Docker镜像是Docker容器运行的基础, 目前缺少完善的镜像安全检测方法, 导致容器运行时易受到容器逃逸、拒绝服务攻击等各种安全威胁. 为避免有毒镜像使用, 本文提出一种Docker可信镜像源检测模型DTDIS (detect trusted Docker image source), 该模型使用可信密码模块vTCM (virtual trusted cryptography module)构建镜像基准值数据库, 检测本地镜像文件是否被篡改; 使用父镜像漏洞数据库扩展Clair镜像扫描器避免重复扫描; 结合文件度量信息、漏洞扫描信息判别Docker镜像源是否可信. 经云环境下实验证明, 该模型能够有效对Docker镜像进行安全评估, 保证用户使用可信镜像.
Docker image is the operating basis of Docker containers. As robust methods of image security detection remain to be developed, containers are subject to various security threats, such as container escape and denial of service attacks, during their operation. To avoid the use of toxic images, this study proposes a detection model for trusted Docker image sources, namely detect trusted Docker image source (DTDIS). In this model, the virtual trusted cryptography module (vTCM) is used to build an image benchmark database and thereby detect whether the local image file has been tampered with. The parent image vulnerability database is utilized to extend the Clair image scanner and thus avoid repeated scanning. File measurement information and vulnerability scanning information are availed to determine whether the Docker image source is credible. Experiments in a cloud environment prove that the proposed model can effectively evaluate the security of Docker images and ensure that users use trusted images.