Authors: Yueyang Li, Luyi Li, Ruxue Luo, Yuzhen Chen, Arijet Sarker, Sang-Yoon Chang, Wenjun Fan
Venue: 2023 Silicon Valley Cybersecurity Conference (SVCC)
Publication date: 2023-05-17
DOI: 10.1109/SVCC56964.2023.10165201 (https://doi.org/10.1109/SVCC56964.2023.10165201)
Investigation and Countermeasure toward Unintentional Access to Docker Container
Because containerization is easy to manage and performs well, many services are now deployed in containers, e.g., a web server running in Docker. However, the Docker implementation suffers from several serious flaws. In this paper, we study a persistent security problem of Docker: a port mapping statement results in a wrong iptables rule. This problem has been disclosed for some time but is still not solved, which motivates us to investigate the vulnerability and articulate it with a technical explanation. We also propose several solutions to address the problem. Further, we use our network testbed to demonstrate the flaw and the effectiveness of the security solutions, and we measure the performance of both the attack and the defense prototypes. The experimental results show that our approach not only increases the time an attacker needs to identify the target but also adds negligible overhead for deploying the countermeasures.