Decentralized Content Trust for Docker Images
Quanqing Xu, Chao Jin, Mohamed Faruq Bin Mohamed Rasid, Bharadwaj Veeravalli, Khin Mi Mi Aung
2017
Abstract
A default Docker installation does not verify an image's authenticity. Authentication is vital for users to trust that an image is neither malicious nor tampered with. As Docker is currently a popular choice for developers, tightening its security is a priority for system administrators and DevOps engineers. Docker recently deployed Notary, a solution for verifying the authenticity of its images. Notary is a viable solution, but it has some drawbacks. This paper specifically addresses its vulnerability to Denial-of-Service (DoS) attacks and the repercussions, and discusses two potential solutions. The proposed solutions decentralise the trust via either a BitTorrent-like protocol or a modified blockchain. They greatly reduce the risk of DoS and at the same time provide a trustless signature verification service for Docker. The solutions could also be repackaged for similar use cases on other technologies. We demonstrate the scalability and efficiency of the proposed blockchain-based solution through a performance evaluation.
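The abstract's starting point is that a default Docker installation pulls images by mutable tag and checks nothing. The following added example (not code from the paper or from Docker/Notary) shows the baseline integrity check a deployment can perform even without a signing service: an image is identified by the SHA-256 of its manifest bytes, so a reference that pins a digest (`repo@sha256:<hex>`) can be verified against the manifest actually served, while a tag-only reference (`repo:latest`) carries no integrity claim at all. The manifest below and the registry name `registry.example` are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample manifest; the layer and config digests are placeholders,
# not those of any real image. Docker identifies an image by the sha256 of the
# manifest bytes exactly as the registry serves them.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1469, "digest": "sha256:" + "a1" * 32},
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": 2797541, "digest": "sha256:" + "b2" * 32}],
}, separators=(",", ":"), sort_keys=True).encode()


def manifest_digest(manifest_bytes: bytes) -> str:
    """Content-addressable identity of an image: sha256 over the raw manifest."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def pinned_digest(reference: str):
    """Return the digest pinned in a reference such as
    'registry.example/app@sha256:<hex>', or None when the reference is only a
    mutable tag (e.g. 'app:latest') and therefore makes no integrity claim.
    A malformed digest is rejected rather than silently accepted."""
    if "@" not in reference:
        return None
    _, digest = reference.rsplit("@", 1)
    algo, _, hexpart = digest.partition(":")
    if (algo != "sha256" or len(hexpart) != 64
            or any(c not in "0123456789abcdef" for c in hexpart)):
        raise ValueError("malformed digest in reference: %r" % reference)
    return digest


def verify_pinned(manifest_bytes: bytes, reference: str) -> bool:
    """True only if the served manifest matches the digest pinned in the
    reference. A tag-only reference cannot be verified and is reported as
    unverified (False), which is the safe default for a deployment policy."""
    expected = pinned_digest(reference)
    if expected is None:
        return False
    # constant-time comparison, as is conventional for digest checks
    return hmac.compare_digest(manifest_digest(manifest_bytes), expected)


if __name__ == "__main__":
    ref = "registry.example/app@" + manifest_digest(SAMPLE_MANIFEST)
    print("pinned reference verifies:", verify_pinned(SAMPLE_MANIFEST, ref))
    tampered = SAMPLE_MANIFEST.replace(b"b2b2", b"c3c3", 1)
    print("tampered manifest verifies:", verify_pinned(tampered, ref))
    print("tag-only reference verifies:", verify_pinned(SAMPLE_MANIFEST, "app:latest"))
```

Digest pinning proves that the bytes received are the bytes the operator pinned; it says nothing about who published them or whether a newer build exists, which is the gap a signing service such as the one the paper discusses is meant to close.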
Paper Citation
in Harvard Style
Xu Q., Rasid M., Jin C., Veeravalli B. and Aung K. (2017). Decentralized Content Trust for Docker Images. In Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS, ISBN 978-989-758-245-5, pages 431-437. DOI: 10.5220/0006379404310437
in Bibtex Style
@conference{iotbds17,
author={Quanqing Xu and Mohamed Faruq Bin Mohamed Rasid and Chao Jin and Bharadwaj Veeravalli and Khin Mi Mi Aung},
title={Decentralized Content Trust for Docker Images},
booktitle={Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS},
year={2017},
pages={431-437},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006379404310437},
isbn={978-989-758-245-5},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS
TI - Decentralized Content Trust for Docker Images
SN - 978-989-758-245-5
AU - Xu Q.
AU - Rasid M.
AU - Jin C.
AU - Veeravalli B.
AU - Aung K.
PY - 2017
SP - 431
EP - 437
DO - 10.5220/0006379404310437