Title | Reducing Docker Daemon Attack Surface Using Rootless Mode |
Publication Type | Conference Paper |
Year of Publication | 2021 |
Authors | Rahmansyah, Reyhan, Suryani, Vera, Arif Yulianto, Fazmah, Hidayah Ab Rahman, Nurul |
Conference Name | 2021 International Conference on Software Engineering Computer Systems and 4th International Conference on Computational Science and Information Management (ICSECS-ICOCSIM) |
Keywords | attack surface, container, Containers, daemon, Docker, Information management, Metrics, privilege, pubcrawl, resilience, Resiliency, root, rootless, Scalability, Scientific computing, virtualization |
Abstract | Containerization has become one of the alternatives to traditional virtualization. Docker requires the Docker daemon to build, distribute and run containers, and this exposes Docker to an attack surface known as the Docker daemon attack surface: an attack against the Docker daemon that takes over root access. Using rootless mode is one way to prevent this attack. This research therefore demonstrates prevention of the attack by building and running a Docker container in rootless mode. The attack is considered successful when the user is able to access the file /etc/shadow, which is supposed to be readable only by root. The findings show that the file is inaccessible when Docker is run in rootless mode. CPU usage was measured while the attack was simulated against Docker running with root privileges and in rootless mode, to determine whether using rootless mode adds CPU load and, if so, by how much. The results showed CPU usage of 39% when running Docker in rootless mode, whereas running Docker with root access showed only 0%. The 39% increase is commensurate with the benefit of preventing the Docker daemon attack surface. |
DOI | 10.1109/ICSECS52883.2021.00097 |
Citation Key | rahmansyah_reducing_2021 |