TY - GEN
T1 - Uncontained Danger
T2 - 28th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2025
AU - Tsoukaladelis, Chris
AU - Perdisci, Roberto
AU - Nikiforakis, Nick
N1 - Publisher Copyright: © 2025 IEEE.
PY - 2025
Y1 - 2025
AB - Containers benefit software developers, aiding them with increased portability, scalability, and consistency across different environments. From a security point of view, containers incentivize the conversion of monolithic software into microservices which then can be isolated from each other, better lending themselves to least-privilege deployments. In this paper, we shed light on the unexplored issue of remote dependencies in Docker images and containers. Unless a Docker image is fully self-contained, every dependence on the outside world is an opportunity for attackers to hijack these dependencies and conduct supply-chain attacks against these images. To do so, we curate a dataset of 200 K Docker images and design DockerGym, a dynamic analysis system which automatically installs, executes, and stimulates running containers, while monitoring their network communications. We discuss multiple approaches for activating the images in our dataset and the types of remote dependencies that we were able to discover. Among others, we observe that 13% of evaluated Docker images have some form of remote dependencies, with approximately 10 K images resolving public domain names. We observe the use of unencrypted protocols (such as HTTP) and a range of other issues that could be straightforwardly exploited by attackers in the context of supply-chain attacks.
UR - https://www.scopus.com/pages/publications/105033578885
U2 - 10.1109/RAID67961.2025.00071
DO - 10.1109/RAID67961.2025.00071
M3 - Conference contribution
AN - SCOPUS:105033578885
T3 - Proceedings - 28th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2025
SP - 935
EP - 949
BT - Proceedings - 28th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2025
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 19 October 2025 through 22 October 2025
ER -