Still Not Aware of the Loophole of Unintentional Access to Docker? A Proof of Concept

Luyi Li; Yueyang Li; Ruxue Luo; Yuzhen Chen; Wenjun Fan

doi:10.1109/ISCC58397.2023.10218166

Still Not Aware of the Loophole of Unintentional Access to Docker? A Proof of Concept

Luyi Li, Yueyang Li, Ruxue Luo, Yuzhen Chen, Wenjun Fan^*

^*Corresponding author for this work

Xi'an Jiaotong-Liverpool University

Research output: Chapter in Book or Report/Conference proceeding › Conference Proceeding › peer-review

Abstract

Due to the ease of management and the high performance of the containerization, many services have been deployed on container, e.g., Web server running in Docker. However, the Docker implementation suffers several fatal loopholes. In this paper, we study a persistent security problem of Docker, i.e., the port mapping statement results in a wrong IPTABLES rule, which has been disclosed for a while but is still not solved. Therefore, we are motivated to provide a technical primer as well as a proof of concept for this issue. Nevertheless, we discuss several methods to mitigate the security problem. Further, we apply our network testbed for demonstrating the loophole and the effectiveness of the defense methods. The experimental results show that our approach not only increase the time cost for the attacker to identify the target but also bring negligible overhead for deploying the countermeasures.

Original language	English
Title of host publication	ISCC 2023 - 28th IEEE Symposium on Computers and Communications
Subtitle of host publication	Computers and Communications for the Benefits of Humanity
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	1331-1334
Number of pages	4
ISBN (Electronic)	9798350300482
DOIs	https://doi.org/10.1109/ISCC58397.2023.10218166
Publication status	Published - 2023
Event	28th IEEE Symposium on Computers and Communications, ISCC 2023 - Hybrid, Gammarth, Tunisia Duration: 9 Jul 2023 → 12 Jul 2023

Publication series

Name	Proceedings - IEEE Symposium on Computers and Communications
Volume	2023-July
ISSN (Print)	1530-1346

Conference

Conference	28th IEEE Symposium on Computers and Communications, ISCC 2023
Country/Territory	Tunisia
City	Hybrid, Gammarth
Period	9/07/23 → 12/07/23

Keywords

Container
Docker
IPTABLES
Port Mapping
Unintentional Access

Access to Document

10.1109/ISCC58397.2023.10218166

Cite this

Li, L., Li, Y., Luo, R., Chen, Y., & Fan, W. (2023). Still Not Aware of the Loophole of Unintentional Access to Docker? A Proof of Concept. In ISCC 2023 - 28th IEEE Symposium on Computers and Communications: Computers and Communications for the Benefits of Humanity (pp. 1331-1334). (Proceedings - IEEE Symposium on Computers and Communications; Vol. 2023-July). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ISCC58397.2023.10218166

Li, Luyi ; Li, Yueyang ; Luo, Ruxue et al. / Still Not Aware of the Loophole of Unintentional Access to Docker? A Proof of Concept. ISCC 2023 - 28th IEEE Symposium on Computers and Communications: Computers and Communications for the Benefits of Humanity. Institute of Electrical and Electronics Engineers Inc., 2023. pp. 1331-1334 (Proceedings - IEEE Symposium on Computers and Communications).

@inproceedings{da556c12553b467ebb434d0ac83fd328,

title = "Still Not Aware of the Loophole of Unintentional Access to Docker? A Proof of Concept",

abstract = "Due to the ease of management and the high performance of the containerization, many services have been deployed on container, e.g., Web server running in Docker. However, the Docker implementation suffers several fatal loopholes. In this paper, we study a persistent security problem of Docker, i.e., the port mapping statement results in a wrong IPTABLES rule, which has been disclosed for a while but is still not solved. Therefore, we are motivated to provide a technical primer as well as a proof of concept for this issue. Nevertheless, we discuss several methods to mitigate the security problem. Further, we apply our network testbed for demonstrating the loophole and the effectiveness of the defense methods. The experimental results show that our approach not only increase the time cost for the attacker to identify the target but also bring negligible overhead for deploying the countermeasures.",

keywords = "Container, Docker, IPTABLES, Port Mapping, Unintentional Access",

author = "Luyi Li and Yueyang Li and Ruxue Luo and Yuzhen Chen and Wenjun Fan",

note = "Funding Information: ACKNOWLEDGMENT This work was supported in part by XJTLU Research Development Funding RDF-21-02-012 and XJTLU Teaching Development Funding TDF21/22-R24-177. This work was also partially supported by the XJTLU AI University Research Centre and Jiangsu Province Engineering Research Centre of Data Science and Cognitive Computation at XJTLU. Publisher Copyright: {\textcopyright} 2023 IEEE.; 28th IEEE Symposium on Computers and Communications, ISCC 2023 ; Conference date: 09-07-2023 Through 12-07-2023",

year = "2023",

doi = "10.1109/ISCC58397.2023.10218166",

language = "English",

series = "Proceedings - IEEE Symposium on Computers and Communications",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "1331--1334",

booktitle = "ISCC 2023 - 28th IEEE Symposium on Computers and Communications",

}

Li, L, Li, Y, Luo, R, Chen, Y & Fan, W 2023, Still Not Aware of the Loophole of Unintentional Access to Docker? A Proof of Concept. in ISCC 2023 - 28th IEEE Symposium on Computers and Communications: Computers and Communications for the Benefits of Humanity. Proceedings - IEEE Symposium on Computers and Communications, vol. 2023-July, Institute of Electrical and Electronics Engineers Inc., pp. 1331-1334, 28th IEEE Symposium on Computers and Communications, ISCC 2023, Hybrid, Gammarth, Tunisia, 9/07/23. https://doi.org/10.1109/ISCC58397.2023.10218166

Still Not Aware of the Loophole of Unintentional Access to Docker? A Proof of Concept. / Li, Luyi; Li, Yueyang; Luo, Ruxue et al.
ISCC 2023 - 28th IEEE Symposium on Computers and Communications: Computers and Communications for the Benefits of Humanity. Institute of Electrical and Electronics Engineers Inc., 2023. p. 1331-1334 (Proceedings - IEEE Symposium on Computers and Communications; Vol. 2023-July).

Research output: Chapter in Book or Report/Conference proceeding › Conference Proceeding › peer-review

TY - GEN

T1 - Still Not Aware of the Loophole of Unintentional Access to Docker? A Proof of Concept

AU - Li, Luyi

AU - Li, Yueyang

AU - Luo, Ruxue

AU - Chen, Yuzhen

AU - Fan, Wenjun

N1 - Funding Information: ACKNOWLEDGMENT This work was supported in part by XJTLU Research Development Funding RDF-21-02-012 and XJTLU Teaching Development Funding TDF21/22-R24-177. This work was also partially supported by the XJTLU AI University Research Centre and Jiangsu Province Engineering Research Centre of Data Science and Cognitive Computation at XJTLU. Publisher Copyright: © 2023 IEEE.

PY - 2023

Y1 - 2023

N2 - Due to the ease of management and the high performance of the containerization, many services have been deployed on container, e.g., Web server running in Docker. However, the Docker implementation suffers several fatal loopholes. In this paper, we study a persistent security problem of Docker, i.e., the port mapping statement results in a wrong IPTABLES rule, which has been disclosed for a while but is still not solved. Therefore, we are motivated to provide a technical primer as well as a proof of concept for this issue. Nevertheless, we discuss several methods to mitigate the security problem. Further, we apply our network testbed for demonstrating the loophole and the effectiveness of the defense methods. The experimental results show that our approach not only increase the time cost for the attacker to identify the target but also bring negligible overhead for deploying the countermeasures.

AB - Due to the ease of management and the high performance of the containerization, many services have been deployed on container, e.g., Web server running in Docker. However, the Docker implementation suffers several fatal loopholes. In this paper, we study a persistent security problem of Docker, i.e., the port mapping statement results in a wrong IPTABLES rule, which has been disclosed for a while but is still not solved. Therefore, we are motivated to provide a technical primer as well as a proof of concept for this issue. Nevertheless, we discuss several methods to mitigate the security problem. Further, we apply our network testbed for demonstrating the loophole and the effectiveness of the defense methods. The experimental results show that our approach not only increase the time cost for the attacker to identify the target but also bring negligible overhead for deploying the countermeasures.

KW - Container

KW - Docker

KW - IPTABLES

KW - Port Mapping

KW - Unintentional Access

UR - http://www.scopus.com/inward/record.url?scp=85171991835&partnerID=8YFLogxK

U2 - 10.1109/ISCC58397.2023.10218166

DO - 10.1109/ISCC58397.2023.10218166

M3 - Conference Proceeding

AN - SCOPUS:85171991835

T3 - Proceedings - IEEE Symposium on Computers and Communications

SP - 1331

EP - 1334

BT - ISCC 2023 - 28th IEEE Symposium on Computers and Communications

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 28th IEEE Symposium on Computers and Communications, ISCC 2023

Y2 - 9 July 2023 through 12 July 2023

ER -

Li L, Li Y, Luo R, Chen Y, Fan W. Still Not Aware of the Loophole of Unintentional Access to Docker? A Proof of Concept. In ISCC 2023 - 28th IEEE Symposium on Computers and Communications: Computers and Communications for the Benefits of Humanity. Institute of Electrical and Electronics Engineers Inc. 2023. p. 1331-1334. (Proceedings - IEEE Symposium on Computers and Communications). doi: 10.1109/ISCC58397.2023.10218166

Still Not Aware of the Loophole of Unintentional Access to Docker? A Proof of Concept

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this