research-article

Public Access

Cimplifier: automatically debloating containers

Authors:

Vaibhav Rastogi,

Lorenzo De Carli,

Patrick McDanielAuthors Info & Claims

ESEC/FSE 2017: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering

Pages 476 - 486

https://doi.org/10.1145/3106237.3106271

Published: 21 August 2017 Publication History

Abstract

Application containers, such as those provided by Docker, have recently gained popularity as a solution for agile and seamless software deployment. These light-weight virtualization environments run applications that are packed together with their resources and configuration information, and thus can be deployed across various software platforms. Unfortunately, the ease with which containers can be created is oftentimes a double-edged sword, encouraging the packaging of logically distinct applications, and the inclusion of significant amount of unnecessary components, within a single container. These practices needlessly increase the container size-sometimes by orders of magnitude. They also decrease the overall security, as each included component-necessary or not-may bring in security issues of its own, and there is no isolation between multiple applications packaged within the same container image. We propose algorithms and a tool called Cimplifier, which address these concerns: given a container and simple user-defined constraints, our tool partitions it into simpler containers, which (i) are isolated from each other, only communicating as necessary, and (ii) only include enough resources to perform their functionality. Our evaluation on real-world containers demonstrates that Cimplifier preserves the original functionality, leads to reduction in image size of up to 95%, and processes even large containers in under thirty seconds.

References

[1]

Selenium IDE. Tool Documentation. http://www.seleniumhq.org/docs/02_ selenium_ide.jsp.

[2]

BIGOT, J.-T. L., April 2015. http://blog.yadutaf.fr/2015/04/25/ how-i-shrunk-a-docker-image-by-98-8-featuring-fanotify/.

[3]

Bittau, A., Marchenko, P., Handley, M., and Karp, B. Wedge: Splitting applications into reduced-privilege compartments. In NSDI (2008), pp. 309–322.

Digital Library

[4]

Blankstein, A., and Freedman, M. J. Automating isolation and least privilege in web services. In Security and Privacy (SP), 2014 IEEE Symposium on (2014), IEEE, pp. 133–148.

Digital Library

[5]

Brumley, D., and Song, D. Privtrans: Automatically partitioning programs for privilege separation. In USENIX Security Symposium (2004), pp. 57–72.

Digital Library

[6]

Docker and btrfs in practice. Docker documentation. https://docs.docker.com/ engine/userguide/storagedriver/btrfs-driver/.

[7]

Cheung, A., Madden, S., Arden, O., and Myers, A. C. Automatic partitioning of database applications. Proceedings of the VLDB Endowment 5, 11 (2012), 1471–1482.

Digital Library

[8]

Chong, S., Liu, J., Myers, A. C., Qi, X., Vikram, K., Zheng, L., and Zheng, X. Building secure web applications with automatic partitioning. Communications of the ACM 52, 2 (2009), 79–87.

Digital Library

[9]

Clark, C., Fraser, K., Hand, S., Hansen, J. G., Jul, E., Limpach, C., Pratt, I., and Warfield, A. Live migration of virtual machines. In Proceedings of the 2nd conference on Symposium on Networked Systems Design & Implementation-Volume 2 (2005), USENIX Association, pp. 273–286.

Digital Library

[10]

8 surprising facts about real docker adoption. Web Article, October 2015. https: //www.datadoghq.com/docker-adoption/.

[11]

deHamer, B. Optimizing docker images. CenturyLink Developer Center Blog, July 2014. https://www.ctl.io/developers/blog/post/optimizing-docker-images/.

[12]

Docker. Website. https://www.docker.com/.

[13]

Understand images, containers, and storage drivers. Docker documentation. https: //docs.docker.com/engine/userguide/storagedriver/imagesandcontainers/.

[14]

Docker security. Docker documentation. https://docs.docker.com/engine/ security/security/.

[15]

Douglis, F., and Ousterhout, J. Transparent process migration: Design alternatives and the sprite implementation. Software: Practice and Experience 21, 8 (1991), 757–785.

Digital Library

[16]

Dowideit, S. Slim application containers (using docker). Blog, April 2015. http://fosiki.com/blog/2015/04/28/slim-application-containers-using-docker/.

[17]

The elastic stack | make sense of your data. Website. https://www.elastic.co/ products.

[18]

The 2016 workshop on forming an ecosystem around software transformation (feast), October 2016. https://sites.google.com/site/ccsfeast16/.

[19]

Guo, P. J., and Engler, D. R. Cde: Using system call interposition to automatically create portable software packages. In USENIX Annual Technical Conference (2011).

Digital Library

[20]

Haproxy – the reliable, high performance tcp/http load balancer. Website. http: //www.haproxy.org/.

[21]

Krohn, M. N., Efstathopoulos, P., Frey, C., Kaashoek, M. F., Kohler, E., Mazieres, D., Morris, R., Osborne, M., VanDeBogart, S., and Ziegler, D. Make least privilege a right (not a privilege). In HotOS (2005).

Digital Library

[22]

Kumar, A., May 2015.

[23]

https://medium.com/@aneeshep/ working-with-dockers-64c8bc4b5f92#.f3i10qkyt.

[24]

Linux containers. Website. https://linuxcontainers.org/.

[25]

MediaWiki. Website. https://www.mediawiki.org/wiki/MediaWiki.

[26]

MongoDB. Website. https://www.mongodb.org/.

[27]

Myers, A. C. Jflow: practical mostly-static information flow control. In 26th ACM Symp. on Principles of Programming Languages (POPL) (January 1999), pp. 228–241.

Digital Library

[28]

Myers, A. C., and Liskov, B. A decentralized model for information flow control. In 16th ACM Symp. on Operating System Principles (SOSP) (October 1997), pp. 129– 142.

Digital Library

[29]

Nginx. Website. http://nginx.org/en/.

[30]

Oracle. https://github.com/oracle/crashcart.

[31]

Osman, S., Subhraveti, D., Su, G., and Nieh, J. The design and implementation of zap: A system for migrating computing environments. ACM SIGOPS Operating Systems Review 36, SI (2002), 361–376.

Digital Library

[32]

Parasoft c/c++test. https://www.parasoft.com/product/cpptest/.

[33]

Provos, N., Friedl, M., and Honeyman, P. Preventing privilege escalation. In USENIX Security (2003), vol. 3.

Digital Library

[34]

Quest, K. C. https://github.com/cloudimmunity/docker-slim.

[35]

Redis. Website. http://redis.io/.

[36]

Docker registry. Website. https://docs.docker.com/registry/.

[37]

Linux audit. Website. https://people.redhat.com/sgrubb/audit/.

[38]

Docker adoption doubles in a year, February 2016. http: //www.datacenterdynamics.com/content-tracks/servers-storage/ docker-adoption-doubles-in-a-year/95703.fullarticle.

[39]

Saltzer, J. H., and Schroeder, M. D. The protection of information in computer systems. Proceedings of the IEEE 63, 9 (1975), 1278–1308.

[40]

Swamp: Software assurance marketplace. https://continuousassurance.org/.

[41]

van Holsteijn, M. How to create the smallest possible docker container of any image. Xebia blog, June 2015. http://blog.xebia.com/ how-to-create-the-smallest-possible-docker-container-of-any-image/.

[42]

WordPress.org. Website. https://wordpress.org/.

Cited By

Brown MMeily AFairservice BSood ADorn JBits TEytchison RBalzarotti DXu W(2024)A broad comparative evaluation of software debloating toolsProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699120(3927-3943)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699120
Alhanahnah MBoshmaf YGehani ACraven RMickelson M(2024)SoK: Software Debloating Landscape and Future DirectionsProceedings of the 2024 Workshop on Forming an Ecosystem Around Software Transformation10.1145/3689937.3695792(11-18)Online publication date: 14-Oct-2024
https://dl.acm.org/doi/10.1145/3689937.3695792
Drosos GSotiropoulos TSpinellis DMitropoulos D(2024)Bloat beneath Python’s Scales: A Fine-Grained Inter-Project Dependency AnalysisProceedings of the ACM on Software Engineering10.1145/36608211:FSE(2584-2607)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3660821
Show More Cited By

Index Terms

Cimplifier: automatically debloating containers
1. Security and privacy
  1. Software and application security
    1. Software security engineering
2. Software and its engineering
  1. Software notations and tools
    1. Software maintenance tools

Recommendations

New Directions for Container Debloating
FEAST '17: Proceedings of the 2017 Workshop on Forming an Ecosystem Around Software Transformation

Application containers, such as Docker containers, are light-weight virtualization environments that "contain" applications together with their resources and configuration information. While they are becoming increasingly popular as a method for agile ...
Reproducible Distributed Clusters with Mutable Containers: To Minimize Cost and Provisioning Time
HotConNet '17: Proceedings of the Workshop on Hot Topics in Container Networking and Networked Systems

Reproducible and repeatable provisioning of large-scale distributed systems is laborious. The cost of virtual infrastructure and the provisioning complexity are two of the main concerns. The trade-offs between virtual machines (VMs) and containers, the ...
Combining containers and virtual machines to enhance isolation and extend functionality on cloud computing
Abstract
Virtualization technology is the underlying element of cloud computing. Traditionally, cloud computing has employed virtual machines to distribute available resources and provide isolated environments among users. Multiple virtual ...
Highlights
- We study the combination of virtual machines and containers in the cloud.
- The ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ESEC/FSE 2017: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering

August 2017

1073 pages

ISBN:9781450351058

DOI:10.1145/3106237

General Chairs:
Eric Bodden
Paderborn University, Germany / Fraunhofer IEM, Germany
,
Wilhelm Schäfer
Paderborn University, Germany
,
Program Chairs:
Arie van Deursen
Delft University of Technology, Netherlands
,
Andrea Zisman
Open University, UK

Copyright © 2017 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 August 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Defence Advanced Research Agency
National Science Foundation

Conference

ESEC/FSE'17

Sponsor:

SIGSOFT

ESEC/FSE'17: Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering

September 4 - 8, 2017

Paderborn, Germany

Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

58
Total Citations
View Citations
1,288
Total Downloads

Downloads (Last 12 months)249
Downloads (Last 6 weeks)34

Reflects downloads up to 27 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Brown MMeily AFairservice BSood ADorn JBits TEytchison RBalzarotti DXu W(2024)A broad comparative evaluation of software debloating toolsProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699120(3927-3943)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699120
Alhanahnah MBoshmaf YGehani ACraven RMickelson M(2024)SoK: Software Debloating Landscape and Future DirectionsProceedings of the 2024 Workshop on Forming an Ecosystem Around Software Transformation10.1145/3689937.3695792(11-18)Online publication date: 14-Oct-2024
https://dl.acm.org/doi/10.1145/3689937.3695792
Drosos GSotiropoulos TSpinellis DMitropoulos D(2024)Bloat beneath Python’s Scales: A Fine-Grained Inter-Project Dependency AnalysisProceedings of the ACM on Software Engineering10.1145/36608211:FSE(2584-2607)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3660821
Thévenon GNguetchouang KLazri KTchana AOlivier PSchiavoni VEdinger JCao JJin Z(2024)B-Side: Binary-Level Static System Call IdentificationProceedings of the 25th International Middleware Conference10.1145/3652892.3700761(225-237)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3652892.3700761
Thung FLiu JRattanukul PMaoz SToch EGao DLo DRubin JLam WCatolino GPoshyvanyk D(2024)Towards Speedy Permission-Based Debloating for Android AppsProceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems10.1145/3647632.3651390(84-87)Online publication date: 14-Apr-2024
https://dl.acm.org/doi/10.1145/3647632.3651390
Malhotra RBansal AKessentini M(2024)A Systematic Literature Review on Maintenance of Software ContainersACM Computing Surveys10.1145/364509256:8(1-38)Online publication date: 10-Apr-2024
https://dl.acm.org/doi/10.1145/3645092
Zhang HAlhanahnah MAhmed FFatih DLeitner PAli-Eldin A(2024)Machine Learning Systems are Bloated and VulnerableProceedings of the ACM on Measurement and Analysis of Computing Systems10.1145/36390328:1(1-30)Online publication date: 21-Feb-2024
https://dl.acm.org/doi/10.1145/3639032
Durieux TRoychoudhury APaiva AAbreu RStorey M(2024)Empirical Study of the Docker Smells Impact on the Image SizeProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639143(1-12)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639143
Song XWang YCheng XLiang GWang QZhu ZRoychoudhury APaiva AAbreu RStorey M(2024)Efficiently Trimming the Fat: Streamlining Software Dependencies with Java Reflection and Dependency AnalysisProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639123(1-12)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639123
Haq MNguyen TTosun AVollmer FKorkmaz TSadeghi A(2024)SoK: A Comprehensive Analysis and Evaluation of Docker Container Attack and Defense Mechanisms2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00268(4573-4590)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00268
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten