Biblio

2017-03-31
Rui Shu, Xiaohui Gu, William Enck. 2017. A Study of Security Vulnerabilities on Docker Hub. Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY).

Docker containers have recently become a popular approach to provision multiple applications over shared physical hosts in a more lightweight fashion than traditional virtual machines. This popularity has led to the creation of the Docker Hub registry, which distributes a large number of official and community images. In this paper, we study the state of security vulnerabilities in Docker Hub images. We create a scalable Docker image vulnerability analysis (DIVA) framework that automatically discovers, downloads, and analyzes both official and community images on Docker Hub. Using our framework, we have studied 356,218 images and made the following findings: (1) both official and community images contain more than 180 vulnerabilities on average when considering all versions; (2) many images have not been updated for hundreds of days; and (3) vulnerabilities commonly propagate from parent images to child images. These findings demonstrate a strong need for more automated and systematic methods of applying security updates to Docker images, and our current Docker image analysis framework provides a good foundation for such automatic security updates.

2016-09-29
Rui Shu, Peipei Wang, Sigmund A. Gorski III, Benjamin Andow, Adwait Nadkarni, Luke Deshotels, Jason Gionta, William Enck, Xiaohui Gu. 2016. A Study of Security Isolation Techniques. ACM Computing Surveys (CSUR).

Security isolation is a foundation of computing systems that enables resilience to different forms of attacks. This article seeks to understand existing security isolation techniques by systematically classifying different approaches and analyzing their properties. We provide a hierarchical classification structure for grouping different security isolation techniques. At the top level, we consider two principal aspects: mechanism and policy. Each aspect is broken down into salient dimensions that describe key properties. We break the mechanism into two dimensions: enforcement location and isolation granularity, and break the policy aspect down into three dimensions: policy generation, policy configurability, and policy lifetime. We apply our classification to a set of representative papers that cover a breadth of security isolation techniques and discuss trade-offs among different design choices and limitations of existing approaches.