
On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs


Presentation by Tom Mens of the SANER 2019 paper that received the best paper award. The topic is Docker containers, and in particular the relation between outdated packages, technical lag, security vulnerabilities and bugs.


  1. On the Relation between Outdated Docker Containers, Severity Vulnerabilities, and Bugs. Ahmed Zerouali, Tom Mens, Gregorio Robles, Jesus Gonzalez Barahona. IEEE Int’l Conf. Software Analysis, Evolution and Reengineering, Hangzhou, China, February 24-27, 2019.
  2. On the Impact of Outdated and Vulnerable Javascript Packages in Docker Images. Ahmed Zerouali, Valerio Cosentino, Tom Mens, Gregorio Robles, Jesus Gonzalez Barahona. IEEE Int’l Conf. Software Analysis, Evolution and Reengineering, Hangzhou, China, February 24-27, 2019.
  3. About Docker containers
     ● Containers are isolated bundles of software packages
     ● They are used to facilitate deploying software applications
     ● They are created by combining and modifying images from public (official or community) repositories
     ● Docker is one of the main tools for containerisation
  4. Motivation: Security vulnerabilities are the main barrier to container adoption in production environments
  5. Motivation: Security vulnerabilities are the main barrier to container adoption in production environments
  6. Motivation: Security vulnerabilities in npm JavaScript
     “1 out of 3 dependent npm packages never update their dependency to a vulnerable npm package.” A. Decan et al. “On the impact of security vulnerabilities in the npm package dependency network”, MSR 2018.
     “37% of websites include a JavaScript library with a known open source vulnerability.” T. Lauinger et al. "Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web", NDSS 2017.
     So what about Docker containers relying on npm packages?
  7. Motivation: Other main concerns for container adoption
     • Dependencies (required packages)
     • Bugs in third-party software
     • Outdated third-party software
  8. Background: Technical Lag
     Measures how outdated a software deployment (e.g. a deployed container) is with respect to the ideal version of its bundled software packages. Ideal depends on the purpose of the deployment:
     • latest available (most recent features)
     • most stable (bug-free)
     • most secure
     • most compatible
     • …
     “A formal framework for measuring technical lag in component repositories – and its application to npm.” A. Zerouali, T. Mens, J. Gonzalez-Barahona, A. Decan, E. Constantinou, G. Robles. J. Software Evolution and Process, Wiley, February 2019.
  9. Background: Technical Lag
     [Figure: version timeline of a package, from the version included in the deployed container to the ideal version.]
     Technical lag is measured as ∆ time, ∆ versions, ∆ vulnerabilities and ∆ bugs.
  10. Two Empirical Case Studies
     Containers based on Debian distributions:
     • 2453 images from official repositories
     • 4927 images from community repositories
     Containers relying on npm Javascript packages:
     • 961 images from official repositories
  11. Process
  12. Case Study 1
     Type of data               Data source
     Package metadata           Debian Archive
     Security vulnerabilities   Debian Security Tracker
     Bugs                       Ultimate Debian Database

     # Docker images per Debian distribution:
                  Buster (Debian 10 / Testing)   Stretch (Debian 9 / Stable)   Jessie (Debian 8 / Oldstable)
     Official     150                            620                           1683
     Community    86                             1248                          3593
  13. Case Study 1: Research Questions
     • How outdated are container packages?
     • How vulnerable are container packages?
     • To which extent do containers suffer from bugs in packages?
     • How long do bugs and security vulnerabilities remain unfixed?
  14. How outdated are container packages?
     The majority of packages in Debian containers are up-to-date. Debian testing (Buster) images have more outdated packages.
  15. How outdated are container packages?
     Outdated packages in Debian containers tend to have a small technical lag.
     Actionable result: Container deployers should be aware that the optimal update frequency of their base images and installed packages depends on the base Debian version.
  16. How vulnerable are container packages?
     Nearly half of the vulnerabilities have no fix. 96% of containers are affected by vulnerabilities of all severity categories.
     Lesson learned: No release is devoid of vulnerabilities, so deployers cannot avoid them even if they deploy the most recent packages.
  17. How vulnerable are container packages?
     The number of vulnerabilities depends on the Debian release, and is moderately correlated with the number of outdated packages in a container.
     Actionable result: If you prefer stability over new features, use Stable and Oldstable releases as they include the major bug fixes and security updates.
  18. To which extent do containers suffer from bugs in packages?
     All containers have buggy packages. Half of all packages have bugs. 65% of all bugs have no fix.
  19. To which extent do containers suffer from bugs in packages?
     The number of bugs depends on the Debian release, and is weakly correlated with the number of outdated packages in containers.
     Actionable result: Container deployers concerned with having as few bugs as possible should upgrade to the Testing release, at the expense of having a lower package stability.
  20. How long do bugs and vulnerabilities remain unfixed?
     [Figures: bug survival analysis; vulnerability survival analysis.]
     High severity bugs are fixed much faster than other bugs. High/medium severity vulnerabilities are fixed faster than low ones.
     Actionable result: Continuous monitoring: Container deployers should be aware of new available versions of their installed packages that fix severe vulnerabilities and important bugs.
  21. Case Study 2
     Type of data               Data source
     Package metadata           Libraries.io
     Security vulnerabilities   Snyk.io vulnerability database (1099 vulnerability reports)
  22. Case Study 2: Research Questions
     • How outdated are npm packages in Docker images?
     • How vulnerable are npm packages in Docker images?
  23. How outdated are npm packages in Docker images?
     At the time of the image’s last update, outdated npm packages were mostly up to date. Median version lag = 1 patch.
  24. How outdated are npm packages in Docker images?
     At the date of the analysis (March 13th 2018): Median version lag = 1 major + 1 minor + 4 patch. Docker deployers that use old Node.Js images might be missing updates.
  25. How vulnerable are npm packages in Docker images?
     [Figure: number of high and medium severity vulnerabilities per image, plotted against the image’s last update date (2014-05 to 2018-03).]
     Older images are more likely to have important vulnerabilities due to outdated npm packages.
  26. Conclusion
     Analysis of Debian and npm packages in Docker containers.
     - All images have packages with vulnerabilities and bugs.
     - Using third-party (npm) packages is a source of bugs and vulnerabilities.
     - Old images have more outdated packages.
     - The more outdated packages, the higher the risk of vulnerabilities.
     - Docker deployers need to use package analysis and monitoring tools.
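
The technical lag measure of slides 8 and 9, and the two npm measurements of slides 23 and 24 (lag at the image's last update versus lag at the analysis date), worked through in code. This is an added example, not material from the slides or from the authors' tooling: the package name, release history, dates and vulnerability ids are constructed, and the rule that buckets missed releases into major/minor/patch counts is an assumption, since the slides only report the resulting totals.

```python
"""Technical lag (delta versions, delta time, delta vulnerabilities, as on the
slides) of a package in a Docker image against the latest release available at
a reference date. Registry data below is constructed."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Release:
    version: tuple      # (major, minor, patch)
    released: date
    vulns: frozenset    # ids of vulnerabilities affecting this release

# Constructed release history (oldest first) of a hypothetical package.
REGISTRY = {"example-pkg": [
    Release((1, 1, 0), date(2016, 3, 1), frozenset({"VULN-A"})),
    Release((1, 1, 2), date(2016, 4, 10), frozenset({"VULN-A"})),
    Release((1, 1, 3), date(2016, 6, 5), frozenset()),  # fixes VULN-A
    Release((1, 2, 0), date(2017, 1, 20), frozenset()),
    Release((1, 3, 0), date(2018, 1, 10), frozenset({"VULN-B"})),
    Release((2, 0, 0), date(2018, 2, 1), frozenset()),
]}

def version_lag(history, deployed, ideal):
    """Releases after `deployed` up to `ideal`, counted by the semver component
    each bumps vs. its predecessor (assumed rule; slides only give totals)."""
    lag, prev = {"major": 0, "minor": 0, "patch": 0}, deployed
    for r in history:  # oldest first
        if deployed < r.version <= ideal:
            level = ("major" if r.version[0] != prev[0]
                     else "minor" if r.version[1] != prev[1] else "patch")
            lag[level] += 1
            prev = r.version
    return lag

def technical_lag(package, deployed, at):
    """Lag of the deployed (major, minor, patch) version of `package` against
    the newest release published on or before the ISO date `at`."""
    history = REGISTRY[package]
    dep = next(r for r in history if r.version == deployed)
    ideal = max((r for r in history if r.released <= date.fromisoformat(at)),
                key=lambda r: r.version)
    return {"version": version_lag(history, deployed, ideal.version),
            "time_days": (ideal.released - dep.released).days,
            # vulnerabilities of the deployed release that the upgrade removes
            "vulnerabilities": len(dep.vulns - ideal.vulns)}

if __name__ == "__main__":
    # Same image content at two reference dates (cf. slides 23 and 24).
    print(technical_lag("example-pkg", (1, 1, 2), "2016-07-01"))  # last update
    print(technical_lag("example-pkg", (1, 1, 2), "2018-03-13"))  # analysis date
```

Measured at the image's last update the lag is a single patch, while measured at the analysis date the same image content lags by 1 major + 2 minor + 1 patch, which is the effect slides 23 and 24 contrast.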

Editor's Notes

  • In June 2015, ClusterHQ asked enterprises “What are the biggest barriers to putting containers in a production environment?” More than 60% of enterprises said that security was the #1 barrier to putting containers in a production environment.
  • Some time later, in August 2015, FlawCheck and one of our partners surveyed enterprises, asking which piece of the security equation was their top concern about running containers in production environments.
    At 42%, vulnerabilities & malware in container workloads was the top container security concern among those surveyed.
    Later on, a 2016 survey by DevOps.com and RedMonk revealed that users who are more concerned by image security focused on scanning simple Common Vulnerabilities and Exposures (CVE) on the operating system.
  • Later, in 2017, a survey by Anchore.io focused on the landscape of practices being deployed by container users [1]. One of the questions was: “Other than security, what are the other checks that you perform before running application containers?” The top answers related to software packages were: required packages (∼40% of the answers); presence of bugs in major third-party software (∼33%); and verifying whether third-party software versions are up-to-date (∼27%).
  • To do so, we relied on the concept of technical lag, which was introduced as the difference between the software version that is deployed and the ideal version that is available but not deployed yet.
  • For the first case study, we decided to work with DockerHub images based on a Linux Debian distribution, because applications in them are usually installed using well-defined packages. We considered ALL official repositories. For the 30,000+ community repositories, we only selected those with more than 500 pulls (i.e. the most popular ones).

    For the second case study, we selected 961 official repositories on DockerHub in which we found npm Javascript packages.
  • The overall process, which we describe in detail below, is:
    (1) identification of Docker Hub base images for Debian, defining our base set;
    (2) identification of Docker Hub images in our dataset, including those derived from the base set;
    (3) analysis of all those images, matching their packages to a historical archive of all Debian packages; and
    (4) identification of bug and vulnerability reports for those packages, based on a historical database with those details for Debian packages.

  • The median proportion of up-to-date packages per container is 82%.
    For images updated during 2018, the median is even MUCH HIGHER: 98% of packages are up-to-date.
  • Outdated packages are lagging behind one version for Debian oldstable (Jessie) and stable (Stretch).

    Outdated packages are lagging behind two versions for Debian testing (Buster).

    This is expected because stable Debian packages are not updated frequently, while this is much less the case for the Debian testing release.
  • - Nearly half of the vulnerabilities have no fix.
    - 96% of containers are affected by all types of vulnerabilities, except for the not assigned vulnerabilities.
  • Deployers who prefer stability to new functionalities are recommended to use the Stable and Oldstable versions that include only the most important corrections or security updates. To have a lower number of severe vulnerabilities, container deployers using the Oldstable Debian release should upgrade to the Stable release.
  • Stefano confirmed. Many bugs are present in Debian, but nobody cares if these bugs do not affect security. At any given point there may be thousands of known (and unresolved) bugs.
  • The number of bugs is weakly correlated with the number of outdated packages in containers, except for the Buster release (i.e. the latest Debian Testing release), for which no correlation was found.
  • - High severity bugs are fixed ten times faster than other kind of bugs.

    - Vulnerability reports upstream might have different severity downstream.
  • At the time of the image’s last update, outdated npm packages were only missing one patch update.
  • All official node-based images have vulnerable npm packages, with an average of 16 security vulnerabilities per image.
  • - We analyzed Debian and npm packages in Docker containers
    - Old images have more outdated packages.
    - All images have vulnerable and buggy packages.
    - Third-party packages are important and they should be considered when analyzing containers for vulnerabilities.
    - The number of outdated packages is correlated with the number of vulnerabilities.
    - Package update recommendation tools are needed in order to support Docker deployers.
