论文信息 - Decentralized Content Trust for Docker Images

Decentralized Content Trust for Docker Images

Default Docker installation does not verify an image authenticity. Authentication is vital for users to trust that the image is not malicious or tampered with. As Docker is currently a popular choice for developers, tightening its security is a priority for system administrators and DevOps engineers. Docker recently deployed Notary that is a solution to verify authenticity of their images. Notary is a viable solution, but it has some drawbacks. This paper specifically addresses its vulnerability towards Denial-of-Service (DoS) attacks, the repercussions, and discuss two potential solutions. The proposed solutions involve decentralising the trust via either a BitTorrent-like protocol or a modified blockchain. The solutions greatly reduce the risk of DoS and at the same time provide a trustless signature verification service for Docker. The solutions could also possibly be repackaged for similar use cases on other technologies. We demonstrate the proposed blockchain-based solution’s scalability and efficiency by conducting performance evaluation.

Bharadwaj Veeravalli | Khin Mi Mi Aung | Chao Jin | Quanqing Xu | Mohamed Faruq Bin Mohamed Rasid

[1] Dirk Merkel,et al. Docker: lightweight Linux containers for consistent development and deployment , 2014 .

[2] Yonggang Wen,et al. Virt Cache: Managing Virtual Disk Performance Variation in Distributed File Systems for the Cloud , 2014, 2014 IEEE 6th International Conference on Cloud Computing Technology and Science.

[3] Heng Tao Shen,et al. A Novel Content Distribution Mechanism in DHT Networks , 2009, Networking.

[4] Marc Pilkington,et al. Blockchain Technology: Principles and Applications , 2015 .

[5] Thanh Bui,et al. Analysis of Docker Security , 2015, ArXiv.

[6] Klaus Wehrle,et al. POSTER: I Don't Want That Content! On the Risks of Exploiting Bitcoin's Blockchain as a Content Store , 2016, CCS.

[7] Khin Mi Mi Aung,et al. A Blockchain-Based Storage System for Data Analytics in the Internet of Things , 2018 .

[8] Khin Mi Mi Aung,et al. Building a large-scale object-based active storage platform for data analytics in the internet of things , 2016, The Journal of Supercomputing.

[9] Juan Benet,et al. IPFS - Content Addressed, Versioned, P2P File System , 2014, ArXiv.

[10] Nick Mathewson,et al. Survivable key compromise in software update systems , 2010, CCS '10.

[11] Jerry Brito,et al. Bitcoin: A Primer for Policymakers , 2016 .