


Link to original content: https://unpaywall.org/10.1145/3141235.3141241

New Directions for Container Debloating

Published: 03 November 2017

Abstract

Application containers, such as Docker containers, are lightweight virtualization environments that "contain" applications together with their resources and configuration information. While they are becoming increasingly popular as a method for agile software deployment, current techniques for preparing containers add unnecessary bloat to them: they often include unneeded files that increase the container size by several orders of magnitude. This leads not only to storage and network transfer issues but also to security concerns, since every unneeded file is additional attack surface. The problem is well recognized, but the available solutions are mostly ad hoc and not widely deployed.
Our previous work, Cimplifier, debloats containers by using dynamic analysis to identify the resources a container actually needs and then removing everything else. However, the dynamic analysis relies on model executions or test runs, and if these are incomplete, some necessary resources may never be observed and will be removed. It is therefore important to explore other directions for container debloating. In this paper, we discuss two of them: a new intermediate representation that allows multiple techniques, such as dynamic analysis and static analysis, to be combined for debloating; and test case augmentation using symbolic execution.
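The following added example is not the paper's code or Cimplifier's; it is a small Python sketch of the resource-identification step the abstract describes, and of the incompleteness problem it warns about. The image inventory, the trace format (one `<syscall> <path>` line per access, loosely modelled on what strace or fanotify would record) and every path in it are constructed for the illustration.

```python
"""
Dynamic-analysis resource identification for container debloating (added
illustration, not the paper's implementation). Given the files present in an
image and access traces from several test runs, keep only the files that were
observed in use. Anything never exercised by the runs is removed, which is
exactly why incomplete test runs are dangerous: a file needed by an
untested code path is silently dropped.
"""
import re

# Constructed inventory of a tiny hypothetical image.
IMAGE_FILES = {
    "/app/server.py",
    "/usr/bin/python3",
    "/usr/lib/libpython3.so",
    "/usr/lib/libssl.so",
    "/etc/ssl/certs/ca-certificates.crt",
    "/usr/share/zoneinfo/UTC",     # needed only by an untested code path
    "/usr/bin/perl",               # genuinely unused bloat
    "/usr/share/doc/README",       # genuinely unused bloat
}

# Constructed traces from two test runs. Run 1 exercises plain HTTP only;
# run 2 also exercises the TLS code path, so it touches libssl and the CA store.
TRACE_RUN_1 = """\
execve /usr/bin/python3
openat /usr/lib/libpython3.so
openat /app/server.py
openat /etc/hostname
"""

TRACE_RUN_2 = """\
execve /usr/bin/python3
openat /usr/lib/libpython3.so
openat /app/server.py
openat /usr/lib/libssl.so
openat /etc/ssl/certs/ca-certificates.crt
"""

_LINE = re.compile(r"^\s*(\w+)\s+(/\S+)\s*$")


def accessed_paths(trace: str) -> set[str]:
    """Parse one trace into the set of absolute paths it touched.
    Lines that do not match the constructed format are ignored."""
    paths: set[str] = set()
    for line in trace.splitlines():
        m = _LINE.match(line)
        if m:
            paths.add(m.group(2))
    return paths


def debloat(image_files: set[str], traces: list[str]) -> tuple[set[str], set[str]]:
    """Return (keep, remove): image files seen in at least one run are kept,
    all others are removed. Paths that were accessed but are not part of the
    image (e.g. runtime-provided /etc/hostname) are not in either set."""
    needed = set().union(*(accessed_paths(t) for t in traces))
    keep = image_files & needed
    remove = image_files - needed
    return keep, remove


def per_run_only(traces: list[str]) -> set[str]:
    """Resources seen in some runs but not all. A non-empty result shows that
    which files get used depends on the inputs, so further, unseen inputs may
    well need files none of the runs touched; this is the coverage gap the
    abstract motivates closing with static analysis or symbolic execution."""
    sets = [accessed_paths(t) for t in traces]
    return set().union(*sets) - set.intersection(*sets)


if __name__ == "__main__":
    keep, remove = debloat(IMAGE_FILES, [TRACE_RUN_1, TRACE_RUN_2])
    print("keep:  ", sorted(keep))
    print("remove:", sorted(remove))
    print("input-dependent:", sorted(per_run_only([TRACE_RUN_1, TRACE_RUN_2])))
```

Note that `/usr/share/zoneinfo/UTC` ends up in the removal set even though the comment marks it as needed by a code path the runs never reached: the analysis has no way to tell unexercised-but-needed files from true bloat, which is the limitation the paper sets out to address.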


Published In
FEAST '17: Proceedings of the 2017 Workshop on Forming an Ecosystem Around Software Transformation
November 2017
78 pages
ISBN:9781450353953
DOI:10.1145/3141235
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

  1. containers
  2. debloating
  3. least privilege

Qualifier: Research-article

Conference: CCS '17

Overall Acceptance Rate: 4 of 4 submissions, 100%

Article Metrics

  • Downloads (Last 12 months)22
  • Downloads (Last 6 weeks)6
Reflects downloads up to 24 Nov 2024

Cited By
  • A Systematic Literature Review on Maintenance of Software Containers. ACM Computing Surveys 56(8):1-38, 2024. doi:10.1145/3645092
  • Empirical Study of the Docker Smells Impact on the Image Size. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, pp. 1-12, 2024. doi:10.1145/3597503.3639143
  • Static-Analysis-Based Solutions to Security Challenges in Cloud-Native Systems: Systematic Mapping Study. Sensors 23(4):1755, 2023. doi:10.3390/s23041755
  • Input-Driven Dynamic Program Debloating for Code-Reuse Attack Mitigation. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 934-946, 2023. doi:10.1145/3611643.3616274
  • Evaluating Container Debloaters. 2023 IEEE Secure Development Conference (SecDev), pp. 88-98, 2023. doi:10.1109/SecDev56634.2023.00023
  • Studying and Understanding the Tradeoffs Between Generality and Reduction in Software Debloating. Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, pp. 1-13, 2022. doi:10.1145/3551349.3556970
  • Trimmer: An Automated System for Configuration-Based Software Debloating. IEEE Transactions on Software Engineering 48(9):3485-3505, 2022. doi:10.1109/TSE.2021.3095716
  • Torpedo: A Fuzzing Framework for Discovering Adversarial Container Workloads. 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 402-414, 2022. doi:10.1109/DSN53405.2022.00048
  • Framework to Secure Docker Containers. 2021 Fifth World Conference on Smart Trends in Systems Security and Sustainability (WorldS4), pp. 152-156, 2021. doi:10.1109/WorldS451998.2021.9514041
  • Docker Container Security in Cloud Computing. 2020 10th Annual Computing and Communication Workshop and Conference (CCWC), pp. 0975-0980, 2020. doi:10.1109/CCWC47524.2020.9031195