization comes with weaker isolation as compared to virtual machines. A compromised container can allow the attacker to escape to the host and gain privileged access. Several approaches have been developed to reduce the attack surface of containers either through the reduction of system calls or through slimming container images. Unfortunately, measuring the performance of container debloaters is challenging as there exists no platform for this purpose. This paper aims to address this gap, by building a unified platform to benchmark them.
Currently, our benchmark includes 7 workload applications, and 3 container debloaters, i.e., Speaker, Confine (syscalls reduction tools), and Slimtoolkit (image size reduction tool). We added several evaluation metrics in the framework, which include category-based system call reduction, CVEs mitigated, size reduction, and execution correctness.
Our evaluation revealed interesting insights into the existing techniques. Both the system call reduction tools were able to produce correct debloated containers as compared to Slimtoolkit (tool to reduce image size) which worked well too by reducing almost 79 percent of the size of the image but it failed to produce correct results on 2 out of 7 applications.
Cite
@inproceedings{hassan2023evaluating,
title={Evaluating container debloaters},
author={Hassan, Muhammad and Tahir, Talha and Farrukh, Muhammad and Naveed, Abdullah and Naeem, Anas and Zaffar, Fareed and Shaon, Fahad and Gehani, Ashish and Rahaman, Sazzadur},
booktitle={IEEE Secure Development Conference, SecDev},
pages={18--20},
year={2023}
}
Artifacts
Tags
Container Debloater, Debloating Comparison, Benchmark, Docker, Speaker, Confine, Slimtoolkit