A Study on Pipeline Design Methods for Providing a Secure Container Image Registry

  • Received : 2023.03.26
  • Reviewed : 2023.05.29
  • Published : 2023.06.30

Abstract

As the development and distribution of applications shifts from a monolithic architecture to microservices, containerization, a lightweight virtualization technology, is becoming a core IT technology. However, unlike traditional hypervisor-based virtual machines, container technology does not provide a concrete security boundary, because containers share the host kernel. According to various preceding studies, most container images currently shared contain many security vulnerabilities. Attackers can therefore attempt exploitation using these vulnerabilities, which can seriously affect the system environment. In this study, we therefore propose an efficient automated deployment pipeline design that prevents container images containing security vulnerabilities from being distributed. Through this approach, a secure container environment can be provided.

Keywords
