Go to DBLP homepageDetection and Analysis of Poisoned Image in Container Registry
Abstract: Container technology provides isolated, consistent, and efficient application environments across diverse computing platforms. Docker, as the dominant container platform, simplifies container creation, deployment, and operation. However, the integrity of the container supply chain is threatened by malicious “poisoned” images distributed via public registries like Docker Hub, which pose significant security risks to unsuspecting users. This study presents the first comprehensive investigation into this container registry image supply chain threat. We reveal that image poisoning occurs primarily during the build phase, where attackers embed malicious payloads into Dockerfiles and associated build artifacts via specific common vectors. To empirically assess this threat, we developed a detection system combining dynamic and static analysis. Scanning 214,920 images from public registries, we identified 122 poisoned images with high precision ($\mathbf{9 5. 3 1 \%}$). Our in-depth analysis shows these compromised images serve diverse malicious purposes, with cryptocurrency mining being prevalent, and exhibit significant characteristic differences compared to benign images. Finally, we propose concrete mitigation measures to improve the security of the Docker ecosystem. We reported our findings to Docker and received its confirmation.
External IDs:dblp:conf/issre/PangWYJFL25
Loading