On container vulnerabilities in edge computing: A fix-on-deployment approach
Authors: Haiyang Huang, Tianhui Meng, Jianxiong Guo, Zhiqing Tang, Weijia Jia
Journal of Systems Architecture, volume 168, Article 103533. Published 2025-08-05.
DOI: 10.1016/j.sysarc.2025.103533
URL: https://www.sciencedirect.com/science/article/pii/S138376212500205X
Abstract:
Containerization technologies like Docker have gained popularity in edge computing (EC) due to their lightweight nature, fast initialization, and low resource usage. In Internet of Things (IoT), EC processes data close to devices, significantly reducing latency, relieving network load, and enhancing security and reliability, making it an indispensable pillar of modern IoT architectures. However, during deployment, Edge servers (ESs) must download associated images containing various software packages, which often have numerous vulnerabilities. Even when patches are available, the latest images frequently remain unpatched. Existing container scheduling solutions overlook the necessity of addressing these vulnerabilities during deployment, allowing them to spread to ESs. This not only enlarges the attack surface but also undermines the overall security of the smart society. To solve the problem of concurrent deployment and vulnerability fixing, we first propose a compatibility detection scheme that analyzes package dependencies within images to prevent compatibility issues during patch updates. Then, a dynamic programming-based algorithm for selecting patch packages is presented to maximize the number of vulnerabilities addressed within a specific duration while considering different severity levels. Finally, we propose a fast and efficient fix-on-deployment algorithm that leverages standard software and patch packages, along with a collaboration mechanism among ESs, to repair vulnerabilities while ensuring efficient container deployment. Experimental results show that our online approach increases the number of fixed vulnerabilities by 14.65% and reduces deployment time by 6.08% compared to the state-of-the-art method.
Journal description:
The Journal of Systems Architecture: Embedded Software Design (JSA) is a journal covering all design and architectural aspects related to embedded systems and software. It ranges from the microarchitecture level via the system software level up to the application-specific architecture level. Aspects such as real-time systems, operating systems, FPGA programming, programming languages, communications (limited to analysis and the software stack), mobile systems, parallel and distributed architectures as well as additional subjects in the computer and system architecture area will fall within the scope of this journal. Technology will not be a main focus, but its use and relevance to particular designs will be. Case studies are welcome but must contribute more than just a design for a particular piece of software.
Design automation of such systems, including methodologies, techniques and tools for their design, as well as novel designs of software components, falls within the scope of this journal. Novel applications that use embedded systems are also central to this journal. While hardware is not a part of this journal, hardware/software co-design methods that consider the interplay between software and hardware components, with an emphasis on software, are also relevant here.