Track: Security and privacy
Keywords: Docker Security, Supply Chain Security, Malware Detection
TL;DR: This paper investigates five threats within Docker images, proposes a security analysis framework for the Docker image ecosystem, and implements a large-scale security measurement. It identifies significant risks and proposes mitigation strategies.
Abstract: Docker has transformed modern software development, enabling the widespread reuse of containerized applications. Currently, Docker images are primarily distributed through centralized registries, among which Docker Hub is the largest, allowing developers to share and reuse images easily. The threats within these images also spread through the supply chain via dependency relationships, posing risks to anyone using the image and to all images built on top of it. However, it is unclear to what extent the threats within Docker images are distributed and propagated.
In this paper, we investigate five potential security risks across three dimensions of Docker image information: sensitive command parameters, secret leakage, software vulnerabilities, misconfigurations, and malicious files. We propose a security analysis framework, DITECTOR, based on these security issues, and use it to conduct a large-scale security measurement of the Docker image ecosystem. We collect descriptions of over 12 million image repositories from Docker Hub and construct an image dependency graph based on the layer information of the images. We select two sets of images that are influential in the Docker image ecosystem, high-pull-count images and high-dependency-weight images, totaling 33,952 images for inspection. Our findings are alarming: 93.7% of analyzed images contain known vulnerabilities, 4,437 images have secret leaks, 50 images contain misconfigurations, and 31 images execute malicious files. Furthermore, using the image dependency graph, we identify 334 downstream images affected by malicious images and uncover patterns of attack propagation within the supply chain. We discuss measures to mitigate these issues, have reported our findings to the relevant parties, and have received positive responses.
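The abstract describes building an image dependency graph from layer information and using it to find downstream images affected by a malicious base. The following is an added illustration, not the paper's DITECTOR code: it assumes the common heuristic that image B depends on image A when A's ordered layer digests form a strict prefix of B's, and uses constructed placeholder digests rather than real Docker Hub data.

```python
"""Toy image dependency graph from layer digests (added example; constructed data)."""
from collections import defaultdict

# Constructed sample: image name -> ordered layer digests (placeholders, not real sha256 values)
SAMPLE_IMAGES = {
    "base/os":     ["L1"],
    "lib/runtime": ["L1", "L2"],
    "app/web":     ["L1", "L2", "L3"],
    "app/worker":  ["L1", "L2", "L4"],
    "other/tool":  ["L9"],
}


def is_strict_prefix(short, long):
    """True when `short` is a proper prefix of `long` (shared layer chain)."""
    return len(short) < len(long) and long[:len(short)] == short


def build_dependency_graph(images):
    """Return (parent->children map, child->parent map).

    Assumption: the parent of an image is the image whose layer list is the
    longest strict prefix of its own, i.e. the closest base it was built FROM.
    """
    children = defaultdict(set)
    parent_of = {}
    for name, layers in images.items():
        candidates = [p for p, pl in images.items()
                      if p != name and is_strict_prefix(pl, layers)]
        if candidates:
            parent = max(candidates, key=lambda p: len(images[p]))
            parent_of[name] = parent
            children[parent].add(name)
    return dict(children), parent_of


def downstream_images(children, root):
    """All images transitively built on `root`: the blast radius if `root` is malicious."""
    seen, stack = set(), [root]
    while stack:
        current = stack.pop()
        for child in children.get(current, ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def dependency_weight(children, name):
    """Number of downstream images; a proxy for how influential a base image is."""
    return len(downstream_images(children, name))
```

With real registry data the layer lists would come from each image's manifest, and a malicious finding on a base image would be propagated to every image returned by `downstream_images`.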
Submission Number: 1782