Smart Isolation in Large-Scale Production Computing Infrastructures - October 2016

Submitted by drwright on Wed, 09/14/2016 - 10:53am

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s): Xiaohui (Helen) Gu, William Enck
Researchers: Rui Shu, Adwait Nadkarni, Luke Deshotels

HARD PROBLEM(S) ADDRESSED

Resilient Architectures - Our current focus is the creation and validation of a classification system of existing security isolation techniques, through which we will identify underlying design principles and tradeoffs that will lead to the design of next generation smart isolation techniques to support resilient architectures.

PUBLICATIONS

Adwait Nadkarni, Benjamin Andow, William Enck, Somesh Jha. 2016. Practical DIFC Enforcement on Android. USENIX Security Symposium.

ACCOMPLISHMENT HIGHLIGHTS

In this quarter, we completed our analysis of over 350,000 images on Docker Hub from nearly 100,000 repositories. Our major findings include: (1) both official images and community images contain more than 100 vulnerabilities on average, and about 90% of images include at least one high severity vulnerability; (2) a large number of both community and official images have not been updated for hundreds of days, but the latest version of official images are better maintained; and (3) vulnerabilities commonly propagate from parent images to children images. These findings demonstrate a strong need for more automated and systematic methods of applying security updates to Docker images and our current container image analysis framework provides a good foundation for such automatic security update.

Groups:

NCSU Science of Security Lablet Research Initiative