Toward just-in-time patching for containerized applications

Olufogorehan Tunde-Onadele, Yuhang Lin, Jingzhu He, Xiaohui Gu
Proceedings of the 7th Symposium on Hot Topics in the Science of Security. Published 2020-08-25. DOI: 10.1145/3384217.3384225 (https://doi.org/10.1145/3384217.3384225)
Citations: 2

Abstract

Containers have become increasingly popular in distributed computing environments. However, recent studies have shown that containerized applications are susceptible to various security attacks. Traditional pre-scheduled software update approaches not only become ineffective under dynamic container environments but also impose high overhead on containers. In this paper, we propose a new on-demand targeted patching framework for containerized applications. OPatch combines dynamic vulnerability exploit identification and targeted vulnerability patching to achieve more efficient security attack containment. We have implemented a prototype of OPatch and evaluated our schemes over 31 real-world security vulnerability exploits in 23 commonly used server applications. Results show that OPatch can accurately detect and classify 81% of vulnerability exploits and reduce security patching overhead by up to 84% for memory and 40% for disk.