On container vulnerabilities in edge computing: A fix-on-deployment approach

Impact factor 4.1 | CAS Zone 2, Computer Science | JCR Q1, COMPUTER SCIENCE, HARDWARE & ARCHITECTURE
Haiyang Huang , Tianhui Meng , Jianxiong Guo , Zhiqing Tang , Weijia Jia
Journal of Systems Architecture, Volume 168 (2025), Article 103533
DOI: 10.1016/j.sysarc.2025.103533
Published: 2025-08-05 (journal article; not open access)
Publisher page: https://www.sciencedirect.com/science/article/pii/S138376212500205X
Citations: 0

Abstract

On container vulnerabilities in edge computing: A fix-on-deployment approach
Containerization technologies like Docker have gained popularity in edge computing (EC) due to their lightweight nature, fast initialization, and low resource usage. In Internet of Things (IoT), EC processes data close to devices, significantly reducing latency, relieving network load, and enhancing security and reliability, making it an indispensable pillar of modern IoT architectures. However, during deployment, Edge servers (ESs) must download associated images containing various software packages, which often have numerous vulnerabilities. Even when patches are available, the latest images frequently remain unpatched. Existing container scheduling solutions overlook the necessity of addressing these vulnerabilities during deployment, allowing them to spread to ESs. This not only enlarges the attack surface but also undermines the overall security of the smart society. To solve the problem of concurrent deployment and vulnerability fixing, we first propose a compatibility detection scheme that analyzes package dependencies within images to prevent compatibility issues during patch updates. Then, a dynamic programming-based algorithm for selecting patch packages is presented to maximize the number of vulnerabilities addressed within a specific duration while considering different severity levels. Finally, we propose a fast and efficient fix-on-deployment algorithm that leverages standard software and patch packages, along with a collaboration mechanism among ESs, to repair vulnerabilities while ensuring efficient container deployment. Experimental results show that our online approach increases the number of fixed vulnerabilities by 14.65% and reduces deployment time by 6.08% compared to the state-of-the-art method.
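The two middle steps of the abstract, a dependency compatibility check on the image's packages followed by severity-aware patch selection under a fixed time budget, amount to a constrained 0/1 knapsack, which is the natural target for dynamic programming. The block below is an added illustration written for this page, not the authors' code: the package inventory, patch records, severity weights, time budget and the "dependency present at or above a minimum version" rule are all assumptions constructed here, and the paper's actual objective function, severity weighting and dependency model may differ.

```python
"""Added illustration (not the paper's code) of fix-on-deployment patch
selection: drop patch packages whose dependencies the image cannot satisfy,
then choose, by 0/1 knapsack dynamic programming, the subset that closes the
most severity-weighted vulnerabilities within a deployment time budget.
Severity weights, package records and dependency rules are assumptions
constructed for this example."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Assumed severity weights; the paper does not state how it weights severities.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass
class PatchPackage:
    name: str                        # package the patch upgrades
    new_version: Version             # version after applying the patch
    install_seconds: int             # time the upgrade adds to deployment
    fixes: Tuple[str, ...]           # severity of each vulnerability it closes
    requires: Dict[str, Version] = field(default_factory=dict)  # dep -> min version


def is_compatible(patch: PatchPackage, installed: Dict[str, Version]) -> bool:
    """Dependency check against the image's package inventory: every
    dependency the patched package needs must be present at or above the
    minimum version. Tuples compare component-wise, so (2, 31) < (2, 34)."""
    return all(
        dep in installed and installed[dep] >= min_ver
        for dep, min_ver in patch.requires.items()
    )


def weighted_value(patch: PatchPackage) -> int:
    """Severity-weighted count of vulnerabilities the patch closes."""
    return sum(SEVERITY_WEIGHT[s] for s in patch.fixes)


def select_patches(candidates: List[PatchPackage], budget_seconds: int):
    """0/1 knapsack: maximise total weighted value subject to the sum of
    install times not exceeding the budget. best[i][t] is the optimum using
    the first i candidates with t seconds available."""
    n = len(candidates)
    best = [[0] * (budget_seconds + 1) for _ in range(n + 1)]
    for i, p in enumerate(candidates, start=1):
        cost, val = p.install_seconds, weighted_value(p)
        for t in range(budget_seconds + 1):
            best[i][t] = best[i - 1][t]                      # skip patch i
            if cost <= t and best[i - 1][t - cost] + val > best[i][t]:
                best[i][t] = best[i - 1][t - cost] + val      # take patch i
    # Walk the table backwards to recover which patches were taken.
    chosen: List[PatchPackage] = []
    t = budget_seconds
    for i in range(n, 0, -1):
        if best[i][t] != best[i - 1][t]:
            chosen.append(candidates[i - 1])
            t -= candidates[i - 1].install_seconds
    chosen.reverse()
    return chosen, best[n][budget_seconds]


def plan_fix_on_deploy(image_packages, patches, budget_seconds):
    """Compatibility filter first, then time-bounded selection. Returns the
    chosen patch names, the weighted value achieved, and the names rejected
    by the compatibility check."""
    compatible = [p for p in patches if is_compatible(p, image_packages)]
    rejected = [p.name for p in patches if p not in compatible]
    chosen, value = select_patches(compatible, budget_seconds)
    return [p.name for p in chosen], value, rejected


# Constructed sample: an edge image's inventory and the patch packages an
# edge server could fetch for it. Versions and vulnerability counts are
# illustrative, not taken from any real advisory.
SAMPLE_IMAGE = {"openssl": (1, 1, 1), "zlib": (1, 2, 11),
                "curl": (7, 68, 0), "glibc": (2, 31)}
SAMPLE_PATCHES = [
    PatchPackage("openssl", (1, 1, 2), 40, ("critical", "high")),
    PatchPackage("curl", (7, 88, 0), 30, ("high", "medium"), {"openssl": (1, 1, 1)}),
    PatchPackage("zlib", (1, 2, 13), 10, ("high",)),
    PatchPackage("python3", (3, 11, 0), 50, ("medium", "low", "low"), {"glibc": (2, 34)}),
    PatchPackage("busybox", (1, 36, 0), 15, ("medium",)),
]

if __name__ == "__main__":
    for budget in (60, 40):
        names, value, rejected = plan_fix_on_deploy(SAMPLE_IMAGE, SAMPLE_PATCHES, budget)
        print(f"budget {budget}s -> apply {names}, weighted value {value}, "
              f"rejected as incompatible {rejected}")
```

With the constructed data, the python3 patch is rejected before selection because the image's glibc is below the minimum it requires, and the budget then decides the rest: at 60 seconds the optimum is the openssl and zlib patches (weighted value 24), while at 40 seconds openssl alone no longer wins and the planner switches to curl plus zlib (18). A real pipeline would populate the inventory from the image's SBOM or scanner output and take the budget from the scheduler's deployment deadline; the cross-server collaboration the abstract mentions is not modelled here.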
Source journal
Journal of Systems Architecture (Engineering & Technology: Computer Science, Hardware)
CiteScore: 8.70
Self-citation rate: 15.60%
Articles published: 226
Review time: 46 days
Journal description: The Journal of Systems Architecture: Embedded Software Design (JSA) is a journal covering all design and architectural aspects related to embedded systems and software. It ranges from the microarchitecture level via the system software level up to the application-specific architecture level. Aspects such as real-time systems, operating systems, FPGA programming, programming languages, communications (limited to analysis and the software stack), mobile systems, parallel and distributed architectures as well as additional subjects in the computer and system architecture area will fall within the scope of this journal. Technology will not be a main focus, but its use and relevance to particular designs will be. Case studies are welcome but must contribute more than just a design for a particular piece of software. Design automation of such systems including methodologies, techniques and tools for their design as well as novel designs of software components fall within the scope of this journal. Novel applications that use embedded systems are also central in this journal. While hardware is not a part of this journal, hardware/software co-design methods that consider the interplay between software and hardware components with an emphasis on software are also relevant here.